diff --git a/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch b/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch deleted file mode 100644 index b0c78e6..0000000 --- a/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch +++ /dev/null @@ -1,217 +0,0 @@ -From b7a98f9265ffb5927c4d54c9a30726c76e65bb52 Mon Sep 17 00:00:00 2001 -From: Quentin Armitage -Date: Sat, 10 Nov 2018 19:03:47 +0000 -Subject: [PATCH] Update to support libipset version 7 - -Issue #1058 reported that keepalived failed to build with libipset -version 7. This commit updates keepalived to detect if the version -of the keepalived libraries is pre v7 or not, and compiles -appropriately. - -Signed-off-by: Quentin Armitage ---- - configure.ac | 21 ++++++++++++ - keepalived/include/vrrp_ipset.h | 2 +- - keepalived/vrrp/vrrp_ipset.c | 58 ++++++++++++++++++++++++++++++--- - keepalived/vrrp/vrrp_iptables.c | 2 +- - 4 files changed, 76 insertions(+), 7 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ecec32a2..708b04fe 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1212,6 +1212,27 @@ if test .${enable_libiptc} != .no -a .$enable_vrrp != .no; then - [AC_DEFINE([LIBIPSET_H_ADD_IP_SET_H_GUARD], [1], [Define to add guard _IP_SET_H before including ])]) - ]) - fi -+ -+ if test $USE_LIBIPSET = Yes; then -+ AC_MSG_CHECKING([for libipset version 7 or later]) -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE( -+ [[ -+ #include -+ -+ void test_func(void) -+ { -+ ipset_session_init(NULL, NULL); -+ } -+ ]])], -+ [ -+ AC_MSG_RESULT([yes]) -+ ], -+ [ -+ AC_MSG_RESULT([no]) -+ AC_DEFINE([LIBIPSET_PRE_V7_COMPAT], [ 1 ], [Define to 1 if libipset library version prior to v7]) -+ add_system_opt[LIBIPSET_PRE_V7] -+ ]) -+ fi - ]) - LIBS="$SAV_LIBS" - fi -diff --git a/keepalived/include/vrrp_ipset.h b/keepalived/include/vrrp_ipset.h -index 5a1a9562..5d83b21a 100644 ---- a/keepalived/include/vrrp_ipset.h -+++ b/keepalived/include/vrrp_ipset.h -@@ -29,7 +29,7 @@ - bool add_ipsets(bool); - bool remove_ipsets(void); - bool has_ipset_setname(void*, const char *); --bool ipset_init(void); -+bool ipset_initialise(void); - void* ipset_session_start(void); - void ipset_session_end(void*); - void ipset_entry(void*, int cmd, const ip_address_t*); -diff --git a/keepalived/vrrp/vrrp_ipset.c b/keepalived/vrrp/vrrp_ipset.c -index 4b3ab7cd..dbe248eb 100644 ---- a/keepalived/vrrp/vrrp_ipset.c -+++ b/keepalived/vrrp/vrrp_ipset.c -@@ -43,6 +43,9 @@ - #endif - #include - #include -+#ifndef LIBIPSET_PRE_V7_COMPAT -+#include -+#endif - #include - #include /* For __beXX types in userland */ - #include /* For nf_inet_addr */ -@@ -60,11 +63,18 @@ - #include - - /* The addresses of the functions we want */ -+#ifdef LIBIPSET_PRE_V7_COMPAT - struct ipset_session* (*ipset_session_init_addr)(ipset_outfn outfn); -+#else -+struct ipset_session* (*ipset_session_init_addr)(ipset_print_outfn outfn, void *p); -+#endif - int (*ipset_session_fini_addr)(struct ipset_session *session); - struct ipset_data* (*ipset_session_data_addr)(const struct ipset_session *session); --const char* (*ipset_session_error_addr)(const struct ipset_session *session); -+#ifdef LIBIPSET_PRE_V7_COMPAT - int (*ipset_envopt_parse_addr)(struct ipset_session *session, int env, const char *str); -+#else -+void (*ipset_envopt_set_addr)(struct ipset_session *session, int env); -+#endif - const struct ipset_type* (*ipset_type_get_addr)(struct ipset_session *session, enum ipset_cmd cmd); - int (*ipset_data_set_addr)(struct ipset_data *data, enum ipset_opt opt, const void *value); - int (*ipset_cmd_addr)(struct ipset_session *session, enum ipset_cmd cmd, uint32_t lineno); -@@ -74,8 +84,11 @@ void (*ipset_load_types_addr)(void); - #define ipset_session_init (*ipset_session_init_addr) - #define ipset_session_fini (*ipset_session_fini_addr) - #define ipset_session_data (*ipset_session_data_addr) --#define ipset_session_error (*ipset_session_error_addr) -+#ifdef LIBIPSET_PRE_V7_COMPAT - #define ipset_envopt_parse (*ipset_envopt_parse_addr) -+#else -+#define ipset_envopt_set (*ipset_envopt_set_addr) -+#endif - #define ipset_type_get (*ipset_type_get_addr) - #define ipset_data_set (*ipset_data_set_addr) - /* Unfortunately ipset_cmd conflicts with struct ipset_cmd */ -@@ -87,6 +100,22 @@ static void* libipset_handle; - #define ipset_cmd1 ipset_cmd - #endif - -+#ifndef LIBIPSET_PRE_V7_COMPAT -+static int -+ipset_printf(__attribute ((__unused__)) struct ipset_session *session, void *p, const char *fmt, ...) -+{ -+ va_list args; -+ -+ log_message(LOG_INFO, "libipset message from %s", (const char *)p); -+ -+ va_start(args, fmt); -+ vlog_message(LOG_INFO, fmt, args); -+ va_end(args); -+ -+ return 0; -+} -+#endif -+ - static bool - do_ipset_cmd(struct ipset_session* session, enum ipset_cmd cmd, const char *setname, - const ip_address_t *addr, uint32_t timeout, const char* iface) -@@ -162,7 +191,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i - { - struct ipset_session *session; - -+#ifdef LIBIPSET_PRE_V7_COMPAT - session = ipset_session_init(printf); -+#else -+ session = ipset_session_init(ipset_printf, "create_sets"); -+#endif - if (!session) { - log_message(LOG_INFO, "Cannot initialize ipset session."); - return false; -@@ -171,7 +204,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i - /* If we aren't reloading, don't worry if sets already exists. With the - * IPSET_ENV_EXIST option set, any existing entries in the set are removed. */ - if (!reload) -+#ifdef LIBIPSET_PRE_V7_COMPAT - ipset_envopt_parse(session, IPSET_ENV_EXIST, NULL); -+#else -+ ipset_envopt_set(session, IPSET_ENV_EXIST); -+#endif - - if (block_ipv4) { - if (!reload || !has_ipset_setname(session, addr4)) -@@ -220,7 +257,7 @@ bool set_match_loaded(void) - return found; - } - --bool ipset_init(void) -+bool ipset_initialise(void) - { - #ifdef _LIBIPSET_DYNAMIC_ - if (libipset_handle) -@@ -252,8 +289,11 @@ bool ipset_init(void) - if (!(ipset_session_init_addr = dlsym(libipset_handle, "ipset_session_init")) || - !(ipset_session_fini_addr = dlsym(libipset_handle, "ipset_session_fini")) || - !(ipset_session_data_addr = dlsym(libipset_handle,"ipset_session_data")) || -- !(ipset_session_error_addr = dlsym(libipset_handle,"ipset_session_error")) || -+#ifdef LIBIPSET_PRE_V7_COMPAT - !(ipset_envopt_parse_addr = dlsym(libipset_handle,"ipset_envopt_parse")) || -+#else -+ !(ipset_envopt_set_addr = dlsym(libipset_handle,"ipset_envopt_set")) || -+#endif - !(ipset_type_get_addr = dlsym(libipset_handle,"ipset_type_get")) || - !(ipset_data_set_addr = dlsym(libipset_handle,"ipset_data_set")) || - !(ipset_cmd_addr = dlsym(libipset_handle,"ipset_cmd")) || -@@ -285,7 +325,11 @@ bool remove_ipsets(void) - return true; - #endif - -+#ifdef LIBIPSET_PRE_V7_COMPAT - session = ipset_session_init(printf); -+#else -+ session = ipset_session_init(ipset_printf, "remove_ipsets"); -+#endif - if (!session) { - log_message(LOG_INFO, "Cannot initialize ipset session."); - return false; -@@ -311,7 +355,11 @@ bool add_ipsets(bool reload) - - void* ipset_session_start(void) - { -- return ipset_session_init(NULL); -+#ifdef LIBIPSET_PRE_V7_COMPAT -+ return ipset_session_init(printf); -+#else -+ return ipset_session_init(ipset_printf, "session_start"); -+#endif - } - - void ipset_session_end(void* vsession) -diff --git a/keepalived/vrrp/vrrp_iptables.c b/keepalived/vrrp/vrrp_iptables.c -index 874b0d0b..9b05ca66 100644 ---- a/keepalived/vrrp/vrrp_iptables.c -+++ b/keepalived/vrrp/vrrp_iptables.c -@@ -468,7 +468,7 @@ iptables_init_lib(void) - #endif - - #ifdef _HAVE_LIBIPSET_ -- if (global_data->using_ipsets && !ipset_init()) -+ if (global_data->using_ipsets && !ipset_initialise()) - global_data->using_ipsets = false; - #endif - diff --git a/keepalived-2.0.10.tar.gz b/keepalived-2.0.10.tar.gz new file mode 100644 index 0000000..f1468c7 --- /dev/null +++ b/keepalived-2.0.10.