Hello community, here is the log from the commit of package etcd for openSUSE:Factory checked in at 2019-02-01 11:46:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/etcd (Old) and /work/SRC/openSUSE:Factory/.etcd.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "etcd" Fri Feb 1 11:46:15 2019 rev:15 rq:670117 version:3.3.11 Changes: -------- --- /work/SRC/openSUSE:Factory/etcd/etcd.changes 2018-12-28 12:33:57.732020378 +0100 +++ /work/SRC/openSUSE:Factory/.etcd.new.28833/etcd.changes 2019-02-01 11:46:23.780493888 +0100 @@ -1,0 +2,10 @@ +Wed Jan 30 11:58:15 UTC 2019 - Panagiotis Georgiadis pgeorgiadis@suse.com + +- Update to version 3.3.11: + * version: 3.3.11 + * auth: fix cherry-pick + * auth: disable CommonName auth for gRPC-gateway + * grpcproxy: fix memory leak + * bsc#1121850 CVE-2018-16886 + +------------------------------------------------------------------- Old: ---- etcd-3.3.10.tar.xz New: ---- etcd-3.3.11.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ etcd.spec ++++++ --- /var/tmp/diff_new_pack.jQxesF/_old 2019-02-01 11:46:25.984491624 +0100 +++ /var/tmp/diff_new_pack.jQxesF/_new 2019-02-01 11:46:25.984491624 +0100 @@ -22,7 +22,7 @@ %endif Name: etcd -Version: 3.3.10 +Version: 3.3.11 Release: 0 Summary: Highly-available key value store for configuration and service discovery License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.jQxesF/_old 2019-02-01 11:46:26.008491600 +0100 +++ /var/tmp/diff_new_pack.jQxesF/_new 2019-02-01 11:46:26.008491600 +0100 @@ -4,8 +4,8 @@ <param name="url">https://github.com/coreos/etcd.git</param> <param name="exclude">.git</param> <param name="filename">etcd</param> - <param name="versionformat">3.3.10</param> - <param name="revision">v3.3.10</param> + <param name="versionformat">3.3.11</param> + <param name="revision">v3.3.11</param> <param name="changesgenerate">enable</param> </service> <service name="recompress" mode="disabled"> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.jQxesF/_old 2019-02-01 11:46:26.024491583 +0100 +++ /var/tmp/diff_new_pack.jQxesF/_new 2019-02-01 11:46:26.024491583 +0100 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/coreos/etcd.git</param> - <param name="changesrevision">27fc7e2296f506182f58ce846e48f36b34fe6842</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">2cf9e51d2a78003b164c2998886158e60ded1cbb</param></service></servicedata> \ No newline at end of file ++++++ etcd-3.3.10.tar.xz -> etcd-3.3.11.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etcd-3.3.10/.travis.yml new/etcd-3.3.11/.travis.yml --- old/etcd-3.3.10/.travis.yml 2018-10-10 19:17:54.000000000 +0200 +++ new/etcd-3.3.11/.travis.yml 2019-01-11 20:12:25.000000000 +0100 @@ -6,7 +6,7 @@ services: docker go: -- 1.10.4 +- 1.10.7 notifications: on_success: never @@ -23,7 +23,7 @@ matrix: fast_finish: true allow_failures: - - go: 1.10.4 + - go: 1.10.7 env: TARGET=linux-386-unit exclude: - go: tip diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etcd-3.3.10/auth/store.go new/etcd-3.3.11/auth/store.go --- old/etcd-3.3.10/auth/store.go 2018-10-10 19:17:54.000000000 +0200 +++ new/etcd-3.3.11/auth/store.go 2019-01-11 20:12:25.000000000 +0100 @@ -982,10 +982,23 @@ cn := chain.Subject.CommonName plog.Debugf("found common name %s", cn) - return &AuthInfo{ + ai := &AuthInfo{ Username: cn, Revision: as.Revision(), } + md, ok := metadata.FromIncomingContext(ctx) + if !ok { + return nil + } + + // gRPC-gateway proxy request to etcd server includes Grpcgateway-Accept + // header. The proxy uses etcd client server certificate. If the certificate + // has a CommonName we should never use this for authentication. + if gw := md["grpcgateway-accept"]; len(gw) > 0 { + plog.Warningf("ignoring common name in gRPC-gateway proxy request %s", ai.Username) + return nil + } + return ai } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etcd-3.3.10/proxy/grpcproxy/cache/store.go new/etcd-3.3.11/proxy/grpcproxy/cache/store.go --- old/etcd-3.3.10/proxy/grpcproxy/cache/store.go 2018-10-10 19:17:54.000000000 +0200 +++ new/etcd-3.3.11/proxy/grpcproxy/cache/store.go 2019-01-11 20:12:25.000000000 +0100 @@ -99,9 +99,12 @@ iv = c.cachedRanges.Find(ivl) if iv == nil { - c.cachedRanges.Insert(ivl, []string{key}) + val := map[string]struct{}{key: {}} + c.cachedRanges.Insert(ivl, val) } else { - iv.Val = append(iv.Val.([]string), key) + val := iv.Val.(map[string]struct{}) + val[key] = struct{}{} + iv.Val = val } } @@ -141,8 +144,8 @@ ivs = c.cachedRanges.Stab(ivl) for _, iv := range ivs { - keys := iv.Val.([]string) - for _, key := range keys { + keys := iv.Val.(map[string]struct{}) + for key := range keys { c.lru.Remove(key) } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etcd-3.3.10/version/version.go new/etcd-3.3.11/version/version.go --- old/etcd-3.3.10/version/version.go 2018-10-10 19:17:54.000000000 +0200 +++ new/etcd-3.3.11/version/version.go 2019-01-11 20:12:25.000000000 +0100 @@ -26,7 +26,7 @@ var ( // MinClusterVersion is the min cluster version this etcd binary is compatible with. MinClusterVersion = "3.0.0" - Version = "3.3.10" + Version = "3.3.11" APIVersion = "unknown" // Git SHA Value will be set during build