[#4031] release changes

ChangeLog

@@ -1,3 +1,27 @@
+Kea 3.1.0 (development) released on July 30, 2025
+
+2381.	[build]*		fdupont
+	Moved Botan crypto backend support to version 3.
+	(Gitlab #3553)
+
+2380.	[bug]		tmark
+	kea-dhcp4 now correctly supports option class-tags
+	(i.e."client-classes") in host and config back ends
+	for both MySQL and PosgreSQL.
+	(Gitlab #3770)
+
+2379.	[func]		razvan
+	Added SSL/TLS support for PostgreSQL database connection in
+	the Kea configuration. Available parameters are:
+	"trust-anchor", "cert-file", "key-file" and "ssl-mode".
+	(Gitlab #3927)
+
+2378.	[sec]*		tmark
+	Additional runtime security checks were added
+	to kea-dhcp4,kea-dhcp6,kea-dhcp-ddns, and
+	kea-ctrl-agent
+	(Gitlab #3848)
+
 2377.	[build]		razvan
 	The library version numbers have been bumped up for the Kea 3.1.0
 	development release.

changelog_unreleased/3553-botan-3

@@ -1,3 +0,0 @@
-[build]*		fdupont
-	Moved Botan crypto backend support to version 3.
-	(Gitlab #3553)

changelog_unreleased/3770-examine-cb-command-behavior-for-mulitple-options-with-the-same-code-in-a-given-scope

@@ -1,5 +0,0 @@
-[bug]		tmark
-	kea-dhcp4 now correctly supports option class-tags
-	(i.e."client-classes") in host and config back ends
-	for both MySQL and PosgreSQL.
-	(Gitlab #3770)

changelog_unreleased/3848-security-policy-security-strict-relaxed

@@ -1,5 +0,0 @@
-[sec]*		tmark
-	Additional runtime security checks were added
-	to kea-dhcp4,kea-dhcp6,kea-dhcp-ddns, and
-	kea-ctrl-agent
-	(Gitlab #3848)

changelog_unreleased/3927-add-tls-settings-to-pqconnectdb

@@ -1,5 +0,0 @@
-[func]		razvan
-	Added SSL/TLS support for PostgreSQL database connection in
-	the Kea configuration. Available parameters are:
-	"trust-anchor", "cert-file", "key-file" and "ssl-mode".
-	(Gitlab #3927)

doc/sphinx/grammar/grammar-dhcp4-parser.rst

@@ -343,6 +343,7 @@ This grammar is generated from ``dhcp4_parser.yy``. See :ref:`dhcp4` for more de
                        | trust_anchor
                        | cert_file
                        | key_file
+                       | ssl_mode
                        | cipher_list
                        | unknown_map_entry
 
@@ -392,6 +393,13 @@ This grammar is generated from ``dhcp4_parser.yy``. See :ref:`dhcp4` for more de
 
      key_file ::= "key-file" ":" STRING
 
+     ssl_mode ::= "ssl-mode" ":" ssl_mode
+             | "disable"
+             | "prefer"
+             | "require"
+             | "verify-ca"
+             | "verify-full"
+
      cipher_list ::= "cipher-list" ":" STRING
 
      host_reservation_identifiers ::= "host-reservation-identifiers" ":" "[" host_reservation_identifiers_list "]"

doc/sphinx/grammar/grammar-dhcp6-parser.rst

@@ -320,6 +320,7 @@ This grammar is generated from ``dhcp6_parser.yy``. See :ref:`dhcp6` for more de
                        | trust_anchor
                        | cert_file
                        | key_file
+                       | ssl_mode
                        | cipher_list
                        | unknown_map_entry
 
@@ -369,6 +370,13 @@ This grammar is generated from ``dhcp6_parser.yy``. See :ref:`dhcp6` for more de
 
      key_file ::= "key-file" ":" STRING
 
+     ssl_mode ::= "ssl-mode" ":" ssl_mode
+             | "disable"
+             | "prefer"
+             | "require"
+             | "verify-ca"
+             | "verify-full"
+
      cipher_list ::= "cipher-list" ":" STRING
 
      sanity_checks ::= "sanity-checks" ":" "{" sanity_checks_params "}"

doc/sphinx/kea-messages.rst

@@ -2691,6 +2691,18 @@ Logged at debug log level 10.
 This debug messages is issued when the Command HTTP listener, listening
 at the given address and port, has begun to shutdown.
 
+COMMAND_HTTP_SOCKET_SECURITY_WARNING
+====================================
+
+.. code-block:: text
+
+    command socket configuration is NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and command socket configuration does not use HTTPS/TLS or  baseic HTTP
+authentication. The server will still use the socket as configured but
+is warning that doing so may pose a security risk.
+
 COMMAND_PROCESS_ERROR1
 ======================
 
@@ -2880,6 +2892,30 @@ COMMAND_SOCKET_WRITE_FAIL
 This error message indicates that an error was encountered while
 attempting to send a response to the command socket.
 
+COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING
+=========================================
+
+.. code-block:: text
+
+    unix socket path is NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and the path specified for a control channel unix socket-name does
+not comply with the supported path. The server will still use the
+specified path but is warning that doing so may pose a security risk.
+
+COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING
+================================================
+
+.. code-block:: text
+
+    unix socket permissions are NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and the path specified for a control channel unix socket-name does
+not have the required socket permissions. The server will still use the
+specified path but is warning that doing so may pose a security risk.
+
 COMMAND_WATCH_SOCKET_CLEAR_ERROR
 ================================
 
@@ -3508,6 +3544,19 @@ DCTL_INIT_PROCESS_FAIL
 This error message is issued if the controller could not initialize the
 application and will exit.
 
+DCTL_LOG_PATH_SECURITY_WARNING
+==============================
+
+.. code-block:: text
+
+    Log output path specified is NOT SECURE: %1
+
+This warning message is issued when security enforcement is
+disabled and the output path specified for a given logger does
+not comply with the supported path. The server will still
+use the specified path but is warning that doing so may pose a
+security risk.
+
 DCTL_NOT_RUNNING
 ================
 
@@ -3567,6 +3616,18 @@ The controller has encountered a fatal error while running the
 application and is terminating. The reason for the failure is
 included in the message.
 
+DCTL_ROOT_USER_SECURITY_WARNING
+===============================
+
+.. code-block:: text
+
+    %1 running as root user!
+
+This warning is emitted when the server is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration.
+
 DCTL_RUN_PROCESS
 ================
 
@@ -5829,6 +5890,18 @@ supplied its hostname. The first argument includes the client and the
 transaction identification information. The second argument holds the
 generated hostname.
 
+DHCP4_ROOT_USER_SECURITY_WARNING
+================================
+
+.. code-block:: text
+
+    kea-dhcp4 running as root user!
+
+This warning is emitted when kea-dhcp4 is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration.
+
 DHCP4_SECURITY_CHECKS_DISABLED
 ==============================
 
@@ -8187,6 +8260,18 @@ identification information. The second and third argument contains the
 packet name and type respectively. The fourth argument contains detailed
 packet information.
 
+DHCP6_ROOT_USER_SECURITY_WARNING
+================================
+
+.. code-block:: text
+
+    kea-dhcp6 running as root user!
+
+This warning is emitted when kea-dhcp6 is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration
+
 DHCP6_SECURITY_CHECKS_DISABLED
 ==============================
 
@@ -9964,6 +10049,18 @@ testing but should not be enabled in normal circumstances. Non-persistence
 mode is enabled when 'persist4=no persist6=no' parameters are specified
 in the database access string.
 
+DHCPSRV_MEMFILE_PATH_SECURITY_WARNING
+=====================================
+
+.. code-block:: text
+
+    Lease file path specified is NOT SECURE: %1
+
+This warning message is issued when security enforcement is
+disabled and the lease file path specified for does not comply
+with the supported path. The server will still use the specified
+path but is warning that doing so may pose a security risk.
+
 DHCPSRV_MEMFILE_READ_HWADDR_FAIL
 ================================
 
@@ -11454,6 +11551,18 @@ message but the attempt to send it suffered an unexpected error. This is most
 likely a programmatic error, rather than a communications issue. Some or all
 of the DNS updates requested as part of this request did not succeed.
 
+DHCP_DDNS_TSIG_SECRET_SECURITY_WARNING
+======================================
+
+.. code-block:: text
+
+    use of clear text TSIG 'secret' is NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and TSIG key configuration uses clear text 'secret' rather
+than 'secret-file'. The server will still use the key as configured
+but is warning that doing so may pose a security risk.
+
 DHCP_DDNS_UDP_SENDER_WATCH_SOCKET_CLOSE_ERROR
 =============================================
 
@@ -14489,6 +14598,19 @@ This is most likely due to the installation of a new version of Kea
 without rebuilding the hook library.  A rebuild and re-install of the
 library should fix the problem in most cases.
 
+HOOKS_LIBPATH_SECURITY_WARNING
+==============================
+
+.. code-block:: text
+
+    Library path specified is NOT SECURE: %1
+
+This warning message is issued when security enforcement is
+disabled and the library path specified for a given hook library
+does not comply with the supported path. The server will still load
+the hook library but is warning that doing so may pose a security
+risk.
+
 HOOKS_LIBRARY_CLOSED
 ====================
 
@@ -15975,6 +16097,18 @@ HOST_CACHE_INIT_OK
 This info message indicates that the Host Cache hooks library has been
 loaded successfully. Enjoy!
 
