From: Jean Baptiste Favre Date: Sat, 21 May 2022 17:28:31 +0000 (+0100) Subject: Import trafficserver_8.1.1+ds-1.1+deb11u1.debian.tar.xz X-Git-Tag: archive/raspbian/8.1.1+ds-1.1+rpi1+deb11u1^2~20^2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0f8f0af7129b8d03888dcd11363180ab7fc081b4;p=trafficserver.git Import trafficserver_8.1.1+ds-1.1+deb11u1.debian.tar.xz [dgit import tarball trafficserver 8.1.1+ds-1.1+deb11u1 trafficserver_8.1.1+ds-1.1+deb11u1.debian.tar.xz] --- 0f8f0af7129b8d03888dcd11363180ab7fc081b4 diff --git a/CONFIGURATION.Debian b/CONFIGURATION.Debian new file mode 100644 index 00000000..206614a7 --- /dev/null +++ b/CONFIGURATION.Debian @@ -0,0 +1,99 @@ +trafficserver for Debian +------------------------ + +Here are some configuration hints related to Traffic Server. Unless you already +noted, configuration files are located in /etc/trafficserver. Traffic Server +has some uncommon behaviour here: Please note, those files are generated auto- +matically and some may not even be intended to be edited manually. Moreover it +will rotate and synchronize configuration files if you run a cluster. Hence be +careful when editing them, chances are Traffic Server WILL OVERWRITE them. This +is especially true for comments which are not kept when using `traffic_line' +(as explained below). + +* To get a general idea about traffic server and its architecture, read [4]. It + is crucial to understand the internal architecture before trying to start. + +* The main configuration file is `records.config'. You may either edit the main + configuration file by hand, but it is suggested to use the `traffic_line' + command instead. More on editing configuration files can be found on [1]. The + `traffic_line' command is used like this: + + traffic_line -s proxy.config.proxy_name -v www.example.com + + You might need to tell Traffic Server about your changes. If it is already + running use `traffic_line -x' to inform it about your changes. Please note + that you must restart your `traffic_server' daemon for some changes. + +* If you used Squid before you might find [2] helpful which lists Traffic Serv- + er configuration directives along their Squid equivalent. Use this as resour- + ce to understand Traffic Server. + +* To help you to get started, I am going to introduce you very briefly to Traf- + fic Server. Note, lines starting with `#' are remarks: + + Open `records.config'. + + # Configure the cluster interface + CONFIG proxy.config.cluster.ethernet_interface STRING eth0 + + + # You may also want to bind your proxy server to a specific IP: + # Please note the security warning below as well + CONFIG proxy.local.incoming_ip_to_bind 1.2.3.4 + + # Next configure the listening port for incoming connections + CONFIG proxy.config.http.server_port INT 80 + + # Now tell Traffic Server how much Memory it is allowed to consume + # Set this value to -1 for best results which will instruct Traffic Server + # to consume roughly 1 MB for each GB of your disk backend storage size + # for memory caching. If you can afford it, go on and trash as much as + # you want and put here any positive value indicating the memory cache + # in bytes. + CONFIG proxy.config.cache.ram_cache.size LLONG 131072 # (128 MB) + + Next edit `storage.config'. Debian ships with a default configuration poin- + ting to a cache file in `/var/cache/trafficserver' sized 256MB. This is fair- + ly ok for testing, otherwise feel free to change (value is in KB): + + /var/cache/trafficserver 262144 + + Finally open `remap.config' where you need to tell Traffic Server about + your origin server(s): + + map http://www.example.com/ http://www.example.com:8080/ + # ---------------------- ---------------------------- + # ^- This is your client This is your origin -^ + # Host: header that server. + # is to be mappend + +* For a more comprehensive documentation about Traffic Server and its configu- + ration directives consult [3]. + + Yet the documentation on the web page can not be considered up to date for some + parts. Feel free to ask for help on the Apache Traffic Server mailing list: + + E-Mail + URL: + + More information may be found on either resource among those: + Project Website: + IRC: #traffic-server on irc.freenode.net. + Project Wiki: https://cwiki.apache.org/TS/traffic-server.html + +* Traffic Server can basically act in two modes: As forward proxy and as a rever- + se proxy. Traffic Servers primary purpose is to act as reverse proxy (e.g. + different to Squid). Nonetheless you can Traffic Server still instruct to act + as forward proxy as well. If you know what you are doing, you need to set + + CONFIG proxy.config.url_remap.remap_required INT 0 + + for that purpose. + + +[1] https://docs.trafficserver.apache.org/en/latest/admin-guide/configuring-traffic-server.en.html +[2] https://cwiki.apache.org/confluence/display/TS/SquidConfigTranslation +[3] https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html +[4] https://docs.trafficserver.apache.org/en/latest/admin-guide/introduction.en.html + + -- Arno Töll Wed, 21 Mar 2012 14:10:21 +0100 diff --git a/NEWS b/NEWS new file mode 100644 index 00000000..d4253168 --- /dev/null +++ b/NEWS @@ -0,0 +1,23 @@ +trafficserver (6.0.0-3) unstable; urgency=medium + + If you are using 32-bits package, please not that upstream has + discontinued 32-bit support. + 32-bits Debian package will still be built, but is subject to removal + whenever 32-bit fails. + + -- Jean Baptiste Favre Mon, 14 Dec 2015 10:29:12 +0100 + +trafficserver (3.0.0-1) unstable; urgency=low + + If you are upgrading from v2.1.8 or earlier to ATS 3.0 you need to migrate + to the new `records.config' configuration file. If possible, let Debian + overwrite your `records.config' configuration file. + + Moreover you should clear all caches after upgrading (e.g. do "traffic_server + -Cclear"). + + The host.db data abse isn't required anymore. Therefore you can delete + `/etc/trafficserver/internal/hostdb.config' and `/var/cache/trafficserver/ + host.db'. + + -- Arno Töll Wed, 15 Jun 2011 16:23:13 +0200 diff --git a/README.Debian b/README.Debian new file mode 100644 index 00000000..cd6a3cae --- /dev/null +++ b/README.Debian @@ -0,0 +1,44 @@ +trafficserver for Debian +------------------------ + +* ATS 8.0.0 comes with slight changes in config files. + Following ones has been removed: + - /etc/trafficserver/vaddrs.config + - /etc/trafficserver/metrics.config + - /etc/trafficserver/logging.config + - /etc/trafficserver/log_hosts.config + - /etc/trafficserver/congestion.config + - /etc/trafficserver/cluster.config + - /etc/trafficserver/body_factory/default/congestion#retryAfter + +* New config files have been added and now use yaml format. + More files will be migrated in the future: + - /etc/trafficserver/logging.yaml + - /etc/trafficserver/ssl_server_name.yaml + +* gzip pluging has been renamed into compress. + Existing configuration won't be updated + +* traffic_cop has been removed. Now, init and systemd files use traffic_manager + + -- Jean Baptiste Favre Fri, 21 Sep 2018 09:04:07 +0200 + +* If you are using 32-bits package, please note that upstream has + discontinued 32-bit support. + 32-bits Debian package will still be built, but is subject to removal + whenever 32-bit fails. + + -- Jean Baptiste Favre Mon, 14 Dec 2015 10:29:12 +0100 + +* Please read the CONFIGURATION.Debian file to get started with Traffic Server. + +* Currently Apache Traffic Server lacks man pages of binaries shipped along the + package. That's a known problem which is being worked on. Please read the + upstream documentation on the website instead. + +* If you read upstream's documentation about Traffic Server you will sometimes + find references to a program `/usr/bin/trafficserver`. Debian does not ship + this script. This is intentional. Use Debian's /etc/init.d/trafficserver + script instead. + + -- Arno Töll Tue, 31 Dec 2011 13:54:18 +0100 diff --git a/README.conf-remap.Debian b/README.conf-remap.Debian new file mode 100644 index 00000000..28d9e4dc --- /dev/null +++ b/README.conf-remap.Debian @@ -0,0 +1,26 @@ +Trafficserver-plugin-conf-remap for Debian +----------------------------------------- + +* The conf_remap plug-in allows you to override configuration directives + dependent on actual remapping rules. +* This plug-in replaces older legacy functionality which allowed to achieve a + similar behaviour previously by configuring remap rules for example with + switches like "@pristine_host_hdr=1" in your remap configuration. +* If you want to achieve this behaviour now, configure a remap rule like this: + + map http://cdn.example.com/ http://some-server.example.com \ + @plugin=conf_remap.so @pparam=/etc/trafficserver/cdn.conf + + where cdn.conf would look like records.config, e.g. + + CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 + + Doing this, you will override your global default configuration on a per map- + ping rule. + +* You may want to look on + + for a full list of options which are allowed to be overridden and perhaps + some updated information. + + -- Arno Toell Tue, 12 Jan 2011 19:30:18 +0100 diff --git a/change_config.pl b/change_config.pl new file mode 100755 index 00000000..01072dfb --- /dev/null +++ b/change_config.pl @@ -0,0 +1,32 @@ +#! /usr/bin/perl + +use strict; + +our @config_lines; +our %defaults = ( + "proxy.config.alarm_email" => "trafficserver", + "proxy.config.admin.user_id" => "trafficserver", + "proxy.config.log.max_space_mb_for_logs" => 2000, +); + +die("Usage: $0 ") unless $#ARGV == 0; + +open(F, "+<", $ARGV[0]) || die("Cannot open $ARGV[0]: $!"); +while(my $line = ) +{ + if ($line =~ /^CONFIG/) + { + foreach my $pattern (keys %defaults) + { + $line =~ s/(?<=CONFIG $pattern)(\s+[A-Z]+)\s+.+$/$1 $defaults{$pattern}/; + } + } + push(@config_lines, $line); +} +seek(F, 0, 0); +foreach my $line (@config_lines) +{ + print F $line; +} +print F "CONFIG proxy.config.admin.user_id STRING trafficserver\n"; +close(F); diff --git a/changelog b/changelog new file mode 100644 index 00000000..5720a022 --- /dev/null +++ b/changelog @@ -0,0 +1,932 @@ +trafficserver (8.1.1+ds-1.1+deb11u1) bullseye-security; urgency=high + + * Multiple CVE fixes for 8.1.x + + CVE-2021-37147: Improper input validation vulnerability + + CVE-2021-37148: Improper input validation vulnerability + + CVE-2021-37149: Improper Input Validation vulnerability + + CVE-2021-38161: Improper Authentication vulnerability in TLS origin verification + + CVE-2021-44040: Improper Input Validation vulnerability in request line parsing + + CVE-2021-44759: Improper Authentication vulnerability in TLS origin validation + + -- Jean Baptiste Favre Sat, 21 May 2022 19:28:31 +0200 + +trafficserver (8.1.1+ds-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Address CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and + CVE-2021-35474. + - CVE-2021-27577: Incorrect handling of url fragment leads to cache + poisoning + - CVE-2021-32565: HTTP Request Smuggling, content length with invalid + charters + - CVE-2021-32566: Specific sequence of HTTP/2 frames can cause ATS to + crash + - CVE-2021-32567: Reading HTTP/2 frames too many times + - CVE-2021-35474: Dynamic stack buffer overflow in cachekey plugin + (Closes: #990303) + + -- Salvatore Bonaccorso Thu, 15 Jul 2021 21:48:17 +0200 + +trafficserver (8.1.1+ds-1) unstable; urgency=medium + + * New upstream version 8.1.0+ds + * Update d/watch + * Update d/upstream/signing-key.asc + * New upstream version 8.1.1+ds + * Update Debian Standards-Version + + -- Jean Baptiste Favre Sun, 06 Dec 2020 16:26:39 +0100 + +trafficserver (8.1.1+ds-1) unstable; urgency=medium + + * New upstream version 8.1.0+ds + * Update d/watch + * Update d/upstream/signing-key.asc + * New upstream version 8.1.1+ds + + -- Jean Baptiste Favre Sun, 06 Dec 2020 15:43:35 +0100 + +trafficserver (8.1.0+ds-2) unstable; urgency=medium + + * Remove autopkgtest (Closes: #974683) + + -- Jean Baptiste Favre Sun, 22 Nov 2020 18:24:18 +0100 + +trafficserver (8.1.0+ds-1) unstable; urgency=medium + + * Remove lintian-overrides for trafficserver-experimental-plugins + * Fix Salsa CI + * Update d/upstream/signing-key.asc + * New upstream version 8.1.0+ds + * d/patches refresh for 8.1.0 + * Update experimental plugins list + + -- Jean Baptiste Favre Tue, 01 Sep 2020 19:55:21 +0200 + +trafficserver (8.0.8+ds-3) UNRELEASED; urgency=low + + * Fix day-of-week for changelog entry 2.1.5-unstable-1. + + -- Debian Janitor Sat, 22 Aug 2020 17:48:33 -0000 + +trafficserver (8.0.8+ds-2) unstable; urgency=medium + + * Backport upstream patch to fix FTBFS with Sphinx >= 3.0 (Closes: #963664) + + -- Jean Baptiste Favre Wed, 29 Jul 2020 08:40:43 +0200 + +trafficserver (8.0.8+ds-1) unstable; urgency=medium + + * New upstream version 8.0.8+ds + * Includes fix for CVE-2020-9494 (Closes: #963629) + * Update debhelper-compat version in d/control + + -- Jean Baptiste Favre Thu, 25 Jun 2020 10:01:51 +0200 + +trafficserver (8.0.7+ds-1) unstable; urgency=medium + + * New upstream version 8.0.7+ds + + -- Jean Baptiste Favre Thu, 16 Apr 2020 18:32:04 +0200 + +trafficserver (8.0.6+ds-1) unstable; urgency=medium + + * Update d/watch after upstream changes + * Update d/gbp.conf + * Update d/gbp.conf + * New upstream version 8.0.6+ds + * Patches refresh for 8.0.6 + + -- Jean Baptiste Favre Tue, 03 Mar 2020 09:06:18 +0100 + +trafficserver (8.0.5+ds-3) unstable; urgency=medium + + * Bump Standards-Version + * Add patch for Python 3.8 compatibility (Closes: #950245) + * Update build & test dependencies for Python 3.8 + + -- Jean Baptiste Favre Mon, 03 Feb 2020 11:45:17 +0100 + +trafficserver (8.0.5+ds-2) unstable; urgency=medium + + * Bump Debian Policy version + * Remove Build-Depends against python2 modules (Closes: #943248) + + -- Jean Baptiste Favre Wed, 23 Oct 2019 10:07:42 +0200 + +trafficserver (8.0.5+ds-1) unstable; urgency=medium + + * New upstream release + - Changes introduced with 8.0.4 include fixes for CVE-2019-9512, + CVE-2019-9514, and CVE-2019-9515. (Closes: #934887) + - 8.0.5 fixes CVE-2019-9518 (Closes: #935314) + + -- Emanuele Rocca Sat, 24 Aug 2019 09:00:22 +0200 + +trafficserver (8.0.3+ds-4) unstable; urgency=medium + + * Fix lintian warning 'skip-systemd-native-flag-missing-pre-depends' + * Use debhelper-compat instead of debian/compat + + -- Jean Baptiste Favre Fri, 02 Aug 2019 09:07:31 +0200 + +trafficserver (8.0.3+ds-3) unstable; urgency=medium + + * Run upstream testsuite with autopkgtest. + * Enable CI tests on salsa (see debian/salsa-ci.yml). + * Set debhelper compatibility level to 12. + * Add myself to the Uploaders field. + * Set Standards-Version to 4.4.0. + + -- Emanuele Rocca Wed, 31 Jul 2019 11:11:59 +0200 + +trafficserver (8.0.3+ds-2) unstable; urgency=medium + + * Fix hardeing updating 0015-as-needed-fix.patch from Ubuntu + + -- Jean Baptiste Favre Tue, 26 Mar 2019 08:44:17 +0100 + +trafficserver (8.0.3+ds-1) unstable; urgency=medium + + * Use secure URI in Homepage field. + * Re-export upstream signing key without extra signatures. + * Drop unnecessary dependency on dh-autoconf. + * New upstream version 8.0.3+ds + * Patches update for 8.0.3 + * Add as-needed patch from Ubuntu + + -- Jean Baptiste Favre Mon, 25 Mar 2019 10:29:35 +0100 + +trafficserver (8.0.2+ds-1) unstable; urgency=medium + + * Disable testing build in d/gitlab-ci.yml + * Update d/copyright to remove unneeded files when importing upstream release + * Update upstream GPG keys list + * New upstream version 8.0.2+ds + * Patches refresh for 8.0.2 + * Update patch. Add dep3 headers + * Update d/control. Mark trafficserver-dev architecture all + * Remove signature from upstream keys. Fix lintian info + * Move dpkg-maintscript-helper commands to d/trafficserver.maintscript + + -- Jean Baptiste Favre Wed, 30 Jan 2019 14:45:09 +0100 + +trafficserver (8.0.1-4) unstable; urgency=medium + + * Add patch and update d/control, d/rules to use system provided yaml-cpp + + -- Jean Baptiste Favre Fri, 11 Jan 2019 19:07:28 +0100 + +trafficserver (8.0.1-3) unstable; urgency=medium + + * Add missed experimental plugin certifier + * Add man pages paths to d/not-installed to avoid too verbose dh_missing list. + Manpages are compressed before being install. Non-compressed version is in + turn erroneously detected as not installed. + * Update patch which has been merged upstream + + -- Jean Baptiste Favre Mon, 07 Jan 2019 15:24:38 +0100 + +trafficserver (8.0.1-2) unstable; urgency=medium + + * Update Standards Version in d/control. No other changes needed + * Update trafficserver-experimental-plugins package descriptions + in d/control to fix lintian warnings + * Add patch 0012-fix-spelling-checks to fix spellings. Forwarded upstream + * Update patch 0006-fix-doc-build to include missing manpages + * Remove d/trafficserver.lintian-overrides + * Add patch 0013-fix-perl-interpreter-path. Fix lintian error which used + to be overridden in d/trafficserver.lintian-overrides + * Update d/trafficserver-dev.lintian-overrides + + -- Jean Baptiste Favre Thu, 03 Jan 2019 10:52:44 +0100 + +trafficserver (8.0.1-1) unstable; urgency=medium + + * New upstream version 8.0.1 + * Patches refresh for 8.0.1 + * Removed patches which have been merged upstream: + - 0002-add-mips64-support + - 0004-fix_arm_build + - 0005-fix_build_kfreebsd + - 0007-fix-uri_signing + - 0010-fix-32bits-build + - 0012-fix-traffic_via + * Fix lintian warning public-upstream-key-not-minimal + + -- Jean Baptiste Favre Mon, 03 Dec 2018 14:15:07 +0100 + +trafficserver (8.0.0-4) unstable; urgency=medium + + [ Emanuele Rocca ] + * Update descriptions in d/control + + [ Jean Baptiste Favre ] + * Update patch to fix kfreebsd FTBFS + + -- Jean Baptiste Favre Mon, 05 Nov 2018 10:13:03 +0100 + +trafficserver (8.0.0-3) unstable; urgency=medium + + * Remove webptransform experimental plugin + * Update patch to fix kfreebsd FTBFS + * Update d/copyright to fix lintian error + * Update d/rules to fix FTBFS for mips & mipsel archs + * Update d/rules to spare call to dpkg-parsechangelog + * Update d/copyright after 8.0.0 file moves + + -- Jean Baptiste Favre Fri, 02 Nov 2018 14:24:38 +0100 + +trafficserver (8.0.0-2) unstable; urgency=medium + + * Add a patch to fix FTBFS with MySQL 8 (LP: #1795362) + * Update 0009-fix-mysql-8-build.patch which has been merged upstream + * Bump Standards-Version in d/control + * Add patch to fix 32bits arm & mips arch build + * Backport upstream patch to fix segmentation fault + * Backport upstream patch to fix traffic_via + + -- Jean Baptiste Favre Wed, 17 Oct 2018 20:40:51 +0200 + +trafficserver (8.0.0-1) unstable; urgency=medium + + [ Aron Xu ] + * Remove .vscode directory + * systemd: After=network-online.target + + [ Jean Baptiste Favre ] + * Update d/changelog for 8.0.0 + * Update init and service file after traffic_cop removal + * Update d/README.Debian to reflect configuration changes + * Add d/gitlab-ci.yml to use Salsa CI + * Update d/control + * Add build-deps against graphviz, python3-sphinxcontrib.plantuml + and plantuml to build documentation & manpages + * Add build-deps against libcrypto++-dev, libjansson-dev, libcjose-dev to + build uri_signing plugin + * Update Breaks to manage plugins transition from experimental to stable + * Update postinst maintainer script, add postrm & preinst scripts to remove + obsolete config files + - /etc/trafficserver/vaddrs.config, + - /etc/trafficserver/metrics.config, + - /etc/trafficserver/logging.config, + - /etc/trafficserver/log_hosts.config, + - /etc/trafficserver/congestion.config, + - /etc/trafficserver/cluster.config, + - /etc/trafficserver/body_factory/default/congestion#retryAfter + * Update d/trafficserver and d/trafficserver-experimental-plugins install + files + - Stable plugin gzip renamed to compress + - Promoted stable plugins: + - cachekey, + - cache_promote, + - escalate, + - test_cppapi, + - tslua + - Added new experimental plugins: + - access_control, + - fq_pacing, + - prefetch, + - server_push_preload, + - system_stats, + - tls_bridge, + - traffic_dump, + - uri_signing + - Remove deprecated plugins collapsed_connection, epic + * Remove obsolete config option --enable-system-luajit from d/rules + * Add --with-build-version option to d/rule to have a deterministic + build-version + * Update d/copyright to remove .vscode during import at repack stage + * Update patches for 8.0.0 + - Refresh patches for 8.0.0 + - Removed patches: + - 0004-force-use-luajit-system*, updated upstream + - 0005-fix_documentation_build_option, updated upstream + - 0008-fix_build_lua, updated upstream + - 0009-fix-doc-python3, update upstream + - 0010-Remove-custom-memory-barriers-from-header_rewrite-an patches, + updated upstream + - Renamed remaining patches: + - 0006-fix_arm_build -> 0004-fix_arm_build, + - 0007-fix_build_kfreebsd -> 0005-fix_build_kfreebsd, + - 0009-fix-doc-git -> 0006-fix-doc-build + - Add patch to fix uri_signing experimental plugin build + - Add patch to fix check-unused-dependencies + * New upstream version 8.0.0 + + -- Jean Baptiste Favre Sat, 06 Oct 2018 12:43:13 +0200 + +trafficserver (7.1.4+ds-1) unstable; urgency=medium + + [ Aron Xu ] + * Use libunwind for mips* + + [ Jean Baptiste Favre ] + * Update Debian standards version + * New upstream version 7.1.4+ds + * Patches refresh for 7.1.4 + * Add lintian override for trafficserver package + + -- Jean Baptiste Favre Mon, 06 Aug 2018 10:56:14 +0200 + +trafficserver (7.1.3+ds-4) unstable; urgency=medium + + * Fix FTBS on armel (Closes: #902112) + + -- Jean Baptiste Favre Fri, 22 Jun 2018 17:13:53 +0200 + +trafficserver (7.1.3+ds-3) unstable; urgency=medium + + * Add systemd tmpfile support (LP: #1756207) + * Update Build-Depends (Closes: #887503) + + -- Jean Baptiste Favre Wed, 13 Jun 2018 22:39:58 +0200 + +trafficserver (7.1.3+ds-2) unstable; urgency=medium + + * Update build-deps to libncurses6 + * Update patch to fix arm* builds + + -- Jean Baptiste Favre Fri, 18 May 2018 17:25:22 +0200 + +trafficserver (7.1.3+ds-1) unstable; urgency=medium + + * Update Vcs URLs. Replace alioth with salsa + * Add patch to make documentation build with python3. Fix lintian warning + * New upstream version 7.1.3+ds + * Update d/gbp.conf + * Patches refresh for 7.1.3 + * Add a patch to fix doc build outside of git repository + * Update standards version + * Remove chown command from postinst script. Fix lintian warning + + -- Jean Baptiste Favre Tue, 24 Apr 2018 10:17:21 +0200 + +trafficserver (7.1.2+ds-3) unstable; urgency=medium + + * Add upstream changelog file to trafficserver package + * Add systemd units file + * Fix documentation. Update links + * Update d/rules to remove examples binary files from package + + -- Jean Baptiste Favre Fri, 16 Feb 2018 15:05:07 +0100 + +trafficserver (7.1.2+ds-2) unstable; urgency=medium + + * Drop patch for lua source code removal (Handled with repack) + * Drop patch for documentation build (merged upstream) + * Add a patch to make man pages being built + * Update d/compat + * Fix lintian warnings + * Update d/rule to fix lintian warning. + * Disable auto_test (again) + * Install CHANGELOG file in /usr/share/doc + * Enable documentation built (if not, man pages aren't either) + + -- Jean Baptiste Favre Thu, 25 Jan 2018 23:38:51 +0100 + +trafficserver (7.1.2+ds-1) unstable; urgency=medium + + * New upstream version 7.1.2+ds + * Update d/patches for 7.1.2+ds + * Update build dependencies + * Update compilation flags + * Enable experimental plugin cache_key_genid + + -- Jean Baptiste Favre Tue, 16 Jan 2018 18:18:40 +0100 + +trafficserver (7.1.1-1) unstable; urgency=medium + + * Fix trafficserver-dev dependencies. (Closes: #877457) + * Fix d/gbp.conf. Remove duplicate filter option + * Update standards version in d/control + * Fix debian-rules-sets-dpkg-architecture-variable lintian warning + * Fix debian-watch-uses-insecure-uri lintian info + * Update d/patches + * Update d/rules to reflect healthcheck being managed as a stable plugin + * Add a patch to fix kfreebsd build + * Add a patch to fix arm build + * New upstream version 7.1.0 + * Remove broken 0008-fix_build_armel patch + * Patches refresh for 7.1.0 + * Add new patch to fix build with luajit 2.1 (Closes: #873328) + * Update experimental modules list + * Update Debian Standards-Version & d/compat + * Update Vcs-* fields to use secure communication + * Lintian fix for d/NEWS + * Add new build option to use system luajit + * Update build dependencies (Closes: #859750) + * Fix lintian warning in d/copyright + * New upstream version 7.1.1 + * Patches refresh for 7.1.1 + + -- Jean Baptiste Favre Tue, 02 Jan 2018 13:30:43 +0100 + +trafficserver (7.0.0-5) unstable; urgency=medium + + * Add patch to fix arm* build. (Closes: #857389) + + -- Jean Baptiste Favre Wed, 22 Mar 2017 09:31:14 +0100 + +trafficserver (7.0.0-4) unstable; urgency=medium + + * Add Conflicts for file overwrites (Closes: #850775) + + -- Aron Xu Wed, 11 Jan 2017 14:49:15 +0800 + +trafficserver (7.0.0-3) unstable; urgency=medium + + * Fix documentation build for docutils >= 0.13 (Closes: #848800) + * Update LuaJIT patches serie to fallback using Lua if LuaJIT not found + * Update luajit patch. + - Remove hardcoded value + - Add luajit dynamic detection + + -- Jean Baptiste Favre Wed, 04 Jan 2017 15:13:43 +0100 + +trafficserver (7.0.0-2) unstable; urgency=medium + + * Add patches to use system luajit and not the internal one any more + * Update d/rules to remove luajit exception. + + -- Jean Baptiste Favre Fri, 25 Nov 2016 17:51:25 +0100 + +trafficserver (7.0.0-1) unstable; urgency=medium + + [ Arno Töll ] + * Remove myself as maintainer. Thanks to Aron and Jean Baptiste for stepping + in on my place and keeping the package up to date. It makes the confident + the package is in good hands now. + + [ Jean Baptiste Favre ] + * New upstream release 7.0.0 + * Patches refresh for 7.0.0 + * Update plugins list + * Update build dependencies + * Add pkgconfig .pc file in trafficserver-dev package + * Enable experimental plugins webp_transform + * Enable traffic_top build (Closes: #836126) + * Remove Linux AIO support (Closes: #803661, #836124) + * Fix FTBFS for mips64el (Closes: #830856) + * Add patch to make the build reproductible (Closes: #833176) + + [ Aron Xu ] + * Set myself as Maintainer at the moment + * Build-Depends on default-libmysqlclient-dev + + -- Jean Baptiste Favre Wed, 16 Nov 2016 09:48:10 +0100 + +trafficserver (6.2.0-1) unstable; urgency=medium + + * Add upstream gpg keys for uscan pgpsigurlmangle option + * Imported Upstream version 6.2.0 + * Patch refresh for 6.2.0 + * Update trafficserver manpages list + * Update trafficserver install list + * Update trafficserver-experimental-plugins install list + * Update build dependencies (Add libmariadbclient-dev in experimental) + * Bump standards version + + -- Jean Baptiste Favre Sat, 23 Jul 2016 19:15:58 +0200 + +trafficserver (6.1.1-1) unstable; urgency=medium + + * Imported Upstream version 6.1.1 + * Update d/watch for gpg signature check + + -- Jean Baptiste Favre Sat, 06 Feb 2016 10:37:41 +0100 + +trafficserver (6.1.0-1) unstable; urgency=medium + + * New upstream release + * Use -mcx16 on x86 platforms only (Closes: #805124) + + -- Aron Xu Tue, 02 Feb 2016 12:18:10 +0800 + +trafficserver (6.0.0-3) unstable; urgency=medium + + * Update d/NEWS & d/README.Debian with 32-bit upstream support drop + + -- Jean Baptiste Favre Mon, 14 Dec 2015 10:48:20 +0100 + +trafficserver (6.0.0-2) unstable; urgency=medium + + * Re-enable 32-bit builds + * Add some optional build dependencies + * Use -O3 by default + + -- Aron Xu Sat, 31 Oct 2015 03:05:20 +0800 + +trafficserver (6.0.0-1) unstable; urgency=medium + + [ Aron Xu ] + * Avoid possible-missing-colon-in-closes + + [ Jean Baptiste Favre ] + * Imported Upstream version 6.0.0 + * Update experimental plugins list + - Remove channel_stats + - Add cache promote cache_promote.so + - Add cache ranage request cache_range_requests.so + - Add mp4 streaming media mp4.so + - Add Stream editor stream_editor.so + + -- Aron Xu Sat, 10 Oct 2015 11:19:19 +0200 + +trafficserver (5.3.1-1) unstable; urgency=medium + + [ Arno Töll ] + * Add proxy.config.admin.user_id setting + + [ Aron Xu ] + * Add myself back to Uploaders + * Use dh compat 9 + + [ Jean Baptiste Favre ] + * Imported Upstream version 5.3.1 + * Removed patch