!67 fix cve-2022-24903

From: @compile_success 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

backport-Add-max-sessions-for-imptcp.c-similar-to-imtcp.c.patch

@@ -0,0 +1,311 @@
+From 6c50426dbfd309c03916918541095e9500ea98c6 Mon Sep 17 00:00:00 2001
+From: Alfred Perlstein <alfred@fb.com>
+Date: Sun, 9 Aug 2020 16:45:56 -0700
+Subject: [PATCH 22/73] Add max sessions for imptcp.c similar to imtcp.c
+
+The max is per-instance, not global across all instances.
+
+There is also a bugfix where if epoll failed I think we could leave a
+session linked in the list of sessions, this code unlinks it.
+---
+ plugins/imptcp/imptcp.c     | 72 ++++++++++++++++++++++++++++---------
+ tests/Makefile.am           |  2 ++
+ tests/imptcp_maxsessions.sh | 46 ++++++++++++++++++++++++
+ 3 files changed, 104 insertions(+), 16 deletions(-)
+ create mode 100755 tests/imptcp_maxsessions.sh
+
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index 4d261a29f..e89971dbe 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -128,6 +128,7 @@ typedef struct configSettings_s {
+ 	uchar *lstnIP;			/* which IP we should listen on? */
+ 	uchar *pszBindRuleset;
+ 	int wrkrMax;			/* max number of workers (actually "helper workers") */
++	int iTCPSessMax;  /* max open connections per instance */
+ } configSettings_t;
+ static configSettings_t cs;
+ 
+@@ -164,6 +165,7 @@ struct instanceConf_s {
+ 	unsigned int ratelimitBurst;
+ 	uchar *startRegex;
+ 	regex_t start_preg;	/* compiled version of startRegex */
++	int iTCPSessMax;    /* max open connections */
+ 	struct instanceConf_s *next;
+ };
+ 
+@@ -173,6 +175,7 @@ struct modConfData_s {
+ 	instanceConf_t *root, *tail;
+ 	int wrkrMax;
+ 	int bProcessOnPoller;
++	int iTCPSessMax;
+ 	sbool configSetViaV2Method;
+ };
+ 
+@@ -182,6 +185,7 @@ static modConfData_t *runModConf = NULL;/* modConf ptr to use for the current lo
+ /* module-global parameters */
+ static struct cnfparamdescr modpdescr[] = {
+ 	{ "threads", eCmdHdlrPositiveInt, 0 },
++	{ "maxsessions", eCmdHdlrInt, 0 },
+ 	{ "processOnPoller", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk modpblk =
+@@ -211,6 +215,7 @@ static struct cnfparamdescr inppdescr[] = {
+ 	{ "defaulttz", eCmdHdlrString, 0 },
+ 	{ "supportoctetcountedframing", eCmdHdlrBinary, 0 },
+ 	{ "framingfix.cisco.asa", eCmdHdlrBinary, 0 },
++	{ "maxsessions", eCmdHdlrInt, 0 },
+ 	{ "notifyonconnectionclose", eCmdHdlrBinary, 0 },
+ 	{ "notifyonconnectionopen", eCmdHdlrBinary, 0 },
+ 	{ "compression.mode", eCmdHdlrGetWord, 0 },
+@@ -269,6 +274,8 @@ struct ptcpsrv_s {
+ 	ruleset_t *pRuleset;
+ 	ptcplstn_t *pLstn;		/* root of our listeners */
+ 	ptcpsess_t *pSess;		/* root of our sessions */
++	int iTCPSessCnt;
++	int iTCPSessMax;
+ 	pthread_mutex_t mutSessLst;
+ 	sbool bKeepAlive;		/* support keep-alive packets */
+ 	sbool bEmitMsgOnClose;
+@@ -401,6 +408,24 @@ destructSess(ptcpsess_t *pSess)
+ 	free(pSess);
+ }
+ 
++/* remove session from server */
++static void
++unlinkSess(ptcpsess_t *pSess) {
++	ptcpsrv_t *pSrv = pSess->pLstn->pSrv;
++	pthread_mutex_lock(&pSrv->mutSessLst);
++	pSrv->iTCPSessCnt--;
++	/* finally unlink session from structures */
++	if(pSess->next != NULL)
++		pSess->next->prev = pSess->prev;
++	if(pSess->prev == NULL) {
++		/* need to update root! */
++		pSrv->pSess = pSess->next;
++	} else {
++		pSess->prev->next = pSess->next;
++	}
++	pthread_mutex_unlock(&pSrv->mutSessLst);
++}
++
+ static void
+ destructSrv(ptcpsrv_t *pSrv)
+ {
+@@ -717,7 +742,7 @@ getPeerNames(prop_t **peerName, prop_t **peerIP, struct sockaddr *pAddr, sbool b
+ 	uchar szHname[NI_MAXHOST+1] = "";
+ 	struct addrinfo hints, *res;
+ 	sbool bMaliciousHName = 0;
+-	
++
+ 	DEFiRet;
+ 
+ 	*peerName = NULL;
+@@ -1470,6 +1495,7 @@ addSess(ptcplstn_t *pLstn, int sock, prop_t *peerName, prop_t *peerIP)
+ 	int pmsg_size_factor;
+ 
+ 	CHKmalloc(pSess = malloc(sizeof(ptcpsess_t)));
++	pSess->next = NULL;
+ 	if(pLstn->pSrv->inst->startRegex == NULL) {
+ 		pmsg_size_factor = 1;
+ 		pSess->pMsg_save = NULL;
+@@ -1494,7 +1520,17 @@ addSess(ptcplstn_t *pLstn, int sock, prop_t *peerName, prop_t *peerIP)
+ 
+ 	/* add to start of server's listener list */
+ 	pSess->prev = NULL;
++
+ 	pthread_mutex_lock(&pSrv->mutSessLst);
++	int iTCPSessMax = pSrv->inst->iTCPSessMax;
++	if (iTCPSessMax > 0 && pSrv->iTCPSessCnt >= iTCPSessMax) {
++		pthread_mutex_unlock(&pSrv->mutSessLst);
++		LogError(0, RS_RET_MAX_SESS_REACHED,
++			"too many tcp sessions - dropping incoming request");
++		ABORT_FINALIZE(RS_RET_MAX_SESS_REACHED);
++	}
++
++	pSrv->iTCPSessCnt++;
+ 	pSess->next = pSrv->pSess;
+ 	if(pSrv->pSess != NULL)
+ 		pSrv->pSess->prev = pSess;
+@@ -1506,6 +1542,9 @@ addSess(ptcplstn_t *pLstn, int sock, prop_t *peerName, prop_t *peerIP)
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+ 		if(pSess != NULL) {
++			if (pSess->next != NULL) {
++				unlinkSess(pSess);
++			}
+ 			free(pSess->pMsg_save);
+ 			free(pSess->pMsg);
+ 			free(pSess);
+@@ -1566,24 +1605,14 @@ static rsRetVal
+ closeSess(ptcpsess_t *pSess)
+ {
+ 	DEFiRet;
+-	
++
+ 	if(pSess->compressionMode >= COMPRESS_STREAM_ALWAYS)
+ 		doZipFinish(pSess);
+ 
+ 	const int sock = pSess->sock;
+ 	close(sock);
+ 
+-	pthread_mutex_lock(&pSess->pLstn->pSrv->mutSessLst);
+-	/* finally unlink session from structures */
+-	if(pSess->next != NULL)
+-		pSess->next->prev = pSess->prev;
+-	if(pSess->prev == NULL) {
+-		/* need to update root! */
+-		pSess->pLstn->pSrv->pSess = pSess->next;
+-	} else {
+-		pSess->prev->next = pSess->next;
+-	}
+-	pthread_mutex_unlock(&pSess->pLstn->pSrv->mutSessLst);
++	unlinkSess(pSess);
+ 
+ 	if(pSess->pLstn->pSrv->bEmitMsgOnClose) {
+ 		LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "imptcp: session on socket %d closed "
+@@ -1641,6 +1670,7 @@ createInstance(instanceConf_t **pinst)
+ 	inst->multiLine = 0;
+ 	inst->socketBacklog = 5;
+ 	inst->pszLstnPortFileName = NULL;
++	inst->iTCPSessMax = -1;
+ 
+ 	/* node created, let's add to config */
+ 	if(loadModConf->tail == NULL) {
+@@ -1698,6 +1728,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *const pNe
+ 	inst->bEmitMsgOnOpen = cs.bEmitMsgOnOpen;
+ 	inst->iAddtlFrameDelim = cs.iAddtlFrameDelim;
+ 	inst->maxFrameSize = cs.maxFrameSize;
++	inst->iTCPSessMax = cs.iTCPSessMax;
+ 
+ finalize_it:
+ 	free(pNewVal);
+@@ -1756,6 +1787,7 @@ addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst)
+ 	pSrv->flowControl = inst->flowControl;
+ 	pSrv->pRuleset = inst->pBindRuleset;
+ 	pSrv->pszInputName = ustrdup((inst->pszInputName == NULL) ?  UCHAR_CONSTANT("imptcp") : inst->pszInputName);
++	pSrv->iTCPSessMax = inst->iTCPSessMax;
+ 	CHKiRet(prop.Construct(&pSrv->pInputName));
+ 	CHKiRet(prop.SetString(pSrv->pInputName, pSrv->pszInputName, ustrlen(pSrv->pszInputName)));
+ 	CHKiRet(prop.ConstructFinalize(pSrv->pInputName));
+@@ -2022,13 +2054,13 @@ enqueueIoWork(epolld_t *epd, int dispatchInlineIfQueueFull) {
+ 	int dispatchInline;
+ 	int inlineDispatchThreshold;
+ 	DEFiRet;
+-	
++
+ 	CHKmalloc(n = malloc(sizeof(io_req_t)));
+ 	n->epd = epd;
+-	
++
+ 	inlineDispatchThreshold = DFLT_inlineDispatchThreshold * runModConf->wrkrMax;
+ 	dispatchInline = 0;
+-	
++
+ 	pthread_mutex_lock(&io_q.mut);
+ 	if (dispatchInlineIfQueueFull && io_q.sz > inlineDispatchThreshold) {
+ 		dispatchInline = 1;
+@@ -2200,6 +2232,8 @@ CODESTARTnewInpInst
+ 				ABORT_FINALIZE(RS_RET_PARAM_ERROR);
+ 			}
+ 			free(cstr);
++		} else if(!strcmp(inppblk.descr[i].name, "maxsessions")) {
++			inst->iTCPSessMax = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "keepalive")) {
+ 			inst->bKeepAlive = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "keepalive.probes")) {
+@@ -2248,6 +2282,10 @@ CODESTARTnewInpInst
+ 			ABORT_FINALIZE(RS_RET_ERR);
+ 		}
+ 	}
++
++	if (inst->iTCPSessMax == -1) {
++		inst->iTCPSessMax = loadModConf->iTCPSessMax;
++	}
+ finalize_it:
+ CODE_STD_FINALIZERnewInpInst
+ 	cnfparamvalsDestruct(pvals, &inppblk);
+@@ -2289,6 +2327,8 @@ CODESTARTsetModCnf
+ 			continue;
+ 		if(!strcmp(modpblk.descr[i].name, "threads")) {
+ 			loadModConf->wrkrMax = (int) pvals[i].val.d.n;
++		} else if(!strcmp(modpblk.descr[i].name, "maxsessions")) {
++			loadModConf->iTCPSessMax = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(modpblk.descr[i].name, "processOnPoller")) {
+ 			loadModConf->bProcessOnPoller = (int) pvals[i].val.d.n;
+ 		} else {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index f982dad5d..0df67672c 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1000,6 +1000,7 @@ TESTS +=  \
+ 	imptcp_no_octet_counted.sh \
+ 	imptcp_multi_line.sh \
+ 	imptcp_spframingfix.sh \
++	imptcp_maxsessions.sh \
+ 	imptcp_nonProcessingPoller.sh \
+ 	imptcp_veryLargeOctateCountedMessages.sh \
+ 	imptcp-basic-hup.sh \
+@@ -2472,6 +2473,7 @@ EXTRA_DIST= \
+ 	testsuites/xlate_more_with_duplicates_and_nomatch.lkp_tbl \
+ 	testsuites/xlate_sparse_array_more_with_duplicates_and_nomatch.lkp_tbl \
+ 	json_var_cmpr.sh \
++	imptcp_maxsessions.sh \
+ 	imptcp_nonProcessingPoller.sh \
+ 	imptcp_veryLargeOctateCountedMessages.sh \
+ 	known_issues.supp \
+diff --git a/tests/imptcp_maxsessions.sh b/tests/imptcp_maxsessions.sh
+new file mode 100755
+index 000000000..3162eb619
+--- /dev/null
++++ b/tests/imptcp_maxsessions.sh
+@@ -0,0 +1,46 @@
++#!/bin/bash
++# Test imtcp with many dropping connections
++# added 2010-08-10 by Rgerhards
++#
++# This file is part of the rsyslog project, released  under GPLv3
++. ${srcdir:=.}/diag.sh init
++skip_platform "FreeBSD"  "This test currently does not work on FreeBSD"
++export NUMMESSAGES=500
++
++MAXSESSIONS=10
++CONNECTIONS=20
++EXPECTED_DROPS=$((CONNECTIONS - MAXSESSIONS))
++
++EXPECTED_STR='too many tcp sessions - dropping incoming request'
++wait_too_many_sessions()
++{
++  test "$(grep "$EXPECTED_STR" "$RSYSLOG_OUT_LOG" | wc -l)" = "$EXPECTED_DROPS"
++}
++
++export QUEUE_EMPTY_CHECK_FUNC=wait_too_many_sessions
++generate_conf
++add_conf '
++$MaxMessageSize 10k
++
++module(load="../plugins/imptcp/.libs/imptcp" maxsessions="'$MAXSESSIONS'")
++input(type="imptcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port")
++action(type="omfile" file=`echo $RSYSLOG_OUT_LOG`)
++
++$template outfmt,"%msg:F,58:2%,%msg:F,58:3%,%msg:F,58:4%\n"
++$OMFileFlushInterval 2
++$OMFileIOBufferSize 256k
++'
++startup
++
++echo "INFO: RSYSLOG_OUT_LOG: $RSYSLOG_OUT_LOG"
++
++echo "About to run tcpflood"
++tcpflood -c$CONNECTIONS -m$NUMMESSAGES -r -d100 -P129
++echo "done run tcpflood"
++shutdown_when_empty
++wait_shutdown
++
++content_count_check "$EXPECTED_STR" $EXPECTED_DROPS
++echo "Got expected drops: $EXPECTED_DROPS, looks good!"
++
++exit_test
+-- 
+2.23.0
+

