From 272d61ffb5ae38ffb6d56dd3598486ddd60e4290 Mon Sep 17 00:00:00 2001
From: Ingvar Hagelund
Date: Wed, 14 Apr 2010 12:32:17 +0000
Subject: [PATCH] New upstream release. Some fixes for CVE-2009-2936.
---
 .cvsignore | 2 +-
 sources | 2 +-
 varnish.S-option.patch | 32 ++++++++++++++++++++++++++++++++
 varnish.floor.patch | 15 +++++++++++++++
 varnish.spec | 40 ++++++++++++++++++++++++++--------------
 5 files changed, 75 insertions(+), 16 deletions(-)
 create mode 100644 varnish.S-option.patch
 create mode 100644 varnish.floor.patch
diff --git a/.cvsignore b/.cvsignore
index 72c39af..e795082 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-varnish-2.0.6.tar.gz
+varnish-2.1.tar.gz
diff --git a/sources b/sources
index 57e2edc..5c0e157 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d91dc21c636db61c69b5e8f061c5bb95 varnish-2.0.6.tar.gz
+91d92ea69f7dce470e55ef4721ef9b7d varnish-2.1.tar.gz
diff --git a/varnish.S-option.patch b/varnish.S-option.patch
new file mode 100644
index 0000000..fdb261d
--- /dev/null
+++ b/varnish.S-option.patch
@@ -0,0 +1,32 @@
+--- ../varnish-2.1.orig/man/vcl.7so
++++ man/vcl.7so
+@@ -126,7 +126,6 @@ it's saintmode list
+ can be set to the maximum list size. Setting a value of 0 disables
+ saintmode checking entirely for that backend. The value in the backend
+ declaration overrides the parameter.
+-
+ .Ss Directors
+ Directors choose from different backends based on health status and a
+ per-director algorithm.
+--- ../varnish-2.1.orig/bin/varnishd/varnishd.1
++++ bin/varnishd/varnishd.1
+@@ -173,6 +173,9 @@ to the specified
+ See
+ .Sx Run-Time Parameters
+ for a list of parameters.
++.It Fl S Ar file
++Path to a file containing a secret used for authorizing access to the
++management port.
+ .It Fl s Ar type Ns Xo
+ .Op , Ns Ar options
+ .Xc
+--- ../varnish-2.1.orig/redhat/varnish.sysconfig
++++ ./redhat/varnish.sysconfig
+@@ -38,6 +38,7 @@
+ -T localhost:6082 \
+ -f /etc/varnish/default.vcl \
+ -u varnish -g varnish \
++ -S /etc/varnish/secret \
+ -s file,/var/lib/varnish/varnish_storage.bin,1G"
+
+
diff --git a/varnish.floor.patch b/varnish.floor.patch
new file mode 100644
index 0000000..c8252d2
--- /dev/null
+++ b/varnish.floor.patch
@@ -0,0 +1,15 @@
+Patch by Robert Scheck for varnish >= 2.1, which adds the
+missing (former implicit) linking to libm. And as implicit linking can be dangerous,
+this changed, see: http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking
+
+--- bin/varnishtest/Makefile.am 2010-03-24 10:44:13.000000000 +0100
++++ bin/varnishtest/Makefile.am.libm 2010-04-07 22:57:03.000000000 +0200
+@@ -25,7 +25,7 @@
+ $(top_builddir)/lib/libvarnish/libvarnish.la \
+ $(top_builddir)/lib/libvarnishcompat/libvarnishcompat.la \
+ $(top_builddir)/lib/libvarnishapi/libvarnishapi.la \
+- ${PTHREAD_LIBS}
++ ${LIBM} ${PTHREAD_LIBS}
+
+ EXTRA_DIST = $(top_srcdir)/bin/varnishtest/tests/*.vtc \
+ $(top_srcdir)/bin/varnishtest/tests/README
diff --git a/varnish.spec b/varnish.spec
index ec2bd66..7fef031 100644
--- a/varnish.spec
+++ b/varnish.spec
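Review bot: In varnish.S-option.patch, the redhat/varnish.sysconfig hunk (`@@ -38,6 +38,7 @@`) adds `-S /etc/varnish/secret` only to the packaged default options, so the authentication that addresses CVE-2009-2936 depends on that exact file being the one in use. A host upgraded from 2.0.6 that keeps a locally edited sysconfig file would presumably still start varnishd without -S, and the same holds for any other DAEMON_OPTS variant in that file, which is not visible in this hunk. I would add a comment above the option block, `# -S makes the management port (-T) require the shared secret; keep it when editing these options`, and state the manual step for upgraded systems in the README that the changelog points to.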
@@ -1,23 +1,25 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 2.0.6
-Release: 2%{?dist}
+Version: 2.1.0
+Release: 1%{?dist}
 License: BSD
 Group: System Environment/Daemons
 URL: http://www.varnish-cache.org/
-Source0: http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.gz
-Patch0: varnish.varnishtest_debugflag.patch
-Patch1: varnish.changes-2.0.6.patch
+#Source0: http://downloads.sourceforge.net/varnish/varnish-%{version}.tar.gz
+Source0: http://downloads.sourceforge.net/varnish/varnish-2.1.tar.gz
+patch0: varnish.S-option.patch
+patch1: varnish.floor.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # The svn sources needs autoconf, automake and libtool to generate a suitable
 # configure script. Release tarballs would not need this
-#BuildRequires: automake autoconf libtool
-BuildRequires: ncurses-devel libxslt groff
+BuildRequires: automake autoconf libtool
+BuildRequires: ncurses-devel libxslt groff pcre-devel pkgconfig
 Requires: varnish-libs = %{version}-%{release}
 Requires: logrotate
 Requires: ncurses
+Requires: pcre
 Requires(pre): shadow-utils
-Requires(post): /sbin/chkconfig
+Requires(post): /sbin/chkconfig, /usr/bin/mkpasswd
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
 Requires(preun): initscripts
@@ -62,7 +64,8 @@ Varnish is a high-performance HTTP accelerator
 #Varnish is a high-performance HTTP accelerator
 %prep
-%setup -q
+#%setup -q
+%setup -q -n varnish-2.1
 #%setup -q -n varnish-cache
 # The svn sources needs to generate a suitable configure script
@@ -72,6 +75,9 @@ Varnish is a high-performance HTTP accelerator
 %patch0
 %patch1
+# Makefile.am was patched. Needs to rerun autoconf
+./autogen.sh
+
 # Hack to get 32- and 64-bits tests run concurrently on the same build machine
 case `uname -m` in
 ppc64 | s390x | x86_64 | sparc64 )
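Review bot: The two comment lines above the BuildRequires in the first varnish.spec hunk (`@@ -1,23 +1,25 @@`) still say that release tarballs do not need autoconf, automake and libtool, yet the new side enables exactly that BuildRequires for a release tarball. The reason only shows up in the `@@ -72,6 +75,9 @@` hunk, where `./autogen.sh` is rerun because varnish.floor.patch edits Makefile.am. I would reword the comment to `# varnish.floor.patch edits Makefile.am, so autogen.sh is rerun in %prep; needs autoconf, automake and libtool`. Source0 and `%setup -n` also hard-code 2.1 while Version is 2.1.0, which deserves a short comment such as `# upstream tarball is named 2.1, not %{version}` so the next version bump does not miss them.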
@@ -129,11 +135,6 @@ tail -n +11 etc/default.vcl >> redhat/default.vcl
 redhat/varnish.initrc redhat/varnishlog.initrc redhat/varnishncsa.initrc
 %endif
-# Fix for broken changes-2.0.6.html
-pushd doc
-%{__make} clean; %{__make}
-popd
-
 %check
 # rhel5 on ppc64 is just too strange
 %ifarch ppc64
@@ -238,6 +239,7 @@ exit 0
 /sbin/chkconfig --add varnish
 /sbin/chkconfig --add varnishlog
 /sbin/chkconfig --add varnishncsa
+test -f /etc/varnish/secret || (mkpasswd > /etc/varnish/secret && chmod 0600 /etc/varnish/secret)
 %preun
 if [ $1 -lt 1 ]; then
@@ -254,6 +256,16 @@ fi
 %postun libs -p /sbin/ldconfig
 %changelog
+* Tue Apr 06 2010 Ingvar Hagelund - 2.1.0-1
+- New upstream release; note: Configuration changes, see the README
+- Removed unneeded patches
+- CVE-2009-2936: Added a patch from Debian that adds the -S option
+ to the varnisdh(1) manpage and to the sysconfig defaults, thus
+ password-protecting the admin interface port (#579536,#579533)
+- Generates that password in the post script, requires mkpasswd
+- Added a patch from Robert Scheck for explicit linking to libm
+- Requires pcre
+
 * Wed Dec 23 2009 Ingvar Hagelund - 2.0.6-2
 - Added a test that enables jemalloc on ppc if the kernel is not a rhel5 kernel (as on redhat builders)
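Review bot: In the %post hunk of varnish.spec (`@@ -238,6 +239,7 @@`) the secret is written before its mode is restricted: the redirect creates /etc/varnish/secret under the scriptlet's umask (commonly 022) and `chmod 0600` runs only afterwards, so other local users may be able to read the file for a short window. If mkpasswd fails, the redirect still leaves an empty file behind, and `test -f` accepts it on every later run. Setting the umask inside the subshell and testing for a non-empty file closes both gaps: `test -s /etc/varnish/secret || (umask 077; mkpasswd > /etc/varnish/secret && chmod 0600 /etc/varnish/secret)`. mkpasswd is, as far as I know, the expect helper, whose default output is a short password meant for humans; for a key guarding the management port a longer value read from /dev/urandom would be a better source and would drop the extra dependency, which is worth confirming against the mkpasswd shipped on the target releases. The scriptlet starts above this hunk.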