for TS-3632 (merged upstream) + * Upstream changes allow ftbfs with GCC-5 (Closes: #778148) + + -- Jean Baptiste Favre Sat, 04 Jul 2015 23:20:49 +0200 + +trafficserver (5.3.0-2) unstable; urgency=medium + + * Avoid installing tslua.so on archs built without LuaJIT + (Closes: #770353) + + -- Aron Xu Thu, 11 Jun 2015 15:28:39 +0800 + +trafficserver (5.3.0-1) unstable; urgency=medium + + * Imported Upstream version 5.3.0 + - CVE-2014-10022: remote DoS + * Remove fix_TS3316_i386_build patch + * Fix traffic_wccp build, missing OpenSSL symbol + * Add experimental plugin generator + * Format patch for TS-3632 + * Update Uploader field in d/control + + -- Jean Baptiste Favre Wed, 03 Jun 2015 20:06:13 +0200 + +trafficserver (5.2.0-2) unstable; urgency=medium + + * Disable LuaJIT for arm64 + + -- Aron Xu Sat, 28 Feb 2015 23:51:00 +0800 + +trafficserver (5.2.0-1) unstable; urgency=medium + + [ Jean Baptiste Favre ] + * New upstream release. + * Add support for following experimental modules: + - epic + - header_normalize + - mysql_remap + - ssl_cert_loader + - sslheaders + * Remove missing file related to removed traffic_shell + * Backport patch for TS-3316 to solve i386 build issue + * Fix misconfigured call to dh_makeshlibs (used system dir instead + of temporary build one) + + [ Aron Xu ] + * Enable all hardening features. + * Update copyright file. + + -- Aron Xu Thu, 12 Feb 2015 22:22:44 +0100 + +trafficserver (5.1.1-1) unstable; urgency=medium + + * New upstream release. This release includes fixes for these security + related vulnerabilities: + - CVE-2014-3566: Do not enable SSL3 by default + - CVE-2014-3624: Ensure remap requests are properly tunneled using CONNECT + requests to avoid an open relay + * Add support for ppc64el, patch merged upstream (Closes: #754134, #754808) + * Fix "ftbfs on kfreebsd" by conditionally building healthchecks.so on Linux + only. Patch supplied by Steven Chamberlain, thanks (Closes: #767287) + + -- Arno Töll Sun, 02 Nov 2014 12:40:44 -1100 + +trafficserver (5.1.0-1) unstable; urgency=medium + + * New upstream release + * Bump standards version to 3.9.6 (no changes needed) + + [Jean Baptiste Favre] + * Add a debug package with debug symbols for those who need it. + * Split out experimental trafficserver plugins into a separate package so + that users are aware of their experimental character before using them. + * Add a libhwloc b-d so that ATS has a better idea about the underlying + hardware it runs at to improve the runtime performance + + -- Arno Töll Wed, 08 Oct 2014 23:50:49 -1100 + +trafficserver (5.0.1-1) unstable; urgency=medium + + * New upstream release including a fix for CVE-2014-3525 that allowed + attackers by special crafted packets to obtain privileges for services bound + to localhost + + -- Arno Töll Wed, 23 Jul 2014 04:43:00 -1100 + +trafficserver (5.0.0-1) unstable; urgency=medium + + * Acknowledge previous NMUs, thanks to Anibal Monsalve Salazar for + coordination. + * New upstream version. Patch changes: + + drop 0001-TS-1821.patch: released upstream in 5.0.0 + + drop 0001-TS-2454-Fix-undefined-reference-to-__sync_fetch_and_.patch: + released upstream in 4.2 + + drop add-mips-support.patch: released upstream in 5.0.0 + + drop pthread_setname_np.patch: This was a Debian specific issue which is + being worked around in eglibc's commit r5460. + * Add "support for mips64": merged upstream (Closes: #750807) + * Build with dh-autoreconf to avoid build time issues with Automake 1.13 + which is not in Debian yet. + + -- Arno Töll Sun, 06 Jul 2014 00:20:59 -1100 + +trafficserver (4.1.2-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * Add missing prototype for pthread_setname_np() + Add pthread_setname_np.patch + Patch by Petr Salinger + Closes: #743584 + + -- Anibal Monsalve Salazar Fri, 04 Apr 2014 08:59:48 +0100 + +trafficserver (4.1.2-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix undefined reference to `__sync_fetch_and_sub_8' on ARM 32bit + Add 0001-TS-2454-Fix-undefined-reference-to-__sync_fetch_and_.patch + from https://issues.apache.org/jira/browse/TS-2454 + Patch by Yunkai Zhang + * Add support for MIPS + Add add-mips-support.patch + Submitted: https://issues.apache.org/jira/browse/TS-2687 + Merged: https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=2f81790 + Patch by Dejan Latinovic + Closes: 743395 + * Build-depend on libboost-dev + Patch by Dejan Latinovic + Closes: #737510 + + -- Anibal Monsalve Salazar Thu, 03 Apr 2014 04:18:23 +0100 + +trafficserver (4.1.2-1) unstable; urgency=medium + + * Merge the experimental branch of trafficserver to unstable + * New upstram release (Closes: #711530, #733377) + + Refresh 0001-TS-1821.patch until it is fixed upstream + + Don't run autoreconf anymore, we do not need it anymore + + build depend on libaio-dev to support AIO on Linux systems + * Push standards version + + -- Arno Töll Wed, 29 Jan 2014 03:01:12 -1100 + +trafficserver (3.3.2-1) experimental; urgency=low + + [ Arno Töll ] + * Drop --with-arg-max from configure + * Update changelog in view of the new upstream version + + [ Aron Xu ] + * Imported Upstream version 3.3.2 + * Drop patch for enabling experimental plugins + * Add liblua5.1-dev and liboost1.53-dev to B-D + * Try on all archs for experimental builds + * Permit parallel building + * Fix typo in dep5 copyright file + * Do not install staticly linked library + * Enable Linux native AIO support for linux-any + * Enable reclaimable freelist + + -- Aron Xu Thu, 09 May 2013 01:00:04 +0800 + +trafficserver (3.3.0+git20121208-0exp1) experimental; urgency=low + + * Upstream git snapshot. + * Enable most of experimental plugins, install related libraries. + * Run dh_autoreconf. + * Make dh_auto_test errors non-fatal. + + -- Aron Xu Thu, 06 Dec 2012 23:32:25 +0800 + +trafficserver (3.3.0-1) experimental; urgency=low + + * Upload upstream development release to experimental. + + -- Aron Xu Thu, 29 Nov 2012 22:13:55 +0800 + +trafficserver (3.2.5-1) unstable; urgency=low + + * New upstream release + + Fix FTBFS on ARM (Closes: #691179) + + Fix FTBS with gcc 4.8 (Closes: #701427) + * Promote trafficserver to depend for trafficserver-dev to fix a broken + library symlink. The library is not required for all users, but those who + need it don't need to install it manually anymore (Closes: #715134) + + -- Arno Töll Sun, 21 Jul 2013 11:55:38 +0200 + +trafficserver (3.2.4-1) unstable; urgency=low + + * New upstream release + + Delete upstream's .gitignore file in our source tree + * Switch packaging repository to Git. + + Add gbp.conf file for those using git-buildpackage + * Fix "Upgrade fails if purging of cache fails" by not dying in a fire when + the postinst fails to purge the cache (Closes: #687698) + * Drop --with-arg-max from ./configure, it's not needed anymore. + + -- Arno Töll Tue, 29 Jan 2013 23:54:44 +0100 + +trafficserver (3.2.0-1) unstable; urgency=low + + * New upstream release + + If you are using SSL or HTTP filtering, please update your configuration. + proxy.config.http.quick_filter.mask and + proxy.config.ssl.server.cert.filename is not recognized anymore. Please + use ip_allow.config and ssl_multicert.config respectively instead. + There is no automated migration for this in Debian, as this affects your + site-specific configuration files. + + See https://cwiki.apache.org/confluence/display/TS/Upgrading+to+3.2 for + full upgrade instructions. + * Upstream decided to ship more plug-ins with the trafficserver core + distribution. These are all bundled into the main package now. Therefore, + the trafficserver-plugin-conf-remap package is not provided anymore. + * Update the default configuration file to ship with more moderate values + for the log configuration. + * Now do start ATS by default for fresh installations. The default + out-of-the box configuration is much more secure than past defaults. + * Purge the host and data cache on upgrades + * Let's welcome Aron Xu to the Uploaders of Trafficserver. Hi Aron! :) + + -- Arno Töll Fri, 14 Sep 2012 22:56:29 +0200 + +trafficserver (3.0.5-1) unstable; urgency=low + + * New upstream release. + * No kudos for the previous hostile NMU, but include the changelog to denote + this upload does not introduce a regression. + * Update my maintainer address + * Make the init script look much better when using fancy outputs. + * Fix "status" output of the init script + * Remove "DM-Upload-Allowed". I don't need that flag anymore. + + + -- Arno Töll Sat, 09 Jun 2012 18:48:23 +0200 + +trafficserver (3.0.4-1.1) unstable; urgency=low + + * Non maintainer upload + * Fix build failure with GCC 4.7. Closes: #667396. + + -- Matthias Klose Wed, 30 May 2012 04:40:28 +0000 + +trafficserver (3.0.4-1) unstable; urgency=high + + * New upstream release + + Fix CVE-2012-0256: A request with a very large Host header caused ATS to + crash. + * Setting urgency to high because of security updates + * Push standards to 3.9.3 - no further changes + * Stilistic adaptions in debian/copyright, but not content changes + * Remove cluster interface warning from README.Configuration. ATS now binds on + lo by default + + -- Arno Töll Wed, 21 Mar 2012 12:34:35 +0100 + +trafficserver (3.0.2-1) unstable; urgency=low + + * New upstream release + + Includes former Debian specific patch which makes sure the upstream + configure script does not override any -O flags passed by the user + anymore. + * Adapt to dpkg 1.16.1 API changes regarding build flags. This enables + hardening build flags. This means, trafficserver is now being built with + -fstack-protector and other security related build flags. + * Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are + properly supported. That's guaranteed for Testing, but might be helpful to + know for backporters. + * Fix several issues in the DEP-5 syntax. Unfortunately there is no way to + express that a file is subject to different license agreements so far. + * Do not install the upstream changelog twice anymore + * Finally run regression checks again, now as build failures are sorted out. + + -- Arno Töll Sun, 11 Dec 2011 00:45:45 +0100 + +trafficserver (3.0.1-2) unstable; urgency=low + + * Fix "please add armhf to the arch list" - add armhf to the list of supported + architectures. Thanks Konstantinos Margaritis for the hint (Closes: #636338) + * Remove IA64 from the list of supported architectures. The upgrade to the gcc + 4.6 toolchain disclosed portability issues with it, which caused the resul- + ting binary package to produce no-op code in some functions. + + -- Arno Töll Tue, 02 Aug 2011 22:58:37 +0200 + +trafficserver (3.0.1-1) unstable; urgency=low + + * New upstream release. Fixes several important issues which caused + `traffic_cop' and `traffic_server' to crash. + * Fix "FTBFS with ld --as-needed" re-order libraries upon linkage, patch + committed upstream. Thanks Ilya Barygin (Closes: #632546) + * Fix "trafficserver: Getting rid of unneeded *.la / emptying + dependency_libs", remove *.la files from the installation target completely + (Closes: #633192) + * Set "DM-Upload-Allowed: yes" in agreement with Asheesh Laroia + + + -- Arno Töll Mon, 01 Aug 2011 19:29:58 +0200 + +trafficserver (3.0.0-1) unstable; urgency=low + + * New upstream release. Major changes (since 2.1.9): + + `traffic_server' won't crash anymore when using non-existent plugin in + remap rule + + Don't cache HTTP 401, 303 and 407 error responses anymore, when negative + caching is enabled. + * Re-enable kfreebsd support, it was accidentally not available in + 2.1.9-unstable-1 because of non installable dependencies, as libcap-dev is + installable (and required) on Linux only + * debian/rules: + + Simplify dh_auto_configure flags (upstream incorporated our build layout) + + Enable WCCP (Web Cache Communication Protocol; Linux only) + * debian/control: + + Add flex and bison to build dependencies, both are required for WCCP + (Linux only) + + -- Arno Töll Wed, 15 Jun 2011 15:56:29 +0200 + +trafficserver (2.1.9-unstable-1) unstable; urgency=low + + * New upstream release. Major features (since 2.1.8): + + Bring back support for $DESTDIR and "make check" which makes Debian + patches obsolete + + Allow larger working sets than 512G + + Disable cluster autodiscovery when cluster mode is disabled + + Cleanup `records.config' + + Disable SSLv2 by default + * debian/control: Add build dependency to libcap-dev, because when running + traffic_server standalone, it is unable to bind restricted ports otherwise + (Upstream: TS-804) + * debian/rules: + + Remove override for dh_clean, but put options to debian/source/options + instead + + Remove DH_OPTIONS (unused anyway) + * Source package: Minor change to improving package quality and usability + (i.e. grammar, verbosity of comments) + * Make the init script more robust + * Base the origin of the package source on the untouched upstream tarball, + instead of the versioned SVN branch. + * Bring back IA64 support, this time actually working (upstream merged my + patch TS-783) + * Remove patch `build-quirks.patch'. Changes have been committed upstream + by now. + + -- Arno Töll Tue, 31 May 2011 21:56:12 +0200 + +trafficserver (2.1.8-unstable-1) unstable; urgency=low + + * New upstream release. Major features (since 2.1.5): + + Many bug fixes (none reported in Debian's BTS) + + Set source address for origin Servers + + Major API changes for the SDK + + Provide traffic_logstats + + traffic_shell does not hang anymore on any command + * Fix "FTBFS on architectures not supported upstream": (Closes: #622800) + + Don't execute regression checks for now (fixes x86) + + Upstream merges a Debian patch originally for 2.1.7 which enables + kFreeBSD support (originally provided by myself) + + Restrict Architectures (drop S390, IA64, MIPS[EL], PPC, SPARC) + * Remove ts-ui-disable-conf.patch (applied upstream) + * Update `build-quirks.patch' to make TS handle $DESTDIR correctly + (upstream: TS-759) + * Remove .deps from SDK binary package examples (they were incidentally + included before). + * Fix permissions for /var/cache/trafficserver in postinst + * Bump standards to 3.9.2, depend on debhelper 8.0, adapt VCS links + * Simplify debian/rules + + -- Arno Töll Thu, 05 May 2011 21:49:52 +0200 + +trafficserver (2.1.5-unstable-1) unstable; urgency=low + + * Initial release (Closes: #609285) + * Added some configuration and informational hints + * New upstream release. Major features: + + Better AMD64 support + + Override configuration per transaction + + IPv6 + + Support ARM architectures + + SDK-API changes + * Differences to upstream version: + + Ship some documentation. Well, really a few hints + + Split source into three packages (core, plug-in, SDK) + + Ship our own init script + + -- Arno Toell Thu, 13 Jan 2011 11:49:18 +0100 diff --git a/control b/control new file mode 100644 index 00000000..7f4eb7bd --- /dev/null +++ b/control @@ -0,0 +1,66 @@ +Source: trafficserver +Section: web +Priority: optional +Maintainer: Jean Baptiste Favre +Uploaders: Aron Xu , Emanuele Rocca +Build-Depends: debhelper-compat (= 13), libssl-dev, tcl-dev, libexpat1-dev, + libpcre3-dev, libtool, libcap-dev [linux-any], graphviz, + bison [linux-any], flex [linux-any], dpkg-dev (>= 1.16.1~), pkg-config, libgeoip-dev, + libluajit-5.1-dev, libboost-dev, libhwloc-dev, default-libmysqlclient-dev, + python3-distro, python3-sphinx, plantuml, python3-sphinxcontrib.plantuml, + libxml2-dev, libncurses-dev, libcurl4-openssl-dev, + libkyotocabinet-dev, libmemcached-dev, libbrotli-dev, + libcrypto++-dev, libjansson-dev, libcjose-dev, libyaml-cpp-dev (>= 0.6.2~), + libunwind-dev [i386 amd64 ppc64el armhf arm64 mipsel mips64el mips] +Standards-Version: 4.5.1 +Homepage: https://trafficserver.apache.org/ +Vcs-Git: https://salsa.debian.org/debian/trafficserver.git +Vcs-Browser: https://salsa.debian.org/debian/trafficserver + +Package: trafficserver +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.2-14), adduser, + ${perl:Depends} +Pre-Depends: ${misc:Pre-Depends} +Provides: trafficserver-plugin-conf-remap +Replaces: trafficserver-plugin-conf-remap (<< 3.2~), + trafficserver-experimental-plugins (<< 8.0.0~) +Suggests: trafficserver-experimental-plugins (= ${binary:Version}) +Breaks: trafficserver-plugin-conf-remap (<< 3.2~), + trafficserver-experimental-plugins (<< 8.0.0~) +Description: fast, scalable and extensible HTTP/1.1 and HTTP/2.0 caching proxy server + This package provides the Apache Traffic Server, a fast, scalable reverse + proxy server which may operate as forward proxy as well. Apache Traffic Server + supports: + . + * Caching: improve response time while reducing server load and bandwidth + needs by caching and reusing frequently-requested web pages, images, and + web service calls. + * Proxying: add keep-alive, filter or anonymize content requests, or add + load balancing by adding a proxy layer. + * Scaling: handle 10s of thousands of requests per second on modern SMP + hardware. + * Extensions: use the API to do anything from modifying HTTP headers to + handling ESI requests to writing your own cache algorithm. + +Package: trafficserver-experimental-plugins +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Pre-Depends: trafficserver (= ${binary:Version}) +Breaks: trafficserver (<< 8.0.0~) +Description: experimental plugins for Apache Traffic Server + This package provides the Apache Traffic Server plugins marked as + experimental. + . + Please note that these plugins can be removed without priori notice, or + promoted as stable plugin. In the last case, they'll be moved from + trafficserver-experimental-plugins to trafficserver package. + +Package: trafficserver-dev +Architecture: any +Depends: ${misc:Depends}, trafficserver (= ${binary:Version}) +Description: Apache Traffic Server Software Developers Kit (SDK) + This package provides the Apache Traffic Server Software Developers Kit, which + consists of: a collection of development header and bindings for the C + programming language, the tsxs linking helper and examples to write your own + plug-ins for the Apache Traffic Server. diff --git a/copyright b/copyright new file mode 100644 index 00000000..eddb9830 --- /dev/null +++ b/copyright @@ -0,0 +1,130 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Traffic Server +Upstream-Contact: dev@trafficserver.apache.org +Source: http://trafficserver.apache.org/ +Files-Excluded: + .vscode + lib/yamlcpp +Comment: + The upstream repository provides libraries which are also available + in Debian. Because we'll use libraries packaged in Debian, we don't + need embedded ones. + +Files: * +Copyright: 2010 - 2011 The Apache Software Foundation + 2009 Yahoo! Inc. +License: Apache-2.0 + +Files: debian/* +Copyright: 2011 Arno Töll +License: Apache-2.0 +Comment: Packaging for Debian was done by Arno Toell, and I hereby grant + distribution of it under the same terms as Apache Traffic Server itself. + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the full text of the e Apache License, Version 2.0 + can be found in the file `/usr/share/common-licenses/Apache-2.0'. + +Files: include/tscore/ink_rand.* +Copyright: 1997 - 2002, Makoto Matsumoto and Takuji Nishimura +License: BSD-3-clause + +Files: include/tscore/ink_resolver.h src/tscore/ink_res_init.cc src/tscore/ink_res_mkquery.cc +Copyright: 1983, 1987, 1989 The Regents of the University of California +License: BSD-3-clause + +License: BSD-3-clause + For the University of California part: + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + . + For the Internet Systems Consortium, Inc. part: + See Apache-2.0 + . + For the Digital Equipment Corporation part: + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies, and that + the name of Digital Equipment Corporation not be used in advertising or + publicity pertaining to distribution of the document or software without + specific, written prior permission. + . + THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL + WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT + CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + SOFTWARE. + +Files: src/tscore/ink_string.cc +Comment: For the strlcat, strlcpy in inktomi++/ink_string.cc +Copyright: 1998 Todd C. Miller +License: ISC + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: include/tscore/fastlz.h src/tscore/fastlz.c +Copyright: 2005-2007 Ariya Hidayat (ariya@kde.org) +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. diff --git a/docs b/docs new file mode 100644 index 00000000..356cb60e --- /dev/null +++ b/docs @@ -0,0 +1,9 @@ +LAYOUT +NOTICE +STATUS +REVIEWERS +README +README-EC2 +debian/README.Debian +debian/CONFIGURATION.Debian +debian/README.conf-remap.Debian diff --git a/gbp.conf b/gbp.conf new file mode 100644 index 00000000..8164b815 --- /dev/null +++ b/gbp.conf @@ -0,0 +1,18 @@ +[DEFAULT] +pristine-tar = True +builder=dpkg-buildpackage -i\.git -I.git +#cleaner=true + +[import-orig] +filter = [ + '.gitignore', + '.git', + '.vscode', + '.clang-analyzer', + '.clang-format', + '.clang-tidy', + '.editorconfig', + 'emacs-style', + '.vimrc', + 'Vagrantfile' ] +merge = True diff --git a/not-installed b/not-installed new file mode 100644 index 00000000..b97cd0e7 --- /dev/null +++ b/not-installed @@ -0,0 +1,2 @@ +usr/man/man3 +usr/share/man diff --git a/patches/0001-Use-mcx16-on-x86-platforms-only.patch b/patches/0001-Use-mcx16-on-x86-platforms-only.patch new file mode 100644 index 00000000..ba1110e1 --- /dev/null +++ b/patches/0001-Use-mcx16-on-x86-platforms-only.patch @@ -0,0 +1,26 @@ +From: Aron Xu +Date: Tue, 2 Feb 2016 12:17:24 +0800 +Subject: Use -mcx16 on x86 platforms only + +--- + configure.ac | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/configure.ac ++++ b/configure.ac +@@ -1487,12 +1487,15 @@ CFLAGS="${__saved_CFLAGS}" + AC_LANG_POP + AC_SUBST(has_128bit_cas) + ++case "$host_cpu" in ++ amd64|x86_64|i*86) + AS_IF([test "x$has_128bit_cas" = "x1"], [ + AS_IF([test "x$ax_cv_c_compiler_vendor" != "xintel"], [ + TS_ADDTO(AM_CFLAGS, [-mcx16]) + TS_ADDTO(AM_CXXFLAGS, [-mcx16]) + ]) + ]) ++esac + + # Check for POSIX capabilities library. + # If we don't find it, disable checking for header. diff --git a/patches/0003-reproductible-build.patch b/patches/0003-reproductible-build.patch new file mode 100644 index 00000000..dc2cc8d9 --- /dev/null +++ b/patches/0003-reproductible-build.patch @@ -0,0 +1,22 @@ +Description: make the build reproducible +Author: Reiner Herrmann +Origin: other, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833176 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2016-11-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/configure.ac ++++ b/configure.ac +@@ -144,9 +144,9 @@ AC_ARG_WITH([build-number], + # + # Build environment + # +-build_person="`id -nu | sed -e 's/\\\\/\\\\\\\\/g'`" +-build_group="`id -ng | sed -e 's/\\\\/\\\\\\\\/g'`" +-build_machine="`uname -n | sed -e 's/\\\\/\\\\\\\\/g'`" ++build_person="root" ++build_group="root" ++build_machine="localhost" + AC_SUBST([build_machine]) + AC_SUBST([build_person]) + AC_SUBST([build_group]) diff --git a/patches/0006-fix-doc-build.patch b/patches/0006-fix-doc-build.patch new file mode 100644 index 00000000..21e53917 --- /dev/null +++ b/patches/0006-fix-doc-build.patch @@ -0,0 +1,51 @@ +Description: Make documentation build works outside of git repository + Current documentation build requires git and curl to get some stuff from the internet + This patch aims to delete those dependencies, forcing git branch to master, + and using Debian provided plantuml instead of downloading it from apache mirror +Author: Jean Baptiste Favre +Origin: other +Last-Update: 2019-01-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/doc/ext/traffic-server.py ++++ b/doc/ext/traffic-server.py +@@ -380,7 +380,7 @@ with open('../configure.ac', 'r') as f: + autoconf_version = '.'.join(match.group(1).split('.', 2)[:2] + ['x']) + + # get the current branch the local repository is on +-git_branch = subprocess.check_output(['git', 'rev-parse', '--abbrev-ref', 'HEAD']) ++git_branch = "master" + + + def make_github_link(name, rawtext, text, lineno, inliner, options={}, content=[]): +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -61,7 +61,7 @@ I18NSPHINXOPTS = $(SPHINXOPTS) + # The PAPER setting variables requires recursive make variable expansion, which automake + # detects as non-portable. We bounce this through a shell script and do the expansion there. + SBUILD = PAPEROPT_a4="$(PAPEROPT_a4)" PAPEROPT_letter="$(PAPEROPT_letter)" PAPER="$(PAPER)" \ +- PLANTUML_JAR="$(shell ext/plantuml_fetch.sh | tail -1)" \ ++ PLANTUML_JAR="/usr/share/plantuml/plantuml.jar" \ + $(srcdir)/sbuild $(SPHINXBUILD) \ + -c $(srcdir) \ + $(ALLSPHINXOPTS) +--- a/doc/uml/Makefile.am ++++ b/doc/uml/Makefile.am +@@ -18,7 +18,7 @@ + + if BUILD_DOCS + images := $(patsubst %.uml,images/%.svg,$(wildcard *.uml)) +-PLANTUML_JAR := $(shell ../ext/plantuml_fetch.sh | tail -1) ++PLANTUML_JAR := /usr/share/plantuml/plantuml.jar + + all-am: jar-check $(images) + endif +@@ -39,7 +39,7 @@ latex: all-am + man: all-am + + images/%.svg : %.uml +- $(JAVA) -jar $(PLANTUML_JAR) -o images -tsvg $< ++ $(JAVA) -jar $(PLANTUML_JAR) -graphvizdot /usr/bin/dot -o images -tsvg $< + + clean-local: + rm -f images/*.svg diff --git a/patches/0008-fix-python-check-unused-dependencies.patch b/patches/0008-fix-python-check-unused-dependencies.patch new file mode 100644 index 00000000..e1e057c6 --- /dev/null +++ b/patches/0008-fix-python-check-unused-dependencies.patch @@ -0,0 +1,18 @@ +Description: Force python3 usage, add libfakeroot-sysv to blacklist +Author: Jean Baptiste Favre +Origin: other +Last-Update: 2018-09-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/tools/check-unused-dependencies ++++ b/tools/check-unused-dependencies +@@ -53,7 +53,8 @@ def get_dependencies(program): + 'libdl.so.', # Because we add -ldl to LIBS + 'libgcc_s.so.', + 'libm.so.', # Why does Libtool call ld with -lm? +- 'libpthread.so.' # Because we add -lpthread to LIBS ++ 'libpthread.so.', # Because we add -lpthread to LIBS ++ 'libfakeroot-sysv.so' + ])): + continue + diff --git a/patches/0009-fix-mysql-8-build.patch b/patches/0009-fix-mysql-8-build.patch new file mode 100644 index 00000000..b2615e37 --- /dev/null +++ b/patches/0009-fix-mysql-8-build.patch @@ -0,0 +1,23 @@ +Description: Fix build issue with MySQL 8 + The my_bool type is no longer used in MySQL source code. + Any third-party code that used this type to represent C + boolean variables should use the bool or int C type instead. +Author: Jean Baptiste Favre +Origin: other, https://bugs.launchpad.net/ubuntu/+source/trafficserver/+bug/1795362 +Forwarded: https://github.com/apache/trafficserver/pull/4360 +Applied-Upstream: https://github.com/apache/trafficserver/commit/05b30527974416768515506f69da338652c23260 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2018-10-06 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/plugins/experimental/mysql_remap/mysql_remap.cc ++++ b/plugins/experimental/mysql_remap/mysql_remap.cc +@@ -187,7 +187,7 @@ TSPluginInit(int argc, const char *argv[ + my_data *data = (my_data *)malloc(1 * sizeof(my_data)); + + TSPluginRegistrationInfo info; +- my_bool reconnect = 1; ++ bool reconnect = 1; + + info.plugin_name = const_cast(PLUGIN_NAME); + info.vendor_name = const_cast("Apache Software Foundation"); diff --git a/patches/0011-fix-segfault.patch b/patches/0011-fix-segfault.patch new file mode 100644 index 00000000..d3db7fff --- /dev/null +++ b/patches/0011-fix-segfault.patch @@ -0,0 +1,25 @@ +Description: Fix Segmentation fault in ShowCache::handleCacheEvent +Author: zhang <15535135608@163.com> +Origin: upstream +Bug: https://github.com/apache/trafficserver/issues/4328 +Applied-Upstream: https://github.com/apache/trafficserver/commit/616eb10bfc35599a2c93ff30879d584a05ddf83e +Reviewed-by: Jean Baptiste Favre +Last-Update: 2018-10-17 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/iocore/cache/CachePages.cc ++++ b/iocore/cache/CachePages.cc +@@ -337,6 +337,13 @@ ShowCache::handleCacheEvent(int event, E + CacheHTTPInfoVector *vec = &(cache_vc->vector); + int alt_count = vec->count(); + if (alt_count) { ++ // check cache_vc->first_buf is NULL, response cache lookup busy. ++ if (cache_vc->first_buf == nullptr) { ++ cache_vc->do_io_close(-1); ++ CHECK_SHOW(show("