backport-Close-file-descriptor-when-freshStartTail-is-turned-on.patch

@@ -0,0 +1,22 @@
+From b4a312b6361b7035f161383e3a51c7821958511a Mon Sep 17 00:00:00 2001
+From: alakatos <alakatos@redhat.com>
+Date: Thu, 22 Jul 2021 11:19:16 +0200
+Subject: [PATCH] Close file descriptor when freshStartTail is turned on
+
+
+---
+ plugins/imfile/imfile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
+index db161cc491..ddbd286bb4 100644
+--- a/plugins/imfile/imfile.c
++++ b/plugins/imfile/imfile.c
+@@ -1544,6 +1544,7 @@ openFileWithoutStateFile(act_obj_t *const act)
+ 		const int fd = open(act->name, O_RDONLY | O_CLOEXEC);
+ 		if(fd >= 0) {
+ 			act->pStrm->iCurrOffs = lseek64(fd, 0, SEEK_END);
++			close(fd);
+ 			if(act->pStrm->iCurrOffs < 0) {
+ 				act->pStrm->iCurrOffs = 0;
+ 				LogError(errno, RS_RET_ERR, "imfile: could not query current "

backport-Do-not-create-empty-objects-when-accessing-non-exist.patch

@@ -0,0 +1,75 @@
+From 1a1117c7359d1c9fc687fefdd56455f94f7fee10 Mon Sep 17 00:00:00 2001
+From: Julien Thomas <jthomas@zenetys.com>
+Date: Wed, 23 Sep 2020 20:33:55 +0200
+Subject: [PATCH 63/73] Do not create empty objects when accessing non-existent
+ keys
+
+This is a proposal for Github issue rsyslog/rsyslog#4430:
+accessing a non-existing key creates an empty parent object
+https://github.com/rsyslog/rsyslog/issues/4430
+
+When looking up an object property, the tree of intermediate
+object containers was ceated by get and del functions. The
+patch is an attempt to fix that behavior by passing 0 to the
+bCreate argument of jsonPathFindParent().
+
+There is also one case where the return value of
+jsonPathFindParent() was not checked, in the recurssive call
+of jsonPathFindParent() itself. This was leading to infinite
+loops if bCreate was 0.
+---
+ runtime/msg.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/runtime/msg.c b/runtime/msg.c
+index 3acc4f212..b28cf84c5 100644
+--- a/runtime/msg.c
++++ b/runtime/msg.c
+@@ -3142,7 +3142,7 @@ getJSONPropVal(smsg_t * const pMsg, msgPropDescr_t *pProp, uchar **pRes, rs_size
+ 		field = *jroot;
+ 	} else {
+ 		leaf = jsonPathGetLeaf(pProp->name, pProp->nameLen);
+-		CHKiRet(jsonPathFindParent(*jroot, pProp->name, leaf, &parent, 1));
++		CHKiRet(jsonPathFindParent(*jroot, pProp->name, leaf, &parent, 0));
+ 		if(jsonVarExtract(parent, (char*)leaf, &field) == FALSE)
+ 			field = NULL;
+ 	}
+@@ -3197,7 +3197,7 @@ msgGetJSONPropJSONorString(smsg_t * const pMsg, msgPropDescr_t *pProp, struct js
+ 		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 	leaf = jsonPathGetLeaf(pProp->name, pProp->nameLen);
+-	CHKiRet(jsonPathFindParent(*jroot, pProp->name, leaf, &parent, 1));
++	CHKiRet(jsonPathFindParent(*jroot, pProp->name, leaf, &parent, 0));
+ 	if(jsonVarExtract(parent, (char*)leaf, pjson) == FALSE) {
+ 		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+@@ -3242,7 +3242,7 @@ msgGetJSONPropJSON(smsg_t * const pMsg, msgPropDescr_t *pProp, struct json_objec
+ 		FINALIZE;
+ 	}
+ 	leaf = jsonPathGetLeaf(pProp->name, pProp->nameLen);
+-	CHKiRet(jsonPathFindParent(*jroot, pProp->name, leaf, &parent, 1));
++	CHKiRet(jsonPathFindParent(*jroot, pProp->name, leaf, &parent, 0));
+ 	if(jsonVarExtract(parent, (char*)leaf, pjson) == FALSE) {
+ 		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+@@ -4845,7 +4845,7 @@ jsonPathFindParent(struct json_object *jroot, uchar *name, uchar *leaf, struct j
+ 	namestart = name;
+ 	*parent = jroot;
+ 	while(name < leaf-1) {
+-		jsonPathFindNext(*parent, namestart, &name, leaf, parent, bCreate);
++		CHKiRet(jsonPathFindNext(*parent, namestart, &name, leaf, parent, bCreate));
+ 	}
+ 	if(*parent == NULL)
+ 		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+@@ -5006,7 +5006,7 @@ msgDelJSON(smsg_t * const pM, uchar *name)
+ 		*jroot = NULL;
+ 	} else {
+ 		leaf = jsonPathGetLeaf(name, ustrlen(name));
+-		CHKiRet(jsonPathFindParent(*jroot, name, leaf, &parent, 1));
++		CHKiRet(jsonPathFindParent(*jroot, name, leaf, &parent, 0));
+ 		if(jsonVarExtract(parent, (char*)leaf, &leafnode) == FALSE)
+ 			leafnode = NULL;
+ 		if(leafnode == NULL) {
+-- 
+2.23.0
+

backport-FIX-IMUDP-add-missing-free-during-freeCnf.patch

@@ -0,0 +1,24 @@
+From 9df01d03027468d707320d48bd4c0724eaac6aa4 Mon Sep 17 00:00:00 2001
+From: frikilax <theo.bertin@advens.fr>
+Date: Thu, 25 Jun 2020 15:56:06 +0200
+Subject: [PATCH 03/73] FIX::IMUDP: add missing free during freeCnf()
+
+---
+ plugins/imudp/imudp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/imudp/imudp.c b/plugins/imudp/imudp.c
+index bb6414d4d..4b49e9f12 100644
+--- a/plugins/imudp/imudp.c
++++ b/plugins/imudp/imudp.c
+@@ -1195,6 +1195,7 @@ CODESTARTfreeCnf
+ 		free(inst->pszBindPort);
+ 		free(inst->pszBindAddr);
+ 		free(inst->pszBindDevice);
++		free(inst->pszBindRuleset);
+ 		free(inst->inputname);
+ 		free(inst->dfltTZ);
+ 		del = inst;
+-- 
+2.23.0
+

backport-OMMONGODB-Fixes.patch

@@ -0,0 +1,78 @@
+From cf0a6386d33e1311a6f37a887872949d95f1cc16 Mon Sep 17 00:00:00 2001
+From: Kevin Guillemot <kevin.guillemot@advens.fr>
+Date: Wed, 30 Jun 2021 17:39:13 +0200
+Subject: [PATCH] OMMONGODB :: Fixes
+  - Fix Segmentation fault when server is down
+ - Add server connexion check while resuming
+trust merge open source commit:cf0a6386d33e1311a6f37a887872949d95f1cc16
+
+---
+ plugins/ommongodb/ommongodb.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+ diff --git a/plugins/ommongodb/ommongodb.c b/plugins/ommongodb/ommongodb.c
+index fc3153afd..a8b6ac96f 100644
+--- a/plugins/ommongodb/ommongodb.c
++++ b/plugins/ommongodb/ommongodb.c
+@@ -136,10 +136,12 @@ static void closeMongoDB(instanceData *pData)
+ 	if(pData->client != NULL) {
+ 		if (pData->collection != NULL) {
+ 			mongoc_collection_destroy (pData->collection);
++			pData->collection = NULL;
+ 		}
+-
+ 		mongoc_client_destroy (pData->client);
++		pData->client = NULL;
+ 		mongoc_cleanup ();
++		DBGPRINTF("ommongodb: Mongodb connexion closed.");
+ 	}
+ }
+ 
+@@ -189,6 +191,7 @@ reportMongoError(instanceData *pData)
+ /* The following function is responsible for initializing a
+  * MongoDB connection.
+  * Initially added 2004-10-28 mmeckelein
++ * Improved to check if server is available (ping) @kguillemot 2021-06-30
+  */
+ static rsRetVal initMongoDB(instanceData *pData, int bSilent)
+ {
+@@ -208,7 +211,7 @@ static rsRetVal initMongoDB(instanceData *pData, int bSilent)
+ 		dbgprintf("ommongodb: mongo-c-driver was not built with SSL options, ssl directives will not be used.");
+ #endif
+ 	}
+-	if(pData->client == NULL) {
++	if(!pData->client) {
+ 		if(!bSilent) {
+ 			reportMongoError(pData);
+ 			dbgprintf("ommongodb: can not initialize MongoDB handle");
+@@ -217,6 +220,20 @@ static rsRetVal initMongoDB(instanceData *pData, int bSilent)
+ 	}
+ 	pData->collection = mongoc_client_get_collection (pData->client, pData->db, pData->collection_name);
+ 
++	// Try to contact server
++	bson_t *command, reply;
++	bson_error_t error;
++	command = BCON_NEW ("ping", BCON_INT32 (1));
++	unsigned char retval = mongoc_client_command_simple(pData->client, pData->db, command, NULL, &reply, &error);
++	bson_destroy(&reply);
++	bson_destroy(command);
++	if( !retval ) {
++		DBGPRINTF("ommongodb: ping server error (%u): %s \n", error.code, error.message);
++		closeMongoDB(pData);
++		reportMongoError(pData);
++		ABORT_FINALIZE(RS_RET_SUSPENDED);
++	}
++
+ finalize_it:
+ 	RETiRet;
+ }
+@@ -551,7 +568,7 @@ CODESTARTdoAction
+ 	} else if (is_allowed_error_code(pData, pData->error.code)) {
+ 		dbgprintf("ommongodb: insert error: allowing error code\n");
+ 	} else {
+-		dbgprintf("ommongodb: insert error\n");
++		dbgprintf("ommongodb: insert error %u : %s \n", pData->error.code, pData->error.message);
+ 		reportMongoError(pData);
+ 		/* close on insert error to permit resume */
+ 		closeMongoDB(pData);
+--
+2.23.0

backport-Replace-GNUTLS_SHUT_RDWR-by-GNUTLS_SHUT_WR-when-endi.patch

@@ -0,0 +1,44 @@
+From 405457374661a81893cc3d9ad041e51ec996a7d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Fri, 18 Sep 2020 15:46:25 +0200
+Subject: [PATCH 59/73] Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending
+ TLS connections
+
+Some TLS servers don't reply to graceful shutdown requests "for
+optimization". This results in rsyslog's omfwd+gtls client to wait
+forever for a reply of the TLS server which never comes, due to shutting
+down the connection with gnutls_bye(GNUTLS_SHUT_RDWR).
+
+On systemd systems, commands such as "systemctl restart rsyslog" just
+hang for 1m30 and rsyslogd gets killed upon timeout by systemd.
+
+This patch replaces call to gnutls_bye(GNUTLS_SHUT_RDWR) by calls to
+gnutls_bye(GNUTLS_SHUT_WR) which is sufficient and doesn't wait for a
+server reply.
+
+A Red Hat customer reproduces the hang reliably when sending the logs to
+his Kiwi Syslog server, which apparently doesn't send the TLS reply upon
+connection termination request.
+---
+ runtime/nsd_gtls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index ac2d9a41a..1cf73dadc 100644
+--- a/runtime/nsd_gtls.c
++++ b/runtime/nsd_gtls.c
+@@ -1321,9 +1321,9 @@ gtlsEndSess(nsd_gtls_t *pThis)
+ 
+ 	if(pThis->bHaveSess) {
+ 		if(pThis->bIsInitiator) {
+-			gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR);
++			gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_WR);
+ 			while(gnuRet == GNUTLS_E_INTERRUPTED || gnuRet == GNUTLS_E_AGAIN) {
+-				gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR);
++				gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_WR);
+ 			}
+ 		}
+ 		gnutls_deinit(pThis->sess);
+-- 
+2.23.0
+

backport-Replaced-eCmdHdlrPositiveInt-with-eCmdHdlrNonNegInt-.patch

@@ -0,0 +1,133 @@
+From 2e3b767d03f7ee9534a4d93c013a6bc35437ca13 Mon Sep 17 00:00:00 2001
+From: Aaron Levy <aaronmaxlevy@gmail.com>
+Date: Sat, 12 Sep 2020 17:29:44 -0700
+Subject: [PATCH 57/73] Replaced eCmdHdlrPositiveInt with eCmdHdlrNonNegInt
+ where default is 0
+
+---
+ contrib/mmdarwin/mmdarwin.c         | 2 +-
+ contrib/omrabbitmq/omrabbitmq.c     | 2 +-
+ plugins/imfile/imfile.c             | 6 +++---
+ plugins/imtcp/imtcp.c               | 6 +++---
+ runtime/glbl.c                      | 2 +-
+ tests/omrabbitmq_params_invalid3.sh | 4 ++--
+ tools/omfwd.c                       | 6 +++---
+ 7 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/contrib/mmdarwin/mmdarwin.c b/contrib/mmdarwin/mmdarwin.c
+index ea6f4c3ee..e36dbde2c 100644
+--- a/contrib/mmdarwin/mmdarwin.c
++++ b/contrib/mmdarwin/mmdarwin.c
+@@ -124,7 +124,7 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{"filtercode", eCmdHdlrGetWord, 0},			/* optional parameter */
+ 	{"response", eCmdHdlrGetWord, 0},			/* optional parameter */
+ 	{"send_partial", eCmdHdlrBinary, 0},		/* optional parameter */
+-	{"socket_max_use", eCmdHdlrPositiveInt, 0}, /* optional parameter - will disappear in future updates */
++	{"socket_max_use", eCmdHdlrNonNegInt, 0}, /* optional parameter - will disappear in future updates */
+ };
+ static struct cnfparamblk actpblk = {
+ 	CNFPARAMBLK_VERSION,
+diff --git a/contrib/omrabbitmq/omrabbitmq.c b/contrib/omrabbitmq/omrabbitmq.c
+index 12b1ea18e..4d7696459 100644
+--- a/contrib/omrabbitmq/omrabbitmq.c
++++ b/contrib/omrabbitmq/omrabbitmq.c
+@@ -179,7 +179,7 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "routing_key", eCmdHdlrGetWord, 0 },
+ 	{ "routing_key_template", eCmdHdlrGetWord, 0 },
+ 	{ "delivery_mode", eCmdHdlrGetWord, 0 },
+-	{ "expiration", eCmdHdlrPositiveInt, 0 },
++	{ "expiration", eCmdHdlrNonNegInt, 0 },
+ 	{ "populate_properties", eCmdHdlrBinary, 0 },
+ 	{ "body_template", eCmdHdlrGetWord, 0 },
+ 	{ "content_type", eCmdHdlrGetWord, 0 },
+diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
+index 21d654655..db161cc49 100644
+--- a/plugins/imfile/imfile.c
++++ b/plugins/imfile/imfile.c
+@@ -300,7 +300,7 @@ static prop_t *pInputName = NULL;
+ /* module-global parameters */
+ static struct cnfparamdescr modpdescr[] = {
+ 	{ "pollinginterval", eCmdHdlrPositiveInt, 0 },
+-	{ "readtimeout", eCmdHdlrPositiveInt, 0 },
++	{ "readtimeout", eCmdHdlrNonNegInt, 0 },
+ 	{ "timeoutgranularity", eCmdHdlrPositiveInt, 0 },
+ 	{ "sortfiles", eCmdHdlrBinary, 0 },
+ 	{ "statefile.directory", eCmdHdlrString, 0 },
+@@ -335,11 +335,11 @@ static struct cnfparamdescr inppdescr[] = {
+ 	{ "persiststateinterval", eCmdHdlrInt, 0 },
+ 	{ "persiststateaftersubmission", eCmdHdlrBinary, 0 },
+ 	{ "deletestateonfiledelete", eCmdHdlrBinary, 0 },
+-	{ "delay.message", eCmdHdlrPositiveInt, 0 },
++	{ "delay.message", eCmdHdlrNonNegInt, 0 },
+ 	{ "addmetadata", eCmdHdlrBinary, 0 },
+ 	{ "addceetag", eCmdHdlrBinary, 0 },
+ 	{ "statefile", eCmdHdlrString, CNFPARAM_DEPRECATED },
+-	{ "readtimeout", eCmdHdlrPositiveInt, 0 },
++	{ "readtimeout", eCmdHdlrNonNegInt, 0 },
+ 	{ "freshstarttail", eCmdHdlrBinary, 0},
+ 	{ "filenotfounderror", eCmdHdlrBinary, 0},
+ 	{ "needparse", eCmdHdlrBinary, 0},
+diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index a1955d979..f1478dc15 100644
+--- a/plugins/imtcp/imtcp.c
++++ b/plugins/imtcp/imtcp.c
+@@ -180,9 +180,9 @@ static struct cnfparamdescr modpdescr[] = {
+ 	{ "streamdriver.TlsVerifyDepth", eCmdHdlrPositiveInt, 0 },
+ 	{ "permittedpeer", eCmdHdlrArray, 0 },
+ 	{ "keepalive", eCmdHdlrBinary, 0 },
+-	{ "keepalive.probes", eCmdHdlrPositiveInt, 0 },
+-	{ "keepalive.time", eCmdHdlrPositiveInt, 0 },
+-	{ "keepalive.interval", eCmdHdlrPositiveInt, 0 },
++	{ "keepalive.probes", eCmdHdlrNonNegInt, 0 },
++	{ "keepalive.time", eCmdHdlrNonNegInt, 0 },
++	{ "keepalive.interval", eCmdHdlrNonNegInt, 0 },
+ 	{ "gnutlsprioritystring", eCmdHdlrString, 0 },
+ 	{ "preservecase", eCmdHdlrBinary, 0 }
+ };
+diff --git a/runtime/glbl.c b/runtime/glbl.c
+index ce390da4e..714f6226d 100644
+--- a/runtime/glbl.c
++++ b/runtime/glbl.c
+@@ -170,7 +170,7 @@ static struct cnfparamdescr cnfparamdescr[] = {
+ 	{ "preservefqdn", eCmdHdlrBinary, 0 },
+ 	{ "debug.onshutdown", eCmdHdlrBinary, 0 },
+ 	{ "debug.logfile", eCmdHdlrString, 0 },
+-	{ "debug.gnutls", eCmdHdlrPositiveInt, 0 },
++	{ "debug.gnutls", eCmdHdlrNonNegInt, 0 },
+ 	{ "debug.unloadmodules", eCmdHdlrBinary, 0 },
+ 	{ "defaultnetstreamdrivercafile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+diff --git a/tests/omrabbitmq_params_invalid3.sh b/tests/omrabbitmq_params_invalid3.sh
+index 991cb3bee..4274dd9d2 100755
+--- a/tests/omrabbitmq_params_invalid3.sh
++++ b/tests/omrabbitmq_params_invalid3.sh
+@@ -11,6 +11,6 @@ action(type="omfile" file="'$RSYSLOG_OUT_LOG'")
+ startup
+ shutdown_when_empty
+ wait_shutdown
+-content_check "parameter 'expiration' cannot be less than one"
++content_check "parameter 'expiration' cannot be less than zero"
+ 
+-exit_test
+\ No newline at end of file
++exit_test
+diff --git a/tools/omfwd.c b/tools/omfwd.c
+index 74d0c8bed..1304f43f3 100644
+--- a/tools/omfwd.c
++++ b/tools/omfwd.c
+@@ -184,9 +184,9 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "maxerrormessages", eCmdHdlrInt, CNFPARAM_DEPRECATED },
+ 	{ "rebindinterval", eCmdHdlrInt, 0 },
+ 	{ "keepalive", eCmdHdlrBinary, 0 },
+-	{ "keepalive.probes", eCmdHdlrPositiveInt, 0 },
+-	{ "keepalive.time", eCmdHdlrPositiveInt, 0 },
+-	{ "keepalive.interval", eCmdHdlrPositiveInt, 0 },
++	{ "keepalive.probes", eCmdHdlrNonNegInt, 0 },
++	{ "keepalive.time", eCmdHdlrNonNegInt, 0 },
++	{ "keepalive.interval", eCmdHdlrNonNegInt, 0 },
+ 	{ "gnutlsprioritystring", eCmdHdlrString, 0 },
+ 	{ "streamdriver", eCmdHdlrGetWord, 0 },
+ 	{ "streamdrivermode", eCmdHdlrInt, 0 },
+-- 
+2.23.0
+

