Package Release Info

kea-3.0.1-160000.1.1

Update Info: Base Release
Available in Package Hub: 16.0

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

libkea-asiolink88
libkea-cryptolink64
libkea-dhcpsrv130
libkea-hooks119

Change Logs

* Thu Aug 28 2025 jorik.cronenberg@suse.com
- Update to release 3.0.1
  Security Fixes:
  * Corrected an issue in kea-dhcp4 that caused the server to abort
    if a client sent a unicast request with particular options,
    and Kea failed to find an appropriate subnet for that client.
    (CVE-2025-40779)
    [bsc#1248801]
  Changes:
  * Moved Botan crypto backend support to version 3.
  * Avoid adding the qualifying-suffix to fully qualified host
    names specified in host reservations.
* Tue Jul 29 2025 jorik.cronenberg@suse.com
- Remove `/usr/share/kea/meson-info` directory because it contains
  non-reproducible files.
  [bsc#1246670]
* Mon Jul 07 2025 jorik.cronenberg@suse.com
- Use meson install_umask to set binaries and libraries
  permissions.
* Tue Jul 01 2025 jorik.cronenberg@suse.com
- Update to release 3.0.0
  Noteworthy changes:
  * Lease caching is now enabled by default.
  * The control-socket.socket-name and control-socket.socket-type
    parameters have been removed from the CB.
  * Kea now rejects certain default passwords. If you copied your
    Kea configuration from the examples in our documentation using
    our sample password, change your password to a unique value.
  * The kea-control-agent is now deprecated. The individual Kea
    services support HTTP/HTTPS control channels, so the Control
    Agent (CA) is no longer needed. The CA is still available but
    will be removed in a future release.
  * The precedence of options specified in a template class and its
    spawned classes has been reversed. An option specified in a
    spawned class now takes precedence over the same option
    specified in the template class.
  * The only-if-required and require-client-classes were renamed to
    only-in-additional-list and evaluate-additional-classes.
  * Classes included in require-client-classes (now called
    evaluate-additional-classes) that do not have test expressions
    will now be unconditionally added to a client's list of
    matching classes; previously, they were ignored.
  * Additional classes are now evaluated in the same order as
    option-data, i.e. pools, subnets, and shared networks. In
    earlier versions, the order was reversed.
  * It is now possible to define multiple client classes when
    limiting access to networks, subnets, and pools. The parameter
    client-class (a single class name) has been replaced with
    client-classes (a list of one or more class names). The older
    syntax is still accepted but is now deprecated and will be
    removed in the future. You cannot specify both client-class and
    client-classes within the same scope.
  * Option name-value pairs specified in option-data have a new
    parameter available: client-classes. This allows the
    administrator to place a guard on the option requiring
    membership in a class or classes before that particular option
    data will be added to the packet. This is intended as a
    powerful mechanism to bring back some of the functionality from
    the conditional (if) statements that were widely used in ISC
    DHCP. See Option Class-Tagging in the ARM for further
    information.
  * The build system has been switched to meson.
  Further detailed information of all changes is available at
  https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes/release-notes-3.0.0
  and
  https://kb.isc.org/docs/things-to-be-aware-of-when-upgrading-to-kea-300
- Set RuntimeDirectoryPreserve=yes in services to prevent deletion
  of RuntimeDirectory when one service gets stopped.
* Mon Jun 16 2025 jorik.cronenberg@suse.com
- Change After= from network.target to network-online.target and
  add Wants=network-online.target to systemd services to prevent
  starting up before IP setup is finished.
* Mon May 26 2025 jorik.cronenberg@suse.com
- Update to release 2.6.3
  Security Fixes:
  * The default configuration for the Kea Control Agent (CA) has
    been updated to enable basic HTTP authentication. Access to
    the Kea API will thus require a password.
    (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
    [bsc#1243240]
  * `kea-dhcp4`, `kea-dhcp6`, `kea-dhcp-ddns`, and
    `kea-ctrl-agent` now only load hook libraries from the
