[gentoo-commits] repo/gentoo:master commit in: app-admin/collectd/files/, app-admin/collectd/

["Thomas Deutschmann" <whissi@gentoo.org>]

commit:     06fd84be0f99d0192caf0f4e4f5a713f85a49a7e
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Thu Apr  6 15:42:46 2017 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Thu Apr  6 15:42:46 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06fd84be

app-admin/collectd: Rev bump to add patch for CVE-2017-7401 (bug #614848)

Package-Manager: Portage-2.3.5, Repoman-2.3.2

 app-admin/collectd/collectd-5.6.2-r2.ebuild        | 531 +++++++++++++++++++++
 .../files/collectd-5.6.2-CVE-2017-7401.patch       |  56 +++
 2 files changed, 587 insertions(+)

diff --git a/app-admin/collectd/collectd-5.6.2-r2.ebuild b/app-admin/collectd/collectd-5.6.2-r2.ebuild
new file mode 100644
index 00000000000..885fbf1a446
--- /dev/null
+++ b/app-admin/collectd/collectd-5.6.2-r2.ebuild
@@ -0,0 +1,531 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5} )
+JAVA_PKG_OPT_USE="collectd_plugins_java"
+
+inherit autotools fcaps flag-o-matic java-pkg-opt-2 linux-info multilib perl-functions python-single-r1 systemd user
+
+DESCRIPTION="Collects system statistics and provides mechanisms to store the values"
+
+HOMEPAGE="https://collectd.org/"
+SRC_URI="${HOMEPAGE%/}/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="contrib debug java kernel_Darwin kernel_FreeBSD kernel_linux perl selinux static-libs udev xfs"
+
+# The plugin lists have to follow here since they extend IUSE
+
+# Plugins that don't build (e.g. dependencies not in Gentoo)
+# apple_sensors: Requires libIOKit
+# aquaero:       Requires aerotools-ng/libaquaero5
+# barometer:     Requires libi2c (i2c_smbus_read_i2c_block_data)
+# grpc:          Requires libgrpc
+# lpar:          Requires libperfstat (AIX only)
+# mic:           Requires Intel Many Integrated Core Architecture API
+#                (part of Intel's  Xeon Phi software)
+# netapp:        Requires libnetapp (http://communities.netapp.com/docs/DOC-1110)
+# pf:            Requires BSD packet filter
+# pinba:         Requires MySQL Pinba engine (http://pinba.org/)
+# tape:          Requires libkstat (Solaris only)
+# write_mongodb: https://github.com/collectd/collectd/issues/492
+# write_riemann: Requires riemann-c-client
+# xmms:          Requires libxmms (v1)
+# zone:          Solaris only...
+COLLECTD_IMPOSSIBLE_PLUGINS="apple_sensors aquaero barometer grpc lpar mic
+	netapp pf pinba tape write_kafka write_mongodb write_riemann xmms
+	zone"
+
+# Plugins that have been (compile) tested and can be enabled via COLLECTD_PLUGINS
+COLLECTD_TESTED_PLUGINS="aggregation amqp apache apcups ascent battery bind
+	ceph cgroups chrony conntrack contextswitch cpu cpufreq cpusleep
+	csv curl curl_json curl_xml dbi df disk dns drbd email entropy
+	ethstat exec fhcount filecount fscache gmond gps hddtemp interface
+	ipc ipmi iptables ipvs irq java lua load logfile log_logstash lvm
+	madwifi match_empty_counter match_hashed match_regex match_timediff
+	match_value mbmon md memcachec memcached memory modbus mqtt
+	multimeter mysql netlink network network nfs nginx notify_desktop
+	notify_email notify_nagios ntpd numa nut olsrd onewire openldap
+	openvpn oracle perl ping postgresql powerdns processes protocols
+	python python redis routeros rrdcached rrdtool sensors serial
+	sigrok smart snmp statsd swap syslog table tail tail_csv
+	target_notification target_replace target_scale target_set tcpconns
+	teamspeak2 ted thermal threshold tokyotyrant turbostat unixsock
+	uptime users uuid varnish virt vmem vserver wireless write_graphite
+	write_http write_kafka write_log write_redis write_sensu write_tsdb
+	xencpu zfs_arc zookeeper"
+
+COLLECTD_DISABLED_PLUGINS="${COLLECTD_IMPOSSIBLE_PLUGINS}"
+
+COLLECTD_ALL_PLUGINS=${COLLECTD_TESTED_PLUGINS}
+
+for plugin in ${COLLECTD_ALL_PLUGINS}; do
+	IUSE="${IUSE} collectd_plugins_${plugin}"
+done
+unset plugin
+
+# Now come the dependencies.
