commit quagga for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package quagga for openSUSE:Factory checked in at 2022-06-30 13:18:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/quagga (Old) and /work/SRC/openSUSE:Factory/.quagga.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "quagga" Thu Jun 30 13:18:24 2022 rev:56 rq:985928 version:1.2.4 Changes: --------
--- /work/SRC/openSUSE:Factory/quagga/quagga.changes 2019-04-26 22:55:33.145272517 +0200
+++ /work/SRC/openSUSE:Factory/.quagga.new.1548/quagga.changes 2022-06-30 13:18:30.837540204 +0200
@@ -1,0 +2,25 @@
+Wed Jun 29 09:31:14 UTC 2022 - Stefan Schubert <schubi@suse.com>
+
+- Moved logrotate files from user specific directory /etc/logrotate.d
+ to vendor specific directory /usr/etc/logrotate.d.
+
+-------------------------------------------------------------------
+Thu Oct 21 07:17:41 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_bgpd.service.patch
+ * harden_isisd.service.patch
+ * harden_ospf6d.service.patch
+ * harden_ospfd.service.patch
+ * harden_ripd.service.patch
+ * harden_ripngd.service.patch
+ * harden_zebra.service.patch
+
+-------------------------------------------------------------------
+Fri Apr 9 20:02:44 UTC 2021 - Cristian Rodr��guez <crrodriguez@opensuse.org>
+
+- Avoid using libpcre-posix, which is intended for systems without
+ a working regex.h, symbols clash with libc and undefined behaviour
+ may ensue.
+
+-------------------------------------------------------------------
New: ---- harden_bgpd.service.patch harden_isisd.service.patch harden_ospf6d.service.patch harden_ospfd.service.patch harden_ripd.service.patch harden_ripngd.service.patch harden_zebra.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ quagga.spec ++++++
--- /var/tmp/diff_new_pack.7feF1g/_old 2022-06-30 13:18:31.621540792 +0200
+++ /var/tmp/diff_new_pack.7feF1g/_new 2022-06-30 13:18:31.625540795 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package quagga
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -30,7 +30,6 @@
 %bcond_without irdp
 %bcond_with isis
 %bcond_with isis_topology
-%bcond_without pcre
 %if %{defined _rundir}
 %define quagga_statedir %{_rundir}/%{name}
 %else
@@ -42,7 +41,7 @@
 Summary: Routing Software for BGP, OSPF and RIP
 License: LGPL-2.1-or-later
 Group: Productivity/Networking/Routing
-Url: http://www.quagga.net
+URL: http://www.quagga.net
 Source: http://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.gz
 Source1: %{name}-SUSE.tar.bz2
 Source2: %{name}.pam
@@ -57,6 +56,13 @@
 Patch1: %{name}-add-ospf6_main-return-value.patch
 Patch2: %{name}-add-table_test-return-value.patch
 Patch3: 0001-systemd-change-the-WantedBy-target.patch
+Patch4: harden_bgpd.service.patch
+Patch5: harden_isisd.service.patch
+Patch6: harden_ospf6d.service.patch
+Patch7: harden_ospfd.service.patch
+Patch8: harden_ripd.service.patch
+Patch9: harden_ripngd.service.patch
+Patch10: harden_zebra.service.patch
 BuildRequires: autoconf >= 2.6
 BuildRequires: automake >= 1.6
 BuildRequires: c-ares-devel
@@ -73,9 +79,6 @@
 Provides: zebra = %{version}
 Obsoletes: zebra < %{version}
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-%if %{with pcre}
-BuildRequires: pcre-devel
-%endif
 %if 0%{?suse_version} > 1220
 BuildRequires: makeinfo
 %endif
@@ -149,6 +152,13 @@
 %patch1 -p 1
 %patch2 -p 1
 %patch3 -p 1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 %build
 export CFLAGS="%{optflags} -fno-strict-aliasing"
@@ -171,9 +181,7 @@
 %if %{with irdp}
 --enable-irdp \
 %endif
- %if %{with pcre}
- --enable-pcreposix \
- %endif
+ --disable-pcreposix \
 --sysconfdir=%{_sysconfdir}/quagga \
 --localstatedir=%{quagga_statedir} \
 --enable-multipath=0
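Review bot: In the `@@ -42,7 +41,7 @@` hunk the `Source:` line still names the release tarball over plain `http://`, although the commit edits the `Url` tag directly above it and moves the bug-tracker link to https elsewhere. For a routing daemon that runs with network privileges, the origin of the tarball is worth pinning down: `Source: https://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.gz`, and if upstream publishes a detached signature for this release, list it together with a keyring file as additional sources so the build verifies it. The remaining `Source` entries lie outside the hunk, so a signature may already be listed there.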
@@ -183,7 +191,12 @@
 rm -r doc/quagga.info
 %make_install
 find %{buildroot} -type f -name "*.la" -delete -print
-install -d %{buildroot}%{_sysconfdir}/{init.d,quagga,pam.d,logrotate.d}
+install -d %{buildroot}%{_sysconfdir}/{init.d,quagga,pam.d}
+%if 0%{?suse_version} > 1500
+install -d %{buildroot}%{_distconfdir}/logrotate.d
+%else
+install -d %{buildroot}%{_sysconfdir}/logrotate.d
+%endif
 %if %{with systemd}
 install -d %{buildroot}%{_unitdir}
 install -p -m 0644 redhat/zebra.service %{buildroot}%{_unitdir}/zebra.service
@@ -218,7 +231,11 @@
 install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/quagga
 install -d -m 0750 %{buildroot}%{_localstatedir}/log/quagga
 install -d -m 0751 %{buildroot}%{quagga_statedir}
+%if 0%{?suse_version} > 1500
+install -m 0644 %{SOURCE7} %{buildroot}%{_distconfdir}/logrotate.d/quagga
+%else
 install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/quagga
+%endif
 rm -f %{buildroot}%{_sysconfdir}/quagga/*.sample*
 cat > %{buildroot}%{_sysconfdir}/quagga/zebra.conf << __EOF__
 !hostname quagga
@@ -287,7 +304,11 @@
 %{_sbindir}/*
 %dir %attr(750,quagga,quagga) %{_sysconfdir}/quagga/
 %config(noreplace) %attr(640,quagga,quagga) %{_sysconfdir}/%{name}/*.conf
+%if 0%{?suse_version} > 1500
+%{_distconfdir}/logrotate.d/*
+%else
 %config(noreplace) %{_sysconfdir}/logrotate.d/*
+%endif
 %{_fillupdir}/sysconfig.quagga
 %if %{with systemd}
 %{_unitdir}/*.service
++++++ harden_bgpd.service.patch ++++++
Index: quagga-1.2.4/redhat/bgpd.service
===================================================================
--- quagga-1.2.4.orig/redhat/bgpd.service
+++ quagga-1.2.4/redhat/bgpd.service
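Review bot: On upgrade an admin-edited `/etc/logrotate.d/quagga` is no longer honoured, because the `@@ -287,7 +304,11 @@` hunk drops the file from `%config(noreplace) %{_sysconfdir}/logrotate.d/*` for `suse_version > 1500`; rpm renames the edited copy to `.rpmsave` and logrotate then reads only the vendor file. Site-specific retention or permission settings for the routing logs would be lost without any message. None of the visible hunks (`-183`, `-218`, `-287`) adds scriptlet handling for this; the `%pre` and `%posttrans` sections lie outside the hunks, so it may already exist there. If it does not, the rename can be undone after the transaction as sketched below.

```spec
# … unchanged: existing %pre content, if any …
%pre
%if 0%{?suse_version} > 1500
# set aside a stale .rpmsave so the one created by this upgrade is unambiguous
for i in logrotate.d/quagga ; do
    test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif

%posttrans
%if 0%{?suse_version} > 1500
# restore the admin's edited copy so it keeps overriding the vendor file
for i in logrotate.d/quagga ; do
    test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
```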
@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/bgpd.con
 Documentation=man:bgpd
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/bgpd.pid
 EnvironmentFile=/etc/sysconfig/quagga
++++++ harden_isisd.service.patch ++++++
Index: quagga-1.2.4/redhat/isisd.service
===================================================================
--- quagga-1.2.4.orig/redhat/isisd.service
+++ quagga-1.2.4/redhat/isisd.service
@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/isisd.co
 Documentation=man:isisd
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/isisd.pid
 EnvironmentFile=/etc/sysconfig/quagga
++++++ harden_ospf6d.service.patch ++++++
Index: quagga-1.2.4/redhat/ospf6d.service
===================================================================
--- quagga-1.2.4.orig/redhat/ospf6d.service
+++ quagga-1.2.4/redhat/ospf6d.service
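Review bot: The block added to bgpd.service shields kernel and host state but does nothing about the daemon's own privileges or its view of shared temporary directories, which matters for a process that parses protocol messages from remote peers. Settings such as `NoNewPrivileges=true` and `PrivateTmp=true` are the usual next step and would need testing against the daemon's start-up and privilege drop before being enabled. The identical block is added to isisd, ospf6d, ospfd, ripd, ripngd and zebra, so the same applies there. If stricter options were tried and rejected, a comment next to the block, for example `# PrivateTmp/NoNewPrivileges not set: <reason>`, would save the next reviewer the experiment.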
@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ospf6d.c
 Documentation=man:ospf6d
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/ospf6d.pid
 EnvironmentFile=/etc/sysconfig/quagga
++++++ harden_ospfd.service.patch ++++++
Index: quagga-1.2.4/redhat/ospfd.service
===================================================================
--- quagga-1.2.4.orig/redhat/ospfd.service
+++ quagga-1.2.4/redhat/ospfd.service
@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ospfd.co
 Documentation=man:ospfd
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/ospfd.pid
 EnvironmentFile=/etc/sysconfig/quagga
++++++ harden_ripd.service.patch ++++++
Index: quagga-1.2.4/redhat/ripd.service
===================================================================
--- quagga-1.2.4.orig/redhat/ripd.service
+++ quagga-1.2.4/redhat/ripd.service
@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ripd.con
 Documentation=man:ripd
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/ripd.pid
 EnvironmentFile=/etc/sysconfig/quagga
++++++ harden_ripngd.service.patch ++++++
Index: quagga-1.2.4/redhat/ripngd.service
===================================================================
--- quagga-1.2.4.orig/redhat/ripngd.service
+++ quagga-1.2.4/redhat/ripngd.service
@@ -8,6 +8,17 @@ ConditionPathExists=/etc/quagga/ripngd.c
 Documentation=man:ripngd
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/zebra.pid
 EnvironmentFile=/etc/sysconfig/quagga
++++++ harden_zebra.service.patch ++++++
Index: quagga-1.2.4/redhat/zebra.service
===================================================================
--- quagga-1.2.4.orig/redhat/zebra.service
+++ quagga-1.2.4/redhat/zebra.service
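Review bot: The context line `PIDFile=/run/quagga/zebra.pid` in the ripngd.service hunk names zebra's PID file, and the hardening patch carries it forward unchanged. With `Type=forking` systemd relies on `PIDFile=` to identify the main process, so ripngd would be supervised through another daemon's PID and its stop, restart and failure handling cannot be trusted. Every other unit in this commit follows the `<daemon>.pid` pattern, so the line presumably should read `PIDFile=/run/quagga/ripngd.pid`; confirm the path the daemon actually writes before changing it. The unit file continues outside the hunk.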
@@ -6,6 +6,17 @@ ConditionPathExists=/etc/quagga/zebra.co
 Documentation=man:zebra
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/run/quagga/zebra.pid
 EnvironmentFile=-/etc/sysconfig/quagga
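Review bot: `ProtectKernelTunables=true` in zebra.service makes `/proc/sys` read-only for the daemon, and zebra is the component that manages the kernel's forwarding state. If this build switches forwarding by writing under `/proc/sys/net/` (not visible from the hunk), the `ip forwarding` configuration commands would fail once the unit is hardened, and the failure may only show up in the log. Please test that path under the new unit, and if it breaks, drop the setting for zebra only, with a comment such as `# ProtectKernelTunables not set: zebra writes forwarding sysctls`. The other six units do not manage kernel state and can keep the option.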