diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 14:20:01 +0100 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 14:38:48 +0100 |
| commit | 45e394536a3bf2a562ad861feeca530477d4dfd0 (patch) | |
| tree | 4b74a6ac3b428c0ee071767eca5e3ca9df1f4130 | |
| parent | 8c593acdd5ae3aa50db4851fe92f8b3eea5fd0e9 (diff) | |
| download | alpine_aports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.bz2 alpine_aports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.xz alpine_aports-45e394536a3bf2a562ad861feeca530477d4dfd0.zip | |
main/haproxy: security upgrade to 1.8.23 (CVE-2019-19330)
fixes #11003
| -rw-r--r-- | main/haproxy/APKBUILD | 10 | ||||
| -rw-r--r-- | main/haproxy/libressl-2.7.patch | 42 |
2 files changed, 37 insertions, 15 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD index eccfed17e3..e1b6eaf91d 100644 --- a/main/haproxy/APKBUILD +++ b/main/haproxy/APKBUILD | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | # Contributor: Jeff Bilyk <jbilyk@gmail.com> | 1 | # Contributor: Jeff Bilyk <jbilyk@gmail.com> |
| 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
| 3 | pkgname=haproxy | 3 | pkgname=haproxy |
| 4 | pkgver=1.8.5 | 4 | pkgver=1.8.23 |
| 5 | _pkgmajorver=${pkgver%.*} | 5 | _pkgmajorver=${pkgver%.*} |
| 6 | pkgrel=0 | 6 | pkgrel=0 |
| 7 | pkgdesc="A TCP/HTTP reverse proxy for high availability environments" | 7 | pkgdesc="A TCP/HTTP reverse proxy for high availability environments" |
| @@ -21,6 +21,10 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar. | |||
| 21 | 21 | ||
| 22 | builddir="$srcdir/$pkgname-$pkgver" | 22 | builddir="$srcdir/$pkgname-$pkgver" |
| 23 | 23 | ||
| 24 | # secfixes: | ||
| 25 | # 1.8.23: | ||
| 26 | # - CVE-2019-19330 | ||
| 27 | |||
| 24 | build() { | 28 | build() { |
| 25 | cd "$builddir" | 29 | cd "$builddir" |
| 26 | make \ | 30 | make \ |
| @@ -49,7 +53,7 @@ package() { | |||
| 49 | "$pkgdir"/etc/haproxy/haproxy.cfg | 53 | "$pkgdir"/etc/haproxy/haproxy.cfg |
| 50 | } | 54 | } |
| 51 | 55 | ||
| 52 | sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2 haproxy-1.8.5.tar.gz | 56 | sha512sums="bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f haproxy-1.8.23.tar.gz |
| 53 | 636bb2b18ad1de7f9cf97f69c8a911aae6575787eac999d1c419bf22989a3a36a7de14d21620a9919ae717be807518c9db0e20c46ca5788a3f9a5857ceb0bfee libressl-2.7.patch | 57 | 06908ddc3c689f4887bd3ae89bed49c17b5ead7938ce4c8b31128067be9a1a98afbfeacf2f1f9ba784d0ce12ac2042de6123435d03dcdfa911924a89792a9e9c libressl-2.7.patch |
| 54 | 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd | 58 | 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd |
| 55 | 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg" | 59 | 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg" |
diff --git a/main/haproxy/libressl-2.7.patch b/main/haproxy/libressl-2.7.patch index 8a3dc82507..0ec569a7ff 100644 --- a/main/haproxy/libressl-2.7.patch +++ b/main/haproxy/libressl-2.7.patch | |||
| @@ -21,7 +21,7 @@ index b6fe1d2..551cae2 100644 | |||
| 21 | * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL | 21 | * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL |
| 22 | */ | 22 | */ |
| 23 | diff --git a/src/ssl_sock.c b/src/ssl_sock.c | 23 | diff --git a/src/ssl_sock.c b/src/ssl_sock.c |
| 24 | index c2b5bf6..ebde76d 100644 | 24 | index e53133d..c663500 100644 |
| 25 | --- a/src/ssl_sock.c | 25 | --- a/src/ssl_sock.c |
| 26 | +++ b/src/ssl_sock.c | 26 | +++ b/src/ssl_sock.c |
| 27 | @@ -56,6 +56,14 @@ | 27 | @@ -56,6 +56,14 @@ |
| @@ -39,7 +39,7 @@ index c2b5bf6..ebde76d 100644 | |||
| 39 | #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) | 39 | #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) |
| 40 | #include <openssl/async.h> | 40 | #include <openssl/async.h> |
| 41 | #endif | 41 | #endif |
| 42 | @@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) | 42 | @@ -2093,7 +2101,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) |
| 43 | SSL_set_SSL_CTX(ssl, ctx); | 43 | SSL_set_SSL_CTX(ssl, ctx); |
| 44 | } | 44 | } |
| 45 | 45 | ||
| @@ -48,16 +48,16 @@ index c2b5bf6..ebde76d 100644 | |||
| 48 | 48 | ||
| 49 | static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) | 49 | static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) |
| 50 | { | 50 | { |
| 51 | @@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) | 51 | @@ -3932,7 +3940,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) |
