Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2015-07-05 18:03:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2015-06-30 10:19:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2015-07-05 18:03:15.000000000 +0200 @@ -1,0 +2,7 @@ +Fri Jul 3 16:37:55 UTC 2015 - kgronl...@suse.com + +- Update to 1.5.14 (CVE-2015-3281) (bsc#937042) + + BUILD/MINOR: tools: rename popcount to my_popcountl + + BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data + +------------------------------------------------------------------- Old: ---- haproxy-1.5.13.tar.gz New: ---- haproxy-1.5.14.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.zNURpP/_old 2015-07-05 18:03:15.000000000 +0200 +++ /var/tmp/diff_new_pack.zNURpP/_new 2015-07-05 18:03:15.000000000 +0200 @@ -33,7 +33,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.5.13 +Version: 1.5.14 Release: 0 # # ++++++ haproxy-1.5.13.tar.gz -> haproxy-1.5.14.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/CHANGELOG new/haproxy-1.5.14/CHANGELOG --- old/haproxy-1.5.13/CHANGELOG 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/CHANGELOG 2015-07-03 17:35:11.000000000 +0200 @@ -1,6 +1,10 @@ ChangeLog : =========== +2015/07/03 : 1.5.14 + - BUILD/MINOR: tools: rename popcount to my_popcountl + - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data + 2015/06/26 : 1.5.13 - BUG/MINOR: check: fix tcpcheck error message - CLEANUP: deinit: remove codes for cleaning p->block_rules diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/README new/haproxy-1.5.14/README --- old/haproxy-1.5.13/README 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/README 2015-07-03 17:35:11.000000000 +0200 
@@ -1,9 +1,9 @@ ---------------------- HAProxy how-to ---------------------- - version 1.5.13 + version 1.5.14 willy tarreau - 2015/06/26 + 2015/07/02 1) How to build it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/VERDATE new/haproxy-1.5.14/VERDATE --- old/haproxy-1.5.13/VERDATE 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/VERDATE 2015-07-03 17:35:11.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2015/06/23 +2015/07/02 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/VERSION new/haproxy-1.5.14/VERSION --- old/haproxy-1.5.13/VERSION 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/VERSION 2015-07-03 17:35:11.000000000 +0200 @@ -1 +1 @@ -1.5.13 +1.5.14 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/doc/configuration.txt new/haproxy-1.5.14/doc/configuration.txt --- old/haproxy-1.5.13/doc/configuration.txt 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/doc/configuration.txt 2015-07-03 17:35:11.000000000 +0200 @@ -2,9 +2,9 @@ HAProxy Configuration Manual ---------------------- - version 1.5.13 + version 1.5.14 willy tarreau - 2015/06/26 + 2015/07/02 This document covers the configuration language as implemented in the version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/examples/haproxy.spec new/haproxy-1.5.14/examples/haproxy.spec --- old/haproxy-1.5.13/examples/haproxy.spec 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/examples/haproxy.spec 2015-07-03 17:35:11.000000000 +0200 @@ -1,6 +1,6 @@ Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments Name: haproxy -Version: 1.5.13 +Version: 1.5.14 Release: 1 License: GPL Group: System Environment/Daemons 
@@ -76,6 +76,9 @@ %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name} %changelog +* Fri Jul 3 2015 Willy Tarreau <w...@1wt.eu> +- updated to 1.5.14 + * Fri Jun 26 2015 Willy Tarreau <w...@1wt.eu> - updated to 1.5.13 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/include/common/standard.h new/haproxy-1.5.14/include/common/standard.h --- old/haproxy-1.5.13/include/common/standard.h 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/include/common/standard.h 2015-07-03 17:35:11.000000000 +0200 @@ -565,8 +565,8 @@ return result; } -/* Simple popcount implementation. It returns the number of ones in a word */ -static inline unsigned int popcount(unsigned long a) +/* Simple popcountl implementation. It returns the number of ones in a word */ +static inline unsigned int my_popcountl(unsigned long a) { unsigned int cnt; for (cnt = 0; a; a >>= 1) { @@ -576,7 +576,7 @@ return cnt; } -/* Build a word with the <bits> lower bits set (reverse of popcount) */ +/* Build a word with the <bits> lower bits set (reverse of my_popcountl) */ static inline unsigned long nbits(int bits) { if (--bits < 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/src/buffer.c new/haproxy-1.5.14/src/buffer.c --- old/haproxy-1.5.13/src/buffer.c 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/src/buffer.c 2015-07-03 17:35:11.000000000 +0200 
@@ -107,30 +107,39 @@ return delta; } -/* This function realigns input data in a possibly wrapping buffer so that it - * becomes contiguous and starts at the beginning of the buffer area. The - * function may only be used when the buffer's output is empty. +/* This function realigns a possibly wrapping buffer so that the input part is + * contiguous and starts at the beginning of the buffer and the output part + * ends at the end of the buffer. This provides the best conditions since it + * allows the largest inputs to be processed at once and ensures that once the + * output data leaves, the whole buffer is available at once. */ void buffer_slow_realign(struct buffer *buf) { - /* two possible cases : - * - the buffer is in one contiguous block, we move it in-place - * - the buffer is in two blocks, we move it via the swap_buffer - */ - if (buf->i) { - int block1 = buf->i; - int block2 = 0; - if (buf->p + buf->i > buf->data + buf->size) { - /* non-contiguous block */ - block1 = buf->data + buf->size - buf->p; - block2 = buf->p + buf->i - (buf->data + buf->size); - } - if (block2) - memcpy(swap_buffer, buf->data, block2); - memmove(buf->data, buf->p, block1); - if (block2) - memcpy(buf->data + block1, swap_buffer, block2); + int block1 = buf->o; + int block2 = 0; + + /* process output data in two steps to cover wrapping */ + if (block1 > buf->p - buf->data) { + block2 = buf->p - buf->data; + block1 -= block2; } + memcpy(swap_buffer + buf->size - buf->o, bo_ptr(buf), block1); + memcpy(swap_buffer + buf->size - block2, buf->data, block2); + + /* process input data in two steps to cover wrapping */ + block1 = buf->i; + block2 = 0; + + if (block1 > buf->data + buf->size - buf->p) { + block1 = buf->data + buf->size - buf->p; + block2 = buf->i - block1; + } + memcpy(swap_buffer, bi_ptr(buf), block1); + memcpy(swap_buffer + block1, buf->data, block2); + + /* reinject changes into the buffer */ + memcpy(buf->data, swap_buffer, buf->i); + memcpy(buf->data + buf->size - 
buf->o, swap_buffer + buf->size - buf->o, buf->o); buf->p = buf->data; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/src/cfgparse.c new/haproxy-1.5.14/src/cfgparse.c --- old/haproxy-1.5.13/src/cfgparse.c 2015-06-26 12:20:45.000000000 +0200 +++ new/haproxy-1.5.14/src/cfgparse.c 2015-07-03 17:35:11.000000000 +0200 @@ -6130,7 +6130,7 @@ /* an explicit bind-process was specified, let's check how many * processes remain. */ - nbproc = popcount(curproxy->bind_proc); + nbproc = my_popcountl(curproxy->bind_proc); curproxy->bind_proc &= nbits(global.nbproc); if (!curproxy->bind_proc && nbproc == 1) { @@ -6155,7 +6155,7 @@ mask &= curproxy->bind_proc; /* mask cannot be null here thanks to the previous checks */ - nbproc = popcount(bind_conf->bind_proc); + nbproc = my_popcountl(bind_conf->bind_proc); bind_conf->bind_proc &= mask; if (!bind_conf->bind_proc && nbproc == 1) { @@ -7092,7 +7092,7 @@ mask &= bind_conf->bind_proc; /* stop here if more than one process is used */ - if (popcount(mask) > 1) + if (my_popcountl(mask) > 1) break; } if (&bind_conf->by_fe != &global.stats_fe->conf.bind) { @@ -7155,7 +7155,7 @@ unsigned int next_id; int nbproc; - nbproc = popcount(curproxy->bind_proc & nbits(global.nbproc)); + nbproc = my_popcountl(curproxy->bind_proc & nbits(global.nbproc)); #ifdef USE_OPENSSL /* Configure SSL for each bind line. @@ -7272,7 +7272,7 @@ int count, maxproc = 0; list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) { - count = popcount(bind_conf->bind_proc); + count = my_popcountl(bind_conf->bind_proc); if (count > maxproc) maxproc = count; } 
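Review bot: The rewritten buffer_slow_realign() in src/buffer.c stages both the output and the input region through swap_buffer, yet neither the new header comment nor the body states the size relations the copies rely on. Every memcpy() offset is computed from buf->size, buf->i and buf->o, so the copies stay in bounds only if `buf->i + buf->o <= buf->size` and swap_buffer holds at least `buf->size` bytes. swap_buffer, bo_ptr() and bi_ptr() are defined outside this hunk, so that cannot be confirmed from here; presumably swap_buffer is allocated at the configured buffer size. I would add the precondition to the comment, e.g. `* The caller must ensure buf->i + buf->o <= buf->size and that swap_buffer is at least buf->size bytes.` This matters because the old comment's unenforced precondition ("may only be used when the buffer's output is empty") appears to be what the changelog entry for CVE-2015-3281 corrects.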
@@ -7421,13 +7421,13 @@ Warning("Removing incomplete section 'peers %s' (no peer named '%s').\n", curpeers->id, localpeer); } - else if (popcount(curpeers->peers_fe->bind_proc) != 1) { + else if (my_popcountl(curpeers->peers_fe->bind_proc) != 1) { /* either it's totally stopped or too much used */ if (curpeers->peers_fe->bind_proc) { Alert("Peers section '%s': peers referenced by sections " "running in different processes (%d different ones). " "Check global.nbproc and all tables' bind-process " - "settings.\n", curpeers->id, popcount(curpeers->peers_fe->bind_proc)); + "settings.\n", curpeers->id, my_popcountl(curpeers->peers_fe->bind_proc)); cfgerr++; } stop_proxy(curpeers->peers_fe);