+HOST_CACHE_PATH_SECURITY_WARNING
+================================
+
+.. code-block:: text
+
+    Cache file path specified is NOT SECURE: %1
+
+This warning message is issued when security enforcement is
+disabled and the host cache file path specified does not comply
+with the supported path. The server will still use the specified
+path but is warning that doing so may pose a security risk.
+
 HOST_CMDS_DEINIT_OK
 ===================
 
@@ -16344,6 +16478,18 @@ Logged at debug log level 40.
 This debug message is issued when a multi-threaded HTTP client instance has
 been created.  The argument specifies the maximum number of threads.
 
+HTTP_CLIENT_PASSWORD_SECURITY_WARNING
+=====================================
+
+.. code-block:: text
+
+    use of clear text 'password' is NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and command socket configuration uses clear text 'password' rather
+than 'password-file'. The server will still use the socket as configured
+but is warning that doing so may pose a security risk.
+
 HTTP_CLIENT_QUEUE_SIZE_GROWING
 ==============================
 
@@ -16465,6 +16611,18 @@ This debug message is issued when the HTTP request timeout has occurred and
 the server is going to send a response with Http Request timeout status
 code.
 
+HTTP_CLIENT_USER_SECURITY_WARNING
+=================================
+
+.. code-block:: text
+
+    use of clear text 'user' is NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and command socket configuration uses clear text 'user' rather
+than 'user-file'. The server will still use the socket as configured
+but is warning that doing so may pose a security risk.
+
 HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED
 ===========================================
 
@@ -17039,6 +17197,19 @@ This error message indicates an error loading the Lease Commands
 hooks library. The details of the error are provided as argument of
 the log message.
 
+LEASE_CMDS_PATH_SECURITY_WARNING
+================================
+
+.. code-block:: text
+
+    lease file path specified is NOT SECURE: %1
+
+This warning message is issued when security enforcement is disabled
+and the path portion of the `filename` parameter of the lease4-write
+or lease6-write command does not comply with the supported path. The
+server will still use the specified path but is warning that doing so
+may pose a security risk.
+
 LEASE_CMDS_RESEND_DDNS4
 =======================
 
@@ -17442,6 +17613,19 @@ Logged at debug log level 50.
 A debug message issued when a new MySQL connected is created with TLS.
 The TLS cipher name is logged.
 
+LEGAL_LOG_PATH_SECURITY_WARNING
+===============================
+
+.. code-block:: text
+
+    Forensic log path specified is NOT SECURE: %1
+
+This warning message is issued when security enforcement is
+disabled and the path specified for forensic logging output
+does not comply with the supported path. The server will
+still use the specified path but is warning that doing so may
+pose a security risk.
+
 LEGAL_LOG_PGSQL_COMMIT
 ======================
 

src/bin/agent/agent_lexer.cc

@@ -1,6 +1,6 @@
-#line 2 "agent_lexer.cc"
+#line 1 "agent_lexer.cc"
 
-#line 4 "agent_lexer.cc"
+#line 3 "agent_lexer.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -1624,7 +1624,7 @@ using isc::agent::AgentParser;
 
 /* To avoid the call to exit... oops! */
 #define YY_FATAL_ERROR(msg) isc::agent::ParserContext::fatal(msg)
-#line 1628 "agent_lexer.cc"
+#line 1627 "agent_lexer.cc"
 /* noyywrap disables automatic rewinding for the next file to parse. Since we
    always parse only a single string, there's no need to do any wraps. And
    using yywrap requires linking with -lfl, which provides the default yywrap
@@ -1650,8 +1650,8 @@ using isc::agent::AgentParser;
    by moving it ahead by yyleng bytes. yyleng specifies the length of the
    currently matched token. */
 #define YY_USER_ACTION  driver.loc_.columns(yyleng);
+#line 1653 "agent_lexer.cc"
 #line 1654 "agent_lexer.cc"
-#line 1655 "agent_lexer.cc"
 
 #define INITIAL 0
 #define COMMENT 1
@@ -1965,7 +1965,7 @@ YY_DECL
     }
 
 
-#line 1969 "agent_lexer.cc"
+#line 1968 "agent_lexer.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -2982,7 +2982,7 @@ YY_RULE_SETUP
 #line 835 "agent_lexer.ll"
 ECHO;
 	YY_BREAK
-#line 2986 "agent_lexer.cc"
+#line 2985 "agent_lexer.cc"
 
 	case YY_END_OF_BUFFER:
 		{

src/bin/agent/tests/ca_response_creator_unittests.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2017-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2017-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/d2/d2_lexer.cc

