diff --git a/0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch b/0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
new file mode 100644
index 0000000..6ea7a6c
--- /dev/null
+++ b/0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
@@ -0,0 +1,83 @@
+From 7ccea2642c54f9a07f4fbd29d3b005008cd457a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cyril=20Bont=C3=A9?=
+Date: Sun, 4 Jan 2015 15:17:36 +0100
+Subject: [PATCH] BUG/MEDIUM: backend: correctly detect the domain when
+ use_domain_only is used
+
+balance hdr() provides on option 'use_domain_only' to match only the
+domain part in a header (designed for the Host header).
+
+Olivier Fredj reported that the hashes were not the same for
+'subdomain.domain.tld' and 'domain.tld'.
+
+This is because the pointer was rewinded one step to far, resulting in a hash
+calculated against wrong values :
+- '.domai' for 'subdomain.domain.tld'
+- ' domai' for 'domain.tld' (beginning with the space in the header line)
+
+Another special case is when no dot can be found in the header : the hash will
+be calculated against an empty string.
+
+The patch addresses both cases : 'domain' will be used to compute the hash for
+'subdomain.domain.tld', 'domain.tld' and 'domain' (using the whole header value
+for the last case).
+
+The fix must be backported to haproxy 1.5 and 1.4.
+(cherry picked from commit f607d81d09ab839fb1143b749ff231d6093f2038)
+---
+ src/backend.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/src/backend.c b/src/backend.c
+index ada8370..9980cf8 100644
+--- a/src/backend.c
++++ b/src/backend.c
+@@ -408,29 +408,33 @@ struct server *get_server_hh(struct session *s)
+ hash = gen_hash(px, p, len);
+ } else {
+ int dohash = 0;
+- p += len - 1;
+- start = end = p;
++ p += len;
+ /* special computation, use only main domain name, not tld/host
+ * going back from the end of string, start hashing at first
+ * dot stop at next.
+ * This is designed to work with the 'Host' header, and requires
+ * a special option to activate this.
+ */
++ end = p;
+ while (len) {
+- if (*p == '.') {
+- if (!dohash) {
+- dohash = 1;
+- start = end = p - 1;
+- }
+- else
++ if (dohash) {
++ /* Rewind the pointer until the previous char
++ * is a dot, this will allow to set the start
++ * position of the domain. */
++ if (*(p - 1) == '.')
+ break;
+- } else {
+- if (dohash)
+- start--;
+ }
+- len--;
++ else if (*p == '.') {
++ /* The pointer is rewinded to the dot before the
++ * tld, we memorize the end of the domain and
++ * can enter the domain processing. */
++ end = p;
++ dohash = 1;
++ }
+ p--;
++ len--;
+ }
++ start = p;
+ hash = gen_hash(px, start, (end - start));
+ }
+ if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
+--
+2.1.2
+
diff --git a/haproxy-1.5.10.tar.gz b/haproxy-1.5.10.tar.gz
new file mode 100644
index 0000000..a8b0685
--- /dev/null
+++ b/haproxy-1.5.10.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:090264c834477c290f6ad6da558731d50aede0800996742d15e870b9947fe517
+size 1339873
diff --git a/haproxy-1.5.8-fix-bashisms.patch b/haproxy-1.5.8-fix-bashisms.patch
new file mode 100644
index 0000000..7486886
--- /dev/null
+++ b/haproxy-1.5.8-fix-bashisms.patch
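Review bot: In the added src/backend.c patch (get_server_hh, the use_domain_only branch), a Host value written with a trailing dot is still hashed inconsistently: for `domain.tld.` the first dot met from the end is the trailing one, so `end` is set there and the scan stops at the previous dot, hashing `tld` instead of `domain`. Because the header value comes from the client, the same site can then map to a different server than `domain.tld` unless the value is normalised before this branch, which the hunk does not show; dropping one trailing dot before the scan, e.g. `if (len > 1 && p[len - 1] == '.') len--;` ahead of `p += len;`, would cover it. Separately, `p += len` makes the first `*p` test read the byte just past the value, which is harmless only if that byte always lies inside the request buffer, so a short comment such as `/* p starts one past the value; the first test reads the byte after it */` would help the next reader. The function body starts and ends outside the hunk.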
@@ -0,0 +1,76 @@
+diff -Ndur haproxy-1.5.8/examples/build.cfg haproxy-1.5.8-fix-bashisms/examples/build.cfg
+--- haproxy-1.5.8/examples/build.cfg 2014-10-31 11:06:53.000000000 +0200
++++ haproxy-1.5.8-fix-bashisms/examples/build.cfg 2014-11-17 04:09:42.408078486 +0200
+@@ -5,12 +5,12 @@
+ PATCH_LIST=
+ FILE_LIST=
+
+-function do_compile_only {
++do_compile_only() {
+ $FLXMAKE CPU_OPTS="-march=$arch -mcpu=$cpu -Os -mpreferred-stack-boundary=2 -momit-leaf-frame-pointer -malign-jumps=0" \
+ TARGET=linux24
+ }
+
+-function do_prepack {
++do_prepack() {
+ mkdir -p $ROOTDIR/sbin/init.d ; cp examples/init.haproxy.flx0 $ROOTDIR/sbin/init.d/haproxy
+ mkdir -p $ROOTDIR/usr/sbin ; cp haproxy $ROOTDIR/usr/sbin
+ mkdir -p $ROOTDIR/usr/share/examples/$PKGRADIX/$PKGRADIX-$PKGVER/etc/haproxy/
+diff -Ndur haproxy-1.5.8/examples/haproxy-1.1.21-flx.1.pkg haproxy-1.5.8-fix-bashisms/examples/haproxy-1.1.21-flx.1.pkg
+--- haproxy-1.5.8/examples/haproxy-1.1.21-flx.1.pkg 2014-10-31 11:06:53.000000000 +0200
++++ haproxy-1.5.8-fix-bashisms/examples/haproxy-1.1.21-flx.1.pkg 2014-11-17 04:09:28.396079434 +0200
+@@ -1,10 +1,10 @@
+ #!/bin/sh
+
+-function do_compile {
++do_compile() {
+ $FLXMAKE COPTS="-march=$arch -mcpu=$cpu -Os -mpreferred-stack-boundary=2 -momit-leaf-frame-pointer -malign-jumps=0 -DNETFILTER -DTRANSPARENT"
+ }
+
+-function do_prepack {
++do_prepack() {
+ mkdir -p $ROOTDIR/sbin/init.d ; cp init.d/haproxy $ROOTDIR/sbin/init.d
+ mkdir -p $ROOTDIR/usr/sbin ; cp haproxy $ROOTDIR/usr/sbin
+ mkdir -p $ROOTDIR/usr/share/examples/$PKGRADIX/$PKGRADIX-$PKGVER/etc
+diff -Ndur haproxy-1.5.8/examples/haproxy.init haproxy-1.5.8-fix-bashisms/examples/haproxy.init
+--- haproxy-1.5.8/examples/haproxy.init 2014-10-31 11:06:53.000000000 +0200
++++ haproxy-1.5.8-fix-bashisms/examples/haproxy.init 2014-11-17 04:10:05.127076949 +0200
+@@ -116,7 +116,7 @@
+ check
+ ;;
+ *)
+- echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
++ echo "Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
+ exit 1
+ esac
+
+diff -Ndur haproxy-1.5.8/examples/init.haproxy haproxy-1.5.8-fix-bashisms/examples/init.haproxy
+--- haproxy-1.5.8/examples/init.haproxy 2014-10-31 11:06:53.000000000 +0200
++++ haproxy-1.5.8-fix-bashisms/examples/init.haproxy 2014-11-17 04:10:58.897073312 +0200
+@@ -19,7 +19,7 @@
+ maintfd=0
+ fi
+
+-maxfd=$[$maxconn*2 + $maintfd]
++maxfd=$(($maxconn * 2 + $maintfd))
+ if [ $maxfd -lt 100 ]; then
+ maxfd=100;
+ fi
+@@ -31,7 +31,7 @@
+ # ulimit -c unlimited
+
+ # soft stop
+-function do_stop {
++do_stop() {
+ pids=`pidof -o $$ -- $PNAME`
+ if [ ! -z "$pids" ]; then
+ echo "Asking $PNAME to terminate gracefully..."
+@@ -41,7 +41,7 @@
+ }
+
+ # dump status
+-function do_status {
++do_status() {
+ pids=`pidof -o $$ -- $PNAME`
+ if [ ! -z "$pids" ]; then
+ echo "Dumping $PNAME status in logs."
diff --git a/haproxy-1.5.9.tar.gz b/haproxy-1.5.9.tar.gz
deleted file mode 100644
index 3a2de9d..0000000
--- a/haproxy-1.5.9.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5f51aa8e20a8a3a11be16bd5f5ef382a5e95526803a89182fe1c15a428564722
-size 1339917
diff --git a/haproxy.changes b/haproxy.changes
index b4bb0c4..396fd15 100644
--- a/haproxy.changes
+++ b/haproxy.changes
@@ -1,3 +1,93 @@
+-------------------------------------------------------------------
+Tue Jan 6 09:28:16 UTC 2015 - mrueckert@suse.de
+
+- pull fix from usptream:
+ 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
+ BUG/MEDIUM: backend: correctly detect the domain when
+ use_domain_only is used
+
+-------------------------------------------------------------------
+Wed Dec 31 22:17:18 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.10
+ - DOC: fix a few typos
+ - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407
+ Unauthorized"
+ - BUG/MINOR: parse: refer curproxy instead of proxy
+ - DOC: httplog does not support 'no'
+ - MINOR: map/acl/dumpstats: remove the "Done." message
+ - BUG/MEDIUM: sample: fix random number upper-bound
+ - BUG/MEDIUM: patterns: previous fix was incomplete
+ - BUG/MEDIUM: payload: ensure that a request channel is available
+ - BUG/MINOR: tcp-check: don't condition data polling on check
+ type
+ - BUG/MEDIUM: tcp-check: don't rely on random memory contents
+ - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is
+ an expect
+ - BUG/MINOR: config: fix typo in condition when propagating
+ process binding
+ - BUG/MEDIUM: config: do not propagate processes between stopped
+ processes
+ - BUG/MAJOR: stream-int: properly check the memory allocation
+ return
+ - BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
+ - BUG/MEDIUM: compression: correctly report zlib_mem
+- drop patches that we pulled from git before:
+ 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch
+ 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch
+ 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch
+ 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch
+ 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch
+ 0006-DOC-fix-a-few-typos.patch
+ 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch
+ 0008-DOC-httplog-does-not-support-no.patch
+ 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch
+ 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch
+ 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
+ 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
+
+-------------------------------------------------------------------
+Sat Dec 20 01:20:07 UTC 2014 - mrueckert@suse.de
+
+- pulled some more fixes from git:
+ 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch
+ 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch
+ 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch
+ 0006-DOC-fix-a-few-typos.patch
+ 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch
+ 0008-DOC-httplog-does-not-support-no.patch
+ 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch
+ 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch
+ 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
+ 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
+
+ see patch headers for details.
+
+-------------------------------------------------------------------
+Fri Nov 28 18:21:43 UTC 2014 - mrueckert@suse.de
+
+- pulled 2 fixes from git:
+ - 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch
+ Dmitry Sivachenko reported that commit
+ 315ec42 ("BUG/MEDIUM: pattern: don't load more than once a
+ pattern list.") relies on an uninitialised variable in the
+ stack. While it used to work fine during the tests, if the
+ uninitialized variable is non-null, some patterns may be
+ aggregated if loaded multiple times, resulting in slower
+ processing, which was the original issue it tried to address.
+ - 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch
+ Denys Fedoryshchenko reported a segfault when using certain
+ sample fetch functions in the "tcp-request connection" rulesets
+ despite the warnings. This is because some tests for the
+ existence of the channel were missing.
+
+-------------------------------------------------------------------
+Wed Nov 26 12:29:42 UTC 2014 - ledest@gmail.com
+
+- fix bashisms in example scripts
+- add patches:
+ * haproxy-1.5.8-fix-bashisms.patch
+
 -------------------------------------------------------------------
 Wed Nov 26 11:50:42 UTC 2014 - mrueckert@suse.de
diff --git a/haproxy.spec b/haproxy.spec
index 96ad973..684575d 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -33,7 +33,7 @@ %bcond_without apparmor
 Name: haproxy
-Version: 1.5.9
+Version: 1.5.10
 Release: 0
 #
 #
@@ -60,6 +60,10 @@ Source4: local.usr.sbin.haproxy.apparmor
 Patch1: haproxy-1.2.16_config_haproxy_user.patch
 Patch2: haproxy-makefile_lib.patch
 Patch3: sec-options.patch
+Patch4: haproxy-1.5.8-fix-bashisms.patch
+# PATCH-UPSTREAM
+Patch5: 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
+#
 Source99: haproxy-rpmlintrc
 #
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
@@ -92,6 +96,8 @@ the most work done from every CPU cycle.
 %patch1
 %patch2
 %patch3
+%patch4 -p1
+%patch5 -p1
 %build
 %{__make} \