import haproxy-2.4.17-3.el9
		
							parent
							
								
									3b83956724
								
							
						
					
					
						commit
						e1ffe12c62
					
				
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -1 +1 @@ | |||||||
| SOURCES/haproxy-2.4.7.tar.gz | SOURCES/haproxy-2.4.17.tar.gz | ||||||
|  | |||||||
| @ -1 +1 @@ | |||||||
| d3f3a4ff293cb2d9ec2085cac324698d260e2739 SOURCES/haproxy-2.4.7.tar.gz | 28a0b8de9a6a4095406d190b83a024a11d7aedf6 SOURCES/haproxy-2.4.17.tar.gz | ||||||
|  | |||||||
| @ -1,45 +0,0 @@ | |||||||
| From f22b032956bc492dcf47b2a909f91a6fb2c6e49b Mon Sep 17 00:00:00 2001 |  | ||||||
| From: William Lallemand <wlallemand@haproxy.org> |  | ||||||
| Date: Wed, 2 Jun 2021 16:09:11 +0200 |  | ||||||
| Subject: [PATCH] BUILD: fix compilation for OpenSSL-3.0.0-alpha17 |  | ||||||
| 
 |  | ||||||
| Some changes in the OpenSSL syntax API broke this syntax: |  | ||||||
|   #if SSL_OP_NO_TLSv1_3 |  | ||||||
| 
 |  | ||||||
| OpenSSL made this change which broke our usage in commit f04bb0bce490de847ed0482b8ec9eabedd173852: |  | ||||||
| 
 |  | ||||||
| -# define SSL_OP_NO_TLSv1_3                               (uint64_t)0x20000000
 |  | ||||||
| +#define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
 |  | ||||||
| +# define SSL_OP_NO_TLSv1_3                               SSL_OP_BIT(29)
 |  | ||||||
| 
 |  | ||||||
| Which can't be evaluated by the preprocessor anymore. |  | ||||||
| This patch replace the test by an openssl version test. |  | ||||||
| 
 |  | ||||||
| This fix part of #1276 issue. |  | ||||||
| ---
 |  | ||||||
|  src/ssl_sock.c | 4 ++-- |  | ||||||
|  1 file changed, 2 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 |  | ||||||
| index f596a831d..27a4c3531 100644
 |  | ||||||
| --- a/src/ssl_sock.c
 |  | ||||||
| +++ b/src/ssl_sock.c
 |  | ||||||
| @@ -2217,13 +2217,13 @@ static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
 |  | ||||||
|  		: SSL_set_min_proto_version(ssl, TLS1_2_VERSION); |  | ||||||
|  } |  | ||||||
|  static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) { |  | ||||||
| -#if SSL_OP_NO_TLSv1_3
 |  | ||||||
| +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 |  | ||||||
|  	c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) |  | ||||||
|  		: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); |  | ||||||
|  #endif |  | ||||||
|  } |  | ||||||
|  static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) { |  | ||||||
| -#if SSL_OP_NO_TLSv1_3
 |  | ||||||
| +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 |  | ||||||
|  	c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION) |  | ||||||
|  		: SSL_set_min_proto_version(ssl, TLS1_3_VERSION); |  | ||||||
|  #endif |  | ||||||
| -- 
 |  | ||||||
| 2.31.1 |  | ||||||
| 
 |  | ||||||
| @ -1,48 +0,0 @@ | |||||||
| From 0980912282f20a1db64d7ba0a9a825dfee3cb044 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Andrew McDermott <aim@frobware.com> |  | ||||||
| Date: Fri, 11 Feb 2022 18:26:49 +0000 |  | ||||||
| Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in |  | ||||||
|  http_manage_server_side_cookies |  | ||||||
| 
 |  | ||||||
| Ensure calls to http_find_header() terminate. If a "Set-Cookie2" |  | ||||||
| header is found then the while(1) loop in |  | ||||||
| http_manage_server_side_cookies() will never terminate, resulting in |  | ||||||
| the watchdog firing and the process terminating via SIGABRT. |  | ||||||
| 
 |  | ||||||
| The while(1) loop becomes unbounded because an unmatched call to |  | ||||||
| http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent |  | ||||||
| calls to check for "Set-Cookie2" will now enumerate from the beginning |  | ||||||
| of all the blocks and will once again match on subsequent |  | ||||||
| passes (assuming a match first time around), hence the loop becoming |  | ||||||
| unbounded. |  | ||||||
| 
 |  | ||||||
| This issue was introduced with HTX and this fix should be backported |  | ||||||
| to all versions supporting HTX. |  | ||||||
| 
 |  | ||||||
| Many thanks to Grant Spence (gspence@redhat.com) for working through |  | ||||||
| this issue with me. |  | ||||||
| 
 |  | ||||||
| (cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8) |  | ||||||
| Signed-off-by: Willy Tarreau <w@1wt.eu> |  | ||||||
| (cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509) |  | ||||||
| Signed-off-by: Willy Tarreau <w@1wt.eu> |  | ||||||
| ---
 |  | ||||||
|  src/http_ana.c | 2 +- |  | ||||||
|  1 file changed, 1 insertion(+), 1 deletion(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http_ana.c b/src/http_ana.c
 |  | ||||||
| index 4c765cb39..0f40ab3ab 100644
 |  | ||||||
| --- a/src/http_ana.c
 |  | ||||||
| +++ b/src/http_ana.c
 |  | ||||||
| @@ -3433,7 +3433,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
 |  | ||||||
|  	while (1) { |  | ||||||
|  		int is_first = 1; |  | ||||||
|   |  | ||||||
| -		if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
 |  | ||||||
| +		if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
 |  | ||||||
|  			if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1)) |  | ||||||
|  				break; |  | ||||||
|  			is_cookie2 = 1; |  | ||||||
| -- 
 |  | ||||||
| 2.33.1 |  | ||||||
| 
 |  | ||||||
| @ -5,10 +5,10 @@ Wants=network-online.target | |||||||
| 
 | 
 | ||||||
| [Service] | [Service] | ||||||
| EnvironmentFile=-/etc/sysconfig/haproxy | EnvironmentFile=-/etc/sysconfig/haproxy | ||||||
| Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" | Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d" | ||||||
| ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS | ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS | ||||||
| ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS | ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS | ||||||
| ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS | ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS | ||||||
| ExecReload=/bin/kill -USR2 $MAINPID | ExecReload=/bin/kill -USR2 $MAINPID | ||||||
| KillMode=mixed | KillMode=mixed | ||||||
| SuccessExitStatus=143 | SuccessExitStatus=143 | ||||||
|  | |||||||
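Review bot: The new `-f $CFGDIR` argument on ExecStartPre, ExecStart and both ExecReload checks makes everything in /etc/haproxy/conf.d part of the configuration the service trusts, and the unit carries no comment saying so. When `-f` is given a directory, haproxy loads the non-hidden files in it that end in `.cfg`, in lexical order, so any file placed there changes the running configuration. A missing or unreadable directory would presumably fail the `-c` check and block both start and reload. I would add a comment above the Environment line such as `# CFGDIR: every *.cfg file in this directory is loaded after $CONFIG, in lexical order; keep it root-owned and not group- or world-writable`. The unit file continues outside this hunk.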
| @ -7,8 +7,8 @@ | |||||||
| %global _hardened_build 1 | %global _hardened_build 1 | ||||||
| 
 | 
 | ||||||
| Name:           haproxy | Name:           haproxy | ||||||
| Version:        2.4.7 | Version:        2.4.17 | ||||||
| Release:        2%{?dist} | Release:        3%{?dist} | ||||||
| Summary:        HAProxy reverse proxy for high availability environments | Summary:        HAProxy reverse proxy for high availability environments | ||||||
| 
 | 
 | ||||||
| License:        GPLv2+ | License:        GPLv2+ | ||||||
| @ -21,9 +21,6 @@ Source3:        %{name}.logrotate | |||||||
| Source4:        %{name}.sysconfig | Source4:        %{name}.sysconfig | ||||||
| Source5:        halog.1 | Source5:        halog.1 | ||||||
| 
 | 
 | ||||||
| Patch0:         bz1984786-fix-openssl-build.patch |  | ||||||
| Patch1:         bz2059438-fix-undound-loop-set-cookie2.patch |  | ||||||
| 
 |  | ||||||
| BuildRequires:  gcc | BuildRequires:  gcc | ||||||
| BuildRequires:  lua-devel | BuildRequires:  lua-devel | ||||||
| BuildRequires:  pcre2-devel | BuildRequires:  pcre2-devel | ||||||
| @ -51,8 +48,6 @@ availability environments. Indeed, it can: | |||||||
| 
 | 
 | ||||||
| %prep | %prep | ||||||
| %setup -q | %setup -q | ||||||
| %patch0 -p1 |  | ||||||
| %patch1 -p1 |  | ||||||
| 
 | 
 | ||||||
| %build | %build | ||||||
| regparm_opts= | regparm_opts= | ||||||
| @ -79,6 +74,7 @@ popd | |||||||
| %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 | %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 | ||||||
| %{__install} -d -m 0755 %{buildroot}%{haproxy_homedir} | %{__install} -d -m 0755 %{buildroot}%{haproxy_homedir} | ||||||
| %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir} | %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir} | ||||||
|  | %{__install} -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d | ||||||
| %{__install} -d -m 0755 %{buildroot}%{_bindir} | %{__install} -d -m 0755 %{buildroot}%{_bindir} | ||||||
| %{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog | %{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog | ||||||
| %{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange | %{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange | ||||||
| @ -123,6 +119,7 @@ exit 0 | |||||||
| %license LICENSE | %license LICENSE | ||||||
| %dir %{haproxy_homedir} | %dir %{haproxy_homedir} | ||||||
| %dir %{haproxy_confdir} | %dir %{haproxy_confdir} | ||||||
|  | %dir %{haproxy_confdir}/conf.d | ||||||
| %dir %{haproxy_datadir} | %dir %{haproxy_datadir} | ||||||
| %{haproxy_datadir}/* | %{haproxy_datadir}/* | ||||||
| %config(noreplace) %{haproxy_confdir}/%{name}.cfg | %config(noreplace) %{haproxy_confdir}/%{name}.cfg | ||||||
| @ -136,8 +133,15 @@ exit 0 | |||||||
| %{_mandir}/man1/* | %{_mandir}/man1/* | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
| * Wed Apr 06 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.7-2 | * Mon Jul 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3 | ||||||
| - Fix unbound loop when Set-Cookie2 header is present (#2059438) | - Fix changelog and rebuild | ||||||
|  | 
 | ||||||
|  | * Wed Jun 08 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-2 | ||||||
|  | - Add configuration directory and update systemd unit file (#2093482) | ||||||
|  | 
 | ||||||
|  | * Wed May 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-1 | ||||||
|  | - Update to 2.4.17 #(2088532) | ||||||
|  | - Fix unbound loop when Set-Cookie2 header is present (#2070448) | ||||||
| 
 | 
 | ||||||
| * Wed Oct 13 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.7-1 | * Wed Oct 13 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.7-1 | ||||||
| - Update to 2.4.7 (#1966688) | - Update to 2.4.7 (#1966688) | ||||||
|  | |||||||
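Review bot: Removing `Patch0`/`Patch1` and the matching `%patch0`/`%patch1` lines drops the downstream fix for the unbounded Set-Cookie2 loop in http_manage_server_side_cookies, and nothing in the spec records that the 2.4.17 tarball carries it instead. The 2.4.17-1 changelog entry still reads `- Fix unbound loop when Set-Cookie2 header is present (#2070448)`, which looks like a patch being applied rather than removed. Presumably the fix is in the new source (the deleted patch cites upstream commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8), but this page does not show that, so it should be confirmed against the tarball before the patches are dropped. Once confirmed, I would word the entry as `- Drop bz1984786 and bz2059438 patches, included upstream in 2.4.17 (#2070448)`, and write the rebase line as `- Update to 2.4.17 (#2088532)`, since `#(2088532)` has the parenthesis misplaced.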