+
+COMMON_DEPEND="
+	dev-libs/libgcrypt:=
+	dev-libs/libltdl:0=
+	perl?					( dev-lang/perl:=[ithreads] )
+	udev?					( virtual/udev )
+	xfs?					( sys-fs/xfsprogs )
+	collectd_plugins_amqp?			( net-libs/rabbitmq-c )
+	collectd_plugins_apache?		( net-misc/curl:0= )
+	collectd_plugins_ascent?		( net-misc/curl:0= dev-libs/libxml2:2= )
+	collectd_plugins_bind?			( net-misc/curl:0= dev-libs/libxml2:2= )
+	collectd_plugins_ceph?			( dev-libs/yajl:= )
+	collectd_plugins_curl?			( net-misc/curl:0= )
+	collectd_plugins_curl_json?		( net-misc/curl:0= dev-libs/yajl:= )
+	collectd_plugins_curl_xml?		( net-misc/curl:0= dev-libs/libxml2:2= )
+	collectd_plugins_dbi?			( dev-db/libdbi )
+	collectd_plugins_dns?			( net-libs/libpcap )
+	collectd_plugins_gmond?			( sys-cluster/ganglia )
+	collectd_plugins_gps?			( sci-geosciences/gpsd )
+	collectd_plugins_ipmi?			( >=sys-libs/openipmi-2.0.16-r1 )
+	collectd_plugins_iptables?		( >=net-firewall/iptables-1.4.13:0= )
+	collectd_plugins_log_logstash?		( dev-libs/yajl:= )
+	collectd_plugins_lua?			( dev-lang/lua:0= )
+	collectd_plugins_lvm?			( sys-fs/lvm2 )
+	collectd_plugins_memcachec?		( dev-libs/libmemcached )
+	collectd_plugins_modbus?		( dev-libs/libmodbus )
+	collectd_plugins_mqtt?			( app-misc/mosquitto )
+	collectd_plugins_mysql?			( >=virtual/mysql-5.0 )
+	collectd_plugins_netlink?		( net-libs/libmnl )
+	collectd_plugins_nginx?			( net-misc/curl:0= )
+	collectd_plugins_notify_desktop?	( x11-libs/libnotify )
+	collectd_plugins_notify_email?		( net-libs/libesmtp )
+	collectd_plugins_nut?			( >=sys-power/nut-2.7.2-r2 )
+	collectd_plugins_openldap?		( net-nds/openldap )
+	collectd_plugins_onewire?		( >=sys-fs/owfs-3.1:= )
+	collectd_plugins_oracle?		( dev-db/oracle-instantclient-basic )
+	collectd_plugins_perl?			( dev-lang/perl:=[ithreads] )
+	collectd_plugins_ping?			( net-libs/liboping )
+	collectd_plugins_postgresql?		( dev-db/postgresql:= )
+	collectd_plugins_python?		( ${PYTHON_DEPS} )
+	collectd_plugins_redis?			( dev-libs/hiredis:= )
+	collectd_plugins_routeros?		( net-libs/librouteros )
+	collectd_plugins_rrdcached?		( net-analyzer/rrdtool:= )
+	collectd_plugins_rrdtool?		( net-analyzer/rrdtool:= )
+	collectd_plugins_sensors?		( sys-apps/lm_sensors )
+	collectd_plugins_sigrok?		( <sci-libs/libsigrok-0.4 dev-libs/glib:2 )
+	collectd_plugins_smart?			( dev-libs/libatasmart )
+	collectd_plugins_snmp?			( net-analyzer/net-snmp )
+	collectd_plugins_tokyotyrant?		( net-misc/tokyotyrant )
+	collectd_plugins_varnish?		( www-servers/varnish )
+	collectd_plugins_virt?			( app-emulation/libvirt:= dev-libs/libxml2:2= )
+	collectd_plugins_write_http?		( net-misc/curl:0= dev-libs/yajl:= )
+	collectd_plugins_write_kafka?		( >=dev-libs/librdkafka-0.9.0.99:= dev-libs/yajl:= )
+	collectd_plugins_write_redis?		( dev-libs/hiredis:= )
