!57 upgrade to 2.6.6
From: @xinghe_1 Reviewed-by: @gitee-cmd Signed-off-by: @gitee-cmd
commit
5b314f1dca
@ -1,40 +0,0 @@
|
||||
From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
|
||||
From: Andrew McDermott <aim@frobware.com>
|
||||
Date: Fri, 11 Feb 2022 18:26:49 +0000
|
||||
Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
|
||||
http_manage_server_side_cookies
|
||||
|
||||
Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
|
||||
header is found then the while(1) loop in
|
||||
http_manage_server_side_cookies() will never terminate, resulting in
|
||||
the watchdog firing and the process terminating via SIGABRT.
|
||||
|
||||
The while(1) loop becomes unbounded because an unmatched call to
|
||||
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
|
||||
calls to check for "Set-Cookie2" will now enumerate from the beginning
|
||||
of all the blocks and will once again match on subsequent
|
||||
passes (assuming a match first time around), hence the loop becoming
|
||||
unbounded.
|
||||
|
||||
This issue was introduced with HTX and this fix should be backported
|
||||
to all versions supporting HTX.
|
||||
|
||||
Many thanks to Grant Spence (gspence@redhat.com) for working through
|
||||
this issue with me.
|
||||
---
|
||||
src/http_ana.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/http_ana.c b/src/http_ana.c
|
||||
index 715dd3a5c5..c2d9d9b439 100644
|
||||
--- a/src/http_ana.c
|
||||
+++ b/src/http_ana.c
|
||||
@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
|
||||
while (1) {
|
||||
int is_first = 1;
|
||||
|
||||
- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
|
||||
+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
|
||||
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
|
||||
break;
|
||||
is_cookie2 = 1;
|
||||
Binary file not shown.
BIN
haproxy-2.6.6.tar.gz
Normal file
Binary file not shown.
@ -1,15 +1,17 @@
|
||||
[Unit]
|
||||
Description=HAProxy Load Balancer
|
||||
After=network.target
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
|
||||
ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
|
||||
# -W: master-worker mode
|
||||
ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -p $PIDFILE
|
||||
ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
|
||||
EnvironmentFile=-/etc/sysconfig/haproxy
|
||||
Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
|
||||
ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -f $CFGDIR -c -q $OPTIONS
|
||||
ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -f $CFGDIR -p $PIDFILE $OPTIONS
|
||||
ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -f $CFGDIR -c -q $OPTIONS
|
||||
ExecReload=/bin/kill -USR2 $MAINPID
|
||||
KillMode=mixed
|
||||
SuccessExitStatus=143
|
||||
Type=notify
|
||||
|
||||
[Install]
|
||||
|
||||
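Review bot: Nothing in the `[Service]` block says that `/etc/sysconfig/haproxy` takes precedence over the inline defaults. systemd lets values from `EnvironmentFile=` override those from `Environment=`, so that file can replace `HAPROXY_CONF`, `PIDFILE` and `CFGDIR` as well as supply `$OPTIONS`, and all of it ends up on the haproxy command line; no `User=` is visible in the shown part of the unit, so the master presumably starts as root. I would add a comment above `EnvironmentFile=`, for example `# Values in /etc/sysconfig/haproxy override the defaults below; keep the file root-owned and not group- or world-writable`. The `# -W: master-worker mode` comment also appears to be dropped while `-Ws` stays (the +/- markers are lost in this rendering, so this is inferred from print order); a one-line comment for `-Ws` next to `Type=notify` would keep that pairing documented.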
23
haproxy.spec
@ -4,19 +4,18 @@
|
||||
%global _hardened_build 1
|
||||
|
||||
Name: haproxy
|
||||
Version: 2.4.8
|
||||
Release: 2
|
||||
Version: 2.6.6
|
||||
Release: 1
|
||||
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
|
||||
|
||||
License: GPLv2+
|
||||
URL: https://www.haproxy.org/
|
||||
Source0: https://www.haproxy.org/download/2.4/src/%{name}-%{version}.tar.gz
|
||||
Source0: https://www.haproxy.org/download/2.6/src/%{name}-%{version}.tar.gz
|
||||
Source1: %{name}.service
|
||||
Source2: %{name}.cfg
|
||||
Source3: %{name}.logrotate
|
||||
Source4: %{name}.sysconfig
|
||||
|
||||
Patch0: CVE-2022-0711.patch
|
||||
|
||||
BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
|
||||
Requires(pre): shadow-utils
|
||||
@ -31,13 +30,9 @@ web sites and powers quite a number of the world's most visited ones.
|
||||
%prep
|
||||
%autosetup -n %{name}-%{version} -p1
|
||||
%build
|
||||
use_regparm_opt=
|
||||
%ifarch %ix86 x86_64
|
||||
use_regparm_opt="USE_REGPARM=1"
|
||||
%endif
|
||||
|
||||
%make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 \
|
||||
USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 ${use_regparm_opt} \
|
||||
USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 \
|
||||
ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
|
||||
|
||||
%make_build admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
|
||||
@ -59,6 +54,7 @@ install -p -D -m 0644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/%{name}
|
||||
install -p -D -m 0644 %{SOURCE4} .%{_sysconfdir}/sysconfig/%{name}
|
||||
install -d -m 0755 .%{_bindir}
|
||||
install -d -m 0755 .%{_localstatedir}/lib/haproxy
|
||||
install -d -m 0755 .%{_sysconfdir}/haproxy/conf.d
|
||||
install -d -m 0755 .%{_datadir}/haproxy
|
||||
popd
|
||||
|
||||
@ -110,16 +106,23 @@ exit 0
|
||||
%{_bindir}/ip6range
|
||||
%{_sbindir}/%{name}
|
||||
%{_unitdir}/%{name}.service
|
||||
%dir %{_sysconfdir}/haproxy/conf.d
|
||||
%dir %{_localstatedir}/lib/haproxy
|
||||
%dir %{_datadir}/haproxy
|
||||
%{_datadir}/haproxy/*
|
||||
|
||||
%files help
|
||||
%defattr(-,root,root)
|
||||
%doc doc/* examples/* CHANGELOG README ROADMAP VERSION
|
||||
%doc doc/* examples/* CHANGELOG README VERSION
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Sat Oct 22 2022 xinghe <xinghe2@h-partners.com> - 2.6.6-1
|
||||
- Type:enhancement
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:upgrade to 2.6.6
|
||||
|
||||
* Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.4.8-2
|
||||
- Fix CVE-2022-0711
|
||||
|
||||
|
||||
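Review bot: `Patch0: CVE-2022-0711.patch` appears to be dropped from the header block, yet the new `%changelog` entry records only `DESC:upgrade to 2.6.6` with `ID:NA`, so the package history does not say why the CVE fix is no longer carried. The deleted patch's own message asks for a backport to every HTX-capable version, so 2.6.6 presumably already has the `is_cookie2 ||` guard in `src/http_ana.c`. That should be confirmed against the new tarball, which is binary on this page and cannot be checked here. Once verified, I would add a changelog line such as `- Drop CVE-2022-0711.patch, fix is included in the upstream 2.6.6 sources`. Recording the upstream checksum of `haproxy-2.6.6.tar.gz` in the commit description would also let a reviewer tie the binary blob to the `Source0` URL.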