#6 Latest upstream 2.0.1
Opened 2 months ago by carlwgeorge. Modified 22 days ago
rpms/ carlwgeorge/haproxy upstream_2.0.0  into  master

file modified
+1 -60

@@ -1,60 +1,1 @@ 

- *~

- haproxy-1.4.8.tar.gz

- /haproxy-1.4.11.tar.gz

- /haproxy-1.4.15.tar.gz

- /haproxy-1.4.18.tar.gz

- /haproxy-1.4.19.tar.gz

- /haproxy-1.4.20.tar.gz

- /haproxy-1.4.22.tar.gz

- /haproxy-1.4.23.tar.gz

- /haproxy-1.4.24.tar.gz

- /haproxy-1.4.25.tar.gz

- /haproxy-1.5.0.tar.gz

- /haproxy-1.5.1.tar.gz

- /haproxy-1.5.2.tar.gz

- /haproxy-1.5.3.tar.gz

- /haproxy-1.5.4.tar.gz

- /haproxy-1.5.5.tar.gz

- /haproxy-1.5.6.tar.gz

- /haproxy-1.5.7.tar.gz

- /haproxy-1.5.8.tar.gz

- /haproxy-1.5.9.tar.gz

- /haproxy-1.5.10.tar.gz

- /haproxy-1.5.11.tar.gz

- /haproxy-1.5.12.tar.gz

- /haproxy-1.5.13.tar.gz

- /haproxy-1.5.14.tar.gz

- /haproxy-1.6.0.tar.gz

- /haproxy-1.6.1.tar.gz

- /haproxy-1.6.2.tar.gz

- /haproxy-1.6.3.tar.gz

- /haproxy-1.6.5.tar.gz

- /haproxy-1.6.6.tar.gz

- /haproxy-1.6.7.tar.gz

- /haproxy-1.6.9.tar.gz

- /haproxy-1.6.10.tar.gz

- /haproxy-1.7.0.tar.gz

- /haproxy-1.7.1.tar.gz

- /haproxy-1.7.2.tar.gz

- /haproxy-1.7.3.tar.gz

- /haproxy-1.7.8.tar.gz

- /haproxy-1.7.9.tar.gz

- /haproxy-1.8.1.tar.gz

- /haproxy-1.8.2.tar.gz

- /haproxy-1.8.3.tar.gz

- /haproxy-1.8.4.tar.gz

- /haproxy-1.8.5.tar.gz

- /haproxy-1.8.6.tar.gz

- /haproxy-1.8.7.tar.gz

- /haproxy-1.8.8.tar.gz

- /haproxy-1.8.9.tar.gz

- /haproxy-1.8.10.tar.gz

- /haproxy-1.8.11.tar.gz

- /haproxy-1.8.12.tar.gz

- /haproxy-1.8.13.tar.gz

- /haproxy-1.8.14.tar.gz

- /haproxy-1.8.15.tar.gz

- /haproxy-1.8.16.tar.gz

- /haproxy-1.8.17.tar.gz

- /haproxy-1.8.19.tar.gz

- /haproxy-1.8.20.tar.gz

+ haproxy-*.tar.gz

@@ -1,83 +0,0 @@ 

- From a873c161d251abd025008034c0ddef8cd7f39511 Mon Sep 17 00:00:00 2001

- From: Willy Tarreau <w@1wt.eu>

- Date: Mon, 29 Oct 2018 18:02:54 +0100

- Subject: BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe

- 

- It was reported here that authentication may fail when threads are

- enabled :

- 

-     https://bugzilla.redhat.com/show_bug.cgi?id=1643941

- 

- While I couldn't reproduce the issue, it's obvious that there is a

- problem with the use of the non-reentrant crypt() function there.

- On Linux systems there's crypt_r() but not on the vast majority of

- other ones. Thus a first approach consists in placing a lock around

- this crypt() call. Another patch may relax it when crypt_r() is

- available.

- 

- This fix must be backported to 1.8. Thanks to Ryan O'Hara for the

- quick notification.

- 

- (cherry picked from commit 34d4b525a129baa6f52a930ae629ddb1ba4255c2)

- Signed-off-by: Willy Tarreau <w@1wt.eu>

- ---

-  include/common/hathreads.h | 2 ++

-  src/auth.c                 | 7 +++++++

-  2 files changed, 9 insertions(+)

- 

- diff --git a/include/common/hathreads.h b/include/common/hathreads.h

- index 44bd66d1d..24fb1d1a7 100644

- --- a/include/common/hathreads.h

- +++ b/include/common/hathreads.h

- @@ -373,6 +373,7 @@ enum lock_label {

-  	START_LOCK,

-  	TLSKEYS_REF_LOCK,

-  	PENDCONN_LOCK,

- +	AUTH_LOCK,

-  	LOCK_LABELS

-  };