+	collectd_plugins_xencpu?		( app-emulation/xen-tools:= )
+
+	kernel_FreeBSD? (
+		collectd_plugins_disk?		( sys-libs/libstatgrab:= )
+		collectd_plugins_interface?	( sys-libs/libstatgrab:= )
+		collectd_plugins_load?		( sys-libs/libstatgrab:= )
+		collectd_plugins_memory?	( sys-libs/libstatgrab:= )
+		collectd_plugins_swap?		( sys-libs/libstatgrab:= )
+		collectd_plugins_users?		( sys-libs/libstatgrab:= )
+	)"
+
+# Enforcing <=sys-kernel/linux-headers-4.4 due to #577846
+DEPEND="${COMMON_DEPEND}
+	collectd_plugins_iptables?		( <=sys-kernel/linux-headers-4.4 )
+	collectd_plugins_java?			( >=virtual/jdk-1.6 )
+	virtual/pkgconfig"
+
+RDEPEND="${COMMON_DEPEND}
+	collectd_plugins_java?			( >=virtual/jre-1.6 )
+	collectd_plugins_syslog?		( virtual/logger )
+	selinux?				( sec-policy/selinux-collectd )
+	!<sys-apps/openrc-0.18.2"
+
+REQUIRED_USE="
+	collectd_plugins_python?		( ${PYTHON_REQUIRED_USE} )
+	collectd_plugins_smart?			( udev )"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-5.6.0-gentoo.patch
+	"${FILESDIR}"/${PN}-5.6.2-CVE-2017-7401.patch
+)
+
+# @FUNCTION: collectd_plugin_kernel_linux
+# @DESCRIPTION:
+# USAGE: <plugin name> <kernel_options> <severity>
+# kernel_options is a list of kernel configurations options; the check tests whether at least
+#   one of them is enabled. If no, depending on the third argument an elog, ewarn, or eerror message
+#   is emitted.
+collectd_plugin_kernel_linux() {
+	local multi_opt opt
+	if has ${1} ${COLLECTD_ALL_PLUGINS}; then
+		if use collectd_plugins_${1}; then
+			for opt in ${2}; do
+				if linux_chkconfig_present ${opt}; then
+					return 0;
+				fi
+			done
+			multi_opt=${2//\ /\ or\ }
+			case ${3} in
+				(info)
+					elog "The ${1} plugin can use kernel features that are disabled now; enable ${multi_opt} in your kernel"
+				;;
+				(warn)
+					ewarn "The ${1} plugin uses kernel features that are disabled now; enable ${multi_opt} in your kernel"
+				;;
+				(error)
+					eerror "The ${1} plugin needs kernel features that are disabled now; enable ${multi_opt} in your kernel"
+				;;
+				(*)
+					die "function collectd_plugin_kernel_linux called with invalid third argument"
+				;;
+			esac
+		fi
+	fi
+}
+
+collectd_linux_kernel_checks() {
+	if ! linux_chkconfig_present PROC_FS; then
+		ewarn "/proc file system support is disabled, many plugins will not be able to read any statistics from your system unless you enable PROC_FS in your kernel"
+	fi
+
+	if ! linux_chkconfig_present SYSFS; then
+		ewarn "/sys file system support is disabled, many plugins will not be able to read any statistics from your system unless you enable SYSFS in your kernel"
+	fi
+
+	# battery.c: /proc/pmu/battery_%i
+	# battery.c: /proc/acpi/battery
+	collectd_plugin_kernel_linux battery ACPI_BATTERY warn
