Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

haproxy: bump to version 1.5.14

Browse source 
- this fixes CVE-2015-3281 and CVE-2014-6269

Signed-off-by: heil <heil@terminal-consulting.de>
This commit is contained in:
heil 2015-07-12 21:58:21 +02:00
parent bddb5b4b46
commit b4b1bcfcf8
7 changed files with 54 additions and 288 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
net/haproxy/Makefile
View file

@ -9,31 +9,64 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy PKG_NAME:=haproxy
PKG_VERSION:=1.5.2 PKG_VERSION:=1.5.14
PKG_RELEASE:=06 PKG_RELEASE:=00
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/ PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_MD5SUM:=e854fed32ea751d6db7f366cb910225a PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_MD5SUM:=ad9d7262b96ba85a0f8c6acc6cb9edde
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de> PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
PKG_LICENSE:=GPL-2.0 PKG_LICENSE:=GPL-2.0
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
define Package/haproxy define Package/haproxy/Default
SUBMENU:=Web Servers/Proxies SUBMENU:=Web Servers/Proxies
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=The Reliable, High Performance TCP/HTTP Load Balancer TITLE:=The Reliable, High Performance TCP/HTTP Load Balancer
URL:=http://haproxy.1wt.eu/ URL:=http://haproxy.1wt.eu/
DEPENDS:=+libpcre +libltdl +libopenssl +zlib +libpthread
endef endef
define Package/haproxy/conffiles define Package/haproxy/Default/conffiles
/etc/haproxy.cfg /etc/haproxy.cfg
endef endef
define Package/haproxy/Default/description
Open source Reliable, High Performance TCP/HTTP Load Balancer.
endef
define Package/haproxy
DEPENDS+= +libpcre +libltdl +zlib +libpthread +libopenssl
TITLE+= (with SSL support)
VARIANT:=ssl
$(call Package/haproxy/Default)
endef
define Package/haproxy/conffiles
$(call Package/haproxy/Default/conffiles)
endef
define Package/haproxy/description define Package/haproxy/description
Open source High Performance TCP/HTTP Load Balancer $(call Package/haproxy/Default/description)
This package is built with SSL support.
endef
define Package/haproxy-nossl
TITLE+= (without SSL support)
VARIANT:=nossl
DEPENDS+= +libpcre +libltdl +zlib +libpthread
TITLE+= (with SSL support)
$(call Package/haproxy/Default)
endef
define Package/haproxy-nossl/conffiles
$(call Package/haproxy/Default/conffiles)
endef
define Package/haproxy-nossl/description
$(call Package/haproxy/Default/description)
This package is built without SSL support.
endef endef
ifeq ($(CONFIG_avr32),y) ifeq ($(CONFIG_avr32),y)
@ -42,6 +75,12 @@ else
LINUX_TARGET:=linux2628 LINUX_TARGET:=linux2628
endif endif
ifeq ($(BUILD_VARIANT),ssl)
USE_OPENSSL=USE_OPENSSL=1
else
USE_OPENSSL=
endif
define Build/Compile define Build/Compile
$(MAKE) TARGET=$(LINUX_TARGET) -C $(PKG_BUILD_DIR) \ $(MAKE) TARGET=$(LINUX_TARGET) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \ DESTDIR="$(PKG_INSTALL_DIR)" \
@ -49,22 +88,16 @@ define Build/Compile
CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \ CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
LD="$(TARGET_CC)" \ LD="$(TARGET_CC)" \
LDFLAGS="$(TARGET_LDFLAGS)" \ LDFLAGS="$(TARGET_LDFLAGS)" \
ADDLIB="-lcrypto" \ PCREDIR="$(STAGING_DIR)/usr" \
PCREDIR="$(STAGING_DIR)/usr/include" \
SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \ SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 USE_OPENSSL=1 \ USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 $(USE_OPENSSL) \
USE_ZLIB=yes USE_PCRE=1 \ USE_ZLIB=yes USE_PCRE=1 \
VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \ VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
install install
$(MAKE) -C $(PKG_BUILD_DIR)/contrib/halog \ $(MAKE) -C $(PKG_BUILD_DIR)/contrib/halog \
DESTDIR="$(PKG_INSTALL_DIR)" \ CC="$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS)" \
CC="$(TARGET_CC)" \ OPTIMIZE="" \
CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
LD="$(TARGET_CC)" \
LDFLAGS="$(TARGET_LDFLAGS)" \
ADDLIB="-lcrypto" \
VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
halog halog
endef endef
@ -79,9 +112,11 @@ define Package/haproxy/install
$(INSTALL_BIN) ./files/haproxy.hotplug $(1)/etc/hotplug.d/net/90-haproxy $(INSTALL_BIN) ./files/haproxy.hotplug $(1)/etc/hotplug.d/net/90-haproxy
endef endef
Package/haproxy-nossl/install = $(Package/haproxy/install)
define Package/halog define Package/halog
MENU:=1 MENU:=1
$(call Package/haproxy) $(call Package/haproxy/Default)
TITLE+= halog TITLE+= halog
DEPENDS:=haproxy DEPENDS:=haproxy
endef endef
@ -95,5 +130,6 @@ define Package/halog/install
$(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/halog/halog $(1)/usr/bin/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/halog/halog $(1)/usr/bin/
endef endef
$(eval $(call BuildPackage,haproxy-nossl))
$(eval $(call BuildPackage,haproxy)) $(eval $(call BuildPackage,haproxy))
$(eval $(call BuildPackage,halog)) $(eval $(call BuildPackage,halog))

