commit df2a5aa801daa6c337879c84e23faaeb4e9eeda6 Author: MSVSphere Packaging Team Date: Fri Apr 14 15:55:28 2023 +0300 import rsyslog-8.2102.0-111.el9 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8a200b6 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/qpid-proton-0.34.0.tar.gz +SOURCES/rsyslog-8.2102.0.tar.gz +SOURCES/rsyslog-doc-8.2102.0.tar.gz diff --git a/.rsyslog.metadata b/.rsyslog.metadata new file mode 100644 index 0000000..e0fc0e7 --- /dev/null +++ b/.rsyslog.metadata @@ -0,0 +1,3 @@ +390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz +fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz +9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz diff --git a/SOURCES/openssl3-compatibility.patch b/SOURCES/openssl3-compatibility.patch new file mode 100644 index 0000000..c86fe23 --- /dev/null +++ b/SOURCES/openssl3-compatibility.patch @@ -0,0 +1,83 @@ +diff -up ./qpid-proton-0.34.0/c/src/ssl/openssl.c.orig ./qpid-proton-0.34.0/c/src/ssl/openssl.c +--- ./qpid-proton-0.34.0/c/src/ssl/openssl.c.orig 2021-06-01 09:29:27.976842727 +0200 ++++ ./qpid-proton-0.34.0/c/src/ssl/openssl.c 2021-06-01 09:31:05.232015887 +0200 +@@ -353,65 +353,6 @@ static int verify_callback(int preverify + return preverify_ok; + } + +-// This was introduced in v1.1 +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- dh->p = p; +- dh->q = q; +- dh->g = g; +- return 1; +-} +-#endif +- +-// this code was generated using the command: +-// "openssl dhparam -C -2 2048" +-static DH *get_dh2048(void) +-{ +- static const unsigned char dhp_2048[]={ +- 0xAE,0xF7,0xE9,0x66,0x26,0x7A,0xAC,0x0A,0x6F,0x1E,0xCD,0x81, +- 0xBD,0x0A,0x10,0x7E,0xFA,0x2C,0xF5,0x2D,0x98,0xD4,0xE7,0xD9, +- 0xE4,0x04,0x8B,0x06,0x85,0xF2,0x0B,0xA3,0x90,0x15,0x56,0x0C, +- 0x8B,0xBE,0xF8,0x48,0xBB,0x29,0x63,0x75,0x12,0x48,0x9D,0x7E, +- 0x7C,0x24,0xB4,0x3A,0x38,0x7E,0x97,0x3C,0x77,0x95,0xB0,0xA2, +- 0x72,0xB6,0xE9,0xD8,0xB8,0xFA,0x09,0x1B,0xDC,0xB3,0x80,0x6E, +- 0x32,0x0A,0xDA,0xBB,0xE8,0x43,0x88,0x5B,0xAB,0xC3,0xB2,0x44, +- 0xE1,0x95,0x85,0x0A,0x0D,0x13,0xE2,0x02,0x1E,0x96,0x44,0xCF, +- 0xA0,0xD8,0x46,0x32,0x68,0x63,0x7F,0x68,0xB3,0x37,0x52,0xCE, +- 0x3A,0x4E,0x48,0x08,0x7F,0xD5,0x53,0x00,0x59,0xA8,0x2C,0xCB, +- 0x51,0x64,0x3D,0x5F,0xEF,0x0E,0x5F,0xE6,0xAF,0xD9,0x1E,0xA2, +- 0x35,0x64,0x37,0xD7,0x4C,0xC9,0x24,0xFD,0x2F,0x75,0xBB,0x3A, +- 0x15,0x82,0x76,0x4D,0xC2,0x8B,0x1E,0xB9,0x4B,0xA1,0x33,0xCF, +- 0xAA,0x3B,0x7C,0xC2,0x50,0x60,0x6F,0x45,0x69,0xD3,0x6B,0x88, +- 0x34,0x9B,0xE4,0xF8,0xC6,0xC7,0x5F,0x10,0xA1,0xBA,0x01,0x8C, +- 0xDA,0xD1,0xA3,0x59,0x9C,0x97,0xEA,0xC3,0xF6,0x02,0x55,0x5C, +- 0x92,0x1A,0x39,0x67,0x17,0xE2,0x9B,0x27,0x8D,0xE8,0x5C,0xE9, +- 0xA5,0x94,0xBB,0x7E,0x16,0x6F,0x53,0x5A,0x6D,0xD8,0x03,0xC2, +- 0xAC,0x7A,0xCD,0x22,0x98,0x8E,0x33,0x2A,0xDE,0xAB,0x12,0xC0, +- 0x0B,0x7C,0x0C,0x20,0x70,0xD9,0x0B,0xAE,0x0B,0x2F,0x20,0x9B, +- 0xA4,0xED,0xFD,0x49,0x0B,0xE3,0x4A,0xF6,0x28,0xB3,0x98,0xB0, +- 0x23,0x1C,0x09,0x33, +- }; +- static const unsigned char dhg_2048[]={ +- 0x02, +- }; +- DH *dh = DH_new(); +- BIGNUM *dhp_bn, *dhg_bn; +- +- if (dh == NULL) +- return NULL; +- dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); +- dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); +- if (dhp_bn == NULL || dhg_bn == NULL +- || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { +- DH_free(dh); +- BN_free(dhp_bn); +- BN_free(dhg_bn); +- return NULL; +- } +- return dh; +-} +- + typedef struct { + char *id; + SSL_SESSION *session; +@@ -542,13 +483,6 @@ static bool pni_init_ssl_domain( pn_ssl_ + domain->default_seclevel = SSL_CTX_get_security_level(domain->ctx); + # endif + +- DH *dh = get_dh2048(); +- if (dh) { +- SSL_CTX_set_tmp_dh(domain->ctx, dh); +- DH_free(dh); +- SSL_CTX_set_options(domain->ctx, SSL_OP_SINGLE_DH_USE); +- } +- + return true; + } + diff --git a/SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch b/SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch new file mode 100644 index 0000000..e9a188d --- /dev/null +++ b/SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch @@ -0,0 +1,93 @@ +diff -up ./plugins/imjournal/imjournal.c.default-tag ./plugins/imjournal/imjournal.c +--- ./plugins/imjournal/imjournal.c.default-tag 2018-05-17 08:50:11.416418022 -0400 ++++ ./plugins/imjournal/imjournal.c 2018-05-17 08:53:02.884418022 -0400 +@@ -78,6 +78,7 @@ static struct configSettings_s { + int bWorkAroundJournalBug; /* deprecated, left for backwards compatibility only */ + int bFsync; + int bRemote; ++ char *dfltTag; + } cs; + + static rsRetVal facilityHdlr(uchar **pp, void *pVal); +@@ -93,7 +94,8 @@ static struct cnfparamdescr modpdescr[] + { "usepid", eCmdHdlrString, 0 }, + { "workaroundjournalbug", eCmdHdlrBinary, 0 }, + { "fsync", eCmdHdlrBinary, 0 }, +- { "remote", eCmdHdlrBinary, 0 } ++ { "remote", eCmdHdlrBinary, 0 }, ++ { "defaulttag", eCmdHdlrGetWord, 0 } + }; + static struct cnfparamblk modpblk = + { CNFPARAMBLK_VERSION, +@@ -104,6 +106,7 @@ static struct cnfparamblk modpblk = + #define DFLT_persiststateinterval 10 + #define DFLT_SEVERITY pri2sev(LOG_NOTICE) + #define DFLT_FACILITY pri2fac(LOG_USER) ++#define DFLT_TAG "journal" + + static int bLegacyCnfModGlobalsPermitted = 1;/* are legacy module-global config parameters permitted? */ + +@@ -268,7 +271,7 @@ readjournal(void) + + /* Information from messages */ + char *message = NULL; +- char *sys_iden; ++ char *sys_iden = NULL; + char *sys_iden_help = NULL; + + const void *get; +@@ -331,7 +334,7 @@ readjournal(void) + if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) { + CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden)); + } else { +- CHKmalloc(sys_iden = strdup("journal")); ++ CHKmalloc(sys_iden = strdup(cs.dfltTag)); + } + + /* trying to get PID, default is "SYSLOG_PID" property */ +@@ -654,6 +657,11 @@ CODESTARTrunInput + "\"usepidfromsystem\" is depricated, use \"usepid\" instead"); + } + ++ if (cs.dfltTag == NULL) { ++ cs.dfltTag = strdup(DFLT_TAG); ++ } ++ ++ + if (cs.usePid && (strcmp(cs.usePid, "system") == 0)) { + pidFieldName = "_PID"; + bPidFallBack = 0; +@@ -732,6 +740,7 @@ CODESTARTbeginCnfLoad + cs.bWorkAroundJournalBug = 1; + cs.bFsync = 0; + cs.bRemote = 0; ++ cs.dfltTag = NULL; + ENDbeginCnfLoad + + +@@ -754,6 +763,7 @@ BEGINfreeCnf + CODESTARTfreeCnf + free(cs.stateFile); + free(cs.usePid); ++ free(cs.dfltTag); + free(journalContext.cursor); + statsobj.Destruct(&(statsCounter.stats)); + ENDfreeCnf +@@ -832,6 +842,8 @@ CODESTARTsetModCnf + cs.bFsync = (int) pvals[i].val.d.n; + } else if (!strcmp(modpblk.descr[i].name, "remote")) { + cs.bRemote = (int) pvals[i].val.d.n; ++ } else if (!strcmp(modpblk.descr[i].name, "defaulttag")) { ++ cs.dfltTag = (char *)es_str2cstr(pvals[i].val.d.estr, NULL); + } else { + dbgprintf("imjournal: program error, non-handled " + "param '%s' in beginCnfLoad\n", modpblk.descr[i].name); +@@ -799,6 +820,8 @@ CODEmodInit_QueryRegCFSLineHdlr + facilityHdlr, &cs.iDfltFacility, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournalusepidfromsystem", 0, eCmdHdlrBinary, + NULL, &cs.bUseJnlPID, STD_LOADABLE_MODULE_ID)); ++ CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournaldefaulttag", 0, eCmdHdlrGetWord, ++ NULL, &cs.dfltTag, STD_LOADABLE_MODULE_ID)); + ENDmodInit + /* vim:set ai: + */ diff --git a/SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch b/SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch new file mode 100644 index 0000000..2faf05c --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch @@ -0,0 +1,67 @@ +diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c +--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-02-17 11:52:17.460043970 +0100 ++++ rsyslog-8.2102.0/runtime/rsconf.c 2023-02-17 12:00:49.881602881 +0100 +@@ -33,9 +33,6 @@ + #include + #include + #include +-#ifdef ENABLE_LIBCAPNG +- #include +-#endif + + #include "rsyslog.h" + #include "obj.h" +@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void) + uchar szBuf[1024]; + DEFiRet; + +-#ifndef ENABLE_LIBCAPNG ++ + if(!ourConf->globals.gidDropPrivKeepSupplemental) { + res = setgroups(0, NULL); /* remove all supplemental group IDs */ + if(res) { +@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void) + "could not set requested group id: %s via setgid()", szBuf); + ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV); + } +-#else +- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; +- res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags); +- if (res) { +- LogError(0, RS_RET_LIBCAPNG_ERR, +- "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv); +- ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR); +- } +-#endif + + DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res); + snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d", +@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid) + iUid, szBuf); + } + +-#ifndef ENABLE_LIBCAPNG ++ + res = setuid(iUid); +- // res = setuid(cnf->globals.uidDropPriv); +-#else +- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; +- res = capng_change_id(iUid, -1, capng_flags); +-#endif + + if(res) { + /* if we can not set the userid, this is fatal, so let's unconditionally abort */ +diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c +--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-02-17 11:52:00.011011019 +0100 ++++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-02-17 11:58:37.322491823 +0100 +@@ -2161,9 +2161,9 @@ main(int argc, char **argv) + CAP_LEASE, + CAP_NET_ADMIN, + CAP_NET_BIND_SERVICE, +- CAP_PERFMON, + CAP_SETGID, + CAP_SETUID, ++ CAP_DAC_OVERRIDE, + CAP_SYS_ADMIN, + CAP_SYS_CHROOT, + CAP_SYS_RESOURCE, diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch b/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch new file mode 100644 index 0000000..a847084 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch @@ -0,0 +1,21 @@ +diff -up rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig rsyslog-8.2102.0/plugins/omrelp/omrelp.c +--- rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig 2021-06-15 12:46:14.758589030 +0200 ++++ rsyslog-8.2102.0/plugins/omrelp/omrelp.c 2021-06-15 12:47:08.130516632 +0200 +@@ -303,7 +303,7 @@ ENDfreeCnf + BEGINcreateInstance + CODESTARTcreateInstance + pData->sizeWindow = 0; +- pData->timeout = 90; ++ pData->timeout = 5; + pData->connTimeout = 10; + pData->rebindInterval = 0; + pData->bEnableTLS = DFLT_ENABLE_TLS; +@@ -365,7 +365,7 @@ setInstParamDefaults(instanceData *pData + pData->target = NULL; + pData->port = NULL; + pData->tplName = NULL; +- pData->timeout = 90; ++ pData->timeout = 5; + pData->connTimeout = 10; + pData->sizeWindow = 0; + pData->rebindInterval = 0; diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch new file mode 100644 index 0000000..b717972 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch @@ -0,0 +1,47 @@ +diff -up rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc rsyslog-8.2102.0/doc/configuration/modules/imfile.html +--- rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc 2021-02-15 12:53:31.000000000 +0100 ++++ rsyslog-8.2102.0/doc/configuration/modules/imfile.html 2022-03-29 10:35:07.187827004 +0200 +@@ -294,6 +294,28 @@ rsyslog needs write permissions to work + also might require SELinux definitions (or similar for other enhanced security + systems).

+ ++
++

deleteStateOnFileMove

++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++
typedefaultmandatoryobsolete legacy directive
binaryoffnonone
++

This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.

++ ++

However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.

++
+ +
+

Input Parameters

+@@ -1214,6 +1236,7 @@ and Others.

+
  • sortFiles
    • +
  • PollingInterval
    • +
  • statefile.directory
    • ++
  • deleteStateOnFileMove
    • + + +
  • Input Parameters
      +@@ -1311,4 +1334,4 @@ and Others.