Cache Lookup Busy, please try again

\n")); ++ return complete(event, e); ++ } ++ + Doc *d = (Doc *)(cache_vc->first_buf->data()); + time_t t; + char tmpstr[4096]; diff --git a/patches/0012-fix-spelling-checks.patch b/patches/0012-fix-spelling-checks.patch new file mode 100644 index 00000000..44c11cd5 --- /dev/null +++ b/patches/0012-fix-spelling-checks.patch @@ -0,0 +1,817 @@ +Description: Fix various speeling issues +Author: Jean Baptiste Favre +Forwarded: https://github.com/apache/trafficserver/pull/4750 +Applied-Upstream: https://github.com/apache/trafficserver/commit/af0ad4a1880a21743e98331855bb78e15d5406ef +Last-Update: 2019-01-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/doc/admin-guide/files/ip_allow.config.en.rst ++++ b/doc/admin-guide/files/ip_allow.config.en.rst +@@ -55,7 +55,7 @@ range with the lower and upper values eq + The value of ``method`` is a string which must consist of either HTTP method names separated by the + character '|' or the keyword literal ``ALL``. This keyword may omitted in which case it is treated + as if it were ``method=ALL``. Methods can also be specified by having multiple instances of the +-``method`` keyword, each specifiying a single method. E.g., ``method=GET|HEAD`` is the same as ++``method`` keyword, each specifying a single method. E.g., ``method=GET|HEAD`` is the same as + ``method=GET method=HEAD``. The method names are not validated which means non-standard method names + can be specified. + +@@ -104,7 +104,7 @@ If the entire subnet were to be denied, + + src_ip=123.45.6.0/24 action=ip_deny + +-The following example allows to any upstream servers:: ++The following example allows one to any upstream servers:: + + dest_ip=0.0.0.0-255.255.255.255 action=ip_allow + +--- a/doc/admin-guide/files/parent.config.en.rst ++++ b/doc/admin-guide/files/parent.config.en.rst +@@ -210,7 +210,7 @@ The following list shows the possible ac + - ``simple_retry`` - If the parent origin server returns a 404 response on a request + a new parent is selected and the request is retried. The number of retries is controlled + by ``max_simple_retries`` which is set to 1 by default. +- - ``unavailable_server_retry`` - If the parent returns a 503 response or if the reponse matches ++ - ``unavailable_server_retry`` - If the parent returns a 503 response or if the response matches + a list of http 5xx responses defined in ``unavailable_server_retry_responses``, the currently selected + parent is marked down and a new parent is selected to retry the request. The number of + retries is controlled by ``max_unavailable_server_retries`` which is set to 1 by default. +@@ -228,7 +228,7 @@ The following list shows the possible ac + + ``max_simple_retries`` + By default the value for ``max_simple_retries`` is 1. It may be set to any value in the range 1 to 5. +- If ``parent_retry`` is set to ``simple_retry`` or ``both`` a 404 reponse ++ If ``parent_retry`` is set to ``simple_retry`` or ``both`` a 404 response + from a parent origin server will cause the request to be retried using a new parent at most 1 to 5 + times as configured by ``max_simple_retries``. + +@@ -236,7 +236,7 @@ The following list shows the possible ac + + ``max_unavailable_server_retries`` + By default the value for ``max_unavailable_server_retries`` is 1. It may be set to any value in the range 1 to 5. +- If ``parent_retry`` is set to ``unavailable_server_retries`` or ``both`` a 503 reponse ++ If ``parent_retry`` is set to ``unavailable_server_retries`` or ``both`` a 503 response + by default or any http 5xx response listed in the list ``unavailable_server_retry_responses`` from a parent origin server will + cause the request to be retried using a new parent after first marking the current parent down. The request + will be retried at most 1 to 5 times as configured by ``max_unavailable_server_retries``. +--- a/doc/admin-guide/files/records.config.en.rst ++++ b/doc/admin-guide/files/records.config.en.rst +@@ -833,7 +833,7 @@ mptcp + ===== ====================================================================== + Value Description + ===== ====================================================================== +- ``0`` |TS| will buffer the request until the post body has been recieved and ++ ``0`` |TS| will buffer the request until the post body has been received and + then send the request to the origin server. + ``1`` Immediately return a ``100 Continue`` from |TS| without waiting for + the post body. +@@ -1630,7 +1630,7 @@ Proxy User Variables + connection=full Full user agent connection :ref:`protocol tags ` + ================== =============================================================== + +- Each paramater in the list must be separated by ``|`` or ``:``. For example, ``for|by=uuid|proto`` is ++ Each parameter in the list must be separated by ``|`` or ``:``. For example, ``for|by=uuid|proto`` is + a valid value for this variable. Note that the ``connection`` parameter is a non-standard extension to + RFC 7239. Also note that, while Traffic Server allows multiple ``by`` parameters for the same proxy, this + is prohibited by RFC 7239. Currently, for the ``host`` parameter to provide the original host from the +@@ -1658,7 +1658,7 @@ Proxy User Variables + information. + See :ts:cv:`proxy.config.http.server_ports` for information on how to enable Proxy Protocol on a port. + +- See :ref:`proxy-protocol` for more discussion on how |TS| tranforms the `Forwarded: header. ++ See :ref:`proxy-protocol` for more discussion on how |TS| transforms the `Forwarded: header. + + .. ts:cv:: CONFIG proxy.config.http.normalize_ae INT 1 + :reloadable: +@@ -2364,7 +2364,7 @@ DNS + + .. ts:cv:: CONFIG proxy.config.dns.resolv_conf STRING /etc/resolv.conf + +- Allows to specify which ``resolv.conf`` file to use for finding resolvers. While the format of this file must be the same as the ++ Allows one to specify which ``resolv.conf`` file to use for finding resolvers. While the format of this file must be the same as the + standard ``resolv.conf`` file, this option allows an administrator to manage the set of resolvers in an external configuration file, + without affecting how the rest of the operating system uses DNS. + +@@ -2622,7 +2622,7 @@ HostDB + Set the frequency (in seconds) to sync hostdb to disk. + + Note: hostdb is syncd to disk on a per-partition basis (of which there are 64). +- This means that the minumum time to sync all data to disk is :ts:cv:`proxy.config.cache.hostdb.sync_frequency` * 64 ++ This means that the minimum time to sync all data to disk is :ts:cv:`proxy.config.cache.hostdb.sync_frequency` * 64 + + Logging Configuration + ===================== +@@ -2956,7 +2956,7 @@ Diagnostic Logging Configuration + + .. ts:cv:: CONFIG proxy.config.diags.debug.tags STRING http|dns + +- Each |TS| `diag` and `debug` level message is annotated with a subsytem tag. This configuration ++ Each |TS| `diag` and `debug` level message is annotated with a subsystem tag. This configuration + contains an anchored regular expression that filters the messages based on the tag. The + expressions are prefix matched which creates an implicit ``.*`` at the end. Therefore the default + value ``http|dns`` will match tags such as ``http``, ``http_hdrs``, ``dns``, and ``dns_recv``. +@@ -2964,7 +2964,7 @@ Diagnostic Logging Configuration + Some commonly used debug tags are: + + ============ ===================================================== +- Tag Subsytem usage ++ Tag Subsystem usage + ============ ===================================================== + dns DNS query resolution + http_hdrs Logs the headers for HTTP requests and responses +@@ -3120,7 +3120,7 @@ SSL Termination + .. ts:cv:: CONFIG proxy.config.ssl.client.groups_list STRING + + Configures the list of supported groups provided by OpenSSL which +- |TS| will use for the "key_share" and "supported groups" extention ++ |TS| will use for the "key_share" and "supported groups" extension + of TLSv1.3 connections. The value is a colon separated list of + group NIDs or names, for example "P-521:P-384:P-256". For + instructions, see "Groups" section of `TLS1.3 - OpenSSLWiki `_. +@@ -3263,7 +3263,7 @@ SSL Termination + ``0`` Disables the session cache entirely. + ``1`` Enables the session cache using OpenSSL's implementation. + ``2`` Default. Enables the session cache using |TS|'s implementation. This +- implentation should perform much better than the OpenSSL ++ implementation should perform much better than the OpenSSL + implementation. + ===== ====================================================================== + +--- a/doc/admin-guide/files/remap.config.en.rst ++++ b/doc/admin-guide/files/remap.config.en.rst +@@ -415,7 +415,7 @@ Acl Filters + + Acl filters can be created to control access of specific remap lines. The markup + is very similar to that of :file:`ip_allow.config`, with slight changes to +-accomodate remap markup ++accommodate remap markup + + Examples + -------- +--- a/doc/admin-guide/files/storage.config.en.rst ++++ b/doc/admin-guide/files/storage.config.en.rst +@@ -92,7 +92,7 @@ which will effectively clear most of the + reboot causes the path names to change. + + The :arg:`id` option can be used to create a fixed string that an administrator can use to keep the +-assignment table consistent by maintaing the mapping from physical device to base string even in the presence of hardware changes and failures. ++assignment table consistent by maintaining the mapping from physical device to base string even in the presence of hardware changes and failures. + + Examples + ======== +--- a/doc/appendices/command-line/traffic_ctl.en.rst ++++ b/doc/appendices/command-line/traffic_ctl.en.rst +@@ -255,7 +255,7 @@ traffic_ctl host + .. program:: traffic_ctl host + .. option:: status HOSTNAME [HOSTNAME ...] + +- Get the current status of the hosts used in parent.config as a next hop in a multi-tiered cache heirarchy. The value 0 or 1 is returned indicating that the host is marked as down '0' or marked as up '1'. If a host is marked as down, it will not be used as the next hop parent, another host marked as up will be chosen. ++ Get the current status of the hosts used in parent.config as a next hop in a multi-tiered cache hierarchy. The value 0 or 1 is returned indicating that the host is marked as down '0' or marked as up '1'. If a host is marked as down, it will not be used as the next hop parent, another host marked as up will be chosen. + + .. program:: traffic_ctl host + .. option:: down --time seconds --reason 'active|local|manual' HOSTNAME [HOSTNAME ...] +--- a/doc/developer-guide/api/functions/TSCacheRemove.en.rst ++++ b/doc/developer-guide/api/functions/TSCacheRemove.en.rst +@@ -41,4 +41,4 @@ the cache calls :arg:`contp` back with t + In both of these callbacks, the user (:arg:`contp`) does not have to do + anything. The user does not get any vconnection from the cache, since + no data needs to be transferred. When the cache calls :arg:`contp` back with +-:data:`TS_EVENT_CACHE_REMOVE`, the remove has already been commited. ++:data:`TS_EVENT_CACHE_REMOVE`, the remove has already been committed. +--- a/doc/developer-guide/api/functions/TSContSchedule.en.rst ++++ b/doc/developer-guide/api/functions/TSContSchedule.en.rst +@@ -32,7 +32,7 @@ Description + =========== + + Schedules :arg:`contp` to run :arg:`delay` milliseconds in the future. This is approximate. The delay +-will be at least :arg:`delay` but possibly more. Resultions finer than roughly 5 milliseconds will ++will be at least :arg:`delay` but possibly more. Resolutions finer than roughly 5 milliseconds will + not be effective. :arg:`contp` is required to have a mutex, which is provided to + :func:`TSContCreate`. + +--- a/doc/developer-guide/api/functions/TSHttpConnectWithPluginId.en.rst ++++ b/doc/developer-guide/api/functions/TSHttpConnectWithPluginId.en.rst +@@ -79,7 +79,7 @@ virtual connection. + + The combination of :arg:`tag` and :arg:`id` is intended to enable correlation + in log post processing. The :arg:`tag` identifies the connection as related +-to the plugin and the :arg:`id` can be used in conjuction with plugin ++to the plugin and the :arg:`id` can be used in conjunction with plugin + generated logs to correlate the log records. + + Notes +--- a/doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst ++++ b/doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst +@@ -43,7 +43,7 @@ Description + + Some of the values that are set in :file:`records.config` can be changed for a + specific transaction. It is important to note that these functions change the +-configuration values stored for the transation, which is not quite the same as ++configuration values stored for the transaction, which is not quite the same as + changing the actual operating values of the transaction. The critical effect is + the value must be changed before it is used by the transaction - after that, + changes will not have any effect. +--- a/doc/developer-guide/api/functions/TSHttpTxnErrorBodySet.en.rst ++++ b/doc/developer-guide/api/functions/TSHttpTxnErrorBodySet.en.rst +@@ -36,4 +36,4 @@ Description + Note that both string arguments must be allocated with :c:func:`TSmalloc` or + :c:func:`TSstrdup`. The :arg:`mimetype` is optional, and if not provided it + defaults to :literal:`text/html`. Sending an empty string would prevent setting +-a content type header (but that is not adviced). ++a content type header (but that is not advised). +--- a/doc/developer-guide/api/functions/TSHttpTxnMilestoneGet.en.rst ++++ b/doc/developer-guide/api/functions/TSHttpTxnMilestoneGet.en.rst +@@ -138,7 +138,7 @@ is successful. + + .. macro:: TS_MILESTONE_LAST_ENTRY + +- A psuedo index which is set to be one more than the last valid index. This is useful for looping over the data. ++ A pseudo index which is set to be one more than the last valid index. This is useful for looping over the data. + + + * The server connect times predate the transmission of the :literal:`SYN` +--- a/doc/developer-guide/api/functions/TSHttpTxnServerIntercept.en.rst ++++ b/doc/developer-guide/api/functions/TSHttpTxnServerIntercept.en.rst +@@ -53,7 +53,7 @@ The response from the plugin is cached s + caching rules. Should the plugin wish the response not be cached, the plugin + must use appropriate HTTP response headers to prevent caching. The primary + purpose of :func:`TSHttpTxnServerIntercept` is allow plugins to provide gateways +-to other protocols or to allow to plugin to its own transport for the next hop ++to other protocols or to allow one to plugin to its own transport for the next hop + to the server. :func:`TSHttpTxnServerIntercept` overrides parent cache + configuration. + +--- a/doc/developer-guide/api/functions/TSIOBufferReader.en.rst ++++ b/doc/developer-guide/api/functions/TSIOBufferReader.en.rst +@@ -59,7 +59,7 @@ has two very important consequences -- + * Conversely keeping a reader around unused will pin the buffer data in memory. This can be useful or harmful. + + A buffer has a fixed amount of possible readers (currently 5) which is determined at compile +-time. Reader allocation is fast and cheap until this maxium is reached at which point it fails. ++time. Reader allocation is fast and cheap until this maximum is reached at which point it fails. + + :func:`TSIOBufferReaderAlloc` allocates a reader for the IO buffer :arg:`bufp`. This should only be + called on a newly allocated buffer. If not the location of the reader in the buffer will be +--- a/doc/developer-guide/api/functions/TSSslContext.en.rst ++++ b/doc/developer-guide/api/functions/TSSslContext.en.rst +@@ -36,11 +36,11 @@ Description + =========== + + :func:`TSSslContextFindByName` searches for a SSL server context +-created from :file:`ssl_multicert.config`, matching against the ++created from :file:`ssl_multicert.config`, matchingg against the + server :arg:`name`. + + :func:`TSSslContextFindByAddr` searches for a SSL server context +-created from :file:`ssl_multicert.config` matchin against the server ++created from :file:`ssl_multicert.config` matching against the server + :arg:`address`. + + +--- a/doc/developer-guide/api/functions/TSSslSession.en.rst ++++ b/doc/developer-guide/api/functions/TSSslSession.en.rst +@@ -46,7 +46,7 @@ The functions also work with the :type:` + + These functions perform the appropriate locking on the session cache to avoid errors. + +-The :func:`TSSslSessionGet` and :func:`TSSslSessionGetBuffer` functions retreive the :type:`TSSslSession` object that is identifed by the ++The :func:`TSSslSessionGet` and :func:`TSSslSessionGetBuffer` functions retrieve the :type:`TSSslSession` object that is identifed by the + :type:`TSSslSessionID` object. If there is no matching sesion object, :func:`TSSslSessionGet` returns NULL and :func:`TSSslSessionGetBuffer` + returns 0. + +--- a/doc/developer-guide/api/functions/TSStat.en.rst ++++ b/doc/developer-guide/api/functions/TSStat.en.rst +@@ -46,9 +46,9 @@ Description + + A plugin statistic is created by :func:`TSStatCreate`. The :arg:`name` must be globally unique and + should follow the standard dotted tag form. To avoid collisions and for easy of use the first tag +-should be the plugin name or something easily derived from it. Currently only integers are suppored ++should be the plugin name or something easily derived from it. Currently only integers are supported + therefore :arg:`type` must be :macro:`TS_RECORDDATATYPE_INT`. The return value is the index of the +-statistic. In general thsi should work but if it doesn't it will :code:`assert`. In particular, ++statistic. In general this should work but if it doesn't it will :code:`assert`. In particular, + creating the same statistic twice will fail in this way, which can happen if statistics are created + as part of or based on configuration files and |TS| is reloaded. + +--- a/doc/developer-guide/api/functions/TSVConnReenable.en.rst ++++ b/doc/developer-guide/api/functions/TSVConnReenable.en.rst +@@ -32,7 +32,7 @@ Description + =========== + + Reenable the SSL connection :arg:`svc`. If a plugin hook is called, ATS +-processing on that connnection will not resume until this is invoked for that ++processing on that connection will not resume until this is invoked for that + connection. + + If the server is running OpenSSL 1.0.1 with the appropraite patch installed or +--- a/doc/developer-guide/api/functions/TSfwrite.en.rst ++++ b/doc/developer-guide/api/functions/TSfwrite.en.rst +@@ -44,4 +44,4 @@ The behavior is undefined if length is g + Return Value + ============ + +-Returns the number of bytes actually written, or -1 if an error occured. ++Returns the number of bytes actually written, or -1 if an error occurred. +--- a/iocore/cache/CacheHosting.cc ++++ b/iocore/cache/CacheHosting.cc +@@ -715,7 +715,7 @@ ConfigVolumes::BuildListFromString(char + // added by YTS Team, yamsat for bug id 59632 + total += size; + if (size > 100 || total > 100) { +- err = "Total volume size added upto more than 100 percent, No volumes created"; ++ err = "Total volume size added up to more than 100 percent, No volumes created"; + break; + } + // ends here +--- a/iocore/eventsystem/IOBuffer.cc ++++ b/iocore/eventsystem/IOBuffer.cc +@@ -182,7 +182,7 @@ MIOBuffer::puts(char *s, int64_t len) + } + if (!*pb || *pb == '\n') { + int64_t n = (int64_t)(pb - s); +- memcpy(end(), s, n + 1); // Upto and including '\n' ++ memcpy(end(), s, n + 1); // Up to and including '\n' + end()[n + 1] = 0; + fill(n + 1); + return n + 1; +--- a/plugins/esi/lib/EsiProcessor.cc ++++ b/plugins/esi/lib/EsiProcessor.cc +@@ -305,7 +305,7 @@ EsiProcessor::process(const char *&data, + + /* FAILURE CACHE */ + FailureData *data = static_cast(pthread_getspecific(threadKey)); +- _debugLog("plugin_esi_failureInfo", "[%s]Fetched data related to thread specfic %p", __FUNCTION__, data); ++ _debugLog("plugin_esi_failureInfo", "[%s]Fetched data related to thread specific %p", __FUNCTION__, data); + + for (iter = try_iter->attempt_nodes.begin(); iter != try_iter->attempt_nodes.end(); ++iter) { + if ((iter->type == DocNode::TYPE_INCLUDE) || iter->type == DocNode::TYPE_SPECIAL_INCLUDE) { +@@ -342,7 +342,7 @@ EsiProcessor::process(const char *&data, + } + } + if (attempt_succeeded) { +- _debugLog(_debug_tag, "[%s] attempt section succeded; using attempt section", __FUNCTION__); ++ _debugLog(_debug_tag, "[%s] attempt section succeeded; using attempt section", __FUNCTION__); + _node_list.splice(try_iter->pos, try_iter->attempt_nodes); + } else { + _debugLog(_debug_tag, "[%s] attempt section errored; trying except section", __FUNCTION__); +@@ -436,7 +436,7 @@ EsiProcessor::flush(string &data, int &o + + /* FAILURE CACHE */ + FailureData *fdata = static_cast(pthread_getspecific(threadKey)); +- _debugLog("plugin_esi_failureInfo", "[%s]Fetched data related to thread specfic %p", __FUNCTION__, fdata); ++ _debugLog("plugin_esi_failureInfo", "[%s]Fetched data related to thread specific %p", __FUNCTION__, fdata); + + for (iter = try_iter->attempt_nodes.begin(); iter != try_iter->attempt_nodes.end(); ++iter) { + if ((iter->type == DocNode::TYPE_INCLUDE) || iter->type == DocNode::TYPE_SPECIAL_INCLUDE) { +@@ -473,7 +473,7 @@ EsiProcessor::flush(string &data, int &o + } + } + if (attempt_succeeded) { +- _debugLog(_debug_tag, "[%s] attempt section succeded; using attempt section", __FUNCTION__); ++ _debugLog(_debug_tag, "[%s] attempt section succeeded; using attempt section", __FUNCTION__); + _n_prescanned_nodes = _n_prescanned_nodes + try_iter->attempt_nodes.size(); + _node_list.splice(try_iter->pos, try_iter->attempt_nodes); + } else { +--- a/plugins/esi/lib/Variables.cc ++++ b/plugins/esi/lib/Variables.cc +@@ -437,18 +437,18 @@ Variables::_parseDictVariable(const std: + for (int i = 0; i < (var_size - 1); ++i) { + if (variable[i] == '{') { + if (paranth_index != -1) { +- _debugLog(_debug_tag, "[%s] Cannot have multiple paranthesis in dict variable [%.*s]", __FUNCTION__, var_size, var_ptr); ++ _debugLog(_debug_tag, "[%s] Cannot have multiple parenthesis in dict variable [%.*s]", __FUNCTION__, var_size, var_ptr); + return false; + } + paranth_index = i; + } + if (variable[i] == '}') { +- _debugLog(_debug_tag, "[%s] Cannot have multiple paranthesis in dict variable [%.*s]", __FUNCTION__, var_size, var_ptr); ++ _debugLog(_debug_tag, "[%s] Cannot have multiple parenthesis in dict variable [%.*s]", __FUNCTION__, var_size, var_ptr); + return false; + } + } + if (paranth_index == -1) { +- _debugLog(_debug_tag, "[%s] Could not find opening paranthesis in variable [%.*s]", __FUNCTION__, var_size, var_ptr); ++ _debugLog(_debug_tag, "[%s] Could not find opening parenthesis in variable [%.