Back-port pmproxy RESP proxying configuration defaults
Change pmproxy default configuration for CVE-2024-3019
Resolves: RHEL-30715
parent
6bc6ca08e8
commit
158fee1733
6
pcp.spec
@ -1,6 +1,6 @@
Name: pcp
Version: 5.3.7
Release: 19%{?dist}
Release: 20%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
@ -27,6 +27,7 @@ Patch16: redhat-bugzilla-2211263-pmcd-conf-rewrite.patch
Patch17: redhat-build-jsonsl.patch
Patch18: redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch
Patch19: redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch
Patch20: redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
# The additional linker flags break out-of-tree PMDAs.
# https://bugzilla.redhat.com/show_bug.cgi?id=2043092
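Review bot: Patch20 is declared here, but no hunk in this change to pcp.spec adds a matching application step in %prep; the three hunks cover only the Release bump, this Patch20 line and the changelog entry. If the spec applies patches with explicit %patch lines rather than %autosetup or %autopatch, the new default would be packaged but never applied. Please confirm which mechanism the spec uses, or add the matching %patch line.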
@ -3365,6 +3366,9 @@ fi
%files zeroconf -f pcp-zeroconf-files.rpm
%changelog
* Wed Apr 17 2024 Nathan Scott <nathans@redhat.com> - 5.3.7-20
- Disable RESP proxying by default in pmproxy (RHEL-30715)
* Tue Nov 21 2023 Nathan Scott <nathans@redhat.com> - 5.3.7-19
- Fix OpenMetrics PMDA mishandling systemd metrics (RHEL-7507)
- Additional pmlogger_farm service SELinux policy (RHEL-7501)
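Review bot: the new changelog entry for 5.3.7-20 names only RHEL-30715, while the commit message ties this change to CVE-2024-3019. Adding the CVE id to the entry, for example "- Disable RESP proxying by default in pmproxy (RHEL-30715, CVE-2024-3019)", lets anyone auditing an installed package with rpm -q --changelog confirm that the fix is present.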
27
redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
Normal file
@ -0,0 +1,27 @@
commit 3bde240a2acc85e63e2f7813330713dd9b59386e
Author: Nathan Scott <nathans@redhat.com>
Date: Wed Mar 27 14:51:28 2024 +1100
pmproxy: disable Redis protocol proxying by default
If a redis-server has been locked down in terms of connections,
we want to prevent pmproxy from being allowed to send arbitrary
RESP commands to it.
This protocol proxying doesn't affect PCP functionality at all,
its more of a developer/sysadmin convenience when Redis used in
cluster mode (relatively uncommon compared to localhost mode).
diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
index e54891792e..4cbc1c96af 100644
--- a/src/pmproxy/pmproxy.conf
+++ b/src/pmproxy/pmproxy.conf
@@ -29,7 +29,7 @@ pcp.enabled = true
http.enabled = true
# support Redis protocol proxying
-redis.enabled = true
+redis.enabled = false
# support SSL/TLS protocol wrapping
secure.enabled = true
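Review bot: the comment above redis.enabled in the pmproxy.conf hunk still reads only "# support Redis protocol proxying", so an administrator who switches it back on gets no hint of what the commit message explains: with it enabled, pmproxy can send arbitrary RESP commands to a redis-server that is otherwise locked down. Suggest extending the comment to say so. The embedded commit message also lacks the CVE-2024-3019 reference that the outer commit carries. Separately, only the shipped default changes here, so hosts with a locally modified pmproxy.conf may keep redis.enabled = true after upgrade if the file is packaged as a noreplace config file; that is worth a release note.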