Prepare release v1.7.14

Update to go1.12.8
Make hijackConnectionTracker.Close thread safe
2019-08-14 02:06:03 -07:00 · 2019-08-14 01:52:05 -07:00 · 2019-08-12 02:34:04 -07:00
13 changed files with 76 additions and 100 deletions
--- a/.semaphoreci/golang.sh
+++ b/.semaphoreci/golang.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -e
+
+curl -O https://dl.google.com/go/go1.12.linux-amd64.tar.gz
+
+tar -xvf go1.12.linux-amd64.tar.gz
+rm -rf go1.12.linux-amd64.tar.gz
+
+sudo mkdir -p /usr/local/golang/1.12/go
+sudo mv go /usr/local/golang/1.12/
+
+sudo rm /usr/local/bin/go
+sudo chmod +x /usr/local/golang/1.12/go/bin/go
+sudo ln -s /usr/local/golang/1.12/go/bin/go /usr/local/bin/go
+
+export GOROOT="/usr/local/golang/1.12/go"
+export GOTOOLDIR="/usr/local/golang/1.12/go/pkg/tool/linux_amd64"
+
+go version
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Change Log

+## [v1.7.14](https://github.com/containous/traefik/tree/v1.7.14) (2019-08-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.13...v1.7.14)
+
+**Bug fixes:**
+- Update to go1.12.8 ([#5201](https://github.com/containous/traefik/pull/5201) by [ldez](https://github.com/ldez)). HTTP/2 Denial of Service [CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) and [CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)
+- **[server]** Make hijackConnectionTracker.Close thread safe ([#5194](https://github.com/containous/traefik/pull/5194) by [jlevesy](https://github.com/jlevesy))
+
 ## [v1.7.13](https://github.com/containous/traefik/tree/v1.7.13) (2019-08-07)
 [All Commits](https://github.com/containous/traefik/compare/v1.7.12...v1.7.13)

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -13,7 +13,7 @@ You need to run the `binary` target. This will create binaries for Linux platfor
 $ make binary
 docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
 Sending build context to Docker daemon 295.3 MB
-Step 0 : FROM golang:1.11-alpine
+Step 0 : FROM golang:1.12-alpine
 ---> 8c6473912976
 Step 1 : RUN go get github.com/golang/dep/cmd/dep
 [...]
--- a/2
+++ b/2
@@ -76,7 +76,7 @@ test-integration: build ## run the integration tests
 	TEST_HOST=1 ./script/make.sh test-integration

 validate: build  ## validate code, vendor and autogen
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-govet validate-golint validate-misspell validate-vendor validate-autogen
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-golint validate-misspell validate-vendor validate-autogen

 build: dist
 	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.11-alpine
+FROM golang:1.12-alpine

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -6,7 +6,6 @@ RUN apk --update upgrade \
    && rm -rf /var/cache/apk/*

 RUN go get golang.org/x/lint/golint \
-&& go get github.com/kisielk/errcheck \
 && go get github.com/client9/misspell/cmd/misspell

 # Which docker version to test on
--- a/exp.Dockerfile
+++ b/exp.Dockerfile
@@ -12,7 +12,7 @@ RUN yarn install
 RUN npm run build

 # BUILD
-FROM golang:1.11-alpine as gobuild
+FROM golang:1.12-alpine as gobuild

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
--- a/middlewares/retry_test.go
+++ b/middlewares/retry_test.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/http/httptrace"
+	"strconv"
 	"strings"
 	"testing"

@@ -35,7 +36,7 @@ func TestRetry(t *testing.T) {
 			desc:                  "no retry when max request attempts is one",
 			maxRequestAttempts:    1,
 			wantRetryAttempts:     0,
-			wantResponseStatus:    http.StatusInternalServerError,
+			wantResponseStatus:    http.StatusBadGateway,
 			amountFaultyEndpoints: 1,
 		},
 		{
@@ -56,7 +57,7 @@ func TestRetry(t *testing.T) {
 			desc:                  "max attempts exhausted delivers the 5xx response",
 			maxRequestAttempts:    3,
 			wantRetryAttempts:     2,
-			wantResponseStatus:    http.StatusInternalServerError,
+			wantResponseStatus:    http.StatusBadGateway,
 			amountFaultyEndpoints: 3,
 		},
 	}
@@ -82,17 +83,18 @@ func TestRetry(t *testing.T) {
 				t.Fatalf("Error creating load balancer: %s", err)
 			}

-			basePort := 33444
+			// out of range port
+			basePort := 1133444
 			for i := 0; i < test.amountFaultyEndpoints; i++ {
 				// 192.0.2.0 is a non-routable IP for testing purposes.
 				// See: https://stackoverflow.com/questions/528538/non-routable-ip-address/18436928#18436928
 				// We only use the port specification here because the URL is used as identifier
 				// in the load balancer and using the exact same URL would not add a new server.
-				loadBalancer.UpsertServer(testhelpers.MustParseURL("http://192.0.2.0:" + string(basePort+i)))
+				_ = loadBalancer.UpsertServer(testhelpers.MustParseURL("http://192.0.2.0:" + strconv.Itoa(basePort+i)))
 			}

 			// add the functioning server to the end of the load balancer list
-			loadBalancer.UpsertServer(testhelpers.MustParseURL(backendServer.URL))
+			_ = loadBalancer.UpsertServer(testhelpers.MustParseURL(backendServer.URL))

 			retryListener := &countingRetryListener{}
 			retry := NewRetry(test.maxRequestAttempts, loadBalancer, retryListener)
@@ -154,17 +156,18 @@ func TestRetryWebsocket(t *testing.T) {
 				t.Fatalf("Error creating load balancer: %s", err)
 			}

