Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package traefik for openSUSE:Factory checked in at 2025-01-28 14:59:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/traefik (Old) and /work/SRC/openSUSE:Factory/.traefik.new.2316 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "traefik" Tue Jan 28 14:59:44 2025 rev:30 rq:1240748 version:3.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/traefik/traefik.changes 2025-01-15 17:45:28.598336661 +0100 +++ /work/SRC/openSUSE:Factory/.traefik.new.2316/traefik.changes 2025-01-28 15:00:40.637775477 +0100 @@ -1,0 +2,14 @@ +Tue Jan 21 13:30:26 UTC 2025 - Johannes Weberhofer <jweberho...@weberhofer.at> + +- Fix possible privilege escalation when mofing the acme.json file to the new + location. Thanks Johannes Segitz (fix for boo#1235408) + +- Version 3.3.2 + - fastproxy + * Do not read response body for HEAD requests (gh#traefik/traefik#11442) + - metrics,tracing,accesslogs + * Fix observability configuration on EntryPoints (gh#traefik/traefik#11446) + - webui + * Set content-type when serving webui index (gh#traefik/traefik#11428) + +------------------------------------------------------------------- @@ -2,0 +17 @@ + Old: ---- traefik-v3.3.1.src.tar.gz New: ---- traefik-v3.3.2.src.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ traefik.spec ++++++ --- /var/tmp/diff_new_pack.YgWOSx/_old 2025-01-28 15:00:41.509811528 +0100 +++ /var/tmp/diff_new_pack.YgWOSx/_new 2025-01-28 15:00:41.509811528 +0100 @@ -23,7 +23,7 @@ %define buildmode pie %endif Name: traefik -Version: 3.3.1 +Version: 3.3.2 Release: 0 Summary: The Cloud Native Application Proxy License: MIT 
@@ -111,11 +111,18 @@ %post %service_add_post %{name}.service %{fillup_only -n %{name}} -# fix ownership for config and logging directory -chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name} -# try to move acme.json file from old directory to new +# prepare ownership for operations as root user +chown -R root: %{_sysconfdir}/%{name} +chown root: %{_localstatedir}/lib/%{name} + if [ -e "%{_sysconfdir}/%{name}/acme.json" ] ; then + # try to move acme.json file from old directory to the new location + if [ -L "%{_sysconfdir}/%{name}/acme.json" ] ; then + echo "Delete the symbolic link %{_sysconfdir}/%{name}/acme.json" 1>&2 + echo "The ACME file must be placed in %{_localstatedir}/lib/traefik" 1>&2 + exit 0 + fi if [ -s "%{_sysconfdir}/%{name}/acme.json" ] ; then if [ -s "%{_localstatedir}/lib/%{name}/acme.json" ] ; then # if not-empty acme.json files exists on old and new location, write warning @@ -125,7 +132,7 @@ else # if not-empty acme.json exists on old location and no file or empty file exists on new location # move it to the new location - mv "%{_sysconfdir}/%{name}/acme.json" "%{_localstatedir}/lib/%{name}/acme.json" + mv %{_sysconfdir}/%{name}/acme.json %{_localstatedir}/lib/%{name}/acme.json sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml fi else 
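Review bot: The `exit 0` in the new symbolic-link branch terminates the whole %post scriptlet, not just the migration, so the permission and ownership fix-ups that come later in %post (the `chmod`/`find`/`chown -R root:traefik` block in hunk @@ -134,9 +141,18 @@) never run on a host where acme.json is a symlink; by then this hunk has already executed `chown -R root: %{_sysconfdir}/%{name}` and `chown root: %{_localstatedir}/lib/%{name}`, which as far as is visible leaves the config tree root:root and the state directory root-owned, so the service would lose access to both while rpm still reports success. Skipping only the move keeps the hardening intact: make the symlink test the first arm and fold the existence test into it — `if [ -L "%{_sysconfdir}/%{name}/acme.json" ] ; then` followed by the two `echo` lines, then `elif [ -e "%{_sysconfdir}/%{name}/acme.json" ] ; then` — and drop the `exit 0` together with the `fi` that closed the inner test. The %post scriptlet continues past the end of this hunk.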
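Review bot: The rewritten `mv` line drops the double quotes the removed line had, while the `[ -s … ]` tests on the surrounding lines keep theirs; the macros expand to fixed paths without whitespace, so nothing breaks today, but the inconsistency reads as accidental and gives up the protection should a path macro ever be redefined. I would keep the quoting and also stop option parsing on the file names: `mv -- "%{_sysconfdir}/%{name}/acme.json" "%{_localstatedir}/lib/%{name}/acme.json"`. The if/else this line sits in, and the %post scriptlet around it, start and end outside this hunk.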
@@ -134,9 +141,18 @@ sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml fi fi - -# fix ownership for acme file -chown -R traefik: %{_localstatedir}/lib/%{name}/* +# set correct permissions +chmod 0750 %{_sysconfdir}/%{name} %{_sysconfdir}/%{name}/conf.d +find %{_sysconfdir}/%{name} -type d -exec chmod 0750 {} \; +find %{_sysconfdir}/%{name} -type f -exec chmod 0640 {} \; + +chmod 0700 %{_localstatedir}/lib/%{name} +chmod 0600 %{_localstatedir}/lib/%{name}/* + +# set ownership for normal operation +chown -R root:traefik %{_sysconfdir}/%{name} +chown -R traefik: %{_localstatedir}/lib/%{name} +chown -R traefik: %{_localstatedir}/log/%{name} %preun %service_del_preun %{name}.service @@ -155,13 +171,16 @@ %{_sbindir}/rc%{name} %{_prefix}/lib/sysctl.d/90-%{name}.conf -%defattr(0600, traefik, traefik, 0700) +# config files are owned by root but can be read by traefik +%defattr(0640, root, traefik, 0750) %dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}/conf.d +%config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml +# certificates are visible for traefik only +%defattr(0600, traefik, traefik, 0700) %dir %{_localstatedir}/lib/%{name} %config(noreplace) %{_localstatedir}/lib/%{name}/acme.json -%config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml %dir %{_localstatedir}/log/%{name} ++++++ traefik-v3.3.1.src.tar.gz -> traefik-v3.3.2.src.tar.gz ++++++ /work/SRC/openSUSE:Factory/traefik/traefik-v3.3.1.src.tar.gz /work/SRC/openSUSE:Factory/.traefik.new.2316/traefik-v3.3.2.src.tar.gz differ: char 26, line 2 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/traefik/vendor.tar.gz /work/SRC/openSUSE:Factory/.traefik.new.2316/vendor.tar.gz differ: char 5, line 1
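Review bot: `chmod 0600 %{_localstatedir}/lib/%{name}/*` operates through symbolic links — chmod has no no-dereference option, so if an entry in that directory is a symlink the mode change lands on the link's target — and before this scriptlet runs the directory contents belonged to the traefik account (removed line `chown -R traefik: %{_localstatedir}/lib/%{name}/*`, old `%defattr(0600, traefik, traefik, 0700)`), which is the same situation the new symlink check on acme.json in hunk @@ -111,11 +111,18 @@ guards against for the config directory. The `find -type f` form this hunk already uses for `%{_sysconfdir}/%{name}` does not match symlinks and is the consistent fix: `find %{_localstatedir}/lib/%{name} -type f -exec chmod 0600 {} \;`. The glob also stays literal when the directory is empty, which the find form avoids. Whether the three `chown -R` calls that follow change a symlink itself or its target depends on the chown implementation's default for recursive traversal; worth confirming for the same reason. The %post scriptlet begins outside this hunk.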