Updated dependencies (3.27.x)

build-scripts/compile-options

@@ -32,10 +32,6 @@ export PROJECT
 # It's a flag: if it's set to 1 - then we use system OpenSSL.
 # Otherwise, we build it.
 if [ -z "$SYSTEM_SSL" ]; then
-    # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
-    if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then
-        SYSTEM_SSL=1
-    fi
     if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then
         if [ "$OS_VERSION_MAJOR" -ge "15" ]; then
             SYSTEM_SSL=1
@@ -126,7 +122,6 @@ solaris | aix)
     ;;
 esac
 
-# We use system bundled SSL on RHEL >= 8
 if [ "$SYSTEM_SSL" != 1 ]; then
     # zlib is a compression library which is a dependency of OpenSSL.
     # TODO: can we remove zlib dependency? (CFE-4013)

build-scripts/package

@@ -195,13 +195,6 @@ rpm | lpp)
             exit 1
         fi
         log_debug "SELinux policy version: $SELINUX_POLICY_VERSION"
-        # Get OpenSSL version to ensure compatibility
-        OPENSSL_VERSION=$(rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort -n | tail -1)
-        if [ -z "$OPENSSL_VERSION" ]; then
-            log_error "Unable to determine OpenSSL package version"
-            exit 1
-        fi
-        log_debug "OpenSSL version: $OPENSSL_VERSION"
     fi
 
     # Generate RPM spec file from template, substituting version info and scripts
@@ -210,7 +203,6 @@ rpm | lpp)
         -e "s/@@VERSION@@/$RPM_VERSION/g" \
         -e "s/@@RELEASE@@/$safe_prefix$RPM_RELEASE/g" \
         -e "s/@@SELINUX_POLICY_VERSION@@/$SELINUX_POLICY_VERSION/g" \
-        -e "s/@@OPENSSL_VERSION@@/$OPENSSL_VERSION/g" \
         -e "/^%pre\$/r $PREINSTALL" \
         -e "/^%post\$/r $POSTINSTALL" \
         -e "/^%preun\$/r $PREREMOVE" \

ci/fix-buildhost.sh

@@ -14,11 +14,10 @@ if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then
     . /etc/profile
   fi
 fi
-
-# while ENT-13750 is in progress we need to ensure that OTHER builds include openssl devel packages on redhat-based platforms
+# ENT-13750 we return to vendored openssl on rpm platforms so remove possibly installed development packages
 if command -v zypper >/dev/null 2>/dev/null; then
-  sudo zypper install -y libopenssl-devel || true
+  sudo zypper remove -y libopenssl-devel || true
 fi
 if command -v yum >/dev/null 2>/dev/null; then
-  sudo yum install -y openssl-devel || true
+  sudo yum erase -y openssl-devel || true
 fi

deps-packaging/apache/cfbuild-apache.spec

@@ -1,4 +1,4 @@
-%define apache_version 2.4.67
+%define apache_version 2.4.68
 %global __os_install_post %{nil}
 
 Summary: CFEngine Build Automation -- apache

deps-packaging/apache/distfiles

@@ -1 +1 @@
-10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77  httpd-2.4.67.tar.gz
+ed9a9d4500fb48bb28eaffb3ba71d06ccf86d498fa13ab9f781da010cc488498  httpd-2.4.68.tar.gz

deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec

@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl-hub
@@ -18,12 +18,7 @@ AutoReqProv: no
 mkdir -p %{_builddir}
 %setup -q -n curl-%{curl_version}
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-%define ssl_prefix /usr
-%else
 %define ssl_prefix %{prefix}
-%endif
 
 ./configure \
     --with-sysroot=%{prefix} \

deps-packaging/libcurl-hub/distfiles

@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910  curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0  curl-8.20.0.tar.gz

deps-packaging/libcurl/cfbuild-libcurl.spec

@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl
@@ -18,8 +18,7 @@ AutoReqProv: no
 mkdir -p %{_builddir}
 %setup -q -n curl-%{curl_version}
 
