[arch-commits] Commit in haproxy/repos (18 files)
Johannes Löthberg
demize at archlinux.org
Wed Jul 20 14:10:19 UTC 2016
Date: Wednesday, July 20, 2016 @ 14:10:18
Author: demize
Revision: 183627
db-move: moved haproxy from [community-testing] to [community] (i686, x86_64)
Added:
haproxy/repos/community-i686/PKGBUILD
(from rev 183626, haproxy/repos/community-testing-i686/PKGBUILD)
haproxy/repos/community-i686/haproxy.cfg
(from rev 183626, haproxy/repos/community-testing-i686/haproxy.cfg)
haproxy/repos/community-i686/haproxy.install
(from rev 183626, haproxy/repos/community-testing-i686/haproxy.install)
haproxy/repos/community-x86_64/PKGBUILD
(from rev 183626, haproxy/repos/community-testing-x86_64/PKGBUILD)
haproxy/repos/community-x86_64/haproxy.cfg
(from rev 183626, haproxy/repos/community-testing-x86_64/haproxy.cfg)
haproxy/repos/community-x86_64/haproxy.install
(from rev 183626, haproxy/repos/community-testing-x86_64/haproxy.install)
Deleted:
haproxy/repos/community-i686/CVE-2016-5360-reqdeny.patch
haproxy/repos/community-i686/PKGBUILD
haproxy/repos/community-i686/gcc6-fix.patch
haproxy/repos/community-i686/haproxy.cfg
haproxy/repos/community-i686/haproxy.install
haproxy/repos/community-testing-i686/
haproxy/repos/community-testing-x86_64/
haproxy/repos/community-x86_64/CVE-2016-5360-reqdeny.patch
haproxy/repos/community-x86_64/PKGBUILD
haproxy/repos/community-x86_64/gcc6-fix.patch
haproxy/repos/community-x86_64/haproxy.cfg
haproxy/repos/community-x86_64/haproxy.install
----------------------------------------------+
/PKGBUILD | 140 +++++++++++++++++++++++++
/haproxy.cfg | 98 +++++++++++++++++
/haproxy.install | 8 +
community-i686/CVE-2016-5360-reqdeny.patch | 117 --------------------
community-i686/PKGBUILD | 70 ------------
community-i686/gcc6-fix.patch | 107 -------------------
community-i686/haproxy.cfg | 49 --------
community-i686/haproxy.install | 4
community-x86_64/CVE-2016-5360-reqdeny.patch | 117 --------------------
community-x86_64/PKGBUILD | 70 ------------
community-x86_64/gcc6-fix.patch | 107 -------------------
community-x86_64/haproxy.cfg | 49 --------
community-x86_64/haproxy.install | 4
13 files changed, 246 insertions(+), 694 deletions(-)
Deleted: community-i686/CVE-2016-5360-reqdeny.patch
===================================================================
--- community-i686/CVE-2016-5360-reqdeny.patch 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-i686/CVE-2016-5360-reqdeny.patch 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,117 +0,0 @@
-From: Willy Tarreau <w at 1wt.eu>
-Date: Wed, 25 May 2016 14:23:59 +0000 (+0200)
-Subject: BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
-X-Git-Url: http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff_plain;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b;hp=0c60f3790d6f177f123d4ae63d5f17868c789d12
-
-BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
-
-Commit 108b1dd ("MEDIUM: http: configurable http result codes for
-http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
-a new field "rule_deny_status" into struct http_txn, which is filled only
-by actions "http-request deny" and "http-request tarpit". It's then used
-in the deny code path to emit the proper error message, but is used
-uninitialized when the deny comes from a "reqdeny" rule, causing random
-behaviours ranging from returning a 200, an empty response, or crashing
-the process. Often upon startup only 200 was returned but after the fields
-are used the crash happens. This can be sped up using -dM.
-
-There's no need at all for storing this status in the http_txn struct
-anyway since it's used immediately after being set. Let's store it in
-a temporary variable instead which is passed as an argument to function
-http_req_get_intercept_rule().
-
-As an extra benefit, removing it from struct http_txn reduced the size
-of this struct by 8 bytes.
-
-This fix must be backported to 1.6 where the bug was detected. Special
-thanks to Falco Schmutz for his detailed report including an exploitable
-core and a reproducer.
-(cherry picked from commit 58727ec088e55f739b146cff3baa955f8d1b2a3e)
----
-
-diff --git a/include/types/proto_http.h b/include/types/proto_http.h
-index e5e9667..c3a73ef 100644
---- a/include/types/proto_http.h
-+++ b/include/types/proto_http.h
-@@ -362,7 +362,6 @@ struct http_txn {
- unsigned int flags; /* transaction flags */
- enum http_meth_t meth; /* HTTP method */
- /* 1 unused byte here */
-- short rule_deny_status; /* HTTP status from rule when denying */
- short status; /* HTTP status from the server, negative if from proxy */
-
- char *uri; /* first line if log needed, NULL otherwise */
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 59cd5d2..6eac62b 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
- * further processing of the request (auth, deny, ...), and defaults to
- * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
- * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
-- * on txn->flags if it encounters a tarpit rule.
-+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
-+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
-+ * status.
- */
- enum rule_result
--http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
-+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
- {
- struct session *sess = strm_sess(s);
- struct http_txn *txn = s->txn;
-@@ -3539,12 +3541,14 @@ resume_execution:
- return HTTP_RULE_RES_STOP;
-
- case ACT_ACTION_DENY:
-- txn->rule_deny_status = rule->deny_status;
-+ if (deny_status)
-+ *deny_status = rule->deny_status;
- return HTTP_RULE_RES_DENY;
-
- case ACT_HTTP_REQ_TARPIT:
- txn->flags |= TX_CLTARPIT;
-- txn->rule_deny_status = rule->deny_status;
-+ if (deny_status)
-+ *deny_status = rule->deny_status;
- return HTTP_RULE_RES_DENY;
-
- case ACT_HTTP_REQ_AUTH:
-@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
- struct redirect_rule *rule;
- struct cond_wordlist *wl;
- enum rule_result verdict;
-+ int deny_status = HTTP_ERR_403;
-
- if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
- /* we need more data */
-@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
-
- /* evaluate http-request rules */
- if (!LIST_ISEMPTY(&px->http_req_rules)) {
-- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
-+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
-
- switch (verdict) {
- case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
-@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
-
- /* parse the whole stats request and extract the relevant information */
- http_handle_stats(s, req);
-- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
-+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
- /* not all actions implemented: deny, allow, auth */
-
- if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
-@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
- manage_client_side_cookies(s, req);
-
- txn->flags |= TX_CLDENY;
-- txn->status = http_err_codes[txn->rule_deny_status];
-+ txn->status = http_err_codes[deny_status];
- s->logs.tv_request = now;
-- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
-+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
- stream_inc_http_err_ctr(s);
- sess->fe->fe_counters.denied_req++;
- if (sess->fe != s->be)
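Review bot: dropping CVE-2016-5360-reqdeny.patch is only safe if the 1.6.7 tarball already contains the upstream fix, and nothing in this commit records that check. The patch header names the fix as 60f01f8c89e4fb2723d5a9f2046286e699567e0b in haproxy-1.6.git (cherry picked from 58727ec088e55f739b146cff3baa955f8d1b2a3e); confirm that commit is part of the 1.6.7 release and say so in the log message, since "db-move" alone hides the removal of a security patch. The source=() array of the 1.6.6 PKGBUILD removed in this same commit does not list this file either, so it is also worth stating whether it was still being applied.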
Deleted: community-i686/PKGBUILD
===================================================================
--- community-i686/PKGBUILD 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-i686/PKGBUILD 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,70 +0,0 @@
-# $Id$
-# Maintainer: Johannes Löthberg <johannes at kyriasis.com>
-# Contributor: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
-
-pkgname=haproxy
-pkgver=1.6.6
-pkgrel=1
-
-pkgdesc='Reliable, high performance TCP/HTTP load balancer'
-url='http://haproxy.org/'
-arch=('i686' 'x86_64')
-license=('GPL')
-
-depends=('openssl' 'pcre' 'zlib' 'lua')
-
-backup=('etc/haproxy/haproxy.cfg')
-
-install=haproxy.install
-
-source=(http://haproxy.org/download/${pkgver%.*}/src/haproxy-$pkgver.tar.gz
- haproxy.cfg)
-
-md5sums=('b418d83cf4f2da328f6eb8c255b8716b'
- '02241a8ca257d12f7eb131e2d7da3f3b')
-
-prepare() {
- cd haproxy-$pkgver
- sed -i 's:/usr/sbin/haproxy:/usr/bin/haproxy:' src/haproxy-systemd-wrapper.c
-}
-
-build() {
- cd haproxy-$pkgver
-
- make CPU=generic TARGET=linux2628 \
- USE_GETADDRINFO=1 \
- USE_OPENSSL=1 \
- USE_PCRE=1 USE_PCRE_JIT=1 \
- USE_ZLIB=1 \
- USE_LUA=1
-
- for contrib in halog iprange systemd; do
- make -C contrib/$contrib SBINDIR=/usr/bin
- done
-}
-
-package() {
- cd haproxy-$pkgver
- make \
- EXTRA=haproxy-systemd-wrapper \
- PREFIX="$pkgdir"/usr \
- SBINDIR="$pkgdir"/usr/bin \
- DOCDIR="$pkgdir"/usr/share/$pkgname \
- install
-
- for contrib in halog iprange; do
- install -Dm755 contrib/$contrib/$contrib "$pkgdir"/usr/bin/$contrib
- done
-
- install -Dm644 ../haproxy.cfg "$pkgdir"/etc/haproxy/haproxy.cfg
- install -Dm644 contrib/systemd/haproxy.service \
- "$pkgdir"/usr/lib/systemd/system/haproxy.service
-
- install -d "$pkgdir"/usr/share/haproxy/examples/errorfiles
- install -m644 examples/*.cfg "$pkgdir"/usr/share/haproxy/examples/
- install -m644 examples/errorfiles/*.http \
- "$pkgdir"/usr/share/haproxy/examples/errorfiles/
-
- install -Dm644 examples/haproxy.vim \
- "$pkgdir"/usr/share/vim/vimfiles/syntax/haproxy.vim
-}
Copied: haproxy/repos/community-i686/PKGBUILD (from rev 183626, haproxy/repos/community-testing-i686/PKGBUILD)
===================================================================
--- community-i686/PKGBUILD (rev 0)
+++ community-i686/PKGBUILD 2016-07-20 14:10:18 UTC (rev 183627)
@@ -0,0 +1,70 @@
+# $Id$
+# Maintainer: Johannes Löthberg <johannes at kyriasis.com>
+# Contributor: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+
+pkgname=haproxy
+pkgver=1.6.7
+pkgrel=1
+
+pkgdesc='Reliable, high performance TCP/HTTP load balancer'
+url='http://haproxy.org/'
+arch=('i686' 'x86_64')
+license=('GPL')
+
+depends=('openssl' 'pcre' 'zlib' 'lua')
+
+backup=('etc/haproxy/haproxy.cfg')
+
+install=haproxy.install
+
+source=(http://haproxy.org/download/${pkgver%.*}/src/haproxy-$pkgver.tar.gz
+ haproxy.cfg)
+
+md5sums=('a046ed63b00347bd367b983529dd541f'
+ '02241a8ca257d12f7eb131e2d7da3f3b')
+
+prepare() {
+ cd haproxy-$pkgver
+ sed -i 's:/usr/sbin/haproxy:/usr/bin/haproxy:' src/haproxy-systemd-wrapper.c
+}
+
+build() {
+ cd haproxy-$pkgver
+
+ make CPU=generic TARGET=linux2628 \
+ USE_GETADDRINFO=1 \
+ USE_OPENSSL=1 \
+ USE_PCRE=1 USE_PCRE_JIT=1 \
+ USE_ZLIB=1 \
+ USE_LUA=1
+
+ for contrib in halog iprange systemd; do
+ make -C contrib/$contrib SBINDIR=/usr/bin
+ done
+}
+
+package() {
+ cd haproxy-$pkgver
+ make \
+ EXTRA=haproxy-systemd-wrapper \
+ PREFIX="$pkgdir"/usr \
+ SBINDIR="$pkgdir"/usr/bin \
+ DOCDIR="$pkgdir"/usr/share/$pkgname \
+ install
+
+ for contrib in halog iprange; do
+ install -Dm755 contrib/$contrib/$contrib "$pkgdir"/usr/bin/$contrib
+ done
+
+ install -Dm644 ../haproxy.cfg "$pkgdir"/etc/haproxy/haproxy.cfg
+ install -Dm644 contrib/systemd/haproxy.service \
+ "$pkgdir"/usr/lib/systemd/system/haproxy.service
+
+ install -d "$pkgdir"/usr/share/haproxy/examples/errorfiles
+ install -m644 examples/*.cfg "$pkgdir"/usr/share/haproxy/examples/
+ install -m644 examples/errorfiles/*.http \
+ "$pkgdir"/usr/share/haproxy/examples/errorfiles/
+
+ install -Dm644 examples/haproxy.vim \
+ "$pkgdir"/usr/share/vim/vimfiles/syntax/haproxy.vim
+}
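Review bot: the upstream tarball in source=() is fetched over plain http:// and verified only against md5sums, so the integrity of the 1.6.7 sources rests on MD5 and an unauthenticated download. Replace the md5sums array with sha256sums, and use an https:// source URL if the upstream host serves one; the checksum change applies to the unchanged haproxy.cfg entry as well.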
Deleted: community-i686/gcc6-fix.patch
===================================================================
--- community-i686/gcc6-fix.patch 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-i686/gcc6-fix.patch 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,107 +0,0 @@
-diff --git a/include/proto/proto_http.h b/include/proto/proto_http.h
-index 4d8f5365b625..0aa6643b98da 100644
---- a/include/proto/proto_http.h
-+++ b/include/proto/proto_http.h
-@@ -110,7 +110,7 @@ void http_set_status(unsigned int status, struct stream *s);
- int http_transform_header_str(struct stream* s, struct http_msg *msg, const char* name,
- unsigned int name_len, const char *str, struct my_regex *re,
- int action);
--void inet_set_tos(int fd, struct sockaddr_storage from, int tos);
-+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos);
- void http_perform_server_redirect(struct stream *s, struct stream_interface *si);
- void http_return_srv_error(struct stream *s, struct stream_interface *si);
- void http_capture_bad_message(struct error_snapshot *es, struct stream *s,
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 3fee54e0db1d..48e584cf73e7 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -287,7 +287,7 @@ int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf,
- }
-
- /* OK the address looks correct */
-- ss = *ss2;
-+ memcpy(&ss, ss2, sizeof(ss));
-
- for (; port <= end; port++) {
- l = calloc(1, sizeof(*l));
-diff --git a/src/connection.c b/src/connection.c
-index 330f3efbc995..5515188c6b10 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -744,7 +744,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- const char pp2_signature[] = PP2_SIGNATURE;
- int ret = 0;
- struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf;
-- struct sockaddr_storage null_addr = {0};
-+ struct sockaddr_storage null_addr = { .ss_family = 0 };
- struct sockaddr_storage *src = &null_addr;
- struct sockaddr_storage *dst = &null_addr;
-
-diff --git a/src/hlua.c b/src/hlua.c
-index f6eb8aa80ee0..94f97429c895 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -4781,7 +4781,7 @@ __LJMP static int hlua_txn_set_tos(lua_State *L)
- tos = MAY_LJMP(luaL_checkinteger(L, 2));
-
- if ((cli_conn = objt_conn(htxn->s->sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, tos);
-
- return 0;
- }
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 21ad131c9f43..416504247a8d 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3189,15 +3189,15 @@ int http_handle_stats(struct stream *s, struct channel *req)
- /* Sets the TOS header in IPv4 and the traffic class header in IPv6 packets
- * (as per RFC3260 #4 and BCP37 #4.2 and #5.2).
- */
--void inet_set_tos(int fd, struct sockaddr_storage from, int tos)
-+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos)
- {
- #ifdef IP_TOS
-- if (from.ss_family == AF_INET)
-+ if (from->ss_family == AF_INET)
- setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
- #endif
- #ifdef IPV6_TCLASS
-- if (from.ss_family == AF_INET6) {
-- if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&from)->sin6_addr))
-+ if (from->ss_family == AF_INET6) {
-+ if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)from)->sin6_addr))
- /* v4-mapped addresses need IP_TOS */
- setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
- else
-@@ -3363,7 +3363,7 @@ resume_execution:
-
- case ACT_HTTP_SET_TOS:
- if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
- break;
-
- case ACT_HTTP_SET_MARK:
-@@ -3646,7 +3646,7 @@ resume_execution:
-
- case ACT_HTTP_SET_TOS:
- if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
- break;
-
- case ACT_HTTP_SET_MARK:
-diff --git a/src/proto_tcp.c b/src/proto_tcp.c
-index a44912af4654..bbe12e2d4c0d 100644
---- a/src/proto_tcp.c
-+++ b/src/proto_tcp.c
-@@ -435,7 +435,7 @@ int tcp_connect_server(struct connection *conn, int data, int delack)
- struct sockaddr_storage sa;
-
- ret = 1;
-- sa = src->source_addr;
-+ memcpy(&sa, &src->source_addr, sizeof(sa));
-
- do {
- /* note: in case of retry, we may have to release a previously
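Review bot: in the inet_set_tos() hunk of this patch the parameter becomes const struct sockaddr_storage *from, but the cast (struct sockaddr_in6 *)from handed to IN6_IS_ADDR_V4MAPPED discards that const. If the patch is ever carried again, cast to const struct sockaddr_in6 * instead. Neither PKGBUILD in this commit lists gcc6-fix.patch in source=(), so removing the file does not change what gets built.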
Deleted: community-i686/haproxy.cfg
===================================================================
--- community-i686/haproxy.cfg 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-i686/haproxy.cfg 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,49 +0,0 @@
-#---------------------------------------------------------------------
-# Example configuration. See the full configuration manual online.
-#
-# http://www.haproxy.org/download/1.6/doc/configuration.txt
-#
-#---------------------------------------------------------------------
-
-global
- maxconn 20000
- log 127.0.0.1 local0
- user haproxy
- chroot /usr/share/haproxy
- pidfile /run/haproxy.pid
- daemon
-
-frontend main
- bind :5000
- mode http
- log global
- option httplog
- option dontlognull
- option http_proxy
- option forwardfor except 127.0.0.0/8
- maxconn 8000
- timeout client 30s
-
- acl url_static path_beg -i /static /images /javascript /stylesheets
- acl url_static path_end -i .jpg .gif .png .css .js
-
- use_backend static if url_static
- default_backend app
-
-backend static
- mode http
- balance roundrobin
- timeout connect 5s
- timeout server 5s
- server static 127.0.0.1:4331 check
-
-backend app
- mode http
- balance roundrobin
- timeout connect 5s
- timeout server 30s
- timeout queue 30s
- server app1 127.0.0.1:5001 check
- server app2 127.0.0.1:5002 check
- server app3 127.0.0.1:5003 check
- server app4 127.0.0.1:5004 check
Copied: haproxy/repos/community-i686/haproxy.cfg (from rev 183626, haproxy/repos/community-testing-i686/haproxy.cfg)
===================================================================
--- community-i686/haproxy.cfg (rev 0)
+++ community-i686/haproxy.cfg 2016-07-20 14:10:18 UTC (rev 183627)
@@ -0,0 +1,49 @@
+#---------------------------------------------------------------------
+# Example configuration. See the full configuration manual online.
+#
+# http://www.haproxy.org/download/1.6/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+global
+ maxconn 20000
+ log 127.0.0.1 local0
+ user haproxy
+ chroot /usr/share/haproxy
+ pidfile /run/haproxy.pid
+ daemon
+
+frontend main
+ bind :5000
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http_proxy
+ option forwardfor except 127.0.0.0/8
+ maxconn 8000
+ timeout client 30s
+
+ acl url_static path_beg -i /static /images /javascript /stylesheets
+ acl url_static path_end -i .jpg .gif .png .css .js
+
+ use_backend static if url_static
+ default_backend app
+
+backend static
+ mode http
+ balance roundrobin
+ timeout connect 5s
+ timeout server 5s
+ server static 127.0.0.1:4331 check
+
+backend app
+ mode http
+ balance roundrobin
+ timeout connect 5s
+ timeout server 30s
+ timeout queue 30s
+ server app1 127.0.0.1:5001 check
+ server app2 127.0.0.1:5002 check
+ server app3 127.0.0.1:5003 check
+ server app4 127.0.0.1:5004 check
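Review bot: the packaged example enables option http_proxy in frontend main while bind :5000 listens on every address, so a fresh install that starts the service unmodified exposes proxy-mode handling to the network. Both backends declare explicit server lines, so option http_proxy is not needed here; drop it, and consider bind 127.0.0.1:5000 as the shipped default. Separately, chroot /usr/share/haproxy points at the directory the PKGBUILD fills with docs and examples (DOCDIR="$pkgdir"/usr/share/$pkgname); an empty directory is the usual choice for a chroot.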
Deleted: community-i686/haproxy.install
===================================================================
--- community-i686/haproxy.install 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-i686/haproxy.install 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,4 +0,0 @@
-post_install() {
- getent passwd haproxy >/dev/null || useradd -r -M -d / \
- -s /usr/bin/nologin haproxy >/dev/null
-}
Copied: haproxy/repos/community-i686/haproxy.install (from rev 183626, haproxy/repos/community-testing-i686/haproxy.install)
===================================================================
--- community-i686/haproxy.install (rev 0)
+++ community-i686/haproxy.install 2016-07-20 14:10:18 UTC (rev 183627)
@@ -0,0 +1,4 @@
+post_install() {
+ getent passwd haproxy >/dev/null || useradd -r -M -d / \
+ -s /usr/bin/nologin haproxy >/dev/null
+}
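Review bot: only post_install() is defined, so the haproxy account is created on a fresh install but never on an upgrade. A system that first installed a release without this script would upgrade to a haproxy.cfg containing user haproxy with no such account present. Adding a post_upgrade() that calls post_install covers that case, and the getent guard already makes it safe to run repeatedly.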
Deleted: community-x86_64/CVE-2016-5360-reqdeny.patch
===================================================================
--- community-x86_64/CVE-2016-5360-reqdeny.patch 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-x86_64/CVE-2016-5360-reqdeny.patch 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,117 +0,0 @@
-From: Willy Tarreau <w at 1wt.eu>
-Date: Wed, 25 May 2016 14:23:59 +0000 (+0200)
-Subject: BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
-X-Git-Url: http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff_plain;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b;hp=0c60f3790d6f177f123d4ae63d5f17868c789d12
-
-BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
-
-Commit 108b1dd ("MEDIUM: http: configurable http result codes for
-http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
-a new field "rule_deny_status" into struct http_txn, which is filled only
-by actions "http-request deny" and "http-request tarpit". It's then used
-in the deny code path to emit the proper error message, but is used
-uninitialized when the deny comes from a "reqdeny" rule, causing random
-behaviours ranging from returning a 200, an empty response, or crashing
-the process. Often upon startup only 200 was returned but after the fields
-are used the crash happens. This can be sped up using -dM.
-
-There's no need at all for storing this status in the http_txn struct
-anyway since it's used immediately after being set. Let's store it in
-a temporary variable instead which is passed as an argument to function
-http_req_get_intercept_rule().
-
-As an extra benefit, removing it from struct http_txn reduced the size
-of this struct by 8 bytes.
-
-This fix must be backported to 1.6 where the bug was detected. Special
-thanks to Falco Schmutz for his detailed report including an exploitable
-core and a reproducer.
-(cherry picked from commit 58727ec088e55f739b146cff3baa955f8d1b2a3e)
----
-
-diff --git a/include/types/proto_http.h b/include/types/proto_http.h
-index e5e9667..c3a73ef 100644
---- a/include/types/proto_http.h
-+++ b/include/types/proto_http.h
-@@ -362,7 +362,6 @@ struct http_txn {
- unsigned int flags; /* transaction flags */
- enum http_meth_t meth; /* HTTP method */
- /* 1 unused byte here */
-- short rule_deny_status; /* HTTP status from rule when denying */
- short status; /* HTTP status from the server, negative if from proxy */
-
- char *uri; /* first line if log needed, NULL otherwise */
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 59cd5d2..6eac62b 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
- * further processing of the request (auth, deny, ...), and defaults to
- * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
- * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
-- * on txn->flags if it encounters a tarpit rule.
-+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
-+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
-+ * status.
- */
- enum rule_result
--http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
-+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
- {
- struct session *sess = strm_sess(s);
- struct http_txn *txn = s->txn;
-@@ -3539,12 +3541,14 @@ resume_execution:
- return HTTP_RULE_RES_STOP;
-
- case ACT_ACTION_DENY:
-- txn->rule_deny_status = rule->deny_status;
-+ if (deny_status)
-+ *deny_status = rule->deny_status;
- return HTTP_RULE_RES_DENY;
-
- case ACT_HTTP_REQ_TARPIT:
- txn->flags |= TX_CLTARPIT;
-- txn->rule_deny_status = rule->deny_status;
-+ if (deny_status)
-+ *deny_status = rule->deny_status;
- return HTTP_RULE_RES_DENY;
-
- case ACT_HTTP_REQ_AUTH:
-@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
- struct redirect_rule *rule;
- struct cond_wordlist *wl;
- enum rule_result verdict;
-+ int deny_status = HTTP_ERR_403;
-
- if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
- /* we need more data */
-@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
-
- /* evaluate http-request rules */
- if (!LIST_ISEMPTY(&px->http_req_rules)) {
-- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
-+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
-
- switch (verdict) {
- case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
-@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
-
- /* parse the whole stats request and extract the relevant information */
- http_handle_stats(s, req);
-- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
-+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
- /* not all actions implemented: deny, allow, auth */
-
- if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
-@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
- manage_client_side_cookies(s, req);
-
- txn->flags |= TX_CLDENY;
-- txn->status = http_err_codes[txn->rule_deny_status];
-+ txn->status = http_err_codes[deny_status];
- s->logs.tv_request = now;
-- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
-+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
- stream_inc_http_err_ctr(s);
- sess->fe->fe_counters.denied_req++;
- if (sess->fe != s->be)
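Review bot: the commit message inside this patch describes a deny from a "reqdeny" rule returning a 200, an empty response or a crash, and nothing in this move records that the path was exercised on the 1.6.7 build that replaces the patched one. A quick regression check is to start the packaged binary with a config containing one reqdeny rule and confirm a matching request receives the 403 that int deny_status = HTTP_ERR_403 sets as the default; the message notes that -dM makes the fault appear sooner on an unfixed build.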
Deleted: community-x86_64/PKGBUILD
===================================================================
--- community-x86_64/PKGBUILD 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-x86_64/PKGBUILD 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,70 +0,0 @@
-# $Id$
-# Maintainer: Johannes Löthberg <johannes at kyriasis.com>
-# Contributor: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
-
-pkgname=haproxy
-pkgver=1.6.6
-pkgrel=1
-
-pkgdesc='Reliable, high performance TCP/HTTP load balancer'
-url='http://haproxy.org/'
-arch=('i686' 'x86_64')
-license=('GPL')
-
-depends=('openssl' 'pcre' 'zlib' 'lua')
-
-backup=('etc/haproxy/haproxy.cfg')
-
-install=haproxy.install
-
-source=(http://haproxy.org/download/${pkgver%.*}/src/haproxy-$pkgver.tar.gz
- haproxy.cfg)
-
-md5sums=('b418d83cf4f2da328f6eb8c255b8716b'
- '02241a8ca257d12f7eb131e2d7da3f3b')
-
-prepare() {
- cd haproxy-$pkgver
- sed -i 's:/usr/sbin/haproxy:/usr/bin/haproxy:' src/haproxy-systemd-wrapper.c
-}
-
-build() {
- cd haproxy-$pkgver
-
- make CPU=generic TARGET=linux2628 \
- USE_GETADDRINFO=1 \
- USE_OPENSSL=1 \
- USE_PCRE=1 USE_PCRE_JIT=1 \
- USE_ZLIB=1 \
- USE_LUA=1
-
- for contrib in halog iprange systemd; do
- make -C contrib/$contrib SBINDIR=/usr/bin
- done
-}
-
-package() {
- cd haproxy-$pkgver
- make \
- EXTRA=haproxy-systemd-wrapper \
- PREFIX="$pkgdir"/usr \
- SBINDIR="$pkgdir"/usr/bin \
- DOCDIR="$pkgdir"/usr/share/$pkgname \
- install
-
- for contrib in halog iprange; do
- install -Dm755 contrib/$contrib/$contrib "$pkgdir"/usr/bin/$contrib
- done
-
- install -Dm644 ../haproxy.cfg "$pkgdir"/etc/haproxy/haproxy.cfg
- install -Dm644 contrib/systemd/haproxy.service \
- "$pkgdir"/usr/lib/systemd/system/haproxy.service
-
- install -d "$pkgdir"/usr/share/haproxy/examples/errorfiles
- install -m644 examples/*.cfg "$pkgdir"/usr/share/haproxy/examples/
- install -m644 examples/errorfiles/*.http \
- "$pkgdir"/usr/share/haproxy/examples/errorfiles/
-
- install -Dm644 examples/haproxy.vim \
- "$pkgdir"/usr/share/vim/vimfiles/syntax/haproxy.vim
-}
Copied: haproxy/repos/community-x86_64/PKGBUILD (from rev 183626, haproxy/repos/community-testing-x86_64/PKGBUILD)
===================================================================
--- community-x86_64/PKGBUILD (rev 0)
+++ community-x86_64/PKGBUILD 2016-07-20 14:10:18 UTC (rev 183627)
@@ -0,0 +1,70 @@
+# $Id$
+# Maintainer: Johannes Löthberg <johannes at kyriasis.com>
+# Contributor: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+
+pkgname=haproxy
+pkgver=1.6.7
+pkgrel=1
+
+pkgdesc='Reliable, high performance TCP/HTTP load balancer'
+url='http://haproxy.org/'
+arch=('i686' 'x86_64')
+license=('GPL')
+
+depends=('openssl' 'pcre' 'zlib' 'lua')
+
+backup=('etc/haproxy/haproxy.cfg')
+
+install=haproxy.install
+
+source=(http://haproxy.org/download/${pkgver%.*}/src/haproxy-$pkgver.tar.gz
+ haproxy.cfg)
+
+md5sums=('a046ed63b00347bd367b983529dd541f'
+ '02241a8ca257d12f7eb131e2d7da3f3b')
+
+prepare() {
+ cd haproxy-$pkgver
+ sed -i 's:/usr/sbin/haproxy:/usr/bin/haproxy:' src/haproxy-systemd-wrapper.c
+}
+
+build() {
+ cd haproxy-$pkgver
+
+ make CPU=generic TARGET=linux2628 \
+ USE_GETADDRINFO=1 \
+ USE_OPENSSL=1 \
+ USE_PCRE=1 USE_PCRE_JIT=1 \
+ USE_ZLIB=1 \
+ USE_LUA=1
+
+ for contrib in halog iprange systemd; do
+ make -C contrib/$contrib SBINDIR=/usr/bin
+ done
+}
+
+package() {
+ cd haproxy-$pkgver
+ make \
+ EXTRA=haproxy-systemd-wrapper \
+ PREFIX="$pkgdir"/usr \
+ SBINDIR="$pkgdir"/usr/bin \
+ DOCDIR="$pkgdir"/usr/share/$pkgname \
+ install
+
+ for contrib in halog iprange; do
+ install -Dm755 contrib/$contrib/$contrib "$pkgdir"/usr/bin/$contrib
+ done
+
+ install -Dm644 ../haproxy.cfg "$pkgdir"/etc/haproxy/haproxy.cfg
+ install -Dm644 contrib/systemd/haproxy.service \
+ "$pkgdir"/usr/lib/systemd/system/haproxy.service
+
+ install -d "$pkgdir"/usr/share/haproxy/examples/errorfiles
+ install -m644 examples/*.cfg "$pkgdir"/usr/share/haproxy/examples/
+ install -m644 examples/errorfiles/*.http \
+ "$pkgdir"/usr/share/haproxy/examples/errorfiles/
+
+ install -Dm644 examples/haproxy.vim \
+ "$pkgdir"/usr/share/vim/vimfiles/syntax/haproxy.vim
+}
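Review bot: prepare() rewrites the wrapper path with sed -i 's:/usr/sbin/haproxy:/usr/bin/haproxy:' src/haproxy-systemd-wrapper.c, which exits 0 even when the pattern no longer matches, so an upstream change to that string would ship a wrapper still pointing at /usr/sbin/haproxy without any build failure. Follow the sed with grep -q /usr/bin/haproxy on the same file so prepare() fails when the substitution did not apply.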
Deleted: community-x86_64/gcc6-fix.patch
===================================================================
--- community-x86_64/gcc6-fix.patch 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-x86_64/gcc6-fix.patch 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,107 +0,0 @@
-diff --git a/include/proto/proto_http.h b/include/proto/proto_http.h
-index 4d8f5365b625..0aa6643b98da 100644
---- a/include/proto/proto_http.h
-+++ b/include/proto/proto_http.h
-@@ -110,7 +110,7 @@ void http_set_status(unsigned int status, struct stream *s);
- int http_transform_header_str(struct stream* s, struct http_msg *msg, const char* name,
- unsigned int name_len, const char *str, struct my_regex *re,
- int action);
--void inet_set_tos(int fd, struct sockaddr_storage from, int tos);
-+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos);
- void http_perform_server_redirect(struct stream *s, struct stream_interface *si);
- void http_return_srv_error(struct stream *s, struct stream_interface *si);
- void http_capture_bad_message(struct error_snapshot *es, struct stream *s,
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 3fee54e0db1d..48e584cf73e7 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -287,7 +287,7 @@ int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf,
- }
-
- /* OK the address looks correct */
-- ss = *ss2;
-+ memcpy(&ss, ss2, sizeof(ss));
-
- for (; port <= end; port++) {
- l = calloc(1, sizeof(*l));
-diff --git a/src/connection.c b/src/connection.c
-index 330f3efbc995..5515188c6b10 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -744,7 +744,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- const char pp2_signature[] = PP2_SIGNATURE;
- int ret = 0;
- struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf;
-- struct sockaddr_storage null_addr = {0};
-+ struct sockaddr_storage null_addr = { .ss_family = 0 };
- struct sockaddr_storage *src = &null_addr;
- struct sockaddr_storage *dst = &null_addr;
-
-diff --git a/src/hlua.c b/src/hlua.c
-index f6eb8aa80ee0..94f97429c895 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -4781,7 +4781,7 @@ __LJMP static int hlua_txn_set_tos(lua_State *L)
- tos = MAY_LJMP(luaL_checkinteger(L, 2));
-
- if ((cli_conn = objt_conn(htxn->s->sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, tos);
-
- return 0;
- }
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 21ad131c9f43..416504247a8d 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3189,15 +3189,15 @@ int http_handle_stats(struct stream *s, struct channel *req)
- /* Sets the TOS header in IPv4 and the traffic class header in IPv6 packets
- * (as per RFC3260 #4 and BCP37 #4.2 and #5.2).
- */
--void inet_set_tos(int fd, struct sockaddr_storage from, int tos)
-+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos)
- {
- #ifdef IP_TOS
-- if (from.ss_family == AF_INET)
-+ if (from->ss_family == AF_INET)
- setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
- #endif
- #ifdef IPV6_TCLASS
-- if (from.ss_family == AF_INET6) {
-- if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&from)->sin6_addr))
-+ if (from->ss_family == AF_INET6) {
-+ if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)from)->sin6_addr))
- /* v4-mapped addresses need IP_TOS */
- setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
- else
-@@ -3363,7 +3363,7 @@ resume_execution:
-
- case ACT_HTTP_SET_TOS:
- if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
- break;
-
- case ACT_HTTP_SET_MARK:
-@@ -3646,7 +3646,7 @@ resume_execution:
-
- case ACT_HTTP_SET_TOS:
- if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
- break;
-
- case ACT_HTTP_SET_MARK:
-diff --git a/src/proto_tcp.c b/src/proto_tcp.c
-index a44912af4654..bbe12e2d4c0d 100644
---- a/src/proto_tcp.c
-+++ b/src/proto_tcp.c
-@@ -435,7 +435,7 @@ int tcp_connect_server(struct connection *conn, int data, int delack)
- struct sockaddr_storage sa;
-
- ret = 1;
-- sa = src->source_addr;
-+ memcpy(&sa, &src->source_addr, sizeof(sa));
-
- do {
- /* note: in case of retry, we may have to release a previously
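Review bot: gcc6-fix.patch is removed in full with no statement of where its changes now live, so the build only stays correct if the packaged upstream source already contains them: inet_set_tos() taking a const struct sockaddr_storage * at all three call sites, and memcpy() replacing the struct assignments in str2listener() and tcp_connect_server(). The commit log should name the upstream release that carries these changes. Also confirm that the new PKGBUILD no longer lists gcc6-fix.patch in its source array or applies it in prepare().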
Deleted: community-x86_64/haproxy.cfg
===================================================================
--- community-x86_64/haproxy.cfg 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-x86_64/haproxy.cfg 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,49 +0,0 @@
-#---------------------------------------------------------------------
-# Example configuration. See the full configuration manual online.
-#
-# http://www.haproxy.org/download/1.6/doc/configuration.txt
-#
-#---------------------------------------------------------------------
-
-global
- maxconn 20000
- log 127.0.0.1 local0
- user haproxy
- chroot /usr/share/haproxy
- pidfile /run/haproxy.pid
- daemon
-
-frontend main
- bind :5000
- mode http
- log global
- option httplog
- option dontlognull
- option http_proxy
- option forwardfor except 127.0.0.0/8
- maxconn 8000
- timeout client 30s
-
- acl url_static path_beg -i /static /images /javascript /stylesheets
- acl url_static path_end -i .jpg .gif .png .css .js
-
- use_backend static if url_static
- default_backend app
-
-backend static
- mode http
- balance roundrobin
- timeout connect 5s
- timeout server 5s
- server static 127.0.0.1:4331 check
-
-backend app
- mode http
- balance roundrobin
- timeout connect 5s
- timeout server 30s
- timeout queue 30s
- server app1 127.0.0.1:5001 check
- server app2 127.0.0.1:5002 check
- server app3 127.0.0.1:5003 check
- server app4 127.0.0.1:5004 check
Copied: haproxy/repos/community-x86_64/haproxy.cfg (from rev 183626, haproxy/repos/community-testing-x86_64/haproxy.cfg)
===================================================================
--- community-x86_64/haproxy.cfg (rev 0)
+++ community-x86_64/haproxy.cfg 2016-07-20 14:10:18 UTC (rev 183627)
@@ -0,0 +1,49 @@
+#---------------------------------------------------------------------
+# Example configuration. See the full configuration manual online.
+#
+# http://www.haproxy.org/download/1.6/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+global
+ maxconn 20000
+ log 127.0.0.1 local0
+ user haproxy
+ chroot /usr/share/haproxy
+ pidfile /run/haproxy.pid
+ daemon
+
+frontend main
+ bind :5000
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http_proxy
+ option forwardfor except 127.0.0.0/8
+ maxconn 8000
+ timeout client 30s
+
+ acl url_static path_beg -i /static /images /javascript /stylesheets
+ acl url_static path_end -i .jpg .gif .png .css .js
+
+ use_backend static if url_static
+ default_backend app
+
+backend static
+ mode http
+ balance roundrobin
+ timeout connect 5s
+ timeout server 5s
+ server static 127.0.0.1:4331 check
+
+backend app
+ mode http
+ balance roundrobin
+ timeout connect 5s
+ timeout server 30s
+ timeout queue 30s
+ server app1 127.0.0.1:5001 check
+ server app2 127.0.0.1:5002 check
+ server app3 127.0.0.1:5003 check
+ server app4 127.0.0.1:5004 check
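Review bot: in frontend main, "option http_proxy" turns on haproxy's plain HTTP proxy mode on a listener that "bind :5000" opens on every address, yet this frontend only routes to the declared static and app backends and does not need it. Suggest dropping that line from the shipped example, and binding to 127.0.0.1:5000 so a default install does not expose the sample listener. The global section also sets "user haproxy" with no matching "group" line, so the group is left implicit. An explicit "group haproxy" next to the chroot would make the privilege drop explicit.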
Deleted: community-x86_64/haproxy.install
===================================================================
--- community-x86_64/haproxy.install 2016-07-20 13:57:12 UTC (rev 183626)
+++ community-x86_64/haproxy.install 2016-07-20 14:10:18 UTC (rev 183627)
@@ -1,4 +0,0 @@
-post_install() {
- getent passwd haproxy >/dev/null || useradd -r -M -d / \
- -s /usr/bin/nologin haproxy >/dev/null
-}
Copied: haproxy/repos/community-x86_64/haproxy.install (from rev 183626, haproxy/repos/community-testing-x86_64/haproxy.install)
===================================================================
--- community-x86_64/haproxy.install (rev 0)
+++ community-x86_64/haproxy.install 2016-07-20 14:10:18 UTC (rev 183627)
@@ -0,0 +1,4 @@
+post_install() {
+ getent passwd haproxy >/dev/null || useradd -r -M -d / \
+ -s /usr/bin/nologin haproxy >/dev/null
+}
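Review bot: the haproxy account is created only in post_install(), and there is no post_upgrade() hook, so a system upgrading from a package build that predates this script would end up with a haproxy.cfg that says "user haproxy" and no such account. Suggest adding a post_upgrade() that calls post_install(). The "-d /" home directory also deserves a second look, since the config already chroots to /usr/share/haproxy.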