[PR] Using standard 'OOM' instead of 'Out of Memory'

2021-09-18 Thread PR Bot
Dear list!

Author: SuvP 
Number of patches: 1

This is an automated relay of the Github pull request:
   Using standard 'OOM' instead of 'Out of Memory'

Patch title(s): 
   Using standard 'OOM' instead of 'Out of Memory'

Link:
   https://github.com/haproxy/haproxy/pull/1397

Edit locally:
   wget https://github.com/haproxy/haproxy/pull/1397.patch && vi 1397.patch

Apply locally:
   curl https://github.com/haproxy/haproxy/pull/1397.patch | git am -

Description:
   Refers to #1025
   Using the well-known word 'OOM' instead of 'Out of Memory'
   This will reduce binary size as well.
   Have tried to keep context wherever required.

Instructions:
   This github pull request will be closed automatically; patch should be
   reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
   invited to comment, even the patch's author. Please keep the author and
   list CCed in replies. Please note that in absence of any response this
   pull request will be lost.



executable properties (checksec, BinSkim)

2021-09-18 Thread Илья Шипицин
Hello,

I checked how the binary shipped in several popular distributions looks
(ppa:vbernat/haproxy-2.4, docker haproxytech/haproxy-ubuntu, docker
haproxy).

Are we aware of those security features? Shall we move them to the Makefile?
Or is it up to the distribution?


ppa:vbernat/haproxy-2.4

[root@fedora haproxy-bionic]# ~ilia/checksec.sh/checksec --file=haproxy
RELRO           STACK CANARY      NX          PIE          RPATH     RUNPATH     Symbols        FORTIFY  Fortified  Fortifiable  FILE
Full RELRO      Canary found      NX enabled  PIE enabled  No RPATH  No RUNPATH  No Symbols     Yes      12         26           haproxy

BinSkim:
Analyzing 'haproxy'...
Analysis completed successfully.


docker haproxytech/haproxy-ubuntu

[fedora haproxy-docker]# ~ilia/checksec.sh/checksec --file=haproxy-tech
RELRO           STACK CANARY      NX          PIE          RPATH     RUNPATH     Symbols        FORTIFY  Fortified  Fortifiable  FILE
Full RELRO      Canary found      NX enabled  PIE enabled  No RPATH  No RUNPATH  5664) Symbols  Yes      12         26           haproxy-tech

BinSkim
Analyzing 'haproxy-tech'...
/home/ilia/haproxy-docker/haproxy-tech: error BA3004: 'haproxy-tech' is
using debugging dwarf version '4'. The dwarf version 5 contains more
information and should be used. To enable the debugging version 5 use
'-gdwarf-5'.
Analysis completed successfully.

docker haproxy

[ilia@fedora checksec.sh]$ ./checksec --file=/home/ilia/haproxy-docker/haproxy
RELRO           STACK CANARY      NX          PIE          RPATH     RUNPATH     Symbols        FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   No canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  5926) Symbols  Yes      0          20           /home/ilia/haproxy-docker/haproxy

BinSkim

/home/ilia/haproxy-docker/haproxy: error BA3003: The stack protector was
not found in 'haproxy'. This may be because '--stack-protector-strong' was
not used, or because it was explicitly disabled by '-fno-stack-protectors'.
Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
proto_sockpair.c, fd.c, compression.c, mqtt.c, tcp_act.c, raw_sock.c,
frontend.c, http_conv.c, xprt_handshake.c, pool.c, applet.c, mailers.c,
lb_fwrr.c, lb_fwlc.c, lb_fas.c, proto_uxst.c, http.c, action.c, protocol.c,
thread.c, sock_unix.c, proto_udp.c, lb_map.c, sock_inet.c, lru.c,
cfgparse-tcp.c, cfgdiag.c, proto_uxdg.c, ev_select.c, cfgparse-unix.c,
uri_normalizer.c, ebmbtree.c, sha1.c, time.c, signal.c, mworker-prog.c,
hpack-dec.c, fix.c, arg.c, eb64tree.c, chunk.c, shctx.c, regex.c, fcgi.c,
eb32tree.c, eb32sctree.c, dynbuf.c, uri_auth.c, hpack-tbl.c, ebimtree.c,
auth.c, ebsttree.c, ebistree.c, base64.c, wdt.c, pipe.c, http_acl.c,
hpack-enc.c, dict.c, dgram.c, init.c, hpack-huff.c, freq_ctr.c, ebtree.c,
hash.c, version.c, errors.c, http_client.c
/home/ilia/haproxy-docer/haproxy: error BA3004: 'haproxy' is using
debugging dwarf version '4'. The dwarf version 5 contains more information
and should be used. To enable the debugging version 5 use '-gdwarf-5'.
/home/ilia/haproxy-docer/haproxy: error BA3005: The Stack Clash Protection
is missing from this binary, so the stack from 'haproxy' can clash/colide
with another memory region. Ensure you are compiling with the compiler
flags '-fstack-clash-protection' to address this.
Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,