Posted to commits@trafficserver.apache.org by bc...@apache.org on 2014/07/23 17:25:58 UTC

svn commit: r5948 - in /release/trafficserver: ./ patches/

Author: bcall
Date: Wed Jul 23 15:25:58 2014
New Revision: 5948

Log:
Release of 4.2.1.1 and 5.0.1 and patch for 3.2.5

Security: CVE-2014-3525	

Added:
    release/trafficserver/patches/
    release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff
    release/trafficserver/trafficserver-4.2.1.1.tar.bz2   (with props)
    release/trafficserver/trafficserver-4.2.1.1.tar.bz2.asc   (with props)
    release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5
    release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1
    release/trafficserver/trafficserver-5.0.1.tar.bz2   (with props)
    release/trafficserver/trafficserver-5.0.1.tar.bz2.asc   (with props)
    release/trafficserver/trafficserver-5.0.1.tar.bz2.md5
    release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1

Added: release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff
==============================================================================
--- release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff (added)
+++ release/trafficserver/patches/trafficserver-3.2.5-CVE-2014-3525.diff Wed Jul 23 15:25:58 2014
@@ -0,0 +1,168 @@
+diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
+index 03aa782..8c1daf1 100644
+--- a/mgmt/RecordsConfig.cc
++++ b/mgmt/RecordsConfig.cc
+@@ -253,7 +253,7 @@ RecordElement RecordsConfig[] = {
+   ,
+   {RECT_CONFIG, "proxy.config.admin.autoconf.doc_root", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_NULL, RR_REQUIRED, RECC_NULL, NULL, RECA_NULL}
+   ,
+-  {RECT_CONFIG, "proxy.config.admin.autoconf.localhost_only", RECD_INT, "0", RECU_RESTART_TM, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
++  {RECT_CONFIG, "proxy.config.admin.autoconf.localhost_only", RECD_INT, "1", RECU_RESTART_TM, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+   ,
+   {RECT_CONFIG, "proxy.config.admin.autoconf.pac_filename", RECD_STRING, "proxy.pac", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+   ,
+diff --git a/mgmt/web2/WebIntrMain.cc b/mgmt/web2/WebIntrMain.cc
+index 210a1df..b8de3a5 100644
+--- a/mgmt/web2/WebIntrMain.cc
++++ b/mgmt/web2/WebIntrMain.cc
+@@ -67,6 +67,7 @@ extern "C"
+ #define STACK_H
+ 
+ typedef int fd;
++static RecInt autoconf_localhost_only = 1;
+ 
+ #define SOCKET_TIMEOUT 10*60
+ 
+@@ -75,14 +76,14 @@ WebInterFaceGlobals wGlobals;
+ 
+ // There are two web ports maintained
+ //
+-//  One is for adminstration.  This port serves
++//  One is for administration.  This port serves
+ //     all the configuration and monitoring info.
+ //     Most sites will have some security features
+ //     (authentication and SSL) active on this
+ //     port since it system administrator access
+ //  The other is for things that we want to serve
+ //     insecurely.  Client auto configuration falls
+-//     in this catagory.  The public key for the
++//     in this category.  The public key for the
+ //     administration server is another example
+ //
+ WebContext autoconfContext;
+@@ -96,7 +97,7 @@ int aconf_port_arg = -1;
+ //      directory exists and that the default file
+ //      exists
+ //
+-//    returns 0 if everthing is OK
++//    returns 0 if everything is OK
+ //    returns 1 if something is missing
+ //
+ int
+@@ -235,7 +236,11 @@ newTcpSocket(int port)
+   memset(&socketInfo, 0, sizeof(socketInfo));
+   socketInfo.sin_family = AF_INET;
+   socketInfo.sin_port = htons(port);
+-  socketInfo.sin_addr.s_addr = htonl(INADDR_ANY);
++  if (autoconf_localhost_only == 1) {
++    socketInfo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
++  } else {
++    socketInfo.sin_addr.s_addr = htonl(INADDR_ANY);
++  }
+ 
+   // Allow for immediate re-binding to port
+   if (setsockopt(socketFD, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(int)) < 0) {
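Review bot: The bind-address test `autoconf_localhost_only == 1` fails open, because any value other than exactly 1 falls through to `INADDR_ANY` and the listener becomes reachable on every interface. Testing for the permissive value instead keeps loopback as the default path: `if (autoconf_localhost_only != 0) {`. The flag is now a file-scope static that webIntr_main fills in a later hunk, so newTcpSocket depends on that lookup having run first; the initial value of 1 covers the case where it has not. newTcpSocket starts and ends outside this hunk, and whether it is also called for ports other than the autoconf port is not visible here; if it is, those sockets would inherit the same binding.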
+@@ -346,7 +351,6 @@ webIntr_main(void *x)
+ 
+   RecInt tempInt;
+   bool found;
+-  int autoconf_localhost_only = 0;
+ 
+   int addrLen;
+   int i;
+@@ -390,8 +394,7 @@ webIntr_main(void *x)
+   ink_mutex_init(&wGlobals.submitLock, "Submission Mutex");
+ 
+   // Fix for INKqa10514
+-  found = (RecGetRecordInt("proxy.config.admin.autoconf.localhost_only", &tempInt) == REC_ERR_OKAY);
+-  autoconf_localhost_only = (int) tempInt;
++  found = (RecGetRecordInt("proxy.config.admin.autoconf.localhost_only", &autoconf_localhost_only) == REC_ERR_OKAY);
+   ink_assert(found);
+ 
+   // Set up the client autoconfiguration context
+@@ -405,7 +408,7 @@ webIntr_main(void *x)
+     publicPort = (int) tempInt;
+     ink_assert(found);
+   }
+-  Debug("ui", "[WebIntrMain] Starting Client AutoConfig Server on Port %d\n", publicPort);
++  Debug("ui", "[WebIntrMain] Starting Client AutoConfig Server on Port %d", publicPort);
+ 
+   found = (RecGetRecordString_Xmalloc("proxy.config.admin.autoconf.doc_root", &(autoconfContext.docRoot)) == REC_ERR_OKAY);
+   ink_assert(found);
+diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
+index 0667565..054d6bd 100644
+--- a/proxy/http/HttpConfig.cc
++++ b/proxy/http/HttpConfig.cc
+@@ -1382,6 +1382,10 @@ HttpConfig::startup()
+     }
+   }
+ 
++  // Local Manager
++  HttpEstablishStaticConfigLongLong(c.autoconf_port, "proxy.config.admin.autoconf_port");
++  HttpEstablishStaticConfigByte(c.autoconf_localhost_only, "proxy.config.admin.autoconf.localhost_only");
++
+   // Cluster time delta gets it own callback since it needs
+   //  to use ink_atomic_swap
+   c.cluster_time_delta = 0;
+@@ -1609,6 +1613,10 @@ HttpConfig::reconfigure()
+   params->number_of_redirections = m_master.number_of_redirections;
+   params->post_copy_size = m_master.post_copy_size;
+ 
++  // Local Manager
++  params->autoconf_port = m_master.autoconf_port;
++  params->autoconf_localhost_only = m_master.autoconf_localhost_only;
++
+   m_id = configProcessor.set(m_id, params);
+ 
+ #undef INT_TO_BOOL
+diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
+index 6c92bd1..57c047a 100644
+--- a/proxy/http/HttpConfig.h
++++ b/proxy/http/HttpConfig.h
+@@ -800,6 +800,13 @@ public:
+ 
+   OverridableHttpConfigParams oride;
+ 
++  ////////////////////
++  // Local Manager  //
++  ////////////////////
++  MgmtInt autoconf_port;
++  MgmtByte autoconf_localhost_only;
++
++
+ private:
+   /////////////////////////////////////
+   // operator = and copy constructor //
+@@ -965,7 +972,9 @@ HttpConfigParams::HttpConfigParams()
+     ignore_accept_language_mismatch(0),
+     ignore_accept_encoding_mismatch(0),
+     ignore_accept_charset_mismatch(0),
+-    normalize_ae_gzip(1)
++    normalize_ae_gzip(1),
++    autoconf_port(0),
++    autoconf_localhost_only(0)
+ {
+ }
+ 
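Review bot: `autoconf_localhost_only(0)` in the initializer list starts the HTTP-side copy of the flag in the permissive state, while the same patch changes the record default to "1" in RecordsConfig.cc and initialises the static in WebIntrMain.cc to 1. Until HttpConfig::startup() has loaded the record, or if that load leaves the field untouched, the expression in HttpTransact::StartRemapRequest skips the client-address test. Initialising to the restrictive value keeps the three defaults aligned: `autoconf_localhost_only(1)`.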
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index 43eff68..40f7ae0 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -775,11 +775,16 @@ HttpTransact::StartRemapRequest(State* s)
+   int host_len, path_len;
+   const char *host = url->host_get(&host_len);
+   const char *path = url->path_get(&path_len);
++  const int port = url->port_get();
+ 
+   const char syntxt[] = "synthetic.txt";
+ 
+   s->cop_test_page = (ptr_len_cmp(host, host_len, local_host_ip_str, sizeof(local_host_ip_str) - 1) == 0) &&
+-    (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0);
++    (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0) &&
++    port == s->http_config_param->autoconf_port &&
++    s->method == HTTP_WKSIDX_GET &&
++    s->orig_scheme == URL_WKSIDX_HTTP &&
++    (!s->http_config_param->autoconf_localhost_only || ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK));
+ 
+   //////////////////////////////////////////////////////////////////
+   // FIX: this logic seems awfully convoluted and hard to follow; //
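Review bot: The client-address test `ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK)` reads the address as IPv4 without checking the family first, and it matches only 127.0.0.1. For a client on an IPv6 socket (including ::1) the result depends on what that cast yields for a non-IPv4 sockaddr, which is not visible here; it presumably never equals the loopback value, so the check fails closed, but that should be explicit rather than incidental. Consider guarding on the family, e.g. `ats_is_ip4(&s->client_info.addr.sa) && ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK)` if that helper exists in this branch. A short comment above the expression should state that `cop_test_page` is set only for a plain-HTTP GET of synthetic.txt on the autoconf port from an allowed client. StartRemapRequest continues beyond the hunk.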

Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: release/trafficserver/trafficserver-4.2.1.1.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5
==============================================================================
--- release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5 (added)
+++ release/trafficserver/trafficserver-4.2.1.1.tar.bz2.md5 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+7d154544c4953973570b4713a78cb0cb *trafficserver-4.2.1.1.tar.bz2

Added: release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1
==============================================================================
--- release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1 (added)
+++ release/trafficserver/trafficserver-4.2.1.1.tar.bz2.sha1 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+1cd542a52ac7ed71ae95ec40d0076c45df0c5f27 *trafficserver-4.2.1.1.tar.bz2

Added: release/trafficserver/trafficserver-5.0.1.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: release/trafficserver/trafficserver-5.0.1.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: release/trafficserver/trafficserver-5.0.1.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: release/trafficserver/trafficserver-5.0.1.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/trafficserver/trafficserver-5.0.1.tar.bz2.md5
==============================================================================
--- release/trafficserver/trafficserver-5.0.1.tar.bz2.md5 (added)
+++ release/trafficserver/trafficserver-5.0.1.tar.bz2.md5 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+76d5d7fea7ab1e3e1a09169ad0941767 *trafficserver-5.0.1.tar.bz2

Added: release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1
==============================================================================
--- release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1 (added)
+++ release/trafficserver/trafficserver-5.0.1.tar.bz2.sha1 Wed Jul 23 15:25:58 2014
@@ -0,0 +1 @@
+13e6810ed7ad36b66e9dd0b3394fd059062a1f93 *trafficserver-5.0.1.tar.bz2