rpms/pcp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Back-port pmproxy RESP proxying configuration defaults

Browse Source 
Change pmproxy default configuration for CVE-2024-3019

Resolves: RHEL-30715
This commit is contained in:
Nathan Scott 2024-04-17 10:34:15 +10:00
parent 6bc6ca08e8
commit 158fee1733
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pcp.spec
View File

@ -1,6 +1,6 @@
Name: pcp Name: pcp
Version: 5.3.7 Version: 5.3.7
Release: 19%{?dist} Release: 20%{?dist}
Summary: System-level performance monitoring and performance management Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io URL: https://pcp.io
@ -27,6 +27,7 @@ Patch16: redhat-bugzilla-2211263-pmcd-conf-rewrite.patch
Patch17: redhat-build-jsonsl.patch Patch17: redhat-build-jsonsl.patch
Patch18: redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch Patch18: redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch
Patch19: redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch Patch19: redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch
Patch20: redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
# The additional linker flags break out-of-tree PMDAs. # The additional linker flags break out-of-tree PMDAs.
# https://bugzilla.redhat.com/show_bug.cgi?id=2043092 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@ -3365,6 +3366,9 @@ fi
%files zeroconf -f pcp-zeroconf-files.rpm %files zeroconf -f pcp-zeroconf-files.rpm
%changelog %changelog
* Wed Apr 17 2024 Nathan Scott <nathans@redhat.com> - 5.3.7-20
- Disable RESP proxying by default in pmproxy (RHEL-30715)
* Tue Nov 21 2023 Nathan Scott <nathans@redhat.com> - 5.3.7-19 * Tue Nov 21 2023 Nathan Scott <nathans@redhat.com> - 5.3.7-19
- Fix OpenMetrics PMDA mishandling systemd metrics (RHEL-7507) - Fix OpenMetrics PMDA mishandling systemd metrics (RHEL-7507)
- Additional pmlogger_farm service SELinux policy (RHEL-7501) - Additional pmlogger_farm service SELinux policy (RHEL-7501)

27
redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch Normal file
View File

@ -0,0 +1,27 @@
commit 3bde240a2acc85e63e2f7813330713dd9b59386e
Author: Nathan Scott <nathans@redhat.com>
Date: Wed Mar 27 14:51:28 2024 +1100
pmproxy: disable Redis protocol proxying by default
If a redis-server has been locked down in terms of connections,
we want to prevent pmproxy from being allowed to send arbitrary
RESP commands to it.
This protocol proxying doesn't affect PCP functionality at all,
its more of a developer/sysadmin convenience when Redis used in
cluster mode (relatively uncommon compared to localhost mode).
diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
index e54891792e..4cbc1c96af 100644
--- a/src/pmproxy/pmproxy.conf
+++ b/src/pmproxy/pmproxy.conf
@@ -29,7 +29,7 @@ pcp.enabled = true
http.enabled = true
# support Redis protocol proxying
-redis.enabled = true
+redis.enabled = false
# support SSL/TLS protocol wrapping
secure.enabled = true