+
+	# cgroups.c: /sys/fs/cgroup/
+	collectd_plugin_kernel_linux cgroups CGROUPS warn
+
+	# cpufreq.c: /sys/devices/system/cpu/cpu%d/cpufreq/
+	collectd_plugin_kernel_linux cpufreq SYSFS warn
+	collectd_plugin_kernel_linux cpufreq CPU_FREQ_STAT warn
+
+	# drbd.c: /proc/drbd
+	collectd_plugin_kernel_linux drbd BLK_DEV_DRBD warn
+
+	# conntrack.c: /proc/sys/net/netfilter/*
+	collectd_plugin_kernel_linux conntrack NETFILTER warn
+
+	# fscache.c: /proc/fs/fscache/stats
+	collectd_plugin_kernel_linux fscache FSCACHE warn
+
+	# nfs.c: /proc/net/rpc/nfs
+	# nfs.c: /proc/net/rpc/nfsd
+	collectd_plugin_kernel_linux nfs NFS_COMMON warn
+
+	# serial.c: /proc/tty/driver/serial
+	# serial.c: /proc/tty/driver/ttyS
+	collectd_plugin_kernel_linux serial SERIAL_CORE warn
+
+	# swap.c: /proc/meminfo
+	collectd_plugin_kernel_linux swap SWAP warn
+
+	# thermal.c: /proc/acpi/thermal_zone
+	# thermal.c: /sys/class/thermal
+	collectd_plugin_kernel_linux thermal ACPI_THERMAL warn
+
+	# turbostat.c: /dev/cpu/%d/msr
+	collectd_plugin_kernel_linux turbostat X86_MSR warn
+
+	# vmem.c: /proc/vmstat
+	collectd_plugin_kernel_linux vmem VM_EVENT_COUNTERS warn
+
+	# vserver.c: /proc/virtual
+	collectd_plugin_kernel_linux vserver VSERVER warn
+
+	# uuid.c: /sys/hypervisor/uuid
+	collectd_plugin_kernel_linux uuid SYSFS info
+
+	# wireless.c: /proc/net/wireless
+	collectd_plugin_kernel_linux wireless "WIRELESS MAC80211 IEEE80211" warn
+
+	# zfs_arc.c: /proc/spl/kstat/zfs/arcstats
+	collectd_plugin_kernel_linux zfs_arc "SPL ZFS" warn
+}
+
+pkg_setup() {
+	if use kernel_linux; then
+		linux-info_pkg_setup
+
+		if linux_config_exists; then
+			einfo "Checking your linux kernel configuration:"
+			collectd_linux_kernel_checks
+		else
+			elog "Cannot find a linux kernel configuration. Continuing anyway."
+		fi
+	fi
+
+	if use collectd_plugins_java; then
+		java-pkg-opt-2_pkg_setup
+	fi
+
+	use collectd_plugins_python && python-single-r1_pkg_setup
+
+	enewgroup collectd
+	enewuser collectd -1 -1 /var/lib/collectd collectd
+}
+
+src_prepare() {
+	default
+
+	# There's some strange prefix handling in the default config file, resulting in
+	# paths like "/usr/var/..."
+	sed -i -e "s:@prefix@/var:/var:g" src/collectd.conf.in || die
+
+	# fix installdirs for perl, bug 444360
+	sed -i -e 's/INSTALL_BASE=$(DESTDIR)$(prefix) //' bindings/Makefile.am || die
+
+	# Adjust upstream's systemd unit
+	#   - Get rid of EnvironmentFile directive; These files don't exist on Gentoo!
+	#   - Add User=collectd to run collectd as user "collectd" per default
+	sed -i \
+		-e '/^EnvironmentFile=.*/d' \
+		-e '/^\[Service\]/aUser=collectd' \
+		contrib/systemd.${PN}.service || die
+
+	if use collectd_plugins_java; then
+		# Set javac -source and -target flags according to (R)DEPEND.