29
net/haproxy/patches/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
View file

@ -1,29 +0,0 @@
From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 12 Jul 2014 17:31:07 +0200
Subject: [PATCH 1/2] DOC: mention that Squid correctly responds 400 to PPv2
header
Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630
were confirmed to respond correctly here and that any version will do
the same.
(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad)
---
doc/proxy-protocol.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
index a2dbcea..a3925a4 100644
--- a/doc/proxy-protocol.txt
+++ b/doc/proxy-protocol.txt
@@ -692,6 +692,7 @@ presented, even with minimal implementations :
- thttpd 2.20c : 400 Bad Request + abort => pass/optimal
- mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal
- haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal
+ - Squid 3 : 400 Bad Request + abort => pass/optimal
- SSL :
- stud 0.3.47 : connection abort => pass/optimal
- stunnel 4.45 : connection abort => pass/optimal
--
1.8.5.5

29
net/haproxy/patches/0002-DOC-fix-typo-in-Unix-Socket-commands.patch
View file

@ -1,29 +0,0 @@
From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
Date: Sat, 12 Jul 2014 18:22:42 +0200
Subject: [PATCH 2/2] DOC: fix typo in Unix Socket commands
Konstantin Romanenko reported a typo in the HTML documentation. The typo is
already present in the raw text version : the "shutdown sessions" command
should be "shutdown sessions server".
(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index ca21f7d..2d71555 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13869,7 +13869,7 @@ shutdown session <id>
endless transfer is ongoing. Such terminated sessions are reported with a 'K'
flag in the logs.
-shutdown sessions <backend>/<server>
+shutdown sessions server <backend>/<server>
Immediately terminate all the sessions attached to the specified server. This
can be used to terminate long-running sessions after a server is put into
maintenance mode, for instance. Such terminated sessions are reported with a
--
1.8.5.5

101
net/haproxy/patches/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
View file

