diff options
| -rw-r--r-- | valkey-bindnow.patch | 51 | ||||
| -rw-r--r-- | valkey.spec | 10 |
2 files changed, 60 insertions, 1 deletions
diff --git a/valkey-bindnow.patch b/valkey-bindnow.patch new file mode 100644 index 0000000..9a1bede --- /dev/null +++ b/valkey-bindnow.patch @@ -0,0 +1,51 @@ +Adapted for 9.0.3 from + + +From 8051de740dd38172476b04e892e5517630e3eaed Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 11 Mar 2026 11:40:15 +0100 +Subject: [PATCH] Inherit LDFLAGS for TLS and RDMA modules (#3344) + +With current Makefile, `LDFLAGS` are not used for modules. + +This results in security options not applied. + +``` +$ annocheck /usr/lib64/valkey/modules/rdma.so +annocheck: Version 12.99. +Hardened: rdma.so: FAIL: bind-now test because not linked with -Wl,-z,now +Hardened: Rerun annocheck with --verbose to see more information on the tests. +Hardened: rdma.so: Overall: FAIL. +``` + +With this patch + +``` +$ annocheck /usr/lib64/valkey/modules/rdma.so +annocheck: Version 12.99. +Hardened: rdma.so: PASS. +``` + +Signed-off-by: Remi Collet <remi@remirepo.net> +--- + src/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index eb4a6e939a..5d3814d019 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -524,11 +524,11 @@ $(ENGINE_CHECK_AOF_NAME): $(SERVER_NAME) + + # valkey-tls.so + $(TLS_MODULE_NAME): $(SERVER_NAME) +- $(QUIET_CC)$(CC) -o $@ tls.c -shared -fPIC $(TLS_MODULE_CFLAGS) $(TLS_CLIENT_LIBS) ++ $(QUIET_CC)$(CC) $(LDFLAGS) -o $@ tls.c -shared -fPIC $(TLS_MODULE_CFLAGS) $(TLS_CLIENT_LIBS) + + # valkey-rdma.so + $(RDMA_MODULE_NAME): $(SERVER_NAME) +- $(QUIET_CC)$(CC) -o $@ rdma.c -shared -fPIC $(RDMA_MODULE_CFLAGS) ++ $(QUIET_CC)$(CC) $(LDFLAGS) -o $@ rdma.c -shared -fPIC $(RDMA_MODULE_CFLAGS) + + # valkey-cli + $(ENGINE_CLI_NAME): $(ENGINE_CLI_OBJ) diff --git a/valkey.spec b/valkey.spec index b0bd210..859c981 100644 --- a/valkey.spec +++ b/valkey.spec @@ -12,7 +12,7 @@ Name: valkey Version: %{upstream_version}%{?upstream_prever:~%{upstream_prever}} -Release: 1%{?dist} +Release: 2%{?dist} Summary: A persistent key-value database # valkey: BSD-3-Clause # libvalkey: BSD-3-Clause @@ -33,6 +33,9 @@ Source50: https://github.com/valkey-io/%{name}-doc/archive/%{doc_versio Patch0: %{name}-conf.patch # Workaround to https://github.com/valkey-io/valkey/issues/2678 Patch1: %{name}-loadmod.patch +# Properly inherits linker flags for modules +# See https://github.com/valkey-io/valkey/pull/3344 +Patch2: %{name}-bindnow.patch ExcludeArch: %{ix86} @@ -146,6 +149,7 @@ See https://valkey.io/topics/RDMA/ %setup -qn %{name}-%{upstream_version}%{?upstream_prever:-%{upstream_prever}} -a50 %patch -P0 -p1 -b .rpm %patch -P1 -p1 -b .loadmod +%patch -P2 -p1 -b .bindnow mv deps/lua/COPYRIGHT COPYRIGHT-lua mv deps/jemalloc/COPYING COPYING-jemalloc @@ -340,6 +344,10 @@ exit 0 %changelog +* Wed Mar 11 2026 Remi Collet <remi@remirepo.net> - 9.0.3-2 +- fix module linker flags using patch from + https://github.com/valkey-io/valkey/pull/3344 + * Tue Feb 24 2026 Remi Collet <remi@remirepo.net> - 9.0.3-1 - Valkey 9.0.3 - February 23, 2026 - Upgrade urgency SECURITY: This release includes security fixes |