+		sed -i -e "s/\$(JAVAC)/\0 $(java-pkg_javac-args)/g" bindings/java/Makefile.am || die
+	fi
+
+	ebegin "Removing bundled libltdl"
+	rm -rf libltdl || die
+	eend 0
+
+	eautoreconf
+}
+
+src_configure() {
+	# Now come the lists of os-dependent plugins. Any plugin that is not listed anywhere here
+	# should work independent of the operating system.
+
+	local linux_plugins="barometer battery cpu cpufreq disk drbd entropy
+		ethstat interface iptables ipvs irq ipc load memory md netlink nfs
+		numa processes serial swap tcpconns thermal turbostat users vmem
+		wireless zfc_arc"
+
+	local need_libstatgrab=0
+	local libstatgrab_plugins="cpu disk interface load memory swap users"
+	local bsd_plugins="cpu tcpconns ${libstatgrab_plugins} zfc_arc"
+
+	local darwin_plugins="apple_sensors battery cpu disk interface memory processes tcpconns"
+
+	local osdependent_plugins="${linux_plugins} ${bsd_plugins} ${darwin_plugins}"
+	local myos_plugins=""
+	if use kernel_linux; then
+		einfo "Enabling Linux plugins."
+		myos_plugins=${linux_plugins}
+	elif use kernel_FreeBSD; then
+		einfo "Enabling FreeBSD plugins."
+		myos_plugins=${bsd_plugins}
+	elif use kernel_Darwin; then
+		einfo "Enabling Darwin plugins."
+		myos_plugins=${darwin_plugins}
+	fi
+
+	local myconf="--disable-werror"
+
+	# Do we debug?
+	myconf+=" $(use_enable debug)"
+
+	# udev support?
+	# Required for smart plugin via REQUIRED_USE; Optional for disk plugin
+	if use udev; then
+		myconf+=" --with-libudev"
+	else
+		myconf+=" --without-libudev"
+	fi
+
+	local plugin
+
+	# Disable what needs to be disabled.
+	for plugin in ${COLLECTD_DISABLED_PLUGINS}; do
+		myconf+=" --disable-${plugin}"
+	done
+
+	# Set enable/disable for each single plugin.
+	for plugin in ${COLLECTD_ALL_PLUGINS}; do
+		if has ${plugin} ${osdependent_plugins}; then
+			# plugin is os-dependent ...
+			if has ${plugin} ${myos_plugins}; then
+				# ... and available in this os
+				myconf+=" $(use_enable collectd_plugins_${plugin} ${plugin})"
+				# ... must we link against libstatgrab? Bug #541518
+				if use kernel_FreeBSD && has ${plugin} ${libstatgrab_plugins}; then
+					einfo "We must link against libstatgrab due to plugin \"${plugin}\" ..."
+					need_libstatgrab=1
+				fi
+			else
+				# ... and NOT available in this os
+				if use collectd_plugins_${plugin}; then
+					ewarn "You try to enable the ${plugin} plugin, but it is not available for this"
+					ewarn "kernel. Disabling it automatically."
+				fi
+				myconf+=" --disable-${plugin}"
+			fi
+		elif [[ "${plugin}" = "collectd_plugins_perl" ]]; then
+			if use collectd_plugins_perl && ! use perl; then
+				ewarn "Perl plugin disabled as perl bindings disabled by -perl use flag"
+				myconf+= --disable-perl
+			else
+				myconf+=" $(use_enable collectd_plugins_${plugin} ${plugin})"
+			fi
+		else
+			myconf+=" $(use_enable collectd_plugins_${plugin} ${plugin})"
+		fi
+	done
+
+	if [ "${need_libstatgrab}" -eq 1 ]; then
+		myconf+=" --with-libstatgrab"
+	else
+		myconf+=" --without-libstatgrab"
+	fi
+
+	# JAVA_HOME is set by eclasses.
+	if use collectd_plugins_java; then
+		myconf+=" --with-java"
+	fi
+
+	# Need libiptc ONLY for iptables. If we try to use it otherwise bug 340109 happens.