backport-config-bugfix-intended-warning-emitted-as-error.patch

@@ -0,0 +1,30 @@
+From 24816cd9ddefacd60aa9d7023a71bb24314c5957 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Wed, 26 Aug 2020 13:17:16 +0200
+Subject: [PATCH 37/73] config bugfix: intended warning emitted as error
+
+When there are actions configured after a STOP, a warning should be
+emitted. In fact, an error message is generated. This prevents the
+construct, which may have some legit uses in exotic settings. It
+may also break older configs, but as the message is an error
+for so long now, this should be no longer of concern.
+---
+ grammar/rainerscript.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
+index 2157451a0..34f4804f1 100644
+--- a/grammar/rainerscript.c
++++ b/grammar/rainerscript.c
+@@ -5041,7 +5041,7 @@ cnfstmtOptimize(struct cnfstmt *root)
+ 			break;
+ 		case S_STOP:
+ 			if(stmt->next != NULL)
+-				parser_errmsg("STOP is followed by unreachable statements!\n");
++				parser_warnmsg("STOP is followed by unreachable statements!\n");
+ 			break;
+ 		case S_UNSET: /* nothing to do */
+ 			break;
+-- 
+2.23.0
+

backport-core-bugfix-potential-segfault-on-querey-of-PROGRAMN.patch

@@ -0,0 +1,57 @@
+From 6cffa83af3ca1368ab406324fb01d5e1c32af902 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 11 Sep 2020 13:14:50 +0200
+Subject: [PATCH] core bugfix: potential segfault on querey of PROGRAMNAME
+ property
+
+A data race can happen on variable iLenProgram as it is not guarded
+by the message mutex at time of query. This can lead to it being
+non -1 while the buffer has not yet properly set up.
+
+Thanks to github user wsp1991 for alerting us and a related
+patch proposal.
+
+replaces https://github.com/rsyslog/rsyslog/pull/4300
+---
+ runtime/msg.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/runtime/msg.c b/runtime/msg.c
+index 6468a0d55..3acc4f212 100644
+--- a/runtime/msg.c
++++ b/runtime/msg.c
+@@ -2619,22 +2619,21 @@ MsgGetStructuredData(smsg_t * const pM, uchar **pBuf, rs_size_t *len)
+ uchar * ATTR_NONNULL(1)
+ getProgramName(smsg_t *const pM, const sbool bLockMutex)
+ {
++	if(bLockMutex == LOCK_MUTEX) {
++		MsgLock(pM);
++	}
++
+ 	if(pM->iLenPROGNAME == -1) {
+ 		if(pM->iLenTAG == 0) {
+ 			uchar *pRes;
+ 			rs_size_t bufLen = -1;
+-			getTAG(pM, &pRes, &bufLen, bLockMutex);
++			getTAG(pM, &pRes, &bufLen, MUTEX_ALREADY_LOCKED);
+ 		}
++		aquireProgramName(pM);
++	}
+ 
+-		if(bLockMutex == LOCK_MUTEX) {
+-			MsgLock(pM);
+-			/* need to re-check, things may have change in between! */
+-			if(pM->iLenPROGNAME == -1)
+-				aquireProgramName(pM);
+-			MsgUnlock(pM);
+-		} else {
+-			aquireProgramName(pM);
+-		}
++	if(bLockMutex == LOCK_MUTEX) {
++		MsgUnlock(pM);
+ 	}
+ 	return (pM->iLenPROGNAME < CONF_PROGNAME_BUFSIZE) ? pM->PROGNAME.szBuf
+ 						       : pM->PROGNAME.ptr;
+-- 
+2.23.0
+

backport-core-bugfix-segfault-if-disk-queue-file-cannot-be-cr.patch

@@ -0,0 +1,133 @@
+From 6763185783f78dc8947103f454a3ddb28c46d362 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Wed, 26 Aug 2020 17:39:49 +0200
+Subject: [PATCH 43/73] core bugfix: segfault if disk-queue file cannot be
+ created
+
+When using Disk Queue and a queue.filename that can not be created
+by rsyslog, the service does not switch to another queue type as
+supposed to and crashes at a later step.
+
+closes: https://github.com/rsyslog/rsyslog/issues/4282
+---
+ runtime/stream.c        |  1 +
+ tests/Makefile.am       |  2 ++
+ tests/diag.sh           |  2 +-
+ tests/diskqueue-fail.sh | 35 +++++++++++++++++++++++++++++++++++
+ tools/rsyslogd.c        |  9 +++++++--
+ 5 files changed, 46 insertions(+), 3 deletions(-)
+ create mode 100755 tests/diskqueue-fail.sh
+
+diff --git a/runtime/stream.c b/runtime/stream.c
+index 044a097ef..abe4ffb4b 100644
+--- a/runtime/stream.c
++++ b/runtime/stream.c
+@@ -2079,6 +2079,7 @@ static rsRetVal strmWriteChar(strm_t *__restrict__ const pThis, const uchar c)
+ 	if(pThis->iBufPtr == pThis->sIOBufSize) {
+ 		CHKiRet(strmFlushInternal(pThis, 0));
+ 	}
++
+ 	/* we now always have space for one character, so we simply copy it */
+ 	*(pThis->pIOBuf + pThis->iBufPtr) = c;
+ 	pThis->iBufPtr++;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 0df67672c..3b296a106 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -289,6 +289,7 @@ TESTS +=  \
+ 	diskqueue.sh \
+ 	diskqueue-fsync.sh \
+ 	diskqueue-full.sh \
++	diskqueue-fail.sh \
+ 	diskqueue-non-unique-prefix.sh \
+ 	rulesetmultiqueue.sh \
+ 	rulesetmultiqueue-v6.sh \
+@@ -1644,6 +1645,7 @@ EXTRA_DIST= \
+ 	diskq-rfc5424.sh \
+ 	rfc5424parser-sp_at_msg_start.sh \
+ 	diskqueue-full.sh \
++	diskqueue-fail.sh \
+ 	diskqueue.sh \
+ 	diskqueue-non-unique-prefix.sh \
+ 	arrayqueue.sh \
+diff --git a/tests/diag.sh b/tests/diag.sh
+index bc0e408ce..de12d05da 100755
+--- a/tests/diag.sh
++++ b/tests/diag.sh
+@@ -710,7 +710,7 @@ content_count_check() {
+ 		grep_opt=-F
+ 	fi
+ 	file=${3:-$RSYSLOG_OUT_LOG}
+-	count=$(grep -c -F -- "$1" <${RSYSLOG_OUT_LOG})
++	count=$(grep -c $grep_opt -- "$1" <${RSYSLOG_OUT_LOG})
+ 	if [ ${count:=0} -ne "$2" ]; then
+ 	    grep -c -F -- "$1" <${RSYSLOG_OUT_LOG}
+ 	    printf '\n============================================================\n'
+diff --git a/tests/diskqueue-fail.sh b/tests/diskqueue-fail.sh
+new file mode 100755
+index 000000000..a8c63b26b
+--- /dev/null
++++ b/tests/diskqueue-fail.sh
+@@ -0,0 +1,35 @@
++#!/bin/bash
++# checks that nothing bad happens if a DA (disk) queue runs out
++# of configured disk space
++# addd 2017-02-07 by RGerhards, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++export NUMMESSAGES=100
++generate_conf
++add_conf '
++module(	load="../plugins/imtcp/.libs/imtcp")
++input(type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" ruleset="queuefail")
++
++template(name="outfmt" type="string"
++	 string="%msg:F,58:2%,%msg:F,58:3%,%msg:F,58:4%\n")
++
++ruleset(
++	name="queuefail"
++	queue.type="Disk"
++	queue.filename="fssailstocreate"
++	queue.maxDiskSpace="4m"
++	queue.maxfilesize="1m"
++	queue.timeoutenqueue="300000"
++	queue.lowwatermark="5000"
++) {
++	action(type="omfile" template="outfmt" file="'$RSYSLOG_OUT_LOG'")
++}
++'
++startup
++
++tcpflood -p$TCPFLOOD_PORT -m$NUMMESSAGES
++
++shutdown_when_empty
++wait_shutdown
++seq_check
++
++exit_test
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index d2e4833eb..d752bf7ad 100644
+--- a/tools/rsyslogd.c
++++ b/tools/rsyslogd.c
+@@ -808,12 +808,17 @@ rsRetVal createMainQueue(qqueue_t **ppQueue, uchar *pszQueueName, struct nvlst *
+ }
+ 
+ rsRetVal
+-startMainQueue(qqueue_t *pQueue)
++startMainQueue(qqueue_t *const pQueue)
+ {
+ 	DEFiRet;
+ 	CHKiRet_Hdlr(qqueueStart(pQueue)) {
+ 		/* no queue is fatal, we need to give up in that case... */
+-		LogError(0, iRet, "could not start (ruleset) main message queue"); \
++		LogError(0, iRet, "could not start (ruleset) main message queue");
++		pQueue->qType = QUEUETYPE_DIRECT;
++		CHKiRet_Hdlr(qqueueStart(pQueue)) {
++			/* no queue is fatal, we need to give up in that case... */
++			LogError(0, iRet, "fatal error: could not even start queue in direct mode");
++		}
+ 	}
+ 	RETiRet;
+ }
+-- 
+2.23.0
+

backport-core-network-obey-net.enableDNS-off-when-querying-lo.patch

@@ -0,0 +1,26 @@
+From de0750c6c28b76be9573bc08386bc2fad54b80a1 Mon Sep 17 00:00:00 2001
+From: Kalle Kankare <kalle.kankare@vincit.fi>
+Date: Mon, 11 Nov 2019 10:01:36 +0200
+Subject: [PATCH 60/73] core/network: obey net.enableDNS=off when querying
+ local hostname
+
+---
+ runtime/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/net.c b/runtime/net.c
+index e503810c5..d98395a77 100644
+--- a/runtime/net.c
++++ b/runtime/net.c
+@@ -1186,7 +1186,7 @@ getLocalHostname(uchar **ppName)
+ 
+ 	char *dot = strstr(hnbuf, ".");
+ 	struct addrinfo *res = NULL;
+-	if(!empty_hostname && dot == NULL) {
++	if(!empty_hostname && dot == NULL && !glbl.GetDisableDNS()) {
+ 		/* we need to (try) to find the real name via resolver */
+ 		struct addrinfo flags;
+ 		memset(&flags, 0, sizeof(flags));
+-- 
+2.23.0
+

