From e1ffe12c622eaf06f989d840ab037d7cde73d0b6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 15 Nov 2022 01:52:22 -0500
Subject: [PATCH] import haproxy-2.4.17-3.el9
---
.gitignore | 2 +-
.haproxy.metadata | 2 +-
SOURCES/bz1984786-fix-openssl-build.patch | 45 -----------------
...2059438-fix-undound-loop-set-cookie2.patch | 48 -------------------
SOURCES/haproxy.service | 8 ++--
SPECS/haproxy.spec | 22 +++++----
6 files changed, 19 insertions(+), 108 deletions(-)
delete mode 100644 SOURCES/bz1984786-fix-openssl-build.patch
delete mode 100644 SOURCES/bz2059438-fix-undound-loop-set-cookie2.patch
diff --git a/.gitignore b/.gitignore
index b0c7871..743f11c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/haproxy-2.4.7.tar.gz
+SOURCES/haproxy-2.4.17.tar.gz
diff --git a/.haproxy.metadata b/.haproxy.metadata
index 1fef6be..52f1eb4 100644
--- a/.haproxy.metadata
+++ b/.haproxy.metadata
@@ -1 +1 @@
-d3f3a4ff293cb2d9ec2085cac324698d260e2739 SOURCES/haproxy-2.4.7.tar.gz
+28a0b8de9a6a4095406d190b83a024a11d7aedf6 SOURCES/haproxy-2.4.17.tar.gz
diff --git a/SOURCES/bz1984786-fix-openssl-build.patch b/SOURCES/bz1984786-fix-openssl-build.patch
deleted file mode 100644
index bac19bd..0000000
--- a/SOURCES/bz1984786-fix-openssl-build.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From f22b032956bc492dcf47b2a909f91a6fb2c6e49b Mon Sep 17 00:00:00 2001
-From: William Lallemand
-Date: Wed, 2 Jun 2021 16:09:11 +0200
-Subject: [PATCH] BUILD: fix compilation for OpenSSL-3.0.0-alpha17
-
-Some changes in the OpenSSL syntax API broke this syntax:
- #if SSL_OP_NO_TLSv1_3
-
-OpenSSL made this change which broke our usage in commit f04bb0bce490de847ed0482b8ec9eabedd173852:
-
--# define SSL_OP_NO_TLSv1_3 (uint64_t)0x20000000
-+#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
-+# define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29)
-
-Which can't be evaluated by the preprocessor anymore.
-This patch replace the test by an openssl version test.
-
-This fix part of #1276 issue.
----
- src/ssl_sock.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index f596a831d..27a4c3531 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -2217,13 +2217,13 @@ static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
- : SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
- }
- static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {
--#if SSL_OP_NO_TLSv1_3
-+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
- : SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
- #endif
- }
- static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
--#if SSL_OP_NO_TLSv1_3
-+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION)
- : SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
- #endif
---
-2.31.1
-
diff --git a/SOURCES/bz2059438-fix-undound-loop-set-cookie2.patch b/SOURCES/bz2059438-fix-undound-loop-set-cookie2.patch
deleted file mode 100644
index 2b80927..0000000
--- a/SOURCES/bz2059438-fix-undound-loop-set-cookie2.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0980912282f20a1db64d7ba0a9a825dfee3cb044 Mon Sep 17 00:00:00 2001
-From: Andrew McDermott
-Date: Fri, 11 Feb 2022 18:26:49 +0000
-Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
- http_manage_server_side_cookies
-
-Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
-header is found then the while(1) loop in
-http_manage_server_side_cookies() will never terminate, resulting in
-the watchdog firing and the process terminating via SIGABRT.
-
-The while(1) loop becomes unbounded because an unmatched call to
-http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
-calls to check for "Set-Cookie2" will now enumerate from the beginning
-of all the blocks and will once again match on subsequent
-passes (assuming a match first time around), hence the loop becoming
-unbounded.
-
-This issue was introduced with HTX and this fix should be backported
-to all versions supporting HTX.
-
-Many thanks to Grant Spence (gspence@redhat.com) for working through
-this issue with me.
-
-(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)
-Signed-off-by: Willy Tarreau
-(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)
-Signed-off-by: Willy Tarreau
----
- src/http_ana.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/http_ana.c b/src/http_ana.c
-index 4c765cb39..0f40ab3ab 100644
---- a/src/http_ana.c
-+++ b/src/http_ana.c
-@@ -3433,7 +3433,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
- while (1) {
- int is_first = 1;
-
-- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
-+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
- if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
- break;
- is_cookie2 = 1;
---
-2.33.1
-
diff --git a/SOURCES/haproxy.service b/SOURCES/haproxy.service
index e128edf..a5524de 100644
--- a/SOURCES/haproxy.service
+++ b/SOURCES/haproxy.service
@@ -5,10 +5,10 @@ Wants=network-online.target [Service] EnvironmentFile=-/etc/sysconfig/haproxy -Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" -ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS -ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS -ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS +Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d" +ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS +ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS +ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS ExecReload=/bin/kill -USR2 $MAINPID KillMode=mixed SuccessExitStatus=143 diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec index d2df0b3..82e20c7 100644 --- a/SPECS/haproxy.spec +++ b/SPECS/haproxy.spec @@ -7,8 +7,8 @@ %global _hardened_build 1 Name: haproxy -Version: 2.4.7 -Release: 2%{?dist} +Version: 2.4.17 +Release: 3%{?dist} Summary: HAProxy reverse proxy for high availability environments License: GPLv2+ @@ -21,9 +21,6 @@ Source3: %{name}.logrotate Source4: %{name}.sysconfig Source5: halog.1 -Patch0: bz1984786-fix-openssl-build.patch -Patch1: bz2059438-fix-undound-loop-set-cookie2.patch - BuildRequires: gcc BuildRequires: lua-devel BuildRequires: pcre2-devel @@ -51,8 +48,6 @@ availability environments. Indeed, it can: %prep %setup -q -%patch0 -p1 -%patch1 -p1 %build regparm_opts= @@ -79,6 +74,7 @@ popd %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 %{__install} -d -m 0755 %{buildroot}%{haproxy_homedir} %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir} +%{__install} -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d %{__install} -d -m 0755 %{buildroot}%{_bindir} %{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog %{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange 
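Review bot: The `-f $CFGDIR` argument added to ExecStartPre, ExecStart and ExecReload in SOURCES/haproxy.service makes /etc/haproxy/conf.d part of the configuration haproxy trusts, and the unit carries no comment saying so. When `-f` is given a directory, HAProxy loads every non-hidden file ending in `.cfg` from it in lexical order, here after `$CONFIG`, so an unintended file dropped there changes the running proxy on the next start or reload; no `User=` is visible in this hunk (the [Service] section continues outside it), so the process presumably starts as root. I would add above the `Environment=` line something like `# CFGDIR: all non-hidden *.cfg files in this directory are loaded after $CONFIG, in lexical order; keep it root-owned and not group- or world-writable`. The spec hunks in this patch create the directory with mode 0755 and list it under `%dir`, which is consistent with that. The same comment should also say that `$CFGDIR` expands to zero words if /etc/sysconfig/haproxy sets it to an empty value, which leaves a dangling `-f` that swallows the next option.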
@@ -123,6 +119,7 @@ exit 0 %license LICENSE %dir %{haproxy_homedir} %dir %{haproxy_confdir} +%dir %{haproxy_confdir}/conf.d %dir %{haproxy_datadir} %{haproxy_datadir}/* %config(noreplace) %{haproxy_confdir}/%{name}.cfg @@ -136,8 +133,15 @@ exit 0 %{_mandir}/man1/* %changelog -* Wed Apr 06 2022 Ryan O'Hara - 2.4.7-2 -- Fix unbound loop when Set-Cookie2 header is present (#2059438) +* Mon Jul 25 2022 Ryan O'Hara - 2.4.17-3 +- Fix changelog and rebuild + +* Wed Jun 08 2022 Ryan O'Hara - 2.4.17-2 +- Add configuration directory and update systemd unit file (#2093482) + +* Wed May 25 2022 Ryan O'Hara - 2.4.17-1 +- Update to 2.4.17 #(2088532) +- Fix unbound loop when Set-Cookie2 header is present (#2070448) * Wed Oct 13 2021 Ryan O'Hara - 2.4.7-1 - Update to 2.4.7 (#1966688)