| 52 | #ifdef OPENSSL_IS_BORINGSSL | 52 | #ifdef OPENSSL_IS_BORINGSSL |
| 53 | SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); | 53 | SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); |
| 54 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); | 54 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); |
| 55 | -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) | 55 | -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) |
| 56 | +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) | 56 | +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) |
| 57 | SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); | 57 | if (bind_conf->ssl_conf.early_data) { |
| 58 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); | 58 | SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); |
| 59 | #else | 59 | SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); |
| 60 | @@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) | 60 | @@ -5223,7 +5231,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) |
| 61 | if (!conn->xprt_ctx) | 61 | if (!conn->xprt_ctx) |
| 62 | goto out_error; | 62 | goto out_error; |
| 63 | 63 | ||
| @@ -66,7 +66,25 @@ index c2b5bf6..ebde76d 100644 | |||
| 66 | /* | 66 | /* |
| 67 | * Check if we have early data. If we do, we have to read them | 67 | * Check if we have early data. If we do, we have to read them |
| 68 | * before SSL_do_handshake() is called, And there's no way to | 68 | * before SSL_do_handshake() is called, And there's no way to |
| 69 | @@ -5252,7 +5260,7 @@ check_error: | 69 | @@ -5299,7 +5307,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) |
| 70 | OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); | ||
| 71 | empty_handshake = state == TLS_ST_BEFORE; | ||
| 72 | #else | ||
| 73 | - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; | ||
| 74 | + empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; | ||
| 75 | #endif | ||
| 76 | if (empty_handshake) { | ||
| 77 | if (!errno) { | ||
| 78 | @@ -5383,7 +5391,7 @@ check_error: | ||
| 79 | OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); | ||
| 80 | empty_handshake = state == TLS_ST_BEFORE; | ||
| 81 | #else | ||
| 82 | - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; | ||
| 83 | + empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; | ||
| 84 | #endif | ||
| 85 | if (empty_handshake) { | ||
| 86 | if (!errno) { | ||
| 87 | @@ -5423,7 +5431,7 @@ check_error: | ||
| 70 | goto out_error; | 88 | goto out_error; |
| 71 | } | 89 | } |
| 72 | } | 90 | } |
| @@ -75,7 +93,7 @@ index c2b5bf6..ebde76d 100644 | |||
| 75 | else { | 93 | else { |
| 76 | /* | 94 | /* |
| 77 | * If the server refused the early data, we have to send a | 95 | * If the server refused the early data, we have to send a |
| 78 | @@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun | 96 | @@ -5542,7 +5550,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun |
| 79 | continue; | 97 | continue; |
| 80 | } | 98 | } |
| 81 | 99 | ||
| @@ -84,7 +102,7 @@ index c2b5bf6..ebde76d 100644 | |||
| 84 | if (conn->flags & CO_FL_EARLY_SSL_HS) { | 102 | if (conn->flags & CO_FL_EARLY_SSL_HS) { |
| 85 | size_t read_length; | 103 | size_t read_length; |
| 86 | 104 | ||
| 87 | @@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl | 105 | @@ -5670,7 +5678,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl |
| 88 | * in which case we accept to do it once again. | 106 | * in which case we accept to do it once again. |
| 89 | */ | 107 | */ |
| 90 | while (buf->o) { | 108 | while (buf->o) { |
| @@ -93,12 +111,12 @@ index c2b5bf6..ebde76d 100644 | |||
| 93 | size_t written_data; | 111 | size_t written_data; |
| 94 | #endif | 112 | #endif |
| 95 | 113 | ||
| 96 | @@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl | 114 | @@ -5689,7 +5697,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl |
| 97 | conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; | 115 | conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; |
| 98 | } | 116 | } |
| 99 | 117 | ||
| 100 | -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) | 118 | -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) |
| 101 | +#if HAVE_SSL_EARLY_DATA | 119 | +#if HAVE_SSL_EARLY_DATA |
| 102 | if (!SSL_is_init_finished(conn->xprt_ctx)) { | 120 | if (!SSL_is_init_finished(conn->xprt_ctx) && conn_is_back(conn)) { |
| 103 | unsigned int max_early; | 121 | unsigned int max_early; |
| 104 | 122 | ||