backport-gnutls-Added-handshake-error-handling-into-doRetry-h.patch

@@ -0,0 +1,47 @@
+From 1cf08f0a268eacc345b6cc48921ee25748ded175 Mon Sep 17 00:00:00 2001
+From: Andre lorbach <alorbach@adiscon.com>
+Date: Tue, 6 Oct 2020 14:24:51 +0200
+Subject: [PATCH 68/73] gnutls: Added handshake error handling into doRetry
+ handler.
+
+If the tls handshake does not immediatelly finish, gnutls_handShake is called in
+doRetry handler again. However the error handling was not
+complete in the doRetry handler. A failed gnutls_handShake call
+did not abort the connection and properly caused unexpected
+problems like in issues:
+
+https://github.com/rsyslog/rsyslog/issues/4270
+https://github.com/rsyslog/rsyslog/issues/4288
+---
+ runtime/nsdsel_gtls.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c
+index 195431514..6ed7187e5 100644
+--- a/runtime/nsdsel_gtls.c
++++ b/runtime/nsdsel_gtls.c
+@@ -150,10 +150,20 @@ doRetry(nsd_gtls_t *pNsd)
+ 	switch(pNsd->rtryCall) {
+ 		case gtlsRtry_handshake:
+ 			gnuRet = gnutls_handshake(pNsd->sess);
+-			if(gnuRet == 0) {
++			if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
++				dbgprintf("GnuTLS handshake retry did not finish - "
++					"setting to retry (this is OK and can happen)\n");
++				FINALIZE;
++			} else if(gnuRet == 0) {
+ 				pNsd->rtryCall = gtlsRtry_None; /* we are done */
+ 				/* we got a handshake, now check authorization */
+ 				CHKiRet(gtlsChkPeerAuth(pNsd));
++			} else {
++				uchar *pGnuErr = gtlsStrerror(gnuRet);
++				LogError(0, RS_RET_TLS_HANDSHAKE_ERR,
++					"GnuTLS handshake retry returned error: %s\n", pGnuErr);
++				free(pGnuErr);
++				ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
+ 			}
+ 			break;
+ 		case gtlsRtry_recv:
+-- 
+2.23.0
+

backport-gnutls-Propagate-CheckExtendedKeyPurpose-when-accept.patch

@@ -0,0 +1,29 @@
+From 37a19fb8997b9b61a7d75852e37110330a07c0d2 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Mon, 10 Aug 2020 16:37:43 +0200
+Subject: [PATCH 17/73] gnutls: Propagate CheckExtendedKeyPurpose when
+ accepting connection
+
+Previously, when the server accepts a new connection, it doesn't
+properly set the dataTypeCheck field based on the listening socket.
+That results in skipping ExtendedKeyUsage (EKU) check on the client
+certificates.
+---
+ runtime/nsd_gtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index 2eed4246d..ac2d9a41a 100644
+--- a/runtime/nsd_gtls.c
++++ b/runtime/nsd_gtls.c
+@@ -1788,6 +1788,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+ 	pNew->pPermPeers = pThis->pPermPeers;
+ 	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
++	pNew->dataTypeCheck = pThis->dataTypeCheck;
+ 
+ 	/* if we reach this point, we are in TLS mode */
+ 	iRet = gtlsInitSession(pNew);
+-- 
+2.23.0
+

backport-imfile-bugfix-hash-char-invalidly-added-in-readmode-0.patch

@@ -0,0 +1,30 @@
+From d93c5e9d4830197a36830ba285bc5179312cbfc3 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Mon, 9 Aug 2021 12:38:06 +0200
+Subject: [PATCH] imfile bugfix: hash char invalidly added in readmode != 0
+
+If imfile is ingesting log files with readMode set to 2 or 1, the resulting
+messages all have a '#' character at the end. This patch corrects the behaviour.
+
+Note: if some external script "supported" the bug of extra hash character at
+the end of line, it may be necessary to update them.
+
+closes https://github.com/rsyslog/rsyslog/issues/4491
+
+---
+ runtime/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/stream.c b/runtime/stream.c
+index abe4ffb4bd..23cde86a07 100644
+--- a/runtime/stream.c
++++ b/runtime/stream.c
+@@ -888,7 +888,7 @@ strmReadLine(strm_t *const pThis, cstr_t **ppCStr, uint8_t mode, sbool bEscapeLF
+ {
+ 	uchar c;
+ 	uchar finished;
+-	const int escapeLFString_len = (escapeLFString == NULL) ? 3 : strlen((char*) escapeLFString);
++	const int escapeLFString_len = (escapeLFString == NULL) ? 4 : strlen((char*) escapeLFString);
+ 	DEFiRet;
+ 
+ 	assert(pThis != NULL);

backport-imjournal-flush-buffer-before-fsync.patch

@@ -0,0 +1,39 @@
+From 6a1faa065a60c080915f1abdcfa82bc39b88d895 Mon Sep 17 00:00:00 2001
+From: Gerd Rausch <gerd.rausch@oracle.com>
+Date: Thu, 15 Apr 2021 11:16:29 -0700
+Subject: [PATCH] imjournal: flush buffer before fsync
+ Flush the FILE* buffer before rename & fsync in order
+to not end up syncing an empty file.
+ Also, close WorkDir on fsync in order to prevent
+file descriptor leakage.
+ Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
+Signed-off-by: Venu Busireddy <venu.busireddy@oracle.com>
+trust merge open source commit:6a1faa065a60c080915f1abdcfa82bc39b88d895
+
+---
+ plugins/imjournal/imjournal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+ diff --git a/plugins/imjournal/imjournal.c b/plugins/imjournal/imjournal.c
+index 35c3f8f9b..62a5ab206 100644
+--- a/plugins/imjournal/imjournal.c
++++ b/plugins/imjournal/imjournal.c
+@@ -562,6 +562,8 @@ persistJournalState(void)
+ 		ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 	}
+ 
++	fflush(sf);
++
+ 	/* change the name of the file to the configured one */
+ 	if (rename(tmp_sf, cs.stateFile) < 0) {
+ 		LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
+@@ -583,6 +585,8 @@ persistJournalState(void)
+ 			LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
+ 			ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 		}
++
++		closedir(wd);
+ 	}
+ 
+ 	DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);
+-- 
+2.23.0

backport-imptcp-bugfix-keep-alive-interval-was-incorrectly-set.patch

@@ -0,0 +1,36 @@
+From 9121c4ea5aeaac9b1ee7bd8c308c8fde95bc39b4 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Wed, 4 Aug 2021 08:03:46 +0200
+Subject: [PATCH] imptcp bugfix: keep alive interval was incorrectly set
+
+The interval was accidentally set to keep alive interval. This has been
+corrected.
+
+closes https://github.com/rsyslog/rsyslog/issues/4609
+4
+---
+ plugins/imptcp/imptcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index e89971dbe8..cdd29d4fd5 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1721,7 +1721,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *const pNe
+ 	inst->pBindRuleset = NULL;
+ 	inst->bSuppOctetFram = cs.bSuppOctetFram;
+ 	inst->bKeepAlive = cs.bKeepAlive;
+-	inst->iKeepAliveIntvl = cs.iKeepAliveTime;
++	inst->iKeepAliveIntvl = cs.iKeepAliveIntvl;
+ 	inst->iKeepAliveProbes = cs.iKeepAliveProbes;
+ 	inst->iKeepAliveTime = cs.iKeepAliveTime;
+ 	inst->bEmitMsgOnClose = cs.bEmitMsgOnClose;
+@@ -1750,7 +1750,7 @@ addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst)
+ 	pSrv->bSuppOctetFram = inst->bSuppOctetFram;
+ 	pSrv->bSPFramingFix = inst->bSPFramingFix;
+ 	pSrv->bKeepAlive = inst->bKeepAlive;
+-	pSrv->iKeepAliveIntvl = inst->iKeepAliveTime;
++	pSrv->iKeepAliveIntvl = inst->iKeepAliveIntvl;
+ 	pSrv->iKeepAliveProbes = inst->iKeepAliveProbes;
+ 	pSrv->iKeepAliveTime = inst->iKeepAliveTime;
+ 	pSrv->bEmitMsgOnClose = inst->bEmitMsgOnClose;

backport-imtcp-bugfix-broken-connection-not-necessariy-detect.patch

@@ -0,0 +1,30 @@
+From 29afbafcd5950ed31a3831f9f4fbe1649a0ea49b Mon Sep 17 00:00:00 2001
+From: Leo Fang <leofang_94@163.com>
+Date: Wed, 27 May 2020 10:45:29 +0800
+Subject: [PATCH] imtcp bugfix: broken connection not necessariy detected
+
+Due to an invalid return code check, broken TCP sessions could not
+necessarily be detected "right in time". This can result is the loss
+of one message.
+
+closes https://github.com/rsyslog/rsyslog/issues/4227
+---
+ runtime/nsd_ptcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
+index de3ab38f9..2b56efdb8 100644
+--- a/runtime/nsd_ptcp.c
++++ b/runtime/nsd_ptcp.c
+@@ -952,7 +952,7 @@ CheckConnection(nsd_t *pNsd)
+ 	ISOBJ_TYPE_assert(pThis, nsd_ptcp);
+ 
+ 	rc = recv(pThis->sock, msgbuf, 1, MSG_DONTWAIT | MSG_PEEK);
+-	if(rc == 0 && errno != EAGAIN) {
++	if(rc == 0) {
+ 		dbgprintf("CheckConnection detected broken connection - closing it (rc %d, errno %d)\n", rc, errno);
+ 		/* in this case, the remote peer had shut down the connection and we
+ 		 * need to close our side, too.
+-- 
+2.23.0
+

backport-lookup-table-bugfix-data-race-on-lookup-table-reload.patch

@@ -0,0 +1,28 @@
+From 389484010fd95d611873e80bdbca898d9671170a Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 29 Jan 2021 09:25:09 +0100
+Subject: [PATCH] lookup table bugfix: data race on lookup table reload
+ A data race could happen when a lookup table was reloaded. We found
+this while moving to newer version of TSAN, but have no matching
+report from practice. However, there is a potential for this to cause
+a segfault under "bad circumstances".
+trust merge open source commit:389484010fd95d611873e80bdbca898d9671170a
+
+---
+ grammar/rainerscript.c | 2 ++
+ 1 file changed, 2 insertions(+)
+ diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
+index 2e358353e..c86985962 100644
+--- a/grammar/rainerscript.c
++++ b/grammar/rainerscript.c
+@@ -2377,6 +2377,8 @@ doFunct_Lookup(struct cnffunc *__restrict__ const func,
+ 		return;
+ 	}
+ 	cnfexprEval(func->expr[1], &srcVal, usrptr, pWti);
++	pthread_rwlock_rdlock(&((lookup_ref_t*)func->funcdata)->rwlock);
++	pthread_rwlock_unlock(&((lookup_ref_t*)func->funcdata)->rwlock);
+ 	lookup_table = ((lookup_ref_t*)func->funcdata)->self;
+ 	if (lookup_table != NULL) {
+ 		lookup_key_type = lookup_table->key_type;
+-- 
+2.23.0

