Bug#792369: jessie-pu: package haproxy/1.5.8-3+deb8u2

2015-07-19 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2015-07-14 at 20:11 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2015-07-14 at 10:50 +0200, Vincent Bernat wrote:
> > When a proxy is marked as disabled, the config parser will
> > segfault. This was not the case with the same configuration with
> > 1.4. This is bug #792116. Upstream marked the severity to medium
> > because there was a workaround (commenting the proxy instead of
> > disabling it). However, the workaround may be impractical (disabled
> > proxies are kept in the configuration to be able to enable them at
> > runtime) and people may just not know about it.
> >
> > The fix is quite small. I have appended another fix which is just
> > needed for the patch to apply cleanly. If needed, I can just modify
> > the patch to not need the additional fix.
>
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#792369: jessie-pu: package haproxy/1.5.8-3+deb8u2

2015-07-14 Thread Vincent Bernat
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hey!

We would like to propose a stable upload for HAProxy. There is already
a security upload (1.5.8-3+deb8u1) which should hit the next stable
release. On top of that, we would like to fix an important regression
when upgrading from 1.4.

When a proxy is marked as disabled, the config parser will
segfault. This was not the case with the same configuration with
1.4. This is bug #792116. Upstream marked the severity to medium
because there was a workaround (commenting the proxy instead of
disabling it). However, the workaround may be impractical (disabled
proxies are kept in the configuration to be able to enable them at
runtime) and people may just not know about it.

The fix is quite small. I have appended another fix which is just
needed for the patch to apply cleanly. If needed, I can just modify
the patch to not need the additional fix.

Debdiff against 1.5.8-3+deb8u1 is attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 74a07ea3c9ac..5b61f80f2146 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+haproxy (1.5.8-3+deb8u2) jessie; urgency=medium
+
+  * Fix a segfault when parsing a configuration file containing disabled
+proxy sections. Closes: #792116.
+  - BUG/MINOR: config: fix typo in condition when propagating
+   process binding
+  - BUG/MEDIUM: config: do not propagate processes between
+stopped processes
+
+ -- Vincent Bernat ber...@debian.org  Tue, 14 Jul 2015 10:32:26 +0200
+
 haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high
 
   * Fix an information leak. CVE-2015-3281.
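
Review bot: In the new 1.5.8-3+deb8u2 entry, the two sub-bullets give the BUG/MINOR and BUG/MEDIUM patches equal weight, although the request describes the extra fix as only needed for the main patch to apply cleanly. Suggest marking the "fix typo in condition when propagating process binding" line as a prerequisite, so that a later reader of the changelog can tell which patch actually closes #792116. The continuation lines ("proxy sections.", "stopped processes") should also be indented so that they line up under their bullets.
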
diff --git a/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch b/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
new file mode 100644
index ..da4c2e1982a4
--- /dev/null
+++ b/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
@@ -0,0 +1,34 @@
+From ed061c0590109dde6cd77cd963bebc46ba0cd0cc Mon Sep 17 00:00:00 2001
+From: Willy Tarreau w...@1wt.eu
+Date: Thu, 18 Dec 2014 14:00:43 +0100
+Subject: [PATCH] BUG/MEDIUM: config: do not propagate processes between
+ stopped processes
+
+Immo Goltz reported a case of segfault while parsing the config where
+we try to propagate processes across stopped frontends (those with a
+disabled statement). The fix is trivial. The workaround consists in
+commenting out these frontends, although not always easy.
+
+This fix must be backported to 1.5.
+(cherry picked from commit f6b70013389cf9378c6a4d55d3d570de4f95c33c)
+---
+ src/cfgparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index f5eed03cce91..2a27d8b0a0f9 100644
+--- a/src/cfgparse.c
 b/src/cfgparse.c
+@@ -6009,6 +6009,9 @@ void propagate_processes(struct proxy *from, struct proxy *to)
+ 	if (!(from-cap  PR_CAP_FE))
+ 		return;
+ 
++	if (from-state == PR_STSTOPPED)
++		return;
++
+ 	/* default_backend */
+ 	if (from-defbe.be)
+ 		propagate_processes(from, from-defbe.be);
+-- 
+2.1.4
+
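
Review bot: The new early return at the top of propagate_processes() tests only the state of "from" against PR_STSTOPPED; nothing in this hunk guards "to", which in the recursive call just below is the default_backend of "from". Please confirm against the full function that an enabled frontend pointing at a disabled backend cannot reach the same crash, or add the equivalent check on "to". A one-line comment above the new check saying why stopped proxies are skipped would also help, since the reason is only recorded in the commit message.
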
diff --git a/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch b/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
new file mode 100644
index ..3636696d0278
--- /dev/null
+++ b/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
@@ -0,0 +1,38 @@
+From 8a95d8cd61c8ec61b9e1c9c9e571405878a40624 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau w...@1wt.eu
+Date: Thu, 18 Dec 2014 13:56:26 +0100
+Subject: [PATCH] 
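
Review bot: This patch file carries the same 0001- prefix as the BUG/MEDIUM patch above, so the file names no longer convey the apply order; it has to come from debian/patches/series, which is not visible in this part of the debdiff. The request says this fix is needed for the other patch to apply cleanly, and its Date (13:56:26) precedes the other's (14:00:43), so check that series lists it first, or renumber the two files 0001-/0002- to make the order explicit.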

Bug#792369: jessie-pu: package haproxy/1.5.8-3+deb8u2

2015-07-14 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2015-07-14 at 10:50 +0200, Vincent Bernat wrote:
> When a proxy is marked as disabled, the config parser will
> segfault. This was not the case with the same configuration with
> 1.4. This is bug #792116. Upstream marked the severity to medium
> because there was a workaround (commenting the proxy instead of
> disabling it). However, the workaround may be impractical (disabled
> proxies are kept in the configuration to be able to enable them at
> runtime) and people may just not know about it.
>
> The fix is quite small. I have appended another fix which is just
> needed for the patch to apply cleanly. If needed, I can just modify
> the patch to not need the additional fix.

Please go ahead.

Regards,

Adam