*s]", __FUNCTION__, var_size, var_ptr); + return false; + } + if (paranth_index == 0) { +--- a/plugins/experimental/collapsed_forwarding/collapsed_forwarding.cc ++++ b/plugins/experimental/collapsed_forwarding/collapsed_forwarding.cc +@@ -353,7 +353,7 @@ TSRemapInit(TSRemapInterface * /* api_in + TSError("Cannot initialize %s as both global and remap plugin", DEBUG_TAG); + return TS_ERROR; + } else { +- TSDebug(DEBUG_TAG, "plugin is succesfully initialized for remap"); ++ TSDebug(DEBUG_TAG, "plugin is successfully initialized for remap"); + return TS_SUCCESS; + } + } +--- a/plugins/experimental/fq_pacing/fq_pacing.c ++++ b/plugins/experimental/fq_pacing/fq_pacing.c +@@ -118,7 +118,7 @@ TSRemapInit(TSRemapInterface *api_info, + return TS_ERROR; + } + +- TSDebug(PLUGIN_NAME, "plugin is succesfully initialized"); ++ TSDebug(PLUGIN_NAME, "plugin is successfully initialized"); + return TS_SUCCESS; + } + +--- a/plugins/experimental/header_normalize/header_normalize.cc ++++ b/plugins/experimental/header_normalize/header_normalize.cc +@@ -158,7 +158,7 @@ TSRemapInit(TSRemapInterface *api_info, + return TS_ERROR; + } + buildHdrMap(); +- TSDebug(PLUGIN_NAME, "plugin is succesfully initialized"); ++ TSDebug(PLUGIN_NAME, "plugin is successfully initialized"); + return TS_SUCCESS; + } + +--- a/plugins/experimental/prefetch/plugin.cc ++++ b/plugins/experimental/prefetch/plugin.cc +@@ -202,7 +202,7 @@ evaluate(const String &v) + } else { + stmt.assign(v); + } +- PrefetchDebug("statement: '%s', formating length: %zu", stmt.c_str(), len); ++ PrefetchDebug("statement: '%s', formatting length: %zu", stmt.c_str(), len); + + int result = 0; + pos = stmt.find_first_of("+-"); +--- a/plugins/experimental/url_sig/url_sig.c ++++ b/plugins/experimental/url_sig/url_sig.c +@@ -98,7 +98,7 @@ TSRemapInit(TSRemapInterface *api_info, + return TS_ERROR; + } + +- TSDebug(PLUGIN_NAME, "plugin is succesfully initialized"); ++ TSDebug(PLUGIN_NAME, "plugin is successfully initialized"); + return TS_SUCCESS; + } + +--- a/plugins/generator/generator.cc ++++ b/plugins/generator/generator.cc +@@ -609,7 +609,7 @@ GeneratorTxnHook(TSCont contp, TSEvent e + TSReleaseAssert(TSHttpTxnCacheLookupStatusGet(arg.txn, &status) == TS_SUCCESS); + if (status != TS_CACHE_LOOKUP_HIT_FRESH) { + // This transaction is going to be a cache miss, so intercept it. +- VDEBUG("intercepting orgin server request for txn=%p", arg.txn); ++ VDEBUG("intercepting origin server request for txn=%p", arg.txn); + TSHttpTxnServerIntercept(TSContCreate(GeneratorInterceptionHook, TSMutexCreate()), arg.txn); + } + +--- a/plugins/header_rewrite/header_rewrite.cc ++++ b/plugins/header_rewrite/header_rewrite.cc +@@ -339,7 +339,7 @@ TSPluginInit(int argc, const char *argv[ + // just appended to the configurations. + TSDebug(PLUGIN_NAME, "Loading global configuration file %s", argv[i]); + if (conf->parse_config(argv[i], TS_HTTP_READ_RESPONSE_HDR_HOOK)) { +- TSDebug(PLUGIN_NAME, "Succesfully loaded global config file %s", argv[i]); ++ TSDebug(PLUGIN_NAME, "Successfully loaded global config file %s", argv[i]); + got_config = true; + } else { + TSError("[header_rewrite] failed to parse configuration file %s", argv[i]); +@@ -410,7 +410,7 @@ TSRemapNewInstance(int argc, char *argv[ + delete conf; + return TS_ERROR; + } else { +- TSDebug(PLUGIN_NAME, "Succesfully loaded remap config file %s", argv[i]); ++ TSDebug(PLUGIN_NAME, "Successfully loaded remap config file %s", argv[i]); + } + } + +--- a/plugins/s3_auth/s3_auth.cc ++++ b/plugins/s3_auth/s3_auth.cc +@@ -869,7 +869,7 @@ event_handler(TSCont cont, TSEvent event + } + + if (TS_HTTP_STATUS_OK == status) { +- TSDebug(PLUGIN_NAME, "Succesfully signed the AWS S3 URL"); ++ TSDebug(PLUGIN_NAME, "Successfully signed the AWS S3 URL"); + } else { + TSDebug(PLUGIN_NAME, "Failed to sign the AWS S3 URL, status = %d", status); + TSHttpTxnStatusSet(txnp, status); +--- a/src/traffic_cache_tool/CacheTool.cc ++++ b/src/traffic_cache_tool/CacheTool.cc +@@ -869,7 +869,7 @@ Span::updateHeader() + zret.push(0, errno, "Failed to update span - ", strerror(errno)); + } + } else { +- std::cout << "Writing not enabled, no updates perfomed" << std::endl; ++ std::cout << "Writing not enabled, no updates performed" << std::endl; + } + return zret; + } +--- a/src/traffic_crashlog/traffic_crashlog.cc ++++ b/src/traffic_crashlog/traffic_crashlog.cc +@@ -198,7 +198,7 @@ main(int /* argc ATS_UNUSED */, const ch + mgmterr = TSInit(nullptr, (TSInitOptionT)(TS_MGMT_OPT_NO_EVENTS | TS_MGMT_OPT_NO_SOCK_TESTS)); + if (mgmterr != TS_ERR_OKAY) { + char *msg = TSGetErrorMessage(mgmterr); +- Warning("failed to intialize management API: %s", msg); ++ Warning("failed to initialize management API: %s", msg); + TSfree(msg); + } + +--- a/src/traffic_logstats/logstats.cc ++++ b/src/traffic_logstats/logstats.cc +@@ -1828,7 +1828,7 @@ process_file(int in_fd, off_t offset, un + unsigned second_read_size = sizeof(LogBufferHeader) - first_read_size; + nread = read(in_fd, &buffer[first_read_size], second_read_size); + if (!nread || EOF == nread) { +- Debug("logstats", "Second read of header failed (attemped %d bytes at offset %d, got nothing), errno=%d.", second_read_size, ++ Debug("logstats", "Second read of header failed (attempted %d bytes at offset %d, got nothing), errno=%d.", second_read_size, + first_read_size, errno); + return 1; + } +--- a/src/traffic_manager/traffic_manager.cc ++++ b/src/traffic_manager/traffic_manager.cc +@@ -142,7 +142,7 @@ rotateLogs() + if (kill(tspid, SIGUSR2) != 0) { + mgmt_log("Could not send SIGUSR2 to TS: %s", strerror(errno)); + } else { +- mgmt_log("Succesfully sent SIGUSR2 to TS!"); ++ mgmt_log("Successfully sent SIGUSR2 to TS!"); + } + } + } +--- a/src/traffic_server/CoreUtils.h ++++ b/src/traffic_server/CoreUtils.h +@@ -44,7 +44,7 @@ + #define PC_REGNUM 12 /* Contains program counter EIP */ + #define FP_REGNUM 5 /* Virtual frame pointer EBP */ + #define NO_OF_ARGS \ +- 10 /* The argument depth upto which we would be looking into \ ++ 10 /* The argument depth up to which we would be looking into \ + the stack */ + + // contains local and in registers, frame pointer, and stack base +@@ -63,7 +63,7 @@ struct core_stack_state { + #include + + #define NO_OF_ARGS \ +- 10 /* The argument depth upto which we would be looking into \ ++ 10 /* The argument depth up to which we would be looking into \ + the stack */ + + // contains local and in registers, frame pointer, and stack base +--- a/src/traffic_server/InkAPITest.cc ++++ b/src/traffic_server/InkAPITest.cc +@@ -4225,7 +4225,7 @@ REGRESSION_TEST(SDK_API_TSHttpHdr)(Regre + SDK_RPRINT(test, "TSHttpHdrUrlSet&Get", "TestCase1", TC_FAIL, "TSHttpHdrUrlSet returns TS_ERROR"); + } else { + if (TSHttpHdrUrlGet(bufp1, hdr_loc1, &url_loc_Get) != TS_SUCCESS) { +- SDK_RPRINT(test, "TSHttpHdrUrlSet&Get", "TestCase1", TC_FAIL, "TSHttpHdrUrlGet retuns TS_ERROR"); ++ SDK_RPRINT(test, "TSHttpHdrUrlSet&Get", "TestCase1", TC_FAIL, "TSHttpHdrUrlGet returns TS_ERROR"); + } else { + if (url_loc == url_loc_Get) { + SDK_RPRINT(test, "TSHttpHdrUrlSet&Get", "TestCase1", TC_PASS, "ok"); +--- a/src/tscore/ArgParser.cc ++++ b/src/tscore/ArgParser.cc +@@ -154,7 +154,7 @@ ArgParser::parse(const char **argv) + }; + // if there is anything left, then output usage + if (!args.empty()) { +- std::string msg = "Unkown command, option or args:"; ++ std::string msg = "Unknown command, option or args:"; + for (auto it : args) { + msg = msg + " '" + it + "'"; + } +--- a/iocore/net/Socks.cc ++++ b/iocore/net/Socks.cc +@@ -694,7 +694,7 @@ socks5PasswdAuthHandler(int event, unsig + // NEC thinks it is 5 RFC seems to indicate 1. + switch (p[1]) { + case 0: +- Debug("Socks", "Username/Passwd succeded"); ++ Debug("Socks", "Username/Passwd succeeded"); + *h_ptr = nullptr; + break; + +--- a/iocore/net/UnixUDPNet.cc ++++ b/iocore/net/UnixUDPNet.cc +@@ -628,7 +628,7 @@ UDPNetProcessor::CreateUDPSocket(int *re + } + + if (safe_getsockname(fd, &local_addr.sa, &local_addr_len) < 0) { +- Debug("udpnet", "CreateUdpsocket: getsockname didnt' work"); ++ Debug("udpnet", "CreateUdpsocket: getsockname didn't work"); + goto HardError; + } + } +--- a/mgmt/Rollback.cc ++++ b/mgmt/Rollback.cc +@@ -133,7 +133,7 @@ Rollback::Rollback(const char *fileName_ + mgmt_log("[RollBack::Rollback] Automatic Rollback to prior version failed for %s : %s\n", fileName, strerror(errno)); + needZeroLength = true; + } else { +- mgmt_log("[RollBack::Rollback] Automatic Rollback to version succeded for %s\n", fileName, strerror(errno)); ++ mgmt_log("[RollBack::Rollback] Automatic Rollback to version succeeded for %s\n", fileName, strerror(errno)); + needZeroLength = false; + highestSeen--; + // Since we've made the highestVersion active +--- a/proxy/logging/LogBuffer.cc ++++ b/proxy/logging/LogBuffer.cc +@@ -270,7 +270,7 @@ LogBuffer::checkout_write(size_t *write_ + } + + if (switch_state(old_s, new_s)) { +- // we succeded in setting the new state ++ // we succeeded in setting the new state + break; + } + } +--- a/proxy/logging/LogObject.cc ++++ b/proxy/logging/LogObject.cc +@@ -420,7 +420,7 @@ LogObject::_checkout_write(size_t *write + + switch (result_code) { + case LogBuffer::LB_OK: +- // checkout succeded ++ // checkout succeeded + retry = false; + break; + +--- a/doc/admin-guide/plugins/header_rewrite.en.rst ++++ b/doc/admin-guide/plugins/header_rewrite.en.rst +@@ -330,7 +330,7 @@ The data that can be checked is :: + %{INBOUND:REMOTE-PORT} The client port for the connection. + %{INBOUND:TLS} The TLS protocol if the connection is over TLS, otherwise the empty string. + %{INBOUND:H2} The string "h2" if the connection is HTTP/2, otherwise the empty string. +- %{INBOUND:IPV4} The string "ipv4" if the connection is IPv4, otherwise the emtpy string. ++ %{INBOUND:IPV4} The string "ipv4" if the connection is IPv4, otherwise the empty string. + %{INBOUND:IPV6} The string "ipv6" if the connection is IPv6, otherwise the empty string. + %{INBOUND:IP-FAMILY} The IP family, either "ipv4" or "ipv6". + %{INBOUND:STACK} The full protocol stack separated by ','. +@@ -836,7 +836,7 @@ Variable Description + % The TLS protocol for the inbound connection if it is over TLS, otherwise the + empty string. + % The string "h2" if the inbound connection is HTTP/2, otherwise the empty string. +-% The string "ipv4" if the inbound connection is IPv4, otherwise the emtpy string. ++% The string "ipv4" if the inbound connection is IPv4, otherwise the empty string. + % The string "ipv6" if the inbound connection is IPv6, otherwise the empty string. + % The IP family of the inbound connection (either "ipv4" or "ipv6"). + % The full protocol stack of the inbound connection separated by ','. +--- a/iocore/dns/SplitDNS.cc ++++ b/iocore/dns/SplitDNS.cc +@@ -341,7 +341,7 @@ SplitDNSRecord::ProcessDNSHosts(char *va + if (tmp - current > (MAXDNAME - 1)) { + return "DNS server name (ip) is too long"; + } else if (tmp - current == 0) { +- return "server string is emtpy"; ++ return "server string is empty"; + } + *tmp = 0; + } +--- a/lib/records/RecHttp.cc ++++ b/lib/records/RecHttp.cc +@@ -435,7 +435,7 @@ HttpProxyPort::processOptions(const char + if (in_ip_set_p && m_family != m_inbound_ip.family()) { + std::string_view iname{ats_ip_family_name(m_inbound_ip.family())}; + std::string_view fname{ats_ip_family_name(m_family)}; +- Warning("Invalid port descriptor '%s' - the inbound adddress family [%.*s] is not the same type as the explicit family value " ++ Warning("Invalid port descriptor '%s' - the inbound address family [%.*s] is not the same type as the explicit family value " + "[%.*s]", + opts, static_cast(iname.size()), iname.data(), static_cast(fname.size()), fname.data()); + zret = false; +--- a/proxy/ParentSelection.cc ++++ b/proxy/ParentSelection.cc +@@ -517,7 +517,7 @@ ParentRecord::ProcessParents(char *val, + errPtr = "Parent hostname is too long"; + goto MERROR; + } else if (tmp - current == 0) { +- errPtr = "Parent string is emtpy"; ++ errPtr = "Parent string is empty"; + goto MERROR; + } + // Update the pRecords +--- a/src/tscore/HostLookup.cc ++++ b/src/tscore/HostLookup.cc +@@ -50,7 +50,7 @@ domaincmp(const char *hostname, const ch + const char *host_cur = hostname + strlen(hostname); + const char *domain_cur = domain + strlen(domain); + +- // Check to see if were passed emtpy stings for either ++ // Check to see if were passed empty stings for either + // argument. Empty strings do not match anything + // + if (domain_cur == domain || host_cur == hostname) { +@@ -380,7 +380,7 @@ charIndex::Insert(const char *match_data + + // Check to see if are at the level we supposed be at + if (*(match_data + 1) == '\0') { +- // The slot should always be emtpy, no duplicate ++ // The slot should always be empty, no duplicate + // keys are allowed + ink_assert(cur->branch_array[index] == nullptr); + cur->branch_array[index] = toInsert; +--- a/build/pkg.m4 ++++ b/build/pkg.m4 +@@ -53,7 +53,7 @@ fi[]dnl + # to PKG_CHECK_MODULES(), but does not set variables or print errors. + # + # Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +-# only at the first occurence in configure.ac, so if the first place ++# only at the first occurrence in configure.ac, so if the first place + # it's called might be skipped (such as if it is within an "if", you + # have to call PKG_CHECK_EXISTS manually + # -------------------------------------------------------------- +--- a/include/tscpp/util/TextView.h ++++ b/include/tscpp/util/TextView.h +@@ -264,7 +264,7 @@ public: + self_type prefix(size_t n) const; + /// Convenience overload to avoid ambiguity for literal numbers. + self_type prefix(int n) const; +- /** Get the prefix delimited by the first occurence of the character @a c. ++ /** Get the prefix delimited by the first occurrence of the character @a c. + + If @a c is not found the entire view is returned. + The delimiter character is not included in the returned view. +@@ -272,7 +272,7 @@ public: + @return A view of the prefix. + */ + self_type prefix(char c) const; +- /** Get the prefix delimited by the first occurence of a character in @a delimiters. ++ /** Get the prefix delimited by the first occurrence of a character in @a delimiters. + + If no such character is found the entire view is returned. + The delimiter character is not included in the returned view. +--- a/iocore/cache/CacheVol.cc ++++ b/iocore/cache/CacheVol.cc +@@ -400,7 +400,7 @@ CacheVC::scanOpenWrite(int /* event ATS_ + // get volume lock + if (writer_lock_retry > SCAN_WRITER_LOCK_MAX_RETRY) { + int r = _action.continuation->handleEvent(CACHE_EVENT_SCAN_OPERATION_BLOCKED, nullptr); +- Debug("cache_scan", "still havent got the writer lock, asking user.."); ++ Debug("cache_scan", "still haven't got the writer lock, asking user.."); + switch (r) { + case CACHE_SCAN_RESULT_RETRY: + writer_lock_retry = 0; +--- a/iocore/eventsystem/I_IOBuffer.h ++++ b/iocore/eventsystem/I_IOBuffer.h +@@ -680,7 +680,7 @@ public: + /** + Perform a memchr() across the list of IOBufferBlocks. Returns the + offset from the current start point of the reader to the first +- occurence of character 'c' in the buffer. ++ occurrence of character 'c' in the buffer. + + @param c character to look for. + @param len number of characters to check. If len exceeds the number +--- a/iocore/net/OCSPStapling.cc ++++ b/iocore/net/OCSPStapling.cc +@@ -99,7 +99,7 @@ stapling_get_issuer(SSL_CTX *ssl_ctx, X5 + + #ifdef SSL_CTX_select_current_cert + if (!SSL_CTX_select_current_cert(ssl_ctx, x)) { +- Warning("OCSP: could not select current certifcate chain %p", x); ++ Warning("OCSP: could not select current certificate chain %p", x); + } + #endif + +--- a/mgmt/Alarms.cc ++++ b/mgmt/Alarms.cc +@@ -297,7 +297,7 @@ Alarms::signalAlarm(alarm_t a, const cha + (*(func))(a, ip, desc); + } + +- /* Priority 2 alarms get signalled if they are the first unsolved occurence. */ ++ /* Priority 2 alarms get signalled if they are the first unsolved occurrence. */ + if (priority == 2 && !ip) { + execAlarmBin(desc); + } +--- a/proxy/http/HttpSessionManager.cc ++++ b/proxy/http/HttpSessionManager.cc +@@ -204,7 +204,7 @@ ServerSessionPool::eventHandler(int even + if (connection_count_below_min) { + Debug("http_ss", + "[%" PRId64 "] [session_bucket] session received io notice [%s], " +- "reseting timeout to maintain minimum number of connections", ++ "resetting timeout to maintain minimum number of connections", + s->con_id, HttpDebugNames::get_event_name(event)); + s->get_netvc()->set_inactivity_timeout(s->get_netvc()->get_inactivity_timeout()); + s->get_netvc()->set_active_timeout(s->get_netvc()->get_active_timeout()); +--- a/plugins/lua/ts_lua_transform.c ++++ b/plugins/lua/ts_lua_transform.c +@@ -89,7 +89,7 @@ ts_lua_transform_handler(TSCont contp, t + empty_input = 0; + if (!TSVIOBufferGet(input_vio)) { + if (transform_ctx->output.vio) { +- TSDebug(TS_LUA_DEBUG_TAG, "[%s] reenabling ouput VIO after input VIO does not exist", __FUNCTION__); ++ TSDebug(TS_LUA_DEBUG_TAG, "[%s] reenabling output VIO after input VIO does not exist", __FUNCTION__); + TSVIONBytesSet(transform_ctx->output.vio, transform_ctx->total); + TSVIOReenable(transform_ctx->output.vio); + return 0; +--- a/proxy/hdrs/HdrHeap.cc ++++ b/proxy/hdrs/HdrHeap.cc +@@ -965,7 +965,7 @@ HdrHeap::unmarshal(int buf_length, int o + // Nothing to do + break; + default: +- fprintf(stderr, "WARNING: Unmarshal failed due to unknow obj type %d after %d bytes", (int)obj->m_type, ++ fprintf(stderr, "WARNING: Unmarshal failed due to unknown obj type %d after %d bytes", (int)obj->m_type, + (int)(obj_data - (char *)this)); + dump_heap(unmarshal_size); + return -1; diff --git a/patches/0013-fix-perl-interpreter-path.patch b/patches/0013-fix-perl-interpreter-path.patch new file mode 100644 index 00000000..4866f34b --- /dev/null +++ b/patches/0013-fix-perl-interpreter-path.patch @@ -0,0 +1,14 @@ +Description: Fix Perl interpreter path +Author: Jean Baptiste Favre +Reviewed-by: Jean Baptiste Favre +Last-Update: 2019-01-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/tools/tspush ++++ b/tools/tspush +@@ -1,4 +1,4 @@ +-#!/usr/bin/env perl ++#!/usr/bin/perl + + # + # Licensed to the Apache Software Foundation (ASF) under one diff --git a/patches/0014-use_system_yaml-cpp.patch b/patches/0014-use_system_yaml-cpp.patch new file mode 100644 index 00000000..f62ae20e --- /dev/null +++ b/patches/0014-use_system_yaml-cpp.patch @@ -0,0 +1,42 @@ +Description: Update compilation chain after embedded libyamlcpp removal +Author: Jean Baptiste Favre +Origin: other +Reviewed-by: Jean Baptiste Favre +Last-Update: 2019-01-30 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -41,7 +41,6 @@ include_directories(lib + proxy/shared + lib/records + include/wccp +- lib/yamlcpp/include + iocore/eventsystem + iocore/net + iocore/dns +--- a/configure.ac ++++ b/configure.ac +@@ -2073,7 +2073,6 @@ AC_CONFIG_FILES([ + include/tscore/ink_config.h + lib/tsconfig/Makefile + src/wccp/Makefile +- lib/yamlcpp/Makefile + mgmt/Makefile + mgmt/api/Makefile + mgmt/api/include/Makefile +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -25,12 +25,6 @@ endif + # to prevent Clang Analyzer warning + LOCAL = + +-if BUILD_YAML_CPP +-LOCAL += yamlcpp +-endif +- + all-local: $(LOCAL) +- $(MAKE) -C yamlcpp + + clean-local: +- $(MAKE) -C yamlcpp clean diff --git a/patches/0015-as-needed-fix.patch b/patches/0015-as-needed-fix.patch new file mode 100644 index 00000000..43a2f2fb --- /dev/null +++ b/patches/0015-as-needed-fix.patch @@ -0,0 +1,30 @@ +Description: Fix LDFLAGS usage, +Author: Gianfranco Costamagna + +Forwarded: https://github.com/apache/trafficserver/pull/4793 +Last-Update: 2019-01-12 + +--- a/build/common.m4 ++++ b/build/common.m4 +@@ -196,17 +196,17 @@ AC_DEFUN([TS_TRY_COMPILE_NO_WARNING], + ]) + + dnl +-dnl TS_LINK_WITH_FLAGS_IFELSE(LDFLAGS, FUNCTION-BODY, ++dnl TS_LINK_WITH_FLAGS_IFELSE(LIBS, FUNCTION-BODY, + dnl [ACTIONS-IF-LINKS], [ACTIONS-IF-LINK-FAILS]) + dnl + dnl Tries a link test with the provided flags. + dnl + + AC_DEFUN([TS_LINK_WITH_FLAGS_IFELSE], +-[ats_save_LDFLAGS=$LDFLAGS +- LDFLAGS="$LDFLAGS $1" ++[ats_save_LIBS=$LIBS ++ LIBS="$LIBS $1" + AC_LINK_IFELSE([$2],[$3],[$4]) +- LDFLAGS=$ats_save_LDFLAGS ++ LIBS=$ats_save_LIBS + ]) + + diff --git a/patches/0016-fix_python_3.8.patch b/patches/0016-fix_python_3.8.patch new file mode 100644 index 00000000..5523f6d3 --- /dev/null +++ b/patches/0016-fix_python_3.8.patch @@ -0,0 +1,18 @@ +Description: Fix test for python 3.8 +Author: Matthias Klose +Reviewed-by: Jean Baptiste Favre +Last-Update: 2020-02-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/tests/bootstrap.py ++++ b/tests/bootstrap.py +@@ -81,7 +81,8 @@ def command_output(cmd_str): + + + def get_distro(): +- return platform.linux_distribution() ++ import distro ++ return distro.linux_distribution() + + + def distro_version(): diff --git a/patches/0017-fix_sphinx_3.0.patch b/patches/0017-fix_sphinx_3.0.patch new file mode 100644 index 00000000..c47b4237 --- /dev/null +++ b/patches/0017-fix_sphinx_3.0.patch @@ -0,0 +1,82 @@ +Description: Remove python2 vestiges from conf.py, traffic-server.py. +Author: Alan M. Carroll +Origin: upstream +Applied-Upstream: https://github.com/apache/trafficserver/commit/096b2590b6111dd16ec19ca24f88ff41d069f2d0 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2020-07-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/doc/ext/traffic-server.py ++++ b/doc/ext/traffic-server.py +@@ -31,7 +31,7 @@ from docutils.parsers import rst + from docutils.parsers.rst import directives + from sphinx.domains import Domain, ObjType, std + from sphinx.roles import XRefRole +-from sphinx.locale import l_, _ ++from sphinx.locale import _ + import sphinx + + import subprocess +@@ -301,8 +301,8 @@ class TrafficServerDomain(Domain): + data_version = 2 + + object_types = { +- 'cv': ObjType(l_('configuration variable'), 'cv'), +- 'stat': ObjType(l_('statistic'), 'stat') ++ 'cv': ObjType(_('configuration variable'), 'cv'), ++ 'stat': ObjType(_('statistic'), 'stat') + } + + directives = { +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -57,7 +57,9 @@ extensions = [ + ] + + # Contains values that are dependent on configure.ac. +-execfile('ext/local-config.py') ++LOCAL_CONFIG = 'ext/local-config.py' ++with open(LOCAL_CONFIG) as f : ++ exec(compile(f.read(), LOCAL_CONFIG, 'exec')) + + if version_info >= (1, 4): + extensions.append('sphinx.ext.imgmath') +@@ -114,7 +116,7 @@ gettext_compact = False + # Generate .mo files just in time + if os.environ.get('READTHEDOCS') == 'True': + import polib +- print "Generating .mo files", ++ print("Generating .mo files"), + for locale_dir in locale_dirs: + for path, dummy, filenames in os.walk(locale_dir): + for filename in filenames: +@@ -124,7 +126,7 @@ if os.environ.get('READTHEDOCS') == 'Tru + mo_file = base + ".mo" + po = polib.pofile(po_file) + po.save_as_mofile(fpath=mo_file) +- print "done" ++ print("done") + else: + # On RedHat-based distributions, install the python-sphinx_rtd_theme package + # to get an end result tht looks more like readthedoc.org. +@@ -213,7 +215,7 @@ class Inliner(states.Inliner): + punctuation_chars.closers)) + + issue = re.compile( +- ur''' ++ r''' + {start_string_prefix} + TS-\d+ + {end_string_suffix}'''.format( +@@ -344,9 +346,9 @@ latex_elements = { + #'preamble': '', + } + +-if tags.has('latex_a4'): ++if 'latex_a4' in tags: + latex_elements['papersize'] = 'a4paper' +-elif tags.has('latex_paper'): ++elif 'latex_paper' in tags: + latex_elements['papersiize'] = 'letterpaper' + + # Grouping the document tree into LaTeX files. List of tuples diff --git a/patches/0018-Fixes-7971.patch b/patches/0018-Fixes-7971.patch new file mode 100644 index 00000000..c862438f --- /dev/null +++ b/patches/0018-Fixes-7971.patch @@ -0,0 +1,153 @@ +From: Evan Zelkowitz +Date: Tue, 22 Jun 2021 14:32:55 -0700 +Subject: Fixes (#7971) +Origin: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27577 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32565 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32566 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32567 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-35474 +Bug-Debian: https://bugs.debian.org/990303 + +* String the url fragment for outgoing requests (#7966) + +Co-authored-by: Susan Hinrichs +(cherry picked from commit 2b13eb33794574e62249997b4ba654d943a10f2d) + +* Ensure that the content-length value is only digits (#7964) + +Co-authored-by: Susan Hinrichs +(cherry picked from commit 668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca) + +* Schedule H2 reenable event only if it's necessary + +Co-authored-by: Katsutoshi Ikenoya + +* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945) + +* Fix dynamic-stack-buffer-overflow of cachekey plugin + +* Check dst_size include null termination + +(cherry picked from commit 5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b) + +Co-authored-by: Bryan Call +Co-authored-by: Masakazu Kitajo +Co-authored-by: Katsutoshi Ikenoya +Co-authored-by: Masaori Koshiba +--- + plugins/cachekey/cachekey.cc | 2 +- + proxy/hdrs/HTTP.cc | 11 +++++++++++ + proxy/http/HttpTransact.cc | 5 ++++- + proxy/http2/Http2ClientSession.cc | 14 +++++++------- + proxy/logging/LogUtils.cc | 2 +- + 5 files changed, 24 insertions(+), 10 deletions(-) + +diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc +index 5f128894bfa8..44925b3db280 100644 +--- a/plugins/cachekey/cachekey.cc ++++ b/plugins/cachekey/cachekey.cc +@@ -41,7 +41,7 @@ appendEncoded(String &target, const char *s, size_t len) + return; + } + +- char tmp[len * 2]; ++ char tmp[len * 3 + 1]; + size_t written; + + /* The default table does not encode the comma, so we need to use our own table here. */ +diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc +index 6a2ecc41d3ad..48032dd9ddf4 100644 +--- a/proxy/hdrs/HTTP.cc ++++ b/proxy/hdrs/HTTP.cc +@@ -1202,6 +1202,17 @@ validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh) + int content_length_len = 0; + const char *content_length_val = content_length_field->value_get(&content_length_len); + ++ // RFC 7230 section 3.3.2 ++ // Content-Length = 1*DIGIT ++ // ++ // If the content-length value contains a non-numeric value, the header is invalid ++ for (int i = 0; i < content_length_len; i++) { ++ if (!isdigit(content_length_val[i])) { ++ Debug("http", "Content-Length value contains non-digit, returning parse error"); ++ return PARSE_RESULT_ERROR; ++ } ++ } ++ + while (content_length_field->has_dups()) { + int content_length_len_2 = 0; + const char *content_length_val_2 = content_length_field->m_next_dup->value_get(&content_length_len_2); +diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc +index c3d135b98e88..2de29a8d08d8 100644 +--- a/proxy/http/HttpTransact.cc ++++ b/proxy/http/HttpTransact.cc +@@ -7619,9 +7619,12 @@ HttpTransact::build_request(State *s, HTTPHdr *base_request, HTTPHdr *outgoing_r + + // HttpTransactHeaders::convert_request(outgoing_version, outgoing_request); // commented out this idea + ++ URL *url = outgoing_request->url_get(); ++ // Remove fragment from upstream URL ++ url->fragment_set(NULL, 0); ++ + // Check whether a Host header field is missing from a 1.0 or 1.1 request. + if (outgoing_version != HTTPVersion(0, 9) && !outgoing_request->presence(MIME_PRESENCE_HOST)) { +- URL *url = outgoing_request->url_get(); + int host_len; + const char *host = url->host_get(&host_len); + +diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc +index 6d7d3de79923..ee952b8a2753 100644 +--- a/proxy/http2/Http2ClientSession.cc ++++ b/proxy/http2/Http2ClientSession.cc +@@ -82,11 +82,6 @@ Http2ClientSession::destroy() + void + Http2ClientSession::free() + { +- if (this->_reenable_event) { +- this->_reenable_event->cancel(); +- this->_reenable_event = nullptr; +- } +- + if (h2_pushed_urls) { + this->h2_pushed_urls = ink_hash_table_destroy(this->h2_pushed_urls); + } +@@ -107,6 +102,11 @@ Http2ClientSession::free() + REMEMBER(NO_EVENT, this->recursion) + Http2SsnDebug("session free"); + ++ if (this->_reenable_event) { ++ this->_reenable_event->cancel(); ++ this->_reenable_event = nullptr; ++ } ++ + // Don't free active ProxySession + ink_release_assert(is_active() == false); + +@@ -653,8 +653,8 @@ Http2ClientSession::remember(const SourceLocation &location, int event, int reen + bool + Http2ClientSession::_should_do_something_else() + { +- // Do something else every 128 incoming frames +- return (this->_n_frame_read & 0x7F) == 0; ++ // Do something else every 128 incoming frames if connection state isn't closed ++ return (this->_n_frame_read & 0x7F) == 0 && !connection_state.is_state_closed(); + } + + int64_t +diff --git a/proxy/logging/LogUtils.cc b/proxy/logging/LogUtils.cc +index 94becf250ac2..475bee87cad4 100644 +--- a/proxy/logging/LogUtils.cc ++++ b/proxy/logging/LogUtils.cc +@@ -343,7 +343,7 @@ escapify_url_common(Arena *arena, char *url, size_t len_in, int *len_out, char * + // + size_t out_len = len_in + 2 * count; + +- if (dst && out_len > dst_size) { ++ if (dst && (out_len + 1) > dst_size) { + *len_out = 0; + return nullptr; + } +-- +2.32.0 + diff --git a/patches/0019-CVE_2021_37147.patch b/patches/0019-CVE_2021_37147.patch new file mode 100644 index 00000000..4f7978d3 --- /dev/null +++ b/patches/0019-CVE_2021_37147.patch @@ -0,0 +1,49 @@ +Description: Fix output '\n' HTTP field line endings + This is another attempt to fix what was initially addressed in #8096 but + got backed out via #8305. That more extensive patch was considered too + invasive and potentially risky. This more targeted patch will fix + clients that only send the \n endings but it will force the \r\n line + ending on output. + This was mostly in place except for header lines that get + m_n_v_raw_printable set, which seems to be most header lines. The + addition checks to see if the header line ends in \r\n. If it does not + the m_n_v_raw_printable flag gets cleared and the logic that explicitly + adds the line endings while be invoked on output. +Author: Brian Neradt +Origin: upstream +Applied-Upstream: https://github.com/apache/trafficserver/commit/5cad961c87cb07fbb8fa6890685d9878a169378d +Reviewed-by: Jean Baptiste Favre +Last-Update: 2022-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trafficserver/proxy/hdrs/MIME.cc +=================================================================== +--- trafficserver.orig/proxy/hdrs/MIME.cc 2022-05-21 19:01:36.000000000 +0200 ++++ trafficserver/proxy/hdrs/MIME.cc 2022-05-21 19:02:12.210230747 +0200 +@@ -2652,8 +2652,17 @@ + + // find_value_last + field_value_last = line_e - 1; ++ int suffix_count = 0; + while ((field_value_last >= field_value_first) && ParseRules::is_wslfcr(*field_value_last)) { + --field_value_last; ++ ++suffix_count; ++ } ++ ++ // Make sure the field ends in CRLF. If not, we'll fix the field via the n_v_raw_printable ++ // flag. ++ bool raw_print_field = true; ++ if (suffix_count < 2 || *(line_e - 2) != '\r' || *(line_e - 1) != '\n') { ++ raw_print_field = false; + } + + field_name_length = (int)(field_name_last - field_name_first + 1); +@@ -2690,7 +2699,7 @@ + + MIMEField *field = mime_field_create(heap, mh); + mime_field_name_value_set(heap, mh, field, field_name_wks_idx, field_name_first, field_name_length, field_value_first, +- field_value_length, true, total_line_length, false); ++ field_value_length, raw_print_field, total_line_length, false); + mime_hdr_field_attach(mh, field, 1, nullptr); + } + } diff --git a/patches/0019-CVE_2021_37148.patch b/patches/0019-CVE_2021_37148.patch new file mode 100644 index 00000000..eea3a3bc --- /dev/null +++ b/patches/0019-CVE_2021_37148.patch @@ -0,0 +1,37 @@ +Description: Reject Transfer-Encoding in pre-HTTP/1.1 requests + Per spec, Transfer-Encoding is only supported in HTTP/1.1. For earlier + versions, we must reject Transfer-Encoding rather than interpret it + since downstream proxies may ignore the chunk header and rely upon the + Content-Length, or interpret the body some other way. These differences + in interpretation may open up the door to compatibility issues. To + protect against this, we reply with a 4xx if the client uses + Transfer-Encoding with HTTP versions that do not support it. +Author: Brian Neradt +Origin: upstream +Applied-Upstream: https://github.com/apache/trafficserver/commit/e2c9ac217f24dc3e91ff2c9f52b52093e8fb32d5 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2022-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trafficserver/proxy/http/HttpTransact.cc +=================================================================== +--- trafficserver.orig/proxy/http/HttpTransact.cc 2022-05-21 18:55:58.801202772 +0200 ++++ trafficserver/proxy/http/HttpTransact.cc 2022-05-21 19:06:47.056189813 +0200 +@@ -5174,6 +5174,17 @@ + return BAD_CONNECT_PORT; + } + ++ if (s->client_info.transfer_encoding == CHUNKED_ENCODING && incoming_hdr->version_get() < HTTPVersion(1, 1)) { ++ // Per spec, Transfer-Encoding is only supported in HTTP/1.1. For earlier ++ // versions, we must reject Transfer-Encoding rather than interpret it ++ // since downstream proxies may ignore the chunk header and rely upon the ++ // Content-Length, or interpret the body some other way. These ++ // differences in interpretation may open up the door to compatibility ++ // issues. To protect against this, we reply with a 4xx if the client ++ // uses Transfer-Encoding with HTTP versions that do not support it. ++ return UNACCEPTABLE_TE_REQUIRED; ++ } ++ + // Require Content-Length/Transfer-Encoding for POST/PUSH/PUT + if ((scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_HTTPS) && + (method == HTTP_WKSIDX_POST || method == HTTP_WKSIDX_PUSH || method == HTTP_WKSIDX_PUT) && diff --git a/patches/0019-CVE_2021_37149.patch b/patches/0019-CVE_2021_37149.patch new file mode 100644 index 00000000..71b8c105 --- /dev/null +++ b/patches/0019-CVE_2021_37149.patch @@ -0,0 +1,235 @@ +Description: Detect and handle chunk header size truncation + This detects if a chunk header size is too large and, if so, closes the + connection. +Author: Brian Neradt +Origin: upstream +Applied-Upstream: https://github.com/apache/trafficserver/commit/2addc8ca71449ceac0d5b80172460ee09c938f5e +Reviewed-by: Jean Baptiste Favre +Last-Update: 2022-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trafficserver/include/tscore/ink_memory.h +=================================================================== +--- trafficserver.orig/include/tscore/ink_memory.h 2022-05-21 18:55:58.637203619 +0200 ++++ trafficserver/include/tscore/ink_memory.h 2022-05-21 19:10:10.978804602 +0200 +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -204,6 +205,24 @@ + memset(static_cast(&t), 0, sizeof(t)); + } + ++/** Verify that we can safely shift value num_places places left. ++ * ++ * This checks that the shift will not cause the variable to overflow and that ++ * the value will not become negative. ++ * ++ * @param[in] value The value against which to check whether the shift is safe. ++ * ++ * @param[in] num_places The number of places to check that shifting left is safe. ++ * ++ */ ++template ++inline constexpr bool ++can_safely_shift_left(T value, int num_places) ++{ ++ constexpr auto max_value = std::numeric_limits::max(); ++ return value >= 0 && value <= (max_value >> num_places); ++} ++ + /** Scoped resources. + + An instance of this class is used to hold a contingent resource. When this object goes out of scope +Index: trafficserver/proxy/http/HttpTunnel.cc +=================================================================== +--- trafficserver.orig/proxy/http/HttpTunnel.cc 2022-05-21 18:55:58.801202772 +0200 ++++ trafficserver/proxy/http/HttpTunnel.cc 2022-05-21 19:10:10.982804575 +0200 +@@ -36,6 +36,7 @@ + #include "HttpSM.h" + #include "HttpDebugNames.h" + #include "tscore/ParseRules.h" ++#include "tscore/ink_memory.h" + + static const int min_block_transfer_bytes = 256; + static const char *const CHUNK_HEADER_FMT = "%" PRIx64 "\r\n"; +@@ -153,8 +154,16 @@ + if (state == CHUNK_READ_SIZE) { + // The http spec says the chunked size is always in hex + if (ParseRules::is_hex(*tmp)) { ++ // Make sure we will not overflow running_sum with our shift. ++ if (!can_safely_shift_left(running_sum, 4)) { ++ // We have no more space in our variable for the shift. ++ state = CHUNK_READ_ERROR; ++ done = true; ++ break; ++ } + num_digits++; +- running_sum *= 16; ++ // Shift over one hex value. ++ running_sum <<= 4; + + if (ParseRules::is_digit(*tmp)) { + running_sum += *tmp - '0'; +Index: trafficserver/src/tscore/Makefile.am +=================================================================== +--- trafficserver.orig/src/tscore/Makefile.am 2022-05-21 18:55:58.853202502 +0200 ++++ trafficserver/src/tscore/Makefile.am 2022-05-21 19:10:10.982804575 +0200 +@@ -258,6 +258,7 @@ + unit_tests/test_BufferWriter.cc \ + unit_tests/test_BufferWriterFormat.cc \ + unit_tests/test_ink_inet.cc \ ++ unit_tests/test_ink_memory.cc \ + unit_tests/test_IntrusivePtr.cc \ + unit_tests/test_IpMap.cc \ + unit_tests/test_layout.cc \ +Index: trafficserver/src/tscore/unit_tests/test_ink_memory.cc +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/src/tscore/unit_tests/test_ink_memory.cc 2022-05-21 19:10:10.982804575 +0200 +@@ -0,0 +1,141 @@ ++/** @file ++ ++ ink_memory unit tests. ++ ++ @section license License ++ ++ Licensed to the Apache Software Foundation (ASF) under one ++ or more contributor license agreements. See the NOTICE file ++ distributed with this work for additional information ++ regarding copyright ownership. The ASF licenses this file ++ to you under the Apache License, Version 2.0 (the ++ "License"); you may not use this file except in compliance ++ with the License. You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++ Unless required by applicable law or agreed to in writing, software ++ distributed under the License is distributed on an "AS IS" BASIS, ++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ See the License for the specific language governing permissions and ++ limitations under the License. ++*/ ++ ++#include ++#include ++#include "tscore/ink_memory.h" ++ ++constexpr void ++test_can_safely_shift_int8_t() ++{ ++ constexpr int8_t a = 0; ++ static_assert(can_safely_shift_left(a, 0) == true, "shifting 0 is safe"); ++ static_assert(can_safely_shift_left(a, 4) == true, "shifting 0 is safe"); ++ static_assert(can_safely_shift_left(a, 8) == true, "shifting 0 is safe"); ++ ++ constexpr int8_t b = 1; ++ static_assert(can_safely_shift_left(b, 0) == true, "shifting int8_t 1 0 places is safe"); ++ static_assert(can_safely_shift_left(b, 1) == true, "shifting int8_t 1 1 places is safe"); ++ static_assert(can_safely_shift_left(b, 6) == true, "shifting int8_t 1 6 places is safe"); ++ static_assert(can_safely_shift_left(b, 7) == false, "shifting int8_t 1 7 places becomes negative"); ++ static_assert(can_safely_shift_left(b, 8) == false, "shifting int8_t 1 8 places overflows"); ++ ++ constexpr int8_t c = 0xff; ++ static_assert(can_safely_shift_left(c, 0) == false, "int8_t 0xff is already negative"); ++ static_assert(can_safely_shift_left(c, 1) == false, "shifting int8_t 0xff 1 place overflows"); ++} ++ ++constexpr void ++test_can_safely_shift_uint8_t() ++{ ++ constexpr uint8_t a = 0; ++ static_assert(can_safely_shift_left(a, 0) == true, "shifting 0 is safe"); ++ static_assert(can_safely_shift_left(a, 4) == true, "shifting 0 is safe"); ++ static_assert(can_safely_shift_left(a, 8) == true, "shifting 0 is safe"); ++ ++ constexpr uint8_t b = 1; ++ static_assert(can_safely_shift_left(b, 0) == true, "shifting uint8_t 1 0 places is safe"); ++ static_assert(can_safely_shift_left(b, 1) == true, "shifting uint8_t 1 1 places is safe"); ++ static_assert(can_safely_shift_left(b, 6) == true, "shifting uint8_t 1 6 places is safe"); ++ static_assert(can_safely_shift_left(b, 7) == true, "shifting uint8_t 1 7 is safe"); ++ static_assert(can_safely_shift_left(b, 8) == false, "shifting uint8_t 1 8 places overflows"); ++ ++ constexpr uint8_t c = 0xff; ++ static_assert(can_safely_shift_left(c, 0) == true, "shifting int8_t 0xff 0 places is safe"); ++ static_assert(can_safely_shift_left(c, 1) == false, "shifting int8_t 0xff 1 place overflows"); ++} ++ ++constexpr void ++test_can_safely_shift_int32_t() ++{ ++ constexpr int32_t a = 0; ++ static_assert(can_safely_shift_left(a, 4) == true, "shifting 0 is safe"); ++ ++ constexpr int32_t b = 1; ++ static_assert(can_safely_shift_left(b, 4) == true, "shifting 1 is safe"); ++ ++ constexpr int32_t c = 0x00ff'ffff; ++ static_assert(can_safely_shift_left(c, 4) == true, "shifting 0x00ff'ffff is safe"); ++ ++ constexpr int32_t d = 0x07ff'ffff; ++ static_assert(can_safely_shift_left(d, 4) == true, "shifting 0x07ff'ffff is safe"); ++ ++ constexpr int32_t e = -1; ++ static_assert(can_safely_shift_left(e, 4) == false, "shifting -1 will result in truncation"); ++ ++ constexpr int32_t f = 0x0800'0000; ++ static_assert(can_safely_shift_left(f, 4) == false, "shifting 0x0801'0000 will become negative"); ++ ++ constexpr int32_t g = 0x0fff'ffff; ++ static_assert(can_safely_shift_left(g, 4) == false, "shifting 0x0fff'ffff will become negative"); ++ ++ constexpr int32_t h = 0x1000'0000; ++ static_assert(can_safely_shift_left(h, 4) == false, "shifting 0x1000'0000 will overflow"); ++ ++ constexpr int32_t i = 0xf000'0000; ++ static_assert(can_safely_shift_left(i, 4) == false, "shifting 0xf000'0000 will overflow"); ++ ++ constexpr int32_t j = 0xf800'0000; ++ static_assert(can_safely_shift_left(j, 4) == false, "shifting 0xf800'0000 will become negative"); ++} ++ ++constexpr void ++test_can_safely_shift_uint32_t() ++{ ++ constexpr uint32_t a = 0; ++ static_assert(can_safely_shift_left(a, 4) == true, "shifting 0 is safe"); ++ ++ constexpr uint32_t b = 1; ++ static_assert(can_safely_shift_left(b, 4) == true, "shifting 1 is safe"); ++ ++ constexpr uint32_t c = 0x00ff'ffff; ++ static_assert(can_safely_shift_left(c, 4) == true, "shifting 0x00ff'ffff is safe"); ++ ++ constexpr uint32_t d = 0x07ff'ffff; ++ static_assert(can_safely_shift_left(d, 4) == true, "shifting 0x07ff'ffff is safe"); ++ ++ constexpr uint32_t e = 0x0800'0000; ++ static_assert(can_safely_shift_left(e, 4) == true, "shifting unisgned 0x0800'0000 is safe"); ++ ++ constexpr uint32_t f = 0x0fff'ffff; ++ static_assert(can_safely_shift_left(f, 4) == true, "shifting unsigned 0x0fff'ffff is safe"); ++ ++ constexpr uint32_t g = 0x1000'0000; ++ static_assert(can_safely_shift_left(g, 4) == false, "shifting 0x1000'0000 will overflow"); ++ ++ constexpr uint32_t h = 0xf000'0000; ++ static_assert(can_safely_shift_left(h, 4) == false, "shifting 0xf000'0000 will overflow"); ++ ++ constexpr uint32_t i = 0xf800'0000; ++ static_assert(can_safely_shift_left(i, 4) == false, "shifting 0xf800'0000 will become negative"); ++} ++ ++TEST_CASE("can_safely_shift", "[libts][ink_inet][memory]") ++{ ++ // can_safely_shift_left is a constexpr function, therefore all these checks are ++ // done at compile time and REQUIRES calls are not necessary. ++ test_can_safely_shift_int8_t(); ++ test_can_safely_shift_uint8_t(); ++ test_can_safely_shift_int32_t(); ++ test_can_safely_shift_uint32_t(); ++} diff --git a/patches/0019-CVE_2021_38161.patch b/patches/0019-CVE_2021_38161.patch new file mode 100644 index 00000000..5dc61785 --- /dev/null +++ b/patches/0019-CVE_2021_38161.patch @@ -0,0 +1,30 @@ +Description: Add some checking to validate the scheme matches the wire protocol. +Author: Alan M. Carroll +Origin: upstream +Applied-Upstream: https://github.com/apache/trafficserver/commit/feefc5e4abc5011dfad5dcfef3f22998faf6e2d4 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2022-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trafficserver/proxy/http/HttpSM.cc +=================================================================== +--- trafficserver.orig/proxy/http/HttpSM.cc 2022-05-21 18:55:58.793202813 +0200 ++++ trafficserver/proxy/http/HttpSM.cc 2022-05-21 19:12:07.438046649 +0200 +@@ -732,6 +732,17 @@ + case PARSE_RESULT_DONE: + SMDebug("http", "[%" PRId64 "] done parsing client request header", sm_id); + ++ if (!is_internal) { ++ auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx(); ++ if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) || ++ (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) { ++ SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme), ++ client_connection_is_ssl ? "tls" : "plaintext"); ++ t_state.http_return_code = HTTP_STATUS_BAD_REQUEST; ++ call_transact_and_set_next_state(HttpTransact::BadRequest); ++ break; ++ } ++ } + ua_txn->set_session_active(); + + if (t_state.hdr_info.client_request.version_get() == HTTPVersion(1, 1) && diff --git a/patches/0019-CVE_2021_44040.patch b/patches/0019-CVE_2021_44040.patch new file mode 100644 index 00000000..0f87d1a8 --- /dev/null +++ b/patches/0019-CVE_2021_44040.patch @@ -0,0 +1,513 @@ +Description: Improper Input Validation vulnerability in request line parsing +Author: +Origin: upstream +Applied-Upstream: 85c319a7f7c0537bee408ea25df6f1a5ed0a4071, c4e6661a5a205b1f60279f0e66aa496023185967, 8c6f2ed84ba0d8e6255baceb99ee891ebe1ce473 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2022-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trafficserver/doc/admin-guide/files/records.config.en.rst +=================================================================== +--- trafficserver.orig/doc/admin-guide/files/records.config.en.rst 2022-05-21 19:01:54.422372252 +0200 ++++ trafficserver/doc/admin-guide/files/records.config.en.rst 2022-05-21 19:18:52.251530553 +0200 +@@ -1134,10 +1134,12 @@ + An arbitrary string value that, if set, will be used to replace any request + ``User-Agent`` header. + +-.. ts:cv:: CONFIG proxy.config.http.strict_uri_parsing INT 0 ++.. ts:cv:: CONFIG proxy.config.http.strict_uri_parsing INT 2 + +- Enables (``1``) or disables (``0``) Traffic Server to return a 400 Bad Request +- if client's request URI includes character which is not RFC 3986 compliant ++ Takes a value between 0 and 2. ``0`` disables strict_uri_parsing. Any character can appears ++ in the URI. ``1`` causes |TS| to return 400 Bad Request ++ if client's request URI includes character which is not RFC 3986 compliant. ``2`` directs |TS| ++ to reject the clients request if it contains whitespace or non-printable characters. + + .. ts:cv:: CONFIG proxy.config.http.errors.log_error_pages INT 1 + :reloadable: +Index: trafficserver/mgmt/RecordsConfig.cc +=================================================================== +--- trafficserver.orig/mgmt/RecordsConfig.cc 2022-05-21 18:55:58.701203288 +0200 ++++ trafficserver/mgmt/RecordsConfig.cc 2022-05-21 19:18:52.251530553 +0200 +@@ -354,7 +354,7 @@ + , + {RECT_CONFIG, "proxy.config.http.post.check.content_length.enabled", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} + , +- {RECT_CONFIG, "proxy.config.http.strict_uri_parsing", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} ++ {RECT_CONFIG, "proxy.config.http.strict_uri_parsing", RECD_INT, "2", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-2]", RECA_NULL} + , + // # Send http11 requests + // # +Index: trafficserver/proxy/hdrs/HTTP.cc +=================================================================== +--- trafficserver.orig/proxy/hdrs/HTTP.cc 2022-05-21 18:55:58.781202874 +0200 ++++ trafficserver/proxy/hdrs/HTTP.cc 2022-05-21 19:18:41.927593091 +0200 +@@ -885,7 +885,7 @@ + + ParseResult + http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const char **start, const char *end, +- bool must_copy_strings, bool eof, bool strict_uri_parsing) ++ bool must_copy_strings, bool eof, int strict_uri_parsing) + { + if (parser->m_parsing_http) { + MIMEScanner *scanner = &parser->m_mime_parser.m_scanner; +Index: trafficserver/proxy/hdrs/HTTP.h +=================================================================== +--- trafficserver.orig/proxy/hdrs/HTTP.h 2022-05-21 18:55:58.781202874 +0200 ++++ trafficserver/proxy/hdrs/HTTP.h 2022-05-21 19:18:41.927593091 +0200 +@@ -445,7 +445,7 @@ + void http_parser_init(HTTPParser *parser); + void http_parser_clear(HTTPParser *parser); + ParseResult http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const char **start, const char *end, +- bool must_copy_strings, bool eof, bool strict_uri_parsing); ++ bool must_copy_strings, bool eof, int strict_uri_parsing); + ParseResult validate_hdr_host(HTTPHdrImpl *hh); + ParseResult validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh); + ParseResult http_parser_parse_resp(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const char **start, const char *end, +@@ -624,10 +624,10 @@ + const char *reason_get(int *length); + void reason_set(const char *value, int length); + +- ParseResult parse_req(HTTPParser *parser, const char **start, const char *end, bool eof, bool strict_uri_parsing = false); ++ ParseResult parse_req(HTTPParser *parser, const char **start, const char *end, bool eof, int strict_uri_parsing = 0); + ParseResult parse_resp(HTTPParser *parser, const char **start, const char *end, bool eof); + +- ParseResult parse_req(HTTPParser *parser, IOBufferReader *r, int *bytes_used, bool eof, bool strict_uri_parsing = false); ++ ParseResult parse_req(HTTPParser *parser, IOBufferReader *r, int *bytes_used, bool eof, int strict_uri_parsing = 0); + ParseResult parse_resp(HTTPParser *parser, IOBufferReader *r, int *bytes_used, bool eof); + + public: +@@ -1225,7 +1225,7 @@ + -------------------------------------------------------------------------*/ + + inline ParseResult +-HTTPHdr::parse_req(HTTPParser *parser, const char **start, const char *end, bool eof, bool strict_uri_parsing) ++HTTPHdr::parse_req(HTTPParser *parser, const char **start, const char *end, bool eof, int strict_uri_parsing) + { + ink_assert(valid()); + ink_assert(m_http->m_polarity == HTTP_TYPE_REQUEST); +Index: trafficserver/proxy/hdrs/HdrTSOnly.cc +=================================================================== +--- trafficserver.orig/proxy/hdrs/HdrTSOnly.cc 2022-05-21 18:55:58.781202874 +0200 ++++ trafficserver/proxy/hdrs/HdrTSOnly.cc 2022-05-21 19:18:41.927593091 +0200 +@@ -45,7 +45,7 @@ + -------------------------------------------------------------------------*/ + + ParseResult +-HTTPHdr::parse_req(HTTPParser *parser, IOBufferReader *r, int *bytes_used, bool eof, bool strict_uri_parsing) ++HTTPHdr::parse_req(HTTPParser *parser, IOBufferReader *r, int *bytes_used, bool eof, int strict_uri_parsing) + { + const char *start; + const char *tmp; +Index: trafficserver/proxy/hdrs/URL.cc +=================================================================== +--- trafficserver.orig/proxy/hdrs/URL.cc 2022-05-21 18:55:58.789202833 +0200 ++++ trafficserver/proxy/hdrs/URL.cc 2022-05-21 19:18:41.927593091 +0200 +@@ -1179,10 +1179,34 @@ + return true; + } + ++/** ++ * This method will return TRUE if the uri is mostly compliant with ++ * RFC 3986 and it will return FALSE if not. Specifically denying white ++ * space an unprintable characters ++ */ ++static bool ++url_is_mostly_compliant(const char *start, const char *end) ++{ ++ for (const char *i = start; i < end; ++i) { ++ if (isspace(*i)) { ++ Debug("http", "Whitespace character [0x%.2X] found in URL", (unsigned char)*i); ++ return false; ++ } ++ if (!isprint(*i)) { ++ Debug("http", "Non-printable character [0x%.2X] found in URL", (unsigned char)*i); ++ return false; ++ } ++ } ++ return true; ++} ++ + ParseResult +-url_parse(HdrHeap *heap, URLImpl *url, const char **start, const char *end, bool copy_strings_p, bool strict_uri_parsing) ++url_parse(HdrHeap *heap, URLImpl *url, const char **start, const char *end, bool copy_strings_p, int strict_uri_parsing) + { +- if (strict_uri_parsing && !url_is_strictly_compliant(*start, end)) { ++ if (strict_uri_parsing == 1 && !url_is_strictly_compliant(*start, end)) { ++ return PARSE_RESULT_ERROR; ++ } ++ if (strict_uri_parsing == 2 && !url_is_mostly_compliant(*start, end)) { + return PARSE_RESULT_ERROR; + } + +Index: trafficserver/proxy/hdrs/URL.h +=================================================================== +--- trafficserver.orig/proxy/hdrs/URL.h 2022-05-21 18:55:58.789202833 +0200 ++++ trafficserver/proxy/hdrs/URL.h 2022-05-21 19:18:41.927593091 +0200 +@@ -198,14 +198,13 @@ + void url_fragment_set(HdrHeap *heap, URLImpl *url, const char *value, int length, bool copy_string); + + ParseResult url_parse(HdrHeap *heap, URLImpl *url, const char **start, const char *end, bool copy_strings, +- bool strict_uri_parsing = false); ++ int strict_uri_parsing = false); + ParseResult url_parse_no_path_component_breakdown(HdrHeap *heap, URLImpl *url, const char **start, const char *end, + bool copy_strings); + ParseResult url_parse_internet(HdrHeap *heap, URLImpl *url, const char **start, const char *end, bool copy_strings); + ParseResult url_parse_http(HdrHeap *heap, URLImpl *url, const char **start, const char *end, bool copy_strings); + ParseResult url_parse_http_no_path_component_breakdown(HdrHeap *heap, URLImpl *url, const char **start, const char *end, + bool copy_strings); +- + char *url_unescapify(Arena *arena, const char *str, int length); + + void unescape_str(char *&buf, char *buf_e, const char *&str, const char *str_e, int &state); +Index: trafficserver/proxy/http/HttpConfig.cc +=================================================================== +--- trafficserver.orig/proxy/http/HttpConfig.cc 2022-05-21 18:55:58.789202833 +0200 ++++ trafficserver/proxy/http/HttpConfig.cc 2022-05-21 19:18:41.927593091 +0200 +@@ -1473,7 +1473,7 @@ + params->referer_filter_enabled = INT_TO_BOOL(m_master.referer_filter_enabled); + params->referer_format_redirect = INT_TO_BOOL(m_master.referer_format_redirect); + +- params->strict_uri_parsing = INT_TO_BOOL(m_master.strict_uri_parsing); ++ params->strict_uri_parsing = m_master.strict_uri_parsing; + + params->oride.down_server_timeout = m_master.oride.down_server_timeout; + params->oride.client_abort_threshold = m_master.oride.client_abort_threshold; +Index: trafficserver/proxy/http/HttpConfig.h +=================================================================== +--- trafficserver.orig/proxy/http/HttpConfig.h 2022-05-21 18:55:58.789202833 +0200 ++++ trafficserver/proxy/http/HttpConfig.h 2022-05-21 19:18:52.251530553 +0200 +@@ -847,7 +847,7 @@ + MgmtByte referer_filter_enabled = 0; + MgmtByte referer_format_redirect = 0; + +- MgmtByte strict_uri_parsing = 0; ++ MgmtByte strict_uri_parsing = 2; + + MgmtByte reverse_proxy_enabled = 0; + MgmtByte url_remap_required = 1; +Index: trafficserver/tests/gold_tests/headers/gold/bad_good_request.gold +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/gold/bad_good_request.gold 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,9 @@ ++``HTTP/1.1 400 Invalid HTTP Request ++``Connection: close ++``Server: ATS/`` ++``Content-Length: 219 ++`` ++Bad Request ++``

