import haproxy-2.4.17-3.el9

CentOS Sources 2022-11-15 01:52:22 -05:00 committed by Stepan Oksanichenko
parent 3b83956724
commit e1ffe12c62
6 changed files with 19 additions and 108 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/haproxy-2.4.7.tar.gz SOURCES/haproxy-2.4.17.tar.gz


@ -1 +1 @@
d3f3a4ff293cb2d9ec2085cac324698d260e2739 SOURCES/haproxy-2.4.7.tar.gz 28a0b8de9a6a4095406d190b83a024a11d7aedf6 SOURCES/haproxy-2.4.17.tar.gz


@ -1,45 +0,0 @@
From f22b032956bc492dcf47b2a909f91a6fb2c6e49b Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.org>
Date: Wed, 2 Jun 2021 16:09:11 +0200
Subject: [PATCH] BUILD: fix compilation for OpenSSL-3.0.0-alpha17
Some changes in the OpenSSL syntax API broke this syntax:
#if SSL_OP_NO_TLSv1_3
OpenSSL made this change which broke our usage in commit f04bb0bce490de847ed0482b8ec9eabedd173852:
-# define SSL_OP_NO_TLSv1_3 (uint64_t)0x20000000
+#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
+# define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29)
Which can't be evaluated by the preprocessor anymore.
This patch replace the test by an openssl version test.
This fix part of #1276 issue.
---
src/ssl_sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f596a831d..27a4c3531 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2217,13 +2217,13 @@ static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
: SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
}
static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {
-#if SSL_OP_NO_TLSv1_3
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
#endif
}
static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
-#if SSL_OP_NO_TLSv1_3
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
#endif
--
2.31.1


@ -1,48 +0,0 @@
From 0980912282f20a1db64d7ba0a9a825dfee3cb044 Mon Sep 17 00:00:00 2001
From: Andrew McDermott <aim@frobware.com>
Date: Fri, 11 Feb 2022 18:26:49 +0000
Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
http_manage_server_side_cookies
Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
header is found then the while(1) loop in
http_manage_server_side_cookies() will never terminate, resulting in
the watchdog firing and the process terminating via SIGABRT.
The while(1) loop becomes unbounded because an unmatched call to
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
calls to check for "Set-Cookie2" will now enumerate from the beginning
of all the blocks and will once again match on subsequent
passes (assuming a match first time around), hence the loop becoming
unbounded.
This issue was introduced with HTX and this fix should be backported
to all versions supporting HTX.
Many thanks to Grant Spence (gspence@redhat.com) for working through
this issue with me.
(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
src/http_ana.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/http_ana.c b/src/http_ana.c
index 4c765cb39..0f40ab3ab 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -3433,7 +3433,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
while (1) {
int is_first = 1;
- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
break;
is_cookie2 = 1;
--
2.33.1


@ -5,10 +5,10 @@ Wants=network-online.target
[Service] [Service]
EnvironmentFile=-/etc/sysconfig/haproxy EnvironmentFile=-/etc/sysconfig/haproxy
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed KillMode=mixed
SuccessExitStatus=143 SuccessExitStatus=143
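Review bot: The `-f $CFGDIR` added to `ExecStartPre`, `ExecStart` and both the check in `ExecReload` makes the service depend on `/etc/haproxy/conf.d`, and the unit carries no comment saying what is read from it. Given a directory, haproxy's `-f` loads every non-hidden `*.cfg` file in it in lexical order, so any file that another package or an account with write access drops there becomes part of the running configuration, and a missing directory should make the `-c` check fail rather than be skipped. A line such as `# CFGDIR: all *.cfg files here are loaded after $CONFIG; keep the directory root-owned and writable only by root` above `Environment=` would record that. The `[Service]` section may continue past the last line shown in this hunk.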


@ -7,8 +7,8 @@
%global _hardened_build 1 %global _hardened_build 1
Name: haproxy Name: haproxy
Version: 2.4.7 Version: 2.4.17
Release: 2%{?dist} Release: 3%{?dist}
Summary: HAProxy reverse proxy for high availability environments Summary: HAProxy reverse proxy for high availability environments
License: GPLv2+ License: GPLv2+
@ -21,9 +21,6 @@ Source3: %{name}.logrotate
Source4: %{name}.sysconfig Source4: %{name}.sysconfig
Source5: halog.1 Source5: halog.1
Patch0: bz1984786-fix-openssl-build.patch
Patch1: bz2059438-fix-undound-loop-set-cookie2.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: lua-devel BuildRequires: lua-devel
BuildRequires: pcre2-devel BuildRequires: pcre2-devel
@ -51,8 +48,6 @@ availability environments. Indeed, it can:
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1
%build %build
regparm_opts= regparm_opts=
@ -79,6 +74,7 @@ popd
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
%{__install} -d -m 0755 %{buildroot}%{haproxy_homedir} %{__install} -d -m 0755 %{buildroot}%{haproxy_homedir}
%{__install} -d -m 0755 %{buildroot}%{haproxy_datadir} %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
%{__install} -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d
%{__install} -d -m 0755 %{buildroot}%{_bindir} %{__install} -d -m 0755 %{buildroot}%{_bindir}
%{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog %{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog
%{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange %{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange
@ -123,6 +119,7 @@ exit 0
%license LICENSE %license LICENSE
%dir %{haproxy_homedir} %dir %{haproxy_homedir}
%dir %{haproxy_confdir} %dir %{haproxy_confdir}
%dir %{haproxy_confdir}/conf.d
%dir %{haproxy_datadir} %dir %{haproxy_datadir}
%{haproxy_datadir}/* %{haproxy_datadir}/*
%config(noreplace) %{haproxy_confdir}/%{name}.cfg %config(noreplace) %{haproxy_confdir}/%{name}.cfg
@ -136,8 +133,15 @@ exit 0
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Wed Apr 06 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.7-2 * Mon Jul 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3
- Fix unbound loop when Set-Cookie2 header is present (#2059438) - Fix changelog and rebuild
* Wed Jun 08 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-2
- Add configuration directory and update systemd unit file (#2093482)
* Wed May 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-1
- Update to 2.4.17 #(2088532)
- Fix unbound loop when Set-Cookie2 header is present (#2070448)
* Wed Oct 13 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.7-1 * Wed Oct 13 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.7-1
- Update to 2.4.7 (#1966688) - Update to 2.4.7 (#1966688)
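Review bot: `Patch0`/`Patch1` and their `%patch0 -p1`/`%patch1 -p1` lines are dropped without any record in the spec that the 2.4.17 tarball already contains both fixes; the only trace is the 2.4.17-1 changelog line about the Set-Cookie2 loop. One of the two is a BUG/MAJOR fix for a loop that ends in a watchdog abort, so the changelog should state the reason explicitly, for example `- Drop bz1984786 and bz2059438 patches (included upstream)`, assuming that is why they were removed; this is worth confirming against the new tarball before release. The last hunk also deletes the 2.4.7-2 entry instead of keeping it below the new ones, and `#(2088532)` should read `(#2088532)`.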