@@ -1,6 +1,6 @@
-#line 2 "d2_lexer.cc"
+#line 1 "d2_lexer.cc"
 
-#line 4 "d2_lexer.cc"
+#line 3 "d2_lexer.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -1214,7 +1214,7 @@ unsigned int comment_start_line = 0;
 
 /* To avoid the call to exit... oops! */
 #define YY_FATAL_ERROR(msg) isc::d2::D2ParserContext::fatal(msg)
-#line 1218 "d2_lexer.cc"
+#line 1217 "d2_lexer.cc"
 /* noyywrap disables automatic rewinding for the next file to parse. Since we
    always parse only a single string, there's no need to do any wraps. And
    using yywrap requires linking with -lfl, which provides the default yywrap
@@ -1240,8 +1240,8 @@ unsigned int comment_start_line = 0;
    by moving it ahead by yyleng bytes. yyleng specifies the length of the
    currently matched token. */
 #define YY_USER_ACTION  driver.loc_.columns(yyleng);
+#line 1243 "d2_lexer.cc"
 #line 1244 "d2_lexer.cc"
-#line 1245 "d2_lexer.cc"
 
 #define INITIAL 0
 #define COMMENT 1
@@ -1561,7 +1561,7 @@ YY_DECL
     }
 
 
-#line 1565 "d2_lexer.cc"
+#line 1564 "d2_lexer.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -2812,7 +2812,7 @@ YY_RULE_SETUP
 #line 1022 "d2_lexer.ll"
 ECHO;
 	YY_BREAK
-#line 2816 "d2_lexer.cc"
+#line 2815 "d2_lexer.cc"
 
 	case YY_END_OF_BUFFER:
 		{

src/bin/d2/tests/d2_controller_unittests.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2013-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2013-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/d2/tests/d2_simple_parser_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2017-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2017-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/dhcp4/dhcp4_lexer.cc

@@ -1,6 +1,6 @@
-#line 2 "dhcp4_lexer.cc"
+#line 1 "dhcp4_lexer.cc"
 
-#line 4 "dhcp4_lexer.cc"
+#line 3 "dhcp4_lexer.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -2297,7 +2297,7 @@ using namespace isc::dhcp;
 
 /* To avoid the call to exit... oops! */
 #define YY_FATAL_ERROR(msg) isc::dhcp::Parser4Context::fatal(msg)
-#line 2301 "dhcp4_lexer.cc"
+#line 2300 "dhcp4_lexer.cc"
 /* noyywrap disables automatic rewinding for the next file to parse. Since we
    always parse only a single string, there's no need to do any wraps. And
    using yywrap requires linking with -lfl, which provides the default yywrap
@@ -2323,8 +2323,8 @@ using namespace isc::dhcp;
    by moving it ahead by yyleng bytes. yyleng specifies the length of the
    currently matched token. */
 #define YY_USER_ACTION  driver.loc_.columns(yyleng);
+#line 2326 "dhcp4_lexer.cc"
 #line 2327 "dhcp4_lexer.cc"
-#line 2328 "dhcp4_lexer.cc"
 
 #define INITIAL 0
 #define COMMENT 1
@@ -2652,7 +2652,7 @@ YY_DECL
     }
 
 
-#line 2656 "dhcp4_lexer.cc"
+#line 2655 "dhcp4_lexer.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -5980,7 +5980,7 @@ YY_RULE_SETUP
 #line 2631 "dhcp4_lexer.ll"
 ECHO;
 	YY_BREAK
-#line 5984 "dhcp4_lexer.cc"
+#line 5983 "dhcp4_lexer.cc"
 
 	case YY_END_OF_BUFFER:
 		{

src/bin/dhcp4/dhcp4_messages.mes

@@ -1042,6 +1042,12 @@ supplied its hostname. The first argument includes the client and the
 transaction identification information. The second argument holds the
 generated hostname.
 
+% DHCP4_ROOT_USER_SECURITY_WARNING kea-dhcp4 running as root user!
+This warning is emitted when kea-dhcp4 is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration.
+
 % DHCP4_SECURITY_CHECKS_DISABLED Invoked with command line option -X, Security checks are disabled!!
 This warning is emitted when internal security checks normally
 performed by kea-dhcp4 have been disabled via command line option '-X'.
@@ -1190,9 +1196,3 @@ expected: the erroneous response is dropped, the request query is displayed.
 An DHCPOFFER for the 0.0.0.0 address was generated for a client requesting
 the v6-only-preferred (108) option but the option is not in the response as
 expected: the erroneous response is dropped, the discover query is displayed.
-
-% DHCP4_ROOT_USER_SECURITY_WARNING kea-dhcp4 running as root user!
-This warning is emitted when kea-dhcp4 is running as a root user.
-While the server will function fully, this mode of operation may
-expose your environment to security vulnerabilities and should
-only be used after careful consideration.

