import keepalived-2.2.4-6.el9

2023-03-28 10:44:13 +00:00 · 2023-03-28 10:44:13 +00:00 · dd401affd6
commit dd401affd6
parent faa66c3673
3 changed files with 99 additions and 1 deletions
--- a/SOURCES/bz2102493-fix-variable-substitution.patch
+++ b/SOURCES/bz2102493-fix-variable-substitution.patch
@ -0,0 +1,32 @@
+From 332262ec91f85cd4224816d2803d818015239007 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Wed, 29 Jun 2022 09:18:15 +0100
+Subject: [PATCH] parser: optimise fixing recalculating updated line length
+
+Commit 1ffad9a - "recalculate buffer length inside recheck loop"
+resolved the issue but calls strlen(buf) more often than necessary.
+
+This commit only calls strlen(buf) when the line buffer is modified.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ lib/parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/parser.c b/lib/parser.c
+index bcabd07f..2146f38b 100644
+--- a/lib/parser.c
+++ b/lib/parser.c
+@@ -2809,6 +2809,9 @@ read_line(char *buf, size_t size)
+ 					recheck = true;
+ 				if (strchr(buf, '$'))
+ 					recheck = true;
+
+				if (recheck)
+					len = strlen(buf);
+ 			}
+ 		} while (recheck);
+ 	} while (buf[0] == '\0' || check_include(buf));
+-- 
+2.38.1
+
--- a/SOURCES/bz2134749-fix-memory-leak-https-checks.patch
+++ b/SOURCES/bz2134749-fix-memory-leak-https-checks.patch
@ -0,0 +1,48 @@
+From b8b463159d9bcb05505ec128b5c2926ace0b3e92 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Thu, 13 Oct 2022 08:32:17 +0100
+Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to
+ 3.0.4
+
+The memory leak was observed with OpenSSL 3.0.1, and it is resolved
+by version 3.0.5. Also the leak is not observed in v1.1.1n.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/check/check_ssl.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index 917ac0d7..50efa824 100644
+--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
+@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)
+ 		BIO_get_fd(req->bio, &bio_fd);
+ 		if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)
+ 			log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);
+-#ifdef HAVE_SSL_SET0_RBIO
+
+		/* There is a memory leak in openSSL at least in version 3.0.1, which is fixed
+		 * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been
+		 * able to identify the OpenSSL patch that resolved the leak, we play safe and
+		 * assume it is in versions 3.0.0 up to 3.0.4.
+		 * The leak is memory allocated by
+		 *   p = OPENSSL_malloc(len);
+		 * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c
+		 *
+		 * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not
+		 * to occur.
+		 */
+#ifdef OPENSSL_VERSION_MAJOR
+#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4
+		SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);
+#endif
+#endif
+
+#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO
+ 		BIO_up_ref(req->bio);
+ 		SSL_set0_rbio(req->ssl, req->bio);
+ 		SSL_set0_wbio(req->ssl, req->bio);
+-- 
+2.38.1
+
--- a/SPECS/keepalived.spec
+++ b/SPECS/keepalived.spec
@ -1,6 +1,7 @@
 %bcond_without snmp
 %bcond_without vrrp
 %bcond_without sha1
+%bcond_without json
 %bcond_without nftables
 %bcond_with profile
 %bcond_with debug
@ -10,7 +11,7 @@
 Name: keepalived
 Summary: High Availability monitor built upon LVS, VRRP and service pollers
 Version: 2.2.4
-Release: 2%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/

@ -18,6 +19,8 @@ Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
 Source1: keepalived.service

 Patch1: bz2028351-fix-dbus-policy-restrictions.patch
+Patch2: bz2102493-fix-variable-substitution.patch
+Patch3: bz2134749-fix-memory-leak-https-checks.patch

 Requires(post): systemd
 Requires(preun): systemd
@ -59,6 +62,8 @@ infrastructures.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1

 %build
 %configure \
@ -68,6 +73,7 @@ infrastructures.
    %{?with_snmp:--enable-snmp --enable-snmp-rfc} \
    %{?with_nftables:--enable-nftables --disable-iptables} \
    %{?with_sha1:--enable-sha1} \
+    %{?with_sha1:--enable-json} \
    --with-init=systemd
 %{__make} %{?_smp_mflags} STRIP=/bin/true

@ -108,6 +114,18 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
 %{_mandir}/man8/keepalived.8*

 %changelog
+* Fri Dec 23 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-6
+- Fix unterminated endif in previous patch (#2134749)
+
+* Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-5
+- Fix memory leak in https checks (#2134749)
+
+* Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-4
+- Fix variable substitution in consditional lines (#2101493)
+
+* Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-3
+- Enable JSON support (#2129819)
+
 * Mon Feb 21 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-2
 - Fix DBus policy restrictions (#2028351, CVE-2021-44225)