Posted to commits@trafficserver.apache.org by bc...@apache.org on 2014/07/23 17:25:58 UTC
svn commit: r5948 - in /release/trafficserver: ./ patches/
Author: bcall
Date: Wed Jul 23 15:25:58 2014
New Revision: 5948
Log:
Release of 4.2.1.1 and 5.0.1 and patch for 3.2.5
Security: CVE-2014-3525
Added:
release/trafficserver/patches/
release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff
release/trafficserver/trafficserver-4.2.1.1.tar.bz2 (with props)
release/trafficserver/trafficserver-4.2.1.1.tar.bz2.asc (with props)
release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5
release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1
release/trafficserver/trafficserver-5.0.1.tar.bz2 (with props)
release/trafficserver/trafficserver-5.0.1.tar.bz2.asc (with props)
release/trafficserver/trafficserver-5.0.1.tar.bz2.md5
release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1
Added: release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff
==============================================================================
--- release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff (added)
+++ release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff Wed Jul 23 15:25:58 2014
@@ -0,0 +1,168 @@
+diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
+index 03aa782..8c1daf1 100644
+--- a/mgmt/RecordsConfig.cc
++++ b/mgmt/RecordsConfig.cc
+@@ -253,7 +253,7 @@ RecordElement RecordsConfig[] = {
+ ,
+ {RECT_CONFIG, "proxy.config.admin.autoconf.doc_root", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_NULL, RR_REQUIRED, RECC_NULL, NULL, RECA_NULL}
+ ,
+- {RECT_CONFIG, "proxy.config.admin.autoconf.localhost_only", RECD_INT, "0", RECU_RESTART_TM, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
++ {RECT_CONFIG, "proxy.config.admin.autoconf.localhost_only", RECD_INT, "1", RECU_RESTART_TM, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.admin.autoconf.pac_filename", RECD_STRING, "proxy.pac", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+ ,
+diff --git a/mgmt/web2/WebIntrMain.cc b/mgmt/web2/WebIntrMain.cc
+index 210a1df..b8de3a5 100644
+--- a/mgmt/web2/WebIntrMain.cc
++++ b/mgmt/web2/WebIntrMain.cc
+@@ -67,6 +67,7 @@ extern "C"
+ #define STACK_H
+
+ typedef int fd;
++static RecInt autoconf_localhost_only = 1;
+
+ #define SOCKET_TIMEOUT 10*60
+
+@@ -75,14 +76,14 @@ WebInterFaceGlobals wGlobals;
+
+ // There are two web ports maintained
+ //
+-// One is for adminstration. This port serves
++// One is for administration. This port serves
+ // all the configuration and monitoring info.
+ // Most sites will have some security features
+ // (authentication and SSL) active on this
+ // port since it system administrator access
+ // The other is for things that we want to serve
+ // insecurely. Client auto configuration falls
+-// in this catagory. The public key for the
++// in this category. The public key for the
+ // administration server is another example
+ //
+ WebContext autoconfContext;
+@@ -96,7 +97,7 @@ int aconf_port_arg = -1;
+ // directory exists and that the default file
+ // exists
+ //
+-// returns 0 if everthing is OK
++// returns 0 if everything is OK
+ // returns 1 if something is missing
+ //
+ int
+@@ -235,7 +236,11 @@ newTcpSocket(int port)
+ memset(&socketInfo, 0, sizeof(socketInfo));
+ socketInfo.sin_family = AF_INET;
+ socketInfo.sin_port = htons(port);
+- socketInfo.sin_addr.s_addr = htonl(INADDR_ANY);
++ if (autoconf_localhost_only == 1) {
++ socketInfo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
++ } else {
++ socketInfo.sin_addr.s_addr = htonl(INADDR_ANY);
++ }
+
+ // Allow for immediate re-binding to port
+ if (setsockopt(socketFD, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(int)) < 0) {
+@@ -346,7 +351,6 @@ webIntr_main(void *x)
+
+ RecInt tempInt;
+ bool found;
+- int autoconf_localhost_only = 0;
+
+ int addrLen;
+ int i;
+@@ -390,8 +394,7 @@ webIntr_main(void *x)
+ ink_mutex_init(&wGlobals.submitLock, "Submission Mutex");
+
+ // Fix for INKqa10514
+- found = (RecGetRecordInt("proxy.config.admin.autoconf.localhost_only", &tempInt) == REC_ERR_OKAY);
+- autoconf_localhost_only = (int) tempInt;
++ found = (RecGetRecordInt("proxy.config.admin.autoconf.localhost_only", &autoconf_localhost_only) == REC_ERR_OKAY);
+ ink_assert(found);
+
+ // Set up the client autoconfiguration context
+@@ -405,7 +408,7 @@ webIntr_main(void *x)
+ publicPort = (int) tempInt;
+ ink_assert(found);
+ }
+- Debug("ui", "[WebIntrMain] Starting Client AutoConfig Server on Port %d\n", publicPort);
++ Debug("ui", "[WebIntrMain] Starting Client AutoConfig Server on Port %d", publicPort);
+
+ found = (RecGetRecordString_Xmalloc("proxy.config.admin.autoconf.doc_root", &(autoconfContext.docRoot)) == REC_ERR_OKAY);
+ ink_assert(found);
+diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
+index 0667565..054d6bd 100644
+--- a/proxy/http/HttpConfig.cc
++++ b/proxy/http/HttpConfig.cc
+@@ -1382,6 +1382,10 @@ HttpConfig::startup()
+ }
+ }
+
++ // Local Manager
++ HttpEstablishStaticConfigLongLong(c.autoconf_port, "proxy.config.admin.autoconf_port");
++ HttpEstablishStaticConfigByte(c.autoconf_localhost_only, "proxy.config.admin.autoconf.localhost_only");
++
+ // Cluster time delta gets it own callback since it needs
+ // to use ink_atomic_swap
+ c.cluster_time_delta = 0;
+@@ -1609,6 +1613,10 @@ HttpConfig::reconfigure()
+ params->number_of_redirections = m_master.number_of_redirections;
+ params->post_copy_size = m_master.post_copy_size;
+
++ // Local Manager
++ params->autoconf_port = m_master.autoconf_port;
++ params->autoconf_localhost_only = m_master.autoconf_localhost_only;
++
+ m_id = configProcessor.set(m_id, params);
+
+ #undef INT_TO_BOOL
+diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
+index 6c92bd1..57c047a 100644
+--- a/proxy/http/HttpConfig.h
++++ b/proxy/http/HttpConfig.h
+@@ -800,6 +800,13 @@ public:
+
+ OverridableHttpConfigParams oride;
+
++ ////////////////////
++ // Local Manager //
++ ////////////////////
++ MgmtInt autoconf_port;
++ MgmtByte autoconf_localhost_only;
++
++
+ private:
+ /////////////////////////////////////
+ // operator = and copy constructor //
+@@ -965,7 +972,9 @@ HttpConfigParams::HttpConfigParams()
+ ignore_accept_language_mismatch(0),
+ ignore_accept_encoding_mismatch(0),
+ ignore_accept_charset_mismatch(0),
+- normalize_ae_gzip(1)
++ normalize_ae_gzip(1),
++ autoconf_port(0),
++ autoconf_localhost_only(0)
+ {
+ }
+
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index 43eff68..40f7ae0 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -775,11 +775,16 @@ HttpTransact::StartRemapRequest(State* s)
+ int host_len, path_len;
+ const char *host = url->host_get(&host_len);
+ const char *path = url->path_get(&path_len);
++ const int port = url->port_get();
+
+ const char syntxt[] = "synthetic.txt";
+
+ s->cop_test_page = (ptr_len_cmp(host, host_len, local_host_ip_str, sizeof(local_host_ip_str) - 1) == 0) &&
+- (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0);
++ (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0) &&
++ port == s->http_config_param->autoconf_port &&
++ s->method == HTTP_WKSIDX_GET &&
++ s->orig_scheme == URL_WKSIDX_HTTP &&
++ (!s->http_config_param->autoconf_localhost_only || ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK));
+
+ //////////////////////////////////////////////////////////////////
+ // FIX: this logic seems awfully convoluted and hard to follow; //
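Review bot: The loopback test added to StartRemapRequest in proxy/http/HttpTransact.cc, `ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK)`, only recognises IPv4 127.0.0.1; a client arriving on ::1 or another 127.0.0.0/8 address is treated as remote, and what the cast yields for a non-AF_INET sockaddr cannot be told from the hunk. That is fail-closed, so it does not weaken the fix, but the address-family dependence deserves a comment on that line, e.g. `// loopback check is IPv4-only (127.0.0.1); other loopback addresses are rejected`, or a family-aware helper if the tree's ink_inet.h provides one. The matching bind in newTcpSocket (`htonl(INADDR_LOOPBACK)`) has the same IPv4-only scope, so the listener and the request check are at least consistent with each other. In webIntr_main the `ink_assert(found)` after RecGetRecordInt is the only handling of a missing record; with asserts compiled out the file-scope default of 1 keeps the listener on loopback, which is worth stating there with `// a missing record leaves the secure default (loopback only) in place`. newTcpSocket, webIntr_main and StartRemapRequest all continue outside the hunk.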
Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: release/trafficserver/trafficserver-4.2.1.1.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5
==============================================================================
--- release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5 (added)
+++ release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+7d154544c4953973570b4713a78cb0cb *trafficserver-4.2.1.1.tar.bz2
Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1
==============================================================================
--- release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1 (added)
+++ release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+1cd542a52ac7ed71ae95ec40d0076c45df0c5f27 *trafficserver-4.2.1.1.tar.bz2
Added: release/trafficserver/trafficserver-5.0.1.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: release/trafficserver/trafficserver-5.0.1.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: release/trafficserver/trafficserver-5.0.1.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: release/trafficserver/trafficserver-5.0.1.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: release/trafficserver/trafficserver-5.0.1.tar.bz2.md5
==============================================================================
--- release/trafficserver/trafficserver-5.0.1.tar.bz2.md5 (added)
+++ release/trafficserver/trafficserver-5.0.1.tar.bz2.md5 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+76d5d7fea7ab1e3e1a09169ad0941767 *trafficserver-5.0.1.tar.bz2
Added: release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1
==============================================================================
--- release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1 (added)
+++ release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+13e6810ed7ad36b66e9dd0b3394fd059062a1f93 *trafficserver-5.0.1.tar.bz2