+	# lots of libs are only needed for plugins, if they are disabled, also disable the lib
+	use collectd_plugins_iptables || myconf+=" --with-libiptc=no"
+	use collectd_plugins_openldap || myconf+=" --with-libldap=no"
+	use collectd_plugins_redis    || use collectd_plugins_write_redis || myconf+=" --with-libhiredis=no"
+	use collectd_plugins_smart    || myconf+=" --with-libatasmart=no"
+	use collectd_plugins_gps      || myconf+=" --with-libgps=no"
+
+	if use perl; then
+		myconf+=" --with-perl-bindings=INSTALLDIRS=vendor"
+	else
+		myconf+=" --without-perl-bindings"
+	fi
+
+	# No need for v5upgrade
+	myconf+=" --disable-target_v5upgrade"
+
+	# Python
+	if use collectd_plugins_python; then
+		myconf+=" --with-libpython=yes"
+		export PYTHON_CONFIG=$(python_get_PYTHON_CONFIG)
+	else
+		myconf+=" --with-libpython=no"
+	fi
+
+	# XFS support
+	myconf+=" $(use_enable xfs)"
+
+	# Finally, run econf.
+	KERNEL_DIR="${KERNEL_DIR}" econf --config-cache \
+		$(use_enable static-libs static) \
+		--localstatedir=/var ${myconf}
+}
+
+src_install() {
+	emake DESTDIR="${D%/}" install
+
+	perl_delete_localpod
+
+	find "${ED}"usr/ -name "*.la" -delete || die
+
+	if use collectd_plugins_java; then
+		java-pkg_regjar "${ED}"usr/share/${PN}/java/*.jar
+	fi
+
+	fowners root:collectd /etc/collectd.conf
+	fperms u=rw,g=r,o= /etc/collectd.conf
+
+	dodoc AUTHORS ChangeLog NEWS README TODO
+
+	if use contrib ; then
+		insinto /usr/share/doc/${PF}
+		doins -r contrib
+	fi
+
+	keepdir /var/lib/${PN}
+	fowners collectd:collectd /var/lib/${PN}
+
+	newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
+	newconfd "${FILESDIR}/${PN}.confd-r1" ${PN}
+	systemd_newunit "contrib/systemd.${PN}.service" ${PN}.service
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}/${PN}.logrotate" ${PN}
+
+	sed -i -e 's:^.*PIDFile     "/var/run/collectd.pid":PIDFile     "/run/collectd/collectd.pid":' "${ED}"etc/collectd.conf || die
+	sed -i -e 's:^#	SocketFile "/var/run/collectd-unixsock":#	SocketFile "/run/collectd/collectd.socket":' "${ED}"etc/collectd.conf || die
+	sed -i -e 's:^.*LoadPlugin perl$:# The new, correct way to load the perl plugin -- \n# <LoadPlugin perl>\n#   Globals true\n# </LoadPlugin>:' "${ED}"etc/collectd.conf || die
+	sed -i -e 's:^.*LoadPlugin python$:# The new, correct way to load the python plugin -- \n# <LoadPlugin python>\n#   Globals true\n# </LoadPlugin>:' "${ED}"etc/collectd.conf || die
+}
+
+pkg_postinst() {
+	if use filecaps; then
+		local caps=()
+		use collectd_plugins_ceph      && caps+=('CAP_DAC_OVERRIDE')
+		use collectd_plugins_exec      && caps+=('CAP_SETUID' 'CAP_SETGID')
+		use collectd_plugins_iptables  && caps+=('CAP_NET_ADMIN')
+		use collectd_plugins_filecount && caps+=('CAP_DAC_READ_SEARCH')
+
+		if use collectd_plugins_dns || use collectd_plugins_ping; then
+			caps+=('CAP_NET_RAW')
+		fi
+
+		if use collectd_plugins_turbostat || use collectd_plugins_smart; then
+			caps+=('CAP_SYS_RAWIO')
+		fi
+
+		if [ ${#caps[@]} -gt 0 ]; then
+			local caps_str=$(IFS=","; echo "${caps[*]}")
+			fcaps ${caps_str} usr/sbin/collectd
+			elog "Capabilities for ${EROOT}usr/sbin/collectd set to:"
+			elog "  ${caps_str}+EP"
+			elog
+
+			local systemd_unit="${EROOT}usr/lib/systemd/system/collectd.service"
+			if [[ -e "${systemd_unit}" ]]; then
+				caps_str="${caps[*]}"
+				sed -i -e "s:^CapabilityBoundingSet=.*:CapabilityBoundingSet=${caps_str}:" "${systemd_unit}" || \
+					die "Failed to set CapabilityBoundingSet in '${systemd_unit}'"
+
+				elog "CapabilityBoundingSet in '${systemd_unit}'"
+				elog "updated to match capabilities set above."
