Pullup ticket #6152 - requested by adam
net/haproxy: security fix (CVE-2020-11100)
Revisions pulled up:
- net/haproxy/Makefile 1.60
- net/haproxy/distinfo 1.53
- net/haproxy/options.mk 1.9
---
Module Name: pkgsrc
Committed By: adam
Date: Fri Apr 3 16:34:13 UTC 2020
Modified Files:
pkgsrc/net/haproxy: Makefile distinfo options.mk
Log Message:
haproxy: updated to 2.1.4
2.1.4
- SCRIPTS: make announce-release executable again
- BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
- BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
- BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
- MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
- SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
- MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
- MINOR: filters: Forward data only if the last filter forwards something
- BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
- BUG/MINOR: http-htx: Don't return error if authority is updated without changes
- BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
- MINOR: http-ana: Match on the path if the monitor-uri starts by a /
- BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
- MINOR: ist: add an iststop() function
- BUG/MINOR: http: http-request replace-path duplicates the query string
- BUG/MEDIUM: shctx: make sure to keep all blocks aligned
- MINOR: compiler: move CPU capabilities definition from config.h and complete them
- BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
- BUILD: fix recent build failure on unaligned archs
- CLEANUP: cfgparse: Fix type of second calloc() parameter
- BUG/MINOR: sample: fix the json converter's endian-sensitivity
- BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
- BUG/MINOR: connection: make sure to correctly tag local PROXY connections
- MINOR: compiler: add new alignment macros
- BUILD: ebtree: improve architecture-specific alignment
- BUG/MINOR: h2: reject again empty :path pseudo-headers
- BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
- BUG/MINOR: dns: ignore trailing dot
- BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
- MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
- MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
- BUG/MEDIUM: random: initialize the random pool a bit better
- MINOR: tools: add 64-bit rotate operators
- BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
- MINOR: backend: use a single call to ha_random32() for the random LB algo
- BUG/MINOR: checks/threads: use ha_random() and not rand()
- BUG/MAJOR: list: fix invalid element address calculation
- MINOR: debug: report the task handler's pointer relative to main
- BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
- MINOR: haproxy: export main to ease access from debugger
- BUILD: tools: remove obsolete and conflicting trace() from standard.c
- BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
- DOC: fix incorrect indentation of http_auth_*
- OPTIM: startup: fast unique_id allocation for acl.
- BUG/MINOR: pattern: Do not pass len = 0 to calloc()
- DOC: configuration.txt: fix various typos
- DOC: assorted typo fixes in the documentation and Makefile
- BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
- BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
- REGTEST: make the PROXY TLV validation depend on version 2.2
- BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
- BUG/MINOR: filters: Forward everything if no data filters are called
- MINOR: htx: Add a function to return a block at a specific offset
- BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
- BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
- BUG/MINOR: http-ana: Reset request analysers on a response side error
- BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
- BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
- BUG/MINOR: http-rules: Fix a typo in the reject action function
- BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
- BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
- DOC: fix typo about no-tls-tickets
- DOC: improve description of no-tls-tickets
- DOC: assorted typo fixes in the documentation
- DOC: ssl: clarify security implications of TLS tickets
- BUILD: wdt: only test for SI_TKILL when compiled with thread support
- BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
- MINOR: mt_lists: Appease gcc.
- BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
- BUG/MEDIUM: pools: Always update free_list in pool_gc().
- BUG/MINOR: haproxy: always initialize sleeping_thread_mask
- BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
- BUG/MINOR: haproxy/threads: try to make all threads leave together
- DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
- DOC: correct typo in alert message about rspirep
- BUILD: on ARM, must be linked to libatomic.
- BUILD: makefile: fix regex syntax in ARM platform detection
- BUILD: makefile: fix expression again to detect ARM platform
- BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
- DOC: assorted typo fixes in the documentation
- MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
- BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
- MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
- BUG/MINOR: connections: Make sure we free the connection on failure.
- REGTESTS: use "command -v" instead of "which"
- REGTEST: increase timeouts on the seamless-reload test
- BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
- BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
- BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
- BUG/MINOR: peers: Use after free of "peers" section.
- MINOR: listener: add so_name sample fetch
- BUILD: ssl: only pass unsigned chars to isspace()
- BUG/MINOR: stats: Fix color of draining servers on stats page
- DOC: internals: Fix spelling errors in filters.txt
- MINOR: http-rules: Add a flag on redirect rules to know the rule direction
- BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
- MINOR: http-rules: Handle the rule direction when a redirect is evaluated
- BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
- BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
(bsiegert)
diff -r1.59 -r1.59.2.1 pkgsrc/net/haproxy/Makefile| @@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.59 2020/02/13 07:57:55 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.59.2.1 2020/04/09 10:57:11 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= haproxy-2.1.3 | 3 | DISTNAME= haproxy-2.1.4 | |
| 4 | CATEGORIES= net www | 4 | CATEGORIES= net www | |
| 5 | MASTER_SITES= https://www.haproxy.org/download/${PKGVERSION_NOREV:R}/src/ | 5 | MASTER_SITES= https://www.haproxy.org/download/${PKGVERSION_NOREV:R}/src/ | |
| 6 | 6 | |||
| 7 | MAINTAINER= morr@NetBSD.org | 7 | MAINTAINER= morr@NetBSD.org | |
| 8 | HOMEPAGE= https://www.haproxy.org/ | 8 | HOMEPAGE= https://www.haproxy.org/ | |
| 9 | COMMENT= Reliable, high performance TCP/HTTP load balancer | 9 | COMMENT= Reliable, high performance TCP/HTTP load balancer | |
| 10 | LICENSE= gnu-gpl-v2 | 10 | LICENSE= gnu-gpl-v2 | |
| 11 | 11 | |||
| 12 | USE_LANGUAGES= c | 12 | USE_LANGUAGES= c | |
| 13 | USE_TOOLS+= gmake | 13 | USE_TOOLS+= gmake | |
| 14 | BUILD_MAKE_FLAGS+= ADDLIB=${COMPILER_RPATH_FLAG}${PREFIX}/lib | 14 | BUILD_MAKE_FLAGS+= ADDLIB=${COMPILER_RPATH_FLAG}${PREFIX}/lib | |
| 15 | BUILD_MAKE_FLAGS+= CC=${CC:Q} | 15 | BUILD_MAKE_FLAGS+= CC=${CC:Q} | |
| 16 | BUILD_MAKE_FLAGS+= CFLAGS=${CFLAGS:Q} | 16 | BUILD_MAKE_FLAGS+= CFLAGS=${CFLAGS:Q} |
| @@ -1,14 +1,10 @@ | @@ -1,14 +1,10 @@ | |||
| 1 | $NetBSD: distinfo,v 1.52 2020/03/26 06:34:00 rillig Exp $ | 1 | $NetBSD: distinfo,v 1.52.2.1 2020/04/09 10:57:11 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (deviceatlas-enterprise-c-2.1.zip) = fbd4a4198307616d51518e50d09666aeac2eea29 | 3 | SHA1 (haproxy-2.1.4.tar.gz) = 79bde694574d8cec2d3cc5de593d66654c89b6cb | |
