From 9d9774342f0d8d3f392191723b4f1cd709cd484c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 16 2023 06:07:52 +0000
Subject: import rsyslog-8.2102.0-13.el8


---

diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
new file mode 100644
index 0000000..886e174
--- /dev/null
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
@@ -0,0 +1,23 @@
+--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
++++ rsyslog-8.2102.0/doc/configuration/global/index.html	2022-09-07 13:32:10.426621438 +0200
+@@ -119,6 +119,13 @@
+ <a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
+ Defaults to ptcp.</p>
+ </li>
++<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
++This directive allows to configure multiple additional extra CA files.
++This is intended for SSL certificate chains to work appropriately,
++as the different CA files in the chain need to be specified.
++It must be remarked that this directive only works with the OpenSSL driver.
++</p>
++</li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
+ </li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
+@@ -311,4 +318,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>
diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
new file mode 100644
index 0000000..2308b7f
--- /dev/null
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
@@ -0,0 +1,134 @@
+--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-07 13:32:51.623799582 +0200
+@@ -72,6 +72,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
+ 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
+ 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
+ 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
+--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-07 13:17:02.669696053 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-07 13:56:37.678966129 +0200
+@@ -122,6 +122,7 @@
+ static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+ static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+ static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
+ int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
+ static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
+ static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
+@@ -176,6 +177,7 @@
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
++	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
+ 	{ "maxmessagesize", eCmdHdlrSize, 0 },
+ 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
+ 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
+@@ -307,6 +309,8 @@
+ /* TODO: use custom function which frees existing value */
+ SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
+ /* TODO: use custom function which frees existing value */
++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
++/* TODO: use custom function which frees existing value */
+ 
+ #undef SIMP_PROP
+ #undef SIMP_PROP_SET
+@@ -838,6 +842,12 @@
+ 	return(pszDfltNetstrmDrvrCAF);
+ }
+ 
++/* return the extra CA Files, if needed */
++static uchar*
++GetNetstrmDrvrCAExtraFiles(void)
++{
++      return(pszNetstrmDrvrCAExtraFiles);
++}
+ 
+ /* return the current default netstream driver key File */
+ static uchar*
+@@ -925,6 +935,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles)
+ #ifdef USE_UNLIMITED_SELECT
+ 	SIMP_PROP(FdSetSize)
+ #endif
+@@ -941,6 +952,8 @@
+ 	pszDfltNetstrmDrvr = NULL;
+ 	free(pszDfltNetstrmDrvrCAF);
+ 	pszDfltNetstrmDrvrCAF = NULL;
++	free(pszNetstrmDrvrCAExtraFiles);
++	pszNetstrmDrvrCAExtraFiles = NULL;	
+ 	free(pszDfltNetstrmDrvrKeyFile);
+ 	pszDfltNetstrmDrvrKeyFile = NULL;
+ 	free(pszDfltNetstrmDrvrCertFile);
+@@ -1350,6 +1363,9 @@
+ 			free(pszDfltNetstrmDrvr);
+ 			pszDfltNetstrmDrvr = (uchar*)
+ 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
++		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
++			free(pszNetstrmDrvrCAExtraFiles);
++			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
+ 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name,
+@@ -1546,6 +1562,8 @@
+ 	&pszDfltNetstrmDrvrKeyFile, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
+ 	&pszDfltNetstrmDrvrCertFile, NULL));
++	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
++	&pszNetstrmDrvrCAExtraFiles, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
+--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2022-09-07 13:17:02.705696208 +0200
++++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-07 14:09:18.697256943 +0200
+@@ -88,6 +88,7 @@
+ static short bHaveCA;
+ static short bHaveCert;
+ static short bHaveKey;
++static short bHaveExtraCAFiles;
+ static int bAnonInit;
+ static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
+ 
+@@ -414,7 +415,8 @@
+ {
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering osslGlblInit\n");
+-	const char *caFile, *certFile, *keyFile;
++	const char *caFile, *certFile, *keyFile, *extraCaFile;
++	char *extraCaFiles;
+ 
+ 	/* Setup OpenSSL library */
+ 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
+@@ -451,9 +453,27 @@
+ 	} else {
+ 		bHaveKey = 1;
+ 	}
++	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
++	if(extraCaFiles == NULL) {
++		bHaveExtraCAFiles = 0;
++	} else {
++		bHaveExtraCAFiles = 1;
++	}
+ 
+ 	/* Create main CTX Object */
+ 	ctx = SSL_CTX_new(SSLv23_method());
++	if(bHaveExtraCAFiles == 1) {
++		while((extraCaFile = strsep(&extraCaFiles, ","))) {
++			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
++				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
++					"Check at least: 1) file path is correct, 2) file exist, "
++					"3) permissions are correct, 4) file content is correct. "
++					"Open ssl error info may follow in next messages");
++				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
++				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
++			}
++		}
++	}
+ 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
+ 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
+ 				"Check at least: 1) file path is correct, 2) file exist, "
diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch
new file mode 100644
index 0000000..8e46b35
--- /dev/null
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch
@@ -0,0 +1,20 @@
+diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c
+index 6c24b5a2db..78cfc3bae2 100644
+--- a/plugins/imklog/imklog.c
++++ b/plugins/imklog/imklog.c
+@@ -453,6 +453,7 @@ ENDactivateCnf
+ 
+ BEGINfreeCnf
+ CODESTARTfreeCnf
++	free(pModConf->pszBindRuleset);
+ ENDfreeCnf
+ 
+ 
+@@ -475,7 +476,6 @@ CODESTARTmodExit
+ 	if(pInputName != NULL)
+ 		prop.Destruct(&pInputName);
+ 
+-	free(runModConf->pszBindRuleset);
+ 	/* release objects we used */
+ 	objRelease(glbl, CORE_COMPONENT);
+ 	objRelease(net, CORE_COMPONENT);
diff --git a/SOURCES/rsyslog.log b/SOURCES/rsyslog.log
index b101e32..db85401 100644
--- a/SOURCES/rsyslog.log
+++ b/SOURCES/rsyslog.log
@@ -7,6 +7,6 @@
     missingok
     sharedscripts
     postrotate
-        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
+        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
     endscript
 }
diff --git a/SPECS/rsyslog.spec b/SPECS/rsyslog.spec
index 7a10898..642aef2 100644
--- a/SPECS/rsyslog.spec
+++ b/SPECS/rsyslog.spec
@@ -6,7 +6,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2102.0
-Release: 10%{?dist}
+Release: 13%{?dist}
 License: (GPLv3+ and ASL 2.0)
 Group: System Environment/Daemons
 ExcludeArch: i686
@@ -64,6 +64,9 @@ Patch12: rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
 Patch13: rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
 Patch14: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
 Patch15: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
+Patch16: rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
+Patch17: rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
+Patch18: rsyslog-8.2102.0-rhbz2157658-imklog.patch
 
