author | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 14:20:01 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 14:38:48 +0100 |
commit | 45e394536a3bf2a562ad861feeca530477d4dfd0 (patch) | |
tree | 4b74a6ac3b428c0ee071767eca5e3ca9df1f4130 | |
parent | 8c593acdd5ae3aa50db4851fe92f8b3eea5fd0e9 (diff) | |
main/haproxy: security upgrade to 1.8.23 (CVE-2019-19330)
fixes #11003
-rw-r--r-- | main/haproxy/APKBUILD | 10 | ||||
-rw-r--r-- | main/haproxy/libressl-2.7.patch | 42 |
2 files changed, 37 insertions, 15 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD index eccfed17e3..e1b6eaf91d 100644 --- a/main/haproxy/APKBUILD +++ b/main/haproxy/APKBUILD | |||
@@ -1,7 +1,7 @@ | |||
1 | # Contributor: Jeff Bilyk <jbilyk@gmail.com> | 1 | # Contributor: Jeff Bilyk <jbilyk@gmail.com> |
2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
3 | pkgname=haproxy | 3 | pkgname=haproxy |
4 | pkgver=1.8.5 | 4 | pkgver=1.8.23 |
5 | _pkgmajorver=${pkgver%.*} | 5 | _pkgmajorver=${pkgver%.*} |
6 | pkgrel=0 | 6 | pkgrel=0 |
7 | pkgdesc="A TCP/HTTP reverse proxy for high availability environments" | 7 | pkgdesc="A TCP/HTTP reverse proxy for high availability environments" |
@@ -21,6 +21,10 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar. | |||
21 | 21 | ||
22 | builddir="$srcdir/$pkgname-$pkgver" | 22 | builddir="$srcdir/$pkgname-$pkgver" |
23 | 23 | ||
24 | # secfixes: | ||
25 | # 1.8.23: | ||
26 | # - CVE-2019-19330 | ||
27 | |||
24 | build() { | 28 | build() { |
25 | cd "$builddir" | 29 | cd "$builddir" |
26 | make \ | 30 | make \ |
@@ -49,7 +53,7 @@ package() { | |||
49 | "$pkgdir"/etc/haproxy/haproxy.cfg | 53 | "$pkgdir"/etc/haproxy/haproxy.cfg |
50 | } | 54 | } |
51 | 55 | ||
52 | sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2 haproxy-1.8.5.tar.gz | 56 | sha512sums="bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f haproxy-1.8.23.tar.gz |
53 | 636bb2b18ad1de7f9cf97f69c8a911aae6575787eac999d1c419bf22989a3a36a7de14d21620a9919ae717be807518c9db0e20c46ca5788a3f9a5857ceb0bfee libressl-2.7.patch | 57 | 06908ddc3c689f4887bd3ae89bed49c17b5ead7938ce4c8b31128067be9a1a98afbfeacf2f1f9ba784d0ce12ac2042de6123435d03dcdfa911924a89792a9e9c libressl-2.7.patch |
54 | 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd | 58 | 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd |
55 | 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg" | 59 | 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg" |
diff --git a/main/haproxy/libressl-2.7.patch b/main/haproxy/libressl-2.7.patch index 8a3dc82507..0ec569a7ff 100644 --- a/main/haproxy/libressl-2.7.patch +++ b/main/haproxy/libressl-2.7.patch | |||
@@ -21,7 +21,7 @@ index b6fe1d2..551cae2 100644 | |||
21 | * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL | 21 | * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL |
22 | */ | 22 | */ |
23 | diff --git a/src/ssl_sock.c b/src/ssl_sock.c | 23 | diff --git a/src/ssl_sock.c b/src/ssl_sock.c |
24 | index c2b5bf6..ebde76d 100644 | 24 | index e53133d..c663500 100644 |
25 | --- a/src/ssl_sock.c | 25 | --- a/src/ssl_sock.c |
26 | +++ b/src/ssl_sock.c | 26 | +++ b/src/ssl_sock.c |
27 | @@ -56,6 +56,14 @@ | 27 | @@ -56,6 +56,14 @@ |
@@ -39,7 +39,7 @@ index c2b5bf6..ebde76d 100644 | |||
39 | #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) | 39 | #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) |
40 | #include <openssl/async.h> | 40 | #include <openssl/async.h> |
41 | #endif | 41 | #endif |
42 | @@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) | 42 | @@ -2093,7 +2101,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) |
43 | SSL_set_SSL_CTX(ssl, ctx); | 43 | SSL_set_SSL_CTX(ssl, ctx); |
44 | } | 44 | } |
45 | 45 | ||
@@ -48,16 +48,16 @@ index c2b5bf6..ebde76d 100644 | |||
48 | 48 | ||
49 | static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) | 49 | static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) |
50 | { | 50 | { |
51 | @@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) | 51 | @@ -3932,7 +3940,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) |
52 | #ifdef OPENSSL_IS_BORINGSSL | 52 | #ifdef OPENSSL_IS_BORINGSSL |
53 | SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); | 53 | SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); |
54 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); | 54 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); |
55 | -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) | 55 | -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) |
56 | +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) | 56 | +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) |
57 | SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); | 57 | if (bind_conf->ssl_conf.early_data) { |
58 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); | 58 | SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); |
59 | #else | 59 | SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); |
60 | @@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) | 60 | @@ -5223,7 +5231,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) |
61 | if (!conn->xprt_ctx) | 61 | if (!conn->xprt_ctx) |
62 | goto out_error; | 62 | goto out_error; |
63 | 63 | ||
@@ -66,7 +66,25 @@ index c2b5bf6..ebde76d 100644 | |||
66 | /* | 66 | /* |
67 | * Check if we have early data. If we do, we have to read them | 67 | * Check if we have early data. If we do, we have to read them |
68 | * before SSL_do_handshake() is called, And there's no way to | 68 | * before SSL_do_handshake() is called, And there's no way to |
69 | @@ -5252,7 +5260,7 @@ check_error: | 69 | @@ -5299,7 +5307,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) |
70 | OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); | ||
71 | empty_handshake = state == TLS_ST_BEFORE; | ||
72 | #else | ||
73 | - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; | ||
74 | + empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; | ||
75 | #endif | ||
76 | if (empty_handshake) { | ||
77 | if (!errno) { | ||
78 | @@ -5383,7 +5391,7 @@ check_error: | ||
79 | OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); | ||
80 | empty_handshake = state == TLS_ST_BEFORE; | ||
81 | #else | ||
82 | - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; | ||
83 | + empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; | ||
84 | #endif | ||
85 | if (empty_handshake) { | ||
86 | if (!errno) { | ||
87 | @@ -5423,7 +5431,7 @@ check_error: | ||
70 | goto out_error; | 88 | goto out_error; |
71 | } | 89 | } |
72 | } | 90 | } |
@@ -75,7 +93,7 @@ index c2b5bf6..ebde76d 100644 | |||
75 | else { | 93 | else { |
76 | /* | 94 | /* |
77 | * If the server refused the early data, we have to send a | 95 | * If the server refused the early data, we have to send a |
78 | @@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun | 96 | @@ -5542,7 +5550,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun |
79 | continue; | 97 | continue; |
80 | } | 98 | } |
81 | 99 | ||
@@ -84,7 +102,7 @@ index c2b5bf6..ebde76d 100644 | |||
84 | if (conn->flags & CO_FL_EARLY_SSL_HS) { | 102 | if (conn->flags & CO_FL_EARLY_SSL_HS) { |
85 | size_t read_length; | 103 | size_t read_length; |
86 | 104 | ||
87 | @@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl | 105 | @@ -5670,7 +5678,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl |
88 | * in which case we accept to do it once again. | 106 | * in which case we accept to do it once again. |
89 | */ | 107 | */ |
90 | while (buf->o) { | 108 | while (buf->o) { |
@@ -93,12 +111,12 @@ index c2b5bf6..ebde76d 100644 | |||
93 | size_t written_data; | 111 | size_t written_data; |
94 | #endif | 112 | #endif |
95 | 113 | ||
96 | @@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl | 114 | @@ -5689,7 +5697,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl |
97 | conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; | 115 | conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; |
98 | } | 116 | } |
99 | 117 | ||
100 | -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) | 118 | -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) |
101 | +#if HAVE_SSL_EARLY_DATA | 119 | +#if HAVE_SSL_EARLY_DATA |
102 | if (!SSL_is_init_finished(conn->xprt_ctx)) { | 120 | if (!SSL_is_init_finished(conn->xprt_ctx) && conn_is_back(conn)) { |
103 | unsigned int max_early; | 121 | unsigned int max_early; |
104 | 122 | ||
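Review bot: The two new hunks the refreshed patch adds (new-side lines 70-87, the `empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;` replacements for the `->packet_length` field accesses) carry no explanation anywhere in the patch; the only descriptive text visible is the old header comment "Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL" at patch line 21, which does not cover them. Presumably the field access no longer compiles against the LibreSSL build this package targets, but that is an inference, and the next rebase of this patch will have to rediscover it. Add a line to the patch preamble (outside the visible hunks, before line 21) along the lines of `Also avoid reading the SSL struct's packet_length directly; use SSL_state() == SSL_ST_BEFORE to detect an empty handshake` stating the actual reason, and consider noting the haproxy version the patch was last regenerated against, since the file name still says libressl-2.7 while the hunk headers now refer to 1.8.23 line numbers. The hunks at new-side lines 57-59 and 120 are upstream context, not part of this change.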