Update for Haproxy to 1.4.23.

Mostly bugfixes and last patch commited upstream. ok jasper@
2013-04-28 20:30:50 +00:00 · 2013-04-28 20:30:50 +00:00 · 0c202f1ff5
commit 0c202f1ff5
parent 037be36b69
3 changed files with 4 additions and 48 deletions
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@ -1,9 +1,8 @@
-# $OpenBSD: Makefile,v 1.10 2013/04/03 06:23:25 jasper Exp $
+# $OpenBSD: Makefile,v 1.11 2013/04/28 20:30:50 gonzalo Exp $

 COMMENT =	reliable, high performance TCP/HTTP load balancer

-DISTNAME =	haproxy-1.4.22
-REVISION =	0
+DISTNAME =	haproxy-1.4.23
 CATEGORIES =	net www
 HOMEPAGE =	http://haproxy.1wt.eu/

--- a/net/haproxy/distinfo
+++ b/net/haproxy/distinfo
@ -1,2 +1,2 @@
-SHA256 (haproxy-1.4.22.tar.gz) = uiIbPqpNcSMyMLFWwwAPXCvU2s6U2SZiNVF/5C+Rf8Y=
-SIZE (haproxy-1.4.22.tar.gz) = 831791
+SHA256 (haproxy-1.4.23.tar.gz) = 6lrUFms5S0rMUGWgE8eNMAL+RWnexfkZwJ8qKPtEOPE=
+SIZE (haproxy-1.4.23.tar.gz) = 835907
--- a/net/haproxy/patches/patch-src_proto_http_c
+++ b/net/haproxy/patches/patch-src_proto_http_c
@ -1,43 +0,0 @@
-$OpenBSD: patch-src_proto_http_c,v 1.1 2013/04/03 06:23:25 jasper Exp $
-
-Security fix for CVE-2013-1912, haproxy may crash on TCP content inspection rules
-BUG/CRITICAL: using HTTP information in tcp-request content may crash the process
-
--- src/proto_http.c.orig	Tue Aug 14 09:09:31 2012
-+++ src/proto_http.c	Wed Apr  3 08:20:41 2013
-@@ -8278,6 +8278,14 @@ acl_fetch_proto_http(struct proxy *px, struct session 
- 		return 1;
- 	}
- 
-+	/* If the buffer does not leave enough free space at the end,
-+	 * we must first realign it.
-+	 */
-+	if (unlikely(req->lr > req->data &&
-+	    (req->r < req->lr || req->r > req->data + req->size - global.tune.maxrewrite)) &&
-+	    (req->l <= req->size - global.tune.maxrewrite))
-+		http_buffer_heavy_realign(req, msg);
-+
- 	/* Try to decode HTTP request */
- 	if (likely(req->lr < req->r))
- 		http_msg_analyzer(req, msg, &txn->hdr_idx);
-@@ -8295,6 +8303,20 @@ acl_fetch_proto_http(struct proxy *px, struct session 
- 	/* OK we got a valid HTTP request. We have some minor preparation to
- 	 * perform so that further checks can rely on HTTP tests.
- 	 */
-+
-+	/* If the request was parsed but was too large, we must absolutely
-+	 * return an error so that it is not processed. At the moment this
-+	 * cannot happen, but if the parsers are to change in the future,
-+	 * we want this check to be maintained.
-+	 */
-+	if (unlikely(req->lr > req->data &&
-+	    (req->r < req->lr || req->l > req->size - global.tune.maxrewrite ||
-+	     req->r > req->data + req->size - global.tune.maxrewrite))) {
-+		msg->msg_state = HTTP_MSG_ERROR;
-+		test->flags |= ACL_TEST_F_SET_RES_PASS;
-+		return 1;
-+	}
-+
- 	txn->meth = find_http_meth(msg->sol, msg->sl.rq.m_l);
- 	if (txn->meth == HTTP_METH_GET || txn->meth == HTTP_METH_HEAD)
- 		s->flags |= SN_REDIRECTABLE;