      + + +- +\ No newline at end of file ++ diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch new file mode 100644 index 0000000..161f90c --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch @@ -0,0 +1,162 @@ +diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking rsyslog-8.2102.0/plugins/imfile/imfile.c +--- rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/plugins/imfile/imfile.c 2022-03-28 12:51:03.572554843 +0200 +@@ -259,6 +259,7 @@ struct modConfData_s { + Must be manually reset to 0 if desired. Helper for + polling mode. + */ ++ sbool deleteStateOnFileMove; + }; + static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */ + static modConfData_t *runModConf = NULL;/* modConf ptr to use for run process */ +@@ -305,7 +306,8 @@ static struct cnfparamdescr modpdescr[] + { "sortfiles", eCmdHdlrBinary, 0 }, + { "statefile.directory", eCmdHdlrString, 0 }, + { "normalizepath", eCmdHdlrBinary, 0 }, +- { "mode", eCmdHdlrGetWord, 0 } ++ { "mode", eCmdHdlrGetWord, 0 }, ++ { "deletestateonfilemove", eCmdHdlrBinary, 0 } + }; + static struct cnfparamblk modpblk = + { CNFPARAMBLK_VERSION, +@@ -545,11 +547,20 @@ static int + in_setupWatch(act_obj_t *const act, const int is_file) + { + int wd = -1; ++ int flags; + if(runModConf->opMode != OPMODE_INOTIFY) + goto done; + +- wd = inotify_add_watch(ino_fd, act->name, +- (is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO); ++ // wd = inotify_add_watch(ino_fd, act->name, ++ // (is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO); ++ if(is_file) ++ flags = IN_MODIFY|IN_DONT_FOLLOW; ++ else if(runModConf->deleteStateOnFileMove) ++ flags = IN_CREATE|IN_DELETE|IN_MOVED_TO; ++ else ++ flags = IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO; ++ wd = inotify_add_watch(ino_fd, act->name, flags); ++ + if(wd < 0) { + if (errno == EACCES) { /* There is high probability of selinux denial on top-level paths */ + DBGPRINTF("imfile: permission denied when adding watch for '%s'\n", act->name); +@@ -713,7 +724,7 @@ act_obj_add(fs_edge_t *const edge, const + char basename[MAXFNAME]; + DEFiRet; + int fd = -1; +- ++ + DBGPRINTF("act_obj_add: edge %p, name '%s' (source '%s')\n", edge, name, source? source : "---"); + for(act = edge->active ; act != NULL ; act = act->next) { + if(!strcmp(act->name, name)) { +@@ -977,9 +988,18 @@ act_obj_destroy(act_obj_t *const act, co + if(act == NULL) + return; + +- DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n", +- act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted, +- act->in_move); ++ // DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n", ++ // act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted, ++ // act->in_move); ++ if (runModConf->deleteStateOnFileMove) { ++ DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d\n", ++ act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted); ++ } else { ++ DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n", ++ act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, ++ is_deleted, act->in_move); ++ } ++ + if(act->is_symlink && is_deleted) { + act_obj_t *target_act; + for(target_act = act->edge->active ; target_act != NULL ; target_act = target_act->next) { +@@ -996,13 +1016,15 @@ act_obj_destroy(act_obj_t *const act, co + pollFile(act); /* get any left-over data */ + if(inst->bRMStateOnDel) { + statefn = getStateFileName(act, statefile, sizeof(statefile)); +- getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check! ++ // getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check! ++ getFullStateFileName(statefn, act->file_id, toDel, sizeof(toDel)); // TODO: check! + statefn = toDel; + } + persistStrmState(act); + strm.Destruct(&act->pStrm); + /* we delete state file after destruct in case strm obj initiated a write */ +- if(is_deleted && !act->in_move && inst->bRMStateOnDel) { ++ // if(is_deleted && !act->in_move && inst->bRMStateOnDel) { ++ if(is_deleted && inst->bRMStateOnDel && (runModConf->deleteStateOnFileMove || !act->in_move)) { + DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn); + unlink((char*)statefn); + } +@@ -1012,6 +1034,7 @@ act_obj_destroy(act_obj_t *const act, co + } + #ifdef HAVE_INOTIFY_INIT + if(act->wd != -1) { ++ inotify_rm_watch(ino_fd, act->wd); + wdmapDel(act->wd); + } + #endif +@@ -2026,6 +2049,7 @@ CODESTARTbeginCnfLoad + loadModConf->timeoutGranularity = 1000; /* default: 1 second */ + loadModConf->haveReadTimeouts = 0; /* default: no timeout */ + loadModConf->normalizePath = 1; ++ loadModConf->deleteStateOnFileMove = 0; + loadModConf->sortFiles = GLOB_NOSORT; + loadModConf->stateFileDirectory = NULL; + loadModConf->conf_tree = calloc(sizeof(fs_node_t), 1); +@@ -2085,6 +2109,8 @@ CODESTARTsetModCnf + loadModConf->stateFileDirectory = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(modpblk.descr[i].name, "normalizepath")) { + loadModConf->normalizePath = (sbool) pvals[i].val.d.n; ++ } else if(!strcmp(modpblk.descr[i].name, "deletestateonfilemove")) { ++ loadModConf->deleteStateOnFileMove = (sbool) pvals[i].val.d.n; + } else if(!strcmp(modpblk.descr[i].name, "mode")) { + if(!es_strconstcmp(pvals[i].val.d.estr, "polling")) + loadModConf->opMode = OPMODE_POLLING; +@@ -2388,16 +2414,35 @@ in_processEvent(struct inotify_event *ev + DBGPRINTF("in_processEvent process Event %x is_file %d, act->name '%s'\n", + ev->mask, etry->act->edge->is_file, etry->act->name); + +- if((ev->mask & IN_MOVED_FROM)) { +- flag_in_move(etry->act->edge->node->edges, ev->name); +- } +- if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) { +- fs_node_walk(etry->act->edge->node, poll_tree); +- } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) { +- in_handleFileEvent(ev, etry); // esentially poll_file()! ++ // if((ev->mask & IN_MOVED_FROM)) { ++ // flag_in_move(etry->act->edge->node->edges, ev->name); ++ // } ++ // if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) { ++ // fs_node_walk(etry->act->edge->node, poll_tree); ++ // } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) { ++ // in_handleFileEvent(ev, etry); // esentially poll_file()! ++ // } else { ++ // fs_node_walk(etry->act->edge->node, poll_tree); ++ // } ++ if(!runModConf->deleteStateOnFileMove) { ++ if((ev->mask & IN_MOVED_FROM)) { ++ flag_in_move(etry->act->edge->node->edges, ev->name); ++ } ++ if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) { ++ fs_node_walk(etry->act->edge->node, poll_tree); ++ } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) { ++ in_handleFileEvent(ev, etry); // esentially poll_file()! ++ } else { ++ fs_node_walk(etry->act->edge->node, poll_tree); ++ } + } else { +- fs_node_walk(etry->act->edge->node, poll_tree); ++ if((ev->mask & IN_MODIFY) && etry->act->edge->is_file && !(etry->act->is_symlink)) { ++ in_handleFileEvent(ev, etry); // esentially poll_file()! ++ } else { ++ fs_node_walk(etry->act->edge->node, poll_tree); ++ } + } ++ + done: return; + } + diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch b/SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch new file mode 100644 index 0000000..931987a --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch @@ -0,0 +1,163 @@ +diff -up rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan rsyslog-8.2102.0/contrib/imdocker/imdocker.c +--- rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/contrib/imdocker/imdocker.c 2021-07-22 14:10:31.877231143 +0200 +@@ -1527,6 +1527,7 @@ process_json(sbool isInit, const char* j + pInstances->last_container_id, + (unsigned)pInstances->last_container_created); + } ++ // coverity[leaked_storage : FALSE] + CHKiRet(dockerContLogsInstSetUrlById(isInit, pInst, + pInstances->curlm, containerId)); + CHKiRet(dockerContLogReqsAdd(pInstances, pInst)); +diff -up rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c +--- rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c 2021-07-22 14:10:31.877231143 +0200 +@@ -324,7 +324,6 @@ BEGINnewActInst + struct cnfparamvals *pvals; + int i; + int iNumTpls; +- uchar *keydup = NULL; + CODESTARTnewActInst + if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL) + ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS); +@@ -417,14 +416,11 @@ CODESTARTnewActInst + CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)pData->tplName, OMSR_NO_RQD_TPL_OPTS)); + + if (pData->dynaKey) { +- CHKmalloc(keydup = ustrdup(pData->key)); + CHKiRet(OMSRsetEntry(*ppOMSR, 1, ustrdup(pData->key), OMSR_NO_RQD_TPL_OPTS)); +- keydup = NULL; /* handed over */ + } + + CODE_STD_FINALIZERnewActInst + cnfparamvalsDestruct(pvals, &actpblk); +- free(keydup); + ENDnewActInst + + +diff -up rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c +--- rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c 2021-07-22 14:10:31.877231143 +0200 +@@ -778,6 +778,7 @@ static rsRetVal publishRabbitMQ(wrkrInst + ABORT_FINALIZE(RS_RET_RABBITMQ_CONN_ERR); + } + ++ // coverity[identical_branches : FALSE] + if (manage_error(amqp_basic_publish(self->a_conn, 1, exchange, routing_key, + 0, 0, p_amqp_props, body_bytes), "amqp_basic_publish")) { + /* error already notified */ +diff -up rsyslog-8.2102.0/grammar/rainerscript.c.covscan rsyslog-8.2102.0/grammar/rainerscript.c +--- rsyslog-8.2102.0/grammar/rainerscript.c.covscan 2021-02-15 12:06:16.000000000 +0100 ++++ rsyslog-8.2102.0/grammar/rainerscript.c 2021-07-22 14:10:31.878231140 +0200 +@@ -2814,7 +2814,7 @@ evalVar(struct cnfvar *__restrict__ cons + if(bMustBeFreed) + free(pszProp); + } +- ++ // coverity[leaked_storage : FALSE] + } + + /* perform a string comparision operation against a while array. Semantic is +diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan rsyslog-8.2102.0/plugins/imfile/imfile.c +--- rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/plugins/imfile/imfile.c 2021-07-22 14:10:31.878231140 +0200 +@@ -1278,6 +1278,7 @@ static void ATTR_NONNULL(1) + getFileID(act_obj_t *const act) + { + char tmp_id[FILE_ID_HASH_SIZE]; ++ // coverity[buffer_size_warning : FALSE] + strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE); + act->file_id[0] = '\0'; + assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */ +@@ -1290,6 +1291,7 @@ getFileID(act_obj_t *const act) + DBGPRINTF("getFileID partial or error read, ret %d\n", r); + } + if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */ ++ // coverity[buffer_size_warning : FALSE] + strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE); + } + DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id); +@@ -1544,6 +1546,7 @@ openFileWithoutStateFile(act_obj_t *cons + const int fd = open(act->name, O_RDONLY | O_CLOEXEC); + if(fd >= 0) { + act->pStrm->iCurrOffs = lseek64(fd, 0, SEEK_END); ++ close(fd); + if(act->pStrm->iCurrOffs < 0) { + act->pStrm->iCurrOffs = 0; + LogError(errno, RS_RET_ERR, "imfile: could not query current " +diff -up rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan rsyslog-8.2102.0/plugins/imptcp/imptcp.c +--- rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/plugins/imptcp/imptcp.c 2021-07-22 14:10:31.878231140 +0200 +@@ -1920,6 +1920,7 @@ lstnActivity(ptcplstn_t *const pLstn) + } + + finalize_it: ++ // coverity[leaked_handle : FALSE] + RETiRet; + } + +diff -up rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c +--- rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c 2021-07-22 14:10:31.879231138 +0200 +@@ -394,7 +394,7 @@ CODEmodInit_QueryRegCFSLineHdlr + ABORT_FINALIZE(RS_RET_NO_MSG_PASSING); + } + +- ++ // coverity[identical_branches : FALSE] + CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, + resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); + ENDmodInit +diff -up rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c +--- rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c 2021-07-22 14:10:31.879231138 +0200 +@@ -368,6 +368,7 @@ writeDataError(wrkrInstanceData_t *const + } + + finalize_it: ++ // coverity[leaked_storage : FALSE] + RETiRet; + } + +diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan rsyslog-8.2102.0/runtime/nsd_gtls.c +--- rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2021-07-22 14:17:06.183174167 +0200 +@@ -227,7 +227,7 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis) + pThis->bOurKeyIsInit = 1; + CHKgnutls(gnutls_x509_privkey_import(pThis->ourKey, &data, GNUTLS_X509_FMT_PEM)); + free(data.data); +- ++ data.data = NULL; + + finalize_it: + if(iRet == RS_RET_CERTLESS) { +diff -up rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan rsyslog-8.2102.0/runtime/nsd_ptcp.c +--- rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan 2021-02-15 08:20:04.000000000 +0100 ++++ rsyslog-8.2102.0/runtime/nsd_ptcp.c 2021-07-22 14:10:31.879231138 +0200 +@@ -191,6 +191,7 @@ SetTlsVerifyDepth(nsd_t __attribute__((u + nsd_ptcp_t *pThis = (nsd_ptcp_t*) pNsd; + DEFiRet; + ISOBJ_TYPE_assert((pThis), nsd_ptcp); ++ // coverity[identical_branches : FALSE] + if (verifyDepth == 0) { + FINALIZE; + } +diff -up rsyslog-8.2102.0/tools/rsyslogd.c.covscan rsyslog-8.2102.0/tools/rsyslogd.c +--- rsyslog-8.2102.0/tools/rsyslogd.c.covscan 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/tools/rsyslogd.c 2021-07-22 14:10:31.879231138 +0200 +@@ -293,6 +293,7 @@ writePidFile(void) + free((void*)tmpPidFile); + } + finalize_it: ++ // coverity[leaked_storage : FALSE] + RETiRet; + } + +@@ -1026,6 +1027,7 @@ splitOversizeMessage(smsg_t *const pMsg) + /* if necessary, write partial last segment */ + if(len_last_segment != 0) { + CHKmalloc(pMsg_seg = MsgDup(pMsg)); ++ // coverity[copy_paste_error : FALSE] + MsgSetRawMsg(pMsg_seg, rawmsg + (nsegments * maxlen), len_last_segment); + submitMsg2(pMsg_seg); + } diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch b/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch new file mode 100644 index 0000000..f95dd5a --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch @@ -0,0 +1,20 @@ +diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c +--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2021-06-15 12:30:35.238832058 +0200 ++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2021-06-15 12:32:04.699721356 +0200 +@@ -565,6 +565,8 @@ persistJournalState(void) + ABORT_FINALIZE(RS_RET_IO_ERROR); + } + ++ fflush(sf); ++ + /* change the name of the file to the configured one */ + if (rename(tmp_sf, cs.stateFile) < 0) { + LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile); +@@ -586,6 +588,7 @@ persistJournalState(void) + LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir()); + ABORT_FINALIZE(RS_RET_IO_ERROR); + } ++ closedir(wd); + } + + DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch b/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch new file mode 100644 index 0000000..344eef6 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch @@ -0,0 +1,102 @@ +diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c +--- rsyslog-8.2102.0/runtime/cfsysline.c.orig 2021-08-04 07:16:02.663163106 +0200 ++++ rsyslog-8.2102.0/runtime/cfsysline.c 2021-08-04 07:18:05.952490008 +0200 +@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR + assert(*pp != NULL); + + if(getSubString(pp, (char*) szName, sizeof(szName), ' ') != 0) { +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "could not extract group name: %s\n", (char*)szName); +- exit(1); /* good exit */ +- } else { +- LogError(0, RS_RET_NOT_FOUND, "could not extract group name"); +- ABORT_FINALIZE(RS_RET_NOT_FOUND); +- } ++ LogError(0, RS_RET_NOT_FOUND, "could not extract group name"); ++ ABORT_FINALIZE(RS_RET_NOT_FOUND); + } + + do { +@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR + LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName); + } + iRet = RS_RET_NOT_FOUND; +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "ID for group '%s' could not be found or error\n", szName); +- exit(1); /* good exit */ +- } + } else { + if(pSetHdlr == NULL) { + /* we should set value directly to var */ +@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR + assert(*pp != NULL); + + if(getSubString(pp, (char*) szName, sizeof(szName), ' ') != 0) { +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "could not extract user name: %s\n", (char*)szName); +- exit(1); /* good exit */ +- } else { +- LogError(0, RS_RET_NOT_FOUND, "could not extract user name"); +- ABORT_FINALIZE(RS_RET_NOT_FOUND); +- } ++ LogError(0, RS_RET_NOT_FOUND, "could not extract user name"); ++ ABORT_FINALIZE(RS_RET_NOT_FOUND); + } + + getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf); + + if(ppwBuf == NULL) { +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName); +- exit(1); /* good exit */ +- } else { +- LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName); +- iRet = RS_RET_NOT_FOUND; +- } ++ LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName); ++ iRet = RS_RET_NOT_FOUND; + } else { + if(pSetHdlr == NULL) { + /* we should set value directly to var */ +diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c +--- rsyslog-8.2102.0/runtime/glbl.c.orig 2021-08-04 07:18:19.301633677 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.c 2021-08-04 07:19:02.409019106 +0200 +@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc + { "environment", eCmdHdlrArray, 0 }, + { "processinternalmessages", eCmdHdlrBinary, 0 }, + { "umask", eCmdHdlrFileCreateMode, 0 }, +- { "security.abortonidresolutionfail", eCmdHdlrBinary, 0 }, + { "internal.developeronly.options", eCmdHdlrInt, 0 }, + { "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 }, + { "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 }, +@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void) + glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) { + loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n; +- } else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) { +- loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) { + *(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) { +diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c +--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2021-08-04 07:19:13.103104854 +0200 ++++ rsyslog-8.2102.0/runtime/rsconf.c 2021-08-04 07:19:44.635357684 +0200 +@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh + pThis->globals.maxErrMsgToStderr = -1; + pThis->globals.umask = -1; + pThis->globals.gidDropPrivKeepSupplemental = 0; +- pThis->globals.abortOnIDResolutionFail = 1; + pThis->templates.root = NULL; + pThis->templates.last = NULL; + pThis->templates.lastStatic = NULL; +diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h +--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2021-08-04 07:20:15.848607958 +0200 ++++ rsyslog-8.2102.0/runtime/rsconf.h 2021-08-04 07:20:42.782823920 +0200 +@@ -73,7 +73,6 @@ struct globals_s { + int uidDropPriv; /* user-id to which priveleges should be dropped to */ + int gidDropPriv; /* group-id to which priveleges should be dropped to */ + int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */ +- int abortOnIDResolutionFail; + int umask; /* umask to use */ + uchar *pszConfDAGFile; /* name of config DAG file, non-NULL means generate one */ + diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch b/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch new file mode 100644 index 0000000..710f48c --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch @@ -0,0 +1,26 @@ +diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c +--- rsyslog-8.2102.0/runtime/ratelimit.c.orig 2021-07-27 10:37:50.972903104 +0200 ++++ rsyslog-8.2102.0/runtime/ratelimit.c 2021-07-27 10:38:26.141002988 +0200 +@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c + { + DEFiRet; + rsRetVal localRet; +- int severity = 0; + + *ppRepMsg = NULL; + +@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c + DBGPRINTF("Message discarded, parsing error %d\n", localRet); + ABORT_FINALIZE(RS_RET_DISCARDMSG); + } +- severity = pMsg->iSeverity; + } + } + + /* Only the messages having severity level at or below the + * treshold (the value is >=) are subject to ratelimiting. */ +- if(ratelimit->interval && (severity >= ratelimit->severity)) { ++ if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) { + char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */ + snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg), + getAPPNAME(pMsg, 0)); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch b/SOURCES/rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch new file mode 100644 index 0000000..20817c6 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch @@ -0,0 +1,11 @@ +diff -up ./rsyslog-8.2102.0/runtime/nsd_gtls.c.ori ./rsyslog-8.2102.0/runtime/nsd_gtls.c +--- rsyslog-8.2102.0/runtime/nsd_gtls.c.ori 2022-01-17 15:50:08.285827256 +0100 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2022-01-17 15:52:33.282594512 +0100 +@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew + pNew->gnutlsPriorityString = pThis->gnutlsPriorityString; + pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth; + pNew->dataTypeCheck = pThis->dataTypeCheck; ++ pNew->bSANpriority = pThis->bSANpriority; + + /* if we reach this point, we are in TLS mode */ + iRet = gtlsInitSession(pNew); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch b/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch new file mode 100644 index 0000000..0c3a3a7 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch @@ -0,0 +1,215 @@ +diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c +--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig 2022-04-11 09:26:17.826271989 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2022-04-11 09:33:28.702012052 +0200 +@@ -556,7 +556,9 @@ gtlsRecordRecv(nsd_gtls_t *pThis) + DEFiRet; + + ISOBJ_TYPE_assert(pThis, nsd_gtls); +- DBGPRINTF("gtlsRecordRecv: start\n"); ++ DBGPRINTF("gtlsRecordRecv: start (Pending Data: %zd | Wanted Direction: %s)\n", ++ gnutls_record_check_pending(pThis->sess), ++ (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ ? "READ" : "WRITE") ); + + lenRcvd = gnutls_record_recv(pThis->sess, pThis->pszRcvBuf, NSD_GTLS_MAX_RCVBUF); + if(lenRcvd >= 0) { +@@ -581,14 +583,30 @@ gtlsRecordRecv(nsd_gtls_t *pThis) + (NSD_GTLS_MAX_RCVBUF+lenRcvd)); + pThis->lenRcvBuf = NSD_GTLS_MAX_RCVBUF+lenRcvd; + } else { +- goto sslerr; ++ if (lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) { ++ goto sslerragain; /* Go to ERR AGAIN handling */ ++ } else { ++ /* Do all other error handling */ ++ int gnuRet = lenRcvd; ++ ABORTgnutls; ++ } + } + } + } else if(lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) { +-sslerr: +- pThis->rtryCall = gtlsRtry_recv; +- dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n"); +- ABORT_FINALIZE(RS_RET_RETRY); ++sslerragain: ++ /* Check if the underlaying file descriptor needs to read or write data!*/ ++ if (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ) { ++ pThis->rtryCall = gtlsRtry_recv; ++ dbgprintf("GnuTLS receive requires a retry, this most probably is OK and no error condition\n"); ++ ABORT_FINALIZE(RS_RET_RETRY); ++ } else { ++ uchar *pErr = gtlsStrerror(lenRcvd); ++ LogError(0, RS_RET_GNUTLS_ERR, "GnuTLS receive error %zd has wrong read direction(wants write) " ++ "- this could be caused by a broken connection. GnuTLS reports: %s\n", ++ lenRcvd, pErr); ++ free(pErr); ++ ABORT_FINALIZE(RS_RET_GNUTLS_ERR); ++ } + } else { + int gnuRet = lenRcvd; + ABORTgnutls; +@@ -1978,6 +1996,7 @@ static rsRetVal + Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf) + { + int iSent; ++ int wantsWriteData = 0; + nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; + DEFiRet; + ISOBJ_TYPE_assert(pThis, nsd_gtls); +@@ -1998,10 +2017,12 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t * + break; + } + if(iSent != GNUTLS_E_INTERRUPTED && iSent != GNUTLS_E_AGAIN) { ++ /* Check if the underlaying file descriptor needs to read or write data!*/ ++ wantsWriteData = gnutls_record_get_direction(pThis->sess); + uchar *pErr = gtlsStrerror(iSent); +- LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d - this " +- "could be caused by a broken connection. GnuTLS reports: %s \n", +- iSent, pErr); ++ LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d, wantsWriteData=%d - this " ++ "could be caused by a broken connection. GnuTLS reports: %s\n", ++ iSent, wantsWriteData, pErr); + free(pErr); + gnutls_perror(iSent); + ABORT_FINALIZE(RS_RET_GNUTLS_ERR); +diff -up rsyslog-8.2102.0/runtime/nsd_gtls.h.orig rsyslog-8.2102.0/runtime/nsd_gtls.h +--- rsyslog-8.2102.0/runtime/nsd_gtls.h.orig 2022-04-11 09:26:32.744262781 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.h 2022-04-11 09:34:29.909982895 +0200 +@@ -33,6 +33,11 @@ typedef enum { + gtlsRtry_recv = 2 + } gtlsRtryCall_t; /**< IDs of calls that needs to be retried */ + ++typedef enum { ++ gtlsDir_READ = 0, /**< GNUTLS wants READ */ ++ gtlsDir_WRITE = 1 /**< GNUTLS wants WRITE */ ++} gtlsDirection_t; ++ + typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */ + + /* the nsd_gtls object */ +diff -up rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig rsyslog-8.2102.0/runtime/nsdsel_gtls.c +--- rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig 2022-04-11 09:26:42.529256742 +0200 ++++ rsyslog-8.2102.0/runtime/nsdsel_gtls.c 2022-04-11 09:38:27.425869737 +0200 +@@ -81,6 +81,7 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds + + ISOBJ_TYPE_assert(pThis, nsdsel_gtls); + ISOBJ_TYPE_assert(pNsdGTLS, nsd_gtls); ++ DBGPRINTF("Add on nsd %p:\n", pNsdGTLS); + if(pNsdGTLS->iMode == 1) { + if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) { + ++pThis->iBufferRcvReady; +@@ -99,6 +100,8 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds + } + } + ++ dbgprintf("nsdsel_gtls: reached end on nsd %p, calling nsdsel_ptcp.Add with waitOp %d... \n", pNsdGTLS, waitOp); ++ + /* if we reach this point, we need no special handling */ + CHKiRet(nsdsel_ptcp.Add(pThis->pTcp, pNsdGTLS->pTcp, waitOp)); + +@@ -120,7 +123,8 @@ Select(nsdsel_t *pNsdsel, int *piNumRead + if(pThis->iBufferRcvReady > 0) { + /* we still have data ready! */ + *piNumReady = pThis->iBufferRcvReady; +- dbgprintf("nsdsel_gtls: doing dummy select, data present\n"); ++ dbgprintf("nsdsel_gtls: doing dummy select for %p->iBufferRcvReady=%d, data present\n", ++ pThis, pThis->iBufferRcvReady); + } else { + iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady); + } +@@ -138,7 +142,7 @@ doRetry(nsd_gtls_t *pNsd) + DEFiRet; + int gnuRet; + +- dbgprintf("GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall); ++ dbgprintf("doRetry: GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall); + + /* We follow a common scheme here: first, we do the systen call and + * then we check the result. So far, the result is checked after the +@@ -151,7 +155,7 @@ doRetry(nsd_gtls_t *pNsd) + case gtlsRtry_handshake: + gnuRet = gnutls_handshake(pNsd->sess); + if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) { +- dbgprintf("GnuTLS handshake retry did not finish - " ++ dbgprintf("doRetry: GnuTLS handshake retry did not finish - " + "setting to retry (this is OK and can happen)\n"); + FINALIZE; + } else if(gnuRet == 0) { +@@ -167,9 +171,20 @@ doRetry(nsd_gtls_t *pNsd) + } + break; + case gtlsRtry_recv: +- dbgprintf("retrying gtls recv, nsd: %p\n", pNsd); +- CHKiRet(gtlsRecordRecv(pNsd)); +- pNsd->rtryCall = gtlsRtry_None; /* we are done */ ++ dbgprintf("doRetry: retrying gtls recv, nsd: %p\n", pNsd); ++ iRet = gtlsRecordRecv(pNsd); ++ if (iRet == RS_RET_RETRY) { ++ // Check if there is pending data ++ size_t stBytesLeft = gnutls_record_check_pending(pNsd->sess); ++ if (stBytesLeft > 0) { ++ // We are in retry and more data waiting, finalize it ++ goto finalize_it; ++ } else { ++ dbgprintf("doRetry: gtlsRecordRecv returned RETRY, but there is no pending" ++ "data on nsd: %p\n", pNsd); ++ } ++ } ++ pNsd->rtryCall = gtlsRtry_None; /* no more data, we are done */ + gnuRet = 0; + break; + case gtlsRtry_None: +@@ -241,7 +256,7 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd, + * socket. -- rgerhards, 2010-11-20 + */ + if(pThis->iBufferRcvReady) { +- dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n"); ++ dbgprintf("nsd_gtls: dummy read, %p->buffer not available for this FD\n", pThis); + *pbIsReady = 0; + FINALIZE; + } +diff -up rsyslog-8.2102.0/runtime/tcpsrv.c.orig rsyslog-8.2102.0/runtime/tcpsrv.c +--- rsyslog-8.2102.0/runtime/tcpsrv.c.orig 2022-04-11 09:27:00.376245726 +0200 ++++ rsyslog-8.2102.0/runtime/tcpsrv.c 2022-04-11 09:41:57.885777708 +0200 +@@ -609,14 +609,15 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t * + int oserr = 0; + + ISOBJ_TYPE_assert(pThis, tcpsrv); +- DBGPRINTF("netstream %p with new data\n", (*ppSess)->pStrm); ++ prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ DBGPRINTF("netstream %p with new data from remote peer %s\n", (*ppSess)->pStrm, pszPeer); + /* Receive message */ + iRet = pThis->pRcvData(*ppSess, buf, sizeof(buf), &iRcvd, &oserr); + switch(iRet) { + case RS_RET_CLOSED: + if(pThis->bEmitMsgOnClose) { + errno = 0; +- prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ // prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); + LogError(0, RS_RET_PEER_CLOSED_CONN, "Netstream session %p closed by remote " + "peer %s.\n", (*ppSess)->pStrm, pszPeer); + } +@@ -632,13 +633,13 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t * + /* in this case, something went awfully wrong. + * We are instructed to terminate the session. + */ +- prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ // prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); + LogError(oserr, localRet, "Tearing down TCP Session from %s", pszPeer); + CHKiRet(closeSess(pThis, ppSess, pPoll)); + } + break; + default: +- prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ // prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); + LogError(oserr, iRet, "netstream session %p from %s will be closed due to error", + (*ppSess)->pStrm, pszPeer); + CHKiRet(closeSess(pThis, ppSess, pPoll)); +@@ -838,6 +839,7 @@ RunSelect(tcpsrv_t *pThis, nsd_epworkset + while(iTCPSess != -1) { + /* TODO: access to pNsd is NOT really CLEAN, use method... */ + CHKiRet(nssel.Add(pSel, pThis->pSessions[iTCPSess]->pStrm, NSDSEL_RD)); ++ DBGPRINTF("tcpsrv process session %d:\n", iTCPSess); + /* now get next... */ + iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess); + } diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch b/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch new file mode 100644 index 0000000..01a6fc4 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch @@ -0,0 +1,51 @@ +--- a/source/configuration/actions.rst 2020-01-13 09:35:54.000000000 +0100 ++++ b/source/configuration/actions.rst 2022-03-09 10:46:23.945881936 +0100 +@@ -90,6 +90,12 @@ + provided to the action in question, the action name as well as + the rsyslog status code roughly explaining why it failed. + ++- **action.errorfile.maxsize** integer ++ ++ In some cases, error file needs to be limited in size. ++ This option allows specifying a maximum size, in bytes, for the error file. ++ When error file reaches that size, no more errors are written to it. ++ + - **action.execOnlyOnceEveryInterval** integer + + Execute action only if the last execute is at last seconds in the +--- a/build/_sources/configuration/actions.rst.txt 2020-01-13 09:35:54.000000000 +0100 ++++ b/build/_sources/configuration/actions.rst.txt 2022-03-09 11:17:44.391213038 +0100 +@@ -90,6 +90,12 @@ + provided to the action in question, the action name as well as + the rsyslog status code roughly explaining why it failed. + ++- **action.errorfile.maxsize** integer ++ ++ In some cases, error file needs to be limited in size. ++ This option allows specifying a maximum size, in bytes, for the error file. ++ When error file reaches that size, no more errors are written to it. ++ + - **action.execOnlyOnceEveryInterval** integer + + Execute action only if the last execute is at last seconds in the +--- a/build/configuration/actions.html 2021-02-15 12:53:30.000000000 +0100 ++++ b/build/configuration/actions.html 2022-03-09 11:27:04.035799702 +0100 +@@ -122,6 +122,11 @@ + provided to the action in question, the action name as well as + the rsyslog status code roughly explaining why it failed.

      + ++

    • action.errorfile.maxsize integer

      ++

      In some cases, error file needs to be limited in size. ++This option allows specifying a maximum size, in bytes, for the error file. ++When error file reaches that size, no more errors are written to it.

      ++
      • +

    • action.execOnlyOnceEveryInterval integer

      +

      Execute action only if the last execute is at last seconds in the + past (more info in ommail, but may be used with any action)

      +@@ -672,4 +677,4 @@ + + +- +\ No newline at end of file ++ diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch b/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch new file mode 100644 index 0000000..ba5bec9 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch @@ -0,0 +1,192 @@ +--- rsyslog-8.2102.0-ori/action.c 2021-02-15 12:06:16.000000000 +0100 ++++ rsyslog-8.2102.0-changes/action.c 2022-03-10 11:00:11.027242300 +0100 +@@ -198,6 +198,7 @@ + { "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */ + { "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */ + { "action.errorfile", eCmdHdlrString, 0 }, ++ { "action.errorfile.maxsize", eCmdHdlrInt, 0 }, + { "action.writeallmarkmessages", eCmdHdlrBinary, 0 }, /* legacy: actionwriteallmarkmessages */ + { "action.execonlyeverynthtime", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtime */ + { "action.execonlyeverynthtimetimeout", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtimetimeout */ +@@ -400,6 +401,8 @@ + pThis->iResumeRetryCount = 0; + pThis->pszName = NULL; + pThis->pszErrFile = NULL; ++ pThis->maxErrFileSize = 0; ++ pThis->errFileWritten = 0; + pThis->pszExternalStateFile = NULL; + pThis->fdErrFile = -1; + pThis->bWriteAllMarkMsgs = 1; +@@ -1436,6 +1439,14 @@ + pThis->pszName, pThis->pszErrFile); + goto done; + } ++ if (pThis->maxErrFileSize > 0) { ++ struct stat statbuf; ++ if (fstat(pThis->fdErrFile, &statbuf) == -1) { ++ LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile); ++ goto done; ++ } ++ pThis->errFileWritten += statbuf.st_size; ++ } + } + + for(int i = 0 ; i < nparams ; ++i) { +@@ -1454,16 +1465,26 @@ + char *const rendered = strdup((char*)fjson_object_to_json_string(etry)); + if(rendered == NULL) + goto done; +- const size_t toWrite = strlen(rendered) + 1; +- /* note: we use the '\0' inside the string to store a LF - we do not +- * otherwise need it and it safes us a copy/realloc. +- */ +- rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */ +- const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite); +- if(wrRet != (ssize_t) toWrite) { +- LogError(errno, RS_RET_IO_ERROR, +- "action %s: error writing errorFile %s, write returned %lld", +- pThis->pszName, pThis->pszErrFile, (long long) wrRet); ++ size_t toWrite = strlen(rendered) + 1; ++ // Check if need to truncate the amount of bytes to write ++ if (pThis->maxErrFileSize > 0) { ++ if (pThis->errFileWritten + toWrite > pThis->maxErrFileSize) { ++ // Truncate to the pending available ++ toWrite = pThis->maxErrFileSize - pThis->errFileWritten; ++ } ++ pThis->errFileWritten += toWrite; ++ } ++ if(toWrite > 0) { ++ /* note: we use the '\0' inside the string to store a LF - we do not ++ * otherwise need it and it safes us a copy/realloc. ++ */ ++ rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */ ++ const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite); ++ if(wrRet != (ssize_t) toWrite) { ++ LogError(errno, RS_RET_IO_ERROR, ++ "action %s: error writing errorFile %s, write returned %lld", ++ pThis->pszName, pThis->pszErrFile, (long long) wrRet); ++ } + } + free(rendered); + +@@ -2048,6 +2069,8 @@ + continue; /* this is handled seperately during module select! */ + } else if(!strcmp(pblk.descr[i].name, "action.errorfile")) { + pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL); ++ } else if(!strcmp(pblk.descr[i].name, "action.errorfile.maxsize")) { ++ pAction->maxErrFileSize = pvals[i].val.d.n; + } else if(!strcmp(pblk.descr[i].name, "action.externalstate.file")) { + pAction->pszExternalStateFile = es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(pblk.descr[i].name, "action.writeallmarkmessages")) { +--- rsyslog-8.2102.0-ori/action.h 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0-changes/action.h 2022-03-04 11:36:47.024588972 +0100 +@@ -77,6 +77,8 @@ + /* error file */ + const char *pszErrFile; + int fdErrFile; ++ size_t maxErrFileSize; ++ size_t errFileWritten; + pthread_mutex_t mutErrFile; + /* external stat file system */ + const char *pszExternalStateFile; +--- rsyslog-8.2102.0-ori/tests/Makefile.am 2021-02-15 12:06:16.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/Makefile.am 2022-03-04 11:38:01.625095709 +0100 +@@ -695,7 +695,8 @@ + mysql-actq-mt.sh \ + mysql-actq-mt-withpause.sh \ + action-tx-single-processing.sh \ +- action-tx-errfile.sh ++ action-tx-errfile.sh \ ++ action-tx-errfile-maxsize.sh + + mysql-basic.log: mysqld-start.log + mysql-basic-cnf6.log: mysqld-start.log +@@ -2156,6 +2157,8 @@ + sndrcv_omudpspoof_nonstdpt.sh \ + sndrcv_gzip.sh \ + action-tx-single-processing.sh \ ++ omfwd-errfile-maxsize.sh \ ++ action-tx-errfile-maxsize.sh \ + action-tx-errfile.sh \ + testsuites/action-tx-errfile.result \ + pipeaction.sh \ +--- rsyslog-8.2102.0-ori/tests/omfwd-errfile-maxsize.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize.sh 2022-03-04 11:39:02.060506234 +0100 +@@ -0,0 +1,17 @@ ++#!/bin/bash ++# part of the rsyslog project, released under ASL 2.0 ++. ${srcdir:=.}/diag.sh init ++ ++export MAX_ERROR_SIZE=1999 ++ ++generate_conf ++add_conf ' ++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist" ++ action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'") ++' ++startup ++shutdown_when_empty ++wait_shutdown ++check_file_exists ${RSYSLOG2_OUT_LOG} ++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE} ++exit_test +--- rsyslog-8.2102.0-ori/tests/action-tx-errfile-maxsize.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/action-tx-errfile-maxsize.sh 2022-03-04 11:59:22.592796989 +0100 +@@ -0,0 +1,35 @@ ++#!/bin/bash ++# part of the rsyslog project, released under ASL 2.0 ++ ++. ${srcdir:=.}/diag.sh init ++ ++export NUMMESSAGES=50 # enough to generate big file ++export MAX_ERROR_SIZE=100 ++ ++generate_conf ++add_conf ' ++$ModLoad ../plugins/ommysql/.libs/ommysql ++global(errormessagestostderr.maxnumber="5") ++ ++template(type="string" name="tpl" string="insert into SystemEvents (Message, Facility) values (\"%msg%\", %$!facility%)" option.sql="on") ++ ++if((not($msg contains "error")) and ($msg contains "msgnum:")) then { ++ set $.num = field($msg, 58, 2); ++ if $.num % 2 == 0 then { ++ set $!facility = $syslogfacility; ++ } else { ++ set $/cntr = 0; ++ } ++ action(type="ommysql" name="mysql_action_errfile_maxsize" server="127.0.0.1" template="tpl" ++ db="'$RSYSLOG_DYNNAME'" uid="rsyslog" pwd="testbench" action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'") ++} ++' ++mysql_prep_for_test ++startup ++injectmsg ++shutdown_when_empty ++wait_shutdown ++mysql_get_data ++check_file_exists ${RSYSLOG2_OUT_LOG} ++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE} ++exit_test +--- rsyslog-8.2102.0/tests/omfwd-errfile-maxsize-filled.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize-filled.sh 2022-03-08 16:24:01.174365289 +0100 +@@ -0,0 +1,19 @@ ++#!/bin/bash ++# part of the rsyslog project, released under ASL 2.0 ++. ${srcdir:=.}/diag.sh init ++ERRFILE=$(mktemp) ++export MAX_ERROR_SIZE=1999 ++export INITIAL_FILE_SIZE=$((MAX_ERROR_SIZE - 100)) ++dd if=/dev/urandom of=${ERRFILE} bs=1 count=${INITIAL_FILE_SIZE} ++generate_conf ++add_conf ' ++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist" ++ action.errorfile="'$ERRFILE'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'") ++' ++startup ++shutdown_when_empty ++wait_shutdown ++check_file_exists ${ERRFILE} ++file_size_check ${ERRFILE} ${MAX_ERROR_SIZE} ++exit_test ++rm ${ERRFILE} diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch b/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch new file mode 100644 index 0000000..5c46529 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch @@ -0,0 +1,25 @@ +--- rsyslog-8.2102.0/doc/configuration/global/index.html 2021-02-15 12:53:30.000000000 +0100 ++++ rsyslog-8.2102.0.backup.doc.202209071236/doc/configuration/global/index.html 2022-09-07 12:33:21.318360707 +0200 +@@ -119,7 +119,14 @@ + network stream driver to use. + Defaults to ptcp.

      +
      • +-

    • $DefaultNetstreamDriverCAFile </path/to/cafile.pem>

      ++

    • $DefaultNetstreamDriverCAFile </path/to/cafile.pem>

      ++
      • ++

    • $NetstreamDriverCAExtraFiles </path/to/extracafile.pem> - ++This directive allows to configure multiple additional extra CA files. ++This is intended for SSL certificate chains to work appropriately, ++as the different CA files in the chain need to be specified. ++It must be remarked that this directive only works with the OpenSSL driver. ++