backport-msg-memory-leak-in-msgAddJSON-if-jsonPathFindParent-.patch

@@ -0,0 +1,32 @@
+From c54d3d5e8cb45f2ad1b0166524f6407172df80c8 Mon Sep 17 00:00:00 2001
+From: Julien Thomas <jthomas@zenetys.com>
+Date: Fri, 9 Oct 2020 21:21:10 +0200
+Subject: [PATCH 70/73] msg: memory leak in msgAddJSON() if
+ jsonPathFindParent() failed
+
+There is a missing call to json_object_put(json) if the call to
+jsonPathFindParent() failed. It's leaking memory.
+---
+ runtime/msg.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/msg.c b/runtime/msg.c
+index 8e86d2944..0dc86c0ed 100644
+--- a/runtime/msg.c
++++ b/runtime/msg.c
+@@ -4966,7 +4966,11 @@ msgAddJSON(smsg_t * const pM, uchar *name, struct json_object *json, int force_r
+ 			*jroot = json_object_new_object();
+ 		}
+ 		leaf = jsonPathGetLeaf(name, ustrlen(name));
+-		CHKiRet(jsonPathFindParent(*jroot, name, leaf, &parent, 1));
++		iRet = jsonPathFindParent(*jroot, name, leaf, &parent, 1);
++		if (unlikely(iRet != RS_RET_OK)) {
++			json_object_put(json);
++			FINALIZE;
++		}
+ 		if (json_object_get_type(parent) != json_type_object) {
+ 			DBGPRINTF("msgAddJSON: not a container in json path,"
+ 				"name is '%s'\n", name);
+-- 
+2.23.0
+

backport-msg-segfault-in-jsonPathFindNext-when-root-is-not-an.patch

@@ -0,0 +1,40 @@
+From e5dc93e076f0c9ba9458b3c634bbf2b5d53201e2 Mon Sep 17 00:00:00 2001
+From: Julien Thomas <jthomas@zenetys.com>
+Date: Fri, 9 Oct 2020 21:18:01 +0200
+Subject: [PATCH 69/73] msg: segfault in jsonPathFindNext() when <root> is not
+ an object
+
+The segfault gets happens when <bCreate> is 1 and when the <root>
+container where to insert the <namebuf> key is not an object.
+
+Here is simple reproducible test case:
+
+// ensure we start fresh
+// unnecessary if there was no previous set
+unset $!;
+
+set $! = "";
+set $!event!created = 123;
+---
+ runtime/msg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/runtime/msg.c b/runtime/msg.c
+index ebb9fdd6d..8e86d2944 100644
+--- a/runtime/msg.c
++++ b/runtime/msg.c
+@@ -4826,6 +4826,11 @@ jsonPathFindNext(struct json_object *root, uchar *namestart, uchar **name, uchar
+ 		if(!bCreate) {
+ 			ABORT_FINALIZE(RS_RET_JNAME_INVALID);
+ 		} else {
++			if (json_object_get_type(root) != json_type_object) {
++				DBGPRINTF("jsonPathFindNext with bCreate: not a container in json path, "
++					"name is '%s'\n", namestart);
++				ABORT_FINALIZE(RS_RET_INVLD_SETOP);
++			}
+ 			json = json_object_new_object();
+ 			json_object_object_add(root, (char*)namebuf, json);
+ 		}
+-- 
+2.23.0
+

backport-omelasticsearch-Fix-reply-buffer-reset-after-health-.patch

@@ -0,0 +1,42 @@
+From 694c0cc1068a78f9aee80a69eccc98d1cde06c88 Mon Sep 17 00:00:00 2001
+From: Julien Thomas <jthomas@zenetys.com>
+Date: Mon, 20 Jul 2020 11:21:49 +0200
+Subject: [PATCH 26/73] omelasticsearch: Fix reply buffer reset after health
+ check
+
+This is a proposal to fix github issue #4127 "omelasticsearch
+failure parsing elasticsearch reply in 8.2001.0".
+
+The issue happens when more than one server is defined on the
+action. On that condition a health check is made through
+checkConn() before sending the POST. The replyLen should be
+set back to 0 after the health check, otherwise the response
+data received from the POST gets appended to the end of the
+last health check.
+---
+ plugins/omelasticsearch/omelasticsearch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 5590a49e2..8fcf92c3f 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -1567,7 +1567,6 @@ curlPost(wrkrInstanceData_t *pWrkrData, uchar *message, int msglen, uchar **tpls
+ 
+ 	PTR_ASSERT_SET_TYPE(pWrkrData, WRKR_DATA_TYPE_ES);
+ 
+-	pWrkrData->replyLen = 0;
+ 	if ((pWrkrData->pData->rebindInterval > -1) &&
+ 		(pWrkrData->nOperations > pWrkrData->pData->rebindInterval)) {
+ 		curl_easy_setopt(curl, CURLOPT_FRESH_CONNECT, 1);
+@@ -1588,6 +1587,7 @@ curlPost(wrkrInstanceData_t *pWrkrData, uchar *message, int msglen, uchar **tpls
+ 		/* needs to be called to support ES HA feature */
+ 		CHKiRet(checkConn(pWrkrData));
+ 	}
++	pWrkrData->replyLen = 0;
+ 	CHKiRet(setPostURL(pWrkrData, tpls));
+ 
+ 	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char *)message);
+-- 
+2.23.0
+

backport-omfwd-bugfix-segfault-or-error-if-port-not-given.patch

@@ -0,0 +1,36 @@
+From 4529fa02b674f689d1cbc6925663824ea6882a15 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Mon, 15 Feb 2021 09:05:05 +0100
+Subject: [PATCH] omfwd bugfix: segfault or error if port not given
+ If omfwd is configured via RainerScript config format and the "port"
+parameter is not given, a segfault will most likely happen on
+connection establishment for TCP connections. For UDP, this is
+usually not the case.
+ Alternatively, in any case, errors may happen.
+ Note that the segfault will usually happen right on restart so this
+was easy to detect.
+ We did not receive reports from practice. Instead, we found the bug
+while conducting other work.
+trust merge open source commit:4529fa02b674f689d1cbc6925663824ea6882a15
+
+---
+ tools/omfwd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+ diff --git a/tools/omfwd.c b/tools/omfwd.c
+index 1304f43f3..5a210444e 100644
+--- a/tools/omfwd.c
++++ b/tools/omfwd.c
+@@ -1336,6 +1336,11 @@ CODESTARTnewActInst
+ 		}
+ 	}
+ 
++	/* check if no port is set. If so, we use the IANA-assigned port of 514 */
++	if(pData->port == NULL) {
++		CHKmalloc(pData->port = strdup("514"));
++	}
++
+ 	if(complevel != -1) {
+ 		pData->compressionLevel = complevel;
+ 		if(pData->compressionMode == COMPRESS_NEVER) {
+-- 
+2.23.0

backport-openssl-network-driver-bugfix-small-memory-leak.patch

@@ -0,0 +1,41 @@
+From ad08ed2634fa8be1d07312966803fd156038578d Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Thu, 8 Jul 2021 14:30:50 +0200
+Subject: [PATCH] openssl network driver bugfix: small memory leak
+ Fixes a static, non-growing memory leak which existed when parameter
+"GnutTLSPriorityString" was used. This was primarily a cosmetic issue,
+but caused some grief during development in regard to memory leak
+detectors.
+ Note: yes, this is for openssl -- the parameter name is history ;-)
+trust merge open source commit:ad08ed2634fa8be1d07312966803fd156038578d
+
+---
+ runtime/nsd_ossl.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+ diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index d6188db23..8fff75338 100644
+--- a/runtime/nsd_ossl.c
++++ b/runtime/nsd_ossl.c
+@@ -1785,11 +1785,8 @@ finalize_it:
+ }
+ 
+ 
+-/* Empty wrapper for GNUTLS helper function
+- * TODO: implement a similar capability
+- */
+ static rsRetVal
+-SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unused)) uchar *gnutlsPriorityString)
++SetGnutlsPriorityString(nsd_t *const pNsd, uchar *const gnutlsPriorityString)
+ {
+ 	DEFiRet;
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+@@ -1869,6 +1866,7 @@ SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unus
+ 						pThis->gnutlsPriorityString);
+ 				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ 			}
++			SSL_CONF_CTX_free(cctx);
+ 		}
+ #else
+ 		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+-- 
+2.23.0

backport-tcp-subsystem-fix-cosmetic-memory-leak-on-shutdown.patch

@@ -0,0 +1,38 @@
+From c6cdf972e5cf1691a6dadb50ce0402257271bc78 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Thu, 1 Jul 2021 14:24:50 +0200
+Subject: [PATCH] tcp subsystem: fix cosmetic memory leak on shutdown
+ Memory for config parameter was not free'd on rsyslog shutdown. This had
+no real consequence, but caused memleak alerts during development.
+trust merge open source commit:c6cdf972e5cf1691a6dadb50ce0402257271bc78
+
+---
+ plugins/imtcp/imtcp.c | 1 +
+ tools/omfwd.c         | 1 +
+ 2 files changed, 2 insertions(+)
+ diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index f1478dc15..63d4a0d51 100644
+--- a/plugins/imtcp/imtcp.c
++++ b/plugins/imtcp/imtcp.c
+@@ -707,6 +707,7 @@ BEGINfreeCnf
+ CODESTARTfreeCnf
+ 	free(pModConf->pszStrmDrvrName);
+ 	free(pModConf->pszStrmDrvrAuthMode);
++	free(pModConf->gnutlsPriorityString);
+ 	free(pModConf->pszStrmDrvrPermitExpiredCerts);
+ 	if(pModConf->permittedPeers != NULL) {
+ 		cnfarrayContentDestruct(pModConf->permittedPeers);
+diff --git a/tools/omfwd.c b/tools/omfwd.c
+index 5a210444e..1131268d4 100644
+--- a/tools/omfwd.c
++++ b/tools/omfwd.c
+@@ -405,6 +405,7 @@ CODESTARTfreeInstance
+ 	free(pData->pszStrmDrvr);
+ 	free(pData->pszStrmDrvrAuthMode);
+ 	free(pData->pszStrmDrvrPermitExpiredCerts);
++	free(pData->gnutlsPriorityString);
+ 	free(pData->port);
+ 	free(pData->networkNamespace);
+ 	free(pData->target);
+-- 
+2.23.0

