diff --git a/.gitignore b/.gitignore
index bd5626b..7da6c8b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/haproxy-1.5.4.tar.gz
+SOURCES/haproxy-1.5.14.tar.gz
diff --git a/.haproxy.metadata b/.haproxy.metadata
index 1918205..43bc9cd 100644
--- a/.haproxy.metadata
+++ b/.haproxy.metadata
@@ -1 +1 @@
-3387f1038128fb3291fff8be9b94808e32cc0f8d SOURCES/haproxy-1.5.4.tar.gz
+159f5beb8fdc6b8059ae51b53dc935d91c0fb51f SOURCES/haproxy-1.5.14.tar.gz
diff --git a/SOURCES/haproxy-buffer-slow-realign.patch b/SOURCES/haproxy-buffer-slow-realign.patch
deleted file mode 100644
index 2d558e4..0000000
--- a/SOURCES/haproxy-buffer-slow-realign.patch
+++ /dev/null
@@ -1,141 +0,0 @@ -From 039ee0a1f892c7a6445ad976ced57d395d2d4b43 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Thu, 2 Jul 2015 12:50:23 +0200 -Subject: [PATCH] BUG/MAJOR: buffers: make the buffer_slow_realign() function - respect output data - -The function buffer_slow_realign() was initially designed for requests -only and did not consider pending outgoing data. This causes a problem -when called on responses where data remain in the buffer, which may -happen with pipelined requests when the client is slow to read data. - -The user-visible effect is that if less than bytes are -present in the buffer from a previous response and these bytes cross -the boundary close to the end of the buffer, then a new -response will cause a realign and will destroy these pending data and -move the pointer to what's believed to contain pending output data. -Thus the client receives the crap that lies in the buffer instead of -the original output bytes. - -This new implementation now properly realigns everything including the -outgoing data which are moved to the end of the buffer while the input -data are moved to the beginning. - -This implementation still uses a buffer-to-buffer copy which is not -optimal in terms of performance and which should be replaced by a -buffer switch later. 
- -Prior to this patch, the following script would return different hashes -on each round when run from a 100 Mbps-connected machine : - - i=0 - while usleep 100000; do - echo round $((i++)) - set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum) - if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi - done - -The file contains 1000 times this request with "Connection: close" on the -last one : - - GET /?s=5k&R=1 HTTP/1.1 - -The config is very simple : - - global - tune.bufsize 16384 - tune.maxrewrite 8192 - - defaults - mode http - timeout client 10s - timeout server 5s - timeout connect 3s - - listen px - bind :8001 - option http-server-close - server s1 127.0.0.1:8000 - -And httpterm-1.7.2 is used as the server on port 8000. - -After the fix, 1 million requests were sent and all returned the same -contents. - -Many thanks to Charlie Smurthwaite of atechmedia.com for his precious -help on this issue, which would not have been diagnosed without his -very detailed traces and numerous tests. - -The patch must be backported to 1.5 which is where the bug was introduced. -(cherry picked from commit 27187ab56a2f1104818c2f21c5139c1edd8b838f) ---- - src/buffer.c | 49 +++++++++++++++++++++++++++++-------------------- - 1 file changed, 29 insertions(+), 20 deletions(-) - -diff --git a/src/buffer.c b/src/buffer.c -index 91bee63..f5c8e1d 100644 ---- a/src/buffer.c -+++ b/src/buffer.c -@@ -102,30 +102,39 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len) - return delta; - } - --/* This function realigns input data in a possibly wrapping buffer so that it -- * becomes contiguous and starts at the beginning of the buffer area. The -- * function may only be used when the buffer's output is empty. -+/* This function realigns a possibly wrapping buffer so that the input part is -+ * contiguous and starts at the beginning of the buffer and the output part -+ * ends at the end of the buffer. 
This provides the best conditions since it -+ * allows the largest inputs to be processed at once and ensures that once the -+ * output data leaves, the whole buffer is available at once. - */ - void buffer_slow_realign(struct buffer *buf) - { -- /* two possible cases : -- * - the buffer is in one contiguous block, we move it in-place -- * - the buffer is in two blocks, we move it via the swap_buffer -- */ -- if (buf->i) { -- int block1 = buf->i; -- int block2 = 0; -- if (buf->p + buf->i > buf->data + buf->size) { -- /* non-contiguous block */ -- block1 = buf->data + buf->size - buf->p; -- block2 = buf->p + buf->i - (buf->data + buf->size); -- } -- if (block2) -- memcpy(swap_buffer, buf->data, block2); -- memmove(buf->data, buf->p, block1); -- if (block2) -- memcpy(buf->data + block1, swap_buffer, block2); -+ int block1 = buf->o; -+ int block2 = 0; -+ -+ /* process output data in two steps to cover wrapping */ -+ if (block1 > buf->p - buf->data) { -+ block2 = buf->p - buf->data; -+ block1 -= block2; -+ } -+ memcpy(swap_buffer + buf->size - buf->o, bo_ptr(buf), block1); -+ memcpy(swap_buffer + buf->size - block2, buf->data, block2); -+ -+ /* process input data in two steps to cover wrapping */ -+ block1 = buf->i; -+ block2 = 0; -+ -+ if (block1 > buf->data + buf->size - buf->p) { -+ block1 = buf->data + buf->size - buf->p; -+ block2 = buf->i - block1; - } -+ memcpy(swap_buffer, bi_ptr(buf), block1); -+ memcpy(swap_buffer + block1, buf->data, block2); -+ -+ /* reinject changes into the buffer */ -+ memcpy(buf->data, swap_buffer, buf->i); -+ memcpy(buf->data + buf->size - buf->o, swap_buffer + buf->size - buf->o, buf->o); - - buf->p = buf->data; - } --- -1.8.1.4 - diff --git a/SOURCES/haproxy-tcp-user-timeout.patch b/SOURCES/haproxy-tcp-user-timeout.patch index 4fc3394..1d3153c 100644 --- a/SOURCES/haproxy-tcp-user-timeout.patch +++ b/SOURCES/haproxy-tcp-user-timeout.patch 
@@ -1,4 +1,4 @@ -From 6248d4bad6a79ca6a39d5a60ac038bf22eb28dae Mon Sep 17 00:00:00 2001 +From a8d1818959a7a2351d94e077b60e84b0b35ec231 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 4 Feb 2015 00:45:58 +0100 Subject: [PATCH] MEDIUM: tcp: implement tcp-ut bind option to set @@ -23,10 +23,10 @@ Thanks to Thijs Houtenbos and John Eckersberg for the suggestion. 3 files changed, 55 insertions(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt -index 19df5ae..12b9236 100644 +index 6714afb..e131e99 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt -@@ -8547,6 +8547,19 @@ strict-sni +@@ -8637,6 +8637,19 @@ strict-sni a certificate. The default certificate is not used. See the "crt" option for more information. @@ -59,10 +59,10 @@ index 83b63af..2d71df6 100644 struct list by_fe; /* chaining in frontend's list of listeners */ diff --git a/src/proto_tcp.c b/src/proto_tcp.c -index 72dc92b..f833861 100644 +index cfa62f7..e98a9fb 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c -@@ -829,6 +829,15 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen) +@@ -838,6 +838,15 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen) } } #endif @@ -78,7 +78,7 @@ index 72dc92b..f833861 100644 #if defined(TCP_DEFER_ACCEPT) if (listener->options & LI_O_DEF_ACCEPT) { /* defer accept by up to one second */ -@@ -1973,8 +1982,36 @@ static int bind_parse_mss(char **args, int cur_arg, struct proxy *px, struct bin +@@ -1986,8 +1995,36 @@ static int bind_parse_mss(char **args, int cur_arg, struct proxy *px, struct bin } #endif 
@@ -116,7 +116,7 @@ index 72dc92b..f833861 100644 static int bind_parse_interface(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) { struct listener *l; -@@ -2043,6 +2080,9 @@ static struct bind_kw_list bind_kws = { "TCP", { }, { +@@ -2056,6 +2093,9 @@ static struct bind_kw_list bind_kws = { "TCP", { }, { #ifdef TCP_MAXSEG { "mss", bind_parse_mss, 1 }, /* set MSS of listening socket */ #endif @@ -127,5 +127,5 @@ index 72dc92b..f833861 100644 { "tfo", bind_parse_tfo, 0 }, /* enable TCP_FASTOPEN of listening socket */ #endif -- -1.8.1.4 +1.9.3 diff --git a/SOURCES/haproxy.service b/SOURCES/haproxy.service index 64f1cc6..c1852bd 100644 --- a/SOURCES/haproxy.service +++ b/SOURCES/haproxy.service @@ -3,7 +3,8 @@ Description=HAProxy Load Balancer After=syslog.target network.target [Service] -ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid +EnvironmentFile=/etc/sysconfig/haproxy +ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS ExecReload=/bin/kill -USR2 $MAINPID [Install] diff --git a/SOURCES/haproxy.sysconfig b/SOURCES/haproxy.sysconfig new file mode 100644 index 0000000..2b38e35 --- /dev/null +++ b/SOURCES/haproxy.sysconfig @@ -0,0 +1,4 @@ +# Add extra options to the haproxy daemon here. This can be useful for +# specifying multiple configuration files with multiple -f options. +# See haproxy(1) for a complete list of options. +OPTIONS="" diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec index 3753dfa..32b76f3 100644 --- a/SPECS/haproxy.spec +++ b/SPECS/haproxy.spec @@ -7,8 +7,8 @@ %global _hardened_build 1 Name: haproxy -Version: 1.5.4 -Release: 4%{?dist}.1 +Version: 1.5.14 +Release: 3%{?dist} Summary: TCP/HTTP proxy and load balancer for high availability environments Group: System Environment/Daemons 
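Review bot: `EnvironmentFile=/etc/sysconfig/haproxy` in the haproxy.service hunk makes the unit fail to start if that file is ever removed, because systemd treats a missing non-optional EnvironmentFile as a start error; the resilient form is `EnvironmentFile=-/etc/sysconfig/haproxy`, where the leading `-` ignores a missing file while still loading it when present. The spec installs the file as `%config(noreplace)`, so fresh installs are fine, but an administrator who deletes it expecting built-in defaults would lock the service out. The unchanged `ExecReload=/bin/kill -USR2 $MAINPID` also deserves a look: if the wrapper re-executes haproxy with its original arguments on USR2, edits to OPTIONS only take effect on a full restart, which is worth a one-line comment in the sysconfig file so operators do not expect reload to pick them up.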
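Review bot: The header comment of the new haproxy.sysconfig does not say that whatever is placed in OPTIONS becomes command-line arguments of the daemon launched by the unit (presumably as root, since no User= is visible in the service hunk), nor how the value is split: systemd expands an unquoted `$OPTIONS` into separate arguments on whitespace. A line such as `# OPTIONS is split on whitespace into separate haproxy arguments; keep this file root-owned and not world-writable.` would make both properties explicit for the person editing it. The spec hunk installing the file with `-m 0644` already satisfies the permission part, so this is documentation only.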
@@ -19,12 +19,12 @@ Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.g Source1: %{name}.service Source2: %{name}.cfg Source3: %{name}.logrotate -Source4: halog.1 +Source4: %{name}.sysconfig +Source5: halog.1 Patch0: halog-unused-variables.patch Patch1: iprange-return-type.patch Patch2: haproxy-tcp-user-timeout.patch -Patch3: haproxy-buffer-slow-realign.patch BuildRequires: pcre-devel BuildRequires: zlib-devel @@ -55,7 +55,6 @@ availability environments. Indeed, it can: %patch0 -p0 %patch1 -p0 %patch2 -p1 -%patch3 -p1 %build regparm_opts= @@ -80,7 +79,8 @@ popd %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service %{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg %{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} -%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_mandir}/man1/halog.1 +%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} +%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 %{__install} -d -m 0755 %{buildroot}%{haproxy_home} %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir} %{__install} -d -m 0755 %{buildroot}%{_bindir} @@ -130,6 +130,7 @@ exit 0 %{haproxy_datadir}/* %config(noreplace) %{haproxy_confdir}/%{name}.cfg %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} +%config(noreplace) %{_sysconfdir}/sysconfig/%{name} %{_unitdir}/%{name}.service %{_sbindir}/%{name} %{_sbindir}/%{name}-systemd-wrapper 
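Review bot: Dropping `Patch3: haproxy-buffer-slow-realign.patch` here (and `%patch3 -p1` in the second hunk) makes the CVE-2015-3281 fix depend entirely on the 1.5.14 tarball whose lookaside hash the .haproxy.metadata hunk updates, and only the changelog records that; a comment beside the patch list, `# buffer_slow_realign() fix (CVE-2015-3281) is upstream as of 1.5.14; no longer patched here`, would document the dependency for the next rebase. Renumbering halog.1 from Source4 to Source5 to make room for the sysconfig file is avoidable churn: declaring the new file as Source5 would have left the existing halog.1 install line in the third hunk untouched. The fourth hunk's `%config(noreplace)` entry matches the `-m 0644` install of the sysconfig file and looks correct.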
@@ -139,14 +140,26 @@ exit 0 %attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home} %changelog -* Thu Jul 16 2015 Ryan O'Hara - 1.5.4-4.1 -- Fix buffer_slow_realign() function to respect output data (CVE-2015-3281, #1241537) +* Tue Aug 25 2015 Ryan O'Hara - 1.5.14-3 +- Add EnvironmentFile to systemd service (#1191675) -* Thu May 21 2015 Ryan O'Hara - 1.5.4-4 -- Define TCP_USER_TIMEOUT at build time (#1198791) +* Mon Jul 06 2015 Ryan O'Hara - 1.5.14-1 +- Update to stable release 1.5.14 (CVE-2015-3281, #1212193) -* Tue May 05 2015 Ryan O'Hara - 1.5.4-3 -- Add tcp-ut bind option to set TCP_USER_TIMEOUT (#1198791) +* Wed Jun 24 2015 Ryan O'Hara - 1.5.12-2 +- Rebase TCP uset timeout patch for 1.5.12 release (#1212193) + +* Tue Jun 23 2015 Ryan O'Hara - 1.5.12-1 +- Update to stable release 1.5.12 (#1212193) + +* Thu May 21 2015 Ryan O'Hara - 1.5.4-5 +- Define TCP_USER_TIMEOUT at build time (#1190776) + +* Wed Mar 04 2015 Ryan O'Hara - 1.5.4-4 +- Read sysconfig file for extra options (#1191675) + +* Wed Mar 04 2015 Ryan O'Hara - 1.5.4-3 +- Add tcp-ut bind option to set TCP_USER_TIMEOUT (#1190776) * Tue Nov 18 2014 Ryan O'Hara - 1.5.4-2 - Fix date in changelog