From: Razvan Becheriu Date: Thu, 22 May 2025 09:30:01 +0000 (+0300) Subject: [#3840] fix arm env var name X-Git-Tag: Kea-2.6.3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e695954be4d7d60036a11e338fef07b29177c27;p=thirdparty%2Fkea.git [#3840] fix arm env var name --- diff --git a/ChangeLog b/ChangeLog index 0a5a640366..edd243261a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,25 @@ Kea 2.6.3 (stable) released on May 28, 2025 -2266. [build] andrei +2267. [build] andrei The library version numbers have been bumped up for the Kea 2.6.3 stable release. (Gitlab #3891) +2266. [sec]* tmark, fdupont, razvan + All files and sockets created by Kea servers have been + restricted to default paths determined at compile time + which may be overridden by environment variables. This + includes lease files, log files, control channel sockets, + and the output from commands such as lease4-write and + lease6-write. The output of config-write is restricted to + the directory from which the configuration file was read. + Use of unsupported paths will result in servers emitting + errors and refusing to start or rejecting commands. + The specifics including the supported paths and environment + variable names are in the relevant ARM sections. + CVE:2025-32801 + (Gitlab #3831) + 2265. [sec]* fdupont Change the umask to no group write and no other access at the entry of Kea server/agent binaries. diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index c5c7ff8b50..6b65e48f0c 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst 
@@ -370,7 +370,7 @@ that can be used to configure the memfile backend. As of Kea 2.6.3, lease files may only be loaded from the data directory determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``name``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path component from ``name``. diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index af47d52d06..29f5caed98 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst @@ -326,7 +326,7 @@ that can be used to configure the memfile backend. As of Kea 2.6.3, lease files may only be loaded from the data directory determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``name``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path component from ``name``. 
@@ -6240,7 +6240,7 @@ memory lease file into its data directory. By default this directory is files may only be loaded from the directory determined at compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``data-directory``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. diff --git a/doc/sphinx/arm/hooks-lease-cmds.rst b/doc/sphinx/arm/hooks-lease-cmds.rst index 7aa31aaad7..634e7a6d1b 100644 --- a/doc/sphinx/arm/hooks-lease-cmds.rst +++ b/doc/sphinx/arm/hooks-lease-cmds.rst @@ -1094,7 +1094,7 @@ to the previous filename: for example, ``.bak14326``. As of Kea 2.6.3, the lease file may only be written to the data directory determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``filename``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path portion from ``filename``. diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index dadde71b91..2835b3fc49 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst 
@@ -284,7 +284,7 @@ Potential Kea security issues can be minimized by running only those processes r may only be loaded from the directory determined at compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``name`` or ``data-directory``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. This restriction applies to writing lease file using ``lease4-write`` and 
@@ -382,17 +382,17 @@ Summary of Path Restrictions Path restrictions mentioned through this section can be summarized according to the following table: -+-------------------------------------+---------------------------------------+----------------------------------+ -| Restricted Element | Default Value | Environment Variable Override | -+=====================================+=======================================+==================================+ -| Config Files (``config-write``) | Same Directory as Initial Config File | N/A | -+-------------------------------------+---------------------------------------+----------------------------------+ -| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIRECTORY`` | -+-------------------------------------+---------------------------------------+----------------------------------+ -| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` | -+-------------------------------------+---------------------------------------+----------------------------------+ -| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` | -+-------------------------------------+---------------------------------------+----------------------------------+ ++-------------------------------------+---------------------------------------+-------------------------------+ +| Restricted Element | Default Value | Environment Variable Override | ++=====================================+=======================================+===============================+ +| Config Files (``config-write``) | Same Directory as Initial Config File | N/A | ++-------------------------------------+---------------------------------------+-------------------------------+ +| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIR`` | ++-------------------------------------+---------------------------------------+-------------------------------+ +| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` | 
++-------------------------------------+---------------------------------------+-------------------------------+ +| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` | ++-------------------------------------+---------------------------------------+-------------------------------+
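Review bot: The ChangeLog hunk (@@ -1,10 +1,25 @@) is not covered by the subject "fix arm env var name". It renumbers the existing [build] entry from 2266 to 2267 and inserts a new 2266 [sec] entry carrying CVE:2025-32801. Renumbering means any earlier reference to entry 2266 now resolves to a different change. Suggest either mentioning the ChangeLog entry in the commit message or moving it to its own commit, so the security entry can be located and cherry-picked independently of the documentation fix.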
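Review bot: The five prose hunks that replace ``KEA_DHCP_DATA_DIRECTORY`` with ``KEA_DHCP_DATA_DIR`` (dhcp4-srv.rst, both hunks in dhcp6-srv.rst, hooks-lease-cmds.rst, and security.rst @@ -284) all edit the same paragraph, copied almost word for word into each file, which is why one wrong name needed five identical fixes. Suggest keeping the variable name in one place, the "Summary of Path Restrictions" table in security.rst, and having the other sections cross-reference it. Because the longer name was in the documentation before this change, a one-line note that only ``KEA_DHCP_DATA_DIR`` is recognized would also help anyone who exported the old name, given that the same paragraphs say a path outside the data directory makes Kea "emit an error and refuse to start".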
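Review bot: In the security.rst table hunk (@@ -382,17 +382,17 @@), the Default Value column gives ``var/lib/kea``, ``var/log/kea`` and ``var/run/kea`` as bare relative paths, while the prose hunks in this patch write the same lease directory as ``"[kea-install-dir]/var/lib/kea"``. Since the table is being rewritten anyway, suggest using the prefixed form in all three cells so a reader does not take the defaults as relative to the working directory. The unchanged context line above the table reads "mentioned through this section", which should be "throughout".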