-			basePort := 33444
+			// out of range port
+			basePort := 1133444
 			for i := 0; i < test.amountFaultyEndpoints; i++ {
 				// 192.0.2.0 is a non-routable IP for testing purposes.
 				// See: https://stackoverflow.com/questions/528538/non-routable-ip-address/18436928#18436928
 				// We only use the port specification here because the URL is used as identifier
 				// in the load balancer and using the exact same URL would not add a new server.
-				loadBalancer.UpsertServer(testhelpers.MustParseURL("http://192.0.2.0:" + string(basePort+i)))
+				_ = loadBalancer.UpsertServer(testhelpers.MustParseURL("http://192.0.2.0:" + strconv.Itoa(basePort+i)))
 			}

 			// add the functioning server to the end of the load balancer list
-			loadBalancer.UpsertServer(testhelpers.MustParseURL(backendServer.URL))
+			_ = loadBalancer.UpsertServer(testhelpers.MustParseURL(backendServer.URL))

 			retryListener := &countingRetryListener{}
 			retry := NewRetry(test.maxRequestAttempts, loadBalancer, retryListener)
--- a/script/.validate
+++ b/script/.validate
@@ -5,7 +5,7 @@ if [ -z "${VALIDATE_UPSTREAM:-}" ]; then
 	# are running more than one validate bundlescript

 	VALIDATE_REPO='https://github.com/containous/traefik.git'
-	VALIDATE_BRANCH='master'
+	VALIDATE_BRANCH='v1.7'

        # Should not be needed for now O:)
 	# if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
--- a/script/make.sh
+++ b/script/make.sh
@@ -3,9 +3,8 @@ set -e

 # List of bundles to create when no argument is passed
 DEFAULT_BUNDLES=(
-	validate-gofmt
-	validate-govet
 	generate
+	validate-gofmt
 	binary

 	test-unit
--- a/script/validate-errcheck
+++ b/script/validate-errcheck
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
-unset IFS
-
-errors=()
-failedErrcheck=$(errcheck .)
-if [ "$failedErrcheck" ]; then
-    errors+=( "$failedErrcheck" )
-fi
-
-if [ ${#errors[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files have been errchecked.'
-else
-	{
-		echo "Errors from errcheck:"
-		for err in "${errors[@]}"; do
-			echo "$err"
-		done
-		echo
-		echo 'Please fix the above errors. You can test via "errcheck" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/script/validate-govet
+++ b/script/validate-govet
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
-unset IFS
-
-errors=()
-for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed passes go vet
-	failedVet=$(go tool vet -printf=false "$f")
-	if [ "$failedVet" ]; then
-		errors+=( "$failedVet" )
-	fi
-done
-
-if [ ${#errors[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files have been vetted.'
-else
-	{
-		echo "Errors from govet:"
-		for err in "${errors[@]}"; do
-			echo "$err"
-		done
-		echo
-		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/server/server.go
+++ b/server/server.go
@@ -85,6 +85,8 @@ func (h *hijackConnectionTracker) Shutdown(ctx context.Context) error {

 // Close close all the connections in the tracked connections list
 func (h *hijackConnectionTracker) Close() {
+	h.lock.Lock()
+	defer h.lock.Unlock()
 	for conn := range h.conns {
 		if err := conn.Close(); err != nil {
 			log.Errorf("Error while closing Hijacked conn: %v", err)
--- a/tls/certificate.go
+++ b/tls/certificate.go
@@ -16,36 +16,41 @@ import (
 var (
 	// MinVersion Map of allowed TLS minimum versions
 	MinVersion = map[string]uint16{
-		`VersionTLS10`: tls.VersionTLS10,
-		`VersionTLS11`: tls.VersionTLS11,
-		`VersionTLS12`: tls.VersionTLS12,
+		"VersionTLS10": tls.VersionTLS10,
+		"VersionTLS11": tls.VersionTLS11,
+		"VersionTLS12": tls.VersionTLS12,
+		"VersionTLS13": tls.VersionTLS13,
 	}

 	// CipherSuites Map of TLS CipherSuites from crypto/tls
 	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
 	CipherSuites = map[string]uint16{
-		`TLS_RSA_WITH_RC4_128_SHA`:                tls.TLS_RSA_WITH_RC4_128_SHA,
-		`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		`TLS_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		`TLS_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		`TLS_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-		`TLS_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-		`TLS_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-		`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-		`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-		`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
+		"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		"TLS_AES_128_GCM_SHA256":                  tls.TLS_AES_128_GCM_SHA256,
+		"TLS_AES_256_GCM_SHA384":                  tls.TLS_AES_256_GCM_SHA384,
+		"TLS_CHACHA20_POLY1305_SHA256":            tls.TLS_CHACHA20_POLY1305_SHA256,
+		"TLS_FALLBACK_SCSV":                       tls.TLS_FALLBACK_SCSV,
 	}
 )
Author	SHA1	Message	Date
Ludovic Fernandez	f397342f16	Prepare release v1.7.14	2019-08-14 02:06:03 -07:00
Ludovic Fernandez	989a59cc29	Update to go1.12.8	2019-08-14 01:52:05 -07:00
Julien Levesy	c5b71592c8	Make hijackConnectionTracker.Close thread safe	2019-08-12 02:34:04 -07:00