PR#6: Latest upstream 2.0.1 - rpms/haproxy

rpms / haproxy

#6 Latest upstream 2.0.1

Closed 2 years ago by carlwgeorge. Opened 4 years ago by carlwgeorge.

rpms/ carlwgeorge/haproxy upstream_2.0.0 into rawhide

Latest upstream 2.0.3

Carl George • 4 years ago

bee294f

.gitignore

file modified

+1 -60

		`@@ -1,60 +1,1 @@`
		`- *~`
		`- haproxy-1.4.8.tar.gz`
		`- /haproxy-1.4.11.tar.gz`
		`- /haproxy-1.4.15.tar.gz`
		`- /haproxy-1.4.18.tar.gz`
		`- /haproxy-1.4.19.tar.gz`
		`- /haproxy-1.4.20.tar.gz`
		`- /haproxy-1.4.22.tar.gz`
		`- /haproxy-1.4.23.tar.gz`
		`- /haproxy-1.4.24.tar.gz`
		`- /haproxy-1.4.25.tar.gz`
		`- /haproxy-1.5.0.tar.gz`
		`- /haproxy-1.5.1.tar.gz`
		`- /haproxy-1.5.2.tar.gz`
		`- /haproxy-1.5.3.tar.gz`
		`- /haproxy-1.5.4.tar.gz`
		`- /haproxy-1.5.5.tar.gz`
		`- /haproxy-1.5.6.tar.gz`
		`- /haproxy-1.5.7.tar.gz`
		`- /haproxy-1.5.8.tar.gz`
		`- /haproxy-1.5.9.tar.gz`
		`- /haproxy-1.5.10.tar.gz`
		`- /haproxy-1.5.11.tar.gz`
		`- /haproxy-1.5.12.tar.gz`
		`- /haproxy-1.5.13.tar.gz`
		`- /haproxy-1.5.14.tar.gz`
		`- /haproxy-1.6.0.tar.gz`
		`- /haproxy-1.6.1.tar.gz`
		`- /haproxy-1.6.2.tar.gz`
		`- /haproxy-1.6.3.tar.gz`
		`- /haproxy-1.6.5.tar.gz`
		`- /haproxy-1.6.6.tar.gz`
		`- /haproxy-1.6.7.tar.gz`
		`- /haproxy-1.6.9.tar.gz`
		`- /haproxy-1.6.10.tar.gz`
		`- /haproxy-1.7.0.tar.gz`
		`- /haproxy-1.7.1.tar.gz`
		`- /haproxy-1.7.2.tar.gz`
		`- /haproxy-1.7.3.tar.gz`
		`- /haproxy-1.7.8.tar.gz`
		`- /haproxy-1.7.9.tar.gz`
		`- /haproxy-1.8.1.tar.gz`
		`- /haproxy-1.8.2.tar.gz`
		`- /haproxy-1.8.3.tar.gz`
		`- /haproxy-1.8.4.tar.gz`
		`- /haproxy-1.8.5.tar.gz`
		`- /haproxy-1.8.6.tar.gz`
		`- /haproxy-1.8.7.tar.gz`
		`- /haproxy-1.8.8.tar.gz`
		`- /haproxy-1.8.9.tar.gz`
		`- /haproxy-1.8.10.tar.gz`
		`- /haproxy-1.8.11.tar.gz`
		`- /haproxy-1.8.12.tar.gz`
		`- /haproxy-1.8.13.tar.gz`
		`- /haproxy-1.8.14.tar.gz`
		`- /haproxy-1.8.15.tar.gz`
		`- /haproxy-1.8.16.tar.gz`
		`- /haproxy-1.8.17.tar.gz`
		`- /haproxy-1.8.19.tar.gz`
		`- /haproxy-1.8.20.tar.gz`
		`+ haproxy-*.tar.gz`

