openEuler:20.03:LTS:SP3:Epol
trafficserver
Changes of Revision 18
_service:tar_scm_kernel_repo:trafficserver.spec
Changed
@@ -1,7 +1,7 @@ %define _hardened_build 1 Name: trafficserver Version: 9.1.4 -Release: 1 +Release: 2 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache License: Apache-2.0 URL: https://trafficserver.apache.org/ @@ -11,6 +11,10 @@ Patch0002: Fix-log-in-debug-mode.patch Patch0003: config-layout-openEuler.patch Patch0004: Modify-storage.config-for-traffic_cache_tool.patch +# https://github.com/apache/trafficserver/commit/c371b7b21a7e774f852af86b85c87d5d877a14bd +Patch0005: CVE-2022-47184.patch +# https://github.com/apache/trafficserver/commit/726a79cb2f70fcbe0e2139aab3fe56930d3d8c27 +Patch0006: CVE-2023-33933.patch BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker BuildRequires: libcap-devel cmake libunwind-devel automake @@ -113,6 +117,9 @@ %{_datadir}/pkgconfig/trafficserver.pc %changelog +* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 9.1.4-2 +- Fix CVE-2022-47184 and CVE-2023-33933 + * Tue Dec 27 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 9.1.4-1 - Update to 9.1.4 to fix CVE-2022-37392 and CVE-2022-32749 and CVE-2022-40743
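Review bot: The %changelog entry for 9.1.4-2 says only "Fix CVE-2022-47184 and CVE-2023-33933", but Patch0005 touches nothing except configs/ip_allow.yaml.default, its documentation and the autest min_cfg copy, so the CVE-2022-47184 fix is a changed default rather than a code change. Suggest stating that in the changelog line (for example "- Fix CVE-2022-47184: deny TRACE in the default ip_allow.yaml") and checking how the %files section, which is not shown in these hunks, marks ip_allow.yaml: if an existing file is preserved on upgrade, installed systems keep their old method list and administrators have to add TRACE to their deny rules themselves.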
_service:tar_scm_kernel_repo:CVE-2022-47184.patch
Added
@@ -0,0 +1,105 @@ +From c371b7b21a7e774f852af86b85c87d5d877a14bd Mon Sep 17 00:00:00 2001 +From: Bryan Call <bcall@apache.org> +Date: Tue, 6 Jun 2023 15:23:04 -0700 +Subject: [PATCH] Deny the TRACE method by default (#9788) + +(cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25) +--- + configs/ip_allow.yaml.default | 4 +++- + doc/admin-guide/files/ip_allow.yaml.en.rst | 9 ++++++--- + tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default +index ff3627d23e8..16db1d2845a 100644 +--- a/configs/ip_allow.yaml.default ++++ b/configs/ip_allow.yaml.default +@@ -24,7 +24,7 @@ + # Rules are applied in the order listed starting from the top. + # That means you generally want to append your rules after the ones listed here. + # +-# Allow anything on localhost, limit destructive methods elsewhere. ++# Allow anything on localhost, limit destructive and debug methods elsewhere. + ip_allow: + - apply: in + ip_addrs: 127.0.0.1 +@@ -41,6 +41,7 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE + - apply: in + ip_addrs: ::/0 + action: deny +@@ -48,3 +49,4 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE +diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst +index 1f1843e21ac..db2e58dfa46 100644 +--- a/doc/admin-guide/files/ip_allow.yaml.en.rst ++++ b/doc/admin-guide/files/ip_allow.yaml.en.rst +@@ -60,6 +60,7 @@ Format + - PURGE + - PUSH + - DELETE ++ - TRACE + - apply: in + ip_addrs: ::/0 + action: deny +@@ -67,6 +68,7 @@ Format + - PURGE + - PUSH + - DELETE ++ - TRACE + + Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must + be a mapping or a sequence of mappings, each of those being one rule. +@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed. 
+ For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all + methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any + method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it +-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed. ++matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method ++is allowed. + + The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the + loopback address because the latter is matched first. +@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form:: + ip_allow: [ + { apply: in, ip_addrs: 127.0.0.1, action: allow }, + { apply: in, ip_addrs: "::1", action: allow }, +- { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] }, +- { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] } ++ { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }, ++ { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] } + ] + + .. note:: +diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml +index d13c27516ac..841286477cb 100644 +--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml ++++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml +@@ -13,7 +13,7 @@ + # or implied. See the License for the specific language governing permissions and limitations under + # the License. + +-# Allow anything on localhost, limit destructive methods elsewhere. ++# Allow anything on localhost, limit destructive and debug methods elsewhere. 
+ ip_allow: + - apply: in + ip_addrs: 127.0.0.1 +@@ -34,6 +34,7 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE + - apply: in + ip_addrs: ::/0 + action: deny +@@ -41,3 +42,4 @@ ip_allow: + - PURGE + - PUSH + - DELETE ++ - TRACE
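Review bot: Nothing in this patch asserts that the new deny actually takes effect; the only file changed under tests/ is min_cfg/ip_allow.yaml, which just mirrors the shipped default, and the diffstat lists no test case. A gold test that expects TRACE to be rejected by the 0/0 and ::/0 rules while PURGE, PUSH and DELETE stay rejected would pin the behaviour. The documentation hunks are consistent with the config (block form, prose and compact form all list TRACE), but the prose could also say that the 127.0.0.1 and ::1 rules still allow every method, TRACE included, since they match first.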
_service:tar_scm_kernel_repo:CVE-2023-33933.patch
Added
@@ -0,0 +1,202 @@ +From 726a79cb2f70fcbe0e2139aab3fe56930d3d8c27 Mon Sep 17 00:00:00 2001 +From: Masakazu Kitajo <maskit@apache.org> +Date: Thu, 8 Jun 2023 02:27:52 +0900 +Subject: [PATCH] s3_auth: Fix hash calculation (#9779) + +(cherry picked from commit 867c48c1adf9e795c8d85c48d2d0f07f08aa87ec) +--- + plugins/s3_auth/aws_auth_v4.cc | 5 +++++ + plugins/s3_auth/aws_auth_v4.h | 1 + + plugins/s3_auth/aws_auth_v4_wrap.h | 5 +++++ + plugins/s3_auth/unit_tests/test_aws_auth_v4.cc | 14 ++++++++++++++ + plugins/s3_auth/unit_tests/test_aws_auth_v4.h | 7 +++++++ + 5 files changed, 32 insertions(+) + +diff --git a/plugins/s3_auth/aws_auth_v4.cc b/plugins/s3_auth/aws_auth_v4.cc +index 3f9aea0..6ba76d8 100644 +--- a/plugins/s3_auth/aws_auth_v4.cc ++++ b/plugins/s3_auth/aws_auth_v4.cc +@@ -303,6 +303,11 @@ getCanonicalRequestSha256Hash(TsInterface &api, bool signPayload, const StringSe + str = api.getPath(&length); + String path("/"); + path.append(str, length); ++ str = api.getParams(&length); ++ if (length > 0) { ++ path.append(";", 1); ++ path.append(str, length); ++ } + String canonicalUri = canonicalEncode(path, /* isObjectName */ true); + sha256Update(&canonicalRequestSha256Ctx, canonicalUri); + sha256Update(&canonicalRequestSha256Ctx, "\n"); +diff --git a/plugins/s3_auth/aws_auth_v4.h b/plugins/s3_auth/aws_auth_v4.h +index 865a199..984bc62 100644 +--- a/plugins/s3_auth/aws_auth_v4.h ++++ b/plugins/s3_auth/aws_auth_v4.h +@@ -47,6 +47,7 @@ public: + virtual const char *getMethod(int *length) = 0; + virtual const char *getHost(int *length) = 0; + virtual const char *getPath(int *length) = 0; ++ virtual const char *getParams(int *length) = 0; + virtual const char *getQuery(int *length) = 0; + virtual HeaderIterator headerBegin() = 0; + virtual HeaderIterator headerEnd() = 0; +diff --git a/plugins/s3_auth/aws_auth_v4_wrap.h b/plugins/s3_auth/aws_auth_v4_wrap.h +index 72221c3..3ed858a 100644 +--- a/plugins/s3_auth/aws_auth_v4_wrap.h ++++ b/plugins/s3_auth/aws_auth_v4_wrap.h 
+@@ -108,6 +108,11 @@ public: + return TSUrlPathGet(_bufp, _url, len); + } + const char * ++ getParams(int *len) override ++ { ++ return TSUrlHttpParamsGet(_bufp, _url, len); ++ } ++ const char * + getQuery(int *len) override + { + return TSUrlHttpQueryGet(_bufp, _url, len); +diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc +index 595fe00..a11213c 100644 +--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc ++++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc +@@ -404,6 +404,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Object", "[AWS][auth][SpecByExample]") + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign("test.txt"); ++ api._params.assign(""); + api._query.assign(""); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Range", "bytes=0-9")); +@@ -449,6 +450,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket Lifecycle", "[AWS][auth][SpecByExamp + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("lifecycle"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")); +@@ -493,6 +495,7 @@ TEST_CASE("AWSAuthSpecByExample: Get Bucket List Objects", "[AWS][auth][SpecByEx + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")); +@@ -584,6 +587,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, unsigned 
pay-load, exc + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD")); +@@ -633,6 +637,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, query param value alre + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign("PATH=="); ++ api._params.assign(""); + api._query.assign("key=TEST=="); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD")); +@@ -679,6 +684,7 @@ TEST_CASE("S3AuthV4UtilParams: signing multiple same name fields", "[AWS][auth][ + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -777,6 +783,7 @@ TEST_CASE("S3AuthV4UtilParams: include all headers explicit", "[AWS][auth][SpecB + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -812,6 +819,7 @@ TEST_CASE("S3AuthV4UtilParams: exclude all headers explicit", "[AWS][auth][utili + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", 
"examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -847,6 +855,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude non overlapping headers", "[AWS][ + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -881,6 +890,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers", "[AWS][auth + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -916,6 +926,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing inclu + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -951,6 +962,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing exclu + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -989,6 +1001,7 @@ TEST_CASE("S3AuthV4UtilParams: include content type", "[AWS][auth][utility]") + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + 
api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("Content-Type", "gzip")); +@@ -1022,6 +1035,7 @@ TEST_CASE("S3AuthV4UtilParams: include missing content type", "[AWS][auth][utili + api._method.assign("GET"); + api._host.assign("examplebucket.s3.amazonaws.com"); + api._path.assign(""); ++ api._params.assign(""); + api._query.assign("max-keys=2&prefix=J"); + api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com")); + api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD")); +diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h +index e295d75..e4eb454 100644 +--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h ++++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h +@@ -95,6 +95,12 @@ public: + return _path.c_str(); + } + const char * ++ getParams(int *length) ++ { ++ *length = _params.length(); ++ return _params.c_str(); ++ } ++ const char * + getQuery(int *length) + { + *length = _query.length(); +@@ -114,6 +120,7 @@ public: + String _method; + String _host; + String _path; ++ String _params; + String _query; + HeaderMultiMap _headers; + };
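Review bot: The block added to getCanonicalRequestSha256Hash in aws_auth_v4.cc carries no comment explaining why the value from getParams is re-attached to the path with ";" before canonicalEncode. The wrapper hunk shows path and params come from separate calls (TSUrlPathGet and TSUrlHttpParamsGet), so a one-line comment that the canonical URI must cover both parts would keep a later cleanup from dropping it. The guard tests only `length > 0`; adding `str != nullptr` would make the append safe for any TsInterface implementation that returns a null pointer without resetting the length left over from getPath.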
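Review bot: All 14 lines added to test_aws_auth_v4.cc are `api._params.assign("");`, so the new `path.append(";", 1)` branch is never executed by the unit tests. Suggest adding one TEST_CASE with a non-empty `_params` value that checks the canonical request hash covers the ";"-separated segment, and, for consistency with aws_auth_v4_wrap.h, marking the mock's getParams in test_aws_auth_v4.h as `override` if the mock derives from TsInterface.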