src/bin/dhcp4/parser_context.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2016-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2016-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/dhcp4/parser_context.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2015-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2015-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/dhcp4/tests/config_backend_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2019-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2019-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/dhcp6/dhcp6_lexer.cc

@@ -1,6 +1,6 @@
-#line 2 "dhcp6_lexer.cc"
+#line 1 "dhcp6_lexer.cc"
 
-#line 4 "dhcp6_lexer.cc"
+#line 3 "dhcp6_lexer.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -2266,7 +2266,7 @@ using namespace isc::dhcp;
 
 /* To avoid the call to exit... oops! */
 #define YY_FATAL_ERROR(msg) isc::dhcp::Parser6Context::fatal(msg)
-#line 2270 "dhcp6_lexer.cc"
+#line 2269 "dhcp6_lexer.cc"
 /* noyywrap disables automatic rewinding for the next file to parse. Since we
    always parse only a single string, there's no need to do any wraps. And
    using yywrap requires linking with -lfl, which provides the default yywrap
@@ -2292,8 +2292,8 @@ using namespace isc::dhcp;
    by moving it ahead by yyleng bytes. yyleng specifies the length of the
    currently matched token. */
 #define YY_USER_ACTION  driver.loc_.columns(yyleng);
+#line 2295 "dhcp6_lexer.cc"
 #line 2296 "dhcp6_lexer.cc"
-#line 2297 "dhcp6_lexer.cc"
 
 #define INITIAL 0
 #define COMMENT 1
@@ -2623,7 +2623,7 @@ YY_DECL
     }
 
 
-#line 2627 "dhcp6_lexer.cc"
+#line 2626 "dhcp6_lexer.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -5991,7 +5991,7 @@ YY_RULE_SETUP
 #line 2664 "dhcp6_lexer.ll"
 ECHO;
 	YY_BREAK
-#line 5995 "dhcp6_lexer.cc"
+#line 5994 "dhcp6_lexer.cc"
 
 	case YY_END_OF_BUFFER:
 		{

src/bin/dhcp6/dhcp6_messages.mes

@@ -1060,6 +1060,12 @@ identification information. The second and third argument contains the
 packet name and type respectively. The fourth argument contains detailed
 packet information.
 
+% DHCP6_ROOT_USER_SECURITY_WARNING kea-dhcp6 running as root user!
+This warning is emitted when kea-dhcp6 is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration
+
 % DHCP6_SECURITY_CHECKS_DISABLED Invoked with command line option -X, Security checks are disabled!!
 This warning is emitted when internal security checks normally
 performed by kea-dhcp6 have been disabled via command line option '-X'.
@@ -1167,9 +1173,3 @@ such modification. The clients will remember previous server-id, and will
 use it to extend their leases. As a result, they will have to go through
 a rebinding phase to re-acquire their leases and associate them with a
 new server id.
-
-% DHCP6_ROOT_USER_SECURITY_WARNING kea-dhcp6 running as root user!
-This warning is emitted when kea-dhcp6 is running as a root user.
-While the server will function fully, this mode of operation may
-expose your environment to security vulnerabilities and should
-only be used after careful consideration

src/bin/dhcp6/parser_context.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2016-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2016-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/dhcp6/parser_context.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2015-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2015-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/dhcp6/tests/config_backend_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2019-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2019-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/bin/netconf/netconf_lexer.cc

@@ -1474,7 +1474,7 @@ static const flex_int16_t yy_rule_linenum[64] =
 #define YY_RESTORE_YY_MORE_OFFSET
 char *yytext;
 #line 1 "netconf_lexer.ll"
-/* Copyright (C) 2018-2023 Internet Systems Consortium, Inc. ("ISC")
+/* Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 
    This Source Code Form is subject to the terms of the Mozilla Public
    License, v. 2.0. If a copy of the MPL was not distributed with this

src/hooks/dhcp/lease_cmds/lease_cmds_messages.mes

@@ -105,6 +105,13 @@ This error message indicates an error loading the Lease Commands
 hooks library. The details of the error are provided as argument of
 the log message.
 