0001-BUG-MEDIUM-auth-threads-use-of-crypt-not-thread-safe.patch

file removed

-83

		`@@ -1,83 +0,0 @@`
		`- From a873c161d251abd025008034c0ddef8cd7f39511 Mon Sep 17 00:00:00 2001`
		`- From: Willy Tarreau <w@1wt.eu>`
		`- Date: Mon, 29 Oct 2018 18:02:54 +0100`
		`- Subject: BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe`
		`-`
		`- It was reported here that authentication may fail when threads are`
		`- enabled :`
		`-`
		`- https://bugzilla.redhat.com/show_bug.cgi?id=1643941`
		`-`
		`- While I couldn't reproduce the issue, it's obvious that there is a`
		`- problem with the use of the non-reentrant crypt() function there.`
		`- On Linux systems there's crypt_r() but not on the vast majority of`
		`- other ones. Thus a first approach consists in placing a lock around`
		`- this crypt() call. Another patch may relax it when crypt_r() is`
		`- available.`
		`-`
		`- This fix must be backported to 1.8. Thanks to Ryan O'Hara for the`
		`- quick notification.`
		`-`
		`- (cherry picked from commit 34d4b525a129baa6f52a930ae629ddb1ba4255c2)`
		`- Signed-off-by: Willy Tarreau <w@1wt.eu>`
		`- ---`
		`- include/common/hathreads.h \| 2 ++`
		`- src/auth.c \| 7 +++++++`
		`- 2 files changed, 9 insertions(+)`
		`-`
		`- diff --git a/include/common/hathreads.h b/include/common/hathreads.h`
		`- index 44bd66d1d..24fb1d1a7 100644`
		`- --- a/include/common/hathreads.h`
		`- +++ b/include/common/hathreads.h`
		`- @@ -373,6 +373,7 @@ enum lock_label {`
		`- START_LOCK,`
		`- TLSKEYS_REF_LOCK,`
		`- PENDCONN_LOCK,`
		`- + AUTH_LOCK,`
		`- LOCK_LABELS`
		`- };`
		`- struct lock_stat {`
		`- @@ -495,6 +496,7 @@ static inline const char *lock_label(enum lock_label label)`
		`- case START_LOCK: return "START";`
		`- case TLSKEYS_REF_LOCK: return "TLSKEYS_REF";`
		`- case PENDCONN_LOCK: return "PENDCONN";`
		`- + case AUTH_LOCK: return "AUTH";`
		`- case LOCK_LABELS: break; /* keep compiler happy */`
		`- };`
		`- /* only way to come here is consecutive to an internal bug */`
		`- diff --git a/src/auth.c b/src/auth.c`
		`- index a2c689f76..e0fb13522 100644`
		`- --- a/src/auth.c`
		`- +++ b/src/auth.c`
		`- @@ -28,6 +28,7 @@`
		`- #include <types/global.h>`
		`- #include <common/config.h>`
		`- #include <common/errors.h>`
		`- +#include <common/hathreads.h>`
		`-`
		`- #include <proto/acl.h>`
		`- #include <proto/log.h>`
		`- @@ -37,6 +38,10 @@`
		`-`
		`- struct userlist userlist = NULL; / list of all existing userlists */`
		`-`
		`- +#ifdef CONFIG_HAP_CRYPT`
		`- +__decl_hathreads(static HA_SPINLOCK_T auth_lock);`
		`- +#endif`
		`- +`
		`- /* find targets for selected gropus. The function returns pointer to`
		`- * the userlist struct ot NULL if name is NULL/empty or unresolvable.`
		`- */`
		`- @@ -245,7 +250,9 @@ check_user(struct userlist ul, const char user, const char *pass)`
		`-`
		`- if (!(u->flags & AU_O_INSECURE)) {`
		`- #ifdef CONFIG_HAP_CRYPT`
		`- + HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);`
		`- ep = crypt(pass, u->pass);`
		`- + HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);`
		`- #else`
		`- return 0;`
		`- #endif`
		`- --`
		`- 2.14.4`
		`-`

haproxy.spec

file modified

+7 -4

		`@@ -7,14 +7,14 @@`
		`%global _hardened_build 1`

		`Name: haproxy`
		`- Version: 1.8.20`
		`+ Version: 2.0.3`
		`Release: 1%{?dist}`
		`Summary: HAProxy reverse proxy for high availability environments`

		`License: GPLv2+`

		`URL: http://www.haproxy.org/`
		`- Source0: http://www.haproxy.org/download/1.8/src/haproxy-%{version}.tar.gz`
		`+ Source0: http://www.haproxy.org/download/2.0/src/haproxy-%{version}.tar.gz`
		`Source1: %{name}.service`
		`Source2: %{name}.cfg`
		`Source3: %{name}.logrotate`
		`@@ -55,7 +55,7 @@`
		`regparm_opts="USE_REGPARM=1"`
		`%endif`

		`- %{__make} %{?_smp_mflags} CPU="generic" TARGET="linux2628" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${regparm_opts} ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}"`
		`+ %{__make} %{?_smp_mflags} CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${regparm_opts} ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}"`

		`pushd contrib/halog`
		`%{__make} ${halog} OPTIMIZE="%{optflags} %{build_ldflags}"`
		`@@ -66,7 +66,7 @@`
		`popd`

		`%install`
		`- %{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"`
		`+ %{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux-glibc"`
		`%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}`

		`%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service`
		`@@ -132,6 +132,9 @@`
		`%{_mandir}/man1/*`

		`%changelog`
		`+ * Fri Jul 26 2019 Carl George <carl@george.computer> - 2.0.3-1`
		`+ - Latest upstream rhbz#1690492`
		`+`
		`* Fri May 17 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.20-1`
		`- Update to 1.8.20`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (haproxy-1.8.20.tar.gz) = c288ccf223da71a29ae0f08f3c9753002735816229ea83ca497d46c860fb8a4bd422077a94652aa475e48aefb78787979cdce7f1bd0b5919dc671ba25212c133`
		`+ SHA512 (haproxy-2.0.3.tar.gz) = dd7eaf7e05c9b3ee162fcc17bc116f81184523437d6f4dbd940b0a6a8e4d01e1984fc8fabafcfc20261203e60e8bd0bc5b0bf813f5eff47b9ba364465bd0633c`

carlwgeorge commented 4 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=1690492

carlwgeorge commented 4 years ago

@rohara Can you review this please?

rohara commented 4 years ago

HAProxy 2.0 will be in the rawhide and the next release (Fedora 31). We can't put 2.0 in Fedora 30 unless it was a module. You're welcome to make a koji build in the meantime.

carlwgeorge commented 4 years ago

I'm not sure I understand what you mean. This is a pull request to rawhide (master branch) to do exactly what you are describing. If merged and built, it will make it into rawhide now, and to F31 after it's branched. This pull request has nothing to do with F30.

rebased onto b1dd53f

4 years ago

carlwgeorge commented 4 years ago

2.0.1 was released upstream, so I amended this pull request commit to use that instead.

carlwgeorge commented 4 years ago

@rohara Please respond. I don't understand your last comment and would like to get this reviewed and merged.

rebased onto bee294f

4 years ago

carlwgeorge commented 4 years ago

Amended to go all the way to 2.0.3, which addresses CVE-2019-14241.

carlwgeorge commented 4 years ago

I see you update the rawhide package yourself.