From 59e8f9c5c7b2c0072e2d0009a907b9af2c0f40ba Mon Sep 17 00:00:00 2001
From: Ben Cotton <bcotton@fedoraproject.org>
Date: Sep 05 2019 13:55:27 +0000
Subject: Default to only listening on localhost.


Fixes RHBZ 1749190 (CVE-2019-14511)

---

diff --git a/listen_local.patch b/listen_local.patch
new file mode 100644
index 0000000..46a1342
--- /dev/null
+++ b/listen_local.patch
@@ -0,0 +1,26 @@
+--- sphinx-2.2.11-release-orig/sphinx.conf.in	2019-09-05 08:57:23.608395395 -0400
++++ sphinx-2.2.11-release/sphinx.conf.in	2019-09-05 08:56:43.568117907 -0400
+@@ -810,8 +810,8 @@
+ 	# listen			= 192.168.0.1:9312
+ 	# listen			= 9312
+ 	# listen			= /var/run/searchd.sock
+-	listen			= 9312
+-	listen			= 9306:mysql41
++	listen			= 127.0.0.1:9312
++	listen			= 127.0.0.1:9306:mysql41
+ 
+ 	# log file, searchd run info is logged here
+ 	# optional, default is 'searchd.log'
+--- sphinx-2.2.11-release-orig/sphinx-min.conf.in	2019-09-05 08:59:14.851388059 -0400
++++ sphinx-2.2.11-release/sphinx-min.conf.in	2019-09-05 08:59:44.248857589 -0400
+@@ -49,8 +49,8 @@
+ 
+ searchd
+ {
+-	listen			= 9312
+-	listen			= 9306:mysql41
++	listen			= 127.0.0.1:9312
++	listen			= 127.0.0.1:9306:mysql41
+ 	log			= @CONFDIR@/log/searchd.log
+ 	query_log		= @CONFDIR@/log/query.log
+ 	read_timeout		= 5
diff --git a/sphinx-2.0.3-default_listen.patch b/sphinx-2.0.3-default_listen.patch
deleted file mode 100644
index 07b602d..0000000
--- a/sphinx-2.0.3-default_listen.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -r -U3 sphinx-2.0.3-release.orig/sphinx.conf.in sphinx-2.0.3-release/sphinx.conf.in
---- sphinx-2.0.3-release.orig/sphinx.conf.in	2011-04-18 09:39:40.000000000 -0500
-+++ sphinx-2.0.3-release/sphinx.conf.in	2012-02-14 13:49:19.660872549 -0600
-@@ -716,7 +716,7 @@
- 	# listen			= 192.168.0.1:9312
- 	# listen			= 9312
- 	# listen			= /var/run/searchd.sock
--	listen			= 9312
-+        listen                  = 127.0.0.1:9312
- 	listen			= 9306:mysql41
- 
- 	# log file, searchd run info is logged here
-diff -r -U3 sphinx-2.0.3-release.orig/sphinx-min.conf.in sphinx-2.0.3-release/sphinx-min.conf.in
---- sphinx-2.0.3-release.orig/sphinx-min.conf.in	2011-04-18 09:39:40.000000000 -0500
-+++ sphinx-2.0.3-release/sphinx-min.conf.in	2012-02-14 13:49:55.682449012 -0600
-@@ -54,7 +54,7 @@
- 
- searchd
- {
--	listen			= 9312
-+        listen                  = 127.0.0.1:9312
- 	listen			= 9306:mysql41
- 	log			= @CONFDIR@/log/searchd.log
- 	query_log		= @CONFDIR@/log/query.log
diff --git a/sphinx.spec b/sphinx.spec
index 0a1472d..712c3b0 100644
--- a/sphinx.spec
+++ b/sphinx.spec
@@ -13,7 +13,7 @@
 
 Name:		sphinx
 Version:	2.2.11
-Release:	11%{?dist}
+Release:	12%{?dist}
 Summary:	Free open-source SQL full-text search engine
 License:	GPLv2+
 URL:		http://sphinxsearch.com
@@ -21,7 +21,7 @@ URL:		http://sphinxsearch.com
 Source0:	http://sphinxsearch.com/files/%{name}-%{version}-release.tar.gz
 Source1:	searchd.service
 Patch0:		%{name}-2.0.3-fix_static.patch
-Patch1:		%{name}-2.0.3-default_listen.patch
+Patch1:		listen_local.patch
 
 BuildRequires:  gcc gcc-c++
 BuildRequires:	expat-devel
@@ -281,6 +281,9 @@ chown -R %{sphinx_user}:root %{_localstatedir}/lib/%{name}/
 %{_datadir}/php/*
 
 %changelog
+* Thu Sep 05 2019 Ben Cotton <bcotton@fedoraproject.org> - 2.2.11-12
+- Listen only on localhost (CVE-2019-14511, rhbz#1749190)
+
 * Thu Feb 14 2019 Orion Poplawski <orion@nwra.com> - 2.2.11-11
 - Revert incorrect use of _tmpfiledir rhbx#1551735