+% LEASE_CMDS_PATH_SECURITY_WARNING lease file path specified is NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and the path portion of the `filename` parameter of the lease4-write
+or lease6-write command does not comply with the supported path. The
+server will still use the specified path but is warning that doing so
+may pose a security risk.
+
 % LEASE_CMDS_RESEND_DDNS4 lease4-resend-ddns command successful: %1
 A request to update DNS for the requested IPv4 lease has been
 successfully queued for transmission to kea-dhcp-ddns.
@@ -166,10 +173,3 @@ are logged.
 % LEASE_CMDS_WIPE6_FAILED lease6-wipe command failed (parameters: %1, reason: %2)
 The lease6-wipe command has failed. Both the reason as well as the
 parameters passed are logged.
-
-% LEASE_CMDS_PATH_SECURITY_WARNING lease file path specified is NOT SECURE: %1
-This warning message is issued when security enforcement is disabled
-and the path portion of the `filename` parameter of the lease4-write
-or lease6-write command does not comply with the supported path. The
-server will still use the specified path but is warning that doing so
-may pose a security risk.

src/hooks/dhcp/mysql/mysql_cb_dhcp4.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/hooks/dhcp/mysql/mysql_cb_impl.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/hooks/dhcp/mysql/tests/mysql_cb_dhcp4_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/hooks/dhcp/pgsql/pgsql_cb_dhcp4.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/hooks/dhcp/pgsql/pgsql_cb_impl.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/hooks/dhcp/pgsql/tests/pgsql_cb_dhcp4_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/asiolink/botan_tls.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/asiolink/botan_tls.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/cc/data.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2010-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2010-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/config/config_messages.mes

@@ -48,6 +48,12 @@ Logged at debug log level 10.
 This debug messages is issued when the Command HTTP listener, listening
 at the given address and port, has begun to shutdown.
 
+% COMMAND_HTTP_SOCKET_SECURITY_WARNING command socket configuration is NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and command socket configuration does not use HTTPS/TLS or  baseic HTTP
+authentication. The server will still use the socket as configured but
+is warning that doing so may pose a security risk.
+
 % COMMAND_PROCESS_ERROR1 Error while processing command: %1
 This warning message indicates that the server encountered an error while
 processing received command. Additional information will be provided, if
@@ -135,6 +141,18 @@ over command socket identifier by the specified file descriptor.
 This error message indicates that an error was encountered while
 attempting to send a response to the command socket.
 
+% COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING unix socket path is NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and the path specified for a control channel unix socket-name does
+not comply with the supported path. The server will still use the
+specified path but is warning that doing so may pose a security risk.
+
+% COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING unix socket permissions are NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and the path specified for a control channel unix socket-name does
+not have the required socket permissions. The server will still use the
+specified path but is warning that doing so may pose a security risk.
+
 % COMMAND_WATCH_SOCKET_CLEAR_ERROR watch socket failed to clear: %1
 This error message is issued when the command manager was unable to reset
 the ready status after completing a send. This is a programmatic error
@@ -180,21 +198,3 @@ control commands.
 % HTTP_COMMAND_MGR_SERVICE_STOPPING Server is stopping %1 service %2
 This informational message indicates that the server has stopped
 HTTP/HTTPS service. When known the address and port are displayed.
-
-% COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING unix socket path is NOT SECURE: %1
-This warning message is issued when security enforcement is disabled
-and the path specified for a control channel unix socket-name does
-not comply with the supported path. The server will still use the
-specified path but is warning that doing so may pose a security risk.
-
-% COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING unix socket permissions are NOT SECURE: %1
-This warning message is issued when security enforcement is disabled
-and the path specified for a control channel unix socket-name does
-not have the required socket permissions. The server will still use the
-specified path but is warning that doing so may pose a security risk.
-
-% COMMAND_HTTP_SOCKET_SECURITY_WARNING command socket configuration is NOT SECURE: %1
-This warning message is issued when security enforcement is disabled
-and command socket configuration does not use HTTPS/TLS or  baseic HTTP
-authentication. The server will still use the socket as configured but
-is warning that doing so may pose a security risk.

src/lib/config/tests/http_command_response_creator_factory_unittests.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/config/tests/http_command_response_creator_unittests.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/cryptolink/botan_hmac.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2011-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2011-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/d2srv/d2_config.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2013-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2013-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/d2srv/d2_messages.mes

@@ -446,6 +446,12 @@ message but the attempt to send it suffered an unexpected error. This is most
 likely a programmatic error, rather than a communications issue. Some or all
 of the DNS updates requested as part of this request did not succeed.
 