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:40e0e55afed9ca313d621a9c5878579696fafb5504dab521aadaf20ba6e7f597 +size 927631 diff --git a/keepalived-2.0.9.tar.gz b/keepalived-2.0.9.tar.gz deleted file mode 100644 index b5a670e..0000000 --- a/keepalived-2.0.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3930b2e43bc8e7109ddb17d32f88cdd58071f2a9a41efa55852ca9ee26cd52c5 -size 924455 diff --git a/keepalived.changes b/keepalived.changes index 21af91f..a18b7d6 100644 --- a/keepalived.changes +++ b/keepalived.changes @@ -1,3 +1,43 @@ +------------------------------------------------------------------- +Wed Nov 28 12:27:13 UTC 2018 - Marcus Rueckert + +- update to 2.0.10 + - Fix compiling on Alpine Linux. + - Stop printf compiler warning on Alpine Linux due to rlim_t. + - manpage cosmetic. + - Fix removing snmpd read threads when snmpd becomes unavailable. + - Update to support libipset version 7. + - Use ipset_printf for ipset messages so can go to log. + - When opening files for write, ensure files can only be read by + root. Issue #1048 referred to CVE-2018-19046 regarding files + used for debugging purposes could potentially be read by non + root users. This commit ensures that such log files cannot be + opened by non root users. + - Disable fopen_safe() append mode by default If a non privileged + user creates /tmp/keepalived.log and has it open for read (e.g. + tail -f), then even though keepalived will change the owner to + root and remove all read/write permissions from non owners, the + application which already has the file open will be able to + read the added log entries. Accordingly, opening a file in + append mode is disabled by default, and only enabled if + --enable-smtp-alert-debug or --enable-log-file (which are + debugging options and unset by default) are enabled. This + should further alleviate security concerns related to + CVE-2018-19046. + - vrrp: add support to constant time memcmp. Just an update to + use best practise security design pattern. While comparing + password or hmac you need to ensure comparison function is time + constant in order to figth against any timing attacks. We turn + off potential compiler optimizations for this particular + function to avoid any short circuit. + - Make sure a non privileged user cannot read keepalived file + output Ensure that when a file such as /tmp/keepalived.data is + written, no non privileged can have a previous version of that + file already open, thereby allowing them to read the data. + This should fully resolve CVE-2018-19046. +- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in + update + ------------------------------------------------------------------- Sat Nov 10 21:01:14 UTC 2018 - Marcus Rueckert diff --git a/keepalived.spec b/keepalived.spec index 2f3cb09..39c675d 100644 --- a/keepalived.spec +++ b/keepalived.spec @@ -34,7 +34,7 @@ %bcond_without json Name: keepalived -Version: 2.0.9 +Version: 2.0.10 Release: 0 Summary: A keepalive facility for Linux License: GPL-2.0-or-later @@ -45,7 +45,6 @@ Source2: keepalive-rpmlintrc Patch1: keepalive-init.patch # PATCH-FIX-UPSTREAM: https://github.com/acassen/keepalived/commit/947248af144bcab6376ccddab8dc40f313b14281.patch Patch2: linux-4.15.patch -Patch3: b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch BuildRequires: libnfnetlink-devel %if %{with json} BuildRequires: libjson-c-devel @@ -86,12 +85,6 @@ BuildRequires: systemd-rpm-macros %else Requires(pre): %insserv_prereq %endif -# remove when you remove b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool - -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This project provides facilities for load balancing and high-availability to @@ -109,11 +102,9 @@ resilient infrastructures. %setup -q %patch1 -p1 %patch2 -p1 -%patch3 -p1 chmod 644 doc/samples/* %build -autoreconf -fi export STRIP=true export CPPFLAGS="$(pkg-config --cflags libnfnetlink libiptc libipset xtables)" export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN"