Commit 45e39453 authored by Natanael Copa

main/haproxy: security upgrade to 1.8.23 (CVE-2019-19330)

fixes #11003
parent 8c593acd
# Contributor: Jeff Bilyk <jbilyk@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=haproxy
pkgver=1.8.5
pkgver=1.8.23
_pkgmajorver=${pkgver%.*}
pkgrel=0
pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
......@@ -21,6 +21,10 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 1.8.23:
# - CVE-2019-19330
build() {
cd "$builddir"
make \
......@@ -49,7 +53,7 @@ package() {
"$pkgdir"/etc/haproxy/haproxy.cfg
}
sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2 haproxy-1.8.5.tar.gz
636bb2b18ad1de7f9cf97f69c8a911aae6575787eac999d1c419bf22989a3a36a7de14d21620a9919ae717be807518c9db0e20c46ca5788a3f9a5857ceb0bfee libressl-2.7.patch
sha512sums="bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f haproxy-1.8.23.tar.gz
06908ddc3c689f4887bd3ae89bed49c17b5ead7938ce4c8b31128067be9a1a98afbfeacf2f1f9ba784d0ce12ac2042de6123435d03dcdfa911924a89792a9e9c libressl-2.7.patch
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
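Review bot: The new secfixes block under `# 1.8.23:` records only CVE-2019-19330, yet pkgver jumps from 1.8.5 straight to 1.8.23, so any other security fixes shipped in the intermediate 1.8.x releases are not captured here. The secfixes comment is what feeds the Alpine secdb, so each such CVE, if any, should be listed under the first version that fixed it rather than being left implicit in the bump; the commit title names only the one CVE, so this is worth confirming against the upstream 1.8.x changelogs before merging. Separately, the sha512 of libressl-2.7.patch changes together with the tarball hash, which is consistent with the patch having been rebased for 1.8.23; a one-line mention of that rebase in the commit message would make the hash change self-explanatory.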
......@@ -21,7 +21,7 @@ index b6fe1d2..551cae2 100644
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
*/
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c2b5bf6..ebde76d 100644
index e53133d..c663500 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -56,6 +56,14 @@
......@@ -39,7 +39,7 @@ index c2b5bf6..ebde76d 100644
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
#include <openssl/async.h>
#endif
@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
@@ -2093,7 +2101,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
SSL_set_SSL_CTX(ssl, ctx);
}
......@@ -48,16 +48,16 @@ index c2b5bf6..ebde76d 100644
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
{
@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
@@ -3932,7 +3940,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
#ifdef OPENSSL_IS_BORINGSSL
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
#else
@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
if (bind_conf->ssl_conf.early_data) {
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
@@ -5223,7 +5231,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
if (!conn->xprt_ctx)
goto out_error;
......@@ -66,7 +66,25 @@ index c2b5bf6..ebde76d 100644
/*
* Check if we have early data. If we do, we have to read them
* before SSL_do_handshake() is called, And there's no way to
@@ -5252,7 +5260,7 @@ check_error:
@@ -5299,7 +5307,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
#endif
if (empty_handshake) {
if (!errno) {
@@ -5383,7 +5391,7 @@ check_error:
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
#endif
if (empty_handshake) {
if (!errno) {
@@ -5423,7 +5431,7 @@ check_error:
goto out_error;
}
}
......@@ -75,7 +93,7 @@ index c2b5bf6..ebde76d 100644
else {
/*
* If the server refused the early data, we have to send a
@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
@@ -5542,7 +5550,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
continue;
}
......@@ -84,7 +102,7 @@ index c2b5bf6..ebde76d 100644
if (conn->flags & CO_FL_EARLY_SSL_HS) {
size_t read_length;
@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
@@ -5670,7 +5678,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
* in which case we accept to do it once again.
*/
while (buf->o) {
......@@ -93,12 +111,12 @@ index c2b5bf6..ebde76d 100644
size_t written_data;
#endif
@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
@@ -5689,7 +5697,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
}
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_EARLY_DATA
if (!SSL_is_init_finished(conn->xprt_ctx)) {
if (!SSL_is_init_finished(conn->xprt_ctx) && conn_is_back(conn)) {
unsigned int max_early;