    default installation directory. For ease of use, the path may
    be omitted.
    (CVE-2025-32801)
    [bsc#1243240]
  * The API command `config-write` will now only write to the same
    directory as the configuration file used when Kea was started
    (passed as a `-c` argument).
    (CVE-2025-32802)
    [bsc#1243240]
  * Lease files can now only be loaded from the data directory
    `/var/lib/kea`. This path may be overridden at startup by
    setting the environment variable `KEA_DHCP_DATA_DIR` to the
    desired path. If a path outside the defined data directory is
    used in `lease-database.name`, Kea returns an error and refuses
    to start or, if already running, aborts and exits. For ease of
    use in specifying a custom file name, simply omit the path
    component from `name`.
    (CVE-2025-32802)
    [bsc#1243240]
  * Log files can now only be written to a defined output directory
    `/var/log/kea`. This path may be overridden at startup by
    setting the environment variable `KEA_LOG_FILE_DIR` to the
    desired path. If a path outside the defined output directory is
    used in `loggers.output_options.output`, Kea returns an error
    and refuses to start or, if already running, aborts and exits.
    For ease of use, simply omit the path component from `output`
    and specify only the file name.
    (CVE-2025-32802)
    [bsc#1243240]
  * Files created by Kea now have more restrictive file
    permissions. Write access by group and any access by others is
    now forbidden.
    (CVE-2025-32803)
    [bsc#1243240]
  * Sockets can no longer be created in a world-writable directory,
    such as `/tmp`. Sockets must now be created in the more
    restricted `/var/run/kea`.
    (CVE-2025-32802)
    [bsc#1243240]
  * Many sample configuration files have been updated to reflect
    changes introduced in this release. In the ARM, the Kea
    Security section has been moved to a more prominent location,
    and a new section concerning securing the Kea Control Agent has
    been added.
    (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
    [bsc#1243240]
  Other changes:
  * Fix build with the latest Boost 1.87.
    (Obsoletes patch `kea-2.6.1-boost_1.87-compat.patch`)
  * Backported a clarification in the ARM about subnet4-delta-add.
- Remove /run/kea from systemd tmpfiles as the creation of this
  directory is handled by the services.
- Replace 'chmod -h' and 'chown -h' with 'find' as the '-h' isn't
  present in Leap/SLE.
- /run/kea now has mode 0750 for all services.
* Wed Apr 30 2025 jorik.cronenberg@suse.com
- Update owner and perms in %post on modified config files
* Tue Apr 15 2025 jengelh@inai.de
- Add logic to %post for switching from kea.service to the new
  split units, kea-*.service.
  (Inspiration taken from strongswan.spec.)
* Wed Apr 02 2025 jorik.cronenberg@suse.com
- Split off services into separate ones to allow more fine-grained
  control for e.g. capabilities.
- Tighten access to state and log directories.
* Wed Mar 26 2025 jorik.cronenberg@suse.com
- Update to release 2.6.2
  Bug fixes:
  * Fix for inaccurate statistics: Kea was miscalculating
    declined and assigned leases.
  * Fix for lease conflicts and NAK: Conflicting entries were
    created when two relayed HA instances tried to update a shared
    lease DB at the same time.
  * Fix for `subnetX-del` not removing subnets completely:
    `subnetX-del` was not correctly deleting the subnet declaration
    from the shared network configuration section.
  * Fix for `config-write` and `retry-on-startup` parameter:
    `config-write` was improperly storing the `retry-on-startup`
    parameter in the config file, causing Kea to fail when
    restarting.
  * Fix for incorrect DB schema entry: A typo prevented the
    upgrade script from working in certain circumstances.
  * Fix for mishandling malformed DISCOVER packets:
  * Fix for excessive memory utilization when receiving frequent
    SIGHUP: Kea was storing a history of configs in memory with
    each restart.
  * Fix for `config-set` with `output_options`: `config-set` was
    omitting the `output_options` section when spelled with "_".
  * Fix for store-extended-info breaking lease limits: A specific
    combination of vendor classes and storing extended info caused
    limits to not be applied.
  * Fix for DB connection recovery
  * DB upgrade scripts: DB upgrade could fail on some
    distributions.