From: heil
Date: Sun, 12 Jul 2015 19:58:21 +0000 (+0200)
Subject: haproxy: bump to version 1.5.14
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=b4b1bcfcf8d1379c88c6df751898ee6f222a1175;p=feed%2Fpackages.git
haproxy: bump to version 1.5.14
- this fixes CVE-2015-3281 and CVE-2014-6269
Signed-off-by: heil
---
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index c13d265fa1..6ac8a3a634 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -9,31 +9,64 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
-PKG_VERSION:=1.5.2
-PKG_RELEASE:=06
+PKG_VERSION:=1.5.14
+PKG_RELEASE:=00
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
-PKG_MD5SUM:=e854fed32ea751d6db7f366cb910225a
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_MD5SUM:=ad9d7262b96ba85a0f8c6acc6cb9edde
 PKG_MAINTAINER:=Thomas Heil
 PKG_LICENSE:=GPL-2.0
 include $(INCLUDE_DIR)/package.mk
-define Package/haproxy
+define Package/haproxy/Default
 SUBMENU:=Web Servers/Proxies
 SECTION:=net
 CATEGORY:=Network
 TITLE:=The Reliable, High Performance TCP/HTTP Load Balancer
 URL:=http://haproxy.1wt.eu/
- DEPENDS:=+libpcre +libltdl +libopenssl +zlib +libpthread
 endef
-define Package/haproxy/conffiles
+define Package/haproxy/Default/conffiles
 /etc/haproxy.cfg
 endef
+define Package/haproxy/Default/description
+ Open source Reliable, High Performance TCP/HTTP Load Balancer.
+endef
+
+define Package/haproxy
+ DEPENDS+= +libpcre +libltdl +zlib +libpthread +libopenssl
+ TITLE+= (with SSL support)
+ VARIANT:=ssl
+$(call Package/haproxy/Default)
+endef
+
+define Package/haproxy/conffiles
+$(call Package/haproxy/Default/conffiles)
+endef
+
 define Package/haproxy/description
- Open source High Performance TCP/HTTP Load Balancer
+$(call Package/haproxy/Default/description)
+ This package is built with SSL support.
+endef
+
+define Package/haproxy-nossl
+ TITLE+= (without SSL support)
+ VARIANT:=nossl
+ DEPENDS+= +libpcre +libltdl +zlib +libpthread
+ TITLE+= (with SSL support)
+$(call Package/haproxy/Default)
+endef
+
+define Package/haproxy-nossl/conffiles
+$(call Package/haproxy/Default/conffiles)
+endef
+
+define Package/haproxy-nossl/description
+$(call Package/haproxy/Default/description)
+ This package is built without SSL support.
 endef
 ifeq ($(CONFIG_avr32),y)
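Review bot: `Package/haproxy-nossl` appends both `TITLE+= (without SSL support)` and, three lines later, `TITLE+= (with SSL support)`; the second line is evidently a copy-paste leftover from `Package/haproxy` and should be removed. The ordering in both variant blocks also looks wrong: the `TITLE+=`/`DEPENDS+=` lines come before `$(call Package/haproxy/Default)`, and Default assigns `TITLE:=The Reliable, High Performance TCP/HTTP Load Balancer`, so if the define body is evaluated top to bottom as ordinary make assignments that `:=` discards the suffix appended before it; putting the `$(call Package/haproxy/Default)` line first, as `Package/halog` does further down, avoids that. The new `PKG_MD5SUM` is the sole integrity pin on a tarball fetched over plain `http://`, so its value should be confirmed against the checksum upstream publishes for 1.5.14 before merging.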
@@ -42,6 +75,12 @@ else
 LINUX_TARGET:=linux2628
 endif
+ifeq ($(BUILD_VARIANT),ssl)
+ USE_OPENSSL=USE_OPENSSL=1
+else
+ USE_OPENSSL=
+endif
+
 define Build/Compile
 $(MAKE) TARGET=$(LINUX_TARGET) -C $(PKG_BUILD_DIR) \
 DESTDIR="$(PKG_INSTALL_DIR)" \
@@ -49,22 +88,16 @@ define Build/Compile
 CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
 LD="$(TARGET_CC)" \
 LDFLAGS="$(TARGET_LDFLAGS)" \
- ADDLIB="-lcrypto" \
- PCREDIR="$(STAGING_DIR)/usr/include" \
+ PCREDIR="$(STAGING_DIR)/usr" \
 SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
- USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 USE_OPENSSL=1 \
+ USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 $(USE_OPENSSL) \
 USE_ZLIB=yes USE_PCRE=1 \
 VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
 install
 $(MAKE) -C $(PKG_BUILD_DIR)/contrib/halog \
- DESTDIR="$(PKG_INSTALL_DIR)" \
- CC="$(TARGET_CC)" \
- CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
- LD="$(TARGET_CC)" \
- LDFLAGS="$(TARGET_LDFLAGS)" \
- ADDLIB="-lcrypto" \
- VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
+ CC="$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS)" \
+ OPTIMIZE="" \
 halog
 endef
@@ -79,9 +112,11 @@ define Package/haproxy/install
 $(INSTALL_BIN) ./files/haproxy.hotplug $(1)/etc/hotplug.d/net/90-haproxy
 endef
+Package/haproxy-nossl/install = $(Package/haproxy/install)
+
 define Package/halog
 MENU:=1
- $(call Package/haproxy)
+ $(call Package/haproxy/Default)
 TITLE+= halog
 DEPENDS:=haproxy
 endef
@@ -95,5 +130,6 @@ define Package/halog/install
 $(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/halog/halog $(1)/usr/bin/
 endef
+$(eval $(call BuildPackage,haproxy-nossl))
 $(eval $(call BuildPackage,haproxy))
 $(eval $(call BuildPackage,halog))
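Review bot: The new `USE_OPENSSL=USE_OPENSSL=1` assignment reads oddly because the variable holds a complete `NAME=value` argument for the upstream build rather than a plain flag, and a comment would spare the next reader a double-take, e.g. `# Holds the whole USE_OPENSSL=1 argument handed to haproxy's Makefile; empty for the nossl variant`. The rest of this file assigns its own variables with `:=` (`PKG_NAME:=`, `LINUX_TARGET:=`), so `USE_OPENSSL:=USE_OPENSSL=1` and `USE_OPENSSL:=` would match that convention.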
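Review bot: The halog step now packs `$(TARGET_CFLAGS) $(TARGET_LDFLAGS)` into `CC=` and blanks `OPTIMIZE`, which is unusual enough to deserve a comment; something like `# contrib/halog's Makefile does not appear to honour CFLAGS/LDFLAGS (verify), so target flags ride along in CC and its OPTIMIZE default is cleared` would record the reason and let a future reader re-check it against that Makefile. With linker flags in CC every compile step receives them as well, which is harmless only as long as `TARGET_LDFLAGS` carries nothing the compiler rejects. `Build/Compile` begins before this hunk.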
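Review bot: `Package/halog` keeps `DEPENDS:=haproxy`, which after this change names only the SSL variant, so selecting halog alongside the new `haproxy-nossl` package pulls the SSL build in as well, or makes the combination unsatisfiable if the two variants exclude each other. If halog only needs the shared source tree rather than a running haproxy, a dependency on either variant (or none) would be more accurate; if it really needs the SSL build, a one-line comment saying so would stop the next reader from "fixing" it. The alias `Package/haproxy-nossl/install = $(Package/haproxy/install)` relies on `Package/haproxy/install` already being defined above this hunk, and a comment such as `# nossl variant installs the same files as the SSL build` would make its intent explicit.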
diff --git a/net/haproxy/patches/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch b/net/haproxy/patches/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch deleted file mode 100644 index f9daf4022f..0000000000 --- a/net/haproxy/patches/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Sat, 12 Jul 2014 17:31:07 +0200 -Subject: [PATCH 1/2] DOC: mention that Squid correctly responds 400 to PPv2 - header - -Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630 -were confirmed to respond correctly here and that any version will do -the same. -(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad) ---- - doc/proxy-protocol.txt | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt -index a2dbcea..a3925a4 100644 ---- a/doc/proxy-protocol.txt -+++ b/doc/proxy-protocol.txt -@@ -692,6 +692,7 @@ presented, even with minimal implementations : - - thttpd 2.20c : 400 Bad Request + abort => pass/optimal - - mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal - - haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal -+ - Squid 3 : 400 Bad Request + abort => pass/optimal - - SSL : - - stud 0.3.47 : connection abort => pass/optimal - - stunnel 4.45 : connection abort => pass/optimal --- -1.8.5.5 - diff --git a/net/haproxy/patches/0002-DOC-fix-typo-in-Unix-Socket-commands.patch b/net/haproxy/patches/0002-DOC-fix-typo-in-Unix-Socket-commands.patch deleted file mode 100644 index 2a463c8788..0000000000 --- a/net/haproxy/patches/0002-DOC-fix-typo-in-Unix-Socket-commands.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Cyril=20Bont=C3=A9?= -Date: Sat, 12 Jul 2014 18:22:42 +0200 -Subject: [PATCH 2/2] DOC: fix typo in Unix Socket commands - -Konstantin Romanenko reported a typo in the HTML documentation. The typo is -already present in the raw text version : the "shutdown sessions" command -should be "shutdown sessions server". -(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e) ---- - doc/configuration.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index ca21f7d..2d71555 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -13869,7 +13869,7 @@ shutdown session - endless transfer is ongoing. Such terminated sessions are reported with a 'K' - flag in the logs. - --shutdown sessions / -+shutdown sessions server / - Immediately terminate all the sessions attached to the specified server. This - can be used to terminate long-running sessions after a server is put into - maintenance mode, for instance. Such terminated sessions are reported with a --- -1.8.5.5 - diff --git a/net/haproxy/patches/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch b/net/haproxy/patches/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch deleted file mode 100644 index 08c94eb094..0000000000 --- a/net/haproxy/patches/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001 -From: Remi Gacogne -Date: Tue, 15 Jul 2014 11:36:40 +0200 -Subject: [PATCH 3/3] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange - -OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), -leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. -This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. - -Note: this fix must be backported to 1.5. -(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570) ---- - src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++------- - 1 file changed, 36 insertions(+), 7 deletions(-) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 375225d..cf8adc7 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -105,6 +105,13 @@ enum { - int sslconns = 0; - int totalsslconns = 0; - -+#ifndef OPENSSL_NO_DH -+static DH *local_dh_1024 = NULL; -+static DH *local_dh_2048 = NULL; -+static DH *local_dh_4096 = NULL; -+static DH *local_dh_8192 = NULL; -+#endif /* OPENSSL_NO_DH */ -+ - #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB - struct certificate_ocsp { - struct ebmb_node key; -@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen) - } - - if (keylen >= 8192) { -- dh = ssl_get_dh_8192(); -+ dh = local_dh_8192; - } - else if (keylen >= 4096) { -- dh = ssl_get_dh_4096(); -+ dh = local_dh_4096; - } - else if (keylen >= 2048) { -- dh = ssl_get_dh_2048(); -+ dh = local_dh_2048; - } - else { -- dh = ssl_get_dh_1024(); -+ dh = local_dh_1024; - } - - return dh; -@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file) - - if (global.tune.ssl_default_dh_param <= 1024) { - /* we are limited to DH parameter of 1024 bits anyway */ -- dh = ssl_get_dh_1024(); -- if (dh == NULL) -+ local_dh_1024 = ssl_get_dh_1024(); -+ if (local_dh_1024 == NULL) - 
goto end; - -- SSL_CTX_set_tmp_dh(ctx, dh); -+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024); - } - else { - SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh); -@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy - global.tune.ssl_default_dh_param = 1024; - } - -+#ifndef OPENSSL_NO_DH -+ if (global.tune.ssl_default_dh_param >= 1024) { -+ if (local_dh_1024 == NULL) { -+ local_dh_1024 = ssl_get_dh_1024(); -+ } -+ if (global.tune.ssl_default_dh_param >= 2048) { -+ if (local_dh_2048 == NULL) { -+ local_dh_2048 = ssl_get_dh_2048(); -+ } -+ if (global.tune.ssl_default_dh_param >= 4096) { -+ if (local_dh_4096 == NULL) { -+ local_dh_4096 = ssl_get_dh_4096(); -+ } -+ if (global.tune.ssl_default_dh_param >= 8192 && -+ local_dh_8192 == NULL) { -+ local_dh_8192 = ssl_get_dh_8192(); -+ } -+ } -+ } -+ } -+#endif /* OPENSSL_NO_DH */ -+ - SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk); - #if OPENSSL_VERSION_NUMBER >= 0x00907000L - SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); --- -1.8.5.5 - diff --git a/net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch b/net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch deleted file mode 100644 index 80c5ec52da..0000000000 --- a/net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 15 Jul 2014 21:34:06 +0200 -Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian - version of base32 - -We're using the internal memory representation of base32 here, which is -wrong since these data might be exported to headers for logs or be used -to stick to a server and replicated to other peers. Let's convert base32 -to big endian (network representation) when building the binary block. - -This mistake is also present in 1.5, it would be better to backport it. -(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568) ---- - src/proto_http.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/proto_http.c b/src/proto_http.c -index 94afed7..b7ed85d 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in - return 0; - - temp = get_trash_chunk(); -- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint)); -- temp->len += sizeof(smp->data.uint); -+ *(unsigned int *)temp->str = htonl(smp->data.uint); -+ temp->len += sizeof(unsigned int); - - switch (cli_conn->addr.from.ss_family) { - case AF_INET: --- -1.8.5.5 - diff --git a/net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch b/net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch deleted file mode 100644 index 20321fa76a..0000000000 --- a/net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001 -From: Dave McCowan <11235david@gmail.com> -Date: Thu, 17 Jul 2014 14:34:01 -0400 -Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when - building a proxy v2 header - -Use temporary trash chunk, instead of global trash chunk in -make_proxy_line_v2() to avoid memory overwrite. - -This fix must also be backported to 1.5. -(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b) ---- - src/connection.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/connection.c b/src/connection.c -index 20a911b..3435b1a 100644 ---- a/src/connection.c -+++ b/src/connection.c -@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec - char *value = NULL; - struct tlv_ssl *tlv; - int ssl_tlv_len = 0; -+ struct chunk *cn_trash; - #endif - - if (buf_len < PP2_HEADER_LEN) -@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec - tlv->verify = htonl(ssl_sock_get_verify_result(remote)); - } - if (srv->pp_opts & SRV_PP_V2_SSL_CN) { -- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) { -- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str); -+ cn_trash = get_trash_chunk(); -+ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) { -+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str); - ssl_tlv_len += tlv_len; - } - } --- -1.8.5.5 - diff --git a/net/haproxy/patches/0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch b/net/haproxy/patches/0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch deleted file mode 100644 index 3b4cb82e0f..0000000000 --- a/net/haproxy/patches/0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 04b80cd29b23d02f373c095569e871275d128b43 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Sat, 19 Jul 2014 06:37:33 +0200 -Subject: [PATCH 6/6] BUG/MEDIUM: connection: fix proxy v2 header again! - -Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory corruption -when building a proxy v2 header") was wrong, using &cn_trash instead -of cn_trash resulting in a warning and the client's SSL cert CN not -being stored at the proper location. - -Thanks to Lukas Tribus for spotting this quickly. - -This should be backported to 1.5 after the patch above is backported. -(cherry picked from commit 3b9a0c9d4d083d749846d66f9bd4caabafe4ee78) ---- - src/connection.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/connection.c b/src/connection.c -index 3435b1a..2dd2c02 100644 ---- a/src/connection.c -+++ b/src/connection.c -@@ -684,7 +684,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec - } - if (srv->pp_opts & SRV_PP_V2_SSL_CN) { - cn_trash = get_trash_chunk(); -- if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) { -+ if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) { - tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str); - ssl_tlv_len += tlv_len; - } --- -1.8.5.5 -