New upstream release. Some fixes for CVE-2009-2936.

2010-04-14 12:32:17 +00:00 · 2010-04-14 12:32:17 +00:00 · 272d61ffb5
commit 272d61ffb5
parent 044964ba12
5 changed files with 75 additions and 16 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-varnish-2.0.6.tar.gz
+varnish-2.1.tar.gz
--- a/2
+++ b/2
@ -1 +1 @@
-d91dc21c636db61c69b5e8f061c5bb95  varnish-2.0.6.tar.gz
+91d92ea69f7dce470e55ef4721ef9b7d  varnish-2.1.tar.gz
--- a/varnish.S-option.patch
+++ b/varnish.S-option.patch
@ -0,0 +1,32 @@
+--- ../varnish-2.1.orig/man/vcl.7so
+++ man/vcl.7so
+@@ -126,7 +126,6 @@ it's saintmode list
+ can be set to the maximum list size. Setting a value of 0 disables
+ saintmode checking entirely for that backend. The value in the backend
+ declaration overrides the parameter.
+-
+ .Ss Directors
+ Directors choose from different backends based on health status and a
+ per-director algorithm.
+--- ../varnish-2.1.orig/bin/varnishd/varnishd.1
+++ bin/varnishd/varnishd.1
+@@ -173,6 +173,9 @@ to the specified
+ See
+ .Sx Run-Time Parameters
+ for a list of parameters.
+.It Fl S Ar file
+Path to a file containing a secret used for authorizing access to the
+management port.
+ .It Fl s Ar type Ns Xo
+ .Op , Ns Ar options
+ .Xc
+--- ../varnish-2.1.orig/redhat/varnish.sysconfig
+++ ./redhat/varnish.sysconfig
+@@ -38,6 +38,7 @@
+              -T localhost:6082 \
+              -f /etc/varnish/default.vcl \
+              -u varnish -g varnish \
+             -S /etc/varnish/secret \
+              -s file,/var/lib/varnish/varnish_storage.bin,1G"
+ 
+ 
--- a/varnish.floor.patch
+++ b/varnish.floor.patch
@ -0,0 +1,15 @@
+Patch by Robert Scheck <robert@fedoraproject.org> for varnish >= 2.1, which adds the
+missing (former implicit) linking to libm. And as implicit linking can be dangerous,
+this changed, see: http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking
+
+--- bin/varnishtest/Makefile.am		2010-03-24 10:44:13.000000000 +0100
+++ bin/varnishtest/Makefile.am.libm	2010-04-07 22:57:03.000000000 +0200
+@@ -25,7 +25,7 @@
+ 		$(top_builddir)/lib/libvarnish/libvarnish.la \
+ 		$(top_builddir)/lib/libvarnishcompat/libvarnishcompat.la \
+ 		$(top_builddir)/lib/libvarnishapi/libvarnishapi.la \
+-		${PTHREAD_LIBS}
+		${LIBM} ${PTHREAD_LIBS}
+ 
+ EXTRA_DIST = $(top_srcdir)/bin/varnishtest/tests/*.vtc \
+ 	$(top_srcdir)/bin/varnishtest/tests/README
--- a/varnish.spec
+++ b/varnish.spec
@ -1,23 +1,25 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 2.0.6
-Release: 2%{?dist}
+Version: 2.1.0
+Release: 1%{?dist}
 License: BSD
 Group: System Environment/Daemons
 URL: http://www.varnish-cache.org/
-Source0: http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.gz
-Patch0: varnish.varnishtest_debugflag.patch
-Patch1: varnish.changes-2.0.6.patch
+#Source0: http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.gz
+Source0: http://downloads.sourceforge.net/varnish/varnish-2.1.tar.gz
+patch0: varnish.S-option.patch
+patch1: varnish.floor.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # The svn sources needs autoconf, automake and libtool to generate a suitable
 # configure script. Release tarballs would not need this
-#BuildRequires: automake autoconf libtool
-BuildRequires: ncurses-devel libxslt groff
+BuildRequires: automake autoconf libtool
+BuildRequires: ncurses-devel libxslt groff pcre-devel pkgconfig
 Requires: varnish-libs = %{version}-%{release}
 Requires: logrotate
 Requires: ncurses
+Requires: pcre
 Requires(pre): shadow-utils
-Requires(post): /sbin/chkconfig
+Requires(post): /sbin/chkconfig, /usr/bin/mkpasswd
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
 Requires(preun): initscripts
@ -62,7 +64,8 @@ Varnish is a high-performance HTTP accelerator
 #Varnish is a high-performance HTTP accelerator

 %prep
-%setup -q
+#%setup -q
+%setup -q -n varnish-2.1
 #%setup -q -n varnish-cache

 # The svn sources needs to generate a suitable configure script
@ -72,6 +75,9 @@ Varnish is a high-performance HTTP accelerator
 %patch0
 %patch1

+# Makefile.am was patched. Needs to rerun autoconf
+./autogen.sh
+
 # Hack to get 32- and 64-bits tests run concurrently on the same build machine
 case `uname -m` in
 	ppc64 | s390x | x86_64 | sparc64 )
@ -129,11 +135,6 @@ tail -n +11 etc/default.vcl >> redhat/default.vcl
 	redhat/varnish.initrc redhat/varnishlog.initrc redhat/varnishncsa.initrc
 %endif

-# Fix for broken changes-2.0.6.html
-pushd doc
-%{__make} clean; %{__make}
-popd
-
 %check
 # rhel5 on ppc64 is just too strange
 %ifarch ppc64
@ -238,6 +239,7 @@ exit 0
 /sbin/chkconfig --add varnish
 /sbin/chkconfig --add varnishlog
 /sbin/chkconfig --add varnishncsa 
+test -f /etc/varnish/secret || (mkpasswd > /etc/varnish/secret && chmod 0600 /etc/varnish/secret)

 %preun
 if [ $1 -lt 1 ]; then
@ -254,6 +256,16 @@ fi
 %postun libs -p /sbin/ldconfig

 %changelog
+* Tue Apr 06 2010 Ingvar Hagelund <ingvar@linpro.no> - 2.1.0-1
+- New upstream release; note: Configuration changes, see the README
+- Removed unneeded patches 
+- CVE-2009-2936: Added a patch from Debian that adds the -S option 
+  to the varnisdh(1) manpage and to the sysconfig defaults, thus
+  password-protecting the admin interface port (#579536,#579533)
+- Generates that password in the post script, requires mkpasswd
+- Added a patch from Robert Scheck for explicit linking to libm
+- Requires pcre
+
 * Wed Dec 23 2009 Ingvar Hagelund <ingvar@linpro.no> - 2.0.6-2
 - Added a test that enables jemalloc on ppc if the kernel is
  not a rhel5 kernel (as on redhat builders)