import haproxy-2.4.17-3.el9

2022-11-15 01:52:22 -05:00 · 2022-11-15 01:52:22 -05:00 · e1ffe12c62
parent 3b83956724
commit e1ffe12c62
6 changed files with 19 additions and 108 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/haproxy-2.4.7.tar.gz
+SOURCES/haproxy-2.4.17.tar.gz
--- a/.haproxy.metadata
+++ b/.haproxy.metadata
@ -1 +1 @@
-d3f3a4ff293cb2d9ec2085cac324698d260e2739 SOURCES/haproxy-2.4.7.tar.gz
+28a0b8de9a6a4095406d190b83a024a11d7aedf6 SOURCES/haproxy-2.4.17.tar.gz
--- a/SOURCES/bz1984786-fix-openssl-build.patch
+++ b/SOURCES/bz1984786-fix-openssl-build.patch
@ -1,45 +0,0 @@
-From f22b032956bc492dcf47b2a909f91a6fb2c6e49b Mon Sep 17 00:00:00 2001
-From: William Lallemand <wlallemand@haproxy.org>
-Date: Wed, 2 Jun 2021 16:09:11 +0200
-Subject: [PATCH] BUILD: fix compilation for OpenSSL-3.0.0-alpha17
-
-Some changes in the OpenSSL syntax API broke this syntax:
-  #if SSL_OP_NO_TLSv1_3
-
-OpenSSL made this change which broke our usage in commit f04bb0bce490de847ed0482b8ec9eabedd173852:
-
-# define SSL_OP_NO_TLSv1_3                               (uint64_t)0x20000000
-+#define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
-+# define SSL_OP_NO_TLSv1_3                               SSL_OP_BIT(29)
-
-Which can't be evaluated by the preprocessor anymore.
-This patch replace the test by an openssl version test.
-
-This fix part of #1276 issue.
---
- src/ssl_sock.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index f596a831d..27a4c3531 100644
--- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -2217,13 +2217,13 @@ static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
- 		: SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
- }
- static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {
-#if SSL_OP_NO_TLSv1_3
-+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- 	c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
- 		: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
- #endif
- }
- static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
-#if SSL_OP_NO_TLSv1_3
-+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- 	c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION)
- 		: SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
- #endif
-- 
-2.31.1
-
--- a/SOURCES/bz2059438-fix-undound-loop-set-cookie2.patch
+++ b/SOURCES/bz2059438-fix-undound-loop-set-cookie2.patch
@ -1,48 +0,0 @@
-From 0980912282f20a1db64d7ba0a9a825dfee3cb044 Mon Sep 17 00:00:00 2001
-From: Andrew McDermott <aim@frobware.com>
-Date: Fri, 11 Feb 2022 18:26:49 +0000
-Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
- http_manage_server_side_cookies
-
-Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
-header is found then the while(1) loop in
-http_manage_server_side_cookies() will never terminate, resulting in
-the watchdog firing and the process terminating via SIGABRT.
-
-The while(1) loop becomes unbounded because an unmatched call to
-http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
-calls to check for "Set-Cookie2" will now enumerate from the beginning
-of all the blocks and will once again match on subsequent
-passes (assuming a match first time around), hence the loop becoming
-unbounded.
-
-This issue was introduced with HTX and this fix should be backported
-to all versions supporting HTX.
-
-Many thanks to Grant Spence (gspence@redhat.com) for working through
-this issue with me.
-
-(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
---
- src/http_ana.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/http_ana.c b/src/http_ana.c
-index 4c765cb39..0f40ab3ab 100644
--- a/src/http_ana.c
-+++ b/src/http_ana.c
-@@ -3433,7 +3433,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
- 	while (1) {
- 		int is_first = 1;
- 
-		if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
-+		if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
- 			if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
- 				break;
- 			is_cookie2 = 1;
-- 
-2.33.1
-
--- a/SOURCES/haproxy.service
+++ b/SOURCES/haproxy.service
@ -5,10 +5,10 @@ Wants=network-online.target

 [Service]
 EnvironmentFile=-/etc/sysconfig/haproxy
-Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
-ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
-ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS
-ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
+ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
+ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS
+ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=mixed
 SuccessExitStatus=143
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@ -7,8 +7,8 @@
 %global _hardened_build 1

 Name:           haproxy
-Version:        2.4.7
-Release:        2%{?dist}
+Version:        2.4.17
+Release:        3%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments

 License:        GPLv2+
@ -21,9 +21,6 @@ Source3:        %{name}.logrotate
 Source4:        %{name}.sysconfig
 Source5:        halog.1

-Patch0:         bz1984786-fix-openssl-build.patch
-Patch1:         bz2059438-fix-undound-loop-set-cookie2.patch
-
 BuildRequires:  gcc
 BuildRequires:  lua-devel
 BuildRequires:  pcre2-devel
@ -51,8 +48,6 @@ availability environments. Indeed, it can:

 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1

 %build
 regparm_opts=
@ -79,6 +74,7 @@ popd
 %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
 %{__install} -d -m 0755 %{buildroot}%{haproxy_homedir}
 %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
+%{__install} -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d
 %{__install} -d -m 0755 %{buildroot}%{_bindir}
 %{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog
 %{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange
@ -123,6 +119,7 @@ exit 0
 %license LICENSE
 %dir %{haproxy_homedir}
 %dir %{haproxy_confdir}
+%dir %{haproxy_confdir}/conf.d
 %dir %{haproxy_datadir}
 %{haproxy_datadir}/*
 %config(noreplace) %{haproxy_confdir}/%{name}.cfg
@ -136,8 +133,15 @@ exit 0
 %{_mandir}/man1/*

 %changelog
-* Wed Apr 06 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.7-2
- Fix unbound loop when Set-Cookie2 header is present (#2059438)
+* Mon Jul 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3
+- Fix changelog and rebuild
+
+* Wed Jun 08 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-2
+- Add configuration directory and update systemd unit file (#2093482)
+
+* Wed May 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-1
+- Update to 2.4.17 #(2088532)
+- Fix unbound loop when Set-Cookie2 header is present (#2070448)

 * Wed Oct 13 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.7-1
 - Update to 2.4.7 (#1966688)