Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sslh for openSUSE:Factory checked in 
at 2025-05-08 18:23:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sslh (Old)
 and      /work/SRC/openSUSE:Factory/.sslh.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sslh"

Thu May  8 18:23:08 2025 rev:15 rq:1275417 version:2.2.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/sslh/sslh.changes        2025-04-07 
18:41:49.652574912 +0200
+++ /work/SRC/openSUSE:Factory/.sslh.new.30101/sslh.changes     2025-05-08 
18:25:53.166746622 +0200
@@ -1,0 +2,14 @@
+Thu May  8 06:57:12 UTC 2025 - Michael Vetter <mvet...@suse.com>
+
+- Update to 2.2.3:
+  * Reverse older commit: version.h cannot be included without breaking
+    the build (everything recompiles every time) and the release archive
+    creation (which relies on git tags).
+
+-------------------------------------------------------------------
+Thu May  8 06:56:55 UTC 2025 - Michael Vetter <mvet...@suse.com>
+
+- Update to 2.2.2:
+  * Fix potential vulnerability similar to CVE-2020-28935
+
+-------------------------------------------------------------------

Old:
----
  v2.2.1.tar.gz

New:
----
  v2.2.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sslh.spec ++++++
--- /var/tmp/diff_new_pack.C3I8PQ/_old  2025-05-08 18:25:53.742770646 +0200
+++ /var/tmp/diff_new_pack.C3I8PQ/_new  2025-05-08 18:25:53.742770646 +0200
@@ -18,7 +18,7 @@
 
 
 Name:           sslh
-Version:        2.2.1
+Version:        2.2.3
 Release:        0
 Summary:        SSL/SSH multiplexer
 License:        GPL-2.0-or-later

++++++ v2.2.1.tar.gz -> v2.2.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/.gitignore new/sslh-2.2.3/.gitignore
--- old/sslh-2.2.1/.gitignore   2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/.gitignore   2025-05-04 11:47:44.000000000 +0200
@@ -10,6 +10,7 @@
 systemd-sslh-generator
 sslh.8.gz
 tags
+version.h
 /config.status
 /config.log
 /config.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/ChangeLog new/sslh-2.2.3/ChangeLog
--- old/sslh-2.2.1/ChangeLog    2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/ChangeLog    2025-05-04 11:47:44.000000000 +0200
@@ -1,3 +1,12 @@
+v2.2.3:
+       Reverse older commit: version.h cannot be included
+       without breaking the build (everything recompiles
+       every time) and the release archive creation (which
+       relies on git tags).
+
+v2.2.2:
+       Fix potential vulnerability similar to CVE-2020-28935
+
 v2.2.1:
        Added a boolean setting "is_unix" for listen and
        protocol entries. This will use the 'host' setting
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/Makefile.in new/sslh-2.2.3/Makefile.in
--- old/sslh-2.2.1/Makefile.in  2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/Makefile.in  2025-05-04 11:47:44.000000000 +0200
@@ -70,9 +70,8 @@
 $(OBJS_A): $(OBJS)
        $(AR) rcs $(OBJS_A) $(OBJS)
 
-version.h: .FORCE
+version.h:
        ./genver.sh >version.h
-.FORCE:        
 
 $(OBJS) $(FORK_OBJS) $(SELECT_OBJS) $(EV_OBJS): argtable3.h collection.h 
common.h gap.h hash.h log.h probe.h processes.h sslh-conf.h tcp-listener.h 
tcp-probe.h tls.h udp-listener.h version.h
 
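Review bot: The `version.h:` rule now has no prerequisites and its recipe redirects straight into the target, so a failing `./genver.sh` leaves an empty or partial `version.h` that make then treats as up to date. Writing to a temporary file and renaming on success avoids that: `./genver.sh >$@.tmp && mv -f $@.tmp $@`. With `.FORCE` gone the file is also never regenerated once it exists, so a tree rebuilt after a new tag can keep reporting the old version string until `make clean`. That makes it harder to confirm from a binary's reported version whether it contains the 2.2.2 pid-file fix, so a short comment on the rule documenting the trade-off would help.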
@@ -145,7 +144,6 @@
 
 clean:
        rm -f sslh-fork sslh-select $(CONDITIONAL_TARGETS) echosrv version.h 
$(MAN) systemd-sslh-generator *.o *.gcov *.gcno *.gcda *.png *.html *.css *.info
-       echo "// this is a placeholder for version.h, to make code-checking 
editors happy" > version.h
 
 tags:
        ctags --globals -T *.[ch]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/common.c new/sslh-2.2.3/common.c
--- old/sslh-2.2.1/common.c     2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/common.c     2025-05-04 11:47:44.000000000 +0200
@@ -986,26 +986,48 @@
     }
 }
 
+
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
+
 /* Writes my PID */
 void write_pid_file(const char* pidfile)
 {
-    FILE *f;
-    int res;
+    int fd;
+    char pidbuf[32];
+    size_t len, written = 0;
+    ssize_t res;
 
-    f = fopen(pidfile, "w");
-    if (!f) {
+    /* Format PID as string */
+    len = snprintf(pidbuf, sizeof(pidbuf), "%d\n", getpid());
+    if (len >= sizeof(pidbuf)) {
+        print_message(msg_system_error, "write_pid_file: PID string too 
long\n");
+        return;
+    }
+
+    /* Open file with O_NOFOLLOW to prevent symlink attacks (Similar to 
CVE-2020-28935) */
+    fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW ,0644);
+
+    if (fd == -1) {
         print_message(msg_system_error, "write_pid_file: %s: %s\n", pidfile, 
strerror(errno));
         return;
     }
 
-    res = fprintf(f, "%d\n", getpid());
-    if (res < 0) {
-        print_message(msg_system_error, "write_pid_file: fprintf: %s\n", 
strerror(errno));
+    /* Write PID to file with proper error handling */
+    while (written < len) {
+        res = write(fd, pidbuf + written, len - written);
+        if (res == -1) {
+            if (errno == EINTR || errno == EAGAIN)
+                continue;
+            print_message(msg_system_error, "write_pid_file: write: %s\n", 
strerror(errno));
+            break;
+        }
+        written += res;
     }
 
-    res = fclose(f);
-    if (res == EOF) {
-        print_message(msg_system_error, "write_pid_file: fclose: %s\n", 
strerror(errno));
-        return;
+    /* Close file */
+    if (close(fd) == -1) {
+        print_message(msg_system_error, "write_pid_file: close: %s\n", 
strerror(errno));
     }
 }
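Review bot: The fallback `#define O_NOFOLLOW 0` at the top of this hunk turns the symlink protection in `write_pid_file` into a silent no-op on any platform whose headers lack the flag. There `open()` follows a symlink at `pidfile` and `O_TRUNC` truncates whatever it points to, with no build-time or run-time indication. A diagnostic in that branch would make the gap visible, e.g. `#warning "O_NOFOLLOW not available: pid file open will follow symlinks"`. Separately, `O_NOFOLLOW` only covers the final path component and the code never checks what it opened, so an `fstat(fd, &st)` with `S_ISREG(st.st_mode)` before the write loop would be a cheap extra check. How much this matters depends on whether the pid file is written before privileges are dropped, which this hunk does not show.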
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/common.h new/sslh-2.2.3/common.h
--- old/sslh-2.2.1/common.h     2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/common.h     2025-05-04 11:47:44.000000000 +0200
@@ -34,6 +34,10 @@
 #include <sys/capability.h>
 #endif
 
+#ifdef __APPLE__
+#include <AvailabilityMacros.h>
+#endif
+
 #include "config.h"
 #include "version.h"
 
@@ -182,6 +186,10 @@
 extern struct addrinfo *addr_listen;
 extern const char* server_type;
 
+#if defined(__APPLE__) && (MAC_OS_X_VERSION_MIN_REQUIRED < 1080)
+extern int hosts_ctl();
+#endif
+
 /* sslh-fork.c */
 void start_shoveler(int);
 
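Review bot: `extern int hosts_ctl();` declares the function without a prototype, so calls are not checked against its parameter list, and under C23 the empty parentheses mean "takes no arguments". Since this is the libwrap access-control call, spelling out the signature keeps the compiler checking the arguments: `extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, char *client_user);` (confirm this against the target SDK's `tcpd.h`). A one-line comment on the `MAC_OS_X_VERSION_MIN_REQUIRED < 1080` guard saying why the declaration is needed there would also help, because the reason is not visible in this hunk.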
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/proxyprotocol.c 
new/sslh-2.2.3/proxyprotocol.c
--- old/sslh-2.2.1/proxyprotocol.c      2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/proxyprotocol.c      2025-05-04 11:47:44.000000000 +0200
@@ -20,6 +20,8 @@
 
 */
 
+#include "config.h"
+
 #ifdef HAVE_PROXYPROTOCOL
 
 #include <proxy_protocol.h>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslh-2.2.1/version.h new/sslh-2.2.3/version.h
--- old/sslh-2.2.1/version.h    2025-04-06 11:59:51.000000000 +0200
+++ new/sslh-2.2.3/version.h    1970-01-01 01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
-#ifndef VERSION_H 
-#define VERSION_H 
-
-#define VERSION "v2.2.0-dirty"
-#endif
