Rebase to 8.2412.0

Resolves: RHEL-70110 Fix $ActionQueueDiscardMark default value to 80% queue size Resolves: RHEL-41153 Fix segfault when $ControlCharacterEscapePrefix is set Resolves: RHEL-35823 Fix segfault due to processing malform queue message Resolves: RHEL-33451 Fix crash on startup when an invalid function is specified Resolves: RHEL-59893 Startup rsyslog service after network-online.target Resolves: RHEL-39284 Harden service file Resolves: RHEL-39237 imjournal: PID nummber is retrieved from the journal by default Resolves: RHEL-39413
2024-12-06 07:46:00 +01:00 · 2024-12-06 07:46:00 +01:00 · 45f06f7194
commit 45f06f7194
parent e7ef06d678
6 changed files with 69 additions and 45 deletions
--- a/.gitignore
+++ b/.gitignore
@ -96,3 +96,5 @@ rsyslog-4.6.3.tar.gz
 /rsyslog-doc-8.2312.0.tar.gz
 /rsyslog-8.2408.0.tar.gz
 /rsyslog-doc-8.2408.0.tar.gz
+/rsyslog-8.2412.0.tar.gz
+/rsyslog-doc-8.2412.0.tar.gz
--- a/disable-openssl-engine.patch
+++ b/disable-openssl-engine.patch
@ -1,72 +1,60 @@
-diff -up rsyslog-8.2408.0/runtime/net_ossl.c.orig rsyslog-8.2408.0/runtime/net_ossl.c
--- rsyslog-8.2408.0/runtime/net_ossl.c.orig	2024-08-21 12:20:02.634846602 +0200
-+++ rsyslog-8.2408.0/runtime/net_ossl.c	2024-08-21 12:23:59.487229756 +0200
-@@ -223,6 +223,7 @@ osslGlblInit(void)
+diff -up rsyslog-8.2412.0/runtime/net_ossl.c.orig rsyslog-8.2412.0/runtime/net_ossl.c
+--- rsyslog-8.2412.0/runtime/net_ossl.c.orig	2024-11-27 13:05:51.327988286 +0100
+++ rsyslog-8.2412.0/runtime/net_ossl.c	2024-11-27 13:06:26.806335104 +0100
+@@ -220,6 +220,7 @@ osslGlblInit(void)
+ 	ERR_load_crypto_strings();
+ #endif
+ 
+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
 PRAGMA_DIAGNOSTIC_PUSH
 PRAGMA_IGNORE_Wdeprecated_declarations
 
-+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
- 	// Initialize OpenSSL engine library
- 	ENGINE_load_builtin_engines();
- 	/* Register all of them for every algorithm they collectively implement */
-@@ -243,6 +244,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations
- 	}
+@@ -244,6 +245,8 @@ PRAGMA_IGNORE_Wdeprecated_declarations
 	// Free the engine reference when done
 	ENGINE_free(osslEngine);
-+#endif
 PRAGMA_DIAGNOSTIC_POP
+#endif
+
 }
 
-@@ -251,7 +253,10 @@ void
+ /* globally de-initialize OpenSSL */
+@@ -251,7 +254,9 @@ void
 osslGlblExit(void)
 {
 	DBGPRINTF("openssl: entering osslGlblExit\n");
-+
 +	#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
 	ENGINE_cleanup();
 +	#endif
 	ERR_free_strings();
 	EVP_cleanup();
 	CRYPTO_cleanup_all_ex_data();
-@@ -638,7 +643,7 @@ net_ossl_chkonepeername(net_ossl_t *pThi
- #endif
- 	char *x509name = NULL;
- 	DEFiRet;
-	
-+
- 	if (certpeer == NULL) {
- 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
- 	}
-@@ -1151,6 +1156,8 @@ net_ossl_init_engine(__attribute__((unus
+@@ -1149,6 +1154,7 @@ net_ossl_init_engine(__attribute__((unus
+ 	const char *engine_id = NULL;
+ 	const char *engine_name = NULL;
 
