From: Razvan Becheriu Date: Thu, 22 May 2025 09:23:31 +0000 (+0300) Subject: [#3839] fix arm env var name X-Git-Tag: Kea-2.4.2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6af034fff30bf7d3ee52847e82bf87205828ed6f;p=thirdparty%2Fkea.git [#3839] fix arm env var name --- diff --git a/ChangeLog b/ChangeLog index fe51357b32..e0e147d0b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,25 @@ Kea 2.4.2 (stable) released on May 28, 2025 -2172. [build] andrei +2173. [build] andrei The library version numbers have been bumped up for the Kea 2.4.2 stable release. (Gitlab #3890) +2172. [sec]* tmark, fdupont, razvan + All files and sockets created by Kea servers have been + restricted to default paths determined at compile time + which may be overridden by environment variables. This + includes lease files, log files, control channel sockets, + and the output from commands such as lease4-write and + lease6-write. The output of config-write is restricted to + the directory from which the configuration file was read. + Use of unsupported paths will result in servers emitting + errors and refusing to start or rejecting commands. + The specifics including the supported paths and environment + variable names are in the relevant ARM sections. + CVE:2025-32801 + (Gitlab #3831) + 2171. [sec]* fdupont Change the umask to no group write and no other access at the entry of Kea server/agent binaries. diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index 553962f361..624f5508a9 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -370,7 +370,7 @@ that can be used to configure the memfile backend. As of Kea 2.4.2, lease files may only be loaded from the data directory determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``name``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path component from ``name``. diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 480e7764e0..6685995bcb 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst @@ -326,7 +326,7 @@ that can be used to configure the memfile backend. As of Kea 2.4.2, lease files may only be loaded from the data directory determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``name``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path component from ``name``. @@ -6047,7 +6047,7 @@ memory lease file into its data directory. By default this directory is files may only be loaded from the directory determined at compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``data-directory``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. diff --git a/doc/sphinx/arm/hooks-lease-cmds.rst b/doc/sphinx/arm/hooks-lease-cmds.rst index 28bac6ae6a..947d30b5cb 100644 --- a/doc/sphinx/arm/hooks-lease-cmds.rst +++ b/doc/sphinx/arm/hooks-lease-cmds.rst @@ -1071,7 +1071,7 @@ to the previous filename. For example ``.bak14326``. As of Kea 2.4.2, the lease file may only be written to the data directory determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``filename``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path portion from ``filename``. diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index 8815220f32..fb409c5a77 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst @@ -284,7 +284,7 @@ Potential Kea security issues can be minimized by running only those processes r may only be loaded from the directory determined at compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable - ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + ``KEA_DHCP_DATA_DIR`` to the desired path. If a path other than this value is used in ``name`` or ``data-directory``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. This restriction applies to writing lease file using ``lease4-write`` and @@ -382,17 +382,17 @@ Summary of Path Restrictions Path restrictions mentioned through this section can be summarized according to the following table: -+-------------------------------------+---------------------------------------+----------------------------------+ -| Restricted Element | Default Value | Environment Variable Override | -+=====================================+=======================================+==================================+ -| Config Files (``config-write``) | Same Directory as Initial Config File | N/A | -+-------------------------------------+---------------------------------------+----------------------------------+ -| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIRECTORY`` | -+-------------------------------------+---------------------------------------+----------------------------------+ -| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` | -+-------------------------------------+---------------------------------------+----------------------------------+ -| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` | -+-------------------------------------+---------------------------------------+----------------------------------+ ++-------------------------------------+---------------------------------------+-------------------------------+ +| Restricted Element | Default Value | Environment Variable Override | ++=====================================+=======================================+===============================+ +| Config Files (``config-write``) | Same Directory as Initial Config File | N/A | ++-------------------------------------+---------------------------------------+-------------------------------+ +| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIR`` | ++-------------------------------------+---------------------------------------+-------------------------------+ +| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` | ++-------------------------------------+---------------------------------------+-------------------------------+ +| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` | ++-------------------------------------+---------------------------------------+-------------------------------+