openEuler:20.03:LTS:SP3:Epol
trafficserver
Changes of Revision 18
_service:tar_scm_kernel_repo:trafficserver.spec
Changed
@@ -1,7 +1,7 @@ %define _hardened_build 1 Name: trafficserver Version: 9.1.4 -Release: 1 +Release: 2 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache License: Apache-2.0 URL: https://trafficserver.apache.org/ @@ -11,6 +11,10 @@ Patch0002: Fix-log-in-debug-mode.patch Patch0003: config-layout-openEuler.patch Patch0004: Modify-storage.config-for-traffic_cache_tool.patch +# https://github.com/apache/trafficserver/commit/c371b7b21a7e774f852af86b85c87d5d877a14bd +Patch0005: CVE-2022-47184.patch +# https://github.com/apache/trafficserver/commit/726a79cb2f70fcbe0e2139aab3fe56930d3d8c27 +Patch0006: CVE-2023-33933.patch BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker BuildRequires: libcap-devel cmake libunwind-devel automake @@ -113,6 +117,9 @@ %{_datadir}/pkgconfig/trafficserver.pc %changelog +* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 9.1.4-2 +- Fix CVE-2022-47184 and CVE-2023-33933 + * Tue Dec 27 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 9.1.4-1 - Update to 9.1.4 to fix CVE-2022-37392 and CVE-2022-32749 and CVE-2022-40743
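Review bot: The two new tags in the @@ -11,6 +11,10 @@ hunk (Patch0005, Patch0006) are only declarations, and none of the visible hunks touches %prep, so whether the patches are applied depends on spec lines not shown in this revision. Please confirm that %prep applies every declared patch automatically, or add explicit %patch entries for 5 and 6; otherwise the Release bump and the changelog line "Fix CVE-2022-47184 and CVE-2023-33933" would ship a build that is unchanged from 9.1.4-1.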
_service:tar_scm_kernel_repo:CVE-2022-47184.patch
Added
@@ -0,0 +1,105 @@ +From c371b7b21a7e774f852af86b85c87d5d877a14bd Mon Sep 17 00:00:00 2001 +From: Bryan Call <bcall@apache.org> +Date: Tue, 6 Jun 2023 15:23:04 -0700 +Subject: [PATCH] Deny the TRACE method by default (#9788) + +(cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25) +--- + configs/ip_allow.yaml.default | 4 +++- + doc/admin-guide/files/ip_allow.yaml.en.rst | 9 ++++++--- + tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default +index ff3627d23e8..16db1d2845a 100644 +--- a/configs/ip_allow.yaml.default ++++ b/configs/ip_allow.yaml.default +@@ -24,7 +24,7 @@ + # Rules are applied in the order listed starting from the top. + # That means you generally want to append your rules after the ones listed here. + # +-# Allow anything on localhost, limit destructive methods elsewhere. ++# Allow anything on localhost, limit destructive and debug methods elsewhere. + ip_allow: + - apply: in + ip_addrs: 127.0.0.1 +@@ -41,6 +41,7 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE + - apply: in + ip_addrs: ::/0 + action: deny +@@ -48,3 +49,4 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE +diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst +index 1f1843e21ac..db2e58dfa46 100644 +--- a/doc/admin-guide/files/ip_allow.yaml.en.rst ++++ b/doc/admin-guide/files/ip_allow.yaml.en.rst +@@ -60,6 +60,7 @@ Format + - PURGE + - PUSH + - DELETE ++ - TRACE + - apply: in + ip_addrs: ::/0 + action: deny +@@ -67,6 +68,7 @@ Format + - PURGE + - PUSH + - DELETE ++ - TRACE + + Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must + be a mapping or a sequence of mappings, each of those being one rule. +@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed. 
+ For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all + methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any + method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it +-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed. ++matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method ++is allowed. + + The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the + loopback address because the latter is matched first. +@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form:: + ip_allow: [ + { apply: in, ip_addrs: 127.0.0.1, action: allow }, + { apply: in, ip_addrs: "::1", action: allow }, +- { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] }, +- { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] } ++ { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }, ++ { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] } + ] + + .. note:: +diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml +index d13c27516ac..841286477cb 100644 +--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml ++++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml +@@ -13,7 +13,7 @@ + # or implied. See the License for the specific language governing permissions and limitations under + # the License. + +-# Allow anything on localhost, limit destructive methods elsewhere. ++# Allow anything on localhost, limit destructive and debug methods elsewhere. 
+ ip_allow: + - apply: in + ip_addrs: 127.0.0.1 +@@ -34,6 +34,7 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE + - apply: in + ip_addrs: ::/0 + action: deny +@@ -41,3 +42,4 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE
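Review bot: Existing deployments are not protected by this change on its own, because all three files it edits are shipped configuration or documentation (configs/ip_allow.yaml.default, ip_allow.yaml.en.rst, and the autest min_cfg copy) and no code path is touched. A site that already runs its own ip_allow.yaml keeps accepting TRACE from non-loopback clients after the update unless "- TRACE" is added to the methods list of its deny rules for 0/0 and ::/0. Suggest saying so in the package changelog or release notes. The loopback rules are still "allow" for all methods, as the comment "Allow anything on localhost" states, so TRACE remains usable from 127.0.0.1 and ::1; worth confirming that is intended.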
_service:tar_scm_kernel_repo:CVE-2023-33933.patch
Added
@@ -0,0 +1,202 @@ +From 726a79cb2f70fcbe0e2139aab3fe56930d3d8c27 Mon Sep 17 00:00:00 2001 +From: Masakazu Kitajo <maskit@apache.org> +Date: Thu, 8 Jun 2023 02:27:52 +0900 +Subject: [PATCH] s3_auth: Fix hash calculation (#9779) + +(cherry picked from commit 867c48c1adf9e795c8d85c48d2d0f07f08aa87ec) +--- + plugins/s3_auth/aws_auth_v4.cc | 5 +++++ + plugins/s3_auth/aws_auth_v4.h | 1 + + plugins/s3_auth/aws_auth_v4_wrap.h | 5 +++++ + plugins/s3_auth/unit_tests/test_aws_auth_v4.cc | 14 ++++++++++++++ + plugins/s3_auth/unit_tests/test_aws_auth_v4.h | 7 +++++++ + 5 files changed, 32 insertions(+) + +diff --git a/plugins/s3_auth/aws_auth_v4.cc b/plugins/s3_auth/aws_auth_v4.cc +index 3f9aea0..6ba76d8 100644 +--- a/plugins/s3_auth/aws_auth_v4.cc ++++ b/plugins/s3_auth/aws_auth_v4.cc +@@ -303,6 +303,11 @@ getCanonicalRequestSha256Hash(TsInterface &api, bool signPayload, const StringSe + str = api.getPath(&length); + String path("/"); + path.append(str, length); ++ str = api.getParams(&length); ++ if (length > 0) { ++ path.append(";", 1); ++ path.append(str, length); ++ } + String canonicalUri = canonicalEncode(path, /* isObjectName */ true); + sha256Update(&canonicalRequestSha256Ctx, canonicalUri); + sha256Update(&canonicalRequestSha256Ctx, "\n"); +diff --git a/plugins/s3_auth/aws_auth_v4.h b/plugins/s3_auth/aws_auth_v4.h +index 865a199..984bc62 100644 +--- a/plugins/s3_auth/aws_auth_v4.h ++++ b/plugins/s3_auth/aws_auth_v4.h +@@ -47,6 +47,7 @@ public: + virtual const char *getMethod(int *length) = 0; + virtual const char *getHost(int *length) = 0; + virtual const char *getPath(int *length) = 0; ++ virtual const char *getParams(int *length) = 0; + virtual const char *getQuery(int *length) = 0; + virtual HeaderIterator headerBegin() = 0; + virtual HeaderIterator headerEnd() = 0; +diff --git a/plugins/s3_auth/aws_auth_v4_wrap.h b/plugins/s3_auth/aws_auth_v4_wrap.h +index 72221c3..3ed858a 100644 +--- a/plugins/s3_auth/aws_auth_v4_wrap.h ++++ b/plugins/s3_auth/aws_auth_v4_wrap.h 
+@@ -108,6 +108,11 @@ public: + return TSUrlPathGet(_bufp, _url, len); + } + const char * ++ getParams(int *len) override ++ { ++ return TSUrlHttpParamsGet(_bufp, _url, len); ++ } ++ const char * + getQuery(int *len) override + { + return TSUrlHttpQueryGet(_bufp, _url, len); +diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc +index 595fe00..a11213c 100644 +--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc ++++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc +@@ -404,6 +404,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Object", "[AWS][auth][SpecByExample]") + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign("test.txt"); ++ api._params.assign(""); + api._query.assign(""); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Range", "bytes=0-9")); +@@ -449,6 +450,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket Lifecycle", "[AWS][auth][SpecByExamp + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("lifecycle"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")); +@@ -493,6 +495,7 @@ TEST_CASE("AWSAuthSpecByExample: Get Bucket List Objects", "[AWS][auth][SpecByEx + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")); +@@ -584,6 +587,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, unsigned 
pay-load, exc + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD")); +@@ -633,6 +637,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, query param value alre + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign("PATH=="); ++ api._params.assign(""); + api._query.assign("key=TEST=="); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD")); +@@ -679,6 +684,7 @@ TEST_CASE("S3AuthV4UtilParams: signing multiple same name fields", "[AWS][auth][ + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -777,6 +783,7 @@ TEST_CASE("S3AuthV4UtilParams: include all headers explicit", "[AWS][auth][SpecB + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -812,6 +819,7 @@ TEST_CASE("S3AuthV4UtilParams: exclude all headers explicit", "[AWS][auth][utili + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", 
"examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -847,6 +855,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude non overlapping headers", "[AWS][ + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -881,6 +890,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers", "[AWS][auth + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -916,6 +926,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing inclu + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -951,6 +962,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing exclu + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -989,6 +1001,7 @@ TEST_CASE("S3AuthV4UtilParams: include content type", "[AWS][auth][utility]") + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + 
api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -1022,6 +1035,7 @@ TEST_CASE("S3AuthV4UtilParams: include missing content type", "[AWS][auth][utili + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD")); +diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h +index e295d75..e4eb454 100644 +--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h ++++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h +@@ -95,6 +95,12 @@ public: + return _path.c_str(); + } + const char * ++ getParams(int *length) ++ { ++ *length = _params.length(); ++ return _params.c_str(); ++ } ++ const char * + getQuery(int *length) + { + *length = _query.length(); +@@ -114,6 +120,7 @@ public: + String _method; + String _host; + String _path; ++ String _params; + String _query; + HeaderMultiMap _headers; + }; +-- +2.30.0 +
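Review bot: In the aws_auth_v4.cc hunk the new branch checks only "if (length > 0)" after "str = api.getParams(&length);", and length is the same variable that api.getPath(&length) filled a few lines earlier. If any TsInterface implementation returns a null pointer without writing *length, the stale path length is passed with a null str to path.append(str, length). Suggest setting length to 0 before the call, or testing "str != nullptr && length > 0", so the code does not depend on every getParams implementation always writing the length.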
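Review bot: The unit tests do not exercise the behaviour this patch fixes: all 14 insertions in test_aws_auth_v4.cc are api._params.assign(""), so the "length > 0" branch that appends ";" and the params to the canonical URI is never taken. Please add at least one test case with a non-empty _params value and assert on the resulting canonical request hash and signature, so a regression in how path parameters enter the signed URI would be caught.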