[no description] https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc-2014Q2 2014-09-13T18:13:24Z 2014-09-13T18:13:24Z tron tron@pkgsrc.org 2014-09-13T18:13:24Z urn:sha1:16c21489f614c0aca0ebddf2fa83755a104880ff net/haproxy: security update Revisions pulled up: - net/haproxy/Makefile 1.13-1.15 - net/haproxy/PLIST 1.5 - net/haproxy/distinfo 1.9-1.11 - net/haproxy/options.mk 1.1 - net/haproxy/patches/patch-aa 1.5 - net/haproxy/patches/patch-ab deleted - net/haproxy/patches/patch-standard_h 1.1 --- Module Name: pkgsrc Committed By: fhajny Date: Mon Jul 14 15:30:10 UTC 2014 Modified Files: pkgsrc/net/haproxy: Makefile PLIST distinfo pkgsrc/net/haproxy/patches: patch-aa Added Files: pkgsrc/net/haproxy: options.mk pkgsrc/net/haproxy/patches: patch-standard_h Removed Files: pkgsrc/net/haproxy/patches: patch-ab Log Message: Update haproxy to 1.5.2. Introduce support for OpenSSL, PCRE and Zlib. 1.5.2 ----- Two extra important issues were discovered since 1.5.1 which were fixed in 1.5.2. The first one can cause some sample fetch combinations to fail together in a same expression, and one artificial case (but totally useless) may even crash the process. The second one is an incomplete fix in 1.5-dev23 for the request body forwarding. Hash-based balancing algorithms and http-send-name-header may fail if a request contains a body which starts to be forwarded before the contents are used. A few other bugs were fixed, and the max syslog line length is now configurable per logger. 1.5.1 ----- Version 1.5.1 fixes a few bugs from 1.5.0 among which a really annoying one which can cause some file descriptor leak when dealing with clients which disappear from the net, resulting in the impossibility to accept new connections after some time. 1.5.0 ----- 1.5 expands 1.4 with many new features and performance improvements, including native SSL support on both sides with SNI/NPN/ALPN and OCSP stapling, IPv6 and UNIX sockets are supported everywhere, full HTTP keep-alive for better support of NTLM and improved efficiency in static farms, HTTP/1.1 compression (deflate, gzip) to save bandwidth, PROXY protocol versions 1 and 2 on both sides, data sampling on everything in request or response, including payload, ACLs can use any matching method with any input sample maps and dynamic ACLs updatable from the CLI stick-tables support counters to track activity on any input sample custom format for logs, unique-id, header rewriting, and redirects, improved health checks (SSL, scripted TCP, check agent, ...), much more scalable configuration supports hundreds of thousands of backends and certificates without sweating. Full changelog for the 1.5 branch: http://www.haproxy.org/download/1.5/src/CHANGELOG --- Module Name: pkgsrc Committed By: fhajny Date: Sun Jul 27 16:33:36 UTC 2014 Modified Files: pkgsrc/net/haproxy: Makefile distinfo Log Message: Update haproxy to 1.5.3. 2014/07/25 : 1.5.3 - DOC: fix typo in Unix Socket commands - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange - DOC: mention that Squid correctly responds 400 to PPv2 header - BUG/MINOR: http: base32+src should use the big endian version of base32 - BUG/MEDIUM: connection: fix proxy v2 header again! --- Module Name: pkgsrc Committed By: morr Date: Fri Sep 12 21:37:38 UTC 2014 Modified Files: pkgsrc/net/haproxy: Makefile distinfo Log Message: Update to version 1.5.4. Changes: - BUG: config: error in http-response replace-header number of arguments - BUG/MINOR: Fix search for -p argument in systemd wrapper. - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported - MEDIUM: connection: add new bit in Proxy Protocol V2 - BUG/MINOR: server: move the directive #endif to the end of file - BUG/MEDIUM: http: tarpit timeout is reset - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() - BUG/MEDIUM: acl: correctly compute the output type when a converter is used - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer 2014-04-27T01:28:01Z rodent rodent@pkgsrc.org 2014-04-27T01:28:01Z urn:sha1:bd8cf744cb03313bfe13c6e28d965c899fb67d8c * Don't hardcode PREFIX nor PKG_SYSCONFDIR; * Add a configtest() function to test the configuration file before restart so lazy SysOps (me) don't have to remember command arguments; From CHANGELOG: - DOC: typo: nosepoll self reference in config guide - BUG/MINOR: deinit: free fdinfo while doing cleanup - BUG/MEDIUM: server: set the macro for server's max weight SRV_UWGHT_MAX to SRV_UWGHT_RANGE - BUG/MINOR: use the same check condition for server as other algorithms - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN for recv() - BUG/MINOR: fix forcing fastinter in "on-error" - BUG/MEDIUM: http/auth: Sometimes the authentication credentials can be mix between two requests - BUG/MAJOR: http: don't emit the send-name-header when no server is available - BUG/MEDIUM: http: "option checkcache" fails with the no-cache header - MEDIUM: session: disable lingering on the server when the client aborts - MINOR: config: warn when a server with no specific port uses rdp-cookie - MEDIUM: increase chunk-size limit to 2GB-1 - DOC: add a mention about the limited chunk size - MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection - BUILD: proto_tcp: remove a harmless warning - BUG/MINOR: acl: remove patterns from the tree before freeing them - BUG/MEDIUM: checks: fix slow start regression after fix attempt - BUG/MAJOR: server: weight calculation fails for