+% DHCP_DDNS_TSIG_SECRET_SECURITY_WARNING use of clear text TSIG 'secret' is NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and TSIG key configuration uses clear text 'secret' rather
+than 'secret-file'. The server will still use the key as configured
+but is warning that doing so may pose a security risk.
+
 % DHCP_DDNS_UPDATE_REQUEST_SENT Request ID %1: %2 to server: %3
 Logged at debug log level 50.
 This is a debug message issued when DHCP_DDNS sends a DNS request to a DNS
@@ -455,9 +461,3 @@ server.
 Logged at debug log level 50.
 This is a debug message issued when DHCP_DDNS receives sends a DNS update
 response from a DNS server.
-
-% DHCP_DDNS_TSIG_SECRET_SECURITY_WARNING use of clear text TSIG 'secret' is NOT SECURE: %1 
-This warning message is issued when security enforcement is disabled
-and TSIG key configuration uses clear text 'secret' rather
-than 'secret-file'. The server will still use the key as configured
-but is warning that doing so may pose a security risk.

src/lib/database/dbaccess_parser.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2012-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2012-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcp/classify.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2014-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcp/tests/classify_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2011-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2011-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/cb_ctl_dhcp.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2019-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2019-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/cb_ctl_dhcp4.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2019-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2019-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/cb_ctl_dhcp6.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2019-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2019-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/cfg_globals.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/cfg_globals.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/cfg_option.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2014-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/config_backend_dhcp4.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2021 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/config_backend_pool_dhcp4.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2021 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/config_backend_pool_dhcp4.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2022 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/dhcpsrv_messages.mes

@@ -789,6 +789,12 @@ testing but should not be enabled in normal circumstances. Non-persistence
 mode is enabled when 'persist4=no persist6=no' parameters are specified
 in the database access string.
 
+% DHCPSRV_MEMFILE_PATH_SECURITY_WARNING Lease file path specified is NOT SECURE: %1
+This warning message is issued when security enforcement is
+disabled and the lease file path specified for does not comply
+with the supported path. The server will still use the specified
+path but is warning that doing so may pose a security risk.
+
 % DHCPSRV_MEMFILE_READ_HWADDR_FAIL failed to read hardware address from lease file: %1
 A warning message issued when read attempt of the hardware address stored in
 a disk file failed. The parameter should provide the exact nature of the failure.
@@ -1003,12 +1009,6 @@ included in the message.
 The database access string specified a database type (given in the
 message) that is unknown to the software. This is a configuration error.
 
-% DHCPSRV_MEMFILE_PATH_SECURITY_WARNING Lease file path specified is NOT SECURE: %1
-This warning message is issued when security enforcement is
-disabled and the lease file path specified for does not comply
-with the supported path. The server will still use the specified
-path but is warning that doing so may pose a security risk.
-
 % LEGAL_LOG_PATH_SECURITY_WARNING Forensic log path specified is NOT SECURE: %1
 This warning message is issued when security enforcement is
 disabled and the path specified for forensic logging output

src/lib/dhcpsrv/parsers/host_reservation_parser.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2014-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/parsers/host_reservation_parser.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2023 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2014-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/parsers/option_data_parser.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2017-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2017-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/parsers/simple_parser4.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2016-2020 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2016-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/parsers/simple_parser6.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2016-2020 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2016-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/tests/host_reservation_parser_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2014-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/testutils/generic_backend_unittest.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2023 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/testutils/generic_cb_dhcp4_unittest.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2022-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2022-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/testutils/generic_host_data_source_unittest.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2015-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2015-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/testutils/host_data_source_utils.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2024 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/dhcpsrv/testutils/test_config_backend_dhcp4.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2021 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/eval/lexer.cc

@@ -1,6 +1,6 @@
-#line 2 "lexer.cc"
+#line 1 "lexer.cc"
 
-#line 4 "lexer.cc"
+#line 3 "lexer.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -1055,7 +1055,7 @@ namespace {
 
 /* To avoid the call to exit... oops! */
 #define YY_FATAL_ERROR(msg) isc::eval::EvalContext::fatal(msg)
-#line 1059 "lexer.cc"
+#line 1058 "lexer.cc"
 /* noyywrap disables automatic rewinding for the next file to parse. Since we
    always parse only a single string, there's no need to do any wraps. And
    using yywrap requires linking with -lfl, which provides the default yywrap
@@ -1080,8 +1080,8 @@ namespace {
    by moving it ahead by yyleng bytes. yyleng specifies the length of the
    currently matched token. */
 #define YY_USER_ACTION  loc.columns(evalleng);
+#line 1083 "lexer.cc"
 #line 1084 "lexer.cc"
-#line 1085 "lexer.cc"
 
 #define INITIAL 0
 
@@ -1380,7 +1380,7 @@ YY_DECL
 
 
 
-#line 1384 "lexer.cc"
+#line 1383 "lexer.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -1889,7 +1889,7 @@ YY_RULE_SETUP
 #line 251 "lexer.ll"
 ECHO;
 	YY_BREAK
-#line 1893 "lexer.cc"
+#line 1892 "lexer.cc"
 
 	case YY_END_OF_BUFFER:
 		{

src/lib/hooks/hooks_messages.mes

@@ -1,4 +1,4 @@
-# Copyright (C) 2013-2024 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2013-2025 Internet Systems Consortium, Inc. ("ISC")
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -86,6 +86,13 @@ This is most likely due to the installation of a new version of Kea
 without rebuilding the hook library.  A rebuild and re-install of the
 library should fix the problem in most cases.
 
+% HOOKS_LIBPATH_SECURITY_WARNING Library path specified is NOT SECURE: %1
+This warning message is issued when security enforcement is
+disabled and the library path specified for a given hook library
+does not comply with the supported path. The server will still load
+the hook library but is warning that doing so may pose a security
+risk.
+
 % HOOKS_LIBRARY_CLOSED hooks library %1 successfully closed
 This information message is issued when a user-supplied hooks library
 has been successfully closed.
@@ -215,10 +222,3 @@ in a hook library during the unload process, called, and returned success.
 This error message is issued if the version() function in the specified
 hooks library was called and generated an exception.  The library is
 considered unusable and will not be loaded.
-
-% HOOKS_LIBPATH_SECURITY_WARNING Library path specified is NOT SECURE: %1
-This warning message is issued when security enforcement is
-disabled and the library path specified for a given hook library
-does not comply with the supported path. The server will still load
-the hook library but is warning that doing so may pose a security
-risk.

src/lib/http/auth_messages.mes

@@ -1,4 +1,4 @@
-# Copyright (C) 2021 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -6,6 +6,12 @@
 
 $NAMESPACE isc::http
 
+% HTTP_CLIENT_PASSWORD_SECURITY_WARNING use of clear text 'password' is NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and command socket configuration uses clear text 'password' rather
+than 'password-file'. The server will still use the socket as configured
+but is warning that doing so may pose a security risk.
+
 % HTTP_CLIENT_REQUEST_AUTHORIZED received HTTP request authorized for '%1'
 This information message is issued when the server receives with a matching
 authentication header. The argument provides the user id.
@@ -23,12 +29,6 @@ provided incorrect user id and/or password.
 This information message is issued when the server receives a request without
 a required authentication header.
 
-% HTTP_CLIENT_PASSWORD_SECURITY_WARNING use of clear text 'password' is NOT SECURE: %1
-This warning message is issued when security enforcement is disabled
-and command socket configuration uses clear text 'password' rather
-than 'password-file'. The server will still use the socket as configured
-but is warning that doing so may pose a security risk.
-
 % HTTP_CLIENT_USER_SECURITY_WARNING use of clear text 'user' is NOT SECURE: %1
 This warning message is issued when security enforcement is disabled
 and command socket configuration uses clear text 'user' rather

src/lib/pgsql/testutils/pgsql_schema.cc

@@ -1,4 +1,4 @@
-// Copyright (C) 2016-2022 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2016-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/pgsql/testutils/pgsql_schema.h

@@ -1,4 +1,4 @@
-// Copyright (C) 2016-2022 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2016-2025 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this

src/lib/process/process_messages.mes

@@ -78,6 +78,13 @@ to create and initialize its application instance.
 This error message is issued if the controller could not initialize the
 application and will exit.
 
+% DCTL_LOG_PATH_SECURITY_WARNING Log output path specified is NOT SECURE: %1
+This warning message is issued when security enforcement is
+disabled and the output path specified for a given logger does
+not comply with the supported path. The server will still
+use the specified path but is warning that doing so may pose a
+security risk.
+
 % DCTL_NOT_RUNNING %1 application instance is not running
 A warning message is issued when an attempt is made to shut down the
 application when it is not running.
@@ -107,6 +114,12 @@ The controller has encountered a fatal error while running the
 application and is terminating. The reason for the failure is
 included in the message.
 
+% DCTL_ROOT_USER_SECURITY_WARNING %1 running as root user!
+This warning is emitted when the server is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration.
+
 % DCTL_RUN_PROCESS %1 starting application event loop
 Logged at debug log level 0.
 This debug message is issued just before the controller invokes
@@ -145,16 +158,3 @@ This is a debug message indicating that the application received an
 unsupported signal.  This is a programming error indicating that the
 application has registered to receive the signal but no associated
 processing logic has been added.
-
-% DCTL_LOG_PATH_SECURITY_WARNING Log output path specified is NOT SECURE: %1
-This warning message is issued when security enforcement is
-disabled and the output path specified for a given logger does
-not comply with the supported path. The server will still
-use the specified path but is warning that doing so may pose a
-security risk.
-
-% DCTL_ROOT_USER_SECURITY_WARNING %1 running as root user!
-This warning is emitted when the server is running as a root user.
-While the server will function fully, this mode of operation may
-expose your environment to security vulnerabilities and should
-only be used after careful consideration.