| 4 | RMD160 (deviceatlas-enterprise-c-2.1.zip) = fc4b78bc18c80cc19e36fa5b8776cbf8b959abd7 | 4 | RMD160 (haproxy-2.1.4.tar.gz) = 7744d6100b37426a8a5369869aca409fd9f39337 | |
| 5 | SHA512 (deviceatlas-enterprise-c-2.1.zip) = 99a8e89f3d1c084a93b184685108ea65d1fd925e0c8b52599a42dbe70af3126103da0a9fd284b14ddf59b996204334d360a12651025413bc4d7f76054779275b | 5 | SHA512 (haproxy-2.1.4.tar.gz) = fd029ac1ec877fa89a9410944439b66795b1392b6c8416aaa7978943170530c3826ba50ea706366f3f7785b7cffed58497cb362fc2480dd6920a99af4f920d98 | |
| 6 | Size (deviceatlas-enterprise-c-2.1.zip) = 504286 bytes | 6 | Size (haproxy-2.1.4.tar.gz) = 2684568 bytes | |
| 7 | SHA1 (haproxy-2.1.3.tar.gz) = 6904ebe6b1742d5e70592e85b1f664ac74b7280b | |||
| 8 | RMD160 (haproxy-2.1.3.tar.gz) = 613b731a1ec7387b85f200c1eaf3c10b699928fe | |||
| 9 | SHA512 (haproxy-2.1.3.tar.gz) = 4728c1177b2bba69465cbc56b1ed73a1b2d36891ba2d94d29bb49714ad98ccfac4b52947735aded211f0cd8070002f5406ddd77cabd2f8230b00438189dd7a60 | |||
| 10 | Size (haproxy-2.1.3.tar.gz) = 2675529 bytes | |||
| 11 | SHA1 (patch-Makefile) = 790242ebde13ac1a9d95a16cba29e30a9bccd57c | 7 | SHA1 (patch-Makefile) = 790242ebde13ac1a9d95a16cba29e30a9bccd57c | |
| 12 | SHA1 (patch-src_cli.c) = 4bc5cf0116df121ac4c3c38b8f962c3a62d536e5 | 8 | SHA1 (patch-src_cli.c) = 4bc5cf0116df121ac4c3c38b8f962c3a62d536e5 | |
| 13 | SHA1 (patch-src_haproxy.c) = badb172013541087d84f03726ea928c6f5634dc3 | 9 | SHA1 (patch-src_haproxy.c) = badb172013541087d84f03726ea928c6f5634dc3 | |
| 14 | SHA1 (patch-src_proto__sockpair.c) = 1f2a318f3b7c74a191774f8bb3511c23401c10ef | 10 | SHA1 (patch-src_proto__sockpair.c) = 1f2a318f3b7c74a191774f8bb3511c23401c10ef |
| @@ -1,17 +1,17 @@ | @@ -1,17 +1,17 @@ | |||
| 1 | # $NetBSD: options.mk,v 1.8 2020/01/01 21:18:07 adam Exp $ | 1 | # $NetBSD: options.mk,v 1.8.2.1 2020/04/09 10:57:11 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | PKG_OPTIONS_VAR= PKG_OPTIONS.haproxy | 3 | PKG_OPTIONS_VAR= PKG_OPTIONS.haproxy | |
| 4 | PKG_SUPPORTED_OPTIONS= deviceatlas lua prometheus ssl | 4 | PKG_SUPPORTED_OPTIONS= lua prometheus ssl | |
| 5 | PKG_OPTIONS_OPTIONAL_GROUPS= regex | 5 | PKG_OPTIONS_OPTIONAL_GROUPS= regex | |
| 6 | PKG_OPTIONS_GROUP.regex= pcre pcre2 pcre2-jit | 6 | PKG_OPTIONS_GROUP.regex= pcre pcre2 pcre2-jit | |
| 7 | PKG_SUGGESTED_OPTIONS= pcre ssl | 7 | PKG_SUGGESTED_OPTIONS= pcre ssl | |
| 8 | 8 | |||
| 9 | .include "../../mk/bsd.options.mk" | 9 | .include "../../mk/bsd.options.mk" | |
| 10 | 10 | |||
| 11 | ### | 11 | ### | |
| 12 | ### Use libpcre rather than libc for header processing regexp | 12 | ### Use libpcre rather than libc for header processing regexp | |
