Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cups for openSUSE:Factory checked in 
at 2021-11-27 00:50:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups (Old)
 and      /work/SRC/openSUSE:Factory/.cups.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cups"

Sat Nov 27 00:50:44 2021 rev:158 rq:933432 version:2.3.3op2

Changes:
--------
--- /work/SRC/openSUSE:Factory/cups/cups.changes        2021-06-11 
22:30:51.334149081 +0200
+++ /work/SRC/openSUSE:Factory/.cups.new.1895/cups.changes      2021-11-27 
00:51:25.126782509 +0100
@@ -1,0 +2,6 @@
+Fri Oct 15 07:31:10 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_cups.service.patch
+
+-------------------------------------------------------------------

New:
----
  harden_cups.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cups.spec ++++++
--- /var/tmp/diff_new_pack.AZSOqB/_old  2021-11-27 00:51:26.194778821 +0100
+++ /var/tmp/diff_new_pack.AZSOqB/_new  2021-11-27 00:51:26.198778807 +0100
@@ -85,6 +85,7 @@
 Patch104:       cups-config-libs.patch
 # Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
 Patch106:       fix-negotiate-authentication-between-CGIs-and-scheduler.patch
+Patch107:      harden_cups.service.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@@ -309,6 +310,7 @@
 %patch104 -b cups-config-libs.orig
 # Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
 %patch106 -p1
+%patch107 -p1
 
 %build
 # Remove ".SILENT" rule for verbose build output






++++++ harden_cups.service.patch ++++++
Index: cups-2.3.3op2/scheduler/cups.service.in
===================================================================
--- cups-2.3.3op2.orig/scheduler/cups.service.in
+++ cups-2.3.3op2/scheduler/cups.service.in
@@ -5,6 +5,17 @@ After=network.target sssd.service ypbind
 Requires=cups.socket
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=@sbindir@/cupsd -l
 Type=notify
 Restart=on-failure

Reply via email to