      +
      • +

    • $DefaultNetstreamDriverCertFile </path/to/certfile.pem>

      +
      • +@@ -311,4 +318,4 @@ + + +- +\ No newline at end of file ++ diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch b/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch new file mode 100644 index 0000000..172bc51 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch @@ -0,0 +1,682 @@ +--- rsyslog-8.2102.0.ori/runtime/glbl.h 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.h 2022-09-06 11:13:31.538674778 +0200 +@@ -72,6 +72,7 @@ + SIMP_PROP(DfltNetstrmDrvrCAF, uchar*) + SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*) + SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*) ++ SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*) + SIMP_PROP(ParserControlCharacterEscapePrefix, uchar) + SIMP_PROP(ParserDropTrailingLFOnReception, int) + SIMP_PROP(ParserEscapeControlCharactersOnReceive, int) +--- rsyslog-8.2102.0.ori/runtime/glbl.c 2022-09-06 10:37:26.440149338 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.c 2022-09-06 11:12:06.198378210 +0200 +@@ -122,6 +122,7 @@ + static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */ + static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */ + static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */ ++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */ + int bTerminateInputs = 0; /* global switch that inputs shall terminate ASAP (1=> terminate) */ + static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */ + static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */ +@@ -176,6 +177,7 @@ + { "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 }, + { "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 }, + { "defaultnetstreamdriver", eCmdHdlrString, 0 }, ++ { "netstreamdrivercaextrafiles", eCmdHdlrString, 0 }, + { "maxmessagesize", eCmdHdlrSize, 0 }, + { "oversizemsg.errorfile", eCmdHdlrGetWord, 0 }, + { "oversizemsg.report", eCmdHdlrBinary, 0 }, +@@ -307,6 +309,8 @@ + /* TODO: use custom function which frees existing value */ + SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*) + /* TODO: use custom function which frees existing value */ ++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*) ++/* TODO: use custom function which frees existing value */ + + #undef SIMP_PROP + #undef SIMP_PROP_SET +@@ -830,6 +834,13 @@ + return(pszDfltNetstrmDrvr == NULL ? DFLT_NETSTRM_DRVR : pszDfltNetstrmDrvr); + } + ++/* return the additional ca extra files */ ++static uchar* ++GetNetstrmDrvrCAExtraFiles(void) ++{ ++ return(pszNetstrmDrvrCAExtraFiles); ++} ++ + + /* return the current default netstream driver CA File */ + static uchar* +@@ -925,6 +936,7 @@ + SIMP_PROP(DfltNetstrmDrvrCAF) + SIMP_PROP(DfltNetstrmDrvrKeyFile) + SIMP_PROP(DfltNetstrmDrvrCertFile) ++ SIMP_PROP(NetstrmDrvrCAExtraFiles) + #ifdef USE_UNLIMITED_SELECT + SIMP_PROP(FdSetSize) + #endif +@@ -945,6 +957,8 @@ + pszDfltNetstrmDrvrKeyFile = NULL; + free(pszDfltNetstrmDrvrCertFile); + pszDfltNetstrmDrvrCertFile = NULL; ++ free(pszNetstrmDrvrCAExtraFiles); ++ pszNetstrmDrvrCAExtraFiles = NULL; + free(LocalHostNameOverride); + LocalHostNameOverride = NULL; + free(oversizeMsgErrorFile); +@@ -1350,6 +1364,9 @@ + free(pszDfltNetstrmDrvr); + pszDfltNetstrmDrvr = (uchar*) + es_str2cstr(cnfparamvals[i].val.d.estr, NULL); ++ } else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) { ++ free(pszNetstrmDrvrCAExtraFiles); ++ pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL); + } else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) { + bPreserveFQDN = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, +@@ -1546,6 +1563,8 @@ + &pszDfltNetstrmDrvrKeyFile, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL, + &pszDfltNetstrmDrvrCertFile, NULL)); ++ CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL, ++ &pszNetstrmDrvrCAExtraFiles, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL)); +@@ -1579,6 +1598,7 @@ + free(pszDfltNetstrmDrvrCAF); + free(pszDfltNetstrmDrvrKeyFile); + free(pszDfltNetstrmDrvrCertFile); ++ free(pszNetstrmDrvrCAExtraFiles); + free(pszWorkDir); + free(LocalDomain); + free(LocalHostName); +--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-09-06 11:25:18.144130340 +0200 +@@ -88,6 +88,7 @@ + static short bHaveCA; + static short bHaveCert; + static short bHaveKey; ++static short bHaveExtraCAFiles; + static int bAnonInit; + static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER; + +@@ -413,7 +414,8 @@ + { + DEFiRet; + DBGPRINTF("openssl: entering osslGlblInit\n"); +- const char *caFile, *certFile, *keyFile; ++ const char *caFile, *certFile, *keyFile, *extraCaFile; ++ char *extraCaFiles; + + /* Setup OpenSSL library */ + if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) { +@@ -450,9 +452,27 @@ + } else { + bHaveKey = 1; + } ++ extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles(); ++ if(extraCaFiles == NULL) { ++ bHaveExtraCAFiles = 0; ++ } else { ++ bHaveExtraCAFiles = 1; ++ } + + /* Create main CTX Object */ + ctx = SSL_CTX_new(SSLv23_method()); ++ if(bHaveExtraCAFiles == 1) { ++ while((extraCaFile = strsep(&extraCaFiles, ","))) { ++ if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) { ++ LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. " ++ "Check at least: 1) file path is correct, 2) file exist, " ++ "3) permissions are correct, 4) file content is correct. " ++ "Open ssl error info may follow in next messages"); ++ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit"); ++ ABORT_FINALIZE(RS_RET_TLS_CERT_ERR); ++ } ++ } ++ } + if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) { + LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. " + "Check at least: 1) file path is correct, 2) file exist, " +@@ -476,7 +496,7 @@ + "Open ssl error info may follow in next messages"); + osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit"); + ABORT_FINALIZE(RS_RET_TLS_KEY_ERR); +- } ++ } + + /* Set CTX Options */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); /* Disable insecure SSLv2 Protocol */ +--- rsyslog-8.2102.0.ori/tests/Makefile.am 2022-09-06 10:37:26.447149363 +0200 ++++ rsyslog-8.2102.0/tests/Makefile.am 2022-09-06 12:05:55.443600359 +0200 +@@ -1247,7 +1247,8 @@ + sndrcv_tls_ossl_servercert_gtls_clientanon.sh \ + sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \ + sndrcv_tls_gtls_servercert_ossl_clientanon.sh \ +- sndrcv_tls_gtls_serveranon_ossl_clientanon.sh ++ sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \ ++ sndrcv_ossl_cert_chain.sh + endif + endif + +@@ -2575,6 +2576,7 @@ + sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \ + sndrcv_tls_gtls_servercert_ossl_clientanon.sh \ + sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \ ++ sndrcv_ossl_cert_chain.sh \ + omtcl.sh \ + omtcl.tcl \ + pmsnare-default.sh \ +--- rsyslog-8.2102.0.ori/tests/sndrcv_ossl_cert_chain.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/sndrcv_ossl_cert_chain.sh 2022-09-06 10:48:41.512496691 +0200 +@@ -0,0 +1,76 @@ ++#!/bin/bash ++# alorbach, 2019-01-16 ++# This file is part of the rsyslog project, released under ASL 2.0 ++. ${srcdir:=.}/diag.sh init ++export NUMMESSAGES=1000 ++# uncomment for debugging support: ++#export RSYSLOG_DEBUG="debug nostdout noprintmutexaction" ++export RSYSLOG_DEBUGLOG="log" ++generate_conf ++export PORT_RCVR="$(get_free_port)" ++### This is important, as it must be exactly the same ++### as the ones configured in used certificates ++export HOSTNAME="fedora" ++add_conf ' ++global( ++ DefaultNetstreamDriver="ossl" ++ DefaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-cert.pem'" ++ DefaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/server-cert.pem'" ++ DefaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/server-key.pem'" ++ NetstreamDriverCAExtraFiles="'$srcdir/testsuites/certchain/ca-root-cert.pem'" ++) ++ ++module( load="../plugins/imtcp/.libs/imtcp" ++ StreamDriver.Name="ossl" ++ StreamDriver.Mode="1" ++ PermittedPeer="'$HOSTNAME'" ++ StreamDriver.AuthMode="x509/name" ) ++# then SENDER sends to this port (not tcpflood!) ++input( type="imtcp" port="'$PORT_RCVR'" ) ++ ++$template outfmt,"%msg:F,58:2%\n" ++$template dynfile,"'$RSYSLOG_OUT_LOG'" # trick to use relative path names! ++:msg, contains, "msgnum:" ?dynfile;outfmt ++' ++startup ++export RSYSLOG_DEBUGLOG="log2" ++#valgrind="valgrind" ++generate_conf 2 ++export TCPFLOOD_PORT="$(get_free_port)" ++add_conf ' ++global( ++ defaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-root-cert.pem'" ++ defaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/client-cert.pem'" ++ defaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/client-key.pem'" ++) ++ ++# Note: no TLS for the listener, this is for tcpflood! ++$ModLoad ../plugins/imtcp/.libs/imtcp ++input( type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" ) ++ ++# set up the action ++action( type="omfwd" ++ protocol="tcp" ++ target="127.0.0.1" ++ port="'$PORT_RCVR'" ++ StreamDriver="ossl" ++ StreamDriverMode="1" ++ StreamDriverAuthMode="x509/name" ++ StreamDriverPermittedPeers="'$HOSTNAME'" ++ ) ++' 2 ++startup 2 ++ ++# now inject the messages into instance 2. It will connect to instance 1, ++# and that instance will record the data. ++tcpflood -m$NUMMESSAGES -i1 ++wait_file_lines ++# shut down sender when everything is sent, receiver continues to run concurrently ++shutdown_when_empty 2 ++wait_shutdown 2 ++# now it is time to stop the receiver as well ++shutdown_when_empty ++wait_shutdown ++ ++seq_check 1 $NUMMESSAGES ++exit_test +diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem +--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem 2022-09-06 10:48:41.513496694 +0200 +@@ -0,0 +1,29 @@ ++-----BEGIN CERTIFICATE----- ++MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ ++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh ++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe ++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw ++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0 ++MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G ++CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC ++M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi ++MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz ++sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn ++2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7 ++nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc ++gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85 +++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz ++LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E ++BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD ++VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV ++HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho ++dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld ++FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ ++uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId ++ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r ++wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ ++OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44 ++9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT ++DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0 ++jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA== ++-----END CERTIFICATE----- +diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem +--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem 2022-09-06 10:48:41.513496694 +0200 +@@ -0,0 +1,29 @@ ++-----BEGIN CERTIFICATE----- ++MIIE6jCCA1KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ ++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh ++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe ++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMG0xCzAJBgNVBAYTAkNaMRAw ++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0 ++MQwwCgYDVQQLEwNHU1MxHTAbBgNVBAMTFHJzeXNsb2crY2hhaW4rY2Fyb290MIIB ++ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuqAAv1OIGwQqCi1Mflrq8Buo ++G3UtiD8cMEovjzndFV4Ww5fm+R2vCv+tHq6a85mLL0wdqXh+/bAyDzxaULheXZel ++rGPuUFEH2BpOwKXBd31Vx1x32aN9iaoaND/JVQSp+9PeP9zyKeZIN2vFSyNK7LCA ++hdDXVoYeTktXMbm0vB2vMKk+5Vzc7WfyMfrdDvciuULzLU1RzRS2/RkHNlve5iVQ ++XbNN6CpVtXb0K/kcp4SQIVbNTD/g6Z3JnewSWwqjM9/axTC17rpqhsxaWk712Zjo ++lYeuWKfaF9eRXU951u/vrXMMRkDZe0cq5OiTbc1uUQag7uXkbUtEk5HDSihUWwxz ++MegUdUBXFN6EJ7OauWFOeyVJbbvPRa3q9fdlLILvv5/9SiMim6avcj6DlyUz2RhC ++YPh/gJHItuIbZ6hEU+aKqiDYMTHyibRoqOMZgsc8Vo1JAHQTI6gA8JQtGtjEbzIR ++GFkQkj4tvAQQgl5fs9nuweH9GoIaBl1IoIVZyR9PAgMBAAGjgZQwgZEwDwYDVR0T ++AQH/BAUwAwEB/zAkBgNVHREEHTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3Jh ++MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUr/RYFo8A1eqBi3sGMwqNvwHVk5sw ++KQYDVR0fBCIwIDAeoBygGoYYaHR0cDovLzEyNy4wLjAuMS9nZXRjcmwvMA0GCSqG ++SIb3DQEBCwUAA4IBgQBn/NZeqYon25QY1RmjYkCQ0B+uXsquGURETP30hQ+ltbbG ++u4jP+ll+oYkGVt1+eBi8Qw+rf8Qk3Q/+jmCoGS9vVjQc97r3YJxnFb3zB4HDCWdZ ++qXK7GeBlFA4XAtJO0ya8HCx4znuXKiNwqrJJHyyW2gvkY9raRkKOzj3/9jQXgAw4 ++1d8NR9SxjKA2PnCSWNdVQOAm4us2tJXJexvbRx+b9Yu8LgUX/AdT4zqkIV8n6oFV ++XNaGyOsDN/+4JEsKbBixL+g3Y6yQHrwKMYq/Gh1WF33u2yYCzMU4Lw9AoYRG0jHi ++iAFchiwneGdC7E+To+qNdH5QJY38ZI7kWg3ADcXzwhTmvVUz5DNub9raE6yZZ4uf ++CyTGAJjH9USuhwH3unmB0kDjEOExIJHm+9uNA8S/81cwoCl2pz/hzr2fQwR2YLSa ++ox9p6cnQmnkL2j2QXhTvjDIswJmxuR43yqDIZUlx6cq1pTSJeN+8WcB2iK61p4DH ++JhH8af3aLUI5FNNgjas= ++-----END CERTIFICATE----- +diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem +--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem 2022-09-06 10:48:41.513496694 +0200 +@@ -0,0 +1,26 @@ ++-----BEGIN CERTIFICATE----- ++MIIEXjCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ ++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh ++dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy ++MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV ++BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK ++BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitjbGllbnQwggEiMA0G ++CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSIbnL1ViRk9CAPerSirUpBtnR4qYD ++XzPSkVJzX5PKLJkeJ6z6oIPoioh59+70ipL5K4ETkmbUFaKP+Lrk7l53BvAnP8Ba ++1rWNV2gzgyiihGCs7N/iamh9Rzj5lQCvzUJhiTcphcptV+0IIf9rbEggEazbSg1A ++BHxS8EBUx+ddVJc6MAlEbA/sstkqfE14k8YZPZlU9ZmLjyHbsQbfXFegYee6WMP0 ++M7CqrMZ0ZWvDRWgqWOE+b8agmIKPb2VxJXuR3iXBJk8ANcrRzn/tXShMuGK5KiWL ++a6mFrzR6w55DgjIAKkmPO43jMO/qbWB91RVys/ztK7qIoXm3yadOeIU1AgMBAAGj ++gYwwgYkwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAkBgNVHREE ++HTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3JhMB0GA1UdDgQWBBSoW3Alxk4+ ++6Uwv80/UE5C5rT4e6TAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAN ++BgkqhkiG9w0BAQsFAAOCAYEA5Nbnwixitghw9Zg3DANXFXiOsQBx7KEup7+x7edw ++n9r2raqNJEjT2Fv+ClEA3CIdPF+4wjoolOPezrNJxKO3UpYCQeO4ZU/QVl8BX8NB ++4v1rUqXsvhE//4FcLvMM+6n8Nrtt1VRhks8N0b0p/md9dFKGucd4otPZm0sbOrsg ++nrhDYzZiFAzJg3zFwOOHzxP6iKj2mfq+2XRiKl7SlbnEj/8l21Ne1V+mDV5++AEZ ++N/quuf8zYHwwuc3Y8K84doow9yBpFqrpBbazb8586utrAbTbytCqskzImFIjo5Oa ++1ujWArMDsVGGr+NzFWwCTz8VTNNJ5H1cBin0gT41/OwUQv8DIJqzmSFTg9Uqmb2V ++ZwjIvMGE4Tz8phzD0IbSXYmQsSeku4olIDM1d+vLvBlipGAeInmA+nZmeZwdD04c ++poqUj+H3mj1r6WOlk2ivV0TUZKO/JHydkBVf2EQJlEmGuSq/7S889fx3GT7jGcOb ++gl5LlIaraMgA48dK8gJUWtJh ++-----END CERTIFICATE----- +diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem +--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem 2022-09-06 12:10:13.808498227 +0200 +@@ -0,0 +1,134 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Medium (2048 bits) ++ ++modulus: ++ 00:d2:21:b9:cb:d5:58:91:93:d0:80:3d:ea:d2:8a:b5 ++ 29:06:d9:d1:e2:a6:03:5f:33:d2:91:52:73:5f:93:ca ++ 2c:99:1e:27:ac:fa:a0:83:e8:8a:88:79:f7:ee:f4:8a ++ 92:f9:2b:81:13:92:66:d4:15:a2:8f:f8:ba:e4:ee:5e ++ 77:06:f0:27:3f:c0:5a:d6:b5:8d:57:68:33:83:28:a2 ++ 84:60:ac:ec:df:e2:6a:68:7d:47:38:f9:95:00:af:cd ++ 42:61:89:37:29:85:ca:6d:57:ed:08:21:ff:6b:6c:48 ++ 20:11:ac:db:4a:0d:40:04:7c:52:f0:40:54:c7:e7:5d ++ 54:97:3a:30:09:44:6c:0f:ec:b2:d9:2a:7c:4d:78:93 ++ c6:19:3d:99:54:f5:99:8b:8f:21:db:b1:06:df:5c:57 ++ a0:61:e7:ba:58:c3:f4:33:b0:aa:ac:c6:74:65:6b:c3 ++ 45:68:2a:58:e1:3e:6f:c6:a0:98:82:8f:6f:65:71:25 ++ 7b:91:de:25:c1:26:4f:00:35:ca:d1:ce:7f:ed:5d:28 ++ 4c:b8:62:b9:2a:25:8b:6b:a9:85:af:34:7a:c3:9e:43 ++ 82:32:00:2a:49:8f:3b:8d:e3:30:ef:ea:6d:60:7d:d5 ++ 15:72:b3:fc:ed:2b:ba:88:a1:79:b7:c9:a7:4e:78:85 ++ 35: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 1f:0c:c4:bb:8d:e6:ec:7b:ff:0f:34:17:02:cd:64:3f ++ 8f:b7:97:ff:f9:af:fd:dd:56:7c:0a:c6:e9:94:99:07 ++ 46:08:e2:ab:f8:cc:c7:31:11:67:61:3e:75:9c:c4:ed ++ 3a:cc:66:e2:51:7b:c8:52:fa:16:74:16:89:c5:7f:47 ++ ef:4a:85:42:32:56:39:eb:d1:da:dc:96:e0:06:9d:1d ++ 1a:7b:f2:f4:92:2c:4f:0c:53:fd:e3:43:55:3a:a5:05 ++ ee:0b:ac:8f:02:2a:0b:46:36:cc:40:d9:d1:31:ca:e6 ++ 92:36:0c:a1:40:9b:f9:0d:b5:e3:b2:5d:d4:bc:27:5a ++ 17:fd:3f:bd:8e:44:55:f2:e3:96:ac:cc:11:be:65:01 ++ 55:98:92:92:ac:59:46:fd:e2:11:80:eb:18:56:6a:82 ++ 3c:79:ec:30:b7:06:9b:97:55:74:36:17:7e:d8:c6:95 ++ 4e:a5:e1:55:5a:2a:d6:5d:cc:86:39:88:82:ba:31:19 ++ 98:d7:26:28:09:fe:b4:38:fe:1b:43:19:19:4f:ae:f2 ++ 27:18:d6:07:9a:c2:1c:66:2d:5a:e6:22:2e:ca:71:26 ++ dc:76:8f:2e:f3:84:e3:61:5f:77:d3:63:8a:d0:6b:42 ++ 2a:6f:1b:98:91:b9:82:8d:d4:c4:f3:92:98:b4:a4:f1 ++ ++ ++prime1: ++ 00:e1:f4:19:35:e3:e2:e7:14:a6:56:8b:45:f9:2b:19 ++ bb:13:b3:66:73:44:5d:ca:69:cb:73:d9:78:5a:0f:fd ++ de:ba:74:b3:53:70:a9:ab:52:22:34:78:a2:26:4a:aa ++ 8f:1b:65:c1:3e:df:65:8c:9b:9a:70:04:ae:70:f6:ea ++ c4:e5:20:fa:16:e0:4f:56:f4:7b:d1:14:cc:94:e1:3c ++ 58:02:82:98:20:cd:13:cf:a2:49:13:7a:88:c1:84:72 ++ 97:4f:1b:e8:d5:cb:6d:43:dd:d2:b8:09:dd:4f:ee:ce ++ 03:0b:c4:c2:9b:cf:3d:a0:a3:57:fd:1c:c9:eb:af:ae ++ 67: ++ ++prime2: ++ 00:ee:13:05:f0:4c:13:e2:f8:27:53:c4:ad:89:d9:31 ++ b9:1b:e8:17:b9:db:36:cd:54:0c:15:eb:50:85:e4:8b ++ 03:c4:f2:6d:a0:41:dc:99:21:7e:1e:8a:a1:5e:86:fe ++ 53:d2:72:53:73:8a:7e:a2:43:83:d5:af:b0:e0:1a:89 ++ b5:3f:b3:26:d2:8e:92:0d:ed:d1:29:ee:c5:f1:ff:fc ++ 67:2c:a6:5d:4c:27:40:8a:5c:a1:23:d4:3f:11:bb:eb ++ 51:84:be:83:ec:73:3c:2e:ff:43:f6:74:16:b8:95:36 ++ 2a:0b:1e:04:81:04:08:7a:40:21:dd:fb:dd:97:0a:76 ++ 03: ++ ++coefficient: ++ 00:a0:4c:15:4b:85:2f:81:6b:2e:e7:68:31:84:84:09 ++ c4:45:55:01:da:3d:25:9d:37:67:ab:19:0b:1f:d3:9f ++ fc:09:12:31:66:5a:93:d8:d9:f2:00:c7:f7:03:0d:2b ++ 9d:2d:b8:38:d0:82:de:03:e7:21:03:29:4f:2a:2b:b5 ++ 70:a3:bc:5b:bd:0e:f1:8b:bc:22:58:4a:b4:8f:fd:f5 ++ d4:f3:99:31:b1:db:f6:1d:d9:12:a2:48:0a:d0:05:1a ++ 72:dc:8e:30:67:3c:e0:6a:b5:dc:93:6f:e4:17:79:a1 ++ 63:2e:25:78:ef:86:d7:9c:f3:dd:5b:d2:bd:62:4f:44 ++ f9: ++ ++exp1: ++ 60:a2:e2:49:5f:0e:83:20:1c:c7:f4:c6:d7:7b:2c:85 ++ 0b:36:f6:01:24:63:2c:97:b4:b0:f6:78:77:a4:51:42 ++ 79:e2:41:73:d5:42:6b:88:34:22:d6:d9:1a:a1:62:72 ++ d4:17:df:df:40:f2:10:81:d8:3a:42:76:4c:cf:fd:b6 ++ 79:fc:71:99:69:13:e5:af:a8:68:d2:89:70:bf:27:ec ++ c8:1e:0c:6c:32:e9:5f:2b:1c:2f:dd:7f:31:ac:b0:c9 ++ af:c6:d2:fc:e5:04:f5:3a:a0:cd:9f:42:6c:d6:48:7b ++ 9b:03:ea:eb:72:65:fc:17:00:21:bb:b7:4c:3a:95:cf ++ ++ ++exp2: ++ 00:a1:a7:61:1c:ed:4b:83:8e:24:86:08:c2:1d:1b:d1 ++ 5b:73:cb:80:70:be:9c:d3:87:02:3d:cf:ee:79:3b:d9 ++ f8:d1:3e:1b:99:f9:9e:a4:8b:cd:6b:47:8e:92:f4:ee ++ b4:53:ed:35:24:fb:21:49:64:b6:9b:de:14:27:d7:5d ++ 32:28:f2:a8:a5:c8:10:fc:4c:42:fe:4a:17:36:5f:2f ++ 2f:8f:6d:d7:63:e2:33:3c:bf:f0:da:b7:3f:ab:f7:01 ++ ad:f4:88:b8:63:51:4b:c8:4d:a4:04:30:87:4d:06:64 ++ 24:e0:2f:9d:b7:4c:d9:c4:c8:cf:36:3f:d3:12:c0:13 ++ a9: ++ ++ ++Public Key PIN: ++ pin-sha256:I1Gv1FM9aCxvuCmF0uDnbDbIJgm1TFB2dtJV5v2iCEA= ++Public Key ID: ++ sha256:2351afd4533d682c6fb82985d2e0e76c36c82609b54c507676d255e6fda20840 ++ sha1:a85b7025c64e3ee94c2ff34fd41390b9ad3e1ee9 ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpAIBAAKCAQEA0iG5y9VYkZPQgD3q0oq1KQbZ0eKmA18z0pFSc1+TyiyZHies +++qCD6IqIeffu9IqS+SuBE5Jm1BWij/i65O5edwbwJz/AWta1jVdoM4MoooRgrOzf ++4mpofUc4+ZUAr81CYYk3KYXKbVftCCH/a2xIIBGs20oNQAR8UvBAVMfnXVSXOjAJ ++RGwP7LLZKnxNeJPGGT2ZVPWZi48h27EG31xXoGHnuljD9DOwqqzGdGVrw0VoKljh ++Pm/GoJiCj29lcSV7kd4lwSZPADXK0c5/7V0oTLhiuSoli2upha80esOeQ4IyACpJ ++jzuN4zDv6m1gfdUVcrP87Su6iKF5t8mnTniFNQIDAQABAoIBAB8MxLuN5ux7/w80 ++FwLNZD+Pt5f/+a/93VZ8CsbplJkHRgjiq/jMxzERZ2E+dZzE7TrMZuJRe8hS+hZ0 ++FonFf0fvSoVCMlY569Ha3JbgBp0dGnvy9JIsTwxT/eNDVTqlBe4LrI8CKgtGNsxA ++2dExyuaSNgyhQJv5DbXjsl3UvCdaF/0/vY5EVfLjlqzMEb5lAVWYkpKsWUb94hGA ++6xhWaoI8eewwtwabl1V0Nhd+2MaVTqXhVVoq1l3MhjmIgroxGZjXJigJ/rQ4/htD ++GRlPrvInGNYHmsIcZi1a5iIuynEm3HaPLvOE42Ffd9NjitBrQipvG5iRuYKN1MTz ++kpi0pPECgYEA4fQZNePi5xSmVotF+SsZuxOzZnNEXcppy3PZeFoP/d66dLNTcKmr ++UiI0eKImSqqPG2XBPt9ljJuacASucPbqxOUg+hbgT1b0e9EUzJThPFgCgpggzRPP ++okkTeojBhHKXTxvo1cttQ93SuAndT+7OAwvEwpvPPaCjV/0cyeuvrmcCgYEA7hMF ++8EwT4vgnU8StidkxuRvoF7nbNs1UDBXrUIXkiwPE8m2gQdyZIX4eiqFehv5T0nJT ++c4p+okOD1a+w4BqJtT+zJtKOkg3t0SnuxfH//Gcspl1MJ0CKXKEj1D8Ru+tRhL6D ++7HM8Lv9D9nQWuJU2KgseBIEECHpAId373ZcKdgMCgYBgouJJXw6DIBzH9MbXeyyF ++Czb2ASRjLJe0sPZ4d6RRQnniQXPVQmuINCLW2RqhYnLUF9/fQPIQgdg6QnZMz/22 ++efxxmWkT5a+oaNKJcL8n7MgeDGwy6V8rHC/dfzGssMmvxtL85QT1OqDNn0Js1kh7 ++mwPq63Jl/BcAIbu3TDqVzwKBgQChp2Ec7UuDjiSGCMIdG9Fbc8uAcL6c04cCPc/u ++eTvZ+NE+G5n5nqSLzWtHjpL07rRT7TUk+yFJZLab3hQn110yKPKopcgQ/ExC/koX ++Nl8vL49t12PiMzy/8Nq3P6v3Aa30iLhjUUvITaQEMIdNBmQk4C+dt0zZxMjPNj/T ++EsATqQKBgQCgTBVLhS+Bay7naDGEhAnERVUB2j0lnTdnqxkLH9Of/AkSMWZak9jZ ++8gDH9wMNK50tuDjQgt4D5yEDKU8qK7Vwo7xbvQ7xi7wiWEq0j/311POZMbHb9h3Z ++EqJICtAFGnLcjjBnPOBqtdyTb+QXeaFjLiV474bXnPPdW9K9Yk9E+Q== ++-----END RSA PRIVATE KEY----- +diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem +--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem 2022-09-06 10:48:41.513496694 +0200 +@@ -0,0 +1,55 @@ ++-----BEGIN CERTIFICATE----- ++MIIEVTCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ ++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh ++dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy ++MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV ++BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK ++BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitzZXJ2ZXIwggEiMA0G ++CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3mDP67/SPVbCCgInxXNr9sOLz2yWx ++fa4jtgdbgWK5mib4XdPYTdH6hRiur/n6yn9rzhDeFFMUhSwQpQ81OyZfUFNU0A0q ++x7AZMgVOm3ZqMDk8O57UfuSdURJJPsEwMzZ8Q5d6wyq7xheX0DZjB8LUN8J6SX4w ++K2Ok1wCBOQdfjvW09tOVqQK7puHq85UWsEBTiZ7ie1Fg6FLNscPVoavjNNyYAORM ++Vz0Byv1zBdJzBHufqHUdjX7uMkUPcKfiU/TjQWMRYF3Yp5z2wFohi4Zgtise7xW5 ++SfgcAIjA1bm5xMIaiUxRUZHUhCaoj6c2vZygrFO7MuB/2ngoEbqZ57pdAgMBAAGj ++gYMwgYAwDAYDVR0TAQH/BAIwADAwBgNVHREEKTAnggZmZWRvcmGHBH8AAAGBF3Jv ++b3RAZmVkb3JhdGxzd3d3c2VydmVyMB0GA1UdDgQWBBRxxQqJoRCHlrmwDLcB0aU3 ++W/QRbDAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjANBgkqhkiG9w0B ++AQsFAAOCAYEAkheMCnXNDh2fOhMyOifBFKqlUUsYzZoYU5UNweZijdKAKxJ4zdsS ++i31a2IG4ePBPX7PShUUr2E1PEQ2XBDi/HcCoK54qcqzhxGS83Rf/2YxN4BjU8jaA ++7RhIA0fv5haKxxhjRIDT6vsAXPB0HM/f3Y+E21GVbsQVUE1pP8QrDkcU0EwIjEfW ++tFEBitmb0s/11d8/ZLdYAuvvfzDzuN9kuAcj5dkdpB5Wo9R3h2NXnD6EIWIUHn/I ++zwgXdb/n9gUI6jQMC6shFjXScVT2jgjfziWi/M66PBbtEbEnhOEKdbW0o2lPiL3j ++2UDj6fMshRBAnSoBtEYm/lywBs3vDUGpMUSQFIAwPgUkizAl5DEdmE9PLqRL9HNT ++UIg8tQql9Xr29edEiuMHpIyH8eEa+KI2CpKG3KfYDBMaC7z9MvkpYuSuIG3dsQxy ++YguWDH7c0iosQVpHx8dxj5Exj1/QOXcD5tAVY/+DBe48nRzDTlZmRGQjtqr6Nw0j ++BIXBoqaes0D4 ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ ++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh ++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe ++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw ++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0 ++MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G ++CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC ++M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi ++MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz ++sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn ++2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7 ++nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc ++gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85 +++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz ++LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E ++BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD ++VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV ++HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho ++dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld ++FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ ++uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId ++ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r ++wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ ++OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44 ++9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT ++DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0 ++jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA== ++-----END CERTIFICATE----- +diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem +--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem 2022-09-06 12:10:28.635549755 +0200 +@@ -0,0 +1,133 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Medium (2048 bits) ++ ++modulus: ++ 00:b7:98:33:fa:ef:f4:8f:55:b0:82:80:89:f1:5c:da ++ fd:b0:e2:f3:db:25:b1:7d:ae:23:b6:07:5b:81:62:b9 ++ 9a:26:f8:5d:d3:d8:4d:d1:fa:85:18:ae:af:f9:fa:ca ++ 7f:6b:ce:10:de:14:53:14:85:2c:10:a5:0f:35:3b:26 ++ 5f:50:53:54:d0:0d:2a:c7:b0:19:32:05:4e:9b:76:6a ++ 30:39:3c:3b:9e:d4:7e:e4:9d:51:12:49:3e:c1:30:33 ++ 36:7c:43:97:7a:c3:2a:bb:c6:17:97:d0:36:63:07:c2 ++ d4:37:c2:7a:49:7e:30:2b:63:a4:d7:00:81:39:07:5f ++ 8e:f5:b4:f6:d3:95:a9:02:bb:a6:e1:ea:f3:95:16:b0 ++ 40:53:89:9e:e2:7b:51:60:e8:52:cd:b1:c3:d5:a1:ab ++ e3:34:dc:98:00:e4:4c:57:3d:01:ca:fd:73:05:d2:73 ++ 04:7b:9f:a8:75:1d:8d:7e:ee:32:45:0f:70:a7:e2:53 ++ f4:e3:41:63:11:60:5d:d8:a7:9c:f6:c0:5a:21:8b:86 ++ 60:b6:2b:1e:ef:15:b9:49:f8:1c:00:88:c0:d5:b9:b9 ++ c4:c2:1a:89:4c:51:51:91:d4:84:26:a8:8f:a7:36:bd ++ 9c:a0:ac:53:bb:32:e0:7f:da:78:28:11:ba:99:e7:ba ++ 5d: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 68:06:20:25:a5:82:0f:18:c1:3b:20:33:88:83:51:3d ++ 7e:d5:08:d0:79:a9:f8:89:0b:88:de:e0:55:0e:28:15 ++ 94:d1:12:f0:ae:55:61:8d:2d:8e:8f:a3:fb:e2:c2:8b ++ b1:fc:7f:08:25:c1:f1:15:87:a3:22:b2:dc:39:58:83 ++ 96:d2:b0:72:75:93:70:b3:71:83:2b:08:a0:03:57:25 ++ 5d:b8:a8:1b:55:51:54:9d:62:4b:17:1f:2c:7c:ef:f7 ++ 86:2f:12:0c:27:ba:f5:cb:c6:a0:69:03:f7:d6:74:e8 ++ a3:73:58:b0:7d:84:33:81:70:eb:b5:48:82:94:8f:ea ++ 4c:c7:9c:58:02:90:68:b1:64:29:df:a8:8a:69:15:d4 ++ 49:21:2f:aa:25:f1:e7:10:8b:93:37:ca:51:d3:4e:d6 ++ de:cf:60:04:6b:10:41:1b:f5:0f:be:b7:2a:cd:41:44 ++ 50:25:be:e5:57:60:1e:3e:e9:d7:70:86:68:a6:4f:3d ++ 7d:d8:0e:7f:9b:de:de:e6:02:35:33:9f:b6:68:bb:cd ++ 2f:33:69:09:9e:da:91:6b:16:89:db:14:20:59:3a:92 ++ 7e:78:4e:e1:02:3f:c8:a5:3f:bd:f2:bc:3a:da:f2:97 ++ 06:f5:96:eb:c8:09:f7:04:cb:7f:e2:e2:12:52:d4:21 ++ ++ ++prime1: ++ 00:ed:e4:b8:72:ee:b0:9e:38:db:f8:e7:fa:52:a5:94 ++ 4a:4b:05:54:f0:96:23:72:d6:01:ba:9f:f4:3e:65:24 ++ 29:c0:47:4a:6f:a9:a4:02:36:c5:2c:c5:ea:cd:09:5c ++ 2d:8e:3c:56:aa:e4:e7:85:32:a8:a7:4f:18:12:17:8c ++ 93:15:07:da:3e:f4:df:33:7e:35:39:59:2d:f4:1c:ba ++ 65:e8:42:c7:75:a0:c2:53:47:ad:ee:74:44:21:6a:42 ++ 75:7f:40:1f:8b:06:0e:df:c3:02:4d:50:58:75:f2:29 ++ 58:e2:0c:a0:7b:fe:be:c4:ab:76:ff:24:c1:4b:e6:ce ++ 75: ++ ++prime2: ++ 00:c5:91:7c:48:59:dd:05:68:5c:8a:46:0b:3b:69:92 ++ 80:d1:c6:28:27:88:c8:a9:73:7c:32:ee:87:a7:31:29 ++ ff:56:38:41:07:3e:0f:01:5c:cf:eb:93:db:e7:fb:b9 ++ e7:15:94:93:ea:fa:f8:60:79:c6:16:d2:db:9b:64:5f ++ c3:b8:f0:52:c0:e7:ff:e0:9a:94:22:fb:7e:5e:80:8f ++ c0:ca:46:f4:87:91:e7:ad:6d:74:26:d1:fa:c0:f8:f5 ++ 7e:b3:0c:bb:23:5e:7d:5d:8b:c9:2e:68:76:be:d4:b4 ++ 75:de:3c:70:70:ad:1e:64:de:e4:1d:f7:df:af:46:0f ++ 49: ++ ++coefficient: ++ 00:89:f1:2c:f9:14:89:25:21:7a:ad:75:30:f0:b1:e7 ++ 20:b3:14:14:d7:c9:b6:78:3c:c7:c8:92:3a:64:8e:47 ++ d0:10:fc:01:a9:a6:25:a5:61:6d:8f:da:d4:85:fa:06 ++ 9f:a5:27:a8:7d:38:e2:67:19:65:ab:a9:00:52:8c:f3 ++ 51:fe:f9:a6:4f:ab:47:04:0a:86:ae:f0:fe:3d:2d:72 ++ 76:6d:ad:03:48:af:23:67:92:28:34:83:bc:45:7d:c0 ++ 45:ca:89:4a:4f:dd:11:a6:3a:5a:23:47:f4:7c:82:42 ++ dc:e8:56:85:d8:1b:9d:08:9c:6e:ca:17:58:d7:d4:bb ++ 77: ++ ++exp1: ++ 21:50:b8:ac:0f:d5:58:33:2a:4b:2f:61:95:15:6f:31 ++ 00:54:9c:d2:9c:94:16:4e:f6:2b:06:9f:93:e5:62:2d ++ 1e:aa:5d:38:4a:0f:97:e7:c7:b1:3f:7e:64:7c:7d:16 ++ 3c:27:23:14:07:be:8c:9e:cd:93:b0:b5:f4:42:ac:03 ++ 25:1c:d6:69:9e:ad:6b:6e:af:51:7a:b5:be:cc:0f:26 ++ 9a:62:4f:c0:9f:64:d7:78:e0:58:d6:9b:7b:fa:7f:98 ++ 28:db:f8:0e:e6:28:4b:19:ea:46:9d:8b:e5:e8:a5:f5 ++ b6:a2:82:0f:1b:5b:e7:fb:03:4d:33:fe:85:fc:aa:c9 ++ ++ ++exp2: ++ 59:36:db:22:68:c1:ef:a1:32:b8:95:ec:98:85:91:cc ++ 6d:ed:c7:50:22:ea:49:ea:86:59:11:71:5c:44:4d:2c ++ aa:28:78:e4:e6:57:2c:4c:56:ef:90:33:2b:4c:76:a4 ++ 2d:10:8c:c2:fd:55:8f:6b:2d:d2:3c:a1:42:48:4f:1e ++ 38:b2:fd:0b:73:38:0e:9a:7e:ee:55:16:b9:61:e0:88 ++ 34:4f:5a:38:a5:e0:32:66:4c:9f:03:0e:f2:78:f9:92 ++ 9f:13:ce:a5:a8:13:80:5c:91:1a:4d:bd:e1:6a:77:9b ++ 0a:21:cc:bc:74:d0:56:c8:77:c6:38:9a:5f:b1:89:51 ++ ++ ++ ++Public Key PIN: ++ pin-sha256:FSR0pC1TUEe+ZMU7YSVDDmYP4hmDlsIJRKf4D8LiJZ8= ++Public Key ID: ++ sha256:152474a42d535047be64c53b6125430e660fe2198396c20944a7f80fc2e2259f ++ sha1:71c50a89a1108796b9b00cb701d1a5375bf4116c ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAt5gz+u/0j1WwgoCJ8Vza/bDi89slsX2uI7YHW4FiuZom+F3T ++2E3R+oUYrq/5+sp/a84Q3hRTFIUsEKUPNTsmX1BTVNANKsewGTIFTpt2ajA5PDue ++1H7knVESST7BMDM2fEOXesMqu8YXl9A2YwfC1DfCekl+MCtjpNcAgTkHX471tPbT ++lakCu6bh6vOVFrBAU4me4ntRYOhSzbHD1aGr4zTcmADkTFc9Acr9cwXScwR7n6h1 ++HY1+7jJFD3Cn4lP040FjEWBd2Kec9sBaIYuGYLYrHu8VuUn4HACIwNW5ucTCGolM ++UVGR1IQmqI+nNr2coKxTuzLgf9p4KBG6mee6XQIDAQABAoIBAGgGICWlgg8YwTsg ++M4iDUT1+1QjQean4iQuI3uBVDigVlNES8K5VYY0tjo+j++LCi7H8fwglwfEVh6Mi ++stw5WIOW0rBydZNws3GDKwigA1clXbioG1VRVJ1iSxcfLHzv94YvEgwnuvXLxqBp ++A/fWdOijc1iwfYQzgXDrtUiClI/qTMecWAKQaLFkKd+oimkV1EkhL6ol8ecQi5M3 ++ylHTTtbez2AEaxBBG/UPvrcqzUFEUCW+5VdgHj7p13CGaKZPPX3YDn+b3t7mAjUz ++n7Zou80vM2kJntqRaxaJ2xQgWTqSfnhO4QI/yKU/vfK8Otrylwb1luvICfcEy3/i ++4hJS1CECgYEA7eS4cu6wnjjb+Of6UqWUSksFVPCWI3LWAbqf9D5lJCnAR0pvqaQC ++NsUsxerNCVwtjjxWquTnhTKop08YEheMkxUH2j703zN+NTlZLfQcumXoQsd1oMJT ++R63udEQhakJ1f0AfiwYO38MCTVBYdfIpWOIMoHv+vsSrdv8kwUvmznUCgYEAxZF8 ++SFndBWhcikYLO2mSgNHGKCeIyKlzfDLuh6cxKf9WOEEHPg8BXM/rk9vn+7nnFZST ++6vr4YHnGFtLbm2Rfw7jwUsDn/+CalCL7fl6Aj8DKRvSHkeetbXQm0frA+PV+swy7 ++I159XYvJLmh2vtS0dd48cHCtHmTe5B33369GD0kCgYAhULisD9VYMypLL2GVFW8x ++AFSc0pyUFk72Kwafk+ViLR6qXThKD5fnx7E/fmR8fRY8JyMUB76Mns2TsLX0QqwD ++JRzWaZ6ta26vUXq1vswPJppiT8CfZNd44FjWm3v6f5go2/gO5ihLGepGnYvl6KX1 ++tqKCDxtb5/sDTTP+hfyqyQKBgFk22yJowe+hMriV7JiFkcxt7cdQIupJ6oZZEXFc ++RE0sqih45OZXLExW75AzK0x2pC0QjML9VY9rLdI8oUJITx44sv0LczgOmn7uVRa5 ++YeCINE9aOKXgMmZMnwMO8nj5kp8TzqWoE4BckRpNveFqd5sKIcy8dNBWyHfGOJpf ++sYlRAoGBAInxLPkUiSUheq11MPCx5yCzFBTXybZ4PMfIkjpkjkfQEPwBqaYlpWFt ++j9rUhfoGn6UnqH044mcZZaupAFKM81H++aZPq0cECoau8P49LXJ2ba0DSK8jZ5Io ++NIO8RX3ARcqJSk/dEaY6WiNH9HyCQtzoVoXYG50InG7KF1jX1Lt3 ++-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch b/SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch new file mode 100644 index 0000000..de64bcc --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch @@ -0,0 +1,195 @@ +diff -up rsyslog-8.2102.0/configure.ac.orig rsyslog-8.2102.0/configure.ac +--- rsyslog-8.2102.0/configure.ac.orig 2022-11-21 11:39:40.717183684 +0100 ++++ rsyslog-8.2102.0/configure.ac 2022-11-21 11:40:18.697206706 +0100 +@@ -387,6 +387,28 @@ if test "$enable_fmhash_xxhash" = "yes"; + ]) + fi + ++AC_ARG_ENABLE(libcap-ng, ++ [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])], ++ [case "${enableval}" in ++ yes) enable_libcapng="yes" ;; ++ no) enable_libcapng="no" ;; ++ *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;; ++ esac], ++ [enable_libcapng=no] ++) ++ ++if test "$enable_libcapng" = "yes"; then ++ PKG_CHECK_MODULES( ++ [LIBCAPNG], ++ [libcap-ng >= 0.8.2], ++ [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])], ++ [AC_MSG_ERROR(libcap-ng is not present.)] ++ ) ++ CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS" ++ LIBS="$LIBS $LIBCAPNG_LIBS" ++fi ++ ++ + + #gssapi + AC_ARG_ENABLE(gssapi_krb5, +@@ -2688,6 +2710,7 @@ echo " liblogging-stdlog support enab + echo " libsystemd enabled: $enable_libsystemd" + echo " kafka static linking enabled: $enable_kafka_static" + echo " atomic operations enabled: $enable_atomic_operations" ++echo " libcap-ng support enabled: $enable_libcapng" + echo + echo "---{ input plugins }---" + if test "$unamestr" != "AIX"; then +diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c +--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2022-11-21 11:40:31.926214720 +0100 ++++ rsyslog-8.2102.0/runtime/rsconf.c 2022-11-21 11:44:26.742356979 +0100 +@@ -33,6 +33,9 @@ + #include + #include + #include ++#ifdef ENABLE_LIBCAPNG ++ #include ++#endif + + #include "rsyslog.h" + #include "obj.h" +@@ -546,6 +549,7 @@ rsRetVal doDropPrivGid(void) + uchar szBuf[1024]; + DEFiRet; + ++#ifndef ENABLE_LIBCAPNG + if(!ourConf->globals.gidDropPrivKeepSupplemental) { + res = setgroups(0, NULL); /* remove all supplemental group IDs */ + if(res) { +@@ -560,9 +564,19 @@ rsRetVal doDropPrivGid(void) + if(res) { + rs_strerror_r(errno, (char*)szBuf, sizeof(szBuf)); + LogError(0, RS_RET_ERR_DROP_PRIV, +- "could not set requested group id: %s", szBuf); ++ "could not set requested group id: %s via setgid()", szBuf); + ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV); + } ++#else ++ int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; ++ res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags); ++ if (res) { ++ LogError(0, RS_RET_LIBCAPNG_ERR, ++ "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv); ++ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR); ++ } ++#endif ++ + DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res); + snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d", + ourConf->globals.gidDropPriv); +@@ -599,7 +613,14 @@ static void doDropPrivUid(int iUid) + iUid, szBuf); + } + ++#ifndef ENABLE_LIBCAPNG + res = setuid(iUid); ++ // res = setuid(cnf->globals.uidDropPriv); ++#else ++ int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP; ++ res = capng_change_id(iUid, -1, capng_flags); ++#endif ++ + if(res) { + /* if we can not set the userid, this is fatal, so let's unconditionally abort */ + perror("could not set requested userid"); +diff -up rsyslog-8.2102.0/runtime/rsyslog.h.orig rsyslog-8.2102.0/runtime/rsyslog.h +--- rsyslog-8.2102.0/runtime/rsyslog.h.orig 2022-11-21 11:45:09.007382588 +0100 ++++ rsyslog-8.2102.0/runtime/rsyslog.h 2022-11-21 11:45:31.333396112 +0100 +@@ -582,6 +582,7 @@ enum rsRetVal_ /** return value. All + RS_RET_RABBITMQ_CHANNEL_ERR = -2449, /**< RabbitMQ Connection error */ + RS_RET_NO_WRKDIR_SET = -2450, /**< working directory not set, but desired by functionality */ + RS_RET_ERR_QUEUE_FN_DUP = -2451, /**< duplicate queue file name */ ++ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */ + + /* RainerScript error messages (range 1000.. 1999) */ + RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ +diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c +--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2022-11-21 11:45:17.587387786 +0100 ++++ rsyslog-8.2102.0/tools/rsyslogd.c 2022-11-21 11:46:19.509425295 +0100 +@@ -38,6 +38,10 @@ + # include + #endif + ++#ifdef ENABLE_LIBCAPNG ++ #include ++#endif ++ + #include "rsyslog.h" + #include "wti.h" + #include "ratelimit.h" +@@ -321,7 +325,7 @@ checkStartupOK(void) + fprintf(stderr, "rsyslogd: error reading pid file, cannot start up\n"); + ABORT_FINALIZE(RS_RET_ERR); + } +- ++ + /* ok, we got a pid, let's check if the process is running */ + const pid_t pid = (pid_t) pf_pid; + if(kill(pid, 0) == 0 || errno != ESRCH) { +@@ -1594,7 +1598,7 @@ initAll(int argc, char **argv) + localRet = RS_RET_OK; + } + CHKiRet(localRet); +- ++ + CHKiRet(rsyslogd_InitStdRatelimiters()); + + if(bChDirRoot) { +@@ -2019,7 +2023,7 @@ deinitAll(void) + /* close the inputs */ + DBGPRINTF("Terminating input threads...