packages/haproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update haproxy to 2.4.8

Browse Source
This commit is contained in:
yangl777 2021-12-07 21:25:06 +08:00
parent bd0ada7c19
commit 68131294c3
4 changed files with 22 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
CVE-2021-40346.patch
View File

@ -1,65 +0,0 @@
From 86f4f281efb933900ebcc4fdaef95f566382d907 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 26 Aug 2021 16:23:37 +0200
Subject: BUG/MAJOR: htx: fix missing header name length check in
htx_add_header/trailer
Shachar Menashe for JFrog Security reported that htx_add_header() and
htx_add_trailer() were missing a length check on the header name. While
this does not allow to overwrite any memory area, it results in bits of
the header name length to slip into the header value length and may
result in forging certain header names on the input. The sad thing here
is that a FIXME comment was present suggesting to add the required length
checks :-(
The injected headers are visible to the HTTP internals and to the config
rules, so haproxy will generally stay synchronized with the server. But
there is one exception which is the content-length header field, because
it is already deduplicated on the input, but before being indexed. As
such, injecting a content-length header after the deduplication stage
may be abused to present a different, shorter one on the other side and
help build a request smuggling attack, or even maybe a response splitting
attack.
As a mitigation measure, it is sufficient to verify that no more than
one such header is present in any message, which is normally the case
thanks to the duplicate checks:
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
This must be backported to all HTX-enabled versions, hence as far as 2.0.
In 2.3 and earlier, the functions are in src/htx.c instead.
Many thanks to Shachar for his work and his responsible report!
[wt: code is in src/htx.c in 2.3 and older]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
src/htx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/src/htx.c
+++ b/src/htx.c
@@ -859,7 +859,9 @@ struct htx_blk *htx_add_header(struct ht
{
struct htx_blk *blk;
- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
+ if (name.len > 255 || value.len > 1048575)
+ return NULL;
+
blk = htx_add_blk(htx, HTX_BLK_HDR, name.len + value.len);
if (!blk)
return NULL;
@@ -878,7 +880,9 @@ struct htx_blk *htx_add_trailer(struct h
{
struct htx_blk *blk;
- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
+ if (name.len > 255 || value.len > 1048575)
+ return NULL;
+
blk = htx_add_blk(htx, HTX_BLK_TLR, name.len + value.len);
if (!blk)
return NULL;

BIN
haproxy-2.2.16.tar.gz
View File

Binary file not shown.

BIN
haproxy-2.4.8.tar.gz Normal file
View File

Binary file not shown.

45
haproxy.spec
View File

@ -4,25 +4,21 @@
%global _hardened_build 1 %global _hardened_build 1
Name: haproxy Name: haproxy
Version: 2.2.16 Version: 2.4.8
Release: 2 Release: 1
Summary: The Reliable, High Performance TCP/HTTP Load Balancer Summary: The Reliable, High Performance TCP/HTTP Load Balancer
License: GPLv2+ License: GPLv2+
URL: https://www.haproxy.org/ URL: https://www.haproxy.org/
Source0: https://www.haproxy.org/download/2.2/src/%{name}-%{version}.tar.gz Source0: https://www.haproxy.org/download/2.4/src/%{name}-%{version}.tar.gz
Source1: %{name}.service Source1: %{name}.service
Source2: %{name}.cfg Source2: %{name}.cfg
Source3: %{name}.logrotate Source3: %{name}.logrotate
Source4: %{name}.sysconfig Source4: %{name}.sysconfig
Patch0001: CVE-2021-40346.patch BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
Requires(pre): shadow-utils Requires(pre): shadow-utils
Requires(post): systemd %{?systemd_requires}
Requires(preun): systemd
Requires(postun): systemd
%package_help %package_help
%description %description
@ -38,16 +34,14 @@ use_regparm_opt=
use_regparm_opt="USE_REGPARM=1" use_regparm_opt="USE_REGPARM=1"
%endif %endif
%make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 \ %make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 \
USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${use_regparm_opt} \ USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 ${use_regparm_opt} \
ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}" EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o" ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
pushd contrib/halog %make_build admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
%make_build ${halog} OPTIMIZE="%{optflags} %{build_ldflags}"
popd
pushd contrib/iprange pushd admin/iprange
%make_build iprange OPTIMIZE="%{optflags} %{build_ldflags}" %make_build OPTIMIZE="%{build_cflags}" LDFLAGS="%{build_ldflags}"
popd popd
%install %install
@ -66,8 +60,9 @@ install -d -m 0755 .%{_localstatedir}/lib/haproxy
install -d -m 0755 .%{_datadir}/haproxy install -d -m 0755 .%{_datadir}/haproxy
popd popd
install -p -m 0755 ./contrib/halog/halog %{buildroot}%{_bindir}/halog install -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog
install -p -m 0755 ./contrib/iprange/iprange %{buildroot}%{_bindir}/iprange install -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange
install -p -m 0755 ./admin/iprange/ip6range %{buildroot}%{_bindir}/ip6range
install -p -m 0644 ./examples/errorfiles/* %{buildroot}%{_datadir}/haproxy install -p -m 0644 ./examples/errorfiles/* %{buildroot}%{_datadir}/haproxy
for httpfile in $(find ./examples/errorfiles/ -type f) for httpfile in $(find ./examples/errorfiles/ -type f)
@ -110,6 +105,7 @@ exit 0
%config(noreplace) %{_sysconfdir}/sysconfig/%{name} %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_bindir}/halog %{_bindir}/halog
%{_bindir}/iprange %{_bindir}/iprange
%{_bindir}/ip6range
%{_sbindir}/%{name} %{_sbindir}/%{name}
%{_unitdir}/%{name}.service %{_unitdir}/%{name}.service
%dir %{_localstatedir}/lib/haproxy %dir %{_localstatedir}/lib/haproxy
@ -122,16 +118,19 @@ exit 0
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Sat Sep 18 yaoxin <yaoxin30@huawei.com> - 2.2.16-2 * Tue Dec 07 2021 yanglu <yanglu72@huawei.com> - 2.4.8-1
- update haproxy to 2.4.8
* Sat Sep 18 2021 yaoxin <yaoxin30@huawei.com> - 2.2.16-2
- Fix CVE-2021-40346 - Fix CVE-2021-40346
* Mon Aug 30 yaoxin <yaoxin30@huawei.com> - 2.2.16-1 * Mon Aug 30 2021 yaoxin <yaoxin30@huawei.com> - 2.2.16-1
- Upgrade 2.2.16 to fix CVE-2021-39240 - Upgrade 2.2.16 to fix CVE-2021-39240
* Thu Aug 26 liwu <liwu13@huawei.com> - 2.2.1-2 * Thu Aug 26 2021 liwu <liwu13@huawei.com> - 2.2.1-2
- fix CVE-2021-39241,CVE-2021-39242 - fix CVE-2021-39241,CVE-2021-39242
* Thu July 1 huanghaitao <huanghaitao8@huawei.com> - 2.2.1-1 * Thu Jul 1 2021 huanghaitao <huanghaitao8@huawei.com> - 2.2.1-1
- update to 2.2.1 - update to 2.2.1
* Tue Sep 15 2020 Ge Wang <wangge20@huawei.com> - 2.0.17-1 * Tue Sep 15 2020 Ge Wang <wangge20@huawei.com> - 2.0.17-1