Hello community,

here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-07-21 21:40:10

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
 and      /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-07-02 15:05:26.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-07-21 22:34:38.000000000 +0200 
@@ -1,0 +2,68 @@ +Fri Jul 18 15:01:53 UTC 2014 - [email protected] + +- added + 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch: + BUG/MEDIUM: connection: fix memory corruption when building a + proxy v2 header + +------------------------------------------------------------------- +Thu Jul 17 10:45:28 UTC 2014 - [email protected] + +- pulled a few fixes from the 1.5 branch: most notable the DHE + memleak fix. Adds the following patches: + 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch + 0002-DOC-fix-typo-in-Unix-Socket-commands.patch + 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch + 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch + +------------------------------------------------------------------- +Sat Jul 12 16:56:27 UTC 2014 - [email protected] + +- update to 1.5.2 + - BUG/MEDIUM: backend: Update hash to use unsigned int throughout + - BUG/MINOR: ssl: Fix external function in order not to return a + pointer on an internal trash buffer. + - DOC: expand the docs for the provided stats. + - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets + upon failure. 
+ - MINOR: stats: fix minor typo in HTML page + - BUG/MEDIUM: http: fetch "base" is not compatible with + set-header + - BUG/MINOR: counters: do not untrack counters before logging + - BUG/MAJOR: sample: correctly reinitialize sample fetch context + before calling sample_process() + - MINOR: stick-table: make stktable_fetch_key() indicate why it + failed + - BUG/MEDIUM: counters: fix track-sc* to wait on unstable + contents + - BUILD: remove TODO from the spec file and add README + - MINOR: log: make MAX_SYSLOG_LEN overridable at build time + - MEDIUM: log: support a user-configurable max log line length + - DOC: provide an example of how to use ssl_c_sha1 + - BUILD: http: fix isdigit & isspace warnings on Solaris + - BUG/MINOR: listener: set the listener's fd to -1 after deletion + - BUG/MEDIUM: unix: failed abstract socket binding is retryable + - MEDIUM: listener: implement a per-protocol pause() function + - MEDIUM: listener: support rebinding during resume() + - BUG/MEDIUM: unix: completely unbind abstract sockets during a + pause() + - DOC: explicitly mention the limits of abstract namespace + sockets + - DOC: minor fix on {sc,src}_kbytes_{in,out} + - DOC: fix alphabetical sort of converters + - BUG/MAJOR: http: correctly rewind the request body after start + of forwarding + - DOC: remove references to CPU=native in the README + - DOC: mention that "compression offload" is ignored in defaults + section +- drop patches including in version upgrade. + - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch + - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch + - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch + - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch + - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch + - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch +- use www.haproxy.org now instead of the old domain which is just + redirecting to haproxy.org now. 
+ +------------------------------------------------------------------- Old: ---- 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch haproxy-1.5.1.tar.gz New: ---- 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch 0002-DOC-fix-typo-in-Unix-Socket-commands.patch 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch haproxy-1.5.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.F9wovU/_old 2014-07-21 22:34:38.000000000 +0200 +++ /var/tmp/diff_new_pack.F9wovU/_new 2014-07-21 22:34:38.000000000 +0200 @@ -33,7 +33,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.5.1 +Version: 1.5.2 Release: 0 # # 
@@ -51,28 +51,21 @@ %define pkg_name haproxy %define pkg_home /var/lib/%{pkg_name} # -Url: http://haproxy.1wt.eu/ -Source: http://haproxy.1wt.eu/download/1.5/src/haproxy-%{version}.tar.gz +Url: http://www.haproxy.org/ +Source: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz Source1: %{pkg_name}.init -Source2: http://haproxy.1wt.eu/download/contrib/haproxy.vim +Source2: http://www.haproxy.org/download/contrib/haproxy.vim Source3: usr.sbin.haproxy.apparmor Source4: local.usr.sbin.haproxy.apparmor Patch1: haproxy-1.2.16_config_haproxy_user.patch Patch2: haproxy-makefile_lib.patch Patch3: sec-options.patch Patch4: haproxy-1.5_check_config_before_start.patch -# PATCH-FIX-UPSTREAM: http: fetch "base" is not compatible with set-header -Patch5: 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch -# PATCH-FIX-UPSTREAM: ssl: Fix external function in order not to return a pointer on an internal trash buffer. -Patch6: 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch -# PATCH-FIX-UPSTREAM: counters: do not untrack counters before logging -Patch7: 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch -# PATCH-FIX-UPSTREAM: sample: correctly reinitialize sample fetch context before calling sample_process() -Patch8: 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch -# PATCH-FIX-UPSTREAM: stick-table: make stktable_fetch_key() indicate why it failed -Patch9: 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch -# PATCH-FIX-UPSTREAM: counters: fix track-sc* to wait on unstable contents -Patch10: 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch +Patch5: 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch +Patch6: 0002-DOC-fix-typo-in-Unix-Socket-commands.patch +Patch7: 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch +Patch8: 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch +Patch9: 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch 
Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -111,7 +104,6 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 -%patch10 -p1 %build %{__make} \ ++++++ 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch ++++++ >From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001 From: Willy Tarreau <[email protected]> Date: Sat, 12 Jul 2014 17:31:07 +0200 Subject: [PATCH 1/5] DOC: mention that Squid correctly responds 400 to PPv2 header Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630 were confirmed to respond correctly here and that any version will do the same. (cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad) --- doc/proxy-protocol.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt index a2dbcea..a3925a4 100644 --- a/doc/proxy-protocol.txt +++ b/doc/proxy-protocol.txt @@ -692,6 +692,7 @@ presented, even with minimal implementations : - thttpd 2.20c : 400 Bad Request + abort => pass/optimal - mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal - haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal + - Squid 3 : 400 Bad Request + abort => pass/optimal - SSL : - stud 0.3.47 : connection abort => pass/optimal - stunnel 4.45 : connection abort => pass/optimal -- 1.8.4.5 ++++++ 0002-DOC-fix-typo-in-Unix-Socket-commands.patch ++++++ >From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <[email protected]> Date: Sat, 12 Jul 2014 18:22:42 +0200 Subject: [PATCH 2/5] DOC: fix typo in Unix Socket commands Konstantin Romanenko reported a typo in the HTML documentation. The typo is already present in the raw text version : the "shutdown sessions" command should be "shutdown sessions server". (cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e) --- doc/configuration.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
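Review bot: the haproxy.spec hunk drops the `# PATCH-FIX-UPSTREAM:` tag line that each of the removed Patch5–Patch10 entries carried, and the new Patch5–Patch9 entries get none; openSUSE packaging expects that tag above every Patch line, so add one per entry using the upstream subject already present in the .changes entry, e.g. `# PATCH-FIX-UPSTREAM: ssl: Fix a memory leak in DHE key exchange` above `Patch7:`. The new Url/Source/Source2 values still fetch over plain http from www.haproxy.org; if the site is reachable over https, switching the Source URL gives the tarball download transport integrity at no cost.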
diff --git a/doc/configuration.txt b/doc/configuration.txt index ca21f7d..2d71555 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13869,7 +13869,7 @@ shutdown session <id> endless transfer is ongoing. Such terminated sessions are reported with a 'K' flag in the logs. -shutdown sessions <backend>/<server> +shutdown sessions server <backend>/<server> Immediately terminate all the sessions attached to the specified server. This can be used to terminate long-running sessions after a server is put into maintenance mode, for instance. Such terminated sessions are reported with a -- 1.8.4.5 ++++++ 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch ++++++ >From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001 From: Remi Gacogne <rgacogne[at]aquaray[dot]fr> Date: Tue, 15 Jul 2014 11:36:40 +0200 Subject: [PATCH 3/5] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5. (cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570) --- src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 375225d..cf8adc7 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -105,6 +105,13 @@ enum { int sslconns = 0; int totalsslconns = 0; +#ifndef OPENSSL_NO_DH +static DH *local_dh_1024 = NULL; +static DH *local_dh_2048 = NULL; +static DH *local_dh_4096 = NULL; +static DH *local_dh_8192 = NULL; +#endif /* OPENSSL_NO_DH */ + #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB struct certificate_ocsp { struct ebmb_node key; 
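Review bot: the four `static DH *local_dh_*` pointers added in the first src/ssl_sock.c hunk are process-lifetime state shared by every SSL_CTX, and nothing in this patch ever frees them, which is the intended fix for the leak; a comment at the declaration saying they are allocated once at configuration time and must not be freed by the callback would keep a later change from adding DH_free() in ssl_get_tmp_dh() and turning the leak fix into a use-after-free.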
@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen) } if (keylen >= 8192) { - dh = ssl_get_dh_8192(); + dh = local_dh_8192; } else if (keylen >= 4096) { - dh = ssl_get_dh_4096(); + dh = local_dh_4096; } else if (keylen >= 2048) { - dh = ssl_get_dh_2048(); + dh = local_dh_2048; } else { - dh = ssl_get_dh_1024(); + dh = local_dh_1024; } return dh; @@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file) if (global.tune.ssl_default_dh_param <= 1024) { /* we are limited to DH parameter of 1024 bits anyway */ - dh = ssl_get_dh_1024(); - if (dh == NULL) + local_dh_1024 = ssl_get_dh_1024(); + if (local_dh_1024 == NULL) goto end; - SSL_CTX_set_tmp_dh(ctx, dh); + SSL_CTX_set_tmp_dh(ctx, local_dh_1024); } else { SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh); @@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy global.tune.ssl_default_dh_param = 1024; } +#ifndef OPENSSL_NO_DH + if (global.tune.ssl_default_dh_param >= 1024) { + if (local_dh_1024 == NULL) { + local_dh_1024 = ssl_get_dh_1024(); + } + if (global.tune.ssl_default_dh_param >= 2048) { + if (local_dh_2048 == NULL) { + local_dh_2048 = ssl_get_dh_2048(); + } + if (global.tune.ssl_default_dh_param >= 4096) { + if (local_dh_4096 == NULL) { + local_dh_4096 = ssl_get_dh_4096(); + } + if (global.tune.ssl_default_dh_param >= 8192 && + local_dh_8192 == NULL) { + local_dh_8192 = ssl_get_dh_8192(); + } + } + } + } +#endif /* OPENSSL_NO_DH */ + SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk); #if OPENSSL_VERSION_NUMBER >= 0x00907000L SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); -- 1.8.4.5 ++++++ 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch ++++++ >From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001 
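Review bot: in the ssl_sock_load_dh_params() hunk, `local_dh_1024 = ssl_get_dh_1024();` runs unconditionally on every call, so with more than one certificate or bind line each call allocates fresh parameters and overwrites the previous pointer, leaking the old DH once per call (bounded and at configuration time, but the same class of leak the patch is fixing). The ssl_sock_prepare_ctx() hunk already guards with `if (local_dh_1024 == NULL)`; do the same here, e.g. `if (local_dh_1024 == NULL) local_dh_1024 = ssl_get_dh_1024();`. SSL_CTX_set_tmp_dh() takes its own copy of the parameters, so the cached pointer remains owned by haproxy either way.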
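Review bot: the new `#ifndef OPENSSL_NO_DH` block in ssl_sock_prepare_ctx() never checks the return value of ssl_get_dh_1024()/_2048()/_4096()/_8192(); if one fails, its `local_dh_*` pointer stays NULL and the ssl_get_tmp_dh() callback from the earlier hunk hands NULL to OpenSSL, so handshakes needing that size fail at runtime with no configuration-time diagnostic. Check each result and report a configuration error, as the 1024-bit path in ssl_sock_load_dh_params() already does with `goto end`. The nested `>= 2048` / `>= 4096` / `>= 8192` ifs would also read more clearly as four independent `if (global.tune.ssl_default_dh_param >= N && local_dh_N == NULL)` statements.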
From: Willy Tarreau <[email protected]> Date: Tue, 15 Jul 2014 21:34:06 +0200 Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian version of base32 We're using the internal memory representation of base32 here, which is wrong since these data might be exported to headers for logs or be used to stick to a server and replicated to other peers. Let's convert base32 to big endian (network representation) when building the binary block. This mistake is also present in 1.5, it would be better to backport it. (cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568) --- src/proto_http.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index 94afed7..b7ed85d 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in return 0; temp = get_trash_chunk(); - memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint)); - temp->len += sizeof(smp->data.uint); + *(unsigned int *)temp->str = htonl(smp->data.uint); + temp->len += sizeof(unsigned int); switch (cli_conn->addr.from.ss_family) { case AF_INET: -- 1.8.4.5 ++++++ 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch ++++++ >From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001 From: Dave McCowan <[email protected]> Date: Thu, 17 Jul 2014 14:34:01 -0400 Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header Use temporary trash chunk, instead of global trash chunk in make_proxy_line_v2() to avoid memory overwrite. This fix must also be backported to 1.5. (cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b) --- src/connection.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/connection.c b/src/connection.c index 20a911b..3435b1a 100644 --- a/src/connection.c +++ b/src/connection.c 
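Review bot: in the src/proto_http.c hunk, `*(unsigned int *)temp->str = htonl(smp->data.uint);` writes at offset 0 while the removed line wrote at `temp->str + temp->len`; that is equivalent only because get_trash_chunk() returns an empty chunk, and it no longer matches the `temp->len += sizeof(unsigned int)` on the next line. A converted temporary copied with memcpy keeps the original offset and avoids the aligned-store assumption of the cast: `unsigned int v = htonl(smp->data.uint); memcpy(temp->str + temp->len, &v, sizeof(v)); temp->len += sizeof(v);`. Since the commit message notes the key is replicated to peers, the changelog should also say that on little-endian hosts peers still running the unfixed code will key the same client differently until all of them are upgraded.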
@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec char *value = NULL; struct tlv_ssl *tlv; int ssl_tlv_len = 0; + struct chunk *cn_trash; #endif if (buf_len < PP2_HEADER_LEN) @@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec tlv->verify = htonl(ssl_sock_get_verify_result(remote)); } if (srv->pp_opts & SRV_PP_V2_SSL_CN) { - if (ssl_sock_get_remote_common_name(remote, &trash) > 0) { - tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str); + cn_trash = get_trash_chunk(); + if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) { + tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str); ssl_tlv_len += tlv_len; } } -- 1.8.4.5 ++++++ haproxy-1.5.1.tar.gz -> haproxy-1.5.2.tar.gz ++++++ ++++ 1677 lines of diff (skipped)
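Review bot: in the second src/connection.c hunk, `cn_trash` is a `struct chunk *`, so `ssl_sock_get_remote_common_name(remote, &cn_trash)` passes a `struct chunk **`, whereas the removed call passed `&trash`, the address of the `struct chunk` itself; the diffstat shows only src/connection.c changed, so the callee's parameter type is unchanged and it now receives the address of the local pointer instead of the chunk, and writing the common name through that would overwrite the stack slot rather than the buffer, which is the kind of memory overwrite this patch set out to remove. The call should be `ssl_sock_get_remote_common_name(remote, cn_trash)`, and the incompatible-pointer-type warning the compiler emits for this line should be treated as an error in the build. A comment that the chunk from get_trash_chunk() is a rotating temporary, valid only until the next get_trash_chunk() call, would also help; it is fine here because make_tlv() copies the bytes immediately.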
