Hi,

this is a haproxy update; the two temporary patches are no longer necessary.

Kind regards.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/haproxy/Makefile,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile
--- Makefile    15 Jun 2016 06:55:58 -0000      1.30
+++ Makefile    27 Jun 2016 08:16:46 -0000
@@ -2,7 +2,7 @@
 
 COMMENT =      reliable, high performance TCP/HTTP load balancer
 
-DISTNAME =     haproxy-1.6.5
+DISTNAME =     haproxy-1.6.6
 REVISION =     0
 CATEGORIES =   net www
 HOMEPAGE =     http://www.haproxy.org/
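Review bot: `REVISION = 0` is left in place under the new `DISTNAME`, so the package would presumably be built as haproxy-1.6.6p0. By ports convention the REVISION line is dropped when the upstream version changes, so I would delete it in this hunk. Separately, this update removes both local patches for CVE-2016-5360, so it is worth confirming before commit that the 1.6.6 tarball contains upstream commit 60f01f8c89e4fb2723d5a9f2046286e699567e0b. One way is to check that `rule_deny_status` is gone from `struct http_txn` in the extracted source.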
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/haproxy/distinfo,v
retrieving revision 1.17
diff -u -p -r1.17 distinfo
--- distinfo    13 May 2016 03:34:28 -0000      1.17
+++ distinfo    27 Jun 2016 08:16:46 -0000
@@ -1,2 +1,2 @@
-SHA256 (haproxy-1.6.5.tar.gz) = xLP7k4h0q7u9UngghxF8wlkCY694/c6G1k5KEaz+hd4=
-SIZE (haproxy-1.6.5.tar.gz) = 1563272
+SHA256 (haproxy-1.6.6.tar.gz) = /bA9YweMw8aIu205/HXcwVjWU1bkyOHEWQM+vt3/VfU=
+SIZE (haproxy-1.6.6.tar.gz) = 1565046
Index: patches/patch-include_types_proto_http_h
===================================================================
RCS file: patches/patch-include_types_proto_http_h
diff -N patches/patch-include_types_proto_http_h
--- patches/patch-include_types_proto_http_h    15 Jun 2016 06:55:58 -0000      
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-include_types_proto_http_h,v 1.1 2016/06/15 06:55:58 jasper 
Exp $
-
-Security fix for CVE-2016-5360
-http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
-
---- include/types/proto_http.h.orig    Tue May 10 15:42:00 2016
-+++ include/types/proto_http.h Tue Jun 14 15:10:23 2016
-@@ -362,7 +362,6 @@ struct http_txn {
-       unsigned int flags;             /* transaction flags */
-       enum http_meth_t meth;          /* HTTP method */
-       /* 1 unused byte here */
--      short rule_deny_status;         /* HTTP status from rule when denying */
-       short status;                   /* HTTP status from the server, 
negative if from proxy */
- 
-       char *uri;                      /* first line if log needed, NULL 
otherwise */
Index: patches/patch-src_proto_http_c
===================================================================
RCS file: patches/patch-src_proto_http_c
diff -N patches/patch-src_proto_http_c
--- patches/patch-src_proto_http_c      15 Jun 2016 06:55:58 -0000      1.3
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,77 +0,0 @@
-$OpenBSD: patch-src_proto_http_c,v 1.3 2016/06/15 06:55:58 jasper Exp $
-
-Security fix for CVE-2016-5360
-http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
-
---- src/proto_http.c.orig      Tue May 10 15:42:00 2016
-+++ src/proto_http.c   Tue Jun 14 15:10:23 2016
-@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, str
-  * further processing of the request (auth, deny, ...), and defaults to
-  * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
-  * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
-- * on txn->flags if it encounters a tarpit rule.
-+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
-+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
-+ * status.
-  */
- enum rule_result
--http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct 
stream *s)
-+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct 
stream *s, int *deny_status)
- {
-       struct session *sess = strm_sess(s);
-       struct http_txn *txn = s->txn;
-@@ -3539,12 +3541,14 @@ resume_execution:
-                       return HTTP_RULE_RES_STOP;
- 
-               case ACT_ACTION_DENY:
--                      txn->rule_deny_status = rule->deny_status;
-+                      if (deny_status)
-+                              *deny_status = rule->deny_status;
-                       return HTTP_RULE_RES_DENY;
- 
-               case ACT_HTTP_REQ_TARPIT:
-                       txn->flags |= TX_CLTARPIT;
--                      txn->rule_deny_status = rule->deny_status;
-+                      if (deny_status)
-+                              *deny_status = rule->deny_status;
-                       return HTTP_RULE_RES_DENY;
- 
-               case ACT_HTTP_REQ_AUTH:
-@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct c
-       struct redirect_rule *rule;
-       struct cond_wordlist *wl;
-       enum rule_result verdict;
-+      int deny_status = HTTP_ERR_403;
- 
-       if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
-               /* we need more data */
-@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct c
- 
-       /* evaluate http-request rules */
-       if (!LIST_ISEMPTY(&px->http_req_rules)) {
--              verdict = http_req_get_intercept_rule(px, &px->http_req_rules, 
s);
-+              verdict = http_req_get_intercept_rule(px, &px->http_req_rules, 
s, &deny_status);
- 
-               switch (verdict) {
-               case HTTP_RULE_RES_YIELD: /* some data miss, call the function 
later. */
-@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct c
- 
-               /* parse the whole stats request and extract the relevant 
information */
-               http_handle_stats(s, req);
--              verdict = http_req_get_intercept_rule(px, 
&px->uri_auth->http_req_rules, s);
-+              verdict = http_req_get_intercept_rule(px, 
&px->uri_auth->http_req_rules, s, &deny_status);
-               /* not all actions implemented: deny, allow, auth */
- 
-               if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
-@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct c
-               manage_client_side_cookies(s, req);
- 
-       txn->flags |= TX_CLDENY;
--      txn->status = http_err_codes[txn->rule_deny_status];
-+      txn->status = http_err_codes[deny_status];
-       s->logs.tv_request = now;
--      stream_int_retnclose(&s->si[0], http_error_message(s, 
txn->rule_deny_status));
-+      stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
-       stream_inc_http_err_ctr(s);
-       sess->fe->fe_counters.denied_req++;
-       if (sess->fe != s->be)