+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
 PRAGMA_DIAGNOSTIC_PUSH
 PRAGMA_IGNORE_Wdeprecated_declarations
-+#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
-+
 	// Get the default RSA engine
- 	ENGINE *default_engine = ENGINE_get_default_RSA();
- 	if (default_engine) {
-@@ -1188,6 +1195,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations
- 	} else {
+@@ -1189,7 +1195,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations
 		DBGPRINTF("net_ossl_init_engine: use openssl default Engine");
 	}
-+#endif
 PRAGMA_DIAGNOSTIC_POP
- 
+-
+#endif // ENABLE_OPENSSL_ENGINES_DOWNSTREAM
 	RETiRet;
-diff -up rsyslog-8.2408.0/runtime/net_ossl.h.orig rsyslog-8.2408.0/runtime/net_ossl.h
--- rsyslog-8.2408.0/runtime/net_ossl.h.orig	2024-08-21 12:19:42.902648065 +0200
-+++ rsyslog-8.2408.0/runtime/net_ossl.h	2024-08-21 12:23:14.053772607 +0200
-@@ -31,7 +31,11 @@
+ }
+ 
+diff -up rsyslog-8.2412.0/runtime/net_ossl.h.orig rsyslog-8.2412.0/runtime/net_ossl.h
+--- rsyslog-8.2412.0/runtime/net_ossl.h.orig	2024-11-27 13:06:01.138084180 +0100
+++ rsyslog-8.2412.0/runtime/net_ossl.h	2024-11-27 13:06:30.536372456 +0100
+@@ -31,7 +31,9 @@
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
 #	include <openssl/bioerr.h>
 #endif
-#include <openssl/engine.h>
-+
 +#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
-+#	include <openssl/engine.h>
+ #include <openssl/engine.h>
 +#endif
-+
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 
--- a/rsyslog.conf
+++ b/rsyslog.conf
@ -18,6 +18,8 @@ module(load="imuxsock"    # provides support for local system logging (e.g. via
       SysSock.Use="off") # Turn off message reception via local log socket; 
                          # local messages are retrieved through imjournal now.
 module(load="imjournal"             # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
+       FileCreateMode="0644" # Set the access permissions for the state file
       StateFile="imjournal.state") # File to store the position in the journal

 # Include all config files in /etc/rsyslog.d/
--- a/rsyslog.service
+++ b/rsyslog.service
@ -1,6 +1,8 @@
 [Unit]
 Description=System Logging Service
 ;Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
 Documentation=man:rsyslogd(8)
 Documentation=https://www.rsyslog.com/doc/

@ -12,6 +14,18 @@ ExecReload=/usr/bin/kill -HUP $MAINPID
 UMask=0066
 StandardOutput=null
 Restart=on-failure
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=net
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @raw-io @reboot @swap @cpu-emulation @obsolete
+LockPersonality=yes
+MemoryDenyWriteExecute=yes

 # Increase the default a bit in order to allow many simultaneous
 # files to be monitored, we might need a lot of fds.
--- a/rsyslog.spec
+++ b/rsyslog.spec
@ -36,8 +36,8 @@

 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.2408.0
-Release: 2%{?dist}
+Version: 8.2412.0
+Release: 1%{?dist}
 License: GPL-3.0-or-later AND Apache-2.0
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -767,6 +767,24 @@ done


 %changelog
+* Thu Dec 05 2024 Attila Lakatos <alakatos@redhat.com> - 8.2412.0-1
+- Rebase to 8.2412.0
+  Resolves: RHEL-70110
+- Fix $ActionQueueDiscardMark default value to 80% queue size
+  Resolves: RHEL-41153
+- Fix segfault when $ControlCharacterEscapePrefix is set
+  Resolves: RHEL-35823
+- Fix segfault due to processing malform queue message
+  Resolves: RHEL-33451
+- Fix crash on startup when an invalid function is specified
+  Resolves: RHEL-59893
+- Startup rsyslog service after network-online.target
+  Resolves: RHEL-39284
+- Harden service file
+  Resolves: RHEL-39237
+- imjournal: PID nummber is retrieved from the journal by default 
+  Resolves: RHEL-39413
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 8.2408.0-2
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
--- a/4
+++ b/4
@ -1,3 +1,3 @@
 SHA512 (qpid-proton-0.39.0.tar.gz) = df5c5469ee82ba02de62dce15b73b81aab2aae07c7db668182df690cea4ff7584111bd12143fe5e3569469a9ddf4950ac68d60b53d1a7815da4748052948cd1b
-SHA512 (rsyslog-8.2408.0.tar.gz) = 86901f76290aa451dfc8dc3d2c7eb2ea82bdbf39875fe2872169a3aa44933aff064dd5ea9b80964881fd07c34c17da25ec6a0efc1c5b7f4d6884435639fa0338
-SHA512 (rsyslog-doc-8.2408.0.tar.gz) = 9982688880b8362ca2ecd5f076f12aaf31b966144bd9b291761e660307e4c31e8c3ccc17b6b2b0cb2ccf2e30ba81927126991f9539562c2f02966a59fd1624aa
+SHA512 (rsyslog-8.2412.0.tar.gz) = fdd8bb096c9578fe2c4ed8cdb13179d7b3333d0f9be1b2c921b5b040f1e1414c3f9f8106e44444aaefba22f235a44d17c0c5b80cd114fe540a2aebb30e3eba72
+SHA512 (rsyslog-doc-8.2412.0.tar.gz) = 9b5d453b5774b027a6a4ba232133953d8a8058df4bfff31f835504656d7b01008cec5c0d28667bed0052799cf7389c0bafea7c76c3190bdcdf3d8a2eedf19b4e