diff --git a/0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch b/0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch deleted file mode 100644 index 1828405..0000000 --- a/0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch +++ /dev/null @@ -1,44 +0,0 @@ -From f86d9bb6dd56d56e7425246f91a6c105a5f38659 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 24 Jun 2014 17:27:02 +0200 -Subject: [PATCH 1/6] BUG/MEDIUM: http: fetch "base" is not compatible with - set-header - -The sample fetch function "base" makes use of the trash which is also -used by set-header/add-header etc... everything which builds a formated -line. So we end up with some junk in the header if base is in use. Let's -fix this as all other fetches by using a trash chunk instead. - -This bug was reported by Baptiste Assmann, and also affects 1.5. ---- - src/proto_http.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/proto_http.c b/src/proto_http.c -index 231d49a12875..5321f7d53e6a 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -10247,6 +10247,7 @@ smp_fetch_base(struct proxy *px, struct session *l4, void *l7, unsigned int opt, - struct http_txn *txn = l7; - char *ptr, *end, *beg; - struct hdr_ctx ctx; -+ struct chunk *temp; - - CHECK_HTTP_MESSAGE_FIRST(); - -@@ -10255,9 +10256,10 @@ smp_fetch_base(struct proxy *px, struct session *l4, void *l7, unsigned int opt, - return smp_fetch_path(px, l4, l7, opt, args, smp, kw); - - /* OK we have the header value in ctx.line+ctx.val for ctx.vlen bytes */ -- memcpy(trash.str, ctx.line + ctx.val, ctx.vlen); -+ temp = get_trash_chunk(); -+ memcpy(temp->str, ctx.line + ctx.val, ctx.vlen); - smp->type = SMP_T_STR; -- smp->data.str.str = trash.str; -+ smp->data.str.str = temp->str; - smp->data.str.len = ctx.vlen; - - /* now retrieve the path */ --- -1.8.4.5 - 
diff --git a/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch b/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch new file mode 100644 index 0000000..8573c49 --- /dev/null +++ b/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch @@ -0,0 +1,29 @@ +From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Sat, 12 Jul 2014 17:31:07 +0200 +Subject: [PATCH 1/5] DOC: mention that Squid correctly responds 400 to PPv2 + header + +Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630 +were confirmed to respond correctly here and that any version will do +the same. +(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad) +--- + doc/proxy-protocol.txt | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt +index a2dbcea..a3925a4 100644 +--- a/doc/proxy-protocol.txt ++++ b/doc/proxy-protocol.txt +@@ -692,6 +692,7 @@ presented, even with minimal implementations : + - thttpd 2.20c : 400 Bad Request + abort => pass/optimal + - mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal + - haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal ++ - Squid 3 : 400 Bad Request + abort => pass/optimal + - SSL : + - stud 0.3.47 : connection abort => pass/optimal + - stunnel 4.45 : connection abort => pass/optimal +-- +1.8.4.5 + diff --git a/0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch b/0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch deleted file mode 100644 index fd32686..0000000 --- a/0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 87e56ce15591dbb98046fe9fb923f28769eb6056 Mon Sep 17 00:00:00 2001 -From: Emeric Brun -Date: Tue, 24 Jun 2014 18:26:41 +0200 -Subject: [PATCH 2/6] BUG/MINOR: ssl: Fix external function in order not to - return a pointer on an internal trash buffer. - -'ssl_sock_get_common_name' applied to a connection was also renamed -'ssl_sock_get_remote_common_name'. Currently, this function is only used -with protocol PROXYv2 to retrieve the client certificate's common name. -A further usage could be to retrieve the server certificate's common name -on an outgoing connection. ---- - include/proto/ssl_sock.h | 2 +- - src/connection.c | 5 ++--- - src/ssl_sock.c | 23 +++++++++++------------ - 3 files changed, 14 insertions(+), 16 deletions(-) - -diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h -index 0902fde989bb..3e111cd68490 100644 ---- a/include/proto/ssl_sock.h -+++ b/include/proto/ssl_sock.h -@@ -52,7 +52,7 @@ const char *ssl_sock_get_cipher_name(struct connection *conn); - const char *ssl_sock_get_proto_version(struct connection *conn); - char *ssl_sock_get_version(struct connection *conn); - int ssl_sock_get_cert_used(struct connection *conn); --char *ssl_sock_get_common_name(struct connection *conn); -+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out); - unsigned int ssl_sock_get_verify_result(struct connection *conn); - #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB - int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err); -diff --git a/src/connection.c b/src/connection.c -index 0b154d802a80..20a911bcd41f 100644 ---- a/src/connection.c -+++ b/src/connection.c -@@ -682,9 +682,8 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec - tlv->verify = htonl(ssl_sock_get_verify_result(remote)); - } - if (srv->pp_opts & SRV_PP_V2_SSL_CN) { -- value = ssl_sock_get_common_name(remote); -- if (value) { -- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - 
ssl_tlv_len), PP2_TYPE_SSL_CN, strlen(value), value); -+ if (ssl_sock_get_remote_common_name(remote, &trash) > 0) { -+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str); - ssl_tlv_len += tlv_len; - } - } -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 328b97880b8d..375225d19f72 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2654,21 +2654,25 @@ char *ssl_sock_get_version(struct connection *conn) - return (char *)SSL_get_version(conn->xprt_ctx); - } - --/* returns common name, NULL terminated, from client certificate, or NULL if none */ --char *ssl_sock_get_common_name(struct connection *conn) -+/* Extract peer certificate's common name into the chunk dest -+ * Returns -+ * the len of the extracted common name -+ * or 0 if no CN found in DN -+ * or -1 on error case (i.e. no peer certificate) -+ */ -+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *dest) - { - X509 *crt = NULL; - X509_NAME *name; -- struct chunk *cn_trash; - const char find_cn[] = "CN"; - const struct chunk find_cn_chunk = { - .str = (char *)&find_cn, - .len = sizeof(find_cn)-1 - }; -- char *result = NULL; -+ int result = -1; - - if (!ssl_sock_is_ssl(conn)) -- return NULL; -+ goto out; - - /* SSL_get_peer_certificate, it increase X509 * ref count */ - crt = SSL_get_peer_certificate(conn->xprt_ctx); -@@ -2679,13 +2683,8 @@ char *ssl_sock_get_common_name(struct connection *conn) - if (!name) - goto out; - -- cn_trash = get_trash_chunk(); -- if (ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, cn_trash) <= 0) -- goto out; -- cn_trash->str[cn_trash->len] = '\0'; -- result = cn_trash->str; -- -- out: -+ result = ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, dest); -+out: - if (crt) - X509_free(crt); - --- -1.8.4.5 - diff --git a/0002-DOC-fix-typo-in-Unix-Socket-commands.patch b/0002-DOC-fix-typo-in-Unix-Socket-commands.patch new file mode 100644 index 0000000..2305c8e --- /dev/null 
+++ b/0002-DOC-fix-typo-in-Unix-Socket-commands.patch @@ -0,0 +1,29 @@ +From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cyril=20Bont=C3=A9?= +Date: Sat, 12 Jul 2014 18:22:42 +0200 +Subject: [PATCH 2/5] DOC: fix typo in Unix Socket commands + +Konstantin Romanenko reported a typo in the HTML documentation. The typo is +already present in the raw text version : the "shutdown sessions" command +should be "shutdown sessions server". +(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e) +--- + doc/configuration.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/configuration.txt b/doc/configuration.txt +index ca21f7d..2d71555 100644 +--- a/doc/configuration.txt ++++ b/doc/configuration.txt +@@ -13869,7 +13869,7 @@ shutdown session + endless transfer is ongoing. Such terminated sessions are reported with a 'K' + flag in the logs. + +-shutdown sessions / ++shutdown sessions server / + Immediately terminate all the sessions attached to the specified server. This + can be used to terminate long-running sessions after a server is put into + maintenance mode, for instance. Such terminated sessions are reported with a +-- +1.8.4.5 + diff --git a/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch b/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch new file mode 100644 index 0000000..738acf2 --- /dev/null +++ b/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch 
@@ -0,0 +1,101 @@ +From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001 +From: Remi Gacogne +Date: Tue, 15 Jul 2014 11:36:40 +0200 +Subject: [PATCH 3/5] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange + +OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), +leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. +This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. + +Note: this fix must be backported to 1.5. +(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570) +--- + src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/src/ssl_sock.c b/src/ssl_sock.c +index 375225d..cf8adc7 100644 +--- a/src/ssl_sock.c ++++ b/src/ssl_sock.c +@@ -105,6 +105,13 @@ enum { + int sslconns = 0; + int totalsslconns = 0; + ++#ifndef OPENSSL_NO_DH ++static DH *local_dh_1024 = NULL; ++static DH *local_dh_2048 = NULL; ++static DH *local_dh_4096 = NULL; ++static DH *local_dh_8192 = NULL; ++#endif /* OPENSSL_NO_DH */ ++ + #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB + struct certificate_ocsp { + struct ebmb_node key; +@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen) + } + + if (keylen >= 8192) { +- dh = ssl_get_dh_8192(); ++ dh = local_dh_8192; + } + else if (keylen >= 4096) { +- dh = ssl_get_dh_4096(); ++ dh = local_dh_4096; + } + else if (keylen >= 2048) { +- dh = ssl_get_dh_2048(); ++ dh = local_dh_2048; + } + else { +- dh = ssl_get_dh_1024(); ++ dh = local_dh_1024; + } + + return dh; +@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file) + + if (global.tune.ssl_default_dh_param <= 1024) { + /* we are limited to DH parameter of 1024 bits anyway */ +- dh = ssl_get_dh_1024(); +- if (dh == NULL) ++ local_dh_1024 = ssl_get_dh_1024(); ++ if (local_dh_1024 == NULL) + 
goto end; + +- SSL_CTX_set_tmp_dh(ctx, dh); ++ SSL_CTX_set_tmp_dh(ctx, local_dh_1024); + } + else { + SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh); +@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy + global.tune.ssl_default_dh_param = 1024; + } + ++#ifndef OPENSSL_NO_DH ++ if (global.tune.ssl_default_dh_param >= 1024) { ++ if (local_dh_1024 == NULL) { ++ local_dh_1024 = ssl_get_dh_1024(); ++ } ++ if (global.tune.ssl_default_dh_param >= 2048) { ++ if (local_dh_2048 == NULL) { ++ local_dh_2048 = ssl_get_dh_2048(); ++ } ++ if (global.tune.ssl_default_dh_param >= 4096) { ++ if (local_dh_4096 == NULL) { ++ local_dh_4096 = ssl_get_dh_4096(); ++ } ++ if (global.tune.ssl_default_dh_param >= 8192 && ++ local_dh_8192 == NULL) { ++ local_dh_8192 = ssl_get_dh_8192(); ++ } ++ } ++ } ++ } ++#endif /* OPENSSL_NO_DH */ ++ + SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk); + #if OPENSSL_VERSION_NUMBER >= 0x00907000L + SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); +-- +1.8.4.5 + diff --git a/0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch b/0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch deleted file mode 100644 index 818363c..0000000 --- a/0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch +++ /dev/null 
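Review bot: The new block in ssl_sock_prepare_ctx() never checks what the ssl_get_dh_1024/2048/4096/8192() calls return, whereas the ssl_sock_load_dh_params() hunk in the same patch tests `local_dh_1024 == NULL` and bails out to `end`; if an allocation fails here the corresponding `local_dh_*` stays NULL and ssl_get_tmp_dh() will hand that NULL back to OpenSSL on every matching DHE handshake, presumably failing connections at runtime rather than reporting a configuration error once. Each `local_dh_N = ssl_get_dh_N();` assignment should be followed by a NULL test that reports the failure through the function's existing error path. The purpose of the `== NULL` guards also deserves a comment, since it is the whole point of the fix: `/* DH params are allocated once and shared by every SSL_CTX; OpenSSL never frees the DH returned by the tmp_dh callback */`. ssl_sock_prepare_ctx()'s body starts and ends outside the hunk.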
@@ -1,41 +0,0 @@ -From ecde57996941ab79f8e3ee5d6114ede49adaaf17 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Wed, 25 Jun 2014 15:36:04 +0200 -Subject: [PATCH 3/6] BUG/MINOR: counters: do not untrack counters before - logging - -Baptiste Assmann reported a corner case in the releasing of stick-counters: -we release content-aware counters before logging. In the past it was not a -problem, but since now we can log them it, it prevents one from logging -their value. Simply switching the log production and the release of the -counter fixes the issue. - -This should be backported into 1.5. ---- - src/proto_http.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/proto_http.c b/src/proto_http.c -index 5321f7d53e6a..d566bcc819ec 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -4808,7 +4808,6 @@ void http_end_txn_clean_session(struct session *s) - - s->logs.t_close = tv_ms_elapsed(&s->logs.tv_accept, &now); - session_process_counters(s); -- session_stop_content_counters(s); - - if (s->txn.status) { - int n; -@@ -4842,6 +4841,8 @@ void http_end_txn_clean_session(struct session *s) - s->do_log(s); - } - -+ /* stop tracking content-based counters */ -+ session_stop_content_counters(s); - session_update_time_stats(s); - - s->logs.accept_date = date; /* user-visible date for logging */ --- -1.8.4.5 - diff --git a/0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch b/0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch deleted file mode 100644 index d08b65c..0000000 --- a/0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 6747e44f116b7f20c96514454174cf0c0a2e1a4b Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Wed, 25 Jun 2014 16:56:41 +0200 -Subject: [PATCH 4/6] BUG/MAJOR: sample: correctly reinitialize sample fetch - context before calling sample_process() - -We used to only clear flags when reusing the static sample before calling -sample_process(), but that's not enough because there's a context in samples -that can be used by some fetch functions such as auth, headers and cookies, -and not reinitializing it risks that a pointer of a different type is used -in the wrong context. - -An example configuration which triggers the case consists in mixing hdr() -and http_auth_group() which both make use of contexts : - - http-request add-header foo2 %[hdr(host)],%[http_auth_group(foo)] - -The solution is simple, initialize all the sample and not just the flags. -This fix must be backported into 1.5 since it was introduced in 1.5-dev19. ---- - src/proto_http.c | 3 +++ - src/sample.c | 5 +++-- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/proto_http.c b/src/proto_http.c -index d566bcc819ec..01fe62d09246 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -9748,6 +9748,9 @@ smp_prefetch_http(struct proxy *px, struct session *s, void *l7, unsigned int op - return 1; - } - -+/* Note: these functinos *do* modify the sample. Even in case of success, at -+ * least the type and uint value are modified. 
-+ */ - #define CHECK_HTTP_MESSAGE_FIRST() \ - do { int r = smp_prefetch_http(px, l4, l7, opt, args, smp, 1); if (r <= 0) return r; } while (0) - -diff --git a/src/sample.c b/src/sample.c -index 9f22ef97156f..3a0f3fbbcff2 100644 ---- a/src/sample.c -+++ b/src/sample.c -@@ -905,7 +905,7 @@ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7, - - if (p == NULL) { - p = &temp_smp; -- p->flags = 0; -+ memset(p, 0, sizeof(*p)); - } - - if (!expr->fetch->process(px, l4, l7, opt, expr->arg_p, p, expr->fetch->kw)) -@@ -1160,7 +1160,8 @@ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l - { - struct sample *smp = &temp_smp; - -- smp->flags = 0; -+ memset(smp, 0, sizeof(*smp)); -+ - if (!sample_process(px, l4, l7, opt, expr, smp)) { - if ((smp->flags & SMP_F_MAY_CHANGE) && !(opt & SMP_OPT_FINAL)) - return smp; --- -1.8.4.5 - diff --git a/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch b/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch new file mode 100644 index 0000000..7b885a0 --- /dev/null +++ b/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch 
@@ -0,0 +1,35 @@ +From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Tue, 15 Jul 2014 21:34:06 +0200 +Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian + version of base32 + +We're using the internal memory representation of base32 here, which is +wrong since these data might be exported to headers for logs or be used +to stick to a server and replicated to other peers. Let's convert base32 +to big endian (network representation) when building the binary block. + +This mistake is also present in 1.5, it would be better to backport it. +(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568) +--- + src/proto_http.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/proto_http.c b/src/proto_http.c +index 94afed7..b7ed85d 100644 +--- a/src/proto_http.c ++++ b/src/proto_http.c +@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in + return 0; + + temp = get_trash_chunk(); +- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint)); +- temp->len += sizeof(smp->data.uint); ++ *(unsigned int *)temp->str = htonl(smp->data.uint); ++ temp->len += sizeof(unsigned int); + + switch (cli_conn->addr.from.ss_family) { + case AF_INET: +-- +1.8.4.5 + diff --git a/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch b/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch new file mode 100644 index 0000000..d358803 --- /dev/null +++ b/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch 
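Review bot: `*(unsigned int *)temp->str = htonl(smp->data.uint);` stores through a `char *` cast to `unsigned int *`, which both assumes the trash buffer is suitably aligned and violates strict aliasing, so an optimizing compiler may legitimately reorder or drop the store; the memcpy() form it replaces had neither problem. The rewrite also drops the `+ temp->len` offset the removed lines used, which is only equivalent if get_trash_chunk() hands back a chunk whose `len` is already 0 (likely, but not visible in this diff). Suggested replacement: `unsigned int net = htonl(smp->data.uint);` / `memcpy(temp->str + temp->len, &net, sizeof(net));` / `temp->len += sizeof(net);`. smp_fetch_base32_src()'s body starts and ends outside the hunk.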
@@ -0,0 +1,42 @@ +From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001 +From: Dave McCowan <11235david@gmail.com> +Date: Thu, 17 Jul 2014 14:34:01 -0400 +Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when + building a proxy v2 header + +Use temporary trash chunk, instead of global trash chunk in +make_proxy_line_v2() to avoid memory overwrite. + +This fix must also be backported to 1.5. +(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b) +--- + src/connection.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/connection.c b/src/connection.c +index 20a911b..3435b1a 100644 +--- a/src/connection.c ++++ b/src/connection.c +@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec + char *value = NULL; + struct tlv_ssl *tlv; + int ssl_tlv_len = 0; ++ struct chunk *cn_trash; + #endif + + if (buf_len < PP2_HEADER_LEN) +@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec + tlv->verify = htonl(ssl_sock_get_verify_result(remote)); + } + if (srv->pp_opts & SRV_PP_V2_SSL_CN) { +- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) { +- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str); ++ cn_trash = get_trash_chunk(); ++ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) { ++ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str); + ssl_tlv_len += tlv_len; + } + } +-- +1.8.4.5 + diff --git a/0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch b/0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch deleted file mode 100644 index fc2db6d..0000000 --- a/0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch +++ /dev/null 
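Review bot: The new call passes `&cn_trash`, but `cn_trash` is declared in the first hunk as `struct chunk *`, so ssl_sock_get_remote_common_name(), whose second parameter is `struct chunk *dest` per the prototype changed by the 0002 patch removed elsewhere in this diff, receives a `struct chunk **` and the callee writes a chunk's worth of data over the pointer variable's stack slot and whatever follows it — the same class of memory corruption this patch sets out to fix. The old code wrote `&trash` because `trash` is a plain `struct chunk` (it is accessed as `trash.str` in the other patches); with a pointer from get_trash_chunk() the line must read `if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {`. GCC reports this as an incompatible-pointer-type warning, so the build log is worth checking before the package ships. make_proxy_line_v2()'s body starts and ends outside the hunk.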
@@ -1,108 +0,0 @@ -From f0b3bcc98e0d3fc372f0ec658e6c402af8b98412 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Wed, 25 Jun 2014 16:20:53 +0200 -Subject: [PATCH 5/6] MINOR: stick-table: make stktable_fetch_key() indicate - why it failed - -stktable_fetch_key() does not indicate whether it returns NULL because -the input sample was not found or because it's unstable. It causes trouble -with track-sc* rules. Just like with sample_fetch_string(), we want it to -be able to give more information to the caller about what it found. Thus, -now we use the pointer to a sample passed by the caller, and fill it with -the information we have about the sample. That way, even if we return NULL, -the caller has the ability to check whether a sample was found and if it is -still changing or not. ---- - include/proto/stick_table.h | 2 +- - src/proto_tcp.c | 4 ++-- - src/session.c | 4 ++-- - src/stick_table.c | 12 +++++++----- - 4 files changed, 12 insertions(+), 10 deletions(-) - -diff --git a/include/proto/stick_table.h b/include/proto/stick_table.h -index 0c26fbea3052..57ca2234317c 100644 ---- a/include/proto/stick_table.h -+++ b/include/proto/stick_table.h -@@ -48,7 +48,7 @@ struct stksess *stktable_lookup_key(struct stktable *t, struct stktable_key *key - struct stksess *stktable_update_key(struct stktable *table, struct stktable_key *key); - struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, - struct session *l4, void *l7, unsigned int opt, -- struct sample_expr *expr); -+ struct sample_expr *expr, struct sample *smp); - int stktable_compatible_sample(struct sample_expr *expr, unsigned long table_type); - int stktable_get_data_type(char *name); - struct proxy *find_stktable(const char *name); -diff --git a/src/proto_tcp.c b/src/proto_tcp.c -index 65c4fdad379e..1aac0d9225d9 100644 ---- a/src/proto_tcp.c -+++ b/src/proto_tcp.c -@@ -1027,7 +1027,7 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit) - continue; - - t = 
rule->act_prm.trk_ctr.table.t; -- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr); -+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL); - - if (key && (ts = stktable_get_entry(t, key))) { - session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts); -@@ -1228,7 +1228,7 @@ int tcp_exec_req_rules(struct session *s) - continue; - - t = rule->act_prm.trk_ctr.table.t; -- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr); -+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL); - - if (key && (ts = stktable_get_entry(t, key))) - session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts); -diff --git a/src/session.c b/src/session.c -index e26f5ad17a6b..df85170cd13a 100644 ---- a/src/session.c -+++ b/src/session.c -@@ -1458,7 +1458,7 @@ static int process_sticking_rules(struct session *s, struct channel *req, int an - if (ret) { - struct stktable_key *key; - -- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr); -+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr, NULL); - if (!key) - continue; - -@@ -1561,7 +1561,7 @@ static int process_store_rules(struct session *s, struct channel *rep, int an_bi - if (ret) { - struct stktable_key *key; - -- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr); -+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr, NULL); - if (!key) - continue; - -diff --git a/src/stick_table.c b/src/stick_table.c -index c6463ec7b95a..a708d3c53386 100644 ---- a/src/stick_table.c -+++ b/src/stick_table.c -@@ -601,15 +601,17 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = { - * Process a fetch + 
format conversion as defined by the sample expression - * on request or response considering the parameter. Returns either NULL if - * no key could be extracted, or a pointer to the converted result stored in -- * static_table_key in format . -+ * static_table_key in format . If is not NULL, it will be reset -+ * and its flags will be initialized so that the caller gets a copy of the input -+ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present). - */ - struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7, -- unsigned int opt, -- struct sample_expr *expr) -+ unsigned int opt, struct sample_expr *expr, struct sample *smp) - { -- struct sample *smp; -+ if (smp) -+ memset(smp, 0, sizeof(*smp)); - -- smp = sample_process(px, l4, l7, opt, expr, NULL); -+ smp = sample_process(px, l4, l7, opt, expr, smp); - if (!smp) - return NULL; - --- -1.8.4.5 - diff --git a/0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch b/0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch deleted file mode 100644 index 2c51a23..0000000 --- a/0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 08901b038aa0837786fbb1049508fb28c92a15d7 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Wed, 25 Jun 2014 17:01:56 +0200 -Subject: [PATCH 6/6] BUG/MEDIUM: counters: fix track-sc* to wait on unstable - contents - -I've been facing multiple configurations which involved track-sc* rules -in tcp-request content without the "if ..." to force it to wait for the -contents, resulting in random behaviour with contents sometimes retrieved -and sometimes not. - -Reading the doc doesn't make it clear either that the tracking will be -performed only if data are already there and that waiting on an ACL is -the only way to avoid this. - -Since this behaviour is not natural and we now have the ability to fix -it, this patch ensures that if input data are still moving, instead of -silently dropping them, we naturally wait for them to stabilize up to -the inspect-delay. This way it's not needed anymore to implement an -ACL-based condition to force to wait for data, eventhough the behaviour -is not changed for when an ACL is present. - -The most obvious usage will be when track-sc is followed by any HTTP -sample expression, there's no need anymore for adding "if HTTP". - -It's probably worth backporting this to 1.5 to avoid further configuration -issues. Note that it requires previous patch. ---- - src/proto_tcp.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/proto_tcp.c b/src/proto_tcp.c -index 1aac0d9225d9..e9dbc9c0b6de 100644 ---- a/src/proto_tcp.c -+++ b/src/proto_tcp.c -@@ -1022,12 +1022,16 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit) - * applies. 
- */ - struct stktable_key *key; -+ struct sample smp; - - if (stkctr_entry(&s->stkctr[tcp_trk_idx(rule->action)])) - continue; - - t = rule->act_prm.trk_ctr.table.t; -- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL); -+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp); -+ -+ if (smp.flags & SMP_F_MAY_CHANGE) -+ goto missing_data; - - if (key && (ts = stktable_get_entry(t, key))) { - session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts); --- -1.8.4.5 - diff --git a/haproxy-1.5.1.tar.gz b/haproxy-1.5.1.tar.gz deleted file mode 100644 index 166e1d7..0000000 --- a/haproxy-1.5.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:69b54be39247b4a7556b4a7d3bd90ffd4acf35799ffa7125bbadebab8e5df5b4 -size 1329710 diff --git a/haproxy-1.5.2.tar.gz b/haproxy-1.5.2.tar.gz new file mode 100644 index 0000000..04234bd --- /dev/null +++ b/haproxy-1.5.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f9cc9fcb30e5d998d4690331a0183a6970ca768833cc0ac68ad2a89600403d53 +size 1334897 diff --git a/haproxy.changes b/haproxy.changes index bd8acd1..429fa9f 100644 --- a/haproxy.changes +++ b/haproxy.changes 
@@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Fri Jul 18 15:01:53 UTC 2014 - mrueckert@suse.de + +- added + 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch: + BUG/MEDIUM: connection: fix memory corruption when building a + proxy v2 header + +------------------------------------------------------------------- +Thu Jul 17 10:45:28 UTC 2014 - mrueckert@suse.de + +- pulled a few fixes from the 1.5 branch: most notable the DHE + memleak fix. Adds the following patches: + 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch + 0002-DOC-fix-typo-in-Unix-Socket-commands.patch + 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch + 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch + +------------------------------------------------------------------- +Sat Jul 12 16:56:27 UTC 2014 - mrueckert@suse.de + +- update to 1.5.2 + - BUG/MEDIUM: backend: Update hash to use unsigned int throughout + - BUG/MINOR: ssl: Fix external function in order not to return a + pointer on an internal trash buffer. + - DOC: expand the docs for the provided stats. + - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets + upon failure. 
+ - MINOR: stats: fix minor typo in HTML page + - BUG/MEDIUM: http: fetch "base" is not compatible with + set-header + - BUG/MINOR: counters: do not untrack counters before logging + - BUG/MAJOR: sample: correctly reinitialize sample fetch context + before calling sample_process() + - MINOR: stick-table: make stktable_fetch_key() indicate why it + failed + - BUG/MEDIUM: counters: fix track-sc* to wait on unstable + contents + - BUILD: remove TODO from the spec file and add README + - MINOR: log: make MAX_SYSLOG_LEN overridable at build time + - MEDIUM: log: support a user-configurable max log line length + - DOC: provide an example of how to use ssl_c_sha1 + - BUILD: http: fix isdigit & isspace warnings on Solaris + - BUG/MINOR: listener: set the listener's fd to -1 after deletion + - BUG/MEDIUM: unix: failed abstract socket binding is retryable + - MEDIUM: listener: implement a per-protocol pause() function + - MEDIUM: listener: support rebinding during resume() + - BUG/MEDIUM: unix: completely unbind abstract sockets during a + pause() + - DOC: explicitly mention the limits of abstract namespace + sockets + - DOC: minor fix on {sc,src}_kbytes_{in,out} + - DOC: fix alphabetical sort of converters + - BUG/MAJOR: http: correctly rewind the request body after start + of forwarding + - DOC: remove references to CPU=native in the README + - DOC: mention that "compression offload" is ignored in defaults + section +- drop patches including in version upgrade. + - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch + - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch + - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch + - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch + - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch + - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch +- use www.haproxy.org now instead of the old domain which is just + redirecting to haproxy.org now. 
+ ------------------------------------------------------------------- Tue Jul 1 12:13:33 UTC 2014 - kgronlund@suse.com diff --git a/haproxy.spec b/haproxy.spec index 76f111e..3864eec 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -33,7 +33,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.5.1 +Version: 1.5.2 Release: 0 # # 
@@ -51,28 +51,21 @@ BuildRequires: vim
 %define pkg_name haproxy
 %define pkg_home /var/lib/%{pkg_name}
 #
-Url: http://haproxy.1wt.eu/
-Source: http://haproxy.1wt.eu/download/1.5/src/haproxy-%{version}.tar.gz
+Url: http://www.haproxy.org/
+Source: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
 Source1: %{pkg_name}.init
-Source2: http://haproxy.1wt.eu/download/contrib/haproxy.vim
+Source2: http://www.haproxy.org/download/contrib/haproxy.vim
 Source3: usr.sbin.haproxy.apparmor
 Source4: local.usr.sbin.haproxy.apparmor
 Patch1: haproxy-1.2.16_config_haproxy_user.patch
 Patch2: haproxy-makefile_lib.patch
 Patch3: sec-options.patch
 Patch4: haproxy-1.5_check_config_before_start.patch
-# PATCH-FIX-UPSTREAM: http: fetch "base" is not compatible with set-header
-Patch5: 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
-# PATCH-FIX-UPSTREAM: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
-Patch6: 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
-# PATCH-FIX-UPSTREAM: counters: do not untrack counters before logging
-Patch7: 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
-# PATCH-FIX-UPSTREAM: sample: correctly reinitialize sample fetch context before calling sample_process()
-Patch8: 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
-# PATCH-FIX-UPSTREAM: stick-table: make stktable_fetch_key() indicate why it failed
-Patch9: 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
-# PATCH-FIX-UPSTREAM: counters: fix track-sc* to wait on unstable contents
-Patch10: 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
+Patch5: 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
+Patch6: 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
+Patch7: 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
+Patch8: 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
+Patch9: 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
 Source99: haproxy-rpmlintrc
 #
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
@@ -111,7 +104,6 @@ the most work done from every CPU cycle.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
-%patch10 -p1
 %build %{__make} \
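Review bot: The new `Patch5:` through `Patch9:` entries drop the `# PATCH-FIX-UPSTREAM:` comment that every one of the removed Patch5–Patch10 entries carried, so a reader of the spec can no longer see the origin and subject of a patch without opening the file. Keep the convention for each new entry, e.g. `# PATCH-FIX-UPSTREAM: ssl: Fix a memory leak in DHE key exchange` above `Patch7:` and `# PATCH-FIX-UPSTREAM: connection: fix memory corruption when building a proxy v2 header` above `Patch9:`; the subjects for the other three are in the patch headers added by this diff.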