Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package haproxy.16826 for 
openSUSE:Leap:15.2:Update checked in at 2021-08-19 17:21:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/haproxy.16826 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.haproxy.16826.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "haproxy.16826"

Thu Aug 19 17:21:38 2021 rev:1 rq:912780 version:2.0.14

Changes:
--------
New Changes file:

--- /dev/null   2021-07-22 10:06:18.349420535 +0200
+++ /work/SRC/openSUSE:Leap:15.2:Update/.haproxy.16826.new.1899/haproxy.changes 
2021-08-19 17:21:39.736712068 +0200
@@ -0,0 +1,3752 @@
+-------------------------------------------------------------------
+Thu Aug 12 16:41:18 UTC 2021 - Emil Penchev <emil.penc...@suse.com>
+
+- Fixes HAProxy vulnerabilities on H2 (bsc#1189366)
+  Added patch: haproxy-2.0-h2_enforce_checks_on_the_method_syntax_bef.patch. 
+
+-------------------------------------------------------------------
+Wed Apr 15 09:50:13 UTC 2020 - pablo.br...@suse.com
+
+- Removed patch: haproxy-2.0-hpack-tbl.patch as already fixed in 2.0.14
+
+- Update to version 2.0.14: (bsc#1169457)
+  * [RELEASE] Released version 2.0.14
+  * BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
+  * BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
+  * SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
+  * MINOR: http-htx: Add a function to retrieve the headers size of an HTX 
message
+  * MINOR: filters: Forward data only if the last filter forwards something
+  * BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward 
them
+  * BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
+  * BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
+  * MINOR: ist: add an iststop() function
+  * BUG/MINOR: http: http-request replace-path duplicates the query string
+  * BUG/MEDIUM: shctx: make sure to keep all blocks aligned
+  * MINOR: compiler: move CPU capabilities definition from config.h and 
complete them
+  * BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access 
support
+  * BUILD: fix recent build failure on unaligned archs
+  * CLEANUP: cfgparse: Fix type of second calloc() parameter
+  * BUG/MINOR: sample: fix the json converter's endian-sensitivity
+  * BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch 
functions
+  * BUG/MINOR: connection: make sure to correctly tag local PROXY connections
+  * MINOR: compiler: add new alignment macros
+  * BUILD: ebtree: improve architecture-specific alignment
+  * BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
+  * BUG/MINOR: dns: ignore trailing dot
+  * MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server 
metrics
+  * MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
+  * BUG/MEDIUM: random: initialize the random pool a bit better
+  * MINOR: tools: add 64-bit rotate operators
+  * BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
+  * MINOR: backend: use a single call to ha_random32() for the random LB algo
+  * BUG/MINOR: checks/threads: use ha_random() and not rand()
+  * BUG/MAJOR: list: fix invalid element address calculation
+  * MINOR: debug: report the task handler's pointer relative to main
+  * BUG/MEDIUM: debug: make the debug_handler check for the thread in 
threads_to_dump
+  * MINOR: haproxy: export main to ease access from debugger
+  * BUG/MINOR: wdt: do not return an error when the watchdog couldn't be 
enabled
+  * DOC: fix incorrect indentation of http_auth_*
+  * OPTIM: startup: fast unique_id allocation for acl.
+  * BUG/MINOR: pattern: Do not pass len = 0 to calloc()
+  * DOC: configuration.txt: fix various typos
+  * DOC: assorted typo fixes in the documentation and Makefile
+  * BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard 
limits
+  * BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
+  * REGTEST: make the PROXY TLV validation depend on version 2.2
+  * MINOR: htx: Add a function to return a block at a specific offset
+  * BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response 
payload
+  * BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the 
payload
+  * BUG/MINOR: http-ana: Reset request analysers on a response side error
+  * BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
+  * BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
+  * BUG/MINOR: http-rules: Fix a typo in the reject action function
+  * BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
+  * BUG/MINOR: rules: Increment be_counters if backend is assigned for a 
silent-drop
+  * DOC: fix typo about no-tls-tickets
+  * DOC: improve description of no-tls-tickets
+  * DOC: ssl: clarify security implications of TLS tickets
+  * BUILD: wdt: only test for SI_TKILL when compiled with thread support
+  * BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
+  * BUG/MINOR: haproxy: always initialize sleeping_thread_mask
+  * BUG/MINOR: listener/mq: do not dispatch connections to remote threads when 
stopping
+  * BUG/MINOR: haproxy/threads: try to make all threads leave together
+  * DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
+  * BUILD: on ARM, must be linked to libatomic.
+  * BUILD: makefile: fix regex syntax in ARM platform detection
+  * BUILD: makefile: fix expression again to detect ARM platform
+  * BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
+  * DOC: assorted typo fixes in the documentation
+  * MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into 
types/signal.h.
+  * BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in 
__signal_process_queue().
+  * MINOR: memory: Change the flush_lock to a spinlock, and don't get it in 
alloc.
+  * BUG/MINOR: connections: Make sure we free the connection on failure.
+  * REGTESTS: use "command -v" instead of "which"
+  * REGTEST: increase timeouts on the seamless-reload test
+  * BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
+  * BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
+  * BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
+  * BUG/MINOR: peers: Use after free of "peers" section.
+  * MINOR: listener: add so_name sample fetch
+  * BUILD: ssl: only pass unsigned chars to isspace()
+  * BUG/MINOR: stats: Fix color of draining servers on stats page
+  * DOC: internals: Fix spelling errors in filters.txt
+  * MINOR: http-rules: Add a flag on redirect rules to know the rule direction
+  * BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
+  * MINOR: http-rules: Handle the rule direction when a redirect is evaluated
+  * BUG/MINOR: filters: Use filter offset to decude the amount of forwarded 
data
+  * BUG/MINOR: filters: Forward everything if no data filters are called
+  * BUG/MINOR: http-ana: Reset request analysers on error when waiting for 
response
+  * BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
+
+2020/02/13 : 2.0.13
+  * BUG/MINOR: checks: refine which errno values are really errors.
+  * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is 
ready.
+  * BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
+  * MINOR: config: disable busy polling on old processes
+  * MINOR: ssl: Remove unused variable "need_out".
+  * BUG/MINOR: h1: Report the right error position when a header value is 
invalid
+  * BUG/MINOR: proxy: Fix input data copy when an error is captured
+  * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied
+  * BUG/MINOR: channel: inject output data at the end of output
+  * BUG/MEDIUM: session: do not report a failure when rejecting a session
+  * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already 
reached
+  * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
+  * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
+  * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
+  * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
+  * REGTEST: mcli/mcli_start_progs: start 2 programs
+  * BUG/MEDIUM: mworker: remain in mworker mode during reload
+  * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
+  * BUG/MAJOR: hashes: fix the signedness of the hash inputs
+  * REGTEST: add sample_fetches/hashes.vtc to validate hashes
+  * BUG/MEDIUM: cli: _getsocks must send the peers sockets
+  * BUG/MINOR: stream: don't mistake match rules for store-request rules
+  * BUG/MEDIUM: connection: add a mux flag to indicate splice usability
+  * BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
+  * BUG/MINOR: cache: Fix leak of cache name in error path
+  * BUG/MINOR: dns: Make dns_query_id_seed unsigned
+  * BUG/MINOR: 51d: Fix bug when HTX is enabled
+  * BUILD: pattern: include errno.h
+  * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all 
filters
+  * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
+  * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during 
parsing
+  * BUG/MINOR: tcp-rules: Fix memory releases on error path during action 
parsing
+  * MINOR: proxy/http-ana: Add support of extra attributes for the cookie 
directive
+  * BUG/MINOR: http_act: don't check capture id in backend
+  * BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
+  * BUG/MINOR: stktable: report the current proxy name in error messages
+  * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but 
"trailers"
+  * BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines
+  * BUG/MINOR: dns: allow srv record weight set to 0
+  * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
+  * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
+  * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
+  * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
+  * BUG/MEDIUM: connections: Don't forget to unlock when killing a connection.
+  * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
+  * MINOR: memory: Only init the pool spinlock once.
+  * BUG/MEDIUM: memory: Add a rwlock before freeing memory.
+  * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty.
+  * BUG/MINOR: ssl: we may only ignore the first 64 errors
+  * CONTRIB: debug: add missing flags SF_HTX and SF_MUX
+  * CONTRIB: debug: add the possibility to decode the value as certain types 
only
+  * CONTRIB: debug: support reporting multiple values at once
+  * MINOR: acl: Warn when an ACL is named 'or'
+  * CONTRIB: debug: also support reading values from stdin
+  * SCRIPTS: announce-release: place the send command in the mail's header
+  * SCRIPTS: announce-release: allow the user to force to overwrite old files
+  * MINOR: build: add linux-glibc-legacy build TARGET
+  * BUG/MINOR: unix: better catch situations where the unix socket path length 
is close to the limit
+  * MINOR: http: add a new "replace-path" action
+  * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
+  * BUG/MINOR: dns: allow 63 char in hostname
+  * BUG/MEDIUM: listener: only consider running threads when resuming listeners
+  * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
+  * BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener
+  * DOC: word converter ignores delimiters at the start or end of input string
+  * BUG/MINOR: tcp: don't try to set defaultmss when value is negative
+  * SCRIPTS: make announce-release executable again
+
+2019/12/21 : 2.0.12
+  * DOC: Improve documentation of http-re(quest|sponse) 
replace-(header|value|uri)
+  * DOC: clarify the fact that replace-uri works on a full URI
+  * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter
+  * BUG/MINOR: sample: always check converters' arguments
+  * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
+  * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
+  * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing
+  * BUG/MEDIUM: ssl: Revamp the way early data are handled.
+  * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute
+  * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the 
same fd
+  * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
+  * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream
+  * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility
+
+2019/12/11 : 2.0.11
+  * BUG/MINOR: stream: init variables when the list is empty
+  * BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones
+  * BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
+  * BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is 
empty
+  * DOC: Clarify behavior of server maxconn in HTTP mode
+  * DOC: clarify matching strings on binary fetches
+  * DOC: move the "group" keyword at the right place
+  * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to 
flush data
+  * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still 
possible
+  * BUG/MEDIUM: listener/thread: fix a race when pausing a listener
+  * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
+  * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
++++ 3555 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:Leap:15.2:Update/.haproxy.16826.new.1899/haproxy.changes
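Review bot: the security entry at the top of this hunk (Thu Aug 12, bsc#1189366) names only the patch file; it does not record the upstream commit it backports, even though the patch header further down in this submission carries the full chain (08f7092fa046b115285bfb0df276a5d1b6d52d37, cherry-picked from b4be735a0a7c4a00bf3d774334763536774d7eea) and the upstream subject "BUG/MAJOR: h2: enforce checks on the method syntax before translating to HTX". Suggest adding the commit id and subject to the entry so the fix can be matched against upstream without opening the patch, and trimming the trailing space after ".patch." on that line.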

New:
----
  _service
  _servicedata
  haproxy-1.6.0-makefile_lib.patch
  haproxy-1.6.0-sec-options.patch
  haproxy-1.6.0_config_haproxy_user.patch
  haproxy-2.0-h2_enforce_checks_on_the_method_syntax_bef.patch
  haproxy-2.0.14.tar.gz
  haproxy-rpmlintrc
  haproxy.cfg
  haproxy.changes
  haproxy.init
  haproxy.spec
  local.usr.sbin.haproxy.apparmor
  usr.sbin.haproxy.apparmor

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ haproxy.spec ++++++
#
# spec file for package haproxy
#
# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
%if 0%{?suse_version} >= 1230
%bcond_without tcp_fast_open
%bcond_without network_namespace
%else
%bcond_with tcp_fast_open
%bcond_with network_namespace
%endif

%if 0%{?suse_version} > 1320
%bcond_without lua
%else
%bcond_with    lua
%endif

%if 0%{?suse_version} >= 1310
%bcond_without systemd
%else
%bcond_with systemd
%endif

%if 0%{?suse_version} > 1140
%bcond_without pcre_jit
%else
%bcond_with pcre_jit
%endif

%bcond_without  apparmor
%if 0%{?suse_version} > 1320
%bcond_without apparmor_reload
%else
%bcond_with    apparmor_reload
%endif

Name:           haproxy
Version:        2.0.14
Release:        0
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%if %{with apparmor}
%if 0%{?suse_version} <= 1315
BuildRequires:  apparmor-profiles
Recommends:     apparmor-profiles
%else
BuildRequires:  apparmor-abstractions
Recommends:     apparmor-abstractions
%endif
%if %{with apparmor_reload}
BuildRequires:  apparmor-rpm-macros
%endif
%endif
BuildRequires:  libgcrypt-devel
%if %{with lua}
BuildRequires:  lua-devel >= 5.3
%endif
BuildRequires:  pcre-devel
BuildRequires:  zlib-devel
BuildRequires:  openssl-devel
BuildRequires:  pkg-config
BuildRequires:  udev
%if %{with systemd}
BuildRequires:  pkgconfig(systemd)
BuildRequires:  pkgconfig(libsystemd)
%endif
BuildRequires:  vim
%define pkg_name haproxy
%define pkg_home /var/lib/%{pkg_name}
#
Url:            http://www.haproxy.org/
#               source URL in _service file
Source:         haproxy-%{version}.tar.gz
Source1:        %{pkg_name}.init
Source2:        usr.sbin.haproxy.apparmor
Source3:        local.usr.sbin.haproxy.apparmor
Source4:        haproxy.cfg
Patch1:         haproxy-1.6.0_config_haproxy_user.patch
Patch2:         haproxy-1.6.0-makefile_lib.patch
Patch3:         haproxy-1.6.0-sec-options.patch
Patch4:         haproxy-2.0-h2_enforce_checks_on_the_method_syntax_bef.patch

#
Source99:       haproxy-rpmlintrc
#
Summary:        The Reliable, High Performance TCP/HTTP Load Balancer
License:        GPL-3.0+ and LGPL-2.1+
Group:          Productivity/Networking/Web/Proxy
Provides:       %{name}-doc = %{version}
Obsoletes:      %{name}-doc < %{version}
Provides:       haproxy-1.5 = %{version}
Obsoletes:      haproxy-1.5 < %{version}
# this requires is not strictly needed. we only need it for the ownership of the vim data dir
Requires:       vim
%if %{with systemd}
%{?systemd_requires}
%endif
%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)}

%description
HAProxy implements an event-driven, mono-process model which enables support
for very high number of simultaneous connections at very high speeds.
Multi-process or multi-threaded models can rarely cope with thousands of
connections because of memory limits, system scheduler limits, and lock
contention everywhere. Event-driven models do not have these problems because
implementing all the tasks in user-space allows a finer resource and time
management. The down side is that those programs generally don't scale well on
multi-processor systems. That's the reason why they must be optimized to get
the most work done from every CPU cycle.

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1

%build
make \
    TARGET=linux-glibc \
    CPU="%{_target_cpu}" \
    USE_PCRE=1 \
    %if %{with pcre_jit}
    USE_PCRE_JIT=1 \
    %endif
    USE_PTHREAD_PSHARED=1 \
    %ifarch %ix86
    USE_REGPARM=1 \
    %endif
    USE_GETADDRINFO=1 \
    USE_OPENSSL=1 \
    %if %{with lua}
    USE_LUA=1 \
    %endif
    USE_ZLIB=1 \
    %if %{with tcp_fast_open}
    USE_TFO=1 \
    %endif
    %if %{with network_namespace}
    USE_NS=1 \
    %endif
%if %{with systemd}
    USE_SYSTEMD=1 \
%endif
    USE_PIE=1 \
    USE_STACKPROTECTOR=1 \
    USE_RELRO_NOW=1 \
    LIB="%{_lib}" \
    PREFIX="%{_prefix}" \
    EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o" \
    DEBUG_CFLAGS="%{optflags}" V=1
%if %{with systemd}
make -C contrib/systemd  PREFIX="%{_prefix}"
%endif
make -C contrib/halog    PREFIX="%{_prefix}" \
    DEFINE="%{optflags} -pie -fpie -fstack-protector -Wl,-z,relro,-z,now"

%install
install -D -m 0755 %{pkg_name}         %{buildroot}%{_sbindir}/%{pkg_name}
install -d -m 0750                     %{buildroot}%{_sysconfdir}/%{pkg_name}/
install    -m 0640 %{S:4}              %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg

install -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog

%if %{with systemd}
install -D -m 0644 contrib/systemd/%{pkg_name}.service  %{buildroot}%{_unitdir}/%{pkg_name}.service
ln -sf /sbin/service   %{buildroot}%{_sbindir}/rc%{pkg_name}
%else
install -D -m 0755 %{S:1}                      %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
%endif

install -d -m 0750                          %{buildroot}%{pkg_home}
install -D -m 0644 contrib/syntax-highlight/haproxy.vim     %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim
install -D -m 0644 doc/%{pkg_name}.1        %{buildroot}%{_mandir}/man1/%{pkg_name}.1
%if %{with apparmor}
install -D -m 0644 %{S:2}                   %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
%endif

rm examples/*init*

%pre
getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name}
getent passwd %{pkg_name} >/dev/null || \
        /usr/sbin/useradd  -g %{pkg_name} -s /bin/false -r \
        -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name}

%if %{with systemd}
%service_add_pre %{pkg_name}.service

%post
%if %{with apparmor} && %{with apparmor_reload}
%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
%endif
%service_add_post %{pkg_name}.service

%preun
%service_del_preun %{pkg_name}.service

%postun
%service_del_postun %{pkg_name}.service

%else

%post
%fillup_and_insserv %{pkg_name}
%if %{with apparmor} && %{with apparmor_reload}
%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
%endif

%preun
%stop_on_removal %{pkg_name}

%postun
%restart_on_update %{pkg_name}
%{insserv_cleanup}

%endif

%files
%defattr(-,root,root,-)
%license LICENSE
%doc CHANGELOG README
%doc ROADMAP doc/* examples/
%doc contrib/netsnmp-perl/ contrib/selinux/
%dir               %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
%config(noreplace) %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}/*
%if %{with systemd}
%{_unitdir}/%{pkg_name}.service
%else
%config(noreplace) %{_sysconfdir}/init.d/%{pkg_name}
%endif
%{_sbindir}/haproxy
%{_sbindir}/haproxy-halog
%{_sbindir}/rchaproxy
%dir %attr(-,root,haproxy) %{pkg_home}
%{_mandir}/man1/%{pkg_name}.1.gz
%{vim_data_dir}/syntax/%{pkg_name}.vim
%if %{with apparmor}
%if 0%{?suse_version} == 1110
%dir /etc/apparmor.d/local/
%endif
%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy
%config(noreplace) /etc/apparmor.d/local/usr.sbin.haproxy
%endif

%changelog
++++++ _service ++++++
<services>
  <service name="tar_scm" mode="disabled">
    <param name="url">http://git.haproxy.org/git/haproxy-2.0.git</param>
    <param name="scm">git</param>
    <param name="filename">haproxy</param>
    <param name="versionformat">2.0.14</param>
    <param name="revision">v2.0.14</param>
    <param name="changesgenerate">enable</param>
  </service>

  <service name="recompress" mode="disabled">
    <param name="file">haproxy*.tar</param>
    <param name="compression">gz</param>
  </service>

  <service name="set_version" mode="disabled">
    <param name="basename">haproxy</param>
  </service>
</services>
++++++ _servicedata ++++++
<servicedata>
  <service name="tar_scm">
    <param name="url">http://git.haproxy.org/git/haproxy-2.0.git</param>
    <param name="changesrevision">396d200d414baff193e51d5fa5c8c9fe87ee12ad</param>
  </service>
</servicedata>
++++++ haproxy-1.6.0-makefile_lib.patch ++++++
diff --git a/Makefile b/Makefile
index d62fead7..33fa6338 100644
--- a/Makefile
+++ b/Makefile
@@ -619,7 +619,7 @@ PCRE_CONFIG         := pcre-config
 PCREDIR                := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo 
/usr/local)
 ifneq ($(PCREDIR),)
 PCRE_INC        := $(PCREDIR)/include
-PCRE_LIB        := $(PCREDIR)/lib
+PCRE_LIB        := $(PCREDIR)/$(LIB)
 endif
 
 ifeq ($(USE_STATIC_PCRE),)
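Review bot: `$(LIB)` has no default anywhere in this hunk, so a build that does not pass LIB= on the make command line (the spec does, with LIB="%{_lib}") now sets PCRE_LIB to `$(PCREDIR)/` instead of upstream's `$(PCREDIR)/lib`. Suggest adding `LIB ?= lib` just above the `ifneq ($(PCREDIR),)` block so the patched Makefile keeps upstream behaviour when built outside the spec.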
@@ -638,7 +638,7 @@ PCRE2_CONFIG        := pcre2-config
 PCRE2DIR       := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo 
/usr/local)
 ifneq ($(PCRE2DIR),)
 PCRE2_INC       := $(PCRE2DIR)/include
-PCRE2_LIB       := $(PCRE2DIR)/lib
+PCRE2_LIB       := $(PCRE2DIR)/$(LIB)
 
 ifeq ($(PCRE2_WIDTH),)
 PCRE2_WIDTH    = 8
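Review bot: same point as for PCRE_LIB above: PCRE2_LIB now depends on the caller setting LIB, and the single `LIB ?= lib` default would cover both blocks. Note also that the spec builds with USE_PCRE=1 and never sets USE_PCRE2, so this half of the patch is carried but not exercised by the package build.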
++++++ haproxy-1.6.0-sec-options.patch ++++++
commit 88413472b09e2ecd4ad2b4a00992184c14d5723c
Author: Kristoffer Gronlund <kgronl...@suse.com>
Date:   Mon Jun 17 13:00:08 2019 +0000

    SUSE: Makefile sec options

diff --git a/Makefile b/Makefile
index 33fa6338..3777ad6d 100644
--- a/Makefile
+++ b/Makefile
@@ -675,6 +675,35 @@ endif
 endif
 endif
 
+# PIE
+ifneq ($(USE_PIE),)
+OPTIONS_CFLAGS  += -DUSE_PIE
+BUILD_OPTIONS   += $(call ignore_implicit,USE_PIE)
+OPTIONS_LDFLAGS += -pie
+# still need to figure out how to express this conditional in the makefile
+# %ifarch s390 s390x %sparc
+# PIEFLAGS="-fPIE"
+# %else
+# PIEFLAGS="-fpie"
+# %endif
+# PIE_FLAGS.s390 = -fPIE
+# PIE_FLAGS.i386 = -fpie
+# SEC_FLAGS     += $(PIE_FLAGS.$(ARCH))
+OPTIONS_CFLAGS  += -fpie
+endif
+
+ifneq ($(USE_STACKPROTECTOR),)
+OPTIONS_CFLAGS  += -DUSE_STACKPROTECTOR
+BUILD_OPTIONS   += $(call ignore_implicit,USE_STACKPROTECTOR)
+OPTIONS_CFLAGS  += -fstack-protector
+endif
+
+ifneq ($(USE_RELRO_NOW),)
+OPTIONS_CFLAGS  += -DUSE_RELRO_NOW
+BUILD_OPTIONS   += $(call ignore_implicit,USE_RELRO_NOW)
+OPTIONS_LDFLAGS += -Wl,-z,relro,-z,now
+endif
+
 # This one can be changed to look for ebtree files in an external directory
 EBTREE_DIR := ebtree
 
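Review bot: the commented-out block in the USE_PIE section leaves the -fPIE vs -fpie question unresolved while the live line unconditionally emits `-fpie`; on the architectures the comment itself names (s390, s390x, sparc) -fpie can fail to link larger objects, whereas -fPIE works everywhere at negligible cost, so suggest dropping the dead comment and using `OPTIONS_CFLAGS += -fPIE`. Separately, `-fstack-protector` only instruments functions with character arrays; `-fstack-protector-strong` (gcc 4.9 and later) also covers functions with any local array or address-taken local and is what most distributions default to, so consider it for USE_STACKPROTECTOR. The `-DUSE_PIE`, `-DUSE_STACKPROTECTOR` and `-DUSE_RELRO_NOW` defines are not referenced by anything in this hunk; if their only purpose is to surface the options in the build-options string, the `BUILD_OPTIONS += $(call ignore_implicit,...)` lines already do that.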
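To confirm that USE_PIE, USE_STACKPROTECTOR and USE_RELRO_NOW in the patch above actually reached the binary (the spec enables all three in %build), here is an added checker that is not part of the package or of HAProxy. It reads the ELF headers directly rather than shelling out to readelf; it assumes a little-endian ELF64 file, and it treats any `__stack_chk_fail` string in the file as evidence of -fstack-protector, which is a heuristic rather than symbol-table parsing. `build_minimal_elf` produces a constructed, non-runnable sample image so the checker can be exercised offline; on an installed system point it at /usr/sbin/haproxy.

```python
import struct
import sys

# ELF constants as defined in elf.h. Only little-endian ELF64 is handled.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# struct formats: ELF header fields after the 16-byte e_ident, a program header, a dynamic entry
EHDR_FMT, PHDR_FMT, DYN_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def check_hardening(data: bytes) -> dict:
    """Report what the three USE_* options should have produced.
    pie    -> e_type == ET_DYN (also true for shared objects, so only meaningful on an executable)
    relro  -> PT_GNU_RELRO segment present; 'full' additionally needs BIND_NOW in .dynamic
    canary -> '__stack_chk_fail' string present (heuristic: the symbol lives in .dynstr)
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = struct.unpack_from(EHDR_FMT, data, 16)
    relro, dyn_off, dyn_size = False, None, 0
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_off, p_filesz
    bind_now = False
    if dyn_off is not None:
        # Walk .dynamic until DT_NULL; -Wl,-z,now shows up as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return {
        "pie": e_type == ET_DYN,
        "relro": "full" if relro and bind_now else ("partial" if relro else "none"),
        "canary": b"__stack_chk_fail\0" in data,
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_minimal_elf(pie: bool, relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Constructed sample input: an ELF64 image with only the headers the checker
    inspects (no code, no sections). It cannot be executed; it exists to test the checker."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0"
    n_ph = 2 if relro else 1
    ph_off, ph_size = 64, 56
    dyn_off = ph_off + n_ph * ph_size              # .dynamic follows the program headers
    phdrs = [struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9      # ELF64, little-endian, version 1, SysV ABI
    ehdr = ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0, ph_off, 0, 0, 64, ph_size, n_ph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes + strtab


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # e.g. python3 check_hardening.py /usr/sbin/haproxy
        print(sys.argv[1], check_file(sys.argv[1]))
    else:
        print("hardened sample:  ", check_hardening(build_minimal_elf(True, True, True, True)))
        print("unhardened sample:", check_hardening(build_minimal_elf(False, False, False, False)))
```

A binary built with the spec's flags should report pie True, relro "full" and canary True; "partial" means -z relro was applied without -z now, which is exactly the case the USE_RELRO_NOW option is meant to rule out.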
++++++ haproxy-1.6.0_config_haproxy_user.patch ++++++
Index: haproxy-1.6.0/examples/acl-content-sw.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/acl-content-sw.cfg
+++ haproxy-1.6.0/examples/acl-content-sw.cfg
@@ -5,9 +5,9 @@ global
        log        loghost   local0
        log        localhost local0 err
        maxconn    250
-       uid        71
-       gid        71
-       chroot     /var/empty
+       user    haproxy
+       group   haproxy
+       chroot     /var/lib/haproxy
        pidfile    /var/run/haproxy.pid
        daemon
        quiet
 
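Review bot: the chroot target moves from /var/empty to /var/lib/haproxy, which the spec in this submission also uses as pkg_home, the haproxy user's home, installed with mode 0750 and owner root:haproxy; that only works as a jail while the directory stays non-writable by the haproxy user, so the example should not be read as a hint to chown it, and the spec's attr should not be loosened. Also the replaced lines mix alignment (`user    haproxy` next to `chroot     /var/lib/haproxy`); align them with the surrounding keys.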
Index: haproxy-1.6.0/examples/content-sw-sample.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/content-sw-sample.cfg
+++ haproxy-1.6.0/examples/content-sw-sample.cfg
@@ -11,9 +11,9 @@ global
         maxconn         10000
         stats socket    /var/run/haproxy.stat mode 600 level admin
         log             127.0.0.1 local0
-        uid             200
-        gid             200
-        chroot          /var/empty
+        user   haproxy
+        group  haproxy
+        chroot    /var/lib/haproxy
         daemon
 
 # The public 'www' address in the DMZ
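Review bot: same chroot ownership note as the previous hunk; in addition the added lines (`user   haproxy`, `group  haproxy`, `chroot    /var/lib/haproxy`) use three different widths while the lines they replace were aligned to the same column as `maxconn` and `log`, so the example now reads as if it were hand-edited. Keep the column alignment.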
Index: haproxy-1.6.0/examples/option-http_proxy.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/option-http_proxy.cfg
+++ haproxy-1.6.0/examples/option-http_proxy.cfg
@@ -6,9 +6,9 @@ global
         maxconn         20000
        ulimit-n        16384
         log             127.0.0.1 local0
-        uid             200
-        gid             200
-        chroot          /var/empty
+       chroot /var/lib/haproxy
+       user haproxy
+       group haproxy
        nbproc          4
         daemon
 
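Review bot: this hunk indents the three added lines with a tab while the neighbouring `maxconn`, `log` and `daemon` lines use spaces, and it orders chroot before user/group whereas the other three examples in this patch put chroot last; keep whitespace and ordering consistent across the four files so a diff between examples only shows real differences.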
Index: haproxy-1.6.0/examples/transparent_proxy.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/transparent_proxy.cfg
+++ haproxy-1.6.0/examples/transparent_proxy.cfg
@@ -6,6 +6,10 @@
 #
 
 global
+       chroot /var/lib/haproxy
+       user haproxy
+       group haproxy
+
 defaults
        timeout client          30s
        timeout server          30s
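Review bot: the global section here was empty before the patch, so unlike the other three examples this one ends up with chroot/user/group but no `log`, `maxconn` or `daemon`; that is acceptable for a transparent-proxy sample, but a one-line comment saying the section is intentionally minimal would stop readers from copying a global section with no logging. The trailing `+` blank line keeping `defaults` separated is fine.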
++++++ haproxy-2.0-h2_enforce_checks_on_the_method_syntax_bef.patch ++++++
From 08f7092fa046b115285bfb0df276a5d1b6d52d37 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w...@1wt.eu>
Date: Wed, 11 Aug 2021 11:12:46 +0200
Subject: BUG/MAJOR: h2: enforce checks on the method syntax before translating
 to HTX
MIME-Version: 1.0
Content-Type: text/plain; charset=latin1
Content-Transfer-Encoding: 8bit

The situation with message components in H2 is always troubling. They're
produced by the HPACK layer which contains a dictionary of well-known
hardcoded values, yet wants to remain binary transparent and protocol-
agnostic with HTTP just being one user, yet at the H2 layer we're
supposed to enforce some checks on some selected pseudo-headers that
come from internal constants... The :method pseudo-header is no exception
and is not tested when coming from the HPACK layer. This makes it possible
to pass random chars into methods, that can be serialized on another H2
connection (where they would not harm), or worse, on an H1 connection
where they can be used to transform the forwarded request. This is
similar to the request line injection described here:

   https://portswigger.net/research/http2

A workaround here is to reject malformed methods by placing this rule
in the frontend or backend, at least before leaving haproxy in H1:

   http-request reject if { method -m reg [^A-Z0-9] }

Alternately H2 may be globally disabled by commenting out the "alpn"
directive on "bind" lines, and by rejecting H2 streams creation by
adding the following statement to the global section:

   tune.h2.max-concurrent-streams 0

This patch adds a check for each character of the method to be part of
the ones permitted in a token, as mentioned in RFC7231#4.1. This should
be backported to versions 2.0 and above, maybe even 1.8. For older
versions not having HTX_FL_PARSING_ERROR, a "goto fail" works as well
as it results in a protocol error at the stream level. Non-HTX versions
were initially thought to be safe but must be carefully rechecked since
they transcode the request into H1 before processing it.

Thanks to Tim Düsterhus for reporting that one.

(cherry picked from commit b4be735a0a7c4a00bf3d774334763536774d7eea)
Signed-off-by: Willy Tarreau <w...@1wt.eu>
(cherry picked from commit 6b827f661374704e91322a82197bbfbfbf910f70)
[wt: adapted since no meth_sl in 2.3]
Signed-off-by: Willy Tarreau <w...@1wt.eu>
(cherry picked from commit fbeb053d1a83faedbf3edbe04bde39bc7304cddd)
Signed-off-by: Willy Tarreau <w...@1wt.eu>
(cherry picked from commit c91c37a122784de872b79ec6832fe8a9cfe675e0)
[wt: context adjustment; non-htx is safe since nul/cr/lf forbidden
     in any header, and other invalid chars blocked by H1 parser]
Signed-off-by: Willy Tarreau <w...@1wt.eu>
---
 src/h2.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/h2.c b/src/h2.c
index 719b1743b..bfc0bdafe 100644
--- a/src/h2.c
+++ b/src/h2.c
@@ -571,6 +571,14 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t 
fields, struct ist *phdr,
                }
        }
 
+       /* The method is a non-empty token (RFC7231#4.1) */
+       if (!phdr[H2_PHDR_IDX_METH].len)
+               goto fail;
+       for (i = 0; i < phdr[H2_PHDR_IDX_METH].len; i++) {
+               if (!HTTP_IS_TOKEN(phdr[H2_PHDR_IDX_METH].ptr[i]))
+                       htx->flags |= HTX_FL_PARSING_ERROR;
+       }
+
        /* 7540#8.1.2.3: :path must not be empty */
        if (!phdr[uri_idx].len)
                goto fail;
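Review bot: the two new checks treat protocol violations differently: an empty method does `goto fail`, while an invalid character only sets HTX_FL_PARSING_ERROR and keeps scanning the remaining bytes. A `break` after setting the flag would avoid the pointless rest of the loop, and a short comment on why the flag is preferred over `goto fail` here would help the next backporter (the commit message says `goto fail` is the equivalent on versions without HTX_FL_PARSING_ERROR). `i` is not declared in this hunk, so the loop relies on an existing variable in h2_prepare_htx_reqline(). Since the check sits just before the existing `:path must not be empty` test, a regtest sending a :method containing a space or CR/LF and confirming the stream is refused would pin the behaviour down.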
-- 
2.28.0
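The commit message above describes the problem in prose; here is an added, self-contained illustration in Python that is not HAProxy code and not from the package. `is_token` mirrors the per-byte token check the patch adds, `h2_to_h1` shows what a proxy emits on an HTTP/1.1 backend connection before and after that check, and `workaround_rejects` is the `method -m reg [^A-Z0-9]` ACL from the commit message, to show it is stricter than the token rule. The `SMUGGLED` and `BENIGN` pseudo-header sets and the host name backend.example are constructed sample inputs.

```python
import re
from typing import Dict, Optional

# RFC 7230 section 3.2.6 "tchar": the only bytes allowed in a method name.
# This is the set the patch's HTTP_IS_TOKEN() loop enforces on :method.
TCHAR = frozenset(b"!#$%&'*+-.^_`|~"
                  b"0123456789"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  b"abcdefghijklmnopqrstuvwxyz")

# The commit message's workaround: http-request reject if { method -m reg [^A-Z0-9] }
WORKAROUND_RE = re.compile(rb"[^A-Z0-9]")


def is_token(value: bytes) -> bool:
    """True if value is a non-empty RFC 7230 token (what the patch requires of :method)."""
    return len(value) > 0 and all(b in TCHAR for b in value)


def workaround_rejects(method: bytes) -> bool:
    """True if the ACL workaround would reject this method. It is stricter than the
    token rule: lowercase letters and tchar punctuation such as '-' are rejected too,
    so an extension method like M-SEARCH is blocked along with the malicious ones."""
    return WORKAROUND_RE.search(method) is not None


def h2_to_h1(pseudo: Dict[bytes, bytes], strict: bool = True) -> Optional[bytes]:
    """Re-serialise H2 pseudo-headers as an HTTP/1.1 request head, as a proxy does
    when the backend connection is H1.
    strict=True  -> post-patch: a non-token :method is rejected (returns None).
    strict=False -> pre-patch: the :method bytes are copied verbatim into the request line.
    """
    method = pseudo[b":method"]
    if strict and not is_token(method):
        return None
    return b"%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (
        method, pseudo[b":path"], pseudo[b":authority"])


def request_lines(head: bytes) -> list:
    """Split a serialised head into the lines an H1 backend parser would see."""
    return head.split(b"\r\n")


# Constructed sample: the client's :method is itself a full request line plus an
# extra header. HPACK is binary-transparent, so these bytes reach the proxy intact.
SMUGGLED = {
    b":method": b"GET /admin HTTP/1.1\r\nX-Smuggled: 1\r\nGET",
    b":path": b"/public",
    b":authority": b"backend.example",   # constructed host name
    b":scheme": b"https",
}
# Constructed sample with a legitimate extension method that the ACL workaround still rejects.
BENIGN = {b":method": b"M-SEARCH", b":path": b"/", b":authority": b"backend.example", b":scheme": b"https"}


if __name__ == "__main__":
    print("pre-patch, the H1 backend parses:")
    for line in request_lines(h2_to_h1(SMUGGLED, strict=False)):
        print("   ", line)
    print("post-patch:", h2_to_h1(SMUGGLED))
    print("ACL workaround rejects M-SEARCH:", workaround_rejects(BENIGN[b":method"]))
```

Pre-patch, the backend's first line is `GET /admin HTTP/1.1` followed by the injected `X-Smuggled: 1` header, and the proxy's own `GET /public HTTP/1.1` line is demoted to what looks like a second request; post-patch the stream is refused before anything is serialised. The ACL workaround stops the same input but also drops `M-SEARCH`, which is why the commit message presents it as a stopgap rather than a replacement for the token check.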

++++++ haproxy-rpmlintrc ++++++
addFilter('wrong-file-end-of-line-encoding .*/examples/errorfiles/.*\.http$')
addFilter('file-contains-current-date /usr/share/doc/packages/haproxy/examples/haproxy.spec')
++++++ haproxy.cfg ++++++
global
  log /dev/log daemon
  maxconn 32768
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon
  stats socket /var/lib/haproxy/stats user haproxy group haproxy mode 0640 level operator
  tune.bufsize 32768
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

defaults
  log     global
  mode    http
  option  log-health-checks
  option  log-separate-errors
  option  dontlog-normal
  option  dontlognull
  option  httplog
  option  socket-stats
  retries 3
  option  redispatch
  maxconn 10000
  timeout connect     5s
  timeout client     50s
  timeout server    450s

listen stats
  bind 0.0.0.0:80
  bind :::80 v6only
  stats enable
  stats uri     /
  stats refresh 5s
  rspadd Server:\ haproxy/2.0
++++++ haproxy.init ++++++
#!/bin/sh
#
### BEGIN INIT INFO
# Provides:          haproxy
# Required-Start:    $syslog $remote_fs
# Should-Start: $time ypbind sendmail
# Required-Stop:     $syslog $remote_fs
# Should-Stop: $time ypbind sendmail
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: haproxy
# Description:       Start haproxy, a reliable, high performance TCP/HTTP load balancer
### END INIT INFO
# 
# Any extensions to the keywords given above should be preceded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
# 
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
#    and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
#     which services absolutely need to be started to make the start of
#     this service make sense. Example: nfsserver should have
#     Required-Start: $portmap
#     Also, required services are started before the dependent ones.
#     The runlevel editor will warn about such missing hard dependencies
#     and suggest enabling. During system startup, you may expect an error,
#     if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
#     This is needed by insserv to determine which service should be
#     started first (and at a later stage what services can be started
#     in parallel). The tag Should-Start: is used for this.
#     It tells, that if a service is available, it should be started
#     before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can 
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a $. The following ones are available
#   according to LSB (1.1):
#       $local_fs               all local file systems are mounted
#                               (most services should need this!)
#       $remote_fs              all remote file systems are mounted
#                               (note that /usr may be remote, so
#                                many services should Require this!)
#       $syslog                 system logging facility up
#       $network                low level networking (eth card, ...)
#       $named                  hostname resolution available
#       $netdaemons             all network daemons are running
#   The $netdaemons pseudo service has been removed in LSB 1.2.
#   For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#       $time                   the system time has been set correctly  
#       $portmap                SunRPC portmapping service available
#   UnitedLinux extensions:
#       $ALL                    indicates that a script should be inserted
#                               at the end
# * The services specified in the stop tags 
#   (Required-Stop/Should-Stop)
#   specify which services need to be still running when this service
#   is shut down. Often the entries there are just copies or a subset 
#   from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
#   insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
#   a startup script should default to be enabled after installation.
#   It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff                     6 - reboot
# 1 - single user                       2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)
# 
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
HAPROXY_BIN=/usr/sbin/haproxy
test -x $HAPROXY_BIN || { echo "$HAPROXY_BIN not installed"; 
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }
HAPROXY_PID="/var/run/haproxy.pid"
HAPROXY_CONF="/etc/haproxy/haproxy.cfg"
## Check for existence of needed config file and read it
#HAPROXY_CONFIG=/etc/sysconfig/haproxy
#test -r $HAPROXY_CONFIG || { echo "$HAPROXY_CONFIG not existing";
#       if [ "$1" = "stop" ]; then exit 0;
#       else exit 6; fi; }
#
## Read config  
#. $HAPROXY_CONFIG

# Source LSB init functions
# providing start_daemon, killproc, pidofproc, 
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
# 
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

# Validate the configuration file before touching the running service.
# haproxy -c -q exits non-zero on a syntax or semantic error; its
# diagnostics are captured and echoed to stderr so the caller sees why.
haproxy_check() {
        HAPROXY_CONFIG_CHECK="$($HAPROXY_BIN -c -q -f $HAPROXY_CONF 2>&1)"
        if [ $? -ne 0 ] ; then
                echo "" >&2
                echo "$HAPROXY_CONFIG_CHECK" >&2
                rc_failed
                rc_status -v
                exit 1
        else
                return 0
        fi
}

case "$1" in
    start)
        echo -n "Starting haproxy "
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        haproxy_check
        /sbin/startproc $HAPROXY_BIN -D -f $HAPROXY_CONF -p $HAPROXY_PID
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down haproxy "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.

        /sbin/killproc -TERM $HAPROXY_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                # we use reload here for a graceful restart during update
                $0 reload
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        haproxy_check
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    check)
        ## Only validate the configuration file; the running
        ## service is left untouched.
        echo -n "Checking config of haproxy "
        haproxy_check
        rc_status -v
        ;;
    reload|force-reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)
        haproxy_check
        # If it supports signaling:
        echo -n "Reload service haproxy "
        $HAPROXY_BIN -p $HAPROXY_PID -D -f $HAPROXY_CONF -sf $(cat $HAPROXY_PID)
        rc_status -v
        ;;
    status)
        echo -n "Checking for service haproxy "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        /sbin/checkproc -p $HAPROXY_PID $HAPROXY_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test $HAPROXY_CONF -nt $HAPROXY_PID && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|check|probe}"
        exit 1
        ;;
esac
rc_exit
++++++ local.usr.sbin.haproxy.apparmor ++++++
# Site-specific additions and overrides for usr.sbin.haproxy.apparmor
++++++ usr.sbin.haproxy.apparmor ++++++
#include <tunables/global>

/usr/sbin/haproxy {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability kill,
  capability sys_resource,
  capability sys_chroot,

  # those are needed for the stats socket creation
  capability chown,
  capability fowner,
  capability fsetid,

  network inet  tcp,
  network inet6 tcp,

  /etc/haproxy/* r, 

  /usr/sbin/haproxy rmix,

  /var/lib/haproxy/stats rwl,
  /var/lib/haproxy/stats.*.bak rwl,
  /var/lib/haproxy/stats.*.tmp rwl,
  /{,var/}run/haproxy.pid rw,
  /{,var/}run/haproxy-master.sock* rwlk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.haproxy>
}