\n"); + glbl.SetGlobalInputTermination(); +- ++ + thrdTerminateAll(); + + /* and THEN send the termination log message (see long comment above) */ +@@ -2142,6 +2146,45 @@ main(int argc, char **argv) + if(log_dflt != NULL && !strcmp(log_dflt, "1")) + bProcessInternalMessages = 1; + dbgClassInit(); ++ ++#ifdef ENABLE_LIBCAPNG ++ /* ++ * Drop capabilities to the necessary set ++ */ ++ int capng_rc; ++ capng_clear(CAPNG_SELECT_BOTH); ++ ++ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, ++ CAP_BLOCK_SUSPEND, ++ CAP_CHOWN, ++ CAP_IPC_LOCK, ++ CAP_LEASE, ++ CAP_NET_ADMIN, ++ CAP_NET_BIND_SERVICE, ++ CAP_PERFMON, ++ CAP_SETGID, ++ CAP_SETUID, ++ CAP_SYS_ADMIN, ++ CAP_SYS_CHROOT, ++ CAP_SYS_RESOURCE, ++ CAP_SYSLOG, ++ -1 ++ )) != 0) { ++ LogError(0, RS_RET_LIBCAPNG_ERR, ++ "could not update the internal posix capabilities settings " ++ "based on the options passed to it, capng_updatev=%d\n", capng_rc); ++ exit(-1); ++ } ++ ++ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) { ++ LogError(0, RS_RET_LIBCAPNG_ERR, ++ "could not transfer the specified internal posix capabilities " ++ "settings to the kernel, capng_apply=%d\n", capng_rc); ++ exit(-1); ++ } ++ DBGPRINTF("Capabilities were dropped successfully\n"); ++#endif ++ + initAll(argc, argv); + #ifdef HAVE_LIBSYSTEMD + sd_notify(0, "READY=1"); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch new file mode 100644 index 0000000..8e46b35 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch @@ -0,0 +1,20 @@ +diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c +index 6c24b5a2db..78cfc3bae2 100644 +--- a/plugins/imklog/imklog.c ++++ b/plugins/imklog/imklog.c +@@ -453,6 +453,7 @@ ENDactivateCnf + + BEGINfreeCnf + CODESTARTfreeCnf ++ free(pModConf->pszBindRuleset); + ENDfreeCnf + + +@@ -475,7 +476,6 @@ CODESTARTmodExit + if(pInputName != NULL) + prop.Destruct(&pInputName); + +- free(runModConf->pszBindRuleset); + /* release objects we used */ + objRelease(glbl, CORE_COMPONENT); + objRelease(net, CORE_COMPONENT); diff --git a/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch b/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch new file mode 100644 index 0000000..e3b1453 --- /dev/null +++ b/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch @@ -0,0 +1,30 @@ +diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c +--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig 2022-05-09 12:22:59.050623119 +0200 ++++ rsyslog-8.37.0/plugins/imptcp/imptcp.c 2022-05-09 12:34:39.979854853 +0200 +@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest + if(pThis->iOctetsRemain <= 200000000) { + pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; + } +- *(pThis->pMsg + pThis->iMsg++) = c; ++ // *(pThis->pMsg + pThis->iMsg++) = c; ++ if(pThis->iMsg < iMaxLine) { ++ *(pThis->pMsg + pThis->iMsg++) = c; ++ } + } else { /* done with the octet count, so this must be the SP terminator */ + DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain); + prop.GetString(pThis->peerName, &propPeerName, &lenPeerName); +diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c +--- rsyslog-8.37.0/runtime/tcps_sess.c.orig 2022-05-09 12:23:12.789627661 +0200 ++++ rsyslog-8.37.0/runtime/tcps_sess.c 2022-05-09 12:36:51.426898549 +0200 +@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis, + if(pThis->iOctetsRemain <= 200000000) { + pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; + } +- *(pThis->pMsg + pThis->iMsg++) = c; ++ // *(pThis->pMsg + pThis->iMsg++) = c; ++ if(pThis->iMsg < iMaxLine) { ++ *(pThis->pMsg + pThis->iMsg++) = c; ++ } + } else { /* done with the octet count, so this must be the SP terminator */ + DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain); + prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName); diff --git a/SOURCES/rsyslog.conf b/SOURCES/rsyslog.conf new file mode 100644 index 0000000..b51e844 --- /dev/null +++ b/SOURCES/rsyslog.conf @@ -0,0 +1,79 @@ +# rsyslog configuration file + +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html +# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html + +#### GLOBAL DIRECTIVES #### + +# Where to place auxiliary files +global(workDirectory="/var/lib/rsyslog") + +# Use default timestamp format +module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") + +# Include all config files in /etc/rsyslog.d/ +include(file="/etc/rsyslog.d/*.conf" mode="optional") + +#### MODULES #### + +module(load="imuxsock" # provides support for local system logging (e.g. via logger command) + SysSock.Use="off") # Turn off message reception via local log socket; + # local messages are retrieved through imjournal now. +module(load="imjournal" # provides access to the systemd journal + StateFile="imjournal.state") # File to store the position in the journal +#module(load="imklog") # reads kernel messages (the same are read from journald) +#module(load="immark") # provides --MARK-- message capability + +# Provides UDP syslog reception +# for parameters see http://www.rsyslog.com/doc/imudp.html +#module(load="imudp") # needs to be done just once +#input(type="imudp" port="514") + +# Provides TCP syslog reception +# for parameters see http://www.rsyslog.com/doc/imtcp.html +#module(load="imtcp") # needs to be done just once +#input(type="imtcp" port="514") + +#### RULES #### + +# Log all kernel messages to the console. +# Logging much else clutters up the screen. +#kern.* /dev/console + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! +*.info;mail.none;authpriv.none;cron.none /var/log/messages + +# The authpriv file has restricted access. +authpriv.* /var/log/secure + +# Log all the mail messages in one place. +mail.* -/var/log/maillog + + +# Log cron stuff +cron.* /var/log/cron + +# Everybody gets emergency messages +*.emerg :omusrmsg:* + +# Save news errors of level crit and higher in a special file. +uucp,news.crit /var/log/spooler + +# Save boot messages also to boot.log +local7.* /var/log/boot.log + + +# ### sample forwarding rule ### +#action(type="omfwd" +# # An on-disk queue is created for this action. If the remote host is +# # down, messages are spooled to disk and sent when it is up again. +#queue.filename="fwdRule1" # unique name prefix for spool files +#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible) +#queue.saveonshutdown="on" # save messages to disk on shutdown +#queue.type="LinkedList" # run asynchronously +#action.resumeRetryCount="-1" # infinite retries if host is down +# # Remote Logging (we use TCP for reliable delivery) +# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514 +#Target="remote_host" Port="XXX" Protocol="tcp") diff --git a/SOURCES/rsyslog.log b/SOURCES/rsyslog.log new file mode 100644 index 0000000..db85401 --- /dev/null +++ b/SOURCES/rsyslog.log @@ -0,0 +1,12 @@ +/var/log/cron +/var/log/maillog +/var/log/messages +/var/log/secure +/var/log/spooler +{ + missingok + sharedscripts + postrotate + /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true + endscript +} diff --git a/SOURCES/rsyslog.service b/SOURCES/rsyslog.service new file mode 100644 index 0000000..9c13b1d --- /dev/null +++ b/SOURCES/rsyslog.service @@ -0,0 +1,22 @@ +[Unit] +Description=System Logging Service +;Requires=syslog.socket +Documentation=man:rsyslogd(8) +Documentation=https://www.rsyslog.com/doc/ + +[Service] +Type=notify +EnvironmentFile=-/etc/sysconfig/rsyslog +ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS +ExecReload=/usr/bin/kill -HUP $MAINPID +UMask=0066 +StandardOutput=null +Restart=on-failure + +# Increase the default a bit in order to allow many simultaneous +# files to be monitored, we might need a lot of fds. +LimitNOFILE=16384 + +[Install] +WantedBy=multi-user.target +;Alias=syslog.service diff --git a/SOURCES/rsyslog.sysconfig b/SOURCES/rsyslog.sysconfig new file mode 100644 index 0000000..bc65731 --- /dev/null +++ b/SOURCES/rsyslog.sysconfig @@ -0,0 +1,5 @@ +# Options for rsyslogd +# Syslogd options are deprecated since rsyslog v3. +# If you want to use them, switch to compatibility mode 2 by "-c 2" +# See rsyslogd(8) for more details +SYSLOGD_OPTIONS="" diff --git a/SPECS/rsyslog.spec b/SPECS/rsyslog.spec new file mode 100644 index 0000000..b93d816 --- /dev/null +++ b/SPECS/rsyslog.spec @@ -0,0 +1,1534 @@ +%define rsyslog_statedir %{_sharedstatedir}/rsyslog +%define rsyslog_pkidir %{_sysconfdir}/pki/rsyslog +%define rsyslog_docdir %{_docdir}/rsyslog + +Summary: Enhanced system logging and kernel message trapping daemon +Name: rsyslog +Version: 8.2102.0 +Release: 111%{?dist} +License: (GPLv3+ and ASL 2.0) +URL: http://www.rsyslog.com/ +Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz +Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.tar.gz +Source2: rsyslog.conf +Source3: rsyslog.sysconfig +Source4: rsyslog.log +Source5: rsyslog.service +# Add qpid-proton as another source, enable omamqp1 module in a +# separatae sub-package with it statically linked(see rhbz#1713427) +Source6: qpid-proton-0.34.0.tar.gz + +Patch0: rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch +Patch1: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch +Patch2: rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch +Patch3: rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch +Patch4: rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch +Patch5: rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch +Patch6: rsyslog-8.2102.0-rhbz1938863-covscan.patch +Patch7: rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch +Patch8: rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch +Patch9: openssl3-compatibility.patch +Patch10: rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch +Patch11: rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch +Patch12: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch +Patch13: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch +Patch14: rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch +Patch15: rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch +Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch +Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch +Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch + +BuildRequires: make +BuildRequires: gcc +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison +BuildRequires: dos2unix +BuildRequires: flex +BuildRequires: libgcrypt-devel +BuildRequires: libfastjson-devel >= 0.99.8 +BuildRequires: libestr-devel >= 0.1.9 +BuildRequires: libtool +BuildRequires: libuuid-devel +BuildRequires: pkgconfig +BuildRequires: python3-docutils +# make sure systemd is in a version that isn't affected by rhbz#974132 +BuildRequires: systemd-devel >= 204-8 +BuildRequires: zlib-devel +BuildRequires: libcap-ng-devel + +Recommends: %{name}-logrotate = %version-%release +Requires: bash >= 2.0 +%{?systemd_ordering} + +Provides: syslog +Obsoletes: sysklogd < 1.5-11 + +%package logrotate +Summary: Log rotation for rsyslog +Requires: %name = %version-%release +Requires: logrotate >= 3.5.2 + +%package crypto +Summary: Encryption support +Requires: %name = %version-%release + +%package doc +Summary: HTML documentation for rsyslog +BuildArch: noarch + +%package elasticsearch +Summary: ElasticSearch output module for rsyslog +Requires: %name = %version-%release +BuildRequires: libcurl-devel + +%package mmfields +Summary: Fields extraction module +Requires: %name = %version-%release + +%package mmjsonparse +Summary: JSON enhanced logging support +Requires: %name = %version-%release + +%package mmnormalize +Summary: Log normalization support for rsyslog +Requires: %name = %version-%release +BuildRequires: libestr-devel liblognorm-devel >= 1.0.2 + +%package mmaudit +Summary: Message modification module supporting Linux audit format +Requires: %name = %version-%release + +%package mmsnmptrapd +Summary: Message modification module for snmptrapd generated messages +Requires: %name = %version-%release + +%package mysql +Summary: MySQL support for rsyslog +Requires: %name = %version-%release +BuildRequires: mariadb-connector-c-devel + +%package pgsql +Summary: PostgresSQL support for rsyslog +Requires: %name = %version-%release +BuildRequires: libpq-devel + +%package gssapi +Summary: GSSAPI authentication and encryption support for rsyslog +Requires: %name = %version-%release +BuildRequires: krb5-devel + +%package relp +Summary: RELP protocol support for rsyslog +Requires: %name = %version-%release +Requires: librelp >= 1.9.0 +BuildRequires: librelp-devel >= 1.9.0 + +%package gnutls +Summary: TLS protocol support for rsyslog via GnuTLS library +Requires: %name = %version-%release +BuildRequires: gnutls-devel + +%package openssl +Summary: TLS protocol support for rsyslog via OpenSSL library +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: openssl-devel + +%package snmp +Summary: SNMP protocol support for rsyslog +Requires: %name = %version-%release +BuildRequires: net-snmp-devel + +%package udpspoof +Summary: Provides the omudpspoof module +Requires: %name = %version-%release +BuildRequires: libnet-devel + +%package omamqp1 +Summary: Provides the omamqp1 module +Requires: %name = %version-%release +Requires: cyrus-sasl-lib +Requires: openssl-libs +BuildRequires: cmake +BuildRequires: make +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: cyrus-sasl-devel +BuildRequires: openssl-devel +BuildRequires: python3 + +%package kafka +Summary: Provides the omkafka module +Requires: %name = %version-%release +BuildRequires: librdkafka-devel + +%package mmkubernetes +Summary: Provides the mmkubernetes module +Requires: %name = %version-%release +BuildRequires: libcurl-devel + +%description +Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL, +syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, +and fine grain output format control. It is compatible with stock sysklogd +and can be used as a drop-in replacement. Rsyslog is simple to set up, with +advanced features suitable for enterprise-class, encryption-protected syslog +relay chains. + +%description logrotate +This subpackage contains the default logrotate configuration for rsyslog. + +%description crypto +This package contains a module providing log file encryption and a +command line tool to process encrypted logs. + +%description doc +This subpackage contains documentation for rsyslog. + +%description elasticsearch +This module provides the capability for rsyslog to feed logs directly into +Elasticsearch. + +%description mmjsonparse +This module provides the capability to recognize and parse JSON enhanced +syslog messages. + +%description mmnormalize +This module provides the capability to normalize log messages via liblognorm. + +%description mmaudit +This module provides message modification supporting Linux audit format +in various settings. + +%description mmsnmptrapd +This message modification module takes messages generated from snmptrapd and +modifies them so that they look like they originated from the read originator. + +%description mmfields +The mmfield module permits to extract fields. Using this module is of special +advantage if a field-based log format is to be processed, like for example CEF +and either a large number of fields is needed or a specific field is used multiple +times inside filters. + +%description mysql +The rsyslog-mysql package contains a dynamic shared object that will add +MySQL database support to rsyslog. + +%description pgsql +The rsyslog-pgsql package contains a dynamic shared object that will add +PostgreSQL database support to rsyslog. + +%description gssapi +The rsyslog-gssapi package contains the rsyslog plugins which support GSSAPI +authentication and secure connections. GSSAPI is commonly used for Kerberos +authentication. + +%description relp +The rsyslog-relp package contains the rsyslog plugins that provide +the ability to receive syslog messages via the reliable RELP +protocol. + +%description gnutls +The rsyslog-gnutls package contains the rsyslog plugins that provide the +ability to send and receive syslog messages via upcoming syslog-transport-tls +IETF standard protocol. + +%description openssl +The rsyslog-openssl package contains the rsyslog plugins that provide the +ability to send and receive syslog messages via TCP or RELP using TLS +encryption via OpenSSL library. For details refer to rsyslog doc on imtcp +and omfwd modules. + +%description snmp +The rsyslog-snmp package contains the rsyslog plugin that provides the +ability to send syslog messages as SNMPv1 and SNMPv2c traps. + +%description udpspoof +This module is similar to the regular UDP forwarder, but permits to +spoof the sender address. Also, it enables to circle through a number +of source ports. + +%description omamqp1 +The omamqp1 output module can be used to send log messages via an AMQP +1.0-compatible messaging bus. + +%description kafka +The rsyslog-kafka package provides module for Apache Kafka output. + +%description mmkubernetes +The rsyslog-mmkubernetes package provides module for adding kubernetes +container metadata. + +%prep +# set up rsyslog-doc sources +%setup -q -a 1 -T -c +%patch0 -p1 + +rm -r LICENSE README.md source build/objects.inv +mv build doc +# set up rsyslog sources +%setup -q -D +# Unpack qpid-proton for rhel +%setup -q -D -T -b 6 + +%patch1 -p1 -b .default-tag +%patch2 -p1 -b .fd-leak-on-fsync +%patch3 -p1 -b .timeout +%patch4 -p1 -b .imuxsock-rate-limit +%patch5 -p1 -b .abort-on-id-resolution-fail +%patch6 -p1 -b .covscan +%patch7 -p1 -b .prioritize-SAN +%patch8 -p1 -b .errfile-maxsize +%patch10 -p1 -b .statefile-fix +%patch11 -p1 +%patch12 -p1 -b .gnutls-broken-connection +%patch13 -p1 -b .CVE +%patch14 -p1 -b .extra-ca-files +%patch15 -p1 -b .extra-ca-files-doc +%patch16 -p1 -b .libcap-ng +%patch17 -p1 -b .imklog-leak +%patch18 -p1 -b .capabilities-drop-credential + +pushd .. +%patch9 -p1 -b .openssl-compatibility +popd + +%build +# Add additional flags as per https://one.redhat.com/rhel-developer-guide/#_what_are_the_required_flags +%ifarch aarch64 +export CFLAGS="$RPM_OPT_FLAGS -mbranch-protection=standard" +%else +export CFLAGS="$RPM_OPT_FLAGS -fcf-protection=full" +%endif + +%ifarch sparc64 +#sparc64 need big PIC +export CFLAGS="$RPM_OPT_FLAGS -fPIC" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpic" +%endif +# build the proton first +( + cd %{_builddir}/qpid-proton-0.34.0 + mkdir bld + cd bld + + # Need ENABLE_FUZZ_TESTING=NO to avoid a link failure + # Find python include dir and python library from + # https://stackoverflow.com/questions/24174394/cmake-is-not-able-to-find-python-libraries + cmake .. \ + -DBUILD_BINDINGS="" \ + -DBUILD_STATIC_LIBS=YES \ + -DENABLE_FUZZ_TESTING=NO \ + -DPYTHON_INCLUDE_DIR=$(python3 -c "from distutils.sysconfig import get_python_inc; print(get_python_inc())") \ + -DPYTHON_LIBRARY=$(python3 -c "import distutils.sysconfig as sysconfig; print(sysconfig.get_config_var('LIBDIR'))") \ + -DCMAKE_AR="/usr/bin/gcc-ar" -DCMAKE_NM="/usr/bin/gcc-nm" -DCMAKE_RANLIB="/usr/bin/gcc-ranlib" + make -j8 +) + +%ifarch sparc64 +#sparc64 need big PIE +export CFLAGS="$RPM_OPT_FLAGS -fPIE" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpie" +%endif +export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" + +# the hiredis-devel package