upgrade to 2.6.6

2022-10-22 06:59:50 +00:00 · 2022-10-22 06:59:50 +00:00 · f088648ddb
commit f088648ddb
parent a67d40afc9
5 changed files with 21 additions and 56 deletions
--- a/CVE-2022-0711.patch
+++ b/CVE-2022-0711.patch
@ -1,40 +0,0 @@
 From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
 From: Andrew McDermott <aim@frobware.com>
 Date: Fri, 11 Feb 2022 18:26:49 +0000
 Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
 http_manage_server_side_cookies
 Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
 header is found then the while(1) loop in
 http_manage_server_side_cookies() will never terminate, resulting in
 the watchdog firing and the process terminating via SIGABRT.
 The while(1) loop becomes unbounded because an unmatched call to
 http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
 calls to check for "Set-Cookie2" will now enumerate from the beginning
 of all the blocks and will once again match on subsequent
 passes (assuming a match first time around), hence the loop becoming
 unbounded.
 This issue was introduced with HTX and this fix should be backported
 to all versions supporting HTX.
 Many thanks to Grant Spence (gspence@redhat.com) for working through
 this issue with me.
 ---
 src/http_ana.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/http_ana.c b/src/http_ana.c
 index 715dd3a5c5..c2d9d9b439 100644
 --- a/src/http_ana.c
 +++ b/src/http_ana.c
@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
 	while (1) {
 		int is_first = 1;
 -		if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
 +		if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
 			if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
 				break;
 			is_cookie2 = 1;
--- a/haproxy-2.4.8.tar.gz
+++ b/haproxy-2.4.8.tar.gz
--- a/haproxy-2.6.6.tar.gz
+++ b/haproxy-2.6.6.tar.gz
--- a/haproxy.service
+++ b/haproxy.service
@ -1,15 +1,17 @@
 [Unit]
 Description=HAProxy Load Balancer
-After=network.target
+After=network-online.target            
 Wants=network-online.target
 [Service]
-Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
+EnvironmentFile=-/etc/sysconfig/haproxy
-ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
+Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
-# -W: master-worker mode
+ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -f $CFGDIR -c -q $OPTIONS
-ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -p $PIDFILE
+ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -f $CFGDIR -p $PIDFILE $OPTIONS
-ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
+ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -f $CFGDIR -c -q $OPTIONS
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=mixed
 SuccessExitStatus=143
 Type=notify
 [Install]
--- a/haproxy.spec
+++ b/haproxy.spec
@ -4,19 +4,18 @@
 %global _hardened_build   1
 Name:             haproxy
-Version:          2.4.8
+Version:          2.6.6
-Release:          2
+Release:          1
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 License:          GPLv2+
 URL:              https://www.haproxy.org/
-Source0:          https://www.haproxy.org/download/2.4/src/%{name}-%{version}.tar.gz
+Source0:          https://www.haproxy.org/download/2.6/src/%{name}-%{version}.tar.gz
 Source1:          %{name}.service
 Source2:          %{name}.cfg
 Source3:          %{name}.logrotate
 Source4:          %{name}.sysconfig
 Patch0:           CVE-2022-0711.patch
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre):    shadow-utils
@ -31,13 +30,9 @@ web sites and powers quite a number of the world's most visited ones.
 %prep
 %autosetup -n %{name}-%{version} -p1
 %build
 use_regparm_opt=
 %ifarch %ix86 x86_64
 use_regparm_opt="USE_REGPARM=1"
 %endif
 %make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 \
-    USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 ${use_regparm_opt} \
+    USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 \
    ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
 %make_build admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
@ -59,6 +54,7 @@ install -p -D -m 0644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/%{name}
 install -p -D -m 0644 %{SOURCE4} .%{_sysconfdir}/sysconfig/%{name}
 install -d -m 0755 .%{_bindir}
 install -d -m 0755 .%{_localstatedir}/lib/haproxy
 install -d -m 0755 .%{_sysconfdir}/haproxy/conf.d
 install -d -m 0755 .%{_datadir}/haproxy
 popd
@ -110,16 +106,23 @@ exit 0
 %{_bindir}/ip6range
 %{_sbindir}/%{name}
 %{_unitdir}/%{name}.service
 %dir %{_sysconfdir}/haproxy/conf.d
 %dir %{_localstatedir}/lib/haproxy
 %dir %{_datadir}/haproxy
 %{_datadir}/haproxy/*
 %files help
 %defattr(-,root,root)
-%doc doc/* examples/* CHANGELOG README ROADMAP VERSION
+%doc doc/* examples/* CHANGELOG README VERSION
 %{_mandir}/man1/*
 %changelog
 * Sat Oct 22 2022 xinghe <xinghe2@h-partners.com> - 2.6.6-1
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:upgrade to 2.6.6
 * Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.4.8-2
 - Fix CVE-2022-0711