Bad Request

++``Description: Could not process this request. ++`` +Index: trafficserver/tests/gold_tests/headers/gold/bad_good_request_header.gold +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/gold/bad_good_request_header.gold 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,5 @@ ++``HTTP/1.1 400 Invalid HTTP Request ++``Connection: close ++``Server: ATS/`` ++``Content-Length: 219 ++`` +Index: trafficserver/tests/gold_tests/headers/gold/bad_good_request_http1.gold +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/gold/bad_good_request_http1.gold 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,8 @@ ++``HTTP/1.0 400 Invalid HTTP Request ++``Server: ATS/`` ++``Content-Length: 219 ++`` ++Bad Request ++``

Bad Request

++``Description: Could not process this request. ++`` +Index: trafficserver/tests/gold_tests/headers/gold/bad_method.gold +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/gold/bad_method.gold 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,24 @@ ++HTTP/1.1 501 Unsupported method ('gET') ++Content-Type: text/html;charset=utf-8 ++Content-Length: 496 ++Date: `` ++Age: 0 ++Connection: keep-alive ++Server: ATS/`` ++ ++ ++ ++ ++ ++ Error response ++ ++ ++

Error response

++

Error code: 501

++

Message: Unsupported method ('gET').

++

Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.

++ ++ ++HTTP/1.1 200 OK ++`` +Index: trafficserver/tests/gold_tests/headers/gold/bad_protocol_number.gold +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/gold/bad_protocol_number.gold 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,22 @@ ++HTTP/1.1 505 Unsupported HTTP Version ++Date: `` ++Server: ATS/`` ++Cache-Control: no-store ++Content-Type: text/html ++Content-Language: en ++Content-Length: 219 ++ ++ ++ ++Bad Request ++ ++ ++ ++

Bad Request

++
++ ++ ++Description: Could not process this request. ++ ++
++ +Index: trafficserver/tests/gold_tests/headers/gold/bad_te_value.gold +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/gold/bad_te_value.gold 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,25 @@ ++HTTP/1.1 501 Field not implemented ++Date: `` ++Connection: keep-alive ++Server: ATS/`` ++Cache-Control: no-store ++Content-Type: text/html ++Content-Language: en ++Content-Length: 289 ++ ++ ++ ++Transcoding Not Available ++ ++ ++ ++

