Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hey!

We would like to propose a stable upload for HAProxy. There is already a security upload (1.5.8-3+deb8u1) which should hit the next stable release. On top of that, we would like to fix an important regression when upgrading from 1.4.

When a proxy is marked as disabled, the config parser will segfault. This was not the case with the same configuration with 1.4. This is bug #792116. Upstream marked the severity to medium because there was a workaround (commenting the proxy instead of disabling it). However, the workaround may be impractical (disabled proxies are kept in the configuration to be able to enable them at runtime) and people may just not know about it.

The fix is quite small. I have appended another fix which is just needed for the patch to apply cleanly. If needed, I can just modify the patch to not need the additional fix.

Debdiff against 1.5.8-3+deb8u1 is attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index 74a07ea3c9ac..5b61f80f2146 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +haproxy (1.5.8-3+deb8u2) jessie; urgency=medium + + * Fix a segfault when parsing a configuration file containing disabled + proxy sections. Closes: #792116. + - BUG/MINOR: config: fix typo in condition when propagating + process binding + - BUG/MEDIUM: config: do not propagate processes between + stopped processes + + -- Vincent Bernat <ber...@debian.org> Tue, 14 Jul 2015 10:32:26 +0200 + haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high * Fix an information leak. CVE-2015-3281. diff --git a/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch b/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch new file mode 100644 index 000000000000..da4c2e1982a4 --- /dev/null +++ b/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch 
@@ -0,0 +1,34 @@ +From ed061c0590109dde6cd77cd963bebc46ba0cd0cc Mon Sep 17 00:00:00 2001 +From: Willy Tarreau <w...@1wt.eu> +Date: Thu, 18 Dec 2014 14:00:43 +0100 +Subject: [PATCH] BUG/MEDIUM: config: do not propagate processes between + stopped processes + +Immo Goltz reported a case of segfault while parsing the config where +we try to propagate processes across stopped frontends (those with a +"disabled" statement). The fix is trivial. The workaround consists in +commenting out these frontends, although not always easy. + +This fix must be backported to 1.5. +(cherry picked from commit f6b70013389cf9378c6a4d55d3d570de4f95c33c) +--- + src/cfgparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/cfgparse.c b/src/cfgparse.c +index f5eed03cce91..2a27d8b0a0f9 100644 +--- a/src/cfgparse.c ++++ b/src/cfgparse.c +@@ -6009,6 +6009,9 @@ void propagate_processes(struct proxy *from, struct proxy *to) + if (!(from->cap & PR_CAP_FE)) + return; + ++ if (from->state == PR_STSTOPPED) ++ return; ++ + /* default_backend */ + if (from->defbe.be) + propagate_processes(from, from->defbe.be); +-- +2.1.4 + diff --git a/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch b/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch new file mode 100644 index 000000000000..3636696d0278 --- /dev/null +++ b/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch 
@@ -0,0 +1,38 @@ +From 8a95d8cd61c8ec61b9e1c9c9e571405878a40624 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau <w...@1wt.eu> +Date: Thu, 18 Dec 2014 13:56:26 +0100 +Subject: [PATCH] BUG/MINOR: config: fix typo in condition when propagating + process binding + +propagate_processes() has a typo in a condition : + + if (!from->cap & PR_CAP_FE) + return; + +The return is never taken because each proxy has at least one capability +so !from->cap always evaluates to zero. Most of the time the caller already +checks that <from> is a frontend. In the cases where it's not tested +(use_backend, reqsetbe), the rules have been checked for the context to +be a frontend as well, so in the end it had no nasty side effect. + +This should be backported to 1.5. +--- + src/cfgparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cfgparse.c b/src/cfgparse.c +index 3e345e48c0e0..d91d010f83f1 100644 +--- a/src/cfgparse.c ++++ b/src/cfgparse.c +@@ -6102,7 +6102,7 @@ void propagate_processes(struct proxy *from, struct proxy *to) + from = to; + } + +- if (!from->cap & PR_CAP_FE) ++ if (!(from->cap & PR_CAP_FE)) + return; + + /* default_backend */ +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 32218471e68b..620a21d401ac 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -13,3 +13,5 @@ from-upstream/0007-BUG-MAJOR-sessions-unlink-session-from-list-on-out-o.patch from-upstream/0008-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch from-upstream/0009-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch from-upstream/0001-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch +from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch +from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
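
Review bot: In the debian/changelog hunk, the two sub-items under "Fix a segfault when parsing a configuration file containing disabled proxy sections" read as two independent fixes, but the request says the BUG/MINOR change is only there so the BUG/MEDIUM patch applies cleanly. Say so in the entry, for example by appending "(prerequisite for the patch below)" to the BUG/MINOR item, so that someone reading only the changelog knows which patch closes #792116.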
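
Review bot: In 0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch, the inner hunk header is "@@ -6009,6 +6009,9 @@" and its base blob is f5eed03cce91, while the prerequisite patch touches the same condition at "@@ -6102,7 +6102,7 @@" and leaves the file at d91d010f83f1. The patch was therefore not generated on top of the prerequisite in this tree and will only apply with an offset of roughly 90 lines. Refresh it against the 1.5.8 source with the BUG/MINOR patch applied, so the hunk lands at its real position and a later context change cannot silently move the "if (from->state == PR_STSTOPPED)" check somewhere else in src/cfgparse.c.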
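
Review bot: 0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch carries no upstream reference, whereas the BUG/MEDIUM patch has a "(cherry picked from commit ...)" line. Add the upstream commit id or an Origin header so the backport can be traced. Also note that changing "if (!from->cap & PR_CAP_FE)" to "if (!(from->cap & PR_CAP_FE))" is not purely cosmetic: per the commit message the early return was never taken before, and it now is for every non-frontend "from". Since the request offers to drop this patch, it is worth stating which of the two variants was actually tested on jessie.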
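
Review bot: In the debian/patches/series hunk, both new entries reuse the 0001- prefix that 0001-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch already has, so only their position in the file shows that the BUG/MINOR patch must apply before the BUG/MEDIUM one. Consider renumbering them to continue the existing sequence after 0009-, or adding a "#" comment line above them recording the dependency, so that a later reorder or a dropped prerequisite is caught at review time rather than at build time.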