From 05cb7abee1f39d87fe61ea18066f94216768debc Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Jun 2026 09:05:26 +0000
Subject: [PATCH 1/7] Updated dependency 'apache' from version 2.4.67 to 2.4.68
---
 deps-packaging/apache/cfbuild-apache.spec | 2 +-
 deps-packaging/apache/distfiles | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec
index 854b8cafd..5456f4f2b 100644
--- a/deps-packaging/apache/cfbuild-apache.spec
+++ b/deps-packaging/apache/cfbuild-apache.spec
@@ -1,4 +1,4 @@
-%define apache_version 2.4.67
+%define apache_version 2.4.68
 %global __os_install_post %{nil}
 Summary: CFEngine Build Automation -- apache
diff --git a/deps-packaging/apache/distfiles b/deps-packaging/apache/distfiles
index e2962e04d..8801b00aa 100644
--- a/deps-packaging/apache/distfiles
+++ b/deps-packaging/apache/distfiles
@@ -1 +1 @@
-10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 httpd-2.4.67.tar.gz
+ed9a9d4500fb48bb28eaffb3ba71d06ccf86d498fa13ab9f781da010cc488498 httpd-2.4.68.tar.gz
From 3201a4fcf9dfc55e34234565abec0e8eaa868579 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Jun 2026 09:05:28 +0000
Subject: [PATCH 2/7] Updated dependency 'libcurl' from version 8.17.0 to 8.20.0
---
 deps-packaging/libcurl/cfbuild-libcurl.spec | 2 +-
 deps-packaging/libcurl/distfiles | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps-packaging/libcurl/cfbuild-libcurl.spec b/deps-packaging/libcurl/cfbuild-libcurl.spec
index 592d6c389..82023bbb7 100644
--- a/deps-packaging/libcurl/cfbuild-libcurl.spec
+++ b/deps-packaging/libcurl/cfbuild-libcurl.spec
@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl
diff --git a/deps-packaging/libcurl/distfiles b/deps-packaging/libcurl/distfiles
index 06c2470ca..024e5bcdd 100644
--- a/deps-packaging/libcurl/distfiles
+++ b/deps-packaging/libcurl/distfiles
@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz
From 13666e0a9d57d4b4772c2b04c460693b094d439a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Jun 2026 09:05:28 +0000
Subject: [PATCH 3/7] Updated dependency 'libcurl-hub' from version 8.17.0 to 8.20.0
---
 deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec | 2 +-
 deps-packaging/libcurl-hub/distfiles | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
index bc9a1045d..61af2fd7e 100644
--- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
+++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl-hub
diff --git a/deps-packaging/libcurl-hub/distfiles b/deps-packaging/libcurl-hub/distfiles
index 06c2470ca..024e5bcdd 100644
--- a/deps-packaging/libcurl-hub/distfiles
+++ b/deps-packaging/libcurl-hub/distfiles
@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz
From 2f10e59865feee67203b8ddcfde04d0fdf5a81f0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Jun 2026 09:05:31 +0000
Subject: [PATCH 4/7] Updated dependency 'openssl' from version 3.6.2 to 3.6.3
---
 deps-packaging/openssl/cfbuild-openssl.spec | 2 +-
 deps-packaging/openssl/distfiles | 2 +-
 deps-packaging/openssl/source | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec
index c1468813d..908f6034f 100644
--- a/deps-packaging/openssl/cfbuild-openssl.spec
+++ b/deps-packaging/openssl/cfbuild-openssl.spec
@@ -1,4 +1,4 @@
-%define openssl_version 3.6.2
+%define openssl_version 3.6.3
 Summary: CFEngine Build Automation -- openssl
 Name: cfbuild-openssl
diff --git a/deps-packaging/openssl/distfiles b/deps-packaging/openssl/distfiles
index 7757c3c4a..c44c5e0ee 100644
--- a/deps-packaging/openssl/distfiles
+++ b/deps-packaging/openssl/distfiles
@@ -1 +1 @@
-aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f openssl-3.6.2.tar.gz
+243a86649cf6f23eeb6a2ff2456e09e5d77dd9018a54d3d96b0c6bdd6ba6c7f1 openssl-3.6.3.tar.gz
diff --git a/deps-packaging/openssl/source b/deps-packaging/openssl/source
index 325946a65..f36cdd0b3 100644
--- a/deps-packaging/openssl/source
+++ b/deps-packaging/openssl/source
@@ -1 +1 @@
-https://github.com/openssl/openssl/releases/download/openssl-3.6.2/
+https://github.com/openssl/openssl/releases/download/openssl-3.6.3/
From a9d0e2ca4180d80b76bd0073e5911deed41ea3dd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Jun 2026 09:05:33 +0000
Subject: [PATCH 5/7] Updated dependency 'php' from version 8.5.6 to 8.5.7
---
 deps-packaging/php/cfbuild-php.spec | 2 +-
 deps-packaging/php/distfiles | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps-packaging/php/cfbuild-php.spec b/deps-packaging/php/cfbuild-php.spec
index 3662e37ce..4170c2282 100644
--- a/deps-packaging/php/cfbuild-php.spec
+++ b/deps-packaging/php/cfbuild-php.spec
@@ -1,4 +1,4 @@
-%define php_version 8.5.6
+%define php_version 8.5.7
 Summary: CFEngine Build Automation -- php
 Name: cfbuild-php
diff --git a/deps-packaging/php/distfiles b/deps-packaging/php/distfiles
index 718f64fcb..a6bc2db63 100644
--- a/deps-packaging/php/distfiles
+++ b/deps-packaging/php/distfiles
@@ -1 +1 @@
-169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd php-8.5.6.tar.gz
+e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049 php-8.5.7.tar.gz
From 44e600aa59e61f320f8a19a680c9f60cae7f896e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Jun 2026 09:05:35 +0000
Subject: [PATCH 6/7] Updated dependency 'rsync' from version 3.4.3 to 3.4.4
---
 deps-packaging/rsync/cfbuild-rsync.spec | 2 +-
 deps-packaging/rsync/distfiles | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps-packaging/rsync/cfbuild-rsync.spec b/deps-packaging/rsync/cfbuild-rsync.spec
index e66605fb7..c000d8c76 100644
--- a/deps-packaging/rsync/cfbuild-rsync.spec
+++ b/deps-packaging/rsync/cfbuild-rsync.spec
@@ -1,4 +1,4 @@
-%define rsync_version 3.4.3
+%define rsync_version 3.4.4
 Summary: CFEngine Build Automation -- rsync
 Name: cfbuild-rsync
diff --git a/deps-packaging/rsync/distfiles b/deps-packaging/rsync/distfiles
index 2d0543c64..0424dd772 100644
--- a/deps-packaging/rsync/distfiles
+++ b/deps-packaging/rsync/distfiles
@@ -1 +1 @@
-c72e63ca3021cbc80ba86ec30102773f4c5631fbc492b52e773b3958f82a53d3 rsync-3.4.3.tar.gz
+bd88cf82fa653da32314fb229136407c5c90f80d1758d8f4b091767877d8fa96 rsync-3.4.4.tar.gz
From 0a10843126232d53e39a862b17785e9515399856 Mon Sep 17 00:00:00 2001
From: Craig Comstock Date: Fri, 15 May 2026 16:31:58 -0500 Subject: [PATCH 7/7] Changed all rhel-based packages to use vendored openssl Previous issues with libpam modules linking to a different openssl version/api are no longer an issue. Ticket: ENT-13750 Changelog: title (cherry picked from commit 0e1f4e3b1ebc0323dcf1a2b7944f681d86d03cc7) Conflicts: README.md ci/cfengine-build-host-setup.cf ci/fix-buildhost.sh Had to adjust host setup including or not openssl devel packages since we added code to REMOVE those in master and ADD them in LTS branches. --- build-scripts/compile-options | 5 ---- build-scripts/package | 8 ------ ci/fix-buildhost.sh | 7 +++-- .../libcurl-hub/cfbuild-libcurl-hub.spec | 5 ---- deps-packaging/libcurl/cfbuild-libcurl.spec | 3 +-- deps-packaging/openldap/cfbuild-openldap.spec | 5 ---- .../cfengine-nova-hub.spec.in | 26 ------------------- packaging/cfengine-nova/cfengine-nova.spec.in | 15 ----------- 8 files changed, 4 insertions(+), 70 deletions(-) diff --git a/build-scripts/compile-options b/build-scripts/compile-options index a7e416308..4206536d1 100644 --- a/build-scripts/compile-options +++ b/build-scripts/compile-options @@ -32,10 +32,6 @@ export PROJECT # It's a flag: if it's set to 1 - then we use system OpenSSL. # Otherwise, we build it. if [ -z "$SYSTEM_SSL" ]; then - # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl. - if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then - SYSTEM_SSL=1 - fi if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then if [ "$OS_VERSION_MAJOR" -ge "15" ]; then SYSTEM_SSL=1 @@ -126,7 +122,6 @@ solaris | aix) ;; esac -# We use system bundled SSL on RHEL >= 8 if [ "$SYSTEM_SSL" != 1 ]; then # zlib is a compression library which is a dependency of OpenSSL. # TODO: can we remove zlib dependency? (CFE-4013) diff --git a/build-scripts/package b/build-scripts/package index f156b8ac7..768083f15 100755 --- a/build-scripts/package 
+++ b/build-scripts/package @@ -195,13 +195,6 @@ rpm | lpp) exit 1 fi log_debug "SELinux policy version: $SELINUX_POLICY_VERSION" - # Get OpenSSL version to ensure compatibility - OPENSSL_VERSION=$(rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort -n | tail -1) - if [ -z "$OPENSSL_VERSION" ]; then - log_error "Unable to determine OpenSSL package version" - exit 1 - fi - log_debug "OpenSSL version: $OPENSSL_VERSION" fi # Generate RPM spec file from template, substituting version info and scripts @@ -210,7 +203,6 @@ rpm | lpp) -e "s/@@VERSION@@/$RPM_VERSION/g" \ -e "s/@@RELEASE@@/$safe_prefix$RPM_RELEASE/g" \ -e "s/@@SELINUX_POLICY_VERSION@@/$SELINUX_POLICY_VERSION/g" \ - -e "s/@@OPENSSL_VERSION@@/$OPENSSL_VERSION/g" \ -e "/^%pre\$/r $PREINSTALL" \ -e "/^%post\$/r $POSTINSTALL" \ -e "/^%preun\$/r $PREREMOVE" \ diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh index 2569da40f..1b6c1a31f 100755 --- a/ci/fix-buildhost.sh +++ b/ci/fix-buildhost.sh @@ -14,11 +14,10 @@ if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then . /etc/profile fi fi - -# while ENT-13750 is in progress we need to ensure that OTHER builds include openssl devel packages on redhat-based platforms +# ENT-13750 we return to vendored openssl on rpm platforms so remove possibly installed development packages if command -v zypper >/dev/null 2>/dev/null; then - sudo zypper install -y libopenssl-devel || true + sudo zypper remove -y libopenssl-devel || true fi if command -v yum >/dev/null 2>/dev/null; then - sudo yum install -y openssl-devel || true + sudo yum erase -y openssl-devel || true fi diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec index 61af2fd7e..bdf2e2a9f 100644 --- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec +++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec 
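Review bot: In ci/fix-buildhost.sh the new `sudo zypper remove -y libopenssl-devel || true` runs on every zypper host, yet build-scripts/compile-options in this same patch still sets `SYSTEM_SSL=1` for opensuse/sles with major version 15 or newer, so those builds presumably still need the system OpenSSL headers that this step deletes. The subject line speaks only of rhel-based packages; consider dropping the zypper branch or guarding it on the SUSE major version. The `|| true` on both removals also hides a failed erase, in which case leftover system headers could be picked up ahead of the vendored OpenSSL without any signal; a follow-up check such as `rpm -q openssl-devel >/dev/null && echo "warning: openssl-devel still installed" >&2` would make that visible. The same SUSE question applies to the `%if 0%{?SYSTEM_SSL}` Requires block removed from packaging/cfengine-nova/cfengine-nova.spec.in, which, with `AutoReqProv: no`, appears to leave SYSTEM_SSL builds with no declared libssl/libcrypto dependency.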
@@ -18,12 +18,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n curl-%{curl_version} -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 -%define ssl_prefix /usr -%else %define ssl_prefix %{prefix} -%endif ./configure \ --with-sysroot=%{prefix} \ diff --git a/deps-packaging/libcurl/cfbuild-libcurl.spec b/deps-packaging/libcurl/cfbuild-libcurl.spec index 82023bbb7..90e6d8585 100644 --- a/deps-packaging/libcurl/cfbuild-libcurl.spec +++ b/deps-packaging/libcurl/cfbuild-libcurl.spec @@ -18,8 +18,7 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n curl-%{curl_version} -# we don't bundle OpenSSL on RHEL 8 & SUSE 15 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 || %{?suse_version}%{!?suse_version:0} >= 1500 +%if 0%{?SYSTEM_SSL} %define ssl_prefix /usr %else %define ssl_prefix %{prefix} diff --git a/deps-packaging/openldap/cfbuild-openldap.spec b/deps-packaging/openldap/cfbuild-openldap.spec index 91ba0ddef..bc8fc15ac 100644 --- a/deps-packaging/openldap/cfbuild-openldap.spec +++ b/deps-packaging/openldap/cfbuild-openldap.spec @@ -21,12 +21,7 @@ mkdir -p %{_builddir} %patch0 -p0 -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} > 7 -CPPFLAGS=-I%{buildprefix}/include:/usr/include -%else CPPFLAGS=-I%{buildprefix}/include -%endif # # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU. diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in index 26d966570..9b13166c3 100644 --- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in +++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in 
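Review bot: In deps-packaging/libcurl/cfbuild-libcurl.spec the new `%if 0%{?SYSTEM_SSL}` depends on an rpm macro named SYSTEM_SSL being defined when this spec is built, and nothing visible in the patch shows the shell variable from build-scripts/compile-options being handed to rpmbuild for the dependency specs. If the macro is undefined the expression evaluates to 0 and `ssl_prefix` silently becomes `%{prefix}`, which on a SUSE 15 host (still `SYSTEM_SSL=1` in compile-options) would point curl's configure at a prefix that holds no OpenSSL. The hunk also drops the explanatory comment; once the place where the define is passed is confirmed, I would add `# SYSTEM_SSL is defined by the build scripts (rpmbuild --define) on platforms where OpenSSL is not bundled` above the `%if`. The libcurl-hub and openldap hunks in this patch hard-code the vendored prefix instead, so the reason for the two different approaches deserves a sentence in the commit message.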
@@ -31,23 +31,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} == 8 -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -Requires: openssl -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: openssl -%endif - # cfbs/Build requires Python 3.5+ (not available on RHEL 6) %if %{?rhel}%{!?rhel:0} == 7 Requires: python3 >= 3.5 @@ -106,10 +89,6 @@ rm -f %{prefix}/ssl/misc/tsget rm -f %{prefix}/ssl/openssl.cnf.dist rm -f %{prefix}/ssl/misc/tsget.pl -# Add an openssl symlink if openssl binary doesn't exist -if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then - ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl -fi # Hub does not need cf-upgrade, it is only present in host packages rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade 
@@ -253,16 +232,11 @@ exit 0 # init.d script enterprise part %{prefix}/bin/cfengine3-nova-hub-init-d.sh -# OpenSSL tools (we don't bundle OpenSSL on RHEL 8) -# Note that prefix/bin/openssl is outside of `if`, since -# on RHEL8 it's a symlink to a system-wide openssl binary %{prefix}/bin/openssl -%if %{?rhel}%{!?rhel:0} <= 7 %dir %{prefix}/ssl %{prefix}/ssl/openssl.cnf %{prefix}/ssl/ct_log_list.cnf %{prefix}/ssl/ct_log_list.cnf.dist -%endif %prefix/bin/git %prefix/bin/gitk diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in index afe2d65f4..81b018910 100644 --- a/packaging/cfengine-nova/cfengine-nova.spec.in +++ b/packaging/cfengine-nova/cfengine-nova.spec.in @@ -23,21 +23,6 @@ Recommends: gzip Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# We don't bundle OpenSSL on RHEL >= 8 and SuSE >= 15 -%if 0%{?SYSTEM_SSL} -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -%endif - AutoReqProv: no %if %{?with_debugsym}%{!?with_debugsym:0}