@ -1,101 +0,0 @@
From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
Date: Tue, 15 Jul 2014 11:36:40 +0200
Subject: [PATCH 3/3] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(),
leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange.
This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time.
Note: this fix must be backported to 1.5.
(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570)
---
src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 7 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 375225d..cf8adc7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -105,6 +105,13 @@ enum {
int sslconns = 0;
int totalsslconns = 0;
+#ifndef OPENSSL_NO_DH
+static DH *local_dh_1024 = NULL;
+static DH *local_dh_2048 = NULL;
+static DH *local_dh_4096 = NULL;
+static DH *local_dh_8192 = NULL;
+#endif /* OPENSSL_NO_DH */
+
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
struct certificate_ocsp {
struct ebmb_node key;
@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
}
if (keylen >= 8192) {
- dh = ssl_get_dh_8192();
+ dh = local_dh_8192;
}
else if (keylen >= 4096) {
- dh = ssl_get_dh_4096();
+ dh = local_dh_4096;
}
else if (keylen >= 2048) {
- dh = ssl_get_dh_2048();
+ dh = local_dh_2048;
}
else {
- dh = ssl_get_dh_1024();
+ dh = local_dh_1024;
}
return dh;
@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
if (global.tune.ssl_default_dh_param <= 1024) {
/* we are limited to DH parameter of 1024 bits anyway */
- dh = ssl_get_dh_1024();
- if (dh == NULL)
+ local_dh_1024 = ssl_get_dh_1024();
+ if (local_dh_1024 == NULL)
goto end;
- SSL_CTX_set_tmp_dh(ctx, dh);
+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
}
else {
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
global.tune.ssl_default_dh_param = 1024;
}
+#ifndef OPENSSL_NO_DH
+ if (global.tune.ssl_default_dh_param >= 1024) {
+ if (local_dh_1024 == NULL) {
+ local_dh_1024 = ssl_get_dh_1024();
+ }
+ if (global.tune.ssl_default_dh_param >= 2048) {
+ if (local_dh_2048 == NULL) {
+ local_dh_2048 = ssl_get_dh_2048();
+ }
+ if (global.tune.ssl_default_dh_param >= 4096) {
+ if (local_dh_4096 == NULL) {
+ local_dh_4096 = ssl_get_dh_4096();
+ }
+ if (global.tune.ssl_default_dh_param >= 8192 &&
+ local_dh_8192 == NULL) {
+ local_dh_8192 = ssl_get_dh_8192();
+ }
+ }
+ }
+ }
+#endif /* OPENSSL_NO_DH */
+
SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
--
1.8.5.5

35
net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
View file

@ -1,35 +0,0 @@
From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 15 Jul 2014 21:34:06 +0200
Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
version of base32
We're using the internal memory representation of base32 here, which is
wrong since these data might be exported to headers for logs or be used
to stick to a server and replicated to other peers. Let's convert base32
to big endian (network representation) when building the binary block.
This mistake is also present in 1.5, it would be better to backport it.
(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568)
---
src/proto_http.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 94afed7..b7ed85d 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in
return 0;
temp = get_trash_chunk();
- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
- temp->len += sizeof(smp->data.uint);
+ *(unsigned int *)temp->str = htonl(smp->data.uint);
+ temp->len += sizeof(unsigned int);
switch (cli_conn->addr.from.ss_family) {
case AF_INET:
--
1.8.5.5

42
net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
View file

@ -1,42 +0,0 @@
From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
From: Dave McCowan <11235david@gmail.com>
Date: Thu, 17 Jul 2014 14:34:01 -0400
Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
building a proxy v2 header
Use temporary trash chunk, instead of global trash chunk in
make_proxy_line_v2() to avoid memory overwrite.
This fix must also be backported to 1.5.
(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
---
src/connection.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 20a911b..3435b1a 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
char *value = NULL;
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
+ struct chunk *cn_trash;
#endif
if (buf_len < PP2_HEADER_LEN)
@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
+ cn_trash = get_trash_chunk();
+ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len;
}
}
--
1.8.5.5

34
net/haproxy/patches/0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch
View file

@ -1,34 +0,0 @@
From 04b80cd29b23d02f373c095569e871275d128b43 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 19 Jul 2014 06:37:33 +0200
Subject: [PATCH 6/6] BUG/MEDIUM: connection: fix proxy v2 header again!
Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory corruption
when building a proxy v2 header") was wrong, using &cn_trash instead
of cn_trash resulting in a warning and the client's SSL cert CN not
being stored at the proper location.
Thanks to Lukas Tribus for spotting this quickly.
This should be backported to 1.5 after the patch above is backported.
(cherry picked from commit 3b9a0c9d4d083d749846d66f9bd4caabafe4ee78)
---
src/connection.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/connection.c b/src/connection.c
index 3435b1a..2dd2c02 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -684,7 +684,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
cn_trash = get_trash_chunk();
- if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
+ if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len;
}
--
1.8.5.5