pkgsrc-Changes archive


CVS commit: pkgsrc/net/kea



Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Jun  5 15:00:44 UTC 2025

Modified Files:
        pkgsrc/net/kea: Makefile PLIST distinfo
Removed Files:
        pkgsrc/net/kea/patches: patch-src_lib_asiolink_io__address.cc
            patch-src_lib_asiolink_io__service.cc
            patch-src_lib_asiolink_tcp__endpoint.h
            patch-src_lib_asiolink_udp__endpoint.h
            patch-src_lib_asiolink_unix__domain__socket.cc
            patch-src_lib_dhcp_iface__mgr.cc

Log Message:
net/kea: update to 2.6.3

2.6.2 (2025-03-26)

1. Fix for inaccurate statistics: Kea was miscalculating declined and
   assigned leases.  [#3758, a backport of #3565]

2. Fix for lease conflicts and NAK: Conflicting entries were created when
   two relayed HA instances tried to update a shared lease DB at the same
   time.  [#3798, a backport of #3648]

3. Fix for subnetX-del not removing subnets completely: subnetX-del was not
   correctly deleting the subnet declaration from the shared network
   configuration section.  [#3756, a backport of #3455]

4. Fix for config-write and retry-on-startup parameter: config-write was
   improperly storing the retry-on-startup parameter in the config file,
   causing Kea to fail when restarting.  [#3755, a backport of #3578]

5. Fix for incorrect DB schema entry: A typo prevented the upgrade script
   from working in certain circumstances.  [#3753, a backport of #3631]

6. Fix for mishandling malformed DISCOVER packets: [#3750, a backport of
   #3712].

7. Fix for excessive memory utilization when receiving frequent SIGHUP: Kea
   was storing a history of configs in memory with each restart.  [#3757, a
   backport of #3652].

8. Fix for config-set with output_options: config-set was omitting the
   output_options section when spelled with "_".  [#3754, a backport of
   #3594]

9. Fix for store-extended-info breaking lease limits: A specific combination
   of vendor classes and storing extended info caused limits to not be
   applied.  [#3760, a backport of #3702]

10. Fix for DB connection recovery: [#3751, a backport of #3727]

11. Fix for build system: [#3752, a backport of #3697]

12. DB upgrade scripts: DB upgrade could fail on some distributions.
    [#3794]

2.6.3 (2025-05-28)

1. Security: Default configuration: Running Kea with access to its API
   insufficiently secured poses significant risks and is strongly
   discouraged.  The default configuration for the Kea Control Agent (CA)
   has been updated to enable basic HTTP authentication.  Access to the Kea
   API will thus require a password.  It also contains additional examples
   of stronger authentication, based on TLS certificates that only allow
   access to clients presenting valid TLS certificates.  These changes
   address CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 [#3825,
   #3856].

2. Security: Hooks files: To limit the severity of an attack via an
   insufficiently protected API, kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and
   kea-ctrl-agent now only load hook libraries from the default installation
   directory.  Kea will not load the hook library if a path other than the
   default is specified.  For ease of use, the path may be omitted.  This
   change addresses CVE-2025-32801 [#3830, #3838].

3. Security: Config files: To limit the scope of an attack on an
   insufficiently protected API, the API command config-write will now only
   write to the same directory as the configuration file used when Kea was
   started (passed as a -c argument).  This change addresses
   CVE-2025-32802 [#3830, #3838].

4. Security: Lease files: To mitigate the severity of an attack on an
   insufficiently protected API, lease files can now only be loaded from a
   defined data directory.  The default data directory is determined during
   compilation: [kea-install-dir]/var/lib/kea.  This path may be overridden
   at startup by setting the environment variable KEA_DHCP_DATA_DIR to the
   desired path.  If a path outside the defined data directory is used in
   lease-database.name, Kea returns an error and refuses to start or, if
   already running, aborts and exits.  For ease of use in specifying a
   custom file name, simply omit the path component from name.  This change
   addresses CVE-2025-32802 [#3831, #3840].

5. Security: Log files: To mitigate the severity of an attack on an
   insufficiently protected API, log files can now only be written to a
   defined output directory.  The default directory is determined during
   compilation: [kea-install-dir]/var/log/kea.  This path may be overridden
   at startup by setting the environment variable KEA_LOG_FILE_DIR to the
   desired path.  If a path outside the defined output directory is used in
   loggers.output_options.output, Kea returns an error and refuses to start
   or, if already running, aborts and exits.  For ease of use, simply omit
   the path component from output and specify only the file name.  This
   change addresses CVE-2025-32802 [#3831, #3840].

6. Security: File permissions: To prevent exposure of potentially
   confidential data, files created by Kea now have more restrictive file
   permissions.  Write access by group and any access by others is now
   forbidden.  This change addresses CVE-2025-32803 [#3832, #3842].

7. Security: Sockets: To prevent unauthorized access and potential denial of
   service, sockets can no longer be created in a world-writable directory,
   such as /tmp.  Sockets must now be created in the more restricted
   [kea-install-dir]/var/run/kea.  This change addresses CVE-2025-32802
   [#3831, #3840].

8. Security: Documentation: Many sample configuration files have been
   updated to reflect changes introduced in this release.  In the ARM, the
   Kea Security section has been moved to a more prominent location, and a
   new section concerning securing the Kea Control Agent has been added.
   These changes address CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803
   [#3833, #3844].

9. Build improvements: The source code was updated to build with the latest
   Boost 1.87 [#3696, #3823].

10. Documentation update: Backported a clarification in the ARM about
    subnet4-delta-add [#3773, #3869].


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/kea/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/kea/PLIST
cvs rdiff -u -r1.4 -r1.5 pkgsrc/net/kea/distinfo
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/net/kea/patches/patch-src_lib_asiolink_io__address.cc \
    pkgsrc/net/kea/patches/patch-src_lib_asiolink_io__service.cc \
    pkgsrc/net/kea/patches/patch-src_lib_asiolink_tcp__endpoint.h \
    pkgsrc/net/kea/patches/patch-src_lib_asiolink_udp__endpoint.h \
    pkgsrc/net/kea/patches/patch-src_lib_asiolink_unix__domain__socket.cc \
    pkgsrc/net/kea/patches/patch-src_lib_dhcp_iface__mgr.cc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/kea/Makefile
diff -u pkgsrc/net/kea/Makefile:1.14 pkgsrc/net/kea/Makefile:1.15
--- pkgsrc/net/kea/Makefile:1.14        Tue Mar  4 09:37:38 2025
+++ pkgsrc/net/kea/Makefile     Thu Jun  5 15:00:44 2025
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.14 2025/03/04 09:37:38 nia Exp $
+# $NetBSD: Makefile,v 1.15 2025/06/05 15:00:44 taca Exp $
 
 DISTNAME=      kea-${VERSION}
 COMMENT=       Next-generation ISC Dynamic Host Configuration Protocol (DHCP) Server
-PKGREVISION=   2
 
 .include "options.mk"
 
@@ -13,7 +12,7 @@ MAINTAINER=           sekiya%NetBSD.org@localhost
 HOMEPAGE=              https://www.isc.org/kea/
 LICENSE=               mpl-2.0
 
-VERSION=               2.6.1
+VERSION=               2.6.3
 
 .include "../../mk/bsd.prefs.mk"
 
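Review bot: nothing alongside the `VERSION= 2.6.3` line creates or documents the directories that 2.6.3 now insists on. Per the log message, Kea refuses to start when lease-database.name or a logger output points outside the compiled-in var/lib/kea and var/log/kea directories, and control sockets must live in var/run/kea rather than /tmp. Please confirm that the package creates these directories with suitable ownership and permissions, and consider an upgrade note so that existing configurations are checked before the daemons are restarted.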

Index: pkgsrc/net/kea/PLIST
diff -u pkgsrc/net/kea/PLIST:1.3 pkgsrc/net/kea/PLIST:1.4
--- pkgsrc/net/kea/PLIST:1.3    Wed Nov 13 14:37:28 2024
+++ pkgsrc/net/kea/PLIST        Thu Jun  5 15:00:44 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2024/11/13 14:37:28 taca Exp $
+@comment $NetBSD: PLIST,v 1.4 2025/06/05 15:00:44 taca Exp $
 include/kea/asiodns/asiodns_messages.h
 include/kea/asiodns/io_fetch.h
 include/kea/asiodns/logger.h
@@ -59,6 +59,7 @@ include/kea/config/config_log.h
 include/kea/config/config_messages.h
 include/kea/config/hooked_command_mgr.h
 include/kea/config/timeouts.h
+include/kea/config/unix_command_config.h
 include/kea/config_backend/base_config_backend.h
 include/kea/config_backend/base_config_backend_mgr.h
 include/kea/config_backend/base_config_backend_pool.h
@@ -810,7 +811,8 @@ share/kea/scripts/mysql/upgrade_018_to_0
 share/kea/scripts/mysql/upgrade_019_to_020.sh
 share/kea/scripts/mysql/upgrade_020_to_021.sh
 share/kea/scripts/mysql/upgrade_021_to_022.sh
-share/kea/scripts/mysql/upgrade_022_to_022.1.sh
+share/kea/scripts/mysql/upgrade_022.0_to_022.1.sh
+share/kea/scripts/mysql/upgrade_022.1_to_022.2.sh
 share/kea/scripts/mysql/wipe_data.sh
 share/kea/scripts/pgsql/dhcpdb_create.pgsql
 share/kea/scripts/pgsql/dhcpdb_drop.pgsql
@@ -841,5 +843,6 @@ share/kea/scripts/pgsql/upgrade_018_to_0
 share/kea/scripts/pgsql/upgrade_019_to_020.sh
 share/kea/scripts/pgsql/upgrade_020_to_021.sh
 share/kea/scripts/pgsql/upgrade_021_to_022.sh
-share/kea/scripts/pgsql/upgrade_022_to_022.1.sh
+share/kea/scripts/pgsql/upgrade_022.0_to_022.1.sh
+share/kea/scripts/pgsql/upgrade_022.1_to_022.2.sh
 share/kea/scripts/pgsql/wipe_data.sh
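Review bot: the log message does not tell administrators that the SQL schema changes with this update, although the replaced `upgrade_022_to_022.1.sh` entry and the new `upgrade_022.1_to_022.2.sh` entry here (and the identical mysql change in the previous hunk) show a new schema step. Suggest saying so in the log or in a package message, so that sites with a MySQL or PostgreSQL backend run the schema upgrade after installing. Anything that called the old script name directly will also need adjusting.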

Index: pkgsrc/net/kea/distinfo
diff -u pkgsrc/net/kea/distinfo:1.4 pkgsrc/net/kea/distinfo:1.5
--- pkgsrc/net/kea/distinfo:1.4 Wed Jan 15 06:05:13 2025
+++ pkgsrc/net/kea/distinfo     Thu Jun  5 15:00:44 2025
@@ -1,14 +1,8 @@
-$NetBSD: distinfo,v 1.4 2025/01/15 06:05:13 wiz Exp $
+$NetBSD: distinfo,v 1.5 2025/06/05 15:00:44 taca Exp $
 
-BLAKE2s (kea-2.6.1.tar.gz) = fbc82aa775b8cb7624d6051ba6276283b387d1e5273e4737e56ad96f380ae890
-SHA512 (kea-2.6.1.tar.gz) = 23a4c431117097538a15afd8a28016b49db5490f866aa03abd2bdfef5eaab5031491320acdf3097899d4b071cccff4b53c032ff076b13cab853e063aaa2810ec
-Size (kea-2.6.1.tar.gz) = 10467190 bytes
+BLAKE2s (kea-2.6.3.tar.gz) = cc62f7905be8fb087286f3b6b20dbb309eef82bf64c1d5582f787fdd34a050e0
+SHA512 (kea-2.6.3.tar.gz) = d7781c0b95529bfe89c19615c1dd5952fd4c4b60274e187a641992dad81ef5af921dfb15050ec43169a0c2ad267639642b2e294c5d43405f85a5fb11bb1a939a
+Size (kea-2.6.3.tar.gz) = 10498882 bytes
 SHA1 (patch-config.h.in) = 854ce1d2685f378ee4dcc06d1901e0c7a371bc32
 SHA1 (patch-configure.ac) = 9d70489a402e91fa9db9d576860bcf152d773249
-SHA1 (patch-src_lib_asiolink_io__address.cc) = 9f4d36fe5dd84a47d10f77059e934ec14bf477d7
-SHA1 (patch-src_lib_asiolink_io__service.cc) = 0b64596b9903cb2872866ae92cd7844479be0519
-SHA1 (patch-src_lib_asiolink_tcp__endpoint.h) = 7d4df393abf0a636f40037f723160eacbcb328df
-SHA1 (patch-src_lib_asiolink_udp__endpoint.h) = d1b0e39cc005cfebb25b89b01018bebd75c6baf2
-SHA1 (patch-src_lib_asiolink_unix__domain__socket.cc) = aff0cc2b9c240d7064d966bc287d93e88968d4a8
-SHA1 (patch-src_lib_dhcp_iface__mgr.cc) = 82bb7a4518bc4f8468d41d1f1e38c51a4155b6b3
 SHA1 (patch-src_lib_dhcp_pkt__filter__bpf.cc) = 42f0e2c23a6dc8467dd28669b032f63fa11566d4
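Review bot: the six removed `patch-src_lib_asiolink_*` and `patch-src_lib_dhcp_iface__mgr.cc` checksum lines have no explanation in the log message. If upstream now carries equivalent fixes (the 2.6.3 notes mention building with Boost 1.87), say so in the log, so that a later reader can tell the patches were dropped as obsolete rather than lost. The three remaining patch entries keep their old SHA1 values, which is consistent with them still applying unchanged.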


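A pre-upgrade check for the path restrictions in items 2, 4, 5 and 7 of the 2.6.3 notes in the log message above, as an added example that is not part of the commit or of Kea itself: it lists every hook library, memfile lease file, log output and control socket in a configuration that lies outside the directory 2.6.3 accepts. Configuration key names not quoted in the log (`hooks-libraries`, `library`, `control-socket`, `socket-name`) are Kea's usual ones, the `/opt/kea` prefix and the hooks directory are constructed placeholders, and treating subdirectories of an allowed directory as outside is an assumption.

```python
import json
import posixpath

# Constructed sample (plain JSON); /opt/kea stands in for [kea-install-dir].
SAMPLE = """{"Dhcp4": {
  "hooks-libraries": [{"library": "/tmp/libdhcp_custom.so"}, {"library": "libdhcp_lease_cmds.so"}],
  "lease-database": {"type": "memfile", "name": "/srv/leases/kea-leases4.csv"},
  "control-socket": {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"},
  "loggers": [{"name": "kea-dhcp4", "output_options": [
      {"output": "/opt/kea/var/log/kea/kea-dhcp4.log"}, {"output": "stdout"}]}]}}"""


def allowed_dirs(prefix, hooks_dir, env=None):
    """Directories named in the log message; hooks_dir is supplied by the caller."""
    env = env or {}
    return {"hook library": hooks_dir,
            "lease file": env.get("KEA_DHCP_DATA_DIR", prefix + "/var/lib/kea"),
            "log file": env.get("KEA_LOG_FILE_DIR", prefix + "/var/log/kea"),
            "socket": prefix + "/var/run/kea"}


def is_outside(path, allowed):
    """A bare file name is always accepted; otherwise the parent must be `allowed`."""
    parent = posixpath.dirname(path)  # assumption: subdirectories count as outside
    return bool(parent) and posixpath.normpath(parent) != posixpath.normpath(allowed)


def audit(config_text, dirs):
    """Return sorted (daemon, kind, path) tuples that point outside dirs[kind]."""
    findings = []
    for daemon, cfg in json.loads(config_text).items():
        paths = [("hook library", h["library"])
                 for h in cfg.get("hooks-libraries", []) if "library" in h]
        db = cfg.get("lease-database", {})
        if db.get("type") == "memfile" and "name" in db:  # SQL backends: name is a DB name
            paths.append(("lease file", db["name"]))
        if "socket-name" in cfg.get("control-socket", {}):
            paths.append(("socket", cfg["control-socket"]["socket-name"]))
        for logger in cfg.get("loggers", []):
            for opt in logger.get("output_options", logger.get("output-options", [])):
                out = opt.get("output", "")
                if out and out.split(":")[0] not in ("stdout", "stderr", "syslog"):
                    paths.append(("log file", out))
        findings += [(daemon, k, p) for k, p in paths if is_outside(p, dirs[k])]
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE, allowed_dirs("/opt/kea", "/opt/kea/lib/kea/hooks")))
```

Passing the daemon's real environment as `env` makes the check honour KEA_DHCP_DATA_DIR and KEA_LOG_FILE_DIR overrides.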