backport-tcpsrv-bugfix-abort-if-no-listener-could-be-started.patch

@@ -0,0 +1,58 @@
+From 3d23c7ac8aea5e1ac0118978d457aa7819531879 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Wed, 7 Jul 2021 13:16:28 +0200
+Subject: [PATCH] tcpsrv bugfix: abort if no listener could be started
+ Modules (like imtcp and imdiag) which use tcpsrv could abort or
+otherwise malfunction if no listener for a specific input could
+be started.
+ Found during implementing a new feature, no report from practice.
+But could very well happen.
+trust merge open source commit:3d23c7ac8aea5e1ac0118978d457aa7819531879
+
+---
+ plugins/imdiag/imdiag.c | 1 +
+ plugins/imtcp/imtcp.c   | 1 +
+ runtime/tcpsrv.c        | 5 +++++
+ 3 files changed, 7 insertions(+)
+ diff --git a/plugins/imdiag/imdiag.c b/plugins/imdiag/imdiag.c
+index 3e27ee4d3..f5662e894 100644
+--- a/plugins/imdiag/imdiag.c
++++ b/plugins/imdiag/imdiag.c
+@@ -126,6 +126,7 @@ static rsRetVal
+ doOpenLstnSocks(tcpsrv_t *pSrv)
+ {
+ 	ISOBJ_TYPE_assert(pSrv, tcpsrv);
++	dbgprintf("in imdiag doOpenLstnSocks\n");
+ 	return tcpsrv.create_tcp_socket(pSrv);
+ }
+ 
+diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index 63d4a0d51..858f70f1f 100644
+--- a/plugins/imtcp/imtcp.c
++++ b/plugins/imtcp/imtcp.c
+@@ -229,6 +229,7 @@ static rsRetVal
+ doOpenLstnSocks(tcpsrv_t *pSrv)
+ {
+ 	ISOBJ_TYPE_assert(pSrv, tcpsrv);
++	dbgprintf("in imtcp doOpenLstnSocks\n");
+ 	return tcpsrv.create_tcp_socket(pSrv);
+ }
+ 
+diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
+index baa8892d8..2b6bea252 100644
+--- a/runtime/tcpsrv.c
++++ b/runtime/tcpsrv.c
+@@ -926,6 +926,11 @@ Run(tcpsrv_t *pThis)
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 
++	if(pThis->iLstnCurr == 0) {
++		dbgprintf("tcpsrv: no listeneres at all (probably init error), terminating\n");
++		RETiRet; /* somewhat "dirty" exit to avoid issue with cancel handler */
++	}
++
+ 	/* check if we need to start the worker pool. Once it is running, all is
+ 	 * well. Shutdown is done on modExit.
+ 	 */
+-- 
+2.23.0

backport-tcpsrv-bugfix-potential-sluggishnes-and-hang-on-shut.patch

@@ -0,0 +1,35 @@
+From b160813f8296397fb971e4aef9faf7f903a3bb7f Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Tue, 27 Apr 2021 08:27:34 +0200
+Subject: [PATCH] tcpsrv bugfix: potential sluggishnes and hang on shutdown
+ tcpsrv is used by multiple other modules (imtcp, imdiag, imgssapi, and,
+in theory, also others - even ones we do not know about). However, the
+internal synchornization did not properly take multiple tcpsrv users
+in consideration.
+ As such, a single user could hang under some circumstances. This was
+caused by improperly awaking all users from a pthread condition wait.
+That in turn could lead to some sluggish behaviour and, in rare cases,
+a hang at shutdown.
+ Note: it was highly unlikely to experience real problems with the
+officially provided modules.
+ This patch corrects the situation.
+trust merge open source commit:b160813f8296397fb971e4aef9faf7f903a3bb7f
+
+---
+ runtime/tcpsrv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
+index 2f16677b0..baa8892d8 100644
+--- a/runtime/tcpsrv.c
++++ b/runtime/tcpsrv.c
+@@ -711,7 +711,7 @@ wrkr(void *const myself)
+ 		pthread_mutex_lock(&wrkrMut);
+ 		me->pSrv = NULL;	/* indicate we are free again */
+ 		--wrkrRunning;
+-		pthread_cond_signal(&wrkrIdle);
++		pthread_cond_broadcast(&wrkrIdle);
+ 	}
+ 	me->enabled = 0; /* indicate we are no longer available */
+ 	pthread_mutex_unlock(&wrkrMut);
+-- 
+2.23.0

backport-testbench-set-msg-size-to-64kb-for-sndrcv_omudpspoof.patch

@@ -0,0 +1,26 @@
+From 4e5741807e7d237ecfac647bd530fd5e5c970e5d Mon Sep 17 00:00:00 2001
+From: Andre lorbach <alorbach@adiscon.com>
+Date: Mon, 20 Jul 2020 08:35:57 +0200
+Subject: [PATCH] testbench: set msg size to 64kb for
+ sndrcv_omudpspoof-bigmsg.sh test
+
+---
+ tests/sndrcv_omudpspoof-bigmsg.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/sndrcv_omudpspoof-bigmsg.sh b/tests/sndrcv_omudpspoof-bigmsg.sh
+index ee11b0a..6d61793 100755
+--- a/tests/sndrcv_omudpspoof-bigmsg.sh
++++ b/tests/sndrcv_omudpspoof-bigmsg.sh
+@@ -8,7 +8,7 @@ if [ "$EUID" -ne 0 ]; then
+ fi
+ export TCPFLOOD_EXTRA_OPTS="-b1 -W1"
+ export NUMMESSAGES=1
+-export MESSAGESIZE=16384 #65000 #32768 #16384
++export MESSAGESIZE=65000 #65000 #32768 #16384
+ #export RSYSLOG_DEBUG="debug nologfuncflow noprintmutexaction nostdout"
+ #export RSYSLOG_DEBUGLOG="log"
+ 
+-- 
+1.8.3.1
+

backport-testbench-simplify-test-ID-generation-a-bit.patch

@@ -0,0 +1,25 @@
+From 19e80e9e5c8d5cfee8a455a59d076c9ad60844e6 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Tue, 1 Sep 2020 14:33:41 +0200
+Subject: [PATCH] testbench: simplify test ID generation a bit
+
+---
+ tests/diag.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/diag.sh b/tests/diag.sh
+index bc0e408ce..481be9890 100755
+--- a/tests/diag.sh
++++ b/tests/diag.sh
+@@ -2491,7 +2491,7 @@ case $1 in
+ 			echo "hint: was init accidentally called twice?"
+ 			exit 2
+ 		fi
+-		export RSYSLOG_DYNNAME="rstb_$(./test_id $(basename $0))$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 4 | head -n 1)"
++		export RSYSLOG_DYNNAME="rstb_$(./test_id $(basename $0))$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head --bytes 4)"
+ 		export RSYSLOG_OUT_LOG="${RSYSLOG_DYNNAME}.out.log"
+ 		export RSYSLOG2_OUT_LOG="${RSYSLOG_DYNNAME}_2.out.log"
+ 		export RSYSLOG_PIDBASE="${RSYSLOG_DYNNAME}:" # also used by instance 2!
+-- 
+2.23.0
+

bugfix-CVE-2022-24903.patch

@@ -0,0 +1,46 @@
+From 086085772c067616055b3eb3445ee8e50c80ae04 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+Conflict:no introduced imhttp.c
+Reference:https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
+
+---
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c     | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index cdd29d4..e47a7c9 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 58528c8..4170688 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -387,7 +387,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
+-- 
+2.27.0
+

openEuler-print-main-queue-info-to-journal-when-queue-full.patch

@@ -0,0 +1,80 @@
+From 27ee1b988a465e5f89e8a9234f4a01c34cab4387 Mon Sep 17 00:00:00 2001
+From: wangshouping <wangshouping@huawei.com>
+Date: Mon, 27 Apr 2020 08:53:18 -0400
+Subject: [PATCH] print main queue info to journal when queue full
+
+Signed-off-by: wangshouping <wangshouping@huawei.com>
+---
+ runtime/queue.c  | 27 +++++++++++++++++++++++++++
+ 1 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/queue.c b/runtime/queue.c
+index e988e44..9faf5aa 100644
+--- a/runtime/queue.c
++++ b/runtime/queue.c
+@@ -47,6 +47,7 @@
+ #include <errno.h>
+ #include <inttypes.h>
+ #include <sys/vfs.h>
++#include <systemd/sd-journal.h>
+ 
+ #include "rsyslog.h"
+ #include "queue.h"
+@@ -116,6 +117,14 @@ rsRetVal qqueueSetSpoolDir(qqueue_t *pThis, uchar *pszSpoolDir, int lenSpoolDir)
+ /* some constants for queuePersist () */
+ #define QUEUE_CHECKPOINT	1
+ #define QUEUE_NO_CHECKPOINT	0
++#define TIME_OUT		300
++#define TIMEOUT_ENQUEUE_ZERO     1
++#define TIMEOUT_ENQUEUE_NONZERO  2
++
++struct timespec g_lastTime = {
++	.tv_sec = 0,
++	.tv_nsec = 0,
++};
+ 
+ /* tables for interfacing with the v6 config system */
+ static struct cnfparamdescr cnfpdescr[] = {
+@@ -2985,6 +2992,24 @@ finalize_it:
+ 	RETiRet;
+ }
+ 
++void PrintQueueFullLog(qqueue_t *pThis, int flag)
++{
++	struct timespec timeNow;
++
++	clock_gettime(CLOCK_MONOTONIC, &timeNow);
++	if (timeNow.tv_sec - g_lastTime.tv_sec > TIME_OUT) {
++		if (flag == TIMEOUT_ENQUEUE_ZERO) {
++			sd_journal_print(LOG_NOTICE, "doEnqSingleObject: queue FULL - configured for immediate "
++					"discarding QueueSize=%d MaxQueueSize=%d sizeOnDisk=%lld "
++					"sizeOnDiskMax=%lld\n", pThis->iQueueSize, pThis->iMaxQueueSize,
++					pThis->tVars.disk.sizeOnDisk, pThis->sizeOnDiskMax);
++		} else if (flag == TIMEOUT_ENQUEUE_NONZERO) {
++			sd_journal_print(LOG_NOTICE, "doEnqSingleObject: queue FULL, iQueueSize=%d MaxQueueSize=%d - waiting %dms to drain.\n",
++					pThis->iQueueSize, pThis->iMaxQueueSize, pThis->toEnq);
++		}
++		g_lastTime.tv_sec = timeNow.tv_sec;
++	}
++}
+ 
+ /* enqueue a single data object.
+  * Note that the queue mutex MUST already be locked when this function is called.
+@@ -3082,12 +3107,14 @@ doEnqSingleObj(qqueue_t *pThis, flowControl_t flowCtlType, smsg_t *pMsg)
+ 					"discarding QueueSize=%d MaxQueueSize=%d sizeOnDisk=%lld "
+ 					"sizeOnDiskMax=%lld\n", pThis->iQueueSize, pThis->iMaxQueueSize,
+ 					pThis->tVars.disk.sizeOnDisk, pThis->sizeOnDiskMax);
++			PrintQueueFullLog(pThis, TIMEOUT_ENQUEUE_ZERO);
+ 			STATSCOUNTER_INC(pThis->ctrFDscrd, pThis->mutCtrFDscrd);
+ 			msgDestruct(&pMsg);
+ 			ABORT_FINALIZE(RS_RET_QUEUE_FULL);
+ 		} else {
+ 			DBGOPRINT((obj_t*) pThis, "doEnqSingleObject: queue FULL - waiting %dms to drain.\n",
+ 				pThis->toEnq);
++			PrintQueueFullLog(pThis, TIMEOUT_ENQUEUE_NONZERO);
+ 			if(glbl.GetGlobalInputTermState()) {
+ 				DBGOPRINT((obj_t*) pThis, "doEnqSingleObject: queue FULL, discard due to "
+ 					"FORCE_TERM.\n");
+-- 
+2.19.1
+