-# we don't bundle OpenSSL on RHEL 8 & SUSE 15 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7 || %{?suse_version}%{!?suse_version:0} >= 1500
+%if 0%{?SYSTEM_SSL}
 %define ssl_prefix /usr
 %else
 %define ssl_prefix %{prefix}

deps-packaging/libcurl/distfiles

@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910  curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0  curl-8.20.0.tar.gz

deps-packaging/openldap/cfbuild-openldap.spec

@@ -21,12 +21,7 @@ mkdir -p %{_builddir}
 
 %patch0 -p0
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-CPPFLAGS=-I%{buildprefix}/include:/usr/include
-%else
 CPPFLAGS=-I%{buildprefix}/include
-%endif
 
 #
 # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU.

deps-packaging/openssl/cfbuild-openssl.spec

@@ -1,4 +1,4 @@
-%define openssl_version 3.6.2
+%define openssl_version 3.6.3
 
 Summary: CFEngine Build Automation -- openssl
 Name: cfbuild-openssl

deps-packaging/openssl/distfiles

@@ -1 +1 @@
-aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f  openssl-3.6.2.tar.gz
+243a86649cf6f23eeb6a2ff2456e09e5d77dd9018a54d3d96b0c6bdd6ba6c7f1  openssl-3.6.3.tar.gz

deps-packaging/openssl/source

@@ -1 +1 @@
-https://github.com/openssl/openssl/releases/download/openssl-3.6.2/
+https://github.com/openssl/openssl/releases/download/openssl-3.6.3/

deps-packaging/php/cfbuild-php.spec

@@ -1,4 +1,4 @@
-%define php_version 8.5.6
+%define php_version 8.5.7
 
 Summary: CFEngine Build Automation -- php
 Name: cfbuild-php

deps-packaging/php/distfiles

@@ -1 +1 @@
-169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd  php-8.5.6.tar.gz
+e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049  php-8.5.7.tar.gz

deps-packaging/rsync/cfbuild-rsync.spec

@@ -1,4 +1,4 @@
-%define rsync_version 3.4.3
+%define rsync_version 3.4.4
 
 Summary: CFEngine Build Automation -- rsync
 Name: cfbuild-rsync

deps-packaging/rsync/distfiles

@@ -1 +1 @@
-c72e63ca3021cbc80ba86ec30102773f4c5631fbc492b52e773b3958f82a53d3  rsync-3.4.3.tar.gz
+bd88cf82fa653da32314fb229136407c5c90f80d1758d8f4b091767877d8fa96  rsync-3.4.4.tar.gz

packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in

@@ -31,23 +31,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-Requires: openssl
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: openssl
-%endif
-
 # cfbs/Build requires Python 3.5+ (not available on RHEL 6)
 %if %{?rhel}%{!?rhel:0} == 7
 Requires: python3 >= 3.5
@@ -106,10 +89,6 @@ rm -f %{prefix}/ssl/misc/tsget
 rm -f %{prefix}/ssl/openssl.cnf.dist
 rm -f %{prefix}/ssl/misc/tsget.pl
 
-# Add an openssl symlink if openssl binary doesn't exist
-if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then
-  ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl
-fi
 
 # Hub does not need cf-upgrade, it is only present in host packages
 rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade
@@ -253,16 +232,11 @@ exit 0
 # init.d script enterprise part
 %{prefix}/bin/cfengine3-nova-hub-init-d.sh
 
-# OpenSSL tools (we don't bundle OpenSSL on RHEL 8)
-# Note that prefix/bin/openssl is outside of `if`, since
-# on RHEL8 it's a symlink to a system-wide openssl binary
 %{prefix}/bin/openssl
-%if %{?rhel}%{!?rhel:0} <= 7
 %dir %{prefix}/ssl
 %{prefix}/ssl/openssl.cnf
 %{prefix}/ssl/ct_log_list.cnf
 %{prefix}/ssl/ct_log_list.cnf.dist
-%endif
 
 %prefix/bin/git
 %prefix/bin/gitk

packaging/cfengine-nova/cfengine-nova.spec.in

@@ -23,21 +23,6 @@ Recommends: gzip
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# We don't bundle OpenSSL on RHEL >= 8 and SuSE >= 15
-%if 0%{?SYSTEM_SSL}
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-%endif
-
 AutoReqProv: no
 
 %if %{?with_debugsym}%{!?with_debugsym:0}