From fe0bf54177cac88da6d3f84e1d0e1b27c0c905908aac2cf14ffe4a6c9f35e35e Mon Sep 17 00:00:00 2001 
From: Richard Brown Date: Fri, 7 Aug 2020 13:38:01 +0000 Subject: [PATCH 1/2] Accepting request 824853 from home:RBrownSUSE:branches:devel:kubic - Update to version 3.4.10 [CVE-2020-15106][boo#1174951]: * version: 3.4.10 * Documentation: note on data encryption * etcdserver: change protobuf field type from int to int64 (#12000) * pkg: consider umask when use MkdirAll * etcdmain: let grpc proxy warn about insecure-skip-tls-verify * etcdmain: fix shadow error * pkg/fileutil: print desired file permission in error log * pkg: Fix dir permission check on Windows * auth: Customize simpleTokenTTL settings. * mvcc: chanLen 1024 is to biger,and it used more memory. 128 seems to be enough. Sometimes the consumption speed is more than the production speed. * auth: return incorrect result 'ErrUserNotFound' when client request without username or username was empty. * etcdmain: fix shadow error * doc: add TLS related warnings * etcdserver:FDUsage set ticker to 10 minute from 5 seconds. This ticker will check File Descriptor Requirements ,and count all fds in used. And recorded some logs when in used >= limit/5*4. Just recorded message. If fds was more than 10K,It's low performance due to FDUsage() works. So need to increase it. 
* clientv3: cancel watches proactively on client context cancellation * wal: check out of range slice in "ReadAll", "decoder" * etcdctl, etcdmain: warn about --insecure-skip-tls-verify options * Documentation: note on the policy of insecure by default * etcdserver: don't let InternalAuthenticateRequest have password * auth: a new error code for the case of password auth against no password user * Documentation: note on password strength * etcdmain: best effort detection of self pointing in tcp proxy * Discovery: do not allow passing negative cluster size * wal: fix panic when decoder not set * embed: fix compaction runtime err * pkg: check file stats * etcdserver, et al: add --unsafe-no-fsync flag * version: 3.4.9 * wal: add TestValidSnapshotEntriesAfterPurgeWal testcase OBS-URL: https://build.opensuse.org/request/show/824853 OBS-URL: https://build.opensuse.org/package/show/devel:kubic/etcd?expand=0&rev=6 --- _service | 2 +- _servicedata | 2 +- etcd-3.4.10.tar.gz | 3 ++ etcd-3.4.3.tar.gz | 3 -- etcd.changes | 87 ++++++++++++++++++++++++++++++++++++++++++++++ etcd.spec | 5 ++- vendor.tar.gz | 4 +-- 7 files changed, 96 insertions(+), 10 deletions(-) create mode 100644 etcd-3.4.10.tar.gz delete mode 100644 etcd-3.4.3.tar.gz diff --git a/_service b/_service index 3357d9f..c3d22c2 100644 --- a/_service +++ b/_service @@ -3,7 +3,7 @@ git://github.com/etcd-io/etcd.git git .git - v3.4.3 + v3.4.10 @PARENT_TAG@ enable v(.*) diff --git a/_servicedata b/_servicedata index 18e9429..b6ca88c 100644 --- a/_servicedata +++ b/_servicedata @@ -3,4 +3,4 @@ https://github.com/coreos/etcd.git 94745a4eed0425653b3b4275a208d38babceeaec git://github.com/etcd-io/etcd.git - 3cf2f69b5738fb702ba1a935590f36b52b18979b \ No newline at end of file + 18dfb9cca345bb2b2fbe73d5fc31028c2477bef1 \ No newline at end of file diff --git a/etcd-3.4.10.tar.gz b/etcd-3.4.10.tar.gz new file mode 100644 index 0000000..702a3ba --- /dev/null +++ b/etcd-3.4.10.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:928e86ba51f7ecae42951eef30f53cbd5dde5961dee4bf16e9323cd2355d6174
+size 9064104
diff --git a/etcd-3.4.3.tar.gz b/etcd-3.4.3.tar.gz
deleted file mode 100644
index 8e943ec..0000000
--- a/etcd-3.4.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bed9b521a7819bc3b78dbaabac387182bdb246ad3fdc96fe8e11b01d4fb42a17
-size 9051598
diff --git a/etcd.changes b/etcd.changes
index 0dea6db..6faccbc 100644
--- a/etcd.changes
+++ b/etcd.changes
@@ -1,3 +1,90 @@
+-------------------------------------------------------------------
+Thu Aug 06 09:30:53 UTC 2020 - rbrown@suse.com
+
+- Update to version 3.4.10 [CVE-2020-15106][boo#1174951]:
+ * version: 3.4.10
+ * Documentation: note on data encryption
+ * etcdserver: change protobuf field type from int to int64 (#12000)
+ * pkg: consider umask when use MkdirAll
+ * etcdmain: let grpc proxy warn about insecure-skip-tls-verify
+ * etcdmain: fix shadow error
+ * pkg/fileutil: print desired file permission in error log
+ * pkg: Fix dir permission check on Windows
+ * auth: Customize simpleTokenTTL settings.
+ * mvcc: chanLen 1024 is to biger,and it used more memory. 128 seems to be enough. Sometimes the consumption speed is more than the production speed.
+ * auth: return incorrect result 'ErrUserNotFound' when client request without username or username was empty.
+ * etcdmain: fix shadow error
+ * doc: add TLS related warnings
+ * etcdserver:FDUsage set ticker to 10 minute from 5 seconds. This ticker will check File Descriptor Requirements ,and count all fds in used. And recorded some logs when in used >= limit/5*4. Just recorded message. If fds was more than 10K,It's low performance due to FDUsage() works. So need to increase it.
+ * clientv3: cancel watches proactively on client context cancellation
+ * wal: check out of range slice in "ReadAll", "decoder"
+ * etcdctl, etcdmain: warn about --insecure-skip-tls-verify options
+ * Documentation: note on the policy of insecure by default
+ * etcdserver: don't let InternalAuthenticateRequest have password
+ * auth: a new error code for the case of password auth against no password user
+ * Documentation: note on password strength
+ * etcdmain: best effort detection of self pointing in tcp proxy
+ * Discovery: do not allow passing negative cluster size
+ * wal: fix panic when decoder not set
+ * embed: fix compaction runtime err
+ * pkg: check file stats
+ * etcdserver, et al: add --unsafe-no-fsync flag
+ * version: 3.4.9
+ * wal: add TestValidSnapshotEntriesAfterPurgeWal testcase
+ * wal: fix crc mismatch crash bug
+ * rafthttp: log snapshot download duration
+ * version: 3.4.8
+ * rafthttp: improve snapshot send logging
+ * *: make sure snapshot save downloads SHA256 checksum
+ * etcdserver/api/snap: exclude orphaned defragmentation files in snapNames
+ * etcdserver: continue releasing snap db in case of error
+ * etcdserver,wal: fix inconsistencies in WAL and snapshot
+ * cherry pick of #11564 (#11880)
+ * mvcc: fix deadlock bug
+ * auth: optimize lock scope for CheckPassword
+ * auth: ensure RoleGrantPermission is compatible with older versions
+ * etcdserver: print warn log when failed to apply request
+ * auth: cleanup saveConsistentIndex in NewAuthStore
+ * auth: print warning log when error is ErrAuthOldRevision
+ * auth: add new metric 'etcd_debugging_auth_revision'
+ * tools/etcd-dump-db: add auth decoder, optimize print format
+ * *: fix auth revision corruption bug
+ * etcdserver: watch stream got closed once one request is not permitted (#11708)
+ * version: 3.4.7
+ * wal: add "etcd_wal_writes_bytes_total"
+ * pkg/ioutil: add "FlushN"
+ * test: auto detect branch when finding merge base
+ * mvcc/kvstore:when the number key-value is
greater than one million, compact take too long and blocks other requests + * version: 3.4.6 + * lease: fix memory leak in LeaseGrant when node is follower + * version: 3.4.5 + * words: whitelist "racey" + * Revert "version: 3.4.5" + * words: whitelist "hasleader" + * version: 3.4.5 + * etcdserver/api/v3rpc: handle api version metadata, add metrics + * clientv3: embed api version in metadata + * etcdserver/api/etcdhttp: log server-side /health checks + * proxy/grpcproxy: add return on error for metrics handler + * etcdctl: fix member add command + * version: 3.4.4 + * etcdserver: fix quorum calculation when promoting a learner member + * etcdserver: corruption check via http + * mvcc/backend: check for nil boltOpenOptions + * mvcc/backend: Delete orphaned db.tmp files before defrag + * auth: correct logging level + * e2e: test curl auth on onoption user + * auth: fix NoPassWord check when add user + * auth: fix user.Options nil pointer + * mvcc/kvstore:fixcompactbug + * mvcc: update to "etcd_debugging_mvcc_total_put_size_in_bytes" + * mvcc: add "etcd_mvcc_put_size_in_bytes" to monitor the throughput of put request. + * clientv3: fix retry/streamer error message + * etcdserver: wait purge file loop during shutdown + * integration: disable TestV3AuthOldRevConcurrent + * etcdserver: remove auth validation loop + * scripts/release: list GPG key only when tagging is needed + ------------------------------------------------------------------- Sun Jun 7 21:09:20 UTC 2020 - Dirk Mueller diff --git a/etcd.spec b/etcd.spec index eef23b7..197157b 100644 --- a/etcd.spec +++ b/etcd.spec @@ -22,7 +22,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: etcd -Version: 3.4.3 +Version: 3.4.10 Release: 0 Summary: Highly-available key value store for configuration and service discovery License: Apache-2.0 
@@ -33,8 +33,7 @@ Source1: vendor.tar.gz Source11: %{name}.conf Source12: %{name}.service Source15: README.security -BuildRequires: go1.12 >= 1.12.9 -BuildRequires: golang(API) = 1.12 +BuildRequires: golang(API) = 1.14 BuildRequires: golang-packaging BuildRequires: shadow BuildRequires: systemd-rpm-macros diff --git a/vendor.tar.gz b/vendor.tar.gz index f39ce8a..09084c4 100644 --- a/vendor.tar.gz +++ b/vendor.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:874ea09dac1f5b266ab52a2f4d483dce9dd56b76a8b6e5ce74845c7eb7e41e9c -size 3126011 +oid sha256:4ccf0cf0cf8dd0637c3beb7736f7c1f7d19e59088865cb7499d1921bd96c199c +size 3162210 From a9e888d29c539756f30c346b9ce7cc14421862e254e2aac3a58176f20adb1451 Mon Sep 17 00:00:00 2001 From: Richard Brown Date: Tue, 11 Aug 2020 16:39:58 +0000 Subject: [PATCH 2/2] Accepting request 825818 from home:dannysauer:branches:devel:kubic Minor change: remove duplicate install line in spec file. OBS-URL: https://build.opensuse.org/request/show/825818 OBS-URL: https://build.opensuse.org/package/show/devel:kubic/etcd?expand=0&rev=7 --- etcd.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/etcd.spec b/etcd.spec index 197157b..a82702a 100644 --- a/etcd.spec +++ b/etcd.spec @@ -90,7 +90,6 @@ install -D -m 0755 etcdctl/etcdctl %{buildroot}/%{_bindir}/etcdctl # Service install -D -p -m 0644 %{SOURCE12} %{buildroot}%{_unitdir}/%{name}.service -install -d %{buildroot}/%{_sbindir} ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} # Sysconfig
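Review bot: The new `BuildRequires: golang(API) = 1.14` line in the etcd.spec hunk at -33,8 drops the minimum compiler patch level that the removed pair expressed with `go1.12 >= 1.12.9`. As written, any 1.14.x toolchain in the build repository satisfies the requirement, and because Go binaries are linked statically, the compiler's runtime and standard library (including crypto/tls and net/http) end up inside the shipped etcd and etcdctl binaries. For an update that is tagged with CVE-2020-15106, it seems worth keeping an explicit floor next to the API pin, in the same form as before, e.g. `BuildRequires: go1.14 >= <MIN_PATCH_VERSION>` (placeholder; the page does not say which 1.14 point release is the intended minimum). A short comment above the pin, such as `# Go toolchain is linked into the binaries: raise the API pin and the minimum patch release together`, would also record why the jump from 1.12 to 1.14 was made, which the changelog entry does not mention.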