 %package crypto
 Summary: Encryption support
@@ -165,8 +168,8 @@ BuildRequires: postgresql-devel
 Summary: RELP protocol support for rsyslog
 Group: System Environment/Daemons
 Requires: %name = %version-%release
-Requires: librelp >= 1.0.3
-BuildRequires: librelp-devel >= 1.2.16
+Requires: librelp >= 1.9.0
+BuildRequires: librelp-devel >= 1.9.0
 
 %package snmp
 Summary: SNMP protocol support for rsyslog
@@ -304,6 +307,9 @@ mv build doc
 %patch13 -p1 -b .ossl-ciphers-behaviour
 %patch14 -p1 -b .CVE-24903
 %patch15 -p1 -b .gnutls-error-handling
+%patch16 -p1 -b .extra-ca-files
+%patch17 -p1 -b .extra-ca-files-doc
+%patch18 -p1 -b .imklog-heap
 
 %build
 %ifarch sparc64
@@ -548,6 +554,20 @@ done
 %{_libdir}/rsyslog/omudpspoof.so
 
 %changelog
+* Mon Jan 09 2023 Attila Lakatos <alaktos@redhat.com> - 8.2102.0-13
+- Make rsyslog-relp require librelp>= 1.9.0
+  resolves: rhbz#2029352
+- Reorder logrotate parameters to work with POSIXLY_CORRECT env var
+  resolves: rhbz#2070496
+
+* Fri Jan 06 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-12
+- Fix invalid memory adressing in imklog that could cause abort
+  resolves: rhbz#2157658
+
+* Tue Sep 06 2022 Sergio Arroutbi <sarroutb@redhat.com> - 8.2102.0-11
+- Enable multiple SSL CA files
+  resolves: rhbz#2124934
+
 * Wed Apr 13 2022 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-10
 - openssl: Correct gnutlsPriorityString (custom ciphers) behaviour
 - Fix error handling in gtlsRecordRecv that can cause 100 percent CPU usage