import haproxy-2.4.17-6.el9

2023-05-09 05:21:18 +00:00 · 2023-05-09 05:21:18 +00:00 · ac6ed12861
parent 1b7939a901
commit ac6ed12861
4 changed files with 18 additions and 15 deletions
--- a/SOURCES/bz2161140-refuse-response-end-stream-flag.patch
+++ b/SOURCES/bz2161140-refuse-response-end-stream-flag.patch
--- a/SOURCES/bz2169510-reject-empty-http-header-fields.patch
+++ b/SOURCES/bz2169510-reject-empty-http-header-fields.patch
--- a/SOURCES/haproxy.sysusers
+++ b/SOURCES/haproxy.sysusers
@ -0,0 +1 @@
+u haproxy - "haproxy" /var/lib/haproxy
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@ -8,7 +8,7 @@

 Name:           haproxy
 Version:        2.4.17
-Release:        3%{?dist}.2
+Release:        6%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments

 License:        GPLv2+
@ -19,10 +19,11 @@ Source1:        %{name}.service
 Source2:        %{name}.cfg
 Source3:        %{name}.logrotate
 Source4:        %{name}.sysconfig
-Source5:        halog.1
+Source5:        %{name}.sysusers
+Source6:        halog.1

-Patch0: bz2174172-refuse-response-end-stream-flag.patch
-Patch1: bz2174174-reject-empty-http-header-fields.patch
+Patch0: bz2161140-refuse-response-end-stream-flag.patch
+Patch1: bz2169510-reject-empty-http-header-fields.patch

 BuildRequires:  gcc
 BuildRequires:  lua-devel
@ -30,6 +31,7 @@ BuildRequires:  pcre2-devel
 BuildRequires:  openssl-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  make

 Requires(pre):  shadow-utils
@ -76,7 +78,8 @@ popd
 %{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
 %{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 %{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
-%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
+%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_sysusersdir}/%{name}.conf
+%{__install} -p -D -m 0644 %{SOURCE6} %{buildroot}%{_mandir}/man1/halog.1
 %{__install} -d -m 0755 %{buildroot}%{haproxy_homedir}
 %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
 %{__install} -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d
@ -102,12 +105,7 @@ do
 done

 %pre
-getent group %{haproxy_group} >/dev/null || \
-    groupadd -r %{haproxy_group}
-getent passwd %{haproxy_user} >/dev/null || \
-    useradd -r -g %{haproxy_user} -d %{haproxy_homedir} \
-    -s /sbin/nologin -c "haproxy" %{haproxy_user}
-exit 0
+%sysusers_create_compat %{SOURCE5}

 %post
 %systemd_post %{name}.service
@ -136,13 +134,17 @@ exit 0
 %{_bindir}/iprange
 %{_bindir}/ip6range
 %{_mandir}/man1/*
+%{_sysusersdir}/%{name}.conf

 %changelog
-* Thu Mar 02 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3.2
- Reject empty http header field names (CVE-2023-25725, #2174174)
+* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-6
+- Reject empty http header field names (CVE-2023-25725, #2169510)

-* Thu Mar 02 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3.1
- Refuse interim responses with end-stream flag set (CVE-2023-0056, #2174172)
+* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-5
+- Refuse interim responses with end-stream flag set (CVE-2023-0056, #2161140)
+
+* Wed Nov 30 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-4
+- Use systemd-sysusers for user/group creation (#2095422)

 * Mon Jul 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3
 - Fix changelog and rebuild