parent
fc07f81c04
commit
7cbd697401
1
.gitignore
vendored
1
.gitignore
vendored
@ -38,3 +38,4 @@
|
||||
/keepalived-2.2.2.tar.gz
|
||||
/keepalived-2.2.3.tar.gz
|
||||
/keepalived-2.2.4.tar.gz
|
||||
/keepalived-2.2.8.tar.gz
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 763eaa49343acdda5ff359012e8cc49c9ffc8e81 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Bernat <vincent@bernat.ch>
|
||||
Date: Tue, 23 Nov 2021 06:50:59 +0100
|
||||
Subject: [PATCH] dbus: fix policy to not be overly broad
|
||||
|
||||
The DBus policy did not restrict the message destination, allowing any
|
||||
user to inspect and manipulate any property.
|
||||
|
||||
Signed-off-by: Vincent Bernat <vincent@bernat.ch>
|
||||
---
|
||||
keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
|
||||
index 2b78a575..b5ced608 100644
|
||||
--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
|
||||
+++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
|
||||
@@ -3,12 +3,15 @@
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
<busconfig>
|
||||
<policy user="root">
|
||||
- <allow own="org.keepalived.Vrrp1"/>
|
||||
- <allow send_destination="org.keepalived.Vrrp1"/>
|
||||
+ <allow own="org.keepalived.Vrrp1" />
|
||||
+ <allow send_destination="org.keepalived.Vrrp1" />
|
||||
</policy>
|
||||
<policy context="default">
|
||||
- <allow send_interface="org.freedesktop.DBus.Introspectable" />
|
||||
- <allow send_interface="org.freedesktop.DBus.Peer" />
|
||||
- <allow send_interface="org.freedesktop.DBus.Properties" />
|
||||
+ <allow send_destination="org.keepalived.Vrrp1"
|
||||
+ send_interface="org.freedesktop.DBus.Introspectable" />
|
||||
+ <allow send_destination="org.keepalived.Vrrp1"
|
||||
+ send_interface="org.freedesktop.DBus.Peer" />
|
||||
+ <allow send_destination="org.keepalived.Vrrp1"
|
||||
+ send_interface="org.freedesktop.DBus.Properties" />
|
||||
</policy>
|
||||
</busconfig>
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 332262ec91f85cd4224816d2803d818015239007 Mon Sep 17 00:00:00 2001
|
||||
From: Quentin Armitage <quentin@armitage.org.uk>
|
||||
Date: Wed, 29 Jun 2022 09:18:15 +0100
|
||||
Subject: [PATCH] parser: optimise fixing recalculating updated line length
|
||||
|
||||
Commit 1ffad9a - "recalculate buffer length inside recheck loop"
|
||||
resolved the issue but calls strlen(buf) more often than necessary.
|
||||
|
||||
This commit only calls strlen(buf) when the line buffer is modified.
|
||||
|
||||
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
|
||||
---
|
||||
lib/parser.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/lib/parser.c b/lib/parser.c
|
||||
index bcabd07f..2146f38b 100644
|
||||
--- a/lib/parser.c
|
||||
+++ b/lib/parser.c
|
||||
@@ -2809,6 +2809,9 @@ read_line(char *buf, size_t size)
|
||||
recheck = true;
|
||||
if (strchr(buf, '$'))
|
||||
recheck = true;
|
||||
+
|
||||
+ if (recheck)
|
||||
+ len = strlen(buf);
|
||||
}
|
||||
} while (recheck);
|
||||
} while (buf[0] == '\0' || check_include(buf));
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,48 +0,0 @@
|
||||
From b8b463159d9bcb05505ec128b5c2926ace0b3e92 Mon Sep 17 00:00:00 2001
|
||||
From: Quentin Armitage <quentin@armitage.org.uk>
|
||||
Date: Thu, 13 Oct 2022 08:32:17 +0100
|
||||
Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to
|
||||
3.0.4
|
||||
|
||||
The memory leak was observed with OpenSSL 3.0.1, and it is resolved
|
||||
by version 3.0.5. Also the leak is not observed in v1.1.1n.
|
||||
|
||||
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
|
||||
---
|
||||
keepalived/check/check_ssl.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
|
||||
index 917ac0d7..50efa824 100644
|
||||
--- a/keepalived/check/check_ssl.c
|
||||
+++ b/keepalived/check/check_ssl.c
|
||||
@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)
|
||||
BIO_get_fd(req->bio, &bio_fd);
|
||||
if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)
|
||||
log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);
|
||||
-#ifdef HAVE_SSL_SET0_RBIO
|
||||
+
|
||||
+ /* There is a memory leak in openSSL at least in version 3.0.1, which is fixed
|
||||
+ * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been
|
||||
+ * able to identify the OpenSSL patch that resolved the leak, we play safe and
|
||||
+ * assume it is in versions 3.0.0 up to 3.0.4.
|
||||
+ * The leak is memory allocated by
|
||||
+ * p = OPENSSL_malloc(len);
|
||||
+ * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c
|
||||
+ *
|
||||
+ * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not
|
||||
+ * to occur.
|
||||
+ */
|
||||
+#ifdef OPENSSL_VERSION_MAJOR
|
||||
+#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4
|
||||
+ SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
+#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO
|
||||
BIO_up_ref(req->bio);
|
||||
SSL_set0_rbio(req->ssl, req->bio);
|
||||
SSL_set0_wbio(req->ssl, req->bio);
|
||||
--
|
||||
2.38.1
|
||||
|
@ -10,18 +10,14 @@
|
||||
|
||||
Name: keepalived
|
||||
Summary: High Availability monitor built upon LVS, VRRP and service pollers
|
||||
Version: 2.2.4
|
||||
Release: 6%{?dist}
|
||||
Version: 2.2.8
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://www.keepalived.org/
|
||||
|
||||
Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
|
||||
Source1: keepalived.service
|
||||
|
||||
Patch1: bz2028351-fix-dbus-policy-restrictions.patch
|
||||
Patch2: bz2102493-fix-variable-substitution.patch
|
||||
Patch3: bz2134749-fix-memory-leak-https-checks.patch
|
||||
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
@ -61,9 +57,6 @@ infrastructures.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -73,7 +66,7 @@ infrastructures.
|
||||
%{?with_snmp:--enable-snmp --enable-snmp-rfc} \
|
||||
%{?with_nftables:--enable-nftables --disable-iptables} \
|
||||
%{?with_sha1:--enable-sha1} \
|
||||
%{?with_sha1:--enable-json} \
|
||||
%{?with_json:--enable-json} \
|
||||
--with-init=systemd
|
||||
%{__make} %{?_smp_mflags} STRIP=/bin/true
|
||||
|
||||
@ -114,6 +107,9 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
|
||||
%{_mandir}/man8/keepalived.8*
|
||||
|
||||
%changelog
|
||||
* Thu Jun 15 2023 Ryan O'Hara <rohara@redhat.com> - 2.2.8-1
|
||||
- Update to 2.2.8 (#2215308)
|
||||
|
||||
* Fri Dec 23 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-6
|
||||
- Fix unterminated endif in previous patch (#2134749)
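Review bot: The new `%changelog` entry says only `- Update to 2.2.8 (#2215308)`, but this section also drops Patch1–Patch3 with their `%patch` lines and changes the `--enable-json` conditional from `with_sha1` to `with_json`; neither change is recorded. Patch1 (`bz2028351-fix-dbus-policy-restrictions.patch`) is the one that restricts the D-Bus policy to `send_destination="org.keepalived.Vrrp1"`, so confirm that the `keepalived/dbus/org.keepalived.Vrrp1.conf` in the 2.2.8 tarball carries that restriction, and check the other two fixes the same way. Once confirmed, I would add `- Drop patches for #2028351, #2102493 and #2134749, now included upstream` and `- Fix --enable-json to depend on with_json` under the 2.2.8-1 entry. The definition of the `with_json` conditional is outside the hunks shown; if the spec does not define it, JSON support will silently stop being built.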
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (keepalived-2.2.4.tar.gz) = b8b0f3e7092b7b7093a9927259928076ee95ed176dd26b3a5c38e8c0dc7b83468433944905618dbc9e4b73b81b0cd3f16c2db4234ed4fcdf30f4fc0e532f9422
|
||||
SHA512 (keepalived-2.2.8.tar.gz) = dc0ab5b0ef8911a7859422eccc2771a40e942236c855a628158ed748eb5f7dc4b6f4850e9c3057e81fd9d2daa640ab51fb1d7af12748a613280a217b333eb06b
|
||||
|