Update to 2.2.8

Resolves: #2215308
2023-06-15 10:04:56 -05:00 · 2023-06-15 10:04:56 -05:00 · 7cbd697401
commit 7cbd697401
parent fc07f81c04
6 changed files with 8 additions and 132 deletions
--- a/.gitignore
+++ b/.gitignore
@ -38,3 +38,4 @@
 /keepalived-2.2.2.tar.gz
 /keepalived-2.2.3.tar.gz
 /keepalived-2.2.4.tar.gz
 /keepalived-2.2.8.tar.gz
--- a/bz2028351-fix-dbus-policy-restrictions.patch
+++ b/bz2028351-fix-dbus-policy-restrictions.patch
@ -1,41 +0,0 @@
 From 763eaa49343acdda5ff359012e8cc49c9ffc8e81 Mon Sep 17 00:00:00 2001
 From: Vincent Bernat <vincent@bernat.ch>
 Date: Tue, 23 Nov 2021 06:50:59 +0100
 Subject: [PATCH] dbus: fix policy to not be overly broad
 The DBus policy did not restrict the message destination, allowing any
 user to inspect and manipulate any property.
 Signed-off-by: Vincent Bernat <vincent@bernat.ch>
 ---
 keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
 diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
 index 2b78a575..b5ced608 100644
 --- a/keepalived/dbus/org.keepalived.Vrrp1.conf
 +++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
@@ -3,12 +3,15 @@
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
 	<policy user="root">
 -		<allow own="org.keepalived.Vrrp1"/>
 -		<allow send_destination="org.keepalived.Vrrp1"/>
 +		<allow own="org.keepalived.Vrrp1" />
 +		<allow send_destination="org.keepalived.Vrrp1" />
 	</policy>
 	<policy context="default">
 -		<allow send_interface="org.freedesktop.DBus.Introspectable" />
 -		<allow send_interface="org.freedesktop.DBus.Peer" />
 -		<allow send_interface="org.freedesktop.DBus.Properties" />
 +		<allow send_destination="org.keepalived.Vrrp1"
 +		       send_interface="org.freedesktop.DBus.Introspectable" />
 +		<allow send_destination="org.keepalived.Vrrp1"
 +		       send_interface="org.freedesktop.DBus.Peer" />
 +		<allow send_destination="org.keepalived.Vrrp1"
 +		       send_interface="org.freedesktop.DBus.Properties" />
 	</policy>
 </busconfig>
 -- 
 2.33.1
--- a/bz2102493-fix-variable-substitution.patch
+++ b/bz2102493-fix-variable-substitution.patch
@ -1,32 +0,0 @@
 From 332262ec91f85cd4224816d2803d818015239007 Mon Sep 17 00:00:00 2001
 From: Quentin Armitage <quentin@armitage.org.uk>
 Date: Wed, 29 Jun 2022 09:18:15 +0100
 Subject: [PATCH] parser: optimise fixing recalculating updated line length
 Commit 1ffad9a - "recalculate buffer length inside recheck loop"
 resolved the issue but calls strlen(buf) more often than necessary.
 This commit only calls strlen(buf) when the line buffer is modified.
 Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
 ---
 lib/parser.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/lib/parser.c b/lib/parser.c
 index bcabd07f..2146f38b 100644
 --- a/lib/parser.c
 +++ b/lib/parser.c
@@ -2809,6 +2809,9 @@ read_line(char *buf, size_t size)
 					recheck = true;
 				if (strchr(buf, '$'))
 					recheck = true;
 +
 +				if (recheck)
 +					len = strlen(buf);
 			}
 		} while (recheck);
 	} while (buf[0] == '\0' || check_include(buf));
 -- 
 2.38.1
--- a/bz2134749-fix-memory-leak-https-checks.patch
+++ b/bz2134749-fix-memory-leak-https-checks.patch
@ -1,48 +0,0 @@
 From b8b463159d9bcb05505ec128b5c2926ace0b3e92 Mon Sep 17 00:00:00 2001
 From: Quentin Armitage <quentin@armitage.org.uk>
 Date: Thu, 13 Oct 2022 08:32:17 +0100
 Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to
 3.0.4
 The memory leak was observed with OpenSSL 3.0.1, and it is resolved
 by version 3.0.5. Also the leak is not observed in v1.1.1n.
 Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
 ---
 keepalived/check/check_ssl.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
 diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
 index 917ac0d7..50efa824 100644
 --- a/keepalived/check/check_ssl.c
 +++ b/keepalived/check/check_ssl.c
@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)
 		BIO_get_fd(req->bio, &bio_fd);
 		if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)
 			log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);
 -#ifdef HAVE_SSL_SET0_RBIO
 +
 +		/* There is a memory leak in openSSL at least in version 3.0.1, which is fixed
 +		 * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been
 +		 * able to identify the OpenSSL patch that resolved the leak, we play safe and
 +		 * assume it is in versions 3.0.0 up to 3.0.4.
 +		 * The leak is memory allocated by
 +		 *   p = OPENSSL_malloc(len);
 +		 * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c
 +		 *
 +		 * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not
 +		 * to occur.
 +		 */
 +#ifdef OPENSSL_VERSION_MAJOR
 +#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4
 +		SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);
 +#endif
 +#endif
 +
 +#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO
 		BIO_up_ref(req->bio);
 		SSL_set0_rbio(req->ssl, req->bio);
 		SSL_set0_wbio(req->ssl, req->bio);
 -- 
 2.38.1
--- a/keepalived.spec
+++ b/keepalived.spec
@ -10,18 +10,14 @@
 Name: keepalived
 Summary: High Availability monitor built upon LVS, VRRP and service pollers
-Version: 2.2.4
+Version: 2.2.8
-Release: 6%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/
 Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
 Source1: keepalived.service
 Patch1: bz2028351-fix-dbus-policy-restrictions.patch
 Patch2: bz2102493-fix-variable-substitution.patch
 Patch3: bz2134749-fix-memory-leak-https-checks.patch
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@ -61,9 +57,6 @@ infrastructures.
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %build
 %configure \
@ -73,7 +66,7 @@ infrastructures.
    %{?with_snmp:--enable-snmp --enable-snmp-rfc} \
    %{?with_nftables:--enable-nftables --disable-iptables} \
    %{?with_sha1:--enable-sha1} \
-    %{?with_sha1:--enable-json} \
+    %{?with_json:--enable-json} \
    --with-init=systemd
 %{__make} %{?_smp_mflags} STRIP=/bin/true
@ -114,6 +107,9 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
 %{_mandir}/man8/keepalived.8*
 %changelog
 * Thu Jun 15 2023 Ryan O'Hara <rohara@redhat.com> - 2.2.8-1
 - Update to 2.2.8 (#2215308)
 * Fri Dec 23 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-6
 - Fix unterminated endif in previous patch (#2134749)
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (keepalived-2.2.4.tar.gz) = b8b0f3e7092b7b7093a9927259928076ee95ed176dd26b3a5c38e8c0dc7b83468433944905618dbc9e4b73b81b0cd3f16c2db4234ed4fcdf30f4fc0e532f9422
+SHA512 (keepalived-2.2.8.tar.gz) = dc0ab5b0ef8911a7859422eccc2771a40e942236c855a628158ed748eb5f7dc4b6f4850e9c3057e81fd9d2daa640ab51fb1d7af12748a613280a217b333eb06b
`@ -1 +1 @@`
	`SHA512 (keepalived-2.2.4.tar.gz) = b8b0f3e7092b7b7093a9927259928076ee95ed176dd26b3a5c38e8c0dc7b83468433944905618dbc9e4b73b81b0cd3f16c2db4234ed4fcdf30f4fc0e532f9422`	`SHA512 (keepalived-2.2.8.tar.gz) = dc0ab5b0ef8911a7859422eccc2771a40e942236c855a628158ed748eb5f7dc4b6f4850e9c3057e81fd9d2daa640ab51fb1d7af12748a613280a217b333eb06b`