diff --git a/.gitignore b/.gitignore
index 1c46cf2..3aba932 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/haproxy-1.8.27.tar.gz
+haproxy-3.0.5.tar.gz
diff --git a/.haproxy.metadata b/.haproxy.metadata
deleted file mode 100644
index 1054205..0000000
--- a/.haproxy.metadata
+++ /dev/null
@@ -1 +0,0 @@
-5a8a12d07da986d2ecba5f57a07a9e68fe597bfd SOURCES/haproxy-1.8.27.tar.gz
diff --git a/RHEL-126652-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch b/RHEL-126652-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch
new file mode 100644
index 0000000..f7eceeb
--- /dev/null
+++ b/RHEL-126652-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch
@@ -0,0 +1,86 @@
+From: Willy Tarreau
+Date: Mon, 29 Sep 2025 16:34:11 +0000 (+0200)
+Subject: BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
+X-Git-Tag: v2.4.30~6
+X-Git-Url: http://git.haproxy.org/?p=haproxy-2.4.git;a=commitdiff_plain;h=2b278798cbdf4a8596149b5769ca98b325acc535;hp=d258af5a33893e52504431a46b5ab50a807280b5
+
+BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
+
+Mjson comes with its own strtod() implementation for portability
+reasons and probably also because many generic strtod() versions as
+provided by operating systems do not focus on resource preservation
+and may call malloc(), which is not welcome in a parser.
+
+The strtod() implementation used here apparently originally comes from
+https://gist.github.com/mattn/1890186 and seems to have purposely
+omitted a few parts that were considered as not needed in this context
+(e.g. skipping white spaces, or setting errno). But when subject to the
+relevant test cases of the designated file above, the current function
+provides the same results.
+
+The aforementioned implementation uses pow() to calculate exponents,
+but mjson authors visibly preferred not to introduce a libm dependency
+and replaced it with an iterative loop in O(exp) time. The problem is
+that the exponent is not bounded and that this loop can take a huge
+amount of time. There's even an issue already opened on mjson about
+this: https://github.com/cesanta/mjson/issues/59. In the case of
+haproxy, fortunately, the watchdog will quickly stop a runaway process
+but this remains a possible denial of service.
+
+A first approach would consist in reintroducing pow() like in the
+original implementation, but if haproxy is built without Lua nor
+51Degrees, -lm is not used so this will not work everywhere.
+
+Anyway here we're dealing with integer exponents, so an easy alternate
+approach consists in simply using shifts and squares, to compute the
+exponent in O(log(exp)) time. Not only it doesn't introduce any new
+dependency, but it turns out to be even faster than the generic pow()
+(85k req/s per core vs 83.5k on the same machine).
+
+This must be backported as far as 2.4, where mjson was introduced.
+
+Many thanks to Oula Kivalo for reporting this issue.
+
+CVE-2025-11230 was assigned to this issue.
+
+(cherry picked from commit 06675db4bf234ed17e14305f1d59259d2fe78b06)
+Signed-off-by: Christopher Faulet
+---
+
+diff --git a/src/mjson.c b/src/mjson.c
+index 73b7a57..2a4106b 100644
+--- a/src/mjson.c
++++ b/src/mjson.c
+@@ -767,11 +767,13 @@ static double mystrtod(const char *str, char **end) {
+
+ /* exponential part */
+ if ((*p == 'E') || (*p == 'e')) {
++ double exp, f;
+ int i, e = 0, neg = 0;
+ p++;
+ if (*p == '-') p++, neg++;
+ if (*p == '+') p++;
+ while (is_digit(*p)) e = e * 10 + *p++ - '0';
++ i = e;
+ if (neg) e = -e;
+ #if 0
+ if (d == 2.2250738585072011 && e == -308) {
+@@ -785,8 +787,16 @@ static double mystrtod(const char *str, char **end) {
+ goto done;
+ }
+ #endif
+- for (i = 0; i < e; i++) d *= 10;
+- for (i = 0; i < -e; i++) d /= 10;
++ /* calculate f = 10^i */
++ exp = 10;
++ f = 1;
++ while (i > 0) {
++ if (i & 1) f *= exp;
++ exp *= exp;
++ i >>= 1;
++ }
++ if (e > 0) d *= f;
++ else if (e < 0) d /= f;
+ a = p;
+ } else if (p > str && !is_digit(*(p - 1))) {
+ a = str;
diff --git a/SOURCES/CVE-2023-45539-add-http_path_forbidden_char-function.patch b/SOURCES/CVE-2023-45539-add-http_path_forbidden_char-function.patch
deleted file mode 100644
index 8e4539c..0000000
--- a/SOURCES/CVE-2023-45539-add-http_path_forbidden_char-function.patch
+++ /dev/null
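Review bot: `d *= f` at the end of the new exponent block turns a zero mantissa into NaN once `f` has overflowed to infinity: for an input such as `0e400` the replaced loop kept `0 * 10 == 0`, whereas the shift-and-square product reaches `inf` for exponents around 309 and above and `0 * inf` is NaN, so a number the old parser returned as 0 now comes back as NaN to whatever consumes it. Guarding the multiply, `if (e > 0 && d != 0) d *= f;`, restores the old result (the division path is unaffected, since `0 / inf` is 0 and a finite `d / inf` is 0 just as the old repeated division underflowed to 0). The exponent accumulation in the context line `while (is_digit(*p)) e = e * 10 + *p++ - '0';` is still unbounded `int` arithmetic, so an exponent of ten or more digits overflows signed `int` (undefined behaviour) before `i = e` is reached; the new loop no longer spins on it, but clamping while accumulating, e.g. `while (is_digit(*p)) { if (e < 100000) e = e * 10 + *p - '0'; p++; }` (bound constructed, anything comfortably above 308 works), would make the result defined. The header (`X-Git-Tag: v2.4.30~6`, `haproxy-2.4.git`) shows this is the 2.4 backport while .gitignore now names haproxy-3.0.5.tar.gz; presumably it applies to 3.0.5's src/mjson.c with offsets only, but that is worth confirming in the build log. mystrtod() itself begins and ends outside the inner hunk.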
@@ -1,68 +0,0 @@ -From 1d5e49737cf815f3a65d677c26bbf7ce56112458 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 15:24:54 +0200 -Subject: MINOR: http: add new function http_path_has_forbidden_char() - -As its name implies, this function checks if a path component has any -forbidden headers starting at the designated location. The goal is to -seek from the result of a successful ist_find_range() for more precise -chars. Here we're focusing on 0x00-0x1F, 0x20 and 0x23 to make sure -we're not too strict at this point. - -(cherry picked from commit 30f58f4217d585efeac3d85cb1b695ba53b7760b) - [ad: backported for following fix : BUG/MINOR: h2: reject more chars - from the :path pseudo header] -Signed-off-by: Amaury Denoyelle -(cherry picked from commit b491940181a88bb6c69ab2afc24b93a50adfa67c) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit f7666e5e43ce63e804ebffdf224d92cfd3367282) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit c699bb17b7e334c9d56e829422e29e5a204615ec) -[wt: adj minor ctx in http.h] -Signed-off-by: Willy Tarreau -(cherry picked from commit 0f57ac20b046b70275192651d7b6c978032e6a36) -[wt: adj minor ctx in http.h] -Signed-off-by: Willy Tarreau -(cherry picked from commit 921f79588c6180c406e88236228a5be1c5c67c55) -[wt: applied to h2.c like has_forbidden_char since it will be used there] -Signed-off-by: Willy Tarreau -(cherry picked from commit cedfa791d1a5fd03ec6b77bfa495341af37a26c3) -Signed-off-by: Willy Tarreau ---- - src/h2.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/src/h2.c b/src/h2.c -index e5351d72e..014e40212 100644 ---- a/src/h2.c -+++ b/src/h2.c -@@ -49,6 +49,26 @@ static int has_forbidden_char(const struct ist ist, const char *start) - return 0; - } - -+/* Looks into for forbidden characters for :path values (0x00..0x1F, -+ * 0x20, 0x23), starting at pointer which must be within . -+ * Returns non-zero if such a character is found, 0 otherwise. 
When run on -+ * unlikely header match, it's recommended to first check for the presence -+ * of control chars using ist_find_ctl(). -+ */ -+static inline int http_path_has_forbidden_char(const struct ist ist, const char *start) -+{ -+ do { -+ if ((uint8_t)*start <= 0x23) { -+ if ((uint8_t)*start < 0x20) -+ return 1; -+ if ((1U << ((uint8_t)*start & 0x1F)) & ((1<<3) | (1<<0))) -+ return 1; -+ } -+ start++; -+ } while (start < istend(ist)); -+ return 0; -+} -+ - /* Prepare the request line into <*ptr> (stopping at ) from pseudo headers - * stored in . indicates what was found so far. This should be - * called once at the detection of the first general header field or at the end --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-add-ist_find_range-function.patch b/SOURCES/CVE-2023-45539-add-ist_find_range-function.patch deleted file mode 100644 index 042fb5c..0000000 --- a/SOURCES/CVE-2023-45539-add-ist_find_range-function.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From e55c2ade33b74ccf636e18feae0d158683bc1b34 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 15:23:19 +0200 -Subject: MINOR: ist: add new function ist_find_range() to find a character - range - -This looks up the character range .. in the input string and -returns a pointer to the first one found. It's essentially the equivalent -of ist_find_ctl() in that it searches by 32 or 64 bits at once, but deals -with a range. - -(cherry picked from commit 197668de975e495f0c0f0e4ff51b96203fa9842d) - [ad: backported for following fix : BUG/MINOR: h2: reject more chars - from the :path pseudo header] -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 451ac6628acc4b9eed3260501a49c60d4e4d4e55) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 3468f7f8e04c9c5ca5c985c7511e05e78fe1eded) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit b375df60341c7f7a4904c2d8041a09c66115c754) -Signed-off-by: Willy Tarreau -(cherry picked from commit edcff741698c9519dc44f3aa13de421baad7ff43) -Signed-off-by: Willy Tarreau -(cherry picked from commit cbac8632582d82a1452ccb3fe3c38196e8ad9f45) -Signed-off-by: Willy Tarreau -(cherry picked from commit 77c014ea018b80095329402264ae8887398ef4e8) -Signed-off-by: Willy Tarreau ---- - include/common/ist.h | 47 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 47 insertions(+) - -diff --git a/include/common/ist.h b/include/common/ist.h -index 986e1df9f..5eb8bf23b 100644 ---- a/include/common/ist.h -+++ b/include/common/ist.h -@@ -407,6 +407,53 @@ static inline const char *ist_find_ctl(const struct ist ist) - return NULL; - } - -+/* Returns a pointer to the first character found that belongs to the -+ * range [min:max] inclusive, or NULL if none is present. The function is -+ * optimized for strings having no such chars by processing up to sizeof(long) -+ * bytes at once on architectures supporting efficient unaligned accesses. 
-+ * Despite this it is not very fast (~0.43 byte/cycle) and should mostly be -+ * used on low match probability when it can save a call to a much slower -+ * function. Will not work for characters 0x80 and above. It's optimized for -+ * min and max to be known at build time. -+ */ -+static inline const char *ist_find_range(const struct ist ist, unsigned char min, unsigned char max) -+{ -+ const union { unsigned long v; } __attribute__((packed)) *u; -+ const char *curr = (void *)ist.ptr - sizeof(long); -+ const char *last = curr + ist.len; -+ unsigned long l1, l2; -+ -+ /* easier with an exclusive boundary */ -+ max++; -+ -+ do { -+ curr += sizeof(long); -+ if (curr > last) -+ break; -+ u = (void *)curr; -+ /* add 0x.. then subtract -+ * 0x.. to the value to generate a -+ * carry in the lower byte if the byte contains a lower value. -+ * If we generate a bit 7 that was not there, it means the byte -+ * was min..max. -+ */ -+ l2 = u->v; -+ l1 = ~l2 & ((~0UL / 255) * 0x80); /* 0x808080...80 */ -+ l2 += (~0UL / 255) * min; /* 0x.. */ -+ l2 -= (~0UL / 255) * max; /* 0x.. */ -+ } while ((l1 & l2) == 0); -+ -+ last += sizeof(long); -+ if (__builtin_expect(curr < last, 0)) { -+ do { -+ if ((unsigned char)(*curr - min) < (unsigned char)(max - min)) -+ return curr; -+ curr++; -+ } while (curr < last); -+ } -+ return NULL; -+} -+ - /* looks for first occurrence of character in string and returns - * the tail of the string starting with this character, or (ist.end,0) if not - * found. --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-add-istend-function.patch b/SOURCES/CVE-2023-45539-add-istend-function.patch deleted file mode 100644 index a23c52b..0000000 --- a/SOURCES/CVE-2023-45539-add-istend-function.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 7a18c6a2887b542896a2a0242189e7035155f0d5 Mon Sep 17 00:00:00 2001 -From: Christopher Faulet -Date: Thu, 22 Oct 2020 14:37:12 +0200 -Subject: MINOR: ist: Add istend() function to return a pointer to the end of - the string - -istend() is a shortcut to istptr() + istlen(). - -(cherry picked from commit cf26623780bdd66f4fff4154d0e5081082aff89b) -[wt: needed for next fix] -Signed-off-by: Willy Tarreau -(cherry picked from commit b12ab9c04a896a90383dbaf5c808a6d9a26cde98) -Signed-off-by: Willy Tarreau -(cherry picked from commit 7a62a17abd2cc6f14a3cca47043db0061e2f6664) -Signed-off-by: Willy Tarreau ---- - include/common/ist.h | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/include/common/ist.h b/include/common/ist.h -index 5eb8bf23b..fbbfcbef7 100644 ---- a/include/common/ist.h -+++ b/include/common/ist.h -@@ -119,6 +119,12 @@ static inline size_t istlen(const struct ist ist) - return ist.len; - } - -+/* returns the pointer to the end the string */ -+static inline char *istend(const struct ist ist) -+{ -+ return (ist.ptr + ist.len); -+} -+ - /* skips to next character in the string, always stops at the end */ - static inline struct ist istnext(const struct ist ist) - { --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-doc-clarify-URL-fragment-handling.patch b/SOURCES/CVE-2023-45539-doc-clarify-URL-fragment-handling.patch deleted file mode 100644 index d8eedd0..0000000 --- a/SOURCES/CVE-2023-45539-doc-clarify-URL-fragment-handling.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 379a330ad8a56f6cf1031ff2cd3a093ead7e8585 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 19:35:25 +0200 -Subject: DOC: clarify the handling of URL fragments in requests - -We indicate in path/pathq/url that they may contain '#' if the frontend -is configured with "option accept-invalid-http-request", and that option -mentions the fragment as well. - -(cherry picked from commit 7ab4949ef107a7088777f954de800fe8cf727796) - [ad: backported as a companion to BUG/MINOR: h1: do not accept '#' as - part of the URI component] -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 965fb74eb180ab4f275ef907e018128e7eee0e69) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit e9903d6073ce9ff0ed8b304700e9d2b435ed8050) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit c47814a58ec153a526e8e9e822cda6e66cef5cc2) -[wt: minor ctx adj] -Signed-off-by: Willy Tarreau -(cherry picked from commit 3706e1754b925e56951b604cce63f3bb290ed838) -Signed-off-by: Willy Tarreau -(cherry picked from commit b5062da485e78f4448a617a0f8b67dc5b23065d5) -[wt: dropped pathq] -Signed-off-by: Willy Tarreau -(cherry picked from commit 1ee98d04314d35b694206195b8399c501776afc5) -[wt: allow to run with version 1.8] -Signed-off-by: Willy Tarreau ---- - doc/configuration.txt | 15 ++++++++++++--- - reg-tests/http-rules/fragment_in_uri.vtc | 2 +- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index b30aaa9fb..c0607519a 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -5433,7 +5433,8 @@ no option accept-invalid-http-request - remaining ones are blocked by default unless this option is enabled. This - option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests - to pass through (no version specified) and multiple digits for both the major -- and the minor version. -+ and the minor version. 
Finally, this option also allows incoming URLs to -+ contain fragment references ('#' after the path). - - This option should never be enabled by default as it hides application bugs - and open security breaches. It should only be deployed after a problem has -@@ -15328,7 +15329,11 @@ path : string - information from databases and keep them in caches. Note that with outgoing - caches, it would be wiser to use "url" instead. With ACLs, it's typically - used to match exact file names (e.g. "/login.php"), or directory parts using -- the derivative forms. See also the "url" and "base" fetch methods. -+ the derivative forms. See also the "url" and "base" fetch methods. Please -+ note that any fragment reference in the URI ('#' after the path) is strictly -+ forbidden by the HTTP standard and will be rejected. However, if the frontend -+ receiving the request has "option accept-invalid-http-request", then this -+ fragment part will be accepted and will also appear in the path. - - ACL derivatives : - path : exact string match -@@ -15502,7 +15507,11 @@ url : string - "path" is preferred over using "url", because clients may send a full URL as - is normally done with proxies. The only real use is to match "*" which does - not match in "path", and for which there is already a predefined ACL. See -- also "path" and "base". -+ also "path" and "base". Please note that any fragment reference in the URI -+ ('#' after the path) is strictly forbidden by the HTTP standard and will be -+ rejected. However, if the frontend receiving the request has "option -+ accept-invalid-http-request", then this fragment part will be accepted and -+ will also appear in the url. 
- - ACL derivatives : - url : exact string match -diff --git a/reg-tests/http-rules/fragment_in_uri.vtc b/reg-tests/http-rules/fragment_in_uri.vtc -index 621751356..8de0adeb2 100644 ---- a/reg-tests/http-rules/fragment_in_uri.vtc -+++ b/reg-tests/http-rules/fragment_in_uri.vtc -@@ -1,5 +1,5 @@ - varnishtest "check for fragments in URL" --#REQUIRE_VERSION=2.0 -+#REQUIRE_VERSION=1.8 - - # This reg-test checks that '#' is properly blocked in requests - --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-pass-accept-invalid-http-request-parser.patch b/SOURCES/CVE-2023-45539-pass-accept-invalid-http-request-parser.patch deleted file mode 100644 index 13e3b70..0000000 --- a/SOURCES/CVE-2023-45539-pass-accept-invalid-http-request-parser.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 5f9b9c909399b51498ddabb39341416381fc06a2 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 15:38:28 +0200 -Subject: MINOR: h2: pass accept-invalid-http-request down the request parser - -We're adding a new argument "relaxed" to h2_make_htx_request() so that -we can control its level of acceptance of certain invalid requests at -the proxy level with "option accept-invalid-http-request". The goal -will be to add deactivable checks that are still desirable to have by -default. For now no test is subject to it. - -(cherry picked from commit d93a00861d714313faa0395ff9e2acb14b0a2fca) - [ad: backported for following fix : BUG/MINOR: h2: reject more chars - from the :path pseudo header] -Signed-off-by: Amaury Denoyelle -(cherry picked from commit b6be1a4f858eb6602490c192235114c1a163fef9) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 26fa3a285df0748fc79e73e552161268b66fb527) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 014945a1508f43e88ac4e89950fa9037e4fb0679) -Signed-off-by: Willy Tarreau -(cherry picked from commit f86e994f5fb5851cd6e4f7f6b366e37765014b9f) -[wt: adjusted ctx in h2.h] -Signed-off-by: Willy Tarreau -(cherry picked from commit d87aeb80c45cc504274188f0e5048148f3c4f2ff) -[wt: extended to h2_make_h1_request() as well for legacy mode] -Signed-off-by: Willy Tarreau -(cherry picked from commit f2436eab7d21bab3d85cb750023a1770411f716e) -[wt: only kept the legacy mode part (h2-to-h1)] -Signed-off-by: Willy Tarreau ---- - include/common/h2.h | 2 +- - src/h2.c | 6 +++++- - src/mux_h2.c | 3 ++- - 3 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/include/common/h2.h b/include/common/h2.h -index 0cecc2d4e..ef15f3cda 100644 ---- a/include/common/h2.h -+++ b/include/common/h2.h -@@ -180,7 +180,7 @@ enum h2_err { - - /* various protocol processing functions */ - --int h2_make_h1_request(struct http_hdr *list, char *out, int osize, unsigned int *msgf); -+int h2_make_h1_request(struct 
http_hdr *list, char *out, int osize, unsigned int *msgf, int relaxed); - - /* - * Some helpful debugging functions. -diff --git a/src/h2.c b/src/h2.c -index 014e40212..cb40b2e1b 100644 ---- a/src/h2.c -+++ b/src/h2.c -@@ -166,8 +166,12 @@ static int h2_prepare_h1_reqline(uint32_t fields, struct ist *phdr, char **ptr, - * - * The Cookie header will be reassembled at the end, and for this, the - * will be used to create a linked list, so its contents may be destroyed. -+ * -+ * When is non-nul, some non-dangerous checks will be ignored. This -+ * is in order to satisfy "option accept-invalid-http-request" for -+ * interoperability purposes. - */ --int h2_make_h1_request(struct http_hdr *list, char *out, int osize, unsigned int *msgf) -+int h2_make_h1_request(struct http_hdr *list, char *out, int osize, unsigned int *msgf, int relaxed) - { - struct ist phdr_val[H2_PHDR_NUM_ENTRIES]; - char *out_end = out + osize; -diff --git a/src/mux_h2.c b/src/mux_h2.c -index 79e70f60b..ecd9c59f8 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -2844,7 +2844,8 @@ static int h2_frt_decode_headers(struct h2s *h2s, struct buffer *buf, int count) - - /* OK now we have our header list in */ - msgf = (h2c->dff & H2_F_DATA_END_STREAM) ? 0 : H2_MSGF_BODY; -- outlen = h2_make_h1_request(list, bi_end(buf), try, &msgf); -+ outlen = h2_make_h1_request(list, bi_end(buf), try, &msgf, -+ !!(((const struct session *)h2c->conn->owner)->fe->options2 & PR_O2_REQBUG_OK)); - - if (outlen < 0) { - h2c_error(h2c, H2_ERR_COMPRESSION_ERROR); --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-regtest-verify-pound-char-URI.patch b/SOURCES/CVE-2023-45539-regtest-verify-pound-char-URI.patch deleted file mode 100644 index c67f99f..0000000 --- a/SOURCES/CVE-2023-45539-regtest-verify-pound-char-URI.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 2d848a09fb7a1fb661a418cc07c59496d7eb6b3e Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 19:53:51 +0200 -Subject: REGTESTS: http-rules: verify that we block '#' by default for - normalize-uri - -Since we now block fragments by default, let's add an extra test there -to confirm that it's blocked even when stripping it. - -(cherry picked from commit 4d0175b54b2b4eeb01aa6e31282b0a5b0d7d8ace) - [ad: backported to test conformance of BUG/MINOR: h1: do not accept '#' - as part of the URI component] -Signed-off-by: Amaury Denoyelle -(cherry picked from commit b3f26043df74c661155566a0abd56103e8116078) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 41d161ccbbfa846b4b17ed0166ff08f6bf0c3ea1) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit b6b330eb117d520a890e5b3cd623eaa73479db1b) -Signed-off-by: Willy Tarreau -(cherry picked from commit 73b9b13ac2654ef5384789685e3d65ca5f2f880a) -[wt: rewrote the test for 2.2 without normalize-uri and called it - fragments-in-uri] -Signed-off-by: Willy Tarreau -(cherry picked from commit dbf47600f63ffe161ce08d2f0faef7e0deb32b6e) -[wt: removed tune.idle-pool.shared from global section] -Signed-off-by: Willy Tarreau -(cherry picked from commit f04fec9f3efe7f8b70fbe72d6a4473f01699728c) -Signed-off-by: Willy Tarreau ---- - reg-tests/http-rules/fragment_in_uri.vtc | 35 ++++++++++++++++++++++++ - 1 file changed, 35 insertions(+) - create mode 100644 reg-tests/http-rules/fragment_in_uri.vtc - -diff --git a/reg-tests/http-rules/fragment_in_uri.vtc b/reg-tests/http-rules/fragment_in_uri.vtc -new file mode 100644 -index 000000000..621751356 ---- /dev/null -+++ b/reg-tests/http-rules/fragment_in_uri.vtc -@@ -0,0 +1,35 @@ -+varnishtest "check for fragments in URL" -+#REQUIRE_VERSION=2.0 -+ -+# This reg-test checks that '#' is properly blocked in requests -+ -+feature ignore_unknown_macro -+ -+server s1 { -+ rxreq -+ txresp -hdr "connection: close" -+} -start -+ -+haproxy h1 -conf { -+ 
global -+ -+ defaults -+ mode http -+ timeout connect 1s -+ timeout client 1s -+ timeout server 1s -+ -+ frontend fe_fragment_block -+ bind "fd@${fe_fragment_block}" -+ default_backend be -+ -+ backend be -+ server s1 ${s1_addr}:${s1_port} -+ -+} -start -+ -+client c11 -connect ${h1_fe_fragment_block_sock} { -+ txreq -url "/#foo" -+ rxresp -+ expect resp.status == 400 -+} -run --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-reject-chars-from-path-pseudo-header.patch b/SOURCES/CVE-2023-45539-reject-chars-from-path-pseudo-header.patch deleted file mode 100644 index d1d950e..0000000 --- a/SOURCES/CVE-2023-45539-reject-chars-from-path-pseudo-header.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From d81b4c952dae3468e73f4df701c62ac3a8644ba0 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 15:40:49 +0200 -Subject: BUG/MINOR: h2: reject more chars from the :path pseudo header - -This is the h2 version of this previous fix: - - BUG/MINOR: h1: do not accept '#' as part of the URI component - -In addition to the current NUL/CR/LF, this will also reject all other -control chars, the space and '#' from the :path pseudo-header, to avoid -taking the '#' for a part of the path. It's still possible to fall back -to the previous behavior using "option accept-invalid-http-request". - -This patch modifies the request parser to change the ":path" pseudo header -validation function with a new one that rejects 0x00-0x1F (control chars), -space and '#'. This way such chars will be dropped early in the chain, and -the search for '#' doesn't incur a second pass over the header's value. - -This should be progressively backported to stable versions, along with the -following commits it relies on: - - REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests - REORG: http: move has_forbidden_char() from h2.c to http.h - MINOR: ist: add new function ist_find_range() to find a character range - MINOR: http: add new function http_path_has_forbidden_char() - MINOR: h2: pass accept-invalid-http-request down the request parser - -(cherry picked from commit b3119d4fb4588087e2483a80b01d322683719e29) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 462a8600ce9e478573a957e046b446a7dcffd286) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 648e59e30723b8fd4e71aab02cb679f6ea7446e7) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit c8e07f2fd8b5462527f102f7145d6027c0d041da) -[wt: minor ctx adjustments] -Signed-off-by: Willy Tarreau -(cherry picked from commit af232e47e6264122bed3681210b054ff38ec8de8) -Signed-off-by: Willy Tarreau -(cherry picked from commit e0c9008874b89621449f7ff3e9bc6db4e94fac6d) 
-[wt: note: added as well for legacy mode, though since h2 is turned - to h1 in this mode, this will be rejected anyway] -Signed-off-by: Willy Tarreau -(cherry picked from commit ad05bf865cdc77e1c48d2e608ef8c39bd6c08c31) -[wt: dropped the htx part] -Signed-off-by: Willy Tarreau ---- - src/h2.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/h2.c b/src/h2.c -index cb40b2e1b..ff8ae4572 100644 ---- a/src/h2.c -+++ b/src/h2.c -@@ -208,9 +208,15 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize, unsigned int - /* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of - * rejecting NUL, CR and LF characters. - */ -- ctl = ist_find_ctl(list[idx].v); -- if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl)) -- goto fail; -+ if (phdr == H2_PHDR_IDX_PATH && !relaxed) { -+ ctl = ist_find_range(list[idx].v, 0, '#'); -+ if (unlikely(ctl) && http_path_has_forbidden_char(list[idx].v, ctl)) -+ goto fail; -+ } else { -+ ctl = ist_find_ctl(list[idx].v); -+ if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl)) -+ goto fail; -+ } - - if (phdr > 0 && phdr < H2_PHDR_NUM_ENTRIES) { - /* insert a pseudo header by its index (in phdr) and value (in value) */ --- -2.35.3 - diff --git a/SOURCES/CVE-2023-45539-reject-pound-char-URI-component.patch b/SOURCES/CVE-2023-45539-reject-pound-char-URI-component.patch deleted file mode 100644 index ccc7ef0..0000000 --- a/SOURCES/CVE-2023-45539-reject-pound-char-URI-component.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 4e98c0c1d36104ed426d3b198a176e1a5df814fa Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 8 Aug 2023 16:17:22 +0200 -Subject: BUG/MINOR: h1: do not accept '#' as part of the URI component - -Seth Manesse and Paul Plasil reported that the "path" sample fetch -function incorrectly accepts '#' as part of the path component. This -can in some cases lead to misrouted requests for rules that would apply -on the suffix: - - use_backend static if { path_end .png .jpg .gif .css .js } - -Note that this behavior can be selectively configured using -"normalize-uri fragment-encode" and "normalize-uri fragment-strip". - -The problem is that while the RFC says that this '#' must never be -emitted, as often it doesn't suggest how servers should handle it. A -diminishing number of servers still do accept it and trim it silently, -while others are rejecting it, as indicated in the conversation below -with other implementers: - - https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html - -Looking at logs from publicly exposed servers, such requests appear at -a rate of roughly 1 per million and only come from attacks or poorly -written web crawlers incorrectly following links found on various pages. - -Thus it looks like the best solution to this problem is to simply reject -such ambiguous requests by default, and include this in the list of -controls that can be disabled using "option accept-invalid-http-request". - -We're already rejecting URIs containing any control char anyway, so we -should also reject '#'. - -In the H1 parser for the H1_MSG_RQURI state, there is an accelerated -parser for bytes 0x21..0x7e that has been tightened to 0x24..0x7e (it -should not impact perf since 0x21..0x23 are not supposed to appear in -a URI anyway). 
This way '#' falls through the fine-grained filter and -we can add the special case for it also conditionned by a check on the -proxy's option "accept-invalid-http-request", with no overhead for the -vast majority of valid URIs. Here this information is available through -h1m->err_pos that's set to -2 when the option is here (so we don't need -to change the API to expose the proxy). Example with a trivial GET -through netcat: - - [08/Aug/2023:16:16:52.651] frontend layer1 (#2): invalid request - backend (#-1), server (#-1), event #0, src 127.0.0.1:50812 - buffer starts at 0 (including 0 out), 16361 free, - len 23, wraps at 16336, error at position 7 - H1 connection flags 0x00000000, H1 stream flags 0x00000810 - H1 msg state MSG_RQURI(4), H1 msg flags 0x00001400 - H1 chunk len 0 bytes, H1 body len 0 bytes : - - 00000 GET /aa#bb HTTP/1.0\r\n - 00021 \r\n - -This should be progressively backported to all stable versions along with -the following patch: - - REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests - -Similar fixes for h2 and h3 will come in followup patches. - -Thanks to Seth Manesse and Paul Plasil for reporting this problem with -detailed explanations. 
- -(cherry picked from commit 2eab6d354322932cfec2ed54de261e4347eca9a6) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 9bf75c8e22a8f2537f27c557854a8803087046d0) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 9facd01c9ac85fe9bcb331594b80fa08e7406552) -Signed-off-by: Amaury Denoyelle -(cherry picked from commit 832b672eee54866c7a42a1d46078cc9ae0d544d9) -Signed-off-by: Willy Tarreau -(cherry picked from commit e5a741f94977840c58775b38f8ed830207f7e4d0) -Signed-off-by: Willy Tarreau -(cherry picked from commit 178cea76b1c9d9413afa6961b6a4576fcb5b26fa) -[wt: applied the same to http_parse_reqline() in http_msg.c] -Signed-off-by: Willy Tarreau -(cherry picked from commit 4ad6fd9eeb3078685fffdc58f1c6d4eb97e05d98) -[wt: dropped the HTX part, adapted the legacy one in http_msg.c] -Signed-off-by: Willy Tarreau ---- - src/h1.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/h1.c b/src/h1.c -index d3a20c2ed..57be42f31 100644 ---- a/src/h1.c -+++ b/src/h1.c -@@ -341,11 +341,11 @@ const char *http_parse_reqline(struct http_msg *msg, - defined(__ARM_ARCH_7A__) - /* speedup: skip bytes not between 0x21 and 0x7e inclusive */ - while (ptr <= end - sizeof(int)) { -- int x = *(int *)ptr - 0x21212121; -+ int x = *(int *)ptr - 0x24242424; - if (x & 0x80808080) - break; - -- x -= 0x5e5e5e5e; -+ x -= 0x5b5b5b5b; - if (!(x & 0x80808080)) - break; - -@@ -357,8 +357,15 @@ const char *http_parse_reqline(struct http_msg *msg, - goto http_msg_ood; - } - http_msg_rquri2: -- if (likely((unsigned char)(*ptr - 33) <= 93)) /* 33 to 126 included */ -+ if (likely((unsigned char)(*ptr - 33) <= 93)) { /* 33 to 126 included */ -+ if (*ptr == '#') { -+ if (msg->err_pos < -1) /* PR_O2_REQBUG_OK not set */ -+ goto invalid_char; -+ if (msg->err_pos == -1) /* PR_O2_REQBUG_OK set: just log */ -+ msg->err_pos = ptr - msg_start; -+ } - EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rquri2, http_msg_ood, state, HTTP_MSG_RQURI); -+ } - - if 
(likely(HTTP_IS_SPHT(*ptr))) { - msg->sl.rq.u_l = ptr - msg_start - msg->sl.rq.u; --- -2.35.3 - diff --git a/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch b/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch deleted file mode 100644 index 2c20482..0000000 --- a/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 58b3d8676bbef52bc76dd79ecfcf74582c34ec97 Mon Sep 17 00:00:00 2001 -From: William Lallemand -Date: Thu, 17 Dec 2020 18:48:06 +0100 -Subject: [PATCH] BUG/MEDIUM: mworker: fix again copy_argv() - -When backporting patch df6c5a8 ("BUG/MEDIUM: mworker: fix the copy of -options in copy_argv()") part of the patch was removed by mistake. -Letting the bug #644 unfixed. - -This patch fixes the problem by reintroducing the missing part. - -1.8 only, no backport needed. ---- - src/haproxy.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/src/haproxy.c b/src/haproxy.c -index 5ddf4d05..3947505b 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -1328,6 +1328,21 @@ static char **copy_argv(int argc, char **argv) - } - break; - -+ case 'C': -+ case 'n': -+ case 'm': -+ case 'N': -+ case 'L': -+ case 'f': -+ case 'p': -+ /* these options have only 1 parameter which must be copied and can start with a '-' */ -+ *newargv++ = *argv++; -+ argc--; -+ if (argc == 0) -+ goto error; -+ *newargv++ = *argv++; -+ argc--; -+ break; - default: - /* for other options just copy them without parameters, this is also done - * for options like "--foo", but this will fail in the argument parser. --- -2.26.2 - diff --git a/SOURCES/rhbz1941446-fix-short-http-responses.patch b/SOURCES/rhbz1941446-fix-short-http-responses.patch deleted file mode 100644 index 59c3107..0000000 --- a/SOURCES/rhbz1941446-fix-short-http-responses.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From eaf1d768085a924a5322cfc77439ba5a4945bbae Mon Sep 17 00:00:00 2001
-From: Ryan O'Hara
-Date: Thu, 14 Oct 2021 14:08:39 -0500
-Subject: [PATCH] Fix short HTTP responses to client
-
----
- src/raw_sock.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/raw_sock.c b/src/raw_sock.c
-index ad0210105..fbf20ae35 100644
---- a/src/raw_sock.c
-+++ b/src/raw_sock.c
-@@ -302,7 +302,7 @@ static int raw_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- if (ret > 0) {
- buf->i += ret;
- done += ret;
-- if (ret < try) {
-+ if (0 && ret < try) {
- /* unfortunately, on level-triggered events, POLL_HUP
- * is generally delivered AFTER the system buffer is
- * empty, unless the poller supports POLL_RDHUP. If
---
-2.31.1
-
diff --git a/SOURCES/halog.1 b/halog.1
similarity index 100%
rename from SOURCES/halog.1
rename to halog.1
diff --git a/SOURCES/haproxy.cfg b/haproxy.cfg
similarity index 100%
rename from SOURCES/haproxy.cfg
rename to haproxy.cfg
diff --git a/SOURCES/haproxy.logrotate b/haproxy.logrotate
similarity index 100%
rename from SOURCES/haproxy.logrotate
rename to haproxy.logrotate
diff --git a/SOURCES/haproxy.service b/haproxy.service
similarity index 93%
rename from SOURCES/haproxy.service
rename to haproxy.service
index 356668d..a5524de 100644
--- a/SOURCES/haproxy.service
+++ b/haproxy.service
@@ -4,14 +4,14 @@ After=network-online.target
 Wants=network-online.target [Service]
+EnvironmentFile=-/etc/sysconfig/haproxy
 Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
-EnvironmentFile=/etc/sysconfig/haproxy
 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS
 ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
 ExecReload=/bin/kill -USR2 $MAINPID
-SuccessExitStatus=143
 KillMode=mixed
+SuccessExitStatus=143
 Type=notify [Install]
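Review bot: The `-` prefix on `EnvironmentFile=-/etc/sysconfig/haproxy` turns a missing or unreadable sysconfig file into a silent no-op, so `$OPTIONS` in ExecStartPre/ExecStart/ExecReload expands to nothing instead of the unit refusing to start. That is presumably intended (the spec still installs Source4 at that path), but it also hides a mistyped path or a packaging omission, and nothing in the unit records the choice. Unit files accept `#` comments, so I would document it on the line above: `# optional: a missing sysconfig file leaves $OPTIONS empty rather than failing the unit`. Moving SuccessExitStatus=143 below KillMode=mixed is cosmetic.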
diff --git a/SPECS/haproxy.spec b/haproxy.spec
similarity index 54%
rename from SPECS/haproxy.spec
rename to haproxy.spec
index 4012c92..9f68b1f 100644
--- a/SPECS/haproxy.spec
+++ b/haproxy.spec
@@ -7,43 +7,33 @@ %global _hardened_build 1 Name: haproxy -Version: 1.8.27 -Release: 5%{?dist}.1 +Version: 3.0.5 +Release: 4%{?dist}.1 Summary: HAProxy reverse proxy for high availability environments -Group: System Environment/Daemons -License: GPLv2+ +License: GPL-2.0-or-later URL: http://www.haproxy.org/ -Source0: http://www.haproxy.org/download/1.8/src/haproxy-%{version}.tar.gz +Source0: %{url}/download/3.0/src/haproxy-%{version}.tar.gz Source1: %{name}.service Source2: %{name}.cfg Source3: %{name}.logrotate Source4: %{name}.sysconfig -Source5: halog.1 - -Patch0: rhbz1838319-mworker-fix-again-copy_argv.patch -Patch1: rhbz1941446-fix-short-http-responses.patch -Patch2: CVE-2023-45539-reject-pound-char-URI-component.patch -Patch3: CVE-2023-45539-regtest-verify-pound-char-URI.patch -Patch4: CVE-2023-45539-doc-clarify-URL-fragment-handling.patch -Patch5: CVE-2023-45539-add-ist_find_range-function.patch -Patch6: CVE-2023-45539-add-istend-function.patch -Patch7: CVE-2023-45539-add-http_path_forbidden_char-function.patch -Patch8: CVE-2023-45539-pass-accept-invalid-http-request-parser.patch -Patch9: CVE-2023-45539-reject-chars-from-path-pseudo-header.patch +Source5: %{name}.sysusers +Source6: halog.1 +Patch0: RHEL-126652-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch +BuildRequires: gcc BuildRequires: lua-devel -BuildRequires: pcre-devel -BuildRequires: zlib-devel +BuildRequires: pcre2-devel BuildRequires: openssl-devel BuildRequires: systemd-devel -BuildRequires: systemd-units +BuildRequires: systemd +BuildRequires: systemd-rpm-macros +BuildRequires: make -Requires(pre): shadow-utils -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd +Requires(pre): shadow-utils +%{?systemd_requires} %description HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high 
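Review bot: `Source0: %{url}/download/3.0/src/haproxy-%{version}.tar.gz` inherits the plain-http scheme of the unchanged `URL: http://www.haproxy.org/` line, so the only integrity check on the upstream tarball is the SHA512 recorded in the new `sources` file; that holds for lookaside fetches, but anyone resolving Source0 by URL gets an unauthenticated download. If upstream serves the same path over TLS, switching `URL:` to https closes that gap without touching Source0. Separately, the `3.0` branch directory is spelled out while `Version:` is 3.0.5, so every minor bump has to be made in two places; a comment next to Source0 such as `# keep the branch directory in sync with Version` would make that visible.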
@@ -61,73 +51,53 @@ availability environments. Indeed, it can: %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%autopatch -p1 %build -regparm_opts= -%ifarch %ix86 x86_64 -regparm_opts="USE_REGPARM=1" -%endif +make %{?_smp_mflags} CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}" -%{__make} %{?_smp_mflags} CPU="generic" TARGET="linux2628" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${regparm_opts} ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}" +make admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}" -pushd contrib/halog -%{__make} ${halog} OPTIMIZE="%{optflags} %{build_ldflags}" LDFLAGS= -popd - -pushd contrib/iprange -%{__make} ${iprange} OPTIMIZE="%{optflags} %{build_ldflags}" LDFLAGS= +pushd admin/iprange +make OPTIMIZE="%{build_cflags}" LDFLAGS="%{build_ldflags}" popd %install -%{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628" -%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix} +make install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628" +make install-man DESTDIR=%{buildroot} PREFIX=%{_prefix} -%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service -%{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg -%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} -%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} -%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 -%{__install} -d -m 0755 %{buildroot}%{haproxy_homedir} -%{__install} -d -m 0755 %{buildroot}%{haproxy_datadir} -%{__install} -d -m 0755 
%{buildroot}%{haproxy_confdir}/conf.d -%{__install} -d -m 0755 %{buildroot}%{_bindir} -%{__install} -p -m 0755 ./contrib/halog/halog %{buildroot}%{_bindir}/halog -%{__install} -p -m 0755 ./contrib/iprange/iprange %{buildroot}%{_bindir}/iprange -%{__install} -p -m 0644 ./examples/errorfiles/* %{buildroot}%{haproxy_datadir} +install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service +install -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg +install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} +install -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} +install -p -D -m 0644 %{SOURCE5} %{buildroot}%{_sysusersdir}/%{name}.conf +install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_mandir}/man1/halog.1 +install -d -m 0755 %{buildroot}%{haproxy_homedir} +install -d -m 0755 %{buildroot}%{haproxy_datadir} +install -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d +install -d -m 0755 %{buildroot}%{_bindir} +install -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog +install -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange +install -p -m 0755 ./admin/iprange/ip6range %{buildroot}%{_bindir}/ip6range for httpfile in $(find ./examples/errorfiles/ -type f) do - %{__install} -p -m 0644 $httpfile %{buildroot}%{haproxy_datadir} + install -p -m 0644 $httpfile %{buildroot}%{haproxy_datadir} done -%{__rm} -rf ./examples/errorfiles/ +rm -rf ./examples/errorfiles/ -find ./examples/* -type f ! -name "*.cfg" -exec %{__rm} -f "{}" \; +find ./examples/* -type f ! 
-name "*.cfg" -exec rm -f "{}" \; for textfile in $(find ./ -type f -name '*.txt') do - %{__mv} $textfile $textfile.old + mv $textfile $textfile.old iconv --from-code ISO8859-1 --to-code UTF-8 --output $textfile $textfile.old - %{__rm} -f $textfile.old + rm -f $textfile.old done %pre -getent group %{haproxy_group} >/dev/null || \ - groupadd -r %{haproxy_group} -getent passwd %{haproxy_user} >/dev/null || \ - useradd -r -g %{haproxy_user} -d %{haproxy_homedir} \ - -s /sbin/nologin -c "haproxy" %{haproxy_user} -exit 0 +%sysusers_create_compat %{SOURCE5} %post %systemd_post %{name}.service @@ -139,9 +109,8 @@ exit 0 %systemd_postun_with_restart %{name}.service %files -%defattr(-,root,root,-) %doc doc/* examples/* -%doc CHANGELOG README ROADMAP VERSION +%doc CHANGELOG README VERSION %license LICENSE %dir %{haproxy_homedir} %dir %{haproxy_confdir} 
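Review bot: `make install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"` still names the pre-2.0 target while the %build line in the same hunk compiles with `TARGET="linux-glibc"`. install-bin presumably only copies the already-built binary, so this is harmless today, but the mismatch invites a reader to wonder which target the package was actually built for. Use the same value in both places: `make install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux-glibc"`.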
@@ -155,73 +124,304 @@ exit 0 %{_sbindir}/%{name} %{_bindir}/halog %{_bindir}/iprange +%{_bindir}/ip6range %{_mandir}/man1/* +%{_sysusersdir}/%{name}.conf %changelog -* Thu Sep 05 2024 Ryan O'Hara - 1.8.27-5.1 -- Reject "#" as part of URI path component (CVE-2023-45539, RHEL-18168) +* Thu Nov 6 2025 Oyvind Albrigtsen - 3.0.5-4.1 +- Fix denial of service vulnerability in mjson library (CVE-2025-11230) + Resolves: RHEL-126652 -* Fri Jun 03 2022 Ryan O'Hara - 1.8.27-5 -- Add configuration directory and update systemd unit file (#1943869) +* Wed Jan 8 2025 Oyvind Albrigtsen - 3.0.5-4 +- Fix CVE-2024-53008 + Resolves: RHEL-69415 -* Tue Jan 18 2022 Ryan O'Hara - 1.8.27-4 -- Apply patch (#1941446) +* Wed Oct 30 2024 Ryan O'Hara - 3.0.5-1 +- Fix potential infinite loop condition h2_send (CVE-2024-45506, RHEL-57105) -* Fri Oct 15 2021 Ryan O'Hara - 1.8.27-3 -- Fix short HTTP responses (#1941446) +* Tue Oct 29 2024 Troy Dawson - 3.0.3-2 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Thu Dec 17 2020 Ryan O'Hara - 1.8.27-2 -- Fix copy_argv for arguments that begin with hypen (#1838319) +* Tue Jul 16 2024 Ryan O'Hara - 3.0.3-1 +- Update to 3.0.3 (RHEL-40620) -* Thu Dec 10 2020 Ryan O'Hara - 1.8.27-1 -- Update to 1.8.27 (#1905663, #1838319) +* Mon Jun 24 2024 Troy Dawson - 2.9.4-2 +- Bump release for June 2024 mass rebuild -* Thu Jun 18 2020 Ryan O'Hara - 1.8.23-5 -- Use OPTIONS from systemd EnvironmentFile (#1845611) +* Thu Feb 08 2024 Ryan O'Hara - 2.9.4-1 +- Update to 2.9.4 (#2250339) -* Wed Jun 17 2020 Ryan O'Hara - 1.8.23-4 -- Wait for network to be online before starting (#1756714) +* Wed Jan 24 2024 Fedora Release Engineering - 2.8.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Wed Apr 01 2020 Ryan O'Hara - 1.8.23-3 -- Fix hapack zero byte input causing overwrite (CVE-2020-11100, #1819519) +* Sat Jan 20 2024 Fedora Release Engineering - 2.8.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* 
Fri Dec 13 2019 Ryan O'Hara - 1.8.23-2 -- Consider exist status 143 as success (#1778844) +* Mon Sep 25 2023 Ryan O'Hara - 2.8.3-1 +- Update to 2.8.3 (#2219397) -* Mon Dec 02 2019 Ryan O'Hara - 1.8.23-1 -- Update to 1.8.23 (#1774745) +* Fri Aug 04 2023 Ryan O'Hara - 2.8.1-1 +- Update to 2.8.1 (#2219397) -* Fri Jul 19 2019 Ryan O'Hara - 1.8.15-6 -- Add gating tests (#1682106) +* Fri Aug 04 2023 Ryan O'Hara - 2.8.0-3 +- Migrate to SPDX license -* Wed Jan 09 2019 Ryan O'Hara - 1.8.15-5 -- Resolve CVE-2018-20615 (#1664533) +* Thu Jul 20 2023 Fedora Release Engineering - 2.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Sun Dec 16 2018 Ryan O'Hara - 1.8.15-4 -- Use empty LDFLAGS to prevent stripping, maintain hardened build +* Thu Jun 08 2023 Ryan O'Hara - 2.8.0-1 +- Update to 2.8.0 (#2203868) -* Sat Dec 15 2018 Ryan O'Hara - 1.8.15-3 -- Use LDFLAGS when building contib tools to prevent binary stripping +* Tue Apr 04 2023 Ryan O'Hara - 2.7.6-1 +- Update to 2.7.6 (#2182310) -* Fri Dec 14 2018 Ryan O'Hara - 1.8.15-2 -- Bump release +* Thu Mar 23 2023 Ryan O'Hara - 2.7.5-1 +- Update to 2.7.5 (#2154925) + +* Wed Feb 15 2023 Ryan O'Hara - 2.7.3-1 +- Update to 2.7.3 (#2154925) +- Reject invalid response header (CVE-2023-0056, #2161138) +- Fix request smuggling attack (CVE-2023-25725, #2169823) + +* Thu Jan 19 2023 Fedora Release Engineering - 2.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Dec 05 2022 Ryan O'Hara - 2.7.0-1 +- Update to 2.7.0 (#2150028) + +* Tue Nov 29 2022 Ryan O'Hara - 2.6.6-4 +- Fix Source0 URL (#2139126) + +* Tue Oct 11 2022 Ryan O'Hara - 2.6.6-3 +- Use systemd-sysusers (#2134206) + +* Tue Oct 11 2022 Ryan O'Hara - 2.6.6-2 +- Remove USE_REGPARM (#2097885) + +* Tue Oct 11 2022 Ryan O'Hara - 2.6.6-1 +- Update to 2.6.6 (#2099745) + +* Thu Jul 21 2022 Fedora Release Engineering - 2.6.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Fri Jun 03 2022 Ryan O'Hara - 
2.6.0-2 +- Add conf.d directory and update systemd unit file (#2093483) + +* Fri Jun 03 2022 Ryan O'Hara - 2.6.0-1 +- Update to 2.6.0 (#2092069) + +* Wed May 25 2022 Ryan O'Hara - 2.5.7-1 +- Update to 2.5.7 (#2026009) + +* Thu Jan 20 2022 Fedora Release Engineering - 2.4.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Nov 15 2021 Ryan O'Hara - 2.4.8-3 +- Fix OpenSSL 3.0 build (#2022031) + +* Thu Nov 04 2021 Matt Raffert - 2.4.8-2 +- Increase available sticky counters (#2012912) + +* Thu Nov 04 2021 Ryan O'Hara - 2.4.8-1 +- Update to 2.4.8 (#2019823) + +* Wed Oct 13 2021 Ryan O'Hara - 2.4.7-1 +- Update to 2.4.7 (#2009817) + +* Tue Sep 14 2021 Sahana Prasad - 2.4.4-2 +- Rebuilt with OpenSSL 3.0.0 + +* Tue Sep 07 2021 Ryan O'Hara - 2.4.4-1 +- Update to 2.4.4 (#2002008) + +* Tue Aug 17 2021 Ryan O'Hara - 2.4.3-1 +- Update to 2.4.3 (#1960565) + +* Thu Jul 22 2021 Fedora Release Engineering - 2.4.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jul 14 2021 Petr Pisar - 2.4.2-2 +- Rebuild against pcre2-10.37 (bug #1965025) + +* Mon Jul 12 2021 Ryan O'Hara - 2.4.2-1 +- Update to 2.4.2 (#1960565) + +* Thu Jun 03 2021 Ryan O'Hara - 2.4.0-5 +- Fix usage of build flags + +* Mon May 17 2021 Ryan O'Hara - 2.4.0-4 +- Fix path of contrib/admin tools + +* Mon May 17 2021 Ryan O'Hara - 2.4.0-3 +- Use SLZ instead of ZLIB + +* Mon May 17 2021 Ryan O'Hara - 2.4.0-2 +- Add USE_PROMEX=1 for prometheus exporter + +* Mon May 17 2021 Ryan O'Hara - 2.4.0-1 +- Update to 2.4.0 (#1960565) + +* Mon Apr 26 2021 Ryan O'Hara - 2.3.10-1 +- Update to 2.3.10 (#1953018) + +* Tue Apr 06 2021 Ryan O'Hara - 2.3.9-1 +- Update to 2.3.9 (#1934647) + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.3.5-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. 
+ +* Mon Feb 08 2021 Ryan O'Hara - 2.3.5-2 +- Fix source URL + +* Mon Feb 08 2021 Ryan O'Hara - 2.3.5-1 +- Update to 2.3.5 (#1925774) + +* Tue Jan 26 2021 Fedora Release Engineering - 2.3.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Jan 14 2021 Ryan O'Hara - 2.3.4-1 +- Update to 2.3.4 (#1914447) + +* Tue Dec 08 2020 Ryan O'Hara - 2.3.2-1 +- Update to 2.3.2 (#1894994) + +* Thu Oct 01 2020 Ryan O'Hara - 2.2.4-1 +- Update to 2.2.4 (#1883742) + +* Thu Sep 17 2020 Ryan O'Hara - 2.2.3-2 +- Fix build for late loading of libgcc_s + +* Mon Sep 14 2020 Ryan O'Hara - 2.2.3-1 +- Update to 2.2.3 (#1876932) + +* Fri Jul 31 2020 Ryan O'Hara - 2.2.2-1 +- Update to 2.2.2 (#1862400) + +* Mon Jul 27 2020 Ryan O'Hara - 2.2.1-1 +- Update to 2.2.1 (#1859846) + +* Wed Jul 15 2020 Ryan O'Hara - 2.2.0-3 +- Update systemd service file + +* Fri Jul 10 2020 Tom Callaway - 2.2.0-2 +- Fix build against lua 5.4 + +* Thu Jul 09 2020 Ryan O'Hara - 2.2.0-1 +- Update to 2.2.0 (#1854519) + +* Mon Jun 15 2020 Ryan O'Hara - 2.1.7-1 +- Update to 2.1.7 (#1845001) + +* Mon Jun 08 2020 Ryan O'Hara - 2.1.6-1 +- Update to 2.1.6 (#1845001) + +* Mon Jun 01 2020 Ryan O'Hara - 2.1.5-1 +- Update to 2.1.5 (#1841837) + +* Thu Apr 02 2020 Ryan O'Hara - 2.1.4-1 +- Update to 2.1.4 (CVE-2010-11100, #1820200) + +* Mon Mar 16 2020 Ryan O'Hara - 2.1.3-2 +- Fix invalid element address calculation (#1801109) + +* Wed Feb 12 2020 Ryan O'Hara - 2.1.3-1 +- Update to 2.1.3 (#1802233) + +* Wed Jan 29 2020 Fedora Release Engineering - 2.1.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jan 02 2020 Ryan O'Hara - 2.1.2-1 +- Update to 2.1.2 (#1782472) + +* Mon Nov 25 2019 Ryan O'Hara - 2.0.10-1 +- Update to 2.0.10 (#1772961) + +* Wed Nov 06 2019 Ryan O'Hara - 2.0.8-1 +- Update to 2.0.8 (#1764483) + +* Mon Oct 21 2019 Ryan O'Hara - 2.0.7-2 +- Build with Prometheus exporter service (#1755839) + +* Mon Oct 21 2019 Ryan O'Hara - 2.0.7-1 +- Update to 2.0.7 (#1742544) 
+ +* Fri Sep 13 2019 Ryan O'Hara - 2.0.6-1 +- Update to 2.0.6 (#1742544) + +* Mon Aug 19 2019 Ryan O'Hara - 2.0.5-1 +- Update to 2.0.5 (#1742544) + +* Tue Jul 30 2019 Ryan O'Hara - 2.0.3-1 +- Update to 2.0.3 (#1690492) + +* Tue Jul 30 2019 Ryan O'Hara - 1.8.20-3 +- Build with PCRE2 (#1669217) + +* Thu Jul 25 2019 Fedora Release Engineering - 1.8.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 17 2019 Ryan O'Hara - 1.8.20-1 +- Update to 1.8.20 + +* Wed Feb 13 2019 Ryan O'Hara - 1.8.19-1 +- Update to 1.8.19 + +* Fri Feb 01 2019 Fedora Release Engineering - 1.8.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jan 24 2019 Petr Pisar - 1.8.17-3 +- Rebuild against patched libpcreposix library (bug #1667614) + +* Mon Jan 14 2019 Björn Esser - 1.8.17-2 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Wed Jan 09 2019 Ryan O'Hara - 1.8.17-1 +- Update to 1.8.17 +- Fix handling of priority flag in HEADERS frame in HTTP/2 decoder (CVE-2018-20615) + +* Sat Dec 22 2018 Ryan O'Hara - 1.8.16-1 +- Update to 1.8.16 * Thu Dec 13 2018 Ryan O'Hara - 1.8.15-1 -- Update to 1.8.15 (#1631815) -- Resolve CVE-2018-20102 (#1659017) -- Resolve CVE-2018-20103 (#1659019) +- Update to 1.8.15 +- Fix denial of service attack via infinite recursion (CVE-2018-20103, #1658881) +- Fix out-of-bound reads in dns_validate_dns_response (CVE-2018-20102, #1658882) -* Tue Oct 02 2018 Ryan O'Hara - 1.8.14-1 -- Update to 1.8.14 (#1631815) -- Resolve CVE-2018-14645 (#1631539) +* Sat Dec 01 2018 Ryan O'Hara - 1.8.14-2 +- Use of crpyt() is not thread safe (#1643941) -* Wed Jul 25 2018 Ryan O'Hara - 1.8.12-2 -- Fix ownership of /var/lib/haproxy/ to avoid selinux DAC override errors +* Thu Sep 20 2018 Ryan O'Hara - 1.8.14-1 +- Update to 1.8.14 (#1610066) -* Mon Jul 02 2018 Ryan O'Hara - 1.8.12-1 -- Update to 1.8.12 -- Resolve CVE-2018-10184 (#1569643) -- Resolve CVE-2018-11469 (#1584787) +* Mon Aug 20 2018 Ryan O'Hara - 1.8.13-1 +- Update to 1.8.13 
(#1610066)
+
+* Thu Aug 16 2018 Ryan O'Hara - 1.8.12-4
+- Add BuildRequires gcc (#1604308)
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1.8.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Ryan O'Hara - 1.8.12-2
+- Fix ownership of /var/lib/haproxy/ to avoid selinux DAC override errors (#1597076)
+
+* Thu Jun 28 2018 Ryan O'Hara - 1.8.12-1
+- Update to 1.8.12 (#1580036)
+
+* Wed Jun 27 2018 Ryan O'Hara - 1.8.11-1
+- Update to 1.8.11 (#1580036)
+
+* Mon Jun 25 2018 Ryan O'Hara - 1.8.10-1
+- Update to 1.8.10 (#1580036)
+
+* Mon May 21 2018 Ryan O'Hara - 1.8.9-1
+- Update to 1.8.9 (#1580036)
+
+* Thu May 10 2018 Ryan O'Hara - 1.8.8-2
+- Build with USE_GETADDRINFO option * Thu Apr 19 2018 Ryan O'Hara - 1.8.8-1
 - Update to 1.8.8 (#1560121)
diff --git a/SOURCES/haproxy.sysconfig b/haproxy.sysconfig
similarity index 100%
rename from SOURCES/haproxy.sysconfig
rename to haproxy.sysconfig
diff --git a/haproxy.sysusers b/haproxy.sysusers
new file mode 100644
index 0000000..f17003a
--- /dev/null
+++ b/haproxy.sysusers
@@ -0,0 +1 @@
+u haproxy - "haproxy" /var/lib/haproxy
diff --git a/sources b/sources
new file mode 100644
index 0000000..6fbccff
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (haproxy-3.0.5.tar.gz) = 8c16b026d5e26fc030178ecd354c68e8ea32c2b971f143cb2aa2f1b2d16fbfc0a27e3975f78873a0cefe3f904b5f1999f8d75622a04234b9cf88f90161d9ea91
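Review bot: The new changelog line `- Update to 2.1.4 (CVE-2010-11100, #1820200)` looks like a transposed identifier: the removed 1.8.23-3 entry dated one day earlier cites `CVE-2020-11100` for the hpack zero-byte fix, and a 2010-numbered CVE is implausible for an April 2020 release. Tooling that mines %changelog for CVE references would miss this fix, so I would correct it to `CVE-2020-11100` while the changelog is being rewritten anyway. The %files additions for `%{_bindir}/ip6range` and `%{_sysusersdir}/%{name}.conf` match what the %install section now copies.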