doesn't provide a pkg-config file +sed -i 's/%{version}/%{version}-%{release}/g' configure.ac +autoreconf -if +%configure \ + --prefix=/usr \ + --disable-static \ + --disable-testbench \ + --enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.34.0/bld/c/include" \ + --enable-elasticsearch \ + --enable-generate-man-pages \ + --enable-gnutls \ + --enable-openssl \ + --enable-gssapi-krb5 \ + --enable-imfile \ + --enable-imjournal \ + --enable-imkafka \ + --enable-impstats \ + --enable-imptcp \ + --enable-libcap-ng \ + --enable-mail \ + --enable-mmanon \ + --enable-mmaudit \ + --enable-mmcount \ + --enable-mmkubernetes \ + --enable-mmjsonparse \ + --enable-mmnormalize \ + --enable-mmfields \ + --enable-mmsnmptrapd \ + --enable-mmutf8fix \ + --enable-mysql \ + --enable-omhttp \ + --enable-omjournal \ + --enable-omprog \ + --enable-omstdout \ + --enable-omudpspoof \ + --enable-omuxsock \ + --enable-pgsql \ + --enable-pmaixforwardedfrom \ + --enable-pmcisconames \ + --enable-pmlastmsg \ + --enable-pmsnare \ + --enable-relp \ + --enable-snmp \ + --enable-unlimited-select \ + --enable-usertools \ + --enable-omkafka + +make V=1 + +%check +make V=1 check + +%install +make V=1 DESTDIR=%{buildroot} install + +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d +install -d -m 755 %{buildroot}%{_unitdir} +install -d -m 755 %{buildroot}%{_sysconfdir}/rsyslog.d +install -d -m 700 %{buildroot}%{rsyslog_statedir} +install -d -m 700 %{buildroot}%{rsyslog_pkidir} +install -d -m 755 %{buildroot}%{rsyslog_docdir}/html + +install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog +install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/rsyslog +install -p -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/rsyslog.service +install -p -m 644 plugins/ommysql/createDB.sql %{buildroot}%{rsyslog_docdir}/mysql-createDB.sql +install -p -m 644 plugins/ompgsql/createDB.sql %{buildroot}%{rsyslog_docdir}/pgsql-createDB.sql +dos2unix tools/recover_qi.pl +install -p -m 644 tools/recover_qi.pl %{buildroot}%{rsyslog_docdir}/recover_qi.pl +install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir} +# extract documentation +cp -r doc/* %{buildroot}%{rsyslog_docdir}/html +# get rid of libtool libraries +rm -f %{buildroot}%{_libdir}/rsyslog/*.la +# imdiag and liboverride is only used for testing +rm -f %{buildroot}%{_libdir}/rsyslog/imdiag.so +rm -f %{buildroot}%{_libdir}/rsyslog/liboverride_gethostname.so + +%post +for n in /var/log/{messages,secure,maillog,spooler} +do + [ -f $n ] && continue + umask 066 && touch $n +done +%systemd_post rsyslog.service + +%preun +%systemd_preun rsyslog.service + +%postun +%systemd_postun_with_restart rsyslog.service + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING* +%doc AUTHORS ChangeLog README.md +%{rsyslog_docdir} +%exclude %{rsyslog_docdir}/html +%exclude %{rsyslog_docdir}/mysql-createDB.sql +%exclude %{rsyslog_docdir}/pgsql-createDB.sql +%dir %{_libdir}/rsyslog +%dir %{_sysconfdir}/rsyslog.d +%dir %{rsyslog_statedir} +%dir %{rsyslog_pkidir} +%{_sbindir}/rsyslogd +%{_mandir}/man5/rsyslog.conf.5.gz +%{_mandir}/man8/rsyslogd.8.gz +%{_unitdir}/rsyslog.service +%config(noreplace) %{_sysconfdir}/rsyslog.conf +%config(noreplace) %{_sysconfdir}/sysconfig/rsyslog +# plugins +%{_libdir}/rsyslog/fmhash.so +%{_libdir}/rsyslog/fmhttp.so +%{_libdir}/rsyslog/imfile.so +%{_libdir}/rsyslog/imjournal.so +%{_libdir}/rsyslog/imklog.so +%{_libdir}/rsyslog/immark.so +%{_libdir}/rsyslog/impstats.so +%{_libdir}/rsyslog/imptcp.so +%{_libdir}/rsyslog/imtcp.so +%{_libdir}/rsyslog/imudp.so +%{_libdir}/rsyslog/imuxsock.so +%{_libdir}/rsyslog/lmnet.so +%{_libdir}/rsyslog/lmnetstrms.so +%{_libdir}/rsyslog/lmnsd_ptcp.so +%{_libdir}/rsyslog/lmregexp.so +%{_libdir}/rsyslog/lmtcpclt.so +%{_libdir}/rsyslog/lmtcpsrv.so +%{_libdir}/rsyslog/lmzlibw.so +%{_libdir}/rsyslog/mmanon.so +%{_libdir}/rsyslog/mmcount.so +%{_libdir}/rsyslog/mmexternal.so +%{_libdir}/rsyslog/mmutf8fix.so +%{_libdir}/rsyslog/omhttp.so +%{_libdir}/rsyslog/omjournal.so +%{_libdir}/rsyslog/ommail.so +%{_libdir}/rsyslog/omprog.so +%{_libdir}/rsyslog/omstdout.so +%{_libdir}/rsyslog/omtesting.so +%{_libdir}/rsyslog/omuxsock.so +%{_libdir}/rsyslog/pmaixforwardedfrom.so +%{_libdir}/rsyslog/pmcisconames.so +%{_libdir}/rsyslog/pmlastmsg.so +%{_libdir}/rsyslog/pmsnare.so + +%files logrotate +%config(noreplace) %{_sysconfdir}/logrotate.d/rsyslog + +%files crypto +%{_bindir}/rscryutil +%{_mandir}/man1/rscryutil.1.gz +%{_libdir}/rsyslog/lmcry_gcry.so + +%files doc +%doc %{rsyslog_docdir}/html + +%files elasticsearch +%{_libdir}/rsyslog/omelasticsearch.so + +%files mmaudit +%{_libdir}/rsyslog/mmaudit.so + +%files mmjsonparse +%{_libdir}/rsyslog/mmjsonparse.so + +%files mmnormalize +%{_libdir}/rsyslog/mmnormalize.so + +%files mmfields +%{_libdir}/rsyslog/mmfields.so + +%files mmsnmptrapd +%{_libdir}/rsyslog/mmsnmptrapd.so + +%files mysql +%doc %{rsyslog_docdir}/mysql-createDB.sql +%{_libdir}/rsyslog/ommysql.so + +%files pgsql +%doc %{rsyslog_docdir}/pgsql-createDB.sql +%{_libdir}/rsyslog/ompgsql.so + +%files gssapi +%{_libdir}/rsyslog/lmgssutil.so +%{_libdir}/rsyslog/imgssapi.so +%{_libdir}/rsyslog/omgssapi.so + +%files relp +%{_libdir}/rsyslog/imrelp.so +%{_libdir}/rsyslog/omrelp.so + +%files gnutls +%{_libdir}/rsyslog/lmnsd_gtls.so + +%files openssl +%{_libdir}/rsyslog/lmnsd_ossl.so + +%files snmp +%{_libdir}/rsyslog/omsnmp.so + +%files udpspoof +%{_libdir}/rsyslog/omudpspoof.so + +%files omamqp1 +%{_libdir}/rsyslog/omamqp1.so + +%files kafka +%{_libdir}/rsyslog/imkafka.so +%{_libdir}/rsyslog/omkafka.so + +%files mmkubernetes +%{_libdir}/rsyslog/mmkubernetes.so +%doc %{rsyslog_docdir}/k8s_filename.rulebase +%doc %{rsyslog_docdir}/k8s_container_name.rulebase + + +%changelog +* Fri Apr 14 2023 MSVSphere Packaging Team - 8.2102.0-111 +- Rebuilt for MSVSphere 9.2 beta + +* Wed Feb 22 2023 Attila Lakatos - 8.2102.0-111 +- Rebuild + resolves: rhbz#2169748 + resolves: rhbz#2158659 + +* Fri Feb 17 2023 Attila Lakatos -8.2102.0-110 +- Do not preserve capabilities when changing credentials + resolves: rhbz#2169748 +- Remove unnecessary capability CAP_PERFMON +- Add CAP_DAC_OVERRIDE to bypass file read and write permission checks + resolves: rhbz#2158659 + +* Mon Jan 09 2023 Attila Lakatos - 8.2102.0-109 +- Make rsyslog-relp require librelp>= 1.9.0 + resolves: rhbz#2124440 +- Reorder logrotate parameters to work with POSIXLY_CORRECT env var + resolves: rhbz#2124488 + +* Fri Jan 06 2023 Attila Lakatos - 8.2102.0-108 +- Fix invalid memory adressing in imklog that could case abort + resolves: rhbz#2157659 + +* Mon Nov 21 2022 Attila Lakatos - 8.2102.0-107 +- Drop capabilities to only the neccessary set with libcap-ng + resolves: rhbz#2127404 + +* Tue Sep 06 2022 Sergio Arroutbi - 8.2102.0-106 +- Enable multiple SSL CA files + resolves: rhbz#2124849 + +* Mon May 09 2022 Attila Lakatos - 8.2102.0-105 +- Address CVE-2022-24903, Heap-based overflow in TCP syslog server + resolves: rhbz#2081403 + +* Tue Apr 19 2022 Attila Lakatos - 8.2102.0-104 +- Do not save patched doc files + resolves: rhbz#2069664 + +* Tue Apr 05 2022 Attila Lakatos - 8.2102.0-103 +- Add deleteStateOnFileMove imfile module option + resolves: rhbz#2069664 +- Add inotify_rm_watch() inotify API call when object needs to be destroyed + resolves: rhbz#2070528 +- Fix error handling in gtlsRecordRecv, which can cause full CPU usage + +* Fri Mar 11 2022 Sergio Arroutbi - 8.2102.0-102 +- Add action.errorfile.maxsize parameter + resolves: rhbz#2064318 + +* Wed Jan 19 2022 Sergio Arroutbi - 8.2102.0-101 +- Prioritize SAN + resolves: rhbz#2021076 + +* Mon Jan 17 2022 Sergio Arroutbi - 8.2102.0-100 +- Enable mmfields module + resolves: rhbz#2027971 + +* Tue Oct 26 2021 Davide Cavalca - 8.2102.0-10 +- Split out logrotate config and dependency into a subpackage + resolves: rhbz#1992155 + +* Fri Aug 27 2021 Attila Lakatos - 8.2102.0-9 +- Add required flags for branch protection +- Add missing tests folder +- Resolve issues detected by covscan + resolves: rhbz#1938863 + +* Mon Aug 23 2021 Attila Lakatos - 8.2102.0-8 +- Resolve issues detected by covscan + resolves: rhbz#1938863 + +* Wed Aug 18 2021 Attila Lakatos - 8.2102.0-7 +- Enable openssl + resolves: rhbz#1972058 +- Close dir when fsync=on + resolves: rhbz#1972069 +- Do not exit when user/group can not be found + resolves: rhbz#1990868 +- Remove abortOnIDResolution fail +- Always use message severity when comparing with ratelimit severity + resolves: rhbz#1990869 + +* Tue Aug 10 2021 Mohan Boddu - 8.2102.0-6 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 8.2102.0-5 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Mon May 31 2021 Attila Lakatos - 8.2102.0-4 +- Spec file clean up +- Port to OpenSSL 3.0 + resolves: rhbz#1964823 + +* Fri Apr 16 2021 Mohan Boddu - 8.2102.0-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Mar 17 2021 Attila Lakatos - 8.2102.0-2 +- Remove rsyslog-recover-qi.pl from bindir, so it does not add dep on /usr/bin/perl + resolves: rhbz#1939556 + +* Wed Mar 03 2021 Attila Lakatos - 8.2102.0-1 +- rebase to upstream version 8.2102.0 + resolves: rhbz#1905363 +- enable additional plugins: imkafka, mmutf8fix + +* Mon Feb 08 2021 Pavel Raiskup - 8.2010.0-3 +- rebuild for libpq ABI fix rhbz#1908268 + +* Wed Jan 27 2021 Fedora Release Engineering - 8.2010.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Nov 25 2020 Attila Lakatos - 8.2010.0-1 +- rebase to upstream version 8.2010.0 + resolves: rhbz#1890330 + +* Fri Sep 18 2020 Attila Lakatos - 8.2008.0-2 +- rebuild package + +* Thu Sep 17 2020 Attila Lakatos - 8.2008.0-1 +- rebase to upstream version 8.2008.0 + resolves: rhbz#1829092 + resolves: rhbz#1823862 + resolves: rhbz#1876773 +- add service file back(upstream does not ship it anymore) + +* Thu Aug 27 2020 Josef Řídký - 8.2002.0-5 +- Rebuilt for new net-snmp release + +* Thu Aug 20 2020 Attila Lakatos - 8.2002.0-4 +- enable configuration reload in the service + resolves: rhbz#1868636 + +* Sat Aug 01 2020 Fedora Release Engineering - 8.2002.0-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 8.2002.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Mar 27 2020 Jiri Vymazal - 8.2002.0-1 +- rebase to upstream version 8.2002.0 + resolves: rhbz#1807097 + +* Mon Feb 03 2020 Jiri Vymazal - 8.2001.0-1 +- rebase to upstream version 8.2001.0 + resolves: rhbz#1790731 + +* Thu Jan 30 2020 Fedora Release Engineering - 8.1911.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Nov 14 2019 Jiri Vymazal - 8.1911.0-1 +- rebase to upstream version 8.1911.0 + resolves: rhbz#1771468 + +* Thu Oct 17 2019 Jiri Vymazal - 8.1910.0-1 +- rebase to upstream version 8.1910.0 + resolves: rhbz#1743537 + +* Fri Jul 26 2019 Fedora Release Engineering - 8.1907.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jul 10 2019 Jiri Vymazal - 8.1907.0-1 +- rebase to upstream version 8.1905.0 + resolves: rhbz#1716391 + +* Mon May 13 2019 Jiri Vymazal - 8.1904.0-1 +- rebase to upstream version 8.1904.0 + resolves: rhbz#1668473 + +* Sat Feb 02 2019 Fedora Release Engineering - 8.39.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 23 2019 Bogdan Dobrelya - 8.39.0-2 +- Use systemd_ordering macro + +* Wed Dec 05 2018 Jiri Vymazal - 8.39.0-1 +- rebase to upstream version 8.39.0 + resolves: rhbz#1649081 + resolves: rhbz#1615014 + +* Wed Oct 10 2018 Jiri Vymazal - 8.38.0-1 +- rebase to upstream version 8.38.0 + resolves: rhbz#1632432 + resolves: rhbz#1627944 + +* Fri Aug 10 2018 Jiri Vymazal - 8.37.0-1 +- added mmkubernetes rulebases as doc files + resolves: rhbz#1614440 + +* Wed Aug 08 2018 Jiri Vymazal - 8.37.0-1 +- rebase to upstream version 8.37.0 + resolves: rhbz#1612079 + resolves: rhbz#1598217 + resolves: rhbz#1544139 +- dropped needless libee dependency +- bumped librelp dependency to actually needed version + +* Wed Jul 25 2018 Jiri Vymazal - 8.36.0-3 +- fixed a typo in commented-out part of default conf + reordered it + resolves: rhbz#1579592 + +* Tue Jul 24 2018 Jason L Tibbitts III - 8.36.0-3 +- Rebuild for unannounced net-snmp soversion bump. +- Use python3-docutils because rst2man has moved there. + +* Mon Jul 23 2018 Jiri Vymazal - 8.36.0-2 +- added gcc to buildrequires following f29 system-wide change + +* Sat Jul 14 2018 Fedora Release Engineering - 8.36.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 02 2018 Jiri Vymazal - 8.36.0-1 +- rebase to 8.36.0 + - removed stdlog dependency as upstream is going to drop it +- following upstream naming of pidfile +- removed needless conditionals + +* Fri Jun 8 2018 Remi Collet - 8.35.0-4 +- rebuild with libbson and libmongc 1.10.2 (soname back to 0) + +* Mon May 28 2018 Remi Collet - 8.35.0-3 +- rebuild with libbson and libmongc 1.10.0 + +* Thu May 17 2018 Radovan Sroka - 8.35.0-2 +- rebase to 8.35.0 + +* Thu Apr 05 2018 Jiri Vymazal - 8.34.0-1 +- rebase to 8.34.0 +- added mmkubernetes module +- added fmhttp module +- finished converting rsyslog config to new syntax +- dropped obsolete defattr statements from spec + +* Fri Feb 09 2018 Fedora Release Engineering - 8.32.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 11 2018 Jiri Vymazal - 8.32.0-1 +- rebase to 8.32.0 +- now requires higher version of libfastjson + +* Thu Dec 14 2017 Radovan Sroka - 8.31.0-2 +- added also cyrus-sasl-devel dependency + +* Thu Dec 14 2017 Radovan Sroka - 8.31.0-1 +- update to 8.31.0 +- removed upstreamed patches +- added dependecies mongo-c-driver-devel snappy-devel +- removed depricated dependecies libmongo-client +- mongodb plugin now uses new driver with TLS,... + +* Tue Nov 28 2017 Jiri Vymazal - 8.30.0-4 +- changed rsyslog-doc to noarch + +* Mon Nov 20 2017 Radovan Sroka - 8.30.0-4 +- rebuild due to libqpid-proton.so + +* Wed Oct 25 2017 Radovan Sroka - 8.30.0-3 +- rebuild + +* Wed Oct 25 2017 Radovan Sroka - 8.30.0-2 +- imjournal didn't work at all +- added imjournal patch for rhbz#1505853 + +* Mon Oct 23 2017 Radovan Sroka - 8.30.0-1 +- rebase to 8.30.0 +- added patch that resolves imgssapi compilation errors + +* Mon Oct 9 2017 Marek Tamaskovic - 8.29.0-4 +- mysql-devel changed for mariadb-connector-c-devel + resolves: rhbz#1493695 +- repaired changelog + +* Tue Aug 15 2017 Radovan Sroka - 8.29.0-2 +- rebuild, bumped release number + +* Tue Aug 15 2017 Marek Tamaskovic - 8.29.0-1 +- rebase to 8.29.0 + +* Thu Aug 03 2017 Fedora Release Engineering - 8.27.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 8.27.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon May 22 2017 Radovan Sroka - 8.27.0-1 +- dropped patch2 (upstreamed) +- rebase to 8.27.0 + +* Tue Apr 18 2017 Radovan Sroka - 8.26.0-1 +- rebase to 8.26.0 +- added doc patch rhbz#1436113 +- dropped chdir patch, https://github.com/rsyslog/rsyslog/pull/1420 +- moved dependency libgcrypt to rsyslog core + +* Wed Mar 01 2017 Jiri Vymazal - 8.25.0-2 +- rebased doc subpackage to 8.25.0 as well +- dropped upstreamed doc patch + +* Tue Feb 28 2017 Jiri Vymazal - 8.25.0-1 +- rebase to 8.25.0 upstream source version + +* Mon Feb 27 2017 Jiri Vymazal - 8.24.0-7 +- forced rebuild because of libqpid-proton rebase + +* Mon Feb 20 2017 Jiri Vymazal - 8.24.0-6 +- fixed typo in chdir location + resolves: rhbz#1422542 +- updated one more directive in default config + resolves: rhbz#1419625 + +* Fri Feb 17 2017 Jiri Vymazal - 8.24.0-5 +- new default config, using RainerScript wherever possible + resolves: rhbz#1419625 +- updated testbench guard as testbench now needs explicit configuration + see: rhbz#1211194 +- added patch to make chdir call after chroot + resolves: rhbz#1422542 + +* Sat Feb 11 2017 Fedora Release Engineering - 8.24.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 03 2017 Jiri Vymazal - 8.24.0-3 +- new kafka sub-package, adding omkafka module + see: rhbz#1418720 + +* Mon Jan 16 2017 Jiri Vymazal - 8.24.0-2 +- reverted symlink to syslog.service - not needed + see: rhbz#1343132 + +* Fri Jan 13 2017 Jiri Vymazal - 8.24.0-1 +- rsyslog rebase to 8.24 +- changed name of created file in logrotate.d to non-generic one + resolves: rhbz1269244 +- added symlink to syslog.service + resolves: rhbz1343132 +- added documentation for recover_qi + resolves: rhbz1286707 +- changed default .conf added imuxsock, seqfault is not present anymore + https://github.com/rsyslog/rsyslog/pull/1289 + +* Tue Dec 20 2016 Radovan Sroka - 8.23.0-2 +- added forgoten patch rsyslog-8.23.0-msg_c_nonoverwrite_merge.patch + +* Tue Dec 20 2016 Radovan Sroka - 8.23.0-1 +- rebase to 8.23.0 +- change build requires from libfastjson to libfastjson-devel + +* Thu Nov 10 2016 Tomas Sykora 8.22.0-1 +- rebase to 8.22.0 + - added omamqp1 subpackage + - changed BuildRequires from json-c to libfastjson + +* Wed Oct 05 2016 Radovan Sroka 8.21.0-1 +- rebase to 8.21.0 +- dropped rsyslog-8.12.0-gnutls-detection.patch +- dropped rsyslog-8.8.0-immutable-json-props.patch + - remove from specs but nor from git + - could be useful in future + +* Thu Feb 04 2016 Fedora Release Engineering - 8.12.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Sep 25 2015 Tomas Heinrich 8.12.0-2 +- rebuild for soname bump in hiredis-0.13.2 + +* Tue Sep 1 2015 Radovan Sroka 8.12.0-1 +- rebase to 8.12.0 + - drop patches merged upstream +- resolve detection of the new GnuTLS package + - add autoconf to BuildRequires +- add --enable-generate-man-pages to configure parameters; + the rscryutil man page isn't generated without it + https://github.com/rsyslog/rsyslog/pull/469 + +* Wed Jun 24 2015 Tomas Heinrich 8.10.0-1 +- rebase to 8.10.0 +- drop patches merged upstream +- use the right macro to specify the default pidfile + resolves: rhbz#1224972 +- make logrotate tolerate missing log files + resolves: rhbz#1205889 +- set the default service umask to 0066 + resolves: rhbz#1228192 +- use systemctl for sending SIGHUP to the service + related: rhbz#1224972 +- add a patch to prevent a crash on empty messages + resolves: rhbz#1224538 +- add a patch to fix several default parameters for message queues + resolves: rhbz#1205696 +- add a patch to fix the storage size for a configuration option + +* Thu Jun 18 2015 Fedora Release Engineering - 8.