Transcoding Not Available

++
++ ++ ++ ++ Description: Unable to provide the document in the ++format requested by your browser. ++ ++
++ +Index: trafficserver/tests/gold_tests/headers/good_request_after_bad.test.py +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ trafficserver/tests/gold_tests/headers/good_request_after_bad.test.py 2022-05-21 19:18:41.931593066 +0200 +@@ -0,0 +1,196 @@ ++''' ++Verify that request following a ill-formed request is not processed ++''' ++# Licensed to the Apache Software Foundation (ASF) under one ++# or more contributor license agreements. See the NOTICE file ++# distributed with this work for additional information ++# regarding copyright ownership. The ASF licenses this file ++# to you under the Apache License, Version 2.0 (the ++# "License"); you may not use this file except in compliance ++# with the License. You may obtain a copy of the License at ++# ++# http://www.apache.org/licenses/LICENSE-2.0 ++# ++# Unless required by applicable law or agreed to in writing, software ++# distributed under the License is distributed on an "AS IS" BASIS, ++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++# See the License for the specific language governing permissions and ++# limitations under the License. ++ ++import os ++ ++Test.Summary = ''' ++Verify that request following a ill-formed request is not processed ++''' ++Test.ContinueOnFail = True ++ts = Test.MakeATSProcess("ts") ++Test.ContinueOnFail = True ++ts.Disk.records_config.update({'proxy.config.diags.debug.tags': 'http', ++ 'proxy.config.diags.debug.enabled': 0, ++ 'proxy.config.http.strict_uri_parsing': 1 ++ }) ++ ++ts2 = Test.MakeATSProcess("ts2") ++ ++ts2.Disk.records_config.update({'proxy.config.diags.debug.tags': 'http', ++ 'proxy.config.diags.debug.enabled': 0, ++ 'proxy.config.http.strict_uri_parsing': 2 ++ }) ++ ++ ++server = Test.MakeOriginServer("server") ++request_header = {"headers": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""} ++response_header = { ++ "headers": "HTTP/1.1 200 OK\r\nConnection: close\r\nLast-Modified: Tue, 08 May 2018 15:49:41 GMT\r\nCache-Control: max-age=1000\r\n\r\n", ++ "timestamp": "1469733493.993", ++ "body": "xxx"} ++server.addResponse("sessionlog.json", request_header, response_header) ++ ++ts.Disk.remap_config.AddLine( ++ 'map / http://127.0.0.1:{0}'.format(server.Variables.Port) ++) ++ts.Disk.remap_config.AddLine( ++ 'map /bob<> http://127.0.0.1:{0}'.format(server.Variables.Port) ++) ++ts2.Disk.remap_config.AddLine( ++ 'map / http://127.0.0.1:{0}'.format(server.Variables.Port) ++) ++ts2.Disk.remap_config.AddLine( ++ 'map /bob<> http://127.0.0.1:{0}'.format(server.Variables.Port) ++) ++ ++trace_out = Test.Disk.File("trace_curl.txt") ++ ++# Make a good request to get item in the cache for later tests ++tr = Test.AddTestRun("Good control") ++tr.Processes.Default.StartBefore(server) ++tr.Processes.Default.StartBefore(Test.Processes.ts) ++tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nHost: bob\r\n\r\n" | nc 127.0.0.1 {}'.format(ts.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++ ++tr = Test.AddTestRun("Good control") ++tr.Processes.Default.StartBefore(server) ++tr.Processes.Default.StartBefore(Test.Processes.ts2) ++tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nHost: bob\r\n\r\n" | nc 127.0.0.1 {}'.format(ts2.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++ ++tr = Test.AddTestRun("space after header name") ++tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nHost : bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++tr.Processes.Default.Streams.stdout = 'gold/bad_good_request.gold' ++ ++# Commenting out a bunch of tests on master whose fixes are not in 8.1.x. ++#tr = Test.AddTestRun("Bad protocol number") ++#tr.Processes.Default.Command = 'printf "GET / HTTP/11.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_protocol_number.gold' ++# ++#tr = Test.AddTestRun("Unsupported Transfer Encoding value") ++#tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nhost: bob\r\ntransfer-encoding: random\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_te_value.gold' ++# ++#tr = Test.AddTestRun("Another unsupported Transfer Encoding value") ++#tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nhost: bob\r\ntransfer-encoding: \x08chunked\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_te_value.gold' ++# ++#tr = Test.AddTestRun("Extra characters in content-length") ++#tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nhost: bob\r\ncontent-length:+3\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_header.gold' ++# ++#tr = Test.AddTestRun("Different extra characters in content-length") ++#tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nhost: bob\r\ncontent-length:\x0c3\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_header.gold' ++# ++# ++## TRACE request with a body ++#tr = Test.AddTestRun("Trace request with a body") ++#tr.Processes.Default.Command = 'printf "TRACE /foo HTTP/1.1\r\nHost: bob\r\nContent-length:2\r\n\r\nokGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_good_request.gold' ++# ++#tr = Test.AddTestRun("Trace request with a chunked body") ++#tr.Processes.Default.Command = 'printf "TRACE /foo HTTP/1.1\r\nHost: bob\r\ntransfer-encoding: chunked\r\n\r\n2\r\nokGGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_good_request.gold' ++# ++#tr = Test.AddTestRun("Trace request with a chunked body via curl") ++#tr.Processes.Default.Command = 'curl -v --http1.1 --header "Transfer-Encoding: chunked" -d aaa -X TRACE -o trace_curl.txt -k http://127.0.0.1:{}/foo'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.All = 'gold/bad_good_request_header.gold' ++#trace_out.Content = Testers.ContainsExpression("Bad Request", "ATS error msg") ++#trace_out.Content += Testers.ContainsExpression("Description: Could not process this request.", "ATS error msg") ++# ++#tr = Test.AddTestRun("Trace request via curl") ++#tr.Processes.Default.Command = 'curl -v --http1.1 -X TRACE -k http://127.0.0.1:{}/bar'.format(ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.All = Testers.ContainsExpression( ++# r"HTTP/1.1 501 Unsupported method \('TRACE'\)", ++# "microserver does not support TRACE") ++# ++## Methods are case sensitive. Verify that "gET" is not confused with "GET". ++#tr = Test.AddTestRun("mixed case method") ++#tr.Processes.Default.Command = 'printf "gET / HTTP/1.1\r\nHost:bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_method.gold' ++# ++## mangled termination ++#tr = Test.AddTestRun("mangled line termination") ++#tr.Processes.Default.Command = 'printf "GET / HTTP/1.1\r\nHost:bob\r\n \r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++# ts.Variables.port) ++#tr.Processes.Default.ReturnCode = 0 ++#tr.Processes.Default.Streams.stdout = 'gold/bad_good_request.gold' ++ ++tr = Test.AddTestRun("Catch bad URL characters") ++tr.Processes.Default.Command = 'printf "GET /bob<> HTTP/1.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++# Since the request line is messsed up ATS will reply with HTTP/1.0 ++tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_http1.gold' ++ ++tr = Test.AddTestRun("Catch whitespace in URL") ++tr.Processes.Default.Command = 'printf "GET /bob foo HTTP/1.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++# Since the request line is messsed up ATS will reply with HTTP/1.0 ++tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_http1.gold' ++ ++tr = Test.AddTestRun("Extra characters in protocol") ++tr.Processes.Default.Command = 'printf "GET / HTP/1.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++# Since the request line is messsed up ATS will reply with HTTP/1.0 ++tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_http1.gold' ++ ++tr = Test.AddTestRun("Characters that are strict but not case 2 bad") ++tr.Processes.Default.Command = 'printf "GET /bob<> HTTP/1.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts2.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++tr.Processes.Default.Streams.All = Testers.ContainsExpression("HTTP/1.1 200 OK", "Success") ++ ++tr = Test.AddTestRun("Catch whitespace in URL") ++tr.Processes.Default.Command = 'printf "GET /bob foo HTTP/1.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts2.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++# Since the request line is messsed up ATS will reply with HTTP/1.0 ++tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_http1.gold' ++ ++tr = Test.AddTestRun("Extra characters in protocol") ++tr.Processes.Default.Command = 'printf "GET / HTP/1.1\r\nhost: bob\r\n\r\nGET / HTTP/1.1\r\nHost: boa\r\n\r\n" | nc 127.0.0.1 {}'.format( ++ ts2.Variables.port) ++tr.Processes.Default.ReturnCode = 0 ++# Since the request line is messsed up ATS will reply with HTTP/1.0 ++tr.Processes.Default.Streams.stdout = 'gold/bad_good_request_http1.gold' diff --git a/patches/0019-CVE_2021_44759.patch b/patches/0019-CVE_2021_44759.patch new file mode 100644 index 00000000..d0e2328b --- /dev/null +++ b/patches/0019-CVE_2021_44759.patch @@ -0,0 +1,79 @@ +Description: Bug fix in origin connection handling +Origin: upstream +Applied-Upstream: https://github.com/apache/trafficserver/commit/d3f36f79820ea10c26573c742b1bbc370c351716 +Reviewed-by: Jean Baptiste Favre +Last-Update: 2022-05-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trafficserver/iocore/net/SSLNetVConnection.cc +=================================================================== +--- trafficserver.orig/iocore/net/SSLNetVConnection.cc 2022-05-21 18:55:58.677203412 +0200 ++++ trafficserver/iocore/net/SSLNetVConnection.cc 2022-05-21 19:22:11.594334167 +0200 +@@ -1041,8 +1041,7 @@ + // Making the check here instead of later, so we only + // do this setting immediately after we create the SSL object + SNIConfig::scoped_config sniParam; +- int8_t clientVerify = 0; +- cchar *serverKey = this->options.sni_servername; ++ cchar *serverKey = this->options.sni_servername; + if (!serverKey) { + ats_ip_ntop(this->get_remote_addr(), buff, INET6_ADDRSTRLEN); + serverKey = buff; +@@ -1051,25 +1050,30 @@ + SSL_CTX *clientCTX = nullptr; + + if (nps) { +- clientCTX = nps->ctx; +- clientVerify = nps->verifyLevel; ++ clientCTX = nps->ctx; + } else { + clientCTX = params->client_ctx; +- // Keeping backwards compatability on the proxy.config.ssl.client.verify.server setting +- clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0; + } ++ + if (!clientCTX) { + SSLErrorVC(this, "failed to create SSL client session"); + return EVENT_ERROR; + } + ++ if (nps && nps->verifyLevel != static_cast(YamlSNIConfig::Level::UNSET)) { ++ this->options.clientVerificationFlag = nps->verifyLevel; ++ } else { ++ // Keeping backwards compatibility on the proxy.config.ssl.client.verify.server setting ++ this->options.clientVerificationFlag = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0; ++ } ++ + this->ssl = make_ssl_connection(clientCTX, this); + if (this->ssl == nullptr) { + SSLErrorVC(this, "failed to create SSL client session"); + return EVENT_ERROR; + } + int verify_op; +- if (clientVerify) { ++ if (this->options.clientVerificationFlag) { + verify_op = SSL_VERIFY_PEER; + SSL_set_verify(this->ssl, verify_op, verify_callback); + } else { +Index: trafficserver/iocore/net/YamlSNIConfig.h +=================================================================== +--- trafficserver.orig/iocore/net/YamlSNIConfig.h 2022-05-21 18:55:58.681203391 +0200 ++++ trafficserver/iocore/net/YamlSNIConfig.h 2022-05-21 19:22:11.594334167 +0200 +@@ -45,7 +45,7 @@ + client_cert + + }; +- enum class Level { NONE = 0, MODERATE, STRICT }; ++ enum class Level { NONE = 0, MODERATE, STRICT, UNSET }; + enum class TLSProtocol : uint8_t { TLSv1 = 0, TLSv1_1, TLSv1_2, TLSv1_3, TLS_MAX = TLSv1_3 }; + + YamlSNIConfig() {} +@@ -55,7 +55,7 @@ + bool disable_h2 = false; + uint8_t verify_client_level = 0; + std::string tunnel_destination; +- uint8_t verify_origin_server = 0; ++ uint8_t verify_origin_server = static_cast(Level::UNSET); + std::string client_cert; + std::string ip_allow; + bool protocol_unset = true; diff --git a/patches/series b/patches/series new file mode 100644 index 00000000..5d4ca8c4 --- /dev/null +++ b/patches/series @@ -0,0 +1,19 @@ +0001-Use-mcx16-on-x86-platforms-only.patch +0003-reproductible-build.patch +0006-fix-doc-build.patch +0008-fix-python-check-unused-dependencies.patch +0009-fix-mysql-8-build.patch +0011-fix-segfault.patch +0012-fix-spelling-checks.patch +0013-fix-perl-interpreter-path.patch +0014-use_system_yaml-cpp.patch +0015-as-needed-fix.patch +0016-fix_python_3.8.patch +0017-fix_sphinx_3.0.patch +0018-Fixes-7971.patch +0019-CVE_2021_37147.patch +0019-CVE_2021_37148.patch +0019-CVE_2021_37149.patch +0019-CVE_2021_38161.patch +0019-CVE_2021_44040.patch +0019-CVE_2021_44759.patch diff --git a/rules b/rules new file mode 100755 index 00000000..1e772682 --- /dev/null +++ b/rules @@ -0,0 +1,80 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_CFLAGS_MAINT_APPEND = -O3 +export DEB_CXXFLAGS_MAINT_APPEND = -O3 +# mips & mipsel need explicit libatomic link +ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),mips mipsel)) + export DEB_LDFLAGS_MAINT_APPEND += -latomic +endif + +# Get build architecture. ./configure is different on Linux +include /usr/share/dpkg/architecture.mk +# Get rid f dpkg-parsechangelog +include /usr/share/dpkg/pkg-info.mk + +configure_flags = \ + --enable-layout=Debian \ + --sysconfdir=/etc/trafficserver --libdir=/usr/lib/trafficserver \ + --libexecdir=/usr/lib/trafficserver/modules \ + --with-user=root --with-group=root --disable-silent-rules \ + --enable-experimental-plugins --enable-32bit-build \ + --enable-mime-sanity-check --enable-docs \ + --with-build-version=$(DEB_VERSION) \ + --with-yaml-cpp=/usr \ + $(shell dpkg-buildflags --export=configure) + +ifeq ($(DEB_HOST_ARCH_OS),linux) + configure_flags += --enable-wccp +endif + +%: + dh $@ + +override_dh_auto_configure: + dh_auto_configure -- $(configure_flags) + +override_dh_auto_install: + dh_auto_install -- INSTALLDIRS=vendor + rm -f debian/tmp/usr/bin/trafficserver # We install our own + # Satisfy §10.2 (http://wiki.debian.org/ReleaseGoals/LAFileRemoval) + rm -f debian/tmp/usr/lib/trafficserver/lib*.la + rm -f debian/tmp/usr/lib/trafficserver/modules/*.la + rm -f debian/tmp/usr/lib/trafficserver/lib*.a +ifneq ($(DEB_HOST_ARCH_OS),linux) + # Remove Linux-specific plugin + sed -i '/\/healthchecks\.so$$/d' \ + debian/trafficserver.install +endif + +override_dh_install: + dh_install + dh_missing --list-missing + ./debian/change_config.pl debian/trafficserver/etc/trafficserver/records.config + # Lintian fixes + mkdir -p debian/trafficserver/usr/share/doc/trafficserver + cat CHANGELOG-* >> debian/trafficserver/usr/share/doc/trafficserver/changelog + #rm debian/trafficserver-dev/usr/share/doc/trafficserver-dev/examples/ssl-preaccept/ssl_preaccept.config + #(cd debian/trafficserver-dev/usr/share/doc/trafficserver-dev/examples/ssl-preaccept/; \ + #ln -s ssl_preaccept.config ssl_sni.config) + +override_dh_fixperms: + dh_fixperms -Xvar/lib/trafficserver \ + -Xvar/log/trafficserver \ + -Xvar/cache/trafficserver \ + -Xvar/run/trafficserver + # Fix lintian warning + chmod -x debian/trafficserver-dev/usr/share/doc/trafficserver-dev/examples/remap_header_add/build.txt + +override_dh_installexamples: + dh_installexamples -XMakefile -X.libs -X.dirstamp -X.deps -X.la -X.lo + +override_dh_makeshlibs: + dh_makeshlibs -Xdebian/tmp/usr/lib/trafficserver + +override_dh_auto_test: + -dh_auto_test diff --git a/salsa-ci.yml b/salsa-ci.yml new file mode 100644 index 00000000..5a21243c --- /dev/null +++ b/salsa-ci.yml @@ -0,0 +1,10 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + SALSA_CI_DISABLE_APTLY: 1 + +reprotest: + allow_failure: true diff --git a/source/format b/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/source/options b/source/options new file mode 100644 index 00000000..9693b2ab --- /dev/null +++ b/source/options @@ -0,0 +1 @@ +--extend-diff-ignore='examples/|diags.log|lib/perl/' diff --git a/trafficserver-dev.examples b/trafficserver-dev.examples new file mode 100644 index 00000000..0bbe99ef --- /dev/null +++ b/trafficserver-dev.examples @@ -0,0 +1 @@ +example/* diff --git a/trafficserver-dev.install b/trafficserver-dev.install new file mode 100644 index 00000000..973eea9a --- /dev/null +++ b/trafficserver-dev.install @@ -0,0 +1,4 @@ +debian/tmp/usr/include/* +debian/tmp/usr/bin/tsxs +debian/tmp/usr/lib/trafficserver/lib*.so +debian/tmp/usr/lib/trafficserver/pkgconfig/trafficserver.pc diff --git a/trafficserver-dev.manpages b/trafficserver-dev.manpages new file mode 100644 index 00000000..c1687793 --- /dev/null +++ b/trafficserver-dev.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man1/tsxs.1 +debian/tmp/usr/share/man/man3/* diff --git a/trafficserver-experimental-plugins.install b/trafficserver-experimental-plugins.install new file mode 100644 index 00000000..dfb2d111 --- /dev/null +++ b/trafficserver-experimental-plugins.install @@ -0,0 +1,37 @@ +usr/lib/trafficserver/modules/access_control.so +usr/lib/trafficserver/modules/acme.so +usr/lib/trafficserver/modules/balancer.so +usr/lib/trafficserver/modules/buffer_upload.so +usr/lib/trafficserver/modules/cache_key_genid.so +usr/lib/trafficserver/modules/cache_range_requests.so +usr/lib/trafficserver/modules/certifier.so +usr/lib/trafficserver/modules/collapsed_forwarding.so +usr/lib/trafficserver/modules/custom_redirect.so +usr/lib/trafficserver/modules/fq_pacing.so +usr/lib/trafficserver/modules/geoip_acl.so +usr/lib/trafficserver/modules/header_freq.so +usr/lib/trafficserver/modules/header_normalize.so +usr/lib/trafficserver/modules/hipes.so +usr/lib/trafficserver/modules/hook-trace.so +usr/lib/trafficserver/modules/inliner.so +usr/lib/trafficserver/modules/tsmemcache.so +usr/lib/trafficserver/modules/memcached_remap.so +usr/lib/trafficserver/modules/metalink.so +usr/lib/trafficserver/modules/money_trace.so +usr/lib/trafficserver/modules/mp4.so +usr/lib/trafficserver/modules/multiplexer.so +usr/lib/trafficserver/modules/mysql_remap.so +usr/lib/trafficserver/modules/prefetch.so +usr/lib/trafficserver/modules/remap_purge.so +usr/lib/trafficserver/modules/remap_stats.so +usr/lib/trafficserver/modules/server_push_preload.so +usr/lib/trafficserver/modules/slice.so +usr/lib/trafficserver/modules/ssl_cert_loader.so +usr/lib/trafficserver/modules/sslheaders.so +usr/lib/trafficserver/modules/stale_while_revalidate.so +usr/lib/trafficserver/modules/stream_editor.so +usr/lib/trafficserver/modules/system_stats.so +usr/lib/trafficserver/modules/tls_bridge.so +usr/lib/trafficserver/modules/traffic_dump.so +usr/lib/trafficserver/modules/uri_signing.so +usr/lib/trafficserver/modules/url_sig.so diff --git a/trafficserver.default b/trafficserver.default new file mode 100644 index 00000000..ca86af35 --- /dev/null +++ b/trafficserver.default @@ -0,0 +1,41 @@ +## Defaults for trafficserver initscript +## sourced by /etc/init.d/trafficserver +## installed at /etc/default/trafficserver by the maintainer scripts + +## +## This is a POSIX shell fragment +## + +## Variable: RUNDIR +## Default: /var/run/trafficserver +## Description: Set this to the directory where runtime data is stored. The +## default value should work fine for almost all users. +# RUNDIR=/var/run/trafficserver + + +## Configuration for `traffic_manager'. +## Meaning of variables is analogous to traffic_cop above, but for the +## `traffic_manager' binary. + +TM_START=yes +# TM_DAEMON_ARGS="" +# TM_PIDFILE=$RUNDIR/manager.lock + +## +## NOTICE: +## Typically you do not want to configure anything below. Note, generally Traffic +## Server is started through `traffic_cop' which is a watchdog to control any local +## Traffic Server instances. It starts both, traffic_manager and traffic_server, as +## does it monitor these processes. While it is generally not advised, you can +## choose to manage both processes yourself. In such cases do not set TC_START to +## "yes" and enable any service