-  struct lock_stat {

- @@ -495,6 +496,7 @@ static inline const char *lock_label(enum lock_label label)

-  	case START_LOCK:           return "START";

-  	case TLSKEYS_REF_LOCK:     return "TLSKEYS_REF";

-  	case PENDCONN_LOCK:        return "PENDCONN";

- +	case AUTH_LOCK:            return "AUTH";

-  	case LOCK_LABELS:          break; /* keep compiler happy */

-  	};

-  	/* only way to come here is consecutive to an internal bug */

- diff --git a/src/auth.c b/src/auth.c

- index a2c689f76..e0fb13522 100644

- --- a/src/auth.c

- +++ b/src/auth.c

- @@ -28,6 +28,7 @@

-  #include <types/global.h>

-  #include <common/config.h>

-  #include <common/errors.h>

- +#include <common/hathreads.h>

-  

-  #include <proto/acl.h>

-  #include <proto/log.h>

- @@ -37,6 +38,10 @@

-  

-  struct userlist *userlist = NULL;    /* list of all existing userlists */

-  

- +#ifdef CONFIG_HAP_CRYPT

- +__decl_hathreads(static HA_SPINLOCK_T auth_lock);

- +#endif

- +

-  /* find targets for selected gropus. The function returns pointer to

-   * the userlist struct ot NULL if name is NULL/empty or unresolvable.

-   */

- @@ -245,7 +250,9 @@ check_user(struct userlist *ul, const char *user, const char *pass)

-  

-  	if (!(u->flags & AU_O_INSECURE)) {

-  #ifdef CONFIG_HAP_CRYPT

- +		HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);

-  		ep = crypt(pass, u->pass);

- +		HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);

-  #else

-  		return 0;

-  #endif

- -- 

- 2.14.4

- 

file modified
+7 -4

@@ -7,14 +7,14 @@ 

  %global _hardened_build 1

  

  Name:           haproxy

- Version:        1.8.20

+ Version:        2.0.3

  Release:        1%{?dist}

  Summary:        HAProxy reverse proxy for high availability environments

  

  License:        GPLv2+

  

  URL:            http://www.haproxy.org/

- Source0:        http://www.haproxy.org/download/1.8/src/haproxy-%{version}.tar.gz

+ Source0:        http://www.haproxy.org/download/2.0/src/haproxy-%{version}.tar.gz

  Source1:        %{name}.service

  Source2:        %{name}.cfg

  Source3:        %{name}.logrotate

@@ -55,7 +55,7 @@ 

  regparm_opts="USE_REGPARM=1"

  %endif

  

- %{__make} %{?_smp_mflags} CPU="generic" TARGET="linux2628" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${regparm_opts} ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}"

+ %{__make} %{?_smp_mflags} CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${regparm_opts} ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}"

  

  pushd contrib/halog

  %{__make} ${halog} OPTIMIZE="%{optflags} %{build_ldflags}"

@@ -66,7 +66,7 @@ 

  popd

  

  %install

- %{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"

+ %{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux-glibc"

  %{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}

  

  %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service

@@ -132,6 +132,9 @@ 

  %{_mandir}/man1/*

  

  %changelog

+ * Fri Jul 26 2019 Carl George <carl@george.computer> - 2.0.3-1

+ - Latest upstream rhbz#1690492

+ 

  * Fri May 17 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.20-1

  - Update to 1.8.20

  

file modified
+1 -1

@@ -1,1 +1,1 @@ 

- SHA512 (haproxy-1.8.20.tar.gz) = c288ccf223da71a29ae0f08f3c9753002735816229ea83ca497d46c860fb8a4bd422077a94652aa475e48aefb78787979cdce7f1bd0b5919dc671ba25212c133

+ SHA512 (haproxy-2.0.3.tar.gz) = dd7eaf7e05c9b3ee162fcc17bc116f81184523437d6f4dbd940b0a6a8e4d01e1984fc8fabafcfc20261203e60e8bd0bc5b0bf813f5eff47b9ba364465bd0633c

HAProxy 2.0 will be in the rawhide and the next release (Fedora 31). We can't put 2.0 in Fedora 30 unless it was a module. You're welcome to make a koji build in the meantime.

I'm not sure I understand what you mean. This is a pull request to rawhide (master branch) to do exactly what you are describing. If merged and built, it will make it into rawhide now, and to F31 after it's branched. This pull request has nothing to do with F30.

rebased onto b1dd53f

2 months ago

2.0.1 was released upstream, so I amended this pull request commit to use that instead.

@rohara Please respond. I don't understand your last comment and would like to get this reviewed and merged.

rebased onto bee294f

a month ago

Amended to go all the way to 2.0.3, which addresses CVE-2019-14241.

I see you update the rawhide package yourself.

https://src.fedoraproject.org/rpms/haproxy/c/49707947a2f16633aa37739a5bca66546228193a

Are pull requests not welcome for this package?