diff --git a/CVE-2022-0711.patch b/CVE-2022-0711.patch
deleted file mode 100644
index fd75f80b8096477c1186ccad3645a61c4337b504..0000000000000000000000000000000000000000
--- a/CVE-2022-0711.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
-From: Andrew McDermott
-Date: Fri, 11 Feb 2022 18:26:49 +0000
-Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
- http_manage_server_side_cookies
-
-Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
-header is found then the while(1) loop in
-http_manage_server_side_cookies() will never terminate, resulting in
-the watchdog firing and the process terminating via SIGABRT.
-
-The while(1) loop becomes unbounded because an unmatched call to
-http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
-calls to check for "Set-Cookie2" will now enumerate from the beginning
-of all the blocks and will once again match on subsequent
-passes (assuming a match first time around), hence the loop becoming
-unbounded.
-
-This issue was introduced with HTX and this fix should be backported
-to all versions supporting HTX.
-
-Many thanks to Grant Spence (gspence@redhat.com) for working through
-this issue with me.
----
- src/http_ana.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/http_ana.c b/src/http_ana.c
-index 715dd3a5c5..c2d9d9b439 100644
---- a/src/http_ana.c
-+++ b/src/http_ana.c
-@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
- while (1) {
- int is_first = 1;
-
-- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
-+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
- if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
- break;
- is_cookie2 = 1;
diff --git a/haproxy-2.4.8.tar.gz b/haproxy-2.6.6.tar.gz
similarity index 33%
rename from haproxy-2.4.8.tar.gz
rename to haproxy-2.6.6.tar.gz
index bb64ff4f46966400ca620f98bbac67ad300b6bed..7707bf151b69360db25377d8a759ba88b29fa944 100644
Binary files a/haproxy-2.4.8.tar.gz and b/haproxy-2.6.6.tar.gz differ
diff --git a/haproxy.service b/haproxy.service
index b8c8ee4ba8bb51058868d8ee808cb4c1da0fa3c6..4e6799cd8c3ec84ddcd7dad238d730d4c611e82d 100644
--- a/haproxy.service
+++ b/haproxy.service
@@ -1,15 +1,17 @@
 [Unit]
 Description=HAProxy Load Balancer
-After=network.target
+After=network-online.target
+Wants=network-online.target
 [Service]
-Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
-ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
-# -W: master-worker mode
-ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -p $PIDFILE
-ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
+EnvironmentFile=-/etc/sysconfig/haproxy
+Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
+ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -f $CFGDIR -c -q $OPTIONS
+ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -f $CFGDIR -p $PIDFILE $OPTIONS
+ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -f $CFGDIR -c -q $OPTIONS
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=mixed
+SuccessExitStatus=143
 Type=notify
 [Install]
diff --git a/haproxy.spec b/haproxy.spec
index 9415ae4cf7f8154c24bf715d53d9bfb7a383f373..87c00cf572f34939dd371ddc28cb7de01b70ce97 100644
--- a/haproxy.spec
+++ b/haproxy.spec
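Review bot: The `-f $CFGDIR` added to ExecStartPre, ExecStart and ExecReload makes the unit depend on /etc/haproxy/conf.d being present — as far as I recall HAProxy treats an unreadable `-f` path as a fatal configuration error, so the unit only starts when the directory packaged by haproxy.spec exists — and the hunk drops the `# -W: master-worker mode` comment without replacing it, so none of that is documented in the unit. I would restore a short comment above ExecStart, e.g. `# -Ws: master-worker mode with systemd readiness notification` followed by `# conf.d: HAProxy loads the regular, non-hidden *.cfg files in it in lexical order; the directory must exist`. Keeping the `-c -q` check as the first ExecReload command is the right shape: as I read systemd's Exec semantics, a failing first command stops the remaining ExecReload lines, so a broken drop-in in conf.d is never signalled into the running master via `kill -USR2`.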
@@ -4,19 +4,18 @@
 %global _hardened_build 1
 Name: haproxy
-Version: 2.4.8
-Release: 2
+Version: 2.6.6
+Release: 1
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPLv2+
 URL: https://www.haproxy.org/
-Source0: https://www.haproxy.org/download/2.4/src/%{name}-%{version}.tar.gz
+Source0: https://www.haproxy.org/download/2.6/src/%{name}-%{version}.tar.gz
 Source1: %{name}.service
 Source2: %{name}.cfg
 Source3: %{name}.logrotate
 Source4: %{name}.sysconfig
-Patch0: CVE-2022-0711.patch
 BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre): shadow-utils
@@ -31,13 +30,9 @@ web sites and powers quite a number of the world's most visited ones.
 %prep
 %autosetup -n %{name}-%{version} -p1
 %build
-use_regparm_opt=
-%ifarch %ix86 x86_64
-use_regparm_opt="USE_REGPARM=1"
-%endif
 %make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 \
- USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 ${use_regparm_opt} \
+ USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 \
 ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
 %make_build admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
@@ -59,6 +54,7 @@ install -p -D -m 0644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/%{name}
 install -p -D -m 0644 %{SOURCE4} .%{_sysconfdir}/sysconfig/%{name}
 install -d -m 0755 .%{_bindir}
 install -d -m 0755 .%{_localstatedir}/lib/haproxy
+install -d -m 0755 .%{_sysconfdir}/haproxy/conf.d
 install -d -m 0755 .%{_datadir}/haproxy
 popd
@@ -110,16 +106,23 @@ exit 0
 %{_bindir}/ip6range
 %{_sbindir}/%{name}
 %{_unitdir}/%{name}.service
+%dir %{_sysconfdir}/haproxy/conf.d
 %dir %{_localstatedir}/lib/haproxy
 %dir %{_datadir}/haproxy
 %{_datadir}/haproxy/*
 %files help
 %defattr(-,root,root)
-%doc doc/* examples/* CHANGELOG README ROADMAP VERSION
+%doc doc/* examples/* CHANGELOG README VERSION
 %{_mandir}/man1/*
 %changelog
+* Sat Oct 22 2022 xinghe - 2.6.6-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:upgrade to 2.6.6
+
 * Fri Mar 11 2022 yaoxin - 2.4.8-2
 - Fix CVE-2022-0711
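Review bot: The new changelog entry records only `- DESC:upgrade to 2.6.6`, while the same commit deletes CVE-2022-0711.patch and its `Patch0:` line in the first haproxy.spec hunk; dropping a CVE backport should be stated in the changelog so that anyone auditing the package can see the fix is now expected from the upstream tarball rather than silently lost. The deleted patch's own header dates the upstream commit to 11 Feb 2022, which as far as I can tell predates the 2.6 release, so 2.6.6 should already contain it — worth confirming against the tarball's CHANGELOG before merging. I would extend the entry to `- DESC:upgrade to 2.6.6; drop CVE-2022-0711.patch, fixed upstream`.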