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Apr 21 2015 Remi Collet 8.8.0-3 +- rebuild for new librabbitmq + +* Fri Mar 20 2015 Tomas Heinrich 8.8.0-2 +- add a patch to fix default syslog priority assigned to journal + messages which have none + +* Thu Mar 19 2015 Tomas Heinrich 8.8.0-1 +- rebase to 8.8.0 + resolves: rhbz#1069690 + - drop patches merged upstream + - version the dependency on liblognorm-devel + - enable mmcount, mmexternal modules, + remove imdiag, omruleset and pmrfc3164sd modules + resolves: rhbz#1156359 +- add dos2unix to build requirements +- make the build process more verbose +- in accordance with an upstream change, the rsyslog service is now + restarted automatically upon failure +- adjust the default configuration file for the removal of + /etc/rsyslog.d/listen.conf by the systemd package + resolves: rhbz#1116864 +- disable the imklog module by default; kernel messages are read from journald + resolves: rhbz#1083564 +- if there is no saved position in the journal, log only messages that are + received after rsyslog is started; this is a safety measure to prevent + excessive resource utilization +- use documentation from the standalone rsyslog-docs project +- move documentation from all subpackages into a single directory +- mark the recover_qi.pl script as documentation + +* Tue Oct 07 2014 Tomas Heinrich 7.4.10-5 +- fix CVE-2014-3634 + +* Mon Aug 18 2014 Fedora Release Engineering - 7.4.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Aug 04 2014 Tom Callaway - 7.4.10-3 +- fix license handling +- fix build against latest json-c + +* Sun Jun 08 2014 Fedora Release Engineering - 7.4.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun May 18 2014 Tomas Heinrich 7.4.10-1 +- rebase to 7.4.10 + - drop patches merged upstream + - add a build dependency on liblogging-stdlog + +* Thu Apr 24 2014 Tomas Mraz - 7.4.8-2 +- Rebuild for new libgcrypt + +* Mon Feb 10 2014 Tomas Heinrich 7.4.8-1 +- rebase to 7.4.8 +- drop patch4, merged upstream + rsyslog-7.4.7-bz1030044-remove-ads.patch +- add an explicit requirement on the version of libestr +- drop the "v5" string from the conf file as it's misleading +- add rsyslog-7.4.8-omjournal-warning.patch to fix + a condition for issuing a warning in omjournal +- add rsyslog-7.4.8-dont-link-libee.patch to prevent + linking the main binary with libee +- replace rsyslog-7.3.15-imuxsock-warning.patch + with rsyslog-7.4.8-imuxsock-wrn.patch +- link to libhiredis explicitly +- add a patch to prevent message loss in imjournal + rsyslog-7.4.8-bz1026804-imjournal-message-loss.patch +- move the rscryutil man page to the crypto subpackage + +* Sun Feb 09 2014 Lubomir Rintel 7.4.7-3 +- Fixed 32-bit PowerPC build + +* Mon Jan 27 2014 Tomas Heinrich 7.4.7-2 +- rebuild for libdbi-0.9.0-1 + +* Mon Jan 06 2014 Tomas Heinrich 7.4.7-1 +- rebase to 7.4.7 +- install the rsyslog-recover-qi.pl tool +- fix a typo in a package description +- add missing defattr directives +- add a patch to remove references to Google ads in the html docs + rsyslog-7.4.7-bz1030044-remove-ads.patch + Resolves: #1030044 +- add a patch to allow numeric specification of UIDs/GUIDs + rsyslog-7.4.7-numeric-uid.patch +- change the installation prefix to "/usr" + Resolves: #1032577 + +* Sun Aug 04 2013 Fedora Release Engineering - 7.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 09 2013 Tomas Heinrich 7.4.2-1 +- rebase to 7.4.2 + most importantly, this release fixes a potential vulnerability, + see http://www.lsexperts.de/advisories/lse-2013-07-03.txt + the impact should be low as only those using the omelasticsearch + plugin with a specific configuration are exposed + +* Mon Jun 17 2013 Tomas Heinrich 7.4.1-1 +- rebase to 7.4.1 + this release adds code that somewhat mitigates damage in cases + where large amounts of messages are received from systemd + journal (see rhbz#974132) +- regenerate patch 0 +- drop patches merged upstream: 4..8 +- add a dependency on the version of systemd which resolves the bug + mentioned above +- update option name in rsyslog.conf + +* Wed Jun 12 2013 Tomas Heinrich 7.4.0-1 +- rebase to 7.4.0 +- drop autoconf automake libtool from BuildRequires +- depends on systemd >= 201 because of the sd_journal_get_events() api +- add a patch to prevent a segfault in imjournal caused by a bug in + systemd journal +- add a patch to prevent an endless loop in the ratelimiter +- add a patch to prevent another endless loop in the ratelimiter +- add a patch to prevent a segfault in imjournal for undefined state file +- add a patch to correctly reset state in the ratelimiter + +* Tue Jun 04 2013 Tomas Heinrich 7.3.15-1.20130604git6e72fa6 +- rebase to an upstream snapshot, effectively version 7.3.15 + plus several more changes +- drop patches 3, 4 - merged upstream +- add a patch to silence warnings emitted by the imuxsock module +- drop the imkmsg plugin +- enable compilation of additional modules + imjournal, mmanon, omjournal, omrabbitmq +- new subpackages: crypto, rabbitmq +- add python-docutils and autoconf to global BuildRequires +- drop the option for backwards compatibility from the + sysconfig file - it is no longer supported +- call autoreconf to prepare the snapshot for building +- switch the local message source from imuxsock to imjournal + the imuxsock module is left enabled so it is easy to swich back to + it and because systemd drops a file into /etc/rsyslog.d which only + imuxsock can parse + +* Wed Apr 10 2013 Tomas Heinrich 7.3.10-1 +- rebase to 7.3.10 +- add a patch to resolve #950088 - ratelimiter segfault, merged upstream + rsyslog-7.3.10-ratelimit-segv.patch +- add a patch to correct a default value, merged upstream + rsyslog-7.3.10-correct-def-val.patch +- drop patch 5 - fixed upstream + +* Thu Apr 04 2013 Tomas Heinrich 7.3.9-1 +- rebase to 7.3.9 + +* Thu Feb 14 2013 Fedora Release Engineering - 7.2.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Jan 21 2013 Tomas Heinrich 7.2.5-2 +- update a line in rsyslog.conf for the new syntax + +* Sun Jan 13 2013 Tomas Heinrich 7.2.5-1 +- upgrade to upstream version 7.2.5 +- update the compatibility mode in sysconfig file + +* Mon Dec 17 2012 Tomas Heinrich 7.2.4-2 +- add a condition to disable several subpackages + +* Mon Dec 10 2012 Tomas Heinrich 7.2.4-1 +- upgrade to upstream version 7.2.4 +- remove trailing whitespace + +* Tue Nov 20 2012 Tomas Heinrich 7.2.2-1 +- upgrade to upstream version 7.2.2 + update BuildRequires +- remove patches merged upstream + rsyslog-5.8.7-sysklogd-compat-1-template.patch + rsyslog-5.8.7-sysklogd-compat-2-option.patch + rsyslog-5.8.11-close-fd1-when-forking.patch +- add patch from Milan Bartos + rsyslog-7.2.1-msg_c_nonoverwrite_merge.patch +- remove the rsyslog-sysvinit package +- clean up BuildRequires, Requires +- remove the 'BuildRoot' tag +- split off a doc package +- compile additional modules (some of them in separate packages): + elasticsearch + hiredis + mmjsonparse + mmnormalize + mmaudit + mmsnmptrapd + mongodb +- correct impossible timestamps in older changelog entries +- correct typos, trailing spaces, etc +- s/RPM_BUILD_ROOT/{buildroot}/ +- remove the 'clean' section +- replace post* scriptlets with systemd macros + +* Sat Jul 21 2012 Fedora Release Engineering - 5.8.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 20 2012 Tomas Heinrich 5.8.11-2 +- update systemd patch: remove the 'ExecStartPre' option + +* Wed May 23 2012 Tomas Heinrich 5.8.11-1 +- upgrade to new upstream stable version 5.8.11 +- add impstats and imptcp modules +- include new license text files +- consider lock file in 'status' action +- add patch to update information on debugging in the man page +- add patch to prevent debug output to stdout after forking +- add patch to support ssl certificates with domain names longer than 128 chars + +* Fri Mar 30 2012 Jon Ciesla 5.8.7-2 +- libnet rebuild. + +* Mon Jan 23 2012 Tomas Heinrich 5.8.7-1 +- upgrade to new upstream version 5.8.7 +- change license from 'GPLv3+' to '(GPLv3+ and ASL 2.0)' + http://blog.gerhards.net/2012/01/rsyslog-licensing-update.html +- use a specific version for obsoleting sysklogd +- add patches for better sysklogd compatibility (taken from upstream) + +* Sat Jan 14 2012 Fedora Release Engineering - 5.8.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Oct 25 2011 Tomas Heinrich 5.8.6-1 +- upgrade to new upstream version 5.8.6 +- obsolete sysklogd + Resolves: #748495 + +* Tue Oct 11 2011 Tomas Heinrich 5.8.5-3 +- modify logrotate configuration to omit boot.log + Resolves: #745093 + +* Tue Sep 06 2011 Tomas Heinrich 5.8.5-2 +- add systemd-units to BuildRequires for the _unitdir macro definition + +* Mon Sep 05 2011 Tomas Heinrich 5.8.5-1 +- upgrade to new upstream version (CVE-2011-3200) + +* Fri Jul 22 2011 Tomas Heinrich 5.8.2-3 +- move the SysV init script into a subpackage +- Resolves: 697533 + +* Mon Jul 11 2011 Tomas Heinrich 5.8.2-2 +- rebuild for net-snmp-5.7 (soname bump in libnetsnmp) + +* Mon Jun 27 2011 Tomas Heinrich 5.8.2-1 +- upgrade to new upstream version 5.8.2 + +* Mon Jun 13 2011 Tomas Heinrich 5.8.1-2 +- scriptlet correction +- use macro in unit file's path + +* Fri May 20 2011 Tomas Heinrich 5.8.1-1 +- upgrade to new upstream version +- correct systemd scriptlets (#705829) + +* Mon May 16 2011 Bill Nottingham - 5.7.9-3 +- combine triggers (as rpm will only execute one) - fixes upgrades (#699198) + +* Tue Apr 05 2011 Tomas Heinrich 5.7.10-1 +- upgrade to new upstream version 5.7.10 + +* Wed Mar 23 2011 Dan Horák - 5.7.9-2 +- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient) + +* Fri Mar 18 2011 Tomas Heinrich 5.7.9-1 +- upgrade to new upstream version 5.7.9 +- enable compilation of several new modules, + create new subpackages for some of them +- integrate changes from Lennart Poettering + to add support for systemd + - add rsyslog-5.7.9-systemd.patch to tweak the upstream + service file to honour configuration from /etc/sysconfig/rsyslog + +* Fri Mar 18 2011 Dennis Gilmore - 5.6.2-3 +- sparc64 needs big PIE + +* Wed Feb 09 2011 Fedora Release Engineering - 5.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 20 2010 Tomas Heinrich 5.6.2-1 +- upgrade to new upstream stable version 5.6.2 +- drop rsyslog-5.5.7-remove_include.patch; applied upstream +- provide omsnmp module +- use correct name for lock file (#659398) +- enable specification of the pid file (#579411) +- init script adjustments + +* Wed Oct 06 2010 Tomas Heinrich 5.5.7-1 +- upgrade to upstream version 5.5.7 +- update configuration and init files for the new major version +- add several directories for storing auxiliary data +- add ChangeLog to documentation +- drop unlimited-select.patch; integrated upstream +- add rsyslog-5.5.7-remove_include.patch to fix compilation + +* Tue Sep 07 2010 Tomas Heinrich 4.6.3-2 +- build rsyslog with PIE and RELRO + +* Thu Jul 15 2010 Tomas Heinrich 4.6.3-1 +- upgrade to new upstream stable version 4.6.3 + +* Wed Apr 07 2010 Tomas Heinrich 4.6.2-1 +- upgrade to new upstream stable version 4.6.2 +- correct the default value of the OMFileFlushOnTXEnd directive + +* Thu Feb 11 2010 Tomas Heinrich 4.4.2-6 +- modify rsyslog-4.4.2-unlimited-select.patch so that + running autoreconf is not needed +- remove autoconf, automake, libtool from BuildRequires +- change exec-prefix to nil + +* Wed Feb 10 2010 Tomas Heinrich 4.4.2-5 +- remove '_smp_mflags' make argument as it seems to be + producing corrupted builds + +* Mon Feb 08 2010 Tomas Heinrich 4.4.2-4 +- redefine _libdir as it doesn't use _exec_prefix + +* Thu Dec 17 2009 Tomas Heinrich 4.4.2-3 +- change exec-prefix to / + +* Wed Dec 09 2009 Robert Scheck 4.4.2-2 +- run libtoolize to avoid errors due mismatching libtool version + +* Thu Dec 03 2009 Tomas Heinrich 4.4.2-1 +- upgrade to new upstream stable version 4.4.2 +- add support for arbitrary number of open file descriptors + +* Mon Sep 14 2009 Tomas Heinrich 4.4.1-2 +- adjust init script according to guidelines (#522071) + +* Thu Sep 03 2009 Tomas Heinrich 4.4.1-1 +- upgrade to new upstream stable version + +* Fri Aug 21 2009 Tomas Mraz - 4.2.0-3 +- rebuilt with new openssl + +* Sun Jul 26 2009 Fedora Release Engineering - 4.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Jul 14 2009 Tomas Heinrich 4.2.0-1 +- upgrade + +* Mon Apr 13 2009 Tomas Heinrich 3.21.11-1 +- upgrade + +* Tue Mar 31 2009 Lubomir Rintel 3.21.10-4 +- Backport HUPisRestart option + +* Wed Mar 18 2009 Tomas Heinrich 3.21.10-3 +- fix variables' type conversion in expression-based filters (#485937) + +* Wed Feb 25 2009 Fedora Release Engineering - 3.21.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Tomas Heinrich 3.21.10-1 +- upgrade + +* Sat Jan 24 2009 Caolán McNamara 3.21.9-3 +- rebuild for dependencies + +* Wed Jan 07 2009 Tomas Heinrich 3.21.9-2 +- fix several legacy options handling +- fix internal message output (#478612) + +* Mon Dec 15 2008 Peter Vrabec 3.21.9-1 +- update is fixing $AllowedSender security issue + +* Mon Sep 15 2008 Peter Vrabec 3.21.3-4 +- use RPM_OPT_FLAGS +- use same pid file and logrotate file as syslog-ng (#441664) +- mark config files as noreplace (#428155) + +* Mon Sep 01 2008 Tomas Heinrich 3.21.3-3 +- fix a wrong module name in the rsyslog.conf manual page (#455086) +- expand the rsyslog.conf manual page (#456030) + +* Thu Aug 28 2008 Tomas Heinrich 3.21.3-2 +- fix clock rollback issue (#460230) + +* Wed Aug 20 2008 Peter Vrabec 3.21.3-1 +- upgrade to bugfix release + +* Wed Jul 23 2008 Peter Vrabec 3.21.0-1 +- upgrade + +* Mon Jul 14 2008 Peter Vrabec 3.19.9-2 +- adjust default config file + +* Fri Jul 11 2008 Lubomir Rintel 3.19.9-1 +- upgrade + +* Wed Jun 25 2008 Peter Vrabec 3.19.7-3 +- rebuild because of new gnutls + +* Fri Jun 13 2008 Peter Vrabec 3.19.7-2 +- do not translate Oopses (#450329) + +* Fri Jun 13 2008 Peter Vrabec 3.19.7-1 +- upgrade + +* Wed May 28 2008 Peter Vrabec 3.19.4-1 +- upgrade + +* Mon May 26 2008 Peter Vrabec 3.19.3-1 +- upgrade to new upstream release + +* Wed May 14 2008 Tomas Heinrich 3.16.1-1 +- upgrade + +* Tue Apr 08 2008 Peter Vrabec 3.14.1-5 +- prevent undesired error description in legacy + warning messages + +* Tue Apr 08 2008 Peter Vrabec 3.14.1-4 +- adjust symbol lookup method to 2.6 kernel + +* Tue Apr 08 2008 Peter Vrabec 3.14.1-3 +- fix segfault of expression based filters + +* Mon Apr 07 2008 Peter Vrabec 3.14.1-2 +- init script fixes (#441170,#440968) + +* Fri Apr 04 2008 Peter Vrabec 3.14.1-1 +- upgrade + +* Tue Mar 25 2008 Peter Vrabec 3.12.4-1 +- upgrade + +* Wed Mar 19 2008 Peter Vrabec 3.12.3-1 +- upgrade +- fix some significant memory leaks + +* Tue Mar 11 2008 Peter Vrabec 3.12.1-2 +- init script fixes (#436854) +- fix config file parsing (#436722) + +* Thu Mar 06 2008 Peter Vrabec 3.12.1-1 +- upgrade + +* Wed Mar 05 2008 Peter Vrabec 3.12.0-1 +- upgrade + +* Mon Feb 25 2008 Peter Vrabec 3.11.5-1 +- upgrade + +* Fri Feb 01 2008 Peter Vrabec 3.11.0-1 +- upgrade to the latests development release +- provide PostgresSQL support +- provide GSSAPI support + +* Mon Jan 21 2008 Peter Vrabec 2.0.0-7 +- change from requires sysklogd to conflicts sysklogd + +* Fri Jan 18 2008 Peter Vrabec 2.0.0-6 +- change logrotate file +- use rsyslog own pid file + +* Thu Jan 17 2008 Peter Vrabec 2.0.0-5 +- fixing bad descriptor (#428775) + +* Wed Jan 16 2008 Peter Vrabec 2.0.0-4 +- rename logrotate file + +* Wed Jan 16 2008 Peter Vrabec 2.0.0-3 +- fix post script and init file + +* Wed Jan 16 2008 Peter Vrabec 2.0.0-2 +- change pid filename and use logrotata script from sysklogd + +* Tue Jan 15 2008 Peter Vrabec 2.0.0-1 +- upgrade to stable release +- spec file clean up + +* Wed Jan 02 2008 Peter Vrabec 1.21.2-1 +- new upstream release + +* Thu Dec 06 2007 Release Engineering - 1.19.11-2 +- Rebuild for deps + +* Thu Nov 29 2007 Peter Vrabec 1.19.11-1 +- new upstream release +- add conflicts (#400671) + +* Mon Nov 19 2007 Peter Vrabec 1.19.10-1 +- new upstream release + +* Wed Oct 03 2007 Peter Vrabec 1.19.6-3 +- remove NUL character from recieved messages + +* Tue Sep 25 2007 Tomas Heinrich 1.19.6-2 +- fix message suppression (303341) + +* Tue Sep 25 2007 Tomas Heinrich 1.19.6-1 +- upstream bugfix release + +* Tue Aug 28 2007 Peter Vrabec 1.19.2-1 +- upstream bugfix release +- support for negative app selector, patch from + theinric@redhat.com + +* Fri Aug 17 2007 Peter Vrabec 1.19.0-1 +- new upstream release with MySQL support(as plugin) + +* Wed Aug 08 2007 Peter Vrabec 1.18.1-1 +- upstream bugfix release + +* Mon Aug 06 2007 Peter Vrabec 1.18.0-1 +- new upstream release + +* Thu Aug 02 2007 Peter Vrabec 1.17.6-1 +- upstream bugfix release + +* Mon Jul 30 2007 Peter Vrabec 1.17.5-1 +- upstream bugfix release +- fix typo in provides + +* Wed Jul 25 2007 Jeremy Katz - 1.17.2-4 +- rebuild for toolchain bug + +* Tue Jul 24 2007 Peter Vrabec 1.17.2-3 +- take care of sysklogd configuration files in %%post + +* Tue Jul 24 2007 Peter Vrabec 1.17.2-2 +- use EVR in provides/obsoletes sysklogd + +* Mon Jul 23 2007 Peter Vrabec 1.17.2-1 +- upstream bug fix release + +* Fri Jul 20 2007 Peter Vrabec 1.17.1-1 +- upstream bug fix release +- include html docs (#248712) +- make "-r" option compatible with sysklogd config (248982) + +* Tue Jul 17 2007 Peter Vrabec 1.17.0-1 +- feature rich upstream release + +* Thu Jul 12 2007 Peter Vrabec 1.15.1-2 +- use obsoletes and hadle old config files + +* Wed Jul 11 2007 Peter Vrabec 1.15.1-1 +- new upstream bugfix release + +* Tue Jul 10 2007 Peter Vrabec 1.15.0-1 +- new upstream release introduce capability to generate output + file names based on templates + +* Tue Jul 03 2007 Peter Vrabec 1.14.2-1 +- new upstream bugfix release + +* Mon Jul 02 2007 Peter Vrabec 1.14.1-1 +- new upstream release with IPv6 support + +* Tue Jun 26 2007 Peter Vrabec 1.13.5-3 +- add BuildRequires for zlib compression feature + +* Mon Jun 25 2007 Peter Vrabec 1.13.5-2 +- some spec file adjustments. +- fix syslog init script error codes (#245330) + +* Fri Jun 22 2007 Peter Vrabec 1.13.5-1 +- new upstream release + +* Fri Jun 22 2007 Peter Vrabec 1.13.4-2 +- some spec file adjustments. + +* Mon Jun 18 2007 Peter Vrabec 1.13.4-1 +- upgrade to new upstream release + +* Wed Jun 13 2007 Peter Vrabec 1.13.2-2 +- DB support off + +* Tue Jun 12 2007 Peter Vrabec 1.13.2-1 +- new upstream release based on redhat patch + +* Fri Jun 08 2007 Peter Vrabec 1.13.1-2 +- rsyslog package provides its own kernel log. daemon (rklogd) + +* Mon Jun 04 2007 Peter Vrabec 1.13.1-1 +- Initial rpm build