+				elog
+			fi
+		fi
+	fi
+
+	elog "Note: Collectd is only the collector."
+	elog "      You need to install 'data' sources (applications) locally or"
+	elog "      remotely on your own."
+
+	elog
+	elog "Collectd is configured to run as unprivileged user by default."
+	elog "You may want to revisit the configuration."
+	elog
+
+	if use collectd_plugins_email; then
+		ewarn "The email plug-in is deprecated. To submit statistics please use the unixsock plugin."
+	fi
+
+	if use collectd_plugins_smart; then
+		elog ""
+		elog "If you are using smart plugin and don't run collectd as root make sure"
+		elog "that the collectd user is allowed to access the disk you want to monitor"
+		elog "(can be done via udev rule for example) and that collectd has the required"
+		elog "capabilities set (which is the default when package was emerged with"
+		elog "'filecaps' USE flag set)."
+	fi
+
+	if use contrib; then
+		elog "The scripts in /usr/share/doc/${PF}/collection3 for generating graphs need dev-perl/HTML-Parser,"
+		elog "dev-perl/config-general, dev-perl/regexp-common, and net-analyzer/rrdtool[perl] to be installed."
+	fi
+}

diff --git a/app-admin/collectd/files/collectd-5.6.2-CVE-2017-7401.patch b/app-admin/collectd/files/collectd-5.6.2-CVE-2017-7401.patch
new file mode 100644
index 00000000000..7c23ac18d8f
--- /dev/null
+++ b/app-admin/collectd/files/collectd-5.6.2-CVE-2017-7401.patch
@@ -0,0 +1,56 @@
+From f6be4f9b49b949b379326c3d7002476e6ce4f211 Mon Sep 17 00:00:00 2001
+From: Pavel Rochnyack <pavel2000@ngs.ru>
+Date: Mon, 3 Apr 2017 11:57:09 +0600
+Subject: [PATCH] network plugin: Fix endless loop DOS in parse_packet()
+
+When correct 'Signature part' is received by Collectd, configured without
+AuthFile option, condition for endless loop occurs due to missing increase
+of pointer to next unprocessed part.
+
+This is a forward-port of #2233.
+
+Fixes: CVE-2017-7401
+Closes: #2174
+Signed-off-by: Florian Forster <octo@collectd.org>
+---
+ src/network.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/network.c b/src/network.c
+index be4c3ba..2ff09af 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1003,14 +1003,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+   buffer_len = *ret_buffer_len;
+   buffer_offset = 0;
+ 
+-  if (se->data.server.userdb == NULL) {
+-    c_complain(
+-        LOG_NOTICE, &complain_no_users,
+-        "network plugin: Received signed network packet but can't verify it "
+-        "because no user DB has been configured. Will accept it.");
+-    return (0);
+-  }
+-
+   /* Check if the buffer has enough data for this structure. */
+   if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+     return (-ENOMEM);
+@@ -1027,6 +1019,18 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+     return (-1);
+   }
+ 
++  if (se->data.server.userdb == NULL) {
++    c_complain(
++        LOG_NOTICE, &complain_no_users,
++        "network plugin: Received signed network packet but can't verify it "
++        "because no user DB has been configured. Will accept it.");
++
++    *ret_buffer = buffer + pss_head_length;
++    *ret_buffer_len -= pss_head_length;
++
++    return (0);
++  }
++
+   /* Copy the hash. */
+   BUFFER_READ(pss.hash, sizeof(pss.hash));
+