you want below. +## +## Choose either alternative, but do not mix up both. + +## Configuration for `traffic_server'. +## Meaning of variables is analogous to traffic_cop above, but for the +## `traffic_server' binary. + +# TS_START=no +# TS_DAEMON_ARGS="" +# TS_PIDFILE=$RUNDIR/server.lock diff --git a/trafficserver.dirs b/trafficserver.dirs new file mode 100644 index 00000000..91e6eaf4 --- /dev/null +++ b/trafficserver.dirs @@ -0,0 +1,2 @@ +/var/cache/trafficserver +/var/log/trafficserver diff --git a/trafficserver.example b/trafficserver.example new file mode 100644 index 00000000..b9d32e1e --- /dev/null +++ b/trafficserver.example @@ -0,0 +1,2 @@ +plugins/experimental/cacheurl/*.example +plugins/experimental/mysql_remap/sample.ini diff --git a/trafficserver.init b/trafficserver.init new file mode 100644 index 00000000..cc1179b0 --- /dev/null +++ b/trafficserver.init @@ -0,0 +1,257 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: trafficserver +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: init script for the Apache Traffic Server +# Description: Apache Traffic Server is fast, scalable and extensible +# HTTP/1.1 compliant caching proxy server. +### END INIT INFO + +# Author: Arno Töll +# +# This init script is derived from the source package's version shipped +# along the source tarball as rc/trafficserver. Therefore it is a derivative +# work and licensed as follows: +# +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="Apache Traffic Server" +NAME=trafficserver +SCRIPTNAME=/etc/init.d/$NAME + + +# Please do not touch TS_ROOT and TS_BASE. Traffic Server uses them +# They are used to determine location of ATS components on the file +# system. +# According to DPM § 9.9 a program must not depend on the existance of +# environment variables to work properly. Please report any errors if +# you experience such a problem, for me it seems to work just fine with- +# out +ESED=/usr/bin/sed +test -x $ESED || ESED=sed +TS_PREFIX="/usr" +TS_ROOT=${TS_ROOT:-$TS_PREFIX} + +# TS_BASE is offset inside the file system from where the layout starts +# For standard installations TS_BASE will be empty +eval TS_BASE="`echo $TS_ROOT | ${ESED} -e 's;/usr$;;'`" + +# Set some safe defaults. So not change values here, override them in +# in /etc/default/trafficserver instead. +# See there for a documentation as well + +RUNDIR=${RUNDIR:-$TS_BASE/var/run/trafficserver} + +TM_START=${TM_START:-no} +TM_NAME=${TM_NAME:-traffic_manager} +TM_DAEMON=${TM_DAEMON:-$TS_BASE/usr/bin/traffic_manager} +TM_DAEMON_ARGS="" +TM_PIDFILE=${TM_PIDFILE:-$RUNDIR/manager.lock} + +TS_START=${TS_START:-no} +TS_NAME=${TS_NAME:-traffic_server} +TS_DAEMON=${TS_DAEMON:-$TS_BASE/usr/bin/traffic_server} +TS_DAEMON_ARGS="" +TS_PIDFILE=${TS_PIDFILE:-$RUNDIR/server.lock} + +# Exit if the package is not installed +[ -x "$TM_DAEMON" ] || exit 0 + + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +. /lib/lsb/init-functions + +# Check permissions of /etc/trafficserver. +# Traffic Server needs write permissions, so warn the user if we suppose it +# wouldn't. +# The sysadmin is welcome to change the user ID that ATS uses. However to do that +# in a clean and supported way, the administrator should overwrite the `stat override' +# Debian installs by default in Trafficserver's postinst maintainer script. +# Print a warning only. +# Since this can't be safely determined by this script print a warning only, but +# don't fail. +CONF_DIR='/etc/trafficserver' +USER=$(dpkg-statoverride --list "$CONF_DIR" | awk '{print $1}') +OWNER=$(env stat -c '%U' "$CONF_DIR") +if [ -d "$CONF_DIR" ] && [ ! "x$OWNER" = "x$USER" ] ; then + log_warning_msg "Configuration directory '$CONF_DIR' is not owned by user '$USER'. " \ + "However Traffic Server needs write permissions to it." +fi + + +# Make sure $RUNDIR exists as the underlying file system +# may be volatile (see § 9.3.2 from DPM) +install -d -o trafficserver -g trafficserver -m 0755 "$RUNDIR" + + +# A helper function, its purpose is to start a daemon. +# Arguments are interpreted in order as follows: +# 1) The executable path +# 2) A string containing optional daemon arguments +# 3) A (valid) path containing the PID file for the daemon +# Returns: +# 0 if daemon has been started +# 1 if daemon was already running +# 2 if daemon could not be started +start_cmd() +{ + # Args + DAEMON=$1 + DAEMON_ARGS=$2 + PID=$3 + + #echo "\n\n" + #echo "d:" $DAEMON + #echo "da:" $DAEMON_ARGS + #echo "pid:" $PID + + start-stop-daemon --start --quiet --pidfile $PID --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PID --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + + return 0 +} + + +# A helper function, its purpose is to stop a daemon. +# Arguments are interpreted in order as follows: +# 1) The daemon name (i.e. the binary name) +# 2) The executable path +# 3) A (valid) path containing the PID file for the daemon +# Returns: +# 0 if daemon has been stopped +# 1 if daemon was already stopped +# 2 if daemon could not be stopped +# Another value if a failure occurred +stop_cmd() +{ + NAME=$1 + DAEMON=$2 + PID=$3 + + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PID --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + + # Many daemons don't delete their pidfiles when they exit. + rm -f $PID + return "$RETVAL" +} + +# The start function +# This function does everything required to bring up the service +# at boot time. +# It does not accept any arguments +do_start() { + if [ "x$TM_START" != "xno" ]; then + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $TM_NAME" + start_cmd "$TM_DAEMON" "$TM_DAEMON_ARGS" "$TM_PIDFILE" + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + fi + + if [ "x$TS_START" != "xno" ]; then + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $TS_NAME" + start_cmd "$TS_DAEMON" "$TS_DAEMON_ARGS" "$TS_PIDFILE" + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + fi +} + + +# The stop function +# This function does everything required to stop the service. +# It does not accept any arguments +do_stop() { + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $TM_NAME" + stop_cmd "$TM_NAME" "$TM_DAEMON" "$TM_PIDFILE" + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $TS_NAME" + stop_cmd "$TS_NAME" "$TS_DAEMON" "$TS_PIDFILE" + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac +} + +case "$1" in + start) + if [ "x$TM_START" = "xno" ] && [ "x$TS_START" = "xno" ]; then + [ "$VERBOSE" != no ] && log_warning_msg "Not starting $DESC" + else + do_start + fi + ;; + stop) + do_stop + ;; + status) + if [ "x$TM_START" != "xno" ] ; then + status_of_proc "$TM_DAEMON" "$TM_NAME" -p "$TM_PIDFILE" && exit 0 || exit $? + else + status_of_proc "$TS_DAEMON" "$TS_NAME" -p "$TS_PIDFILE" || exit $? + fi + ;; + restart|force-reload) + log_daemon_msg "Restarting $DESC" "$NAME\n" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/trafficserver.install b/trafficserver.install new file mode 100644 index 00000000..aa971f52 --- /dev/null +++ b/trafficserver.install @@ -0,0 +1,26 @@ +usr/bin/traffic_* +usr/bin/tspush +etc/trafficserver/* +usr/lib/trafficserver/lib*.so.* +usr/lib/trafficserver/modules/authproxy.so +usr/lib/trafficserver/modules/background_fetch.so +usr/lib/trafficserver/modules/cachekey.so +usr/lib/trafficserver/modules/cache_promote.so +usr/lib/trafficserver/modules/combo_handler.so +usr/lib/trafficserver/modules/compress.so +usr/lib/trafficserver/modules/conf_remap.so +usr/lib/trafficserver/modules/escalate.so +usr/lib/trafficserver/modules/esi.so +usr/lib/trafficserver/modules/generator.so +usr/lib/trafficserver/modules/header_rewrite.so +usr/lib/trafficserver/modules/healthchecks.so +usr/lib/trafficserver/modules/libloader.so +usr/lib/trafficserver/modules/regex_remap.so +usr/lib/trafficserver/modules/regex_revalidate.so +usr/lib/trafficserver/modules/s3_auth.so +usr/lib/trafficserver/modules/stats_over_http.so +usr/lib/trafficserver/modules/tcpinfo.so +usr/lib/trafficserver/modules/test_cppapi.so +usr/lib/trafficserver/modules/tslua.so +usr/lib/trafficserver/modules/xdebug.so +usr/lib/perl5/* usr/share/perl5/ diff --git a/trafficserver.maintscript b/trafficserver.maintscript new file mode 100644 index 00000000..51810a2e --- /dev/null +++ b/trafficserver.maintscript @@ -0,0 +1,9 @@ +rm_conffile /etc/trafficserver/vaddrs.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/metrics.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/logging.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/log_hosts.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/congestion.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/cluster.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/body_factory/default/congestion#retryAfter 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/icp.config 8.0.0~ trafficserver +rm_conffile /etc/trafficserver/snapshosts 8.0.0~ trafficserver diff --git a/trafficserver.manpages b/trafficserver.manpages new file mode 100644 index 00000000..b2bfc3aa --- /dev/null +++ b/trafficserver.manpages @@ -0,0 +1,4 @@ +debian/tmp/usr/share/man/man1/traffic_* +debian/tmp/usr/share/man/man1/tspush.1 +debian/tmp/usr/share/man/man8/traffic_* +debian/tmp/usr/share/man/man5/* diff --git a/trafficserver.postinst b/trafficserver.postinst new file mode 100755 index 00000000..23764905 --- /dev/null +++ b/trafficserver.postinst @@ -0,0 +1,127 @@ +#! /bin/sh +# postinst script for trafficserver +# +# see: dh_installdeb(1) +# +# Copyright 2011 Arno Toell +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +set -e + +USER='trafficserver' +GROUP='trafficserver' +USER_HOME='/var/run/trafficserver' +OWNER=$(env stat -c '%U' /etc/trafficserver) +OWNER_CACHE_DIR=$(env stat -c '%U' /var/cache/trafficserver) + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +case "$1" in +configure) + + if ! getent passwd -- "$USER" >/dev/null 2>&1 ; then + adduser --home "$USER_HOME" \ + --group \ + --system \ + --disabled-password \ + --no-create-home \ + --gecos "Debian Traffic Server user" \ + $USER + fi + + if [ -d /etc/trafficserver ] && [ "x$OWNER" = "xroot" ] ; then + # Ok, I admit I am lazy. I don't check every permission + # the user may have changed. If he didn't for /etc I can + # safely assume he neither has for other directories (I + # hope, since /etc requires write permissions by ATS). + echo 'Fixing permissions ...' + + if ! dpkg-statoverride --list /etc/trafficserver >/dev/null 2>&1; then + dpkg-statoverride --update --add "$USER" "$GROUP" 0755 /etc/trafficserver + fi + + if ! dpkg-statoverride --list /var/log/trafficserver >/dev/null 2>&1; then + dpkg-statoverride --update --add "$USER" adm 0750 /var/log/trafficserver + fi + + if [ -d /var/cache/trafficserver ] && [ "x$OWNER_CACHE_DIR" = "xroot" ] ; then + if ! dpkg-statoverride --list /var/cache/trafficserver >/dev/null 2>&1; then + dpkg-statoverride --update --add "$USER" adm 0750 /var/cache/trafficserver + fi + fi + fi + + if [ -n "$2" ] && dpkg --compare-versions "$2" 'le' '3.2~' ; then + RET=0 + invoke-rc.d trafficserver status > /dev/null 2>&1 || RET=$? + # 0 => ATS is running + # 4 => Status is unknown + # 1,2,3 => ATS is not running + + # using /bin/echo to make sure -e is supported + ECHO=`which echo` + if [ "$RET" -gt 0 ] && [ "$RET" -ne 4 ] && [ -f /var/cache/trafficserver/host.db ] ; then + echo "Purging TrafficServer cache upon upgrade." + RET=0 + traffic_server -Cclear > /dev/null 2>&1 || RET=$? + if [ "$RET" -ne 0 ] ; then + $ECHO "=======================================================================" + $ECHO -e "WARNING: Apache TrafficServer's cache couldn't be purged during the upgrade.\n" \ + "Please inspect the situation manually and call 'traffic_server -Cclear'\n" \ + "afterwards to purge the caches." + $ECHO "=======================================================================" + fi + else + $ECHO "=======================================================================" + $ECHO -e "WARNING: Apache TrafficServer is not running or its state couldn't be\n" \ + "determined. Please inspect the situation manually and call\n" \ + "'traffic_server -Cclear' afterwards to purge the caches.\n" + $ECHO "=======================================================================" + + fi + fi +;; + +abort-upgrade|abort-remove|abort-deconfigure) + +;; + +*) +echo "postinst called with unknown argument \`$1'" >&2 +exit 0 +;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/trafficserver.service b/trafficserver.service new file mode 100644 index 00000000..3fb0f534 --- /dev/null +++ b/trafficserver.service @@ -0,0 +1,31 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +[Unit] +Description=Apache Traffic Server is a fast, scalable and extensible caching proxy server. +Documentation=man:traffic_server(8) +After=network-online.target + +[Service] +Type=simple +EnvironmentFile=-/etc/default/trafficserver +PIDFile=/run/trafficserver/manager.lock +ExecStart=/usr/bin/traffic_manager $TM_DAEMON_ARGS +ExecReload=/usr/bin/traffic_ctl config reload + +[Install] +WantedBy=multi-user.target diff --git a/trafficserver.tmpfile b/trafficserver.tmpfile new file mode 100644 index 00000000..231e3171 --- /dev/null +++ b/trafficserver.tmpfile @@ -0,0 +1 @@ +d /run/trafficserver 0755 trafficserver trafficserver diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc new file mode 100644 index 00000000..b5b19452 --- /dev/null +++ b/upstream/signing-key.asc @@ -0,0 +1,101 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBErZOgoBEADImA8eQf03cOXh1UCuzNAg6paeNRBHJgSq2ly1lF47WgI1S0Kf +7dHdr3HH3xpkM7d0m2Nm2tPsZzemYFAW1sixzXj5bnCCuCaeOHzI+4mM9Tu9AUQp +ZqTiaW++tSenl+CzRWwDYFUG2s+r4/Fp0VNp/vHo1EqoO1cyauG/Jvo3VpbsKl2g +XuNZfRRoDOscGU7kcSKj7wnxRCXm8IHMGsuobtOC5UsuQCggoxFfD0mc1ZKZT9dv +WwcYG7sGHUUuEVkwHQr3ikjvItzZFgDU5Do5kv7q4OZ/N6wQhwT3lqXmpFX5fMK/ +1zMlrFjepl7OePgPf2qrYUGu9DVOcdT1ElMlY6BOHV+zkA7i/SBZUOvN93CGP8I4 +7Dp/DaQaCAs7mcGScu+07Nr14xKmfqo+oqL40UbaVNyEAqhqHlynKGKO6mYPkUOZ +KST0R3AQCM6nTr8zsGqiJze2C+uEc4uBUXHsY4tgo9DO8ZcyaBj6G/TYuol4m2kF +InxNHWFJ3tiO9dkM0O+YYae3UnH7mXBnKJNhTG/ek34LLLYCgXnOZ1cDKdtyd5Z8 +p+Ve73EM4pxJuC0J3UkPGBRxYzqkqx0tXDCAf1zYpTH486HJapxYuYyv94LQKhzp +hEyXfm6zFufHWdcwe0bjovcTKARE8Q81eBi+N/3cUzNMQN+5bjiy3nQOBQARAQAB +tDNMZWlmIEhlZHN0cm9tIChDT0RFIFNJR05JTkcgS0VZKSA8endvb3BAYXBhY2hl +Lm9yZz6JAjcEEwECACECGwMCHgECF4AFAkrZO1gFCwkIBwMFFQoJCAsFFgIDAQAA +CgkQUz3vFV17vFp8Ng/+NkQz+V+cCAirJg08XrZ+G508I8RxNsHAtZ4krPK958EJ +Fxs2SBCX5V+edP4ng4pRdEg6zA17up40zlnn14FVBpdZ+bU0yd/DTiKaX5MpfPVN +Gzw/t4gDoTntguDyw2JCUKhOu7B9zMDBSUT4KFeG91nIAjygB55c/d9OMwRXmoel +vUL1/JVqLBJuZgTJ70jn4dUHz5VSuUsylvl/kRwceY3QyZrA+3LXVW8V++s36WzT +QIXSAgfFdsw8Ry0C4OWWX5And0quB/E9l3zKpDvwH3FGrifM28aNd9We5c8QgxVd +gKbSHc595zquLebhIj0c3peXRY15qmqq0fYGcMkpr+capY0KEsusxDg/M06srymq +Tr5/BFE8Lqv/Qy+OebLRw0+B7b+ZvR0tMyv2L+drYgWvXtpCFKMCfqp1KWJYtolu +bUcIZrCMzUlsCNT5zCjf396jMThucfRQ5PrgLtF8Jc+NDnlKzz8acClhdNwa4F3s +dmS2C3PqRs9JWEhdXCvnuurnMQMsbujVeam8kQRFUcvCdl33cHP8JUy3cQ4uA8M+ +XanNDBHxDis5DDTgLLnDiWfGHL6FVSsH3OxsPCOA/go7uDw0ihiC7THJvh2L8051 +NPlGVDnCqbnFbzIVLbbXFSTpJQ5vbzOPRaKZLOTXvKEG9MmbtrxhXfpQr5zapIO5 +Ag0EStk6CgEQANMwI7QnPWQowMgfC365G1OlZeHWM1hwdPqpcJsI2KSIfCcCaKH8 +16bdNr/3p60rp3UIFCHSrX4CAxvYneEOG3pKYvzGf6GYI7g4NbLGu13cFOsBfz32 +1O5pmZPOH3FgDVvQBYCbC1cffWQiR2sp6U+O1rwAVk89+kxh6RfkPopPC4kkw18T +UsiNLHPQsfQ/aNazLdg5vgGKoxHj0BIx7BSb6JgZu48czu3pm1hudWfyoDtZFVQm +DWFFkzdhfvKO2pmMjG2IFrDdVLgxdKOO1WgsC+PSZesfkeOvN0qaFpFaHwIRVPYz +l9gwo8z5LJQsCEKx3aMmbDfkDeL5nN8Khb2p7yyyxwdPVSxKpx7lGdmCscVWj874 +7bGg+1D+vAIBKBYpQz2bWQrHcMra6rTra656KIWXwRelztUrgkfE5AxxtsyNflmV +3b7JsE3yAsXntjmAEOnZUeyGguNJR31oVn4W+oei7vGmFhzQZklGaKe0lo1BsbmM +0HPVu/n5stVRjiqMvLHvZdfx/EbELkE572/NcxKH4XM3wm19FODcEJy8AXg2YlDk +s/BD7nLGGEuefqMgZjFfoMWTkeIEHibIkJdmOUxqTXvG8SQw2S7QiGETbTezsEyq +ZV9NN3yN/Rro0BkgsYq2jX1fPSYR9CHVrhVT8BESnvt4FwSTExyuePUbABEBAAGJ +Ah8EGAECAAkFAkrZOgoCGwwACgkQUz3vFV17vFrnTQ/8DRkm/eyD9RH0QVmeClQm +2TXqxvD95nMbAycmKnoe1+KBT26oNs+7XwUF4tfnZ8TCM8NgQ03TdeS2lczXERnm +LUJc1iM3XFTBEi6n7BrbUadD1PFDf4G2zXGV+t7Ho+ukg03pNe5Y+VQnaF6ht51G +HM8k3AWxYSgOlA11T+E+YBCiZzLA5GanflGRV0Vj+lZbp6gsCN/3IUxO0mfV/Jtv +MRKTGvFAssZpqFwJJVDRJZgr+GUKff+Vef8+7wB78WYE93P3y0YPDo5+HrgMBej+ +izgVjMg0KToBzZoXKNWNywDvV3pZn0zL32wzKW10hgAesVyqNebznkBvHYk29BVU +R4fTQ2DJ8PvXXnjWtfyOGc0lz6HpBlGXAgbOZZjRdJb9eBtjcALoUPAQyi4TyN7n +dxzNtmssG3B+Xv08/VyGx00ClWLHTI+tFfwrfp4640uc3Yrg4CRZDhWLmxnDNc61 +FudI/6PjPfIo4FNWLgLMR3YRuVOij1/Wxos/XHVhuG4kBhkGfYyBmERLWdo/FAFc +X/Pa2B5Sbw9bp/h+Pro0KrQinJv2mygGG/045S6WKobyYZMNFTAquOtFBqzN+xbB +L/EeLJ3Vlj11vw1qRd6jjTdpC6rKtYNTnmTuHSC6HCWNZ49dE2HCfI+QhXvLvqpz +ItxbCP1bTdT/tJjiNyoT8xY= +=099s +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBEtfajQBEADAmWqIJkt2MPjmZJ9RlymAAuOcvImB5E3cvpWFqVH8h5ycS3NA +TTcvomSnILsiq+NM0h/J3Bd3cchCNA0uuXW1CIDY7mGrkPdXNxQVygYY2L/ubAE8 +Ed1u1ghzPUaMYtFf7QAk4WCpglBaL2frJmfS93AIYOAIuV0zw8+ce8uvVYSt7aAk +Ww8JKnpW91nMZr3GBTibhthCmLcDWIyntR2gYyPX9NdAAViSfkmW8ea4dtbXfu8j +nkr7DnbsQu+vl29nwLmI3h2jcgV6QkHu40breY5NbFSTVmyyBgM5yH3cVk7xVIGv +1rt0Q9DvoftaSiWn3TcXcrnHnWVPTo1VM+kYHT9J9p6JSxZdrcAySR48YZvgDXTI +BC2sNCtW/gHC4iNdxWvOYKDO7xv9fLweqiUNXi/BxcwcCapYN5xZEONFKVVRvd5X +pcr0hxviNjkD/GkWTYEt3EqhnAGDOwQc60DtyuY1w82bhtIhCmNcnLAUEXYlJMXN +iPy1owKuY0EBt3VO3KsI5RqZTGgvYHtB2XpnyRLutnwAsMQceUl3r3CMRoNagTGw ++gfY18819b5dgMSYp1+Im0TtImMv/LOPjZY44Br24JisScaqQXc+DETEfafoIKsW +BBj1gfz5GsuUxdlnZHwwIM4MwtWvoU8/OHp3zVlDJZFLNBReTimV1La0DQARAQAB +tCBCcnlhbiBXLiBDYWxsIDxiY2FsbEBhcGFjaGUub3JnPokCOAQTAQIAIgUCS19q +NAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQTRVBELhFCOyuyxAArYgT +qrMxveqgKEEUrdnYF+hw1weoA5I4vJPUoAdsUr52WUZ2P8AnKxsESdGefA0XwG2v +t6qyo0fFce04YZ5gYjg5au0sYndN84vwysjuo5PKBR4mt3Ij097gMnotRzFDReJD +TB5Yk4oj0/jHMUkkS2dw3gM2DFfI2ILAaCRNbFapejwk4jCxt5JAGVEr+z8BEyOg +NcwL0X5G1qci+OR9cv0AzfChxaKNwW/oGpW/h5gM4jBQuElMmCxqDcyAlIHLaGoM +H73iGnD9U4bI05kvpIdqABQrfDoN1QyQkiqG640LnP4WVHycNDIyOeeQcDVenK5a +IOm/4gnErOyzQkPS0v5J4jD4df2lvxXnoSvjLySCeA1um/HV/gF02NufyoMHDJFD +QeEIjQu6KLYPNOT3dMeuioqtIsncylmAXiSqnwrP7zfp2RWRaWzAgP1SSZMzF/80 +a+6W5uQt8j2ok/z0NPCKQflS+oU4Gc5C+/KHUrdDCY5GcwwgFBv1i41jXdjh0nkz +VzX/asUIO9ptW8TR7aIcS3lm847YV4isNvWlroeGhmVfIk8M8RqsDfq7HPLvqipI +V2phFiUEiON8OgD0x8+2fTnveE/lY1jpjYUg73XOcHG6wna4D6ECTzlG3s4QtBrI +gcUFY97nfHgt6sT/ix7jB746wVfKgRzRyCuCwxK5Ag0ES19qNAEQAL3rbob4n3jy +cUhDIqg7bzReb4rfoS5JWKVCu169q8aGys2HJ4tCKtPE2ldwHKo55nTZsQQTbaLM +WxznmGWxESV4OJKDDNXOhctISaiwOSNEj58QvDGmcmK38ZlrSsuoUNgpbnFfxlwx +DBu0Nh5ocKiNJcBx5BwhrD9hzqaSW/HjQU52EUrLfT5gYnT25ZtmTIEzonbT1AGb +vMWPQeNVHwUZmy7foFIp68Hw4Z54SWWB6wOs3sPg5PfptfrTe2TTCe1CfcUCCzAJ +IEeNK8u2tYwK1u02pmYJ2nXxCo0op0bP4Bo40USbqI40qf37WAjGYIik31upNOU7 +Ku6vYopQMV8kB7i5HBuYzTvxjCz+dC8P2TuALwmMCpOdBQ5c+lT4gRr5kt0OlD1k +IpL/vrlTFsmhILe5KbawfM2ZwM6KbJyX0er38XNK4HPpHiyaNrLS2bQSDgBU8PC5 +sOHKpOXq404owDybkOfiB0voCJm/e7RkOI6AyeokCobXzcO6ZrWmwiRwXz9K5EuK +IfA8gWs5i3pK3X9cBMnjQ/uMSL0w7SY5khUAMFwECM73YW53E+hqaB7LG26ATjql +esM3uhaVd3INNNp+haoHSsRUY7DZh2s/ghX5t/T/pkRzfNimVdejYOUxAHHX4x8S +fcXsB1I9r81wolbUqaddHdZLYS4Z7ZBNABEBAAGJAh8EGAECAAkFAktfajQCGwwA +CgkQTRVBELhFCOyNpw//fF6pKllSPv9yvNAMvt+Ly0hk6GwOCRYCMe9uQuk7EDTI +idiG6DbzEKsqGIugvcyMrOGJxGDfSc+I8KgOhsuY31aWllSLyMo2fVFPECztPPFt +7IovwXe1sSA5d278KG2Xi+2Z0W0XMnCqVLLoQoFqkVvbgaLKWrvgk93yozsYYcJd +2iDIseyL3YzuqSNeLoXf0DWlMDX8oXtemlD87oWJWOnfHTVMLmGM45qAvmcDf96b +ZiDjdo4Sn6LSu5Xn/fCNrZOtpTDXJPJ9fb9APz4n2tdTS4UrzCQdtYEaNxb5LeP7 +MySMOITpZ2xrmC3SzL67STXn4POTxXa8lnY1DCpGUL8uxYej8cXkPDSC9sX836vJ +DbalYPHlgb5Fyn9pb+LoZWhUKxtfp6dp8N2kVKJ1yLlTwVdRFEicF5hqiMa6Curk +TVIVb9VQxEzw9bnBmoi9k4XLJAHz35cFvLNjJVSt0naNqjpy6fxHllJ6I1s6dJe9 +jGfECEc1sw1vLjS4f+NIGTSjciuxWkOfZ3Ulw3RPuUbeMHMC6FEfv35M1dDRv3ec +xIBKO0t7qvJ8Q6b/DzwW+IhqzLTK5bXEXVKS1zAJ3Iyd1QOmGOLdP/caoKV313J5 +YVz+bqtclFVJQ20cqAPhWEf7UNZTFCwa1CAKbPIGKYoDSCId4sqsNyRCmbRqY8A= +=Ycol +-----END PGP PUBLIC KEY BLOCK----- diff --git a/watch b/watch new file mode 100644 index 00000000..20374fd5 --- /dev/null +++ b/watch @@ -0,0 +1,5 @@ +version=4 +opts="pgpsigurlmangle=s/$/.asc/,dversionmangle=s/\+ds\d*$//,repacksuffix=+ds,repack,compression=xz" \ + https://downloads.apache.org/trafficserver/ \ + trafficserver-(\d+\.\d+.\d+)\.tar\.bz2 \ + debian uupdate