Bug 32570

Summary: Haproxy subversion update
Product: Mageia Reporter: Raphael Gertz <mageia>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, mageia, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: haproxy-2.8.3-9.mga9.src.rpm CVE:
Status comment: will be fixed upstream in 2.8.4

Description Raphael Gertz 2023-11-25 16:09:34 CET 
Description of problem:
Haproxy is in version 2.8.3 in mageia version while 2.8.4 version is available with one major, few medium and few minor security updates for 2.8 branch.

Changelog there:
http://www.haproxy.org/download/2.8/src/CHANGELOG

Last version of 2.8 branch has a lot of fixed minor, medium and major bugs, we should update.

A patch adding 4096 bytes buffer on stdout was added as well to improve logs perfomances.

Fixed bug changelog:
2023/11/17 : 2.8.4
    - BUILD: bug: make BUG_ON() void to avoid a rare warning
    - BUG/MINOR: quic: Leak of frames to send.
    - BUG/MINOR: quic: Wrong cluster secret initialization
    - MINOR: quic: QUIC openssl wrapper implementation
    - MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header
    - MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT
    - MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
    - MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
    - MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
    - MINOR: quic: Export some KDF functions (QUIC-TLS)
    - MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
    - MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
    - MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
    - MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
    - MINOR: quic: Add "limited-quic" new tuning setting
    - DOC: quic: Add "limited-quic" new tuning setting
    - BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
    - MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
    - MINOR: quic+openssl_compat: Do not start without "limited-quic"
    - MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
    - BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help
    - BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
    - BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
    - BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
    - MINOR: hlua: add hlua_stream_ctx_prepare helper function
    - BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
    - Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
    - CI: musl: highlight section if there are coredumps
    - CI: musl: drop shopt in workflow invocation
    - BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
    - BUG/MINOR: hlua/init: coroutine may not resume itself
    - BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
    - BUG/MINOR: promex: fix backend_agg_check_status
    - BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
    - BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
    - BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
    - BUG/MINOR: server: add missing free for server->rdr_pfx
    - MINOR: pattern: fix pat_{parse,match}_ip() function comments
    - BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
    - BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
    - BUG/MEDIUM: actions: always apply a longest match on prefix lookup
    - BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed
    - BUG/MEDIUM: http-ana: Try to handle response before handling server abort
    - MINOR: hlua: Set context's appctx when the lua socket is created
    - MINOR: hlua: Don't preform operations on a not connected socket
    - MINOR: hlua: Save the lua socket's timeout in its context
    - MINOR: hlua: Save the lua socket's server in its context
    - MINOR: hlua: Test the hlua struct first when the lua socket is connecting
    - BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
    - BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
    - BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
    - BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
    - BUG/MINOR: hq-interop: simplify parser requirement
    - BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
    - BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos
    - BUG/MINOR: quic: reject packet with no frame
    - BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream
    - BUG/MINOR: mux-quic: support initial 0 max-stream-data
    - BUG/MINOR: h3: strengthen host/authority header parsing
    - BUG/MINOR: mux-quic: fix free on qcs-new fail alloc
    - BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash
    - BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request
    - BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
    - BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
    - BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again
    - BUG/MINOR: trace: fix trace parser error reporting
    - BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task
    - BUG/MEDIUM: peers: Fix synchro for huge number of tables
    - BUG/MINOR: mux-h2: commit the current stream ID even on reject
    - BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
    - DOC: internal: filters: fix reference to entities.pdf
    - BUG/MINOR: ssl: load correctly @system-ca when ca-base is define
    - MINOR: lua: Add flags to configure logging behaviour
    - DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
    - MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
    - BUG/MEDIUM: server: "proto" not working for dynamic servers
    - BUG/MINOR: quic: do not consider idle timeout on CLOSING state
    - BUG/MINOR: ssl: use a thread-safe sslconns increment
    - MINOR: frontend: implement a dedicated actconn increment function
    - MEDIUM: quic: count quic_conn instance for maxconn
    - MEDIUM: quic: count quic_conn for global sslconns
    - BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
    - BUG/MINOR: mux-quic: fix early close if unset client timeout
    - BUG/MEDIUM: ssl: segfault when cipher is NULL
    - BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
    - BUG/MINOR: stktable: missing free in parse_stick_table()
    - BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
    - BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
    - BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot epxire
    - BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()
    - BUG/MINOR: stconn: Sanitize report for read activity
    - CLEANUP: htx: Properly indent htx_reserve_max_data() function
    - BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure
    - BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure
    - BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
    - BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
    - BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period
    - BUG/MEDIUM: pool: fix releasable pool calculation when overloaded
    - BUG/MINOR: quic: idle timer task requeued in the past
    - BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree
    - BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
    - BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures
    - BUG/MEDIUM: stconn: Don't update stream expiration date if already expired
    - DOC: management: -q is quiet all the time
    - BUG/MINOR: quic: fix retry token check inconsistency
    - DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
    - BUG/MEDIUM: applet: Remove appctx from buffer wait list on release
    - BUG/MINOR: sink: don't learn srv port from srv addr
    - DOC: quic: Wrong syntax for "quic-cc-algo" keyword.
    - BUG/MEDIUM: connection: report connection errors even when no mux is installed
    - BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
    - MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
    - MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads
    - BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
    - REGTESTS: http: Improve script testing abortonclose option
    - BUG/MEDIUM: stconn: Report a send activity everytime data were sent
    - BUG/MEDIUM: applet: Report a send activity everytime data were sent
    - BUG/MEDIUM: mworker: set the master variable earlier
    - BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
    - BUG/MEDIUM: stconn: Update fsb date on partial sends
    - MINOR: htx: Use a macro for overhead induced by HTX
    - MINOR: channel: Add functions to get info on buffers and deal with HTX streams
    - BUG/MINOR: stconn: Fix streamer detection for HTX streams
    - BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer
    - BUG/MINOR: stconn/applet: Report send activity only if there was output data
    - BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends

Version-Release number of selected component (if applicable):
2.8.3

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