| 13 | ### | 13 | ### | |
| 14 | .if !empty(PKG_OPTIONS:Mpcre) | 14 | .if !empty(PKG_OPTIONS:Mpcre) | |
| 15 | . include "../../devel/pcre/buildlink3.mk" | 15 | . include "../../devel/pcre/buildlink3.mk" | |
| 16 | BUILD_MAKE_FLAGS+= USE_PCRE=1 | 16 | BUILD_MAKE_FLAGS+= USE_PCRE=1 | |
| 17 | .endif | 17 | .endif | |
| @@ -35,38 +35,19 @@ LUA_VERSIONS_ACCEPTED= 53 | @@ -35,38 +35,19 @@ LUA_VERSIONS_ACCEPTED= 53 | |||
| 35 | BUILD_MAKE_FLAGS+= USE_LUA=1 | 35 | BUILD_MAKE_FLAGS+= USE_LUA=1 | |
| 36 | BUILD_MAKE_FLAGS+= LUA_LIB_NAME=lua5.3 | 36 | BUILD_MAKE_FLAGS+= LUA_LIB_NAME=lua5.3 | |
| 37 | . include "../../lang/lua/buildlink3.mk" | 37 | . include "../../lang/lua/buildlink3.mk" | |
| 38 | .endif | 38 | .endif | |
| 39 | 39 | |||
| 40 | ### | 40 | ### | |
| 41 | ### Use Prometheus | 41 | ### Use Prometheus | |
| 42 | ### | 42 | ### | |
| 43 | .if !empty(PKG_OPTIONS:Mprometheus) | 43 | .if !empty(PKG_OPTIONS:Mprometheus) | |
| 44 | BUILD_MAKE_FLAGS+= EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o" | 44 | BUILD_MAKE_FLAGS+= EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o" | |
| 45 | .endif | 45 | .endif | |
| 46 | 46 | |||
| 47 | ### | 47 | ### | |
| 48 | ### Support DeviceAtlas detection. | |||
| 49 | ### | |||
| 50 | .if !empty(PKG_OPTIONS:Mpcre) && !empty(PKG_OPTIONS:Mdeviceatlas) | |||
| 51 | DEVICEATLAS_VERSION= 2.1 | |||
| 52 | DEVICEATLAS_DISTFILE= deviceatlas-enterprise-c-${DEVICEATLAS_VERSION} | |||
| 53 | DISTFILES= ${DISTNAME}.tar.gz ${DEVICEATLAS_DISTFILE}.zip | |||
| 54 | DEVICEATLAS_HOMEPAGE= https://www.deviceatlas.com/deviceatlas-haproxy-module | |||
| 55 | ||||
| 56 | BUILD_MAKE_FLAGS+= USE_DEVICEATLAS=1 DEVICEATLAS_SRC=../${DEVICEATLAS_DISTFILE} | |||
| 57 | ||||
| 58 | . if !exists(${DISTDIR}/${DEVICEATLAS_DISTFILE}.zip) | |||
| 59 | FETCH_MESSAGE= "Please fetch ${DEVICEATLAS_DISTFILE}.zip manually from" | |||
| 60 | FETCH_MESSAGE+= "${DEVICEATLAS_HOMEPAGE}" | |||
| 61 | FETCH_MESSAGE+= "and put into" | |||
| 62 | FETCH_MESSAGE+= "${DISTDIR}" | |||
| 63 | . endif | |||
| 64 | .endif | |||
| 65 | ||||
| 66 | ### | |||
| 67 | ### Support OpenSSL for termination. | 48 | ### Support OpenSSL for termination. | |
| 68 | ### | 49 | ### | |
| 69 | .if !empty(PKG_OPTIONS:Mssl) | 50 | .if !empty(PKG_OPTIONS:Mssl) | |
| 70 | . include "../../security/openssl/buildlink3.mk" | 51 | . include "../../security/openssl/buildlink3.mk" | |
| 71 | BUILD_MAKE_FLAGS+= USE_OPENSSL=1 | 52 | BUILD_MAKE_FLAGS+= USE_OPENSSL=1 | |
| 72 | .endif | 53 | .endif |