openEuler-print-main-queue-info-to-journal-when-receive-USR1-signal.patch

@@ -0,0 +1,80 @@
+From 27ee1b988a465e5f89e8a9234f4a01c34cab4387 Mon Sep 17 00:00:00 2001
+From: wangshouping <wangshouping@huawei.com>
+Date: Mon, 27 Apr 2020 08:53:18 -0400
+Subject: [PATCH] print main queue info to journal when receive USR1 signal
+
+Signed-off-by: wangshouping <wangshouping@huawei.com>
+---
+ tools/rsyslogd.c | 19 ++++++++++++++++++-
+ 1 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index 7832693..ad92b20 100644
+--- a/tools/rsyslogd.c
++++ b/tools/rsyslogd.c
+@@ -38,6 +38,7 @@
+ #ifdef HAVE_LIBSYSTEMD
+ #	include <systemd/sd-daemon.h>
+ #endif
++#include <systemd/sd-journal.h>
+ 
+ #include "rsyslog.h"
+ #include "wti.h"
+@@ -181,6 +182,7 @@ void rsyslogdDoDie(int sig);
+ /* global data items */
+ static int bChildDied;
+ static int bHadHUP;
++static int g_bRecordQueue;
+ static int doFork = 1; 	/* fork - run in daemon mode - read-only after startup */
+ int bFinished = 0;	/* used by termination signal handler, read-only except there
+ 			 * is either 0 or the number of the signal that requested the
+@@ -1267,8 +1269,13 @@ rsyslogdDebugSwitch(void)
+ 		dbgprintf("\n");
+ 		debugging_on = 0;
+ 	}
++
+ }
+ 
++static void RsyslogdDebugQueue(void)
++{
++	g_bRecordQueue = 1;
++}
+ 
+ /* This is the main entry point into rsyslogd. Over time, we should try to
+  * modularize it a bit more...
+@@ -1616,7 +1623,7 @@ initAll(int argc, char **argv)
+ 		hdlr_enable(SIGINT,  rsyslogdDoDie);
+ 		hdlr_enable(SIGQUIT, rsyslogdDoDie);
+ 	} else {
+-		hdlr_enable(SIGUSR1, SIG_IGN);
++		hdlr_enable(SIGUSR1, RsyslogdDebugQueue);
+ 		hdlr_enable(SIGINT,  SIG_IGN);
+ 		hdlr_enable(SIGQUIT, SIG_IGN);
+ 	}
+@@ -1953,6 +1960,7 @@ mainloop(void)
+ 	sigaddset(&sigblockset, SIGTERM);
+ 	sigaddset(&sigblockset, SIGCHLD);
+ 	sigaddset(&sigblockset, SIGHUP);
++	sigaddset(&sigblockset, SIGUSR1);
+ 
+ 	do {
+ 		processImInternal();
+@@ -1967,6 +1975,15 @@ mainloop(void)
+ 			doHUP();
+ 			bHadHUP = 0;
+ 		}
++		if (g_bRecordQueue) {
++			if (pMsgQueue != NULL) {
++				sd_journal_print(LOG_NOTICE, "main queue size information: current QueueSize=%d MaxQueueSize=%d\n",
++						pMsgQueue->iQueueSize, pMsgQueue->iMaxQueueSize);
++			} else {
++				sd_journal_print(LOG_NOTICE, "main queue size information: pMsgQueue is NULL!\n");
++			}
++			g_bRecordQueue = 0;
++		}
+ 
+ 		if(bFinished)
+ 			break;	/* exit as quickly as possible */
+-- 
+2.19.1
+

openEuler-rsyslog.service.in-create-PID-file.patch

@@ -0,0 +1,30 @@
+From 540fea48c4fb300b8ec5ebe9a37387460264efef Mon Sep 17 00:00:00 2001
+From: wangshouping <wangshouping@huawei.com>
+Date: Thu, 5 Mar 2020 21:55:21 -0500
+Subject: [PATCH] rsyslog.service.in: create PID file
+
+Signed-off-by: wangshouping <wangshouping@huawei.com>
+---
+ rsyslog.service.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/rsyslog.service.in b/rsyslog.service.in
+index b761ae5..2fd89b0 100644
+--- a/rsyslog.service.in
++++ b/rsyslog.service.in
+@@ -6,7 +6,11 @@ Documentation=https://www.rsyslog.com/doc/
+ 
+ [Service]
+ Type=notify
+-ExecStart=@sbindir@/rsyslogd -n -iNONE
++ExecStart=@sbindir@/rsyslogd -n -i/var/run/rsyslogd.pid
++ExecStartPost=/bin/bash /usr/bin/timezone_update.sh
++UMask=0066
++StartLimitBurst=100
++RestartSec=1s
+ StandardOutput=null
+ Restart=on-failure
+ 
+-- 
+2.19.1
+

rsyslog-8.37.0-initialize-variables-and-check-return-value.patch

@@ -57,19 +57,6 @@ index 3a93b37..1656de7 100644
  	}else
  	       /* submit message */
  	       enqMsg((uchar *)message, (uchar *) sys_iden_help, facility, severity, &tv, json, 0);
-diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
-index 6b531b1..7832693 100644
---- a/tools/rsyslogd.c
-+++ b/tools/rsyslogd.c
-@@ -266,7 +266,7 @@ static rsRetVal
- writePidFile(void)
- {
- 	FILE *fp;
--	int fd;
-+	int fd = -1;
- 	DEFiRet;
- 
- 	const char *tmpPidFile;
 -- 
 2.19.1
 

rsyslog.spec

@@ -4,7 +4,7 @@
 
 Name:           rsyslog
 Version:        8.2006.0
-Release:        4
+Release:        8
 Summary:        The rocket-fast system for log processing
 License:        (GPLv3+ and ASL 2.0)
 URL:            http://www.rsyslog.com/
@@ -16,12 +16,45 @@ Source4:        rsyslog.log
 Source5:        os_rotate_and_save_log.sh
 Source6:        os_check_timezone_for_rsyslog.sh
 Source7:        timezone.cron
+Source8:        timezone_update.sh
+
+Patch6000:      backport-testbench-set-msg-size-to-64kb-for-sndrcv_omudpspoof.patch
+Patch6001:      backport-FIX-IMUDP-add-missing-free-during-freeCnf.patch
+Patch6002:      backport-gnutls-Propagate-CheckExtendedKeyPurpose-when-accept.patch
+Patch6003:      backport-Add-max-sessions-for-imptcp.c-similar-to-imtcp.c.patch
+Patch6004:      backport-omelasticsearch-Fix-reply-buffer-reset-after-health-.patch
+Patch6005:      backport-config-bugfix-intended-warning-emitted-as-error.patch
+Patch6006:      backport-core-bugfix-segfault-if-disk-queue-file-cannot-be-cr.patch
+Patch6007:      backport-imtcp-bugfix-broken-connection-not-necessariy-detect.patch
+Patch6008:      backport-core-bugfix-potential-segfault-on-querey-of-PROGRAMN.patch
+Patch6009:      backport-Replaced-eCmdHdlrPositiveInt-with-eCmdHdlrNonNegInt-.patch
+Patch6010:      backport-Replace-GNUTLS_SHUT_RDWR-by-GNUTLS_SHUT_WR-when-endi.patch
+Patch6011:      backport-core-network-obey-net.enableDNS-off-when-querying-lo.patch
+Patch6012:      backport-Do-not-create-empty-objects-when-accessing-non-exist.patch
+Patch6013:      backport-gnutls-Added-handshake-error-handling-into-doRetry-h.patch
+Patch6014:      backport-msg-segfault-in-jsonPathFindNext-when-root-is-not-an.patch
+Patch6015:      backport-msg-memory-leak-in-msgAddJSON-if-jsonPathFindParent-.patch
+Patch6016:      backport-testbench-simplify-test-ID-generation-a-bit.patch
+Patch6017:      backport-lookup-table-bugfix-data-race-on-lookup-table-reload.patch
+Patch6018:      backport-omfwd-bugfix-segfault-or-error-if-port-not-given.patch
+Patch6019:      backport-imjournal-flush-buffer-before-fsync.patch
+Patch6020:      backport-OMMONGODB-Fixes.patch
+Patch6021:      backport-openssl-network-driver-bugfix-small-memory-leak.patch
+Patch6022:      backport-tcpsrv-bugfix-abort-if-no-listener-could-be-started.patch
+Patch6023:      backport-tcpsrv-bugfix-potential-sluggishnes-and-hang-on-shut.patch
+Patch6024:      backport-tcp-subsystem-fix-cosmetic-memory-leak-on-shutdown.patch
+Patch6025:      backport-imptcp-bugfix-keep-alive-interval-was-incorrectly-set.patch
+Patch6026:      backport-imfile-bugfix-hash-char-invalidly-added-in-readmode-0.patch
+Patch6027:      backport-Close-file-descriptor-when-freshStartTail-is-turned-on.patch
+Patch6028:	bugfix-CVE-2022-24903.patch
 
 Patch9000:      rsyslog-8.24.0-ensure-parent-dir-exists-when-writting-log-file.patch
 Patch9001:      bugfix-rsyslog-7.4.7-imjournal-add-monotonic-timestamp.patch
 Patch9002:      bugfix-rsyslog-7.4.7-add-configuration-to-avoid-memory-leak.patch
-Patch9003:      rsyslog-8.24.0-set-permission-of-syslogd-dot-pid-to-0644.patch
 Patch9004:      rsyslog-8.37.0-initialize-variables-and-check-return-value.patch
+Patch9005:      openEuler-rsyslog.service.in-create-PID-file.patch
+Patch9006:      openEuler-print-main-queue-info-to-journal-when-queue-full.patch
+Patch9007:      openEuler-print-main-queue-info-to-journal-when-receive-USR1-signal.patch
 
 BuildRequires:  gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool
 BuildRequires:  libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel
@@ -226,6 +259,7 @@ mkdir -p $RPM_BUILD_ROOT/etc/cron.d/
 install -m 0600 %{_sourcedir}/timezone.cron $RPM_BUILD_ROOT/etc/cron.d/
 install -m 0500 %{SOURCE5} $RPM_BUILD_ROOT%{_bindir}/os_rotate_and_save_log.sh
 install -m 0500 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/os_check_timezone_for_rsyslog.sh
+install -m 0500 %{SOURCE8} $RPM_BUILD_ROOT%{_bindir}/timezone_update.sh
 
 cp -r doc/* $RPM_BUILD_ROOT%{rsyslog_docdir}/html
 
@@ -242,6 +276,7 @@ do
 	umask 066 && touch $n
 done
 %systemd_post rsyslog.service
+systemctl daemon-reload >/dev/null 2>&1
 
 %preun
 %systemd_preun rsyslog.service
@@ -265,6 +300,7 @@ done
 %{_sbindir}/rsyslogd
 %attr(500,root,root) %{_bindir}/os_rotate_and_save_log.sh
 %attr(500,root,root) %{_bindir}/os_check_timezone_for_rsyslog.sh
+%attr(500,root,root) %{_bindir}/timezone_update.sh
 /etc/cron.d/timezone.cron
 %{_unitdir}/rsyslog.service
 %config(noreplace) %{_sysconfdir}/rsyslog.conf
@@ -356,6 +392,24 @@ done
 %{_mandir}/man1/rscryutil.1.gz
 
 %changelog
+* Mon May 23 2022 zhanghaolian <zhanghaolian@huawei.com> - 8.2006.0-8
+- DESC:fix CVE-2022-24903
+
+* Thu Sep 16 2021 wuchaochao <wuchaochao4@huawei.com> - 8.2006.0-7
+- backport patches from upstream
+
+* Mon May 10 2021 shixuantong <shixuantong@huawei.com> - 8.2006.0-6
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:add timezone_update.sh to Source8 and update patch
+
+* Fri Jan 15 2020 shangyibin<shangyibin1@huawei.com> - 8.2006.0-5
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:patch round repair.
+
 * Fri Jan 8 2020 shangyibin<shangyibin1@huawei.com> - 8.2006.0-4
 - Type:NA
 - ID:NA

timezone_update.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+umask 0066
+/usr/bin/date +%Z%z > /etc/localtime_tmp