map-based algorithms - BUG/MINOR: backend: fix target address retrieval in transparent mode - BUG/MEDIUM: stick: completely remove the unused flag from the store entries - BUG/MEDIUM: stick-tables: complete the latest fix about store-responses - BUG/MEDIUM: checks: tracking servers must not inherit the MAINT flag - BUG/MINOR: stats: report correct throttling percentage for servers in slowstart - BUG/MINOR: stats: correctly report throttle rate of low weight servers - BUG/MINOR: checks: successful check completion must not re-enable MAINT servers - BUG/MEDIUM: stats: the web interface must check the tracked servers before enabling - BUG/MINOR: channel: initialize xfer_small/xfer_large on new buffers - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN - BUG/MEDIUM: http: don't start to forward request data before the connect - DOC: fix misleading information about SIGQUIT - BUILD: simplify the date and version retrieval in the makefile - BUILD: prepare the makefile to skip format lines in SUBVERS and VERDATE - BUILD: use format tags in VERDATE and SUBVERS files 2014-04-24T16:23:59Z jperkin jperkin@pkgsrc.org 2014-04-24T16:23:59Z urn:sha1:851091928d95e7b972aab6ce262f0f5461d952ca only OS for which the flag is supplied. Bump PKGREVISION. 2014-03-11T14:34:36Z jperkin jperkin@pkgsrc.org 2014-03-11T14:34:36Z urn:sha1:76740313a3ac624b6ff51288f485f40d39d80cb1 2014-03-11T14:04:57Z jperkin jperkin@pkgsrc.org 2014-03-11T14:04:57Z urn:sha1:071ea796c1307e737cc3101448aa934353fe247c These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or ignored otherwise. 2014-02-20T00:37:46Z rodent rodent@pkgsrc.org 2014-02-20T00:37:46Z urn:sha1:bb70bebf9641b6d032175a339c37404efa1fafb9 NetBSD platforms. 2014-02-20T00:14:22Z rodent rodent@pkgsrc.org 2014-02-20T00:14:22Z urn:sha1:9a1b6b60b2b3cb73e2f61517b1fa15fcadcf50c9 pkgtools/rc.subr works perfectly fine on other OSes. We're not doing this anywhere else either... 2013-06-20T21:36:28Z morr morr@pkgsrc.org 2013-06-20T21:36:28Z urn:sha1:7cc2875f00793b11a2e6687ff37dc2fcaf58ecad ChangeLog: - BUG/MAJOR: backend: consistent hash can loop forever in certain circumstances - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used - MEDIUM: protocol: implement a "drain" function in protocol layers - BUG/CRITICAL: fix a possible crash when using negative header occurrences 2013-04-17T19:55:37Z morr morr@pkgsrc.org 2013-04-17T19:55:37Z urn:sha1:95af2590fb94ee6dc49bc4e1fe14f5bb57e23b3d ChangeLog: 2013/04/03 : 1.4.23 - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read - BUG: fix garbage data when http-send-name-header replaces an existing header - BUG/MEDIUM: remove supplementary groups when changing gid - BUG/MINOR: Correct logic in cut_crlf() - BUG/MINOR: config: use a copy of the file name in proxy configurations - BUG/MINOR: epoll: correctly disable FD polling in fd_rem() - MINOR: halog: sort output by cookie code - BUG/MINOR: halog: -ad/-ac report the correct number of output lines - BUG/MINOR: halog: fix help message for -ut/-uto - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode - BUG/MEDIUM: command-line option -D must have precedence over "debug" - OPTIM: halog: keep a fast path for the lines-count only - MINOR: halog: add a parameter to limit output line count - BUG: halog: fix broken output limitation - MEDIUM: checks: avoid accumulating TIME_WAITs during checks - MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts - BUG/MAJOR: cli: show sess <id> may randomly corrupt the back-ref list - BUG/MINOR: http: don't report client aborts as server errors - BUG/MINOR: http: don't log a 503 on client errors while waiting for requests - BUG/MEDIUM: tcp: process could theorically crash on lack of source ports - BUG/MINOR: http: don't abort client connection on premature responses - BUILD: no need to clean up when making git-tar - MINOR: http: always report PR-- flags for redirect rules - BUG/MINOR: time: frequency counters are not totally accurate - BUG/MINOR: http: don't process abortonclose when request was sent - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait() - BUG/MINOR: config: fix improper check for failed memory alloc in ACL parser - BUG/MEDIUM: checks: ensure the health_status is always within bounds - CLEANUP: http: remove a useless null check - BUG/MEDIUM: signal: signal handler does not properly check for signal bounds - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage - CLEANUP: config: slowstart is never negative - BUILD: improve the makefile's support for libpcre - BUG/MINOR: checks: fix an warning introduced by commit 2f61455a - MEDIUM: halog: add support for counting per source address (-ic) - DOC: mention the new HTTP 307 and 308 redirect statues (cherry picked from commit b67fdc4cd8bde202f2805d98683ddab929469a05) - MEDIUM: poll: do not use FD_* macros anymore - BUG/MAJOR: ev_select: disable the select() poller if maxsock > FD_SETSIZE - BUILD: enable poll() by default in the makefile - BUILD: add explicit support for Mac OS/X - BUG/CRITICAL: using HTTP information in tcp-request content may crash the process - MEDIUM: http: implement redirect 307 and 308 - MINOR: http: status 301 should not be marked non-cacheable 2012-12-15T19:04:55Z shattered shattered@pkgsrc.org 2012-12-15T19:04:55Z urn:sha1:ee0a452e51f3c345e7ab55dd2a2fa9093db85096 - BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations - BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches