Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2015-07-05 18:03:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2015-06-30 10:19:19.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2015-07-05 18:03:15.000000000 +0200
@@ -1,0 +2,7 @@
+Fri Jul 3 16:37:55 UTC 2015 - kgronlund@suse.com
+
+- Update to 1.5.14 (CVE-2015-3281) (bsc#937042)
+ + BUILD/MINOR: tools: rename popcount to my_popcountl
+ + BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
+
+-------------------------------------------------------------------
Old:
----
haproxy-1.5.13.tar.gz
New:
----
haproxy-1.5.14.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.zNURpP/_old 2015-07-05 18:03:15.000000000 +0200
+++ /var/tmp/diff_new_pack.zNURpP/_new 2015-07-05 18:03:15.000000000 +0200
@@ -33,7 +33,7 @@
%bcond_without apparmor
Name: haproxy
-Version: 1.5.13
+Version: 1.5.14
Release: 0
#
#
++++++ haproxy-1.5.13.tar.gz -> haproxy-1.5.14.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/CHANGELOG new/haproxy-1.5.14/CHANGELOG
--- old/haproxy-1.5.13/CHANGELOG 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/CHANGELOG 2015-07-03 17:35:11.000000000 +0200
@@ -1,6 +1,10 @@
ChangeLog :
===========
+2015/07/03 : 1.5.14
+ - BUILD/MINOR: tools: rename popcount to my_popcountl
+ - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
+
2015/06/26 : 1.5.13
- BUG/MINOR: check: fix tcpcheck error message
- CLEANUP: deinit: remove codes for cleaning p->block_rules
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/README new/haproxy-1.5.14/README
--- old/haproxy-1.5.13/README 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/README 2015-07-03 17:35:11.000000000 +0200
@@ -1,9 +1,9 @@
----------------------
HAProxy how-to
----------------------
- version 1.5.13
+ version 1.5.14
willy tarreau
- 2015/06/26
+ 2015/07/02
1) How to build it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/VERDATE new/haproxy-1.5.14/VERDATE
--- old/haproxy-1.5.13/VERDATE 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/VERDATE 2015-07-03 17:35:11.000000000 +0200
@@ -1,2 +1,2 @@
$Format:%ci$
-2015/06/23
+2015/07/02
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/VERSION new/haproxy-1.5.14/VERSION
--- old/haproxy-1.5.13/VERSION 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/VERSION 2015-07-03 17:35:11.000000000 +0200
@@ -1 +1 @@
-1.5.13
+1.5.14
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/doc/configuration.txt new/haproxy-1.5.14/doc/configuration.txt
--- old/haproxy-1.5.13/doc/configuration.txt 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/doc/configuration.txt 2015-07-03 17:35:11.000000000 +0200
@@ -2,9 +2,9 @@
HAProxy
Configuration Manual
----------------------
- version 1.5.13
+ version 1.5.14
willy tarreau
- 2015/06/26
+ 2015/07/02
This document covers the configuration language as implemented in the version
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/examples/haproxy.spec new/haproxy-1.5.14/examples/haproxy.spec
--- old/haproxy-1.5.13/examples/haproxy.spec 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/examples/haproxy.spec 2015-07-03 17:35:11.000000000 +0200
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.5.13
+Version: 1.5.14
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -76,6 +76,9 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Fri Jul 3 2015 Willy Tarreau
+- updated to 1.5.14
+
* Fri Jun 26 2015 Willy Tarreau
- updated to 1.5.13
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/include/common/standard.h new/haproxy-1.5.14/include/common/standard.h
--- old/haproxy-1.5.13/include/common/standard.h 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/include/common/standard.h 2015-07-03 17:35:11.000000000 +0200
@@ -565,8 +565,8 @@
return result;
}
-/* Simple popcount implementation. It returns the number of ones in a word */
-static inline unsigned int popcount(unsigned long a)
+/* Simple popcountl implementation. It returns the number of ones in a word */
+static inline unsigned int my_popcountl(unsigned long a)
{
unsigned int cnt;
for (cnt = 0; a; a >>= 1) {
@@ -576,7 +576,7 @@
return cnt;
}
-/* Build a word with the <bits> lower bits set (reverse of popcount) */
+/* Build a word with the <bits> lower bits set (reverse of my_popcountl) */
static inline unsigned long nbits(int bits)
{
if (--bits < 0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/src/buffer.c new/haproxy-1.5.14/src/buffer.c
--- old/haproxy-1.5.13/src/buffer.c 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/src/buffer.c 2015-07-03 17:35:11.000000000 +0200
@@ -107,30 +107,39 @@
return delta;
}
-/* This function realigns input data in a possibly wrapping buffer so that it
- * becomes contiguous and starts at the beginning of the buffer area. The
- * function may only be used when the buffer's output is empty.
+/* This function realigns a possibly wrapping buffer so that the input part is
+ * contiguous and starts at the beginning of the buffer and the output part
+ * ends at the end of the buffer. This provides the best conditions since it
+ * allows the largest inputs to be processed at once and ensures that once the
+ * output data leaves, the whole buffer is available at once.
*/
void buffer_slow_realign(struct buffer *buf)
{
- /* two possible cases :
- * - the buffer is in one contiguous block, we move it in-place
- * - the buffer is in two blocks, we move it via the swap_buffer
- */
- if (buf->i) {
- int block1 = buf->i;
- int block2 = 0;
- if (buf->p + buf->i > buf->data + buf->size) {
- /* non-contiguous block */
- block1 = buf->data + buf->size - buf->p;
- block2 = buf->p + buf->i - (buf->data + buf->size);
- }
- if (block2)
- memcpy(swap_buffer, buf->data, block2);
- memmove(buf->data, buf->p, block1);
- if (block2)
- memcpy(buf->data + block1, swap_buffer, block2);
+ int block1 = buf->o;
+ int block2 = 0;
+
+ /* process output data in two steps to cover wrapping */
+ if (block1 > buf->p - buf->data) {
+ block2 = buf->p - buf->data;
+ block1 -= block2;
}
+ memcpy(swap_buffer + buf->size - buf->o, bo_ptr(buf), block1);
+ memcpy(swap_buffer + buf->size - block2, buf->data, block2);
+
+ /* process input data in two steps to cover wrapping */
+ block1 = buf->i;
+ block2 = 0;
+
+ if (block1 > buf->data + buf->size - buf->p) {
+ block1 = buf->data + buf->size - buf->p;
+ block2 = buf->i - block1;
+ }
+ memcpy(swap_buffer, bi_ptr(buf), block1);
+ memcpy(swap_buffer + block1, buf->data, block2);
+
+ /* reinject changes into the buffer */
+ memcpy(buf->data, swap_buffer, buf->i);
+ memcpy(buf->data + buf->size - buf->o, swap_buffer + buf->size - buf->o, buf->o);
buf->p = buf->data;
}
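Review bot: The rewritten header comment of buffer_slow_realign() drops the old precondition without stating the new ones, although every memcpy() length and offset in the body is taken from buf->i, buf->o, buf->size and buf->p with no check. The copies into swap_buffer stay in bounds only if buf->i + buf->o <= buf->size, buf->p lies within buf->data .. buf->data + buf->size, and swap_buffer (declared outside this hunk) holds at least buf->size bytes. If one of these invariants is violated, the result is an out-of-bounds copy rather than a visible error. I would record that in the comment, for example `* The caller must guarantee buf->i + buf->o <= buf->size, and swap_buffer must hold at least buf->size bytes.` Separately, block1 and block2 are declared `int` but are used as memcpy() lengths and compared against pointer differences; if the buffer fields are unsigned (their declaration is not visible here), `size_t` would avoid the mixed-sign comparisons.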
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.13/src/cfgparse.c new/haproxy-1.5.14/src/cfgparse.c
--- old/haproxy-1.5.13/src/cfgparse.c 2015-06-26 12:20:45.000000000 +0200
+++ new/haproxy-1.5.14/src/cfgparse.c 2015-07-03 17:35:11.000000000 +0200
@@ -6130,7 +6130,7 @@
/* an explicit bind-process was specified, let's check how many
* processes remain.
*/
- nbproc = popcount(curproxy->bind_proc);
+ nbproc = my_popcountl(curproxy->bind_proc);
curproxy->bind_proc &= nbits(global.nbproc);
if (!curproxy->bind_proc && nbproc == 1) {
@@ -6155,7 +6155,7 @@
mask &= curproxy->bind_proc;
/* mask cannot be null here thanks to the previous checks */
- nbproc = popcount(bind_conf->bind_proc);
+ nbproc = my_popcountl(bind_conf->bind_proc);
bind_conf->bind_proc &= mask;
if (!bind_conf->bind_proc && nbproc == 1) {
@@ -7092,7 +7092,7 @@
mask &= bind_conf->bind_proc;
/* stop here if more than one process is used */
- if (popcount(mask) > 1)
+ if (my_popcountl(mask) > 1)
break;
}
if (&bind_conf->by_fe != &global.stats_fe->conf.bind) {
@@ -7155,7 +7155,7 @@
unsigned int next_id;
int nbproc;
- nbproc = popcount(curproxy->bind_proc & nbits(global.nbproc));
+ nbproc = my_popcountl(curproxy->bind_proc & nbits(global.nbproc));
#ifdef USE_OPENSSL
/* Configure SSL for each bind line.
@@ -7272,7 +7272,7 @@
int count, maxproc = 0;
list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
- count = popcount(bind_conf->bind_proc);
+ count = my_popcountl(bind_conf->bind_proc);
if (count > maxproc)
maxproc = count;
}
@@ -7421,13 +7421,13 @@
Warning("Removing incomplete section 'peers %s' (no peer named '%s').\n",
curpeers->id, localpeer);
}
- else if (popcount(curpeers->peers_fe->bind_proc) != 1) {
+ else if (my_popcountl(curpeers->peers_fe->bind_proc) != 1) {
/* either it's totally stopped or too much used */
if (curpeers->peers_fe->bind_proc) {
Alert("Peers section '%s': peers referenced by sections "
"running in different processes (%d different ones). "
"Check global.nbproc and all tables' bind-process "
- "settings.\n", curpeers->id, popcount(curpeers->peers_fe->bind_proc));
+ "settings.\n", curpeers->id, my_popcountl(curpeers->peers_fe->bind_proc));
cfgerr++;
}
stop_proxy(curpeers->peers_fe);