aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2020-01-23 14:20:01 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2020-01-23 14:38:48 +0100
commit45e394536a3bf2a562ad861feeca530477d4dfd0 (patch)
tree4b74a6ac3b428c0ee071767eca5e3ca9df1f4130
parent8c593acdd5ae3aa50db4851fe92f8b3eea5fd0e9 (diff)
downloadaports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.gz
aports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.bz2
aports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.xz
main/haproxy: security upgrade to 1.8.23 (CVE-2019-19330)
fixes #11003
-rw-r--r--main/haproxy/APKBUILD10
-rw-r--r--main/haproxy/libressl-2.7.patch42
2 files changed, 37 insertions, 15 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index eccfed17e3..e1b6eaf91d 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Jeff Bilyk <jbilyk@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=haproxy
-pkgver=1.8.5
+pkgver=1.8.23
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -21,6 +21,10 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 1.8.23:
+# - CVE-2019-19330
+
build() {
cd "$builddir"
make \
@@ -49,7 +53,7 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
-sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2 haproxy-1.8.5.tar.gz
-636bb2b18ad1de7f9cf97f69c8a911aae6575787eac999d1c419bf22989a3a36a7de14d21620a9919ae717be807518c9db0e20c46ca5788a3f9a5857ceb0bfee libressl-2.7.patch
+sha512sums="bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f haproxy-1.8.23.tar.gz
+06908ddc3c689f4887bd3ae89bed49c17b5ead7938ce4c8b31128067be9a1a98afbfeacf2f1f9ba784d0ce12ac2042de6123435d03dcdfa911924a89792a9e9c libressl-2.7.patch
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
diff --git a/main/haproxy/libressl-2.7.patch b/main/haproxy/libressl-2.7.patch
index 8a3dc82507..0ec569a7ff 100644
--- a/main/haproxy/libressl-2.7.patch
+++ b/main/haproxy/libressl-2.7.patch
@@ -21,7 +21,7 @@ index b6fe1d2..551cae2 100644
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
*/
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index c2b5bf6..ebde76d 100644
+index e53133d..c663500 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -56,6 +56,14 @@
@@ -39,7 +39,7 @@ index c2b5bf6..ebde76d 100644
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
#include <openssl/async.h>
#endif
-@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
+@@ -2093,7 +2101,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
SSL_set_SSL_CTX(ssl, ctx);
}
@@ -48,16 +48,16 @@ index c2b5bf6..ebde76d 100644
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
{
-@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
+@@ -3932,7 +3940,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
#ifdef OPENSSL_IS_BORINGSSL
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
- SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
- #else
-@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
+ if (bind_conf->ssl_conf.early_data) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
+ SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
+@@ -5223,7 +5231,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
if (!conn->xprt_ctx)
goto out_error;
@@ -66,7 +66,25 @@ index c2b5bf6..ebde76d 100644
/*
* Check if we have early data. If we do, we have to read them
* before SSL_do_handshake() is called, And there's no way to
-@@ -5252,7 +5260,7 @@ check_error:
+@@ -5299,7 +5307,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
+ OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
+ empty_handshake = state == TLS_ST_BEFORE;
+ #else
+- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
++ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
+ #endif
+ if (empty_handshake) {
+ if (!errno) {
+@@ -5383,7 +5391,7 @@ check_error:
+ OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
+ empty_handshake = state == TLS_ST_BEFORE;
+ #else
+- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
++ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
+ #endif
+ if (empty_handshake) {
+ if (!errno) {
+@@ -5423,7 +5431,7 @@ check_error:
goto out_error;
}
}
@@ -75,7 +93,7 @@ index c2b5bf6..ebde76d 100644
else {
/*
* If the server refused the early data, we have to send a
-@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
+@@ -5542,7 +5550,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
continue;
}
@@ -84,7 +102,7 @@ index c2b5bf6..ebde76d 100644
if (conn->flags & CO_FL_EARLY_SSL_HS) {
size_t read_length;
-@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
+@@ -5670,7 +5678,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
* in which case we accept to do it once again.
*/
while (buf->o) {
@@ -93,12 +111,12 @@ index c2b5bf6..ebde76d 100644
size_t written_data;
#endif
-@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
+@@ -5689,7 +5697,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
}
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_EARLY_DATA
- if (!SSL_is_init_finished(conn->xprt_ctx)) {
+ if (!SSL_is_init_finished(conn->xprt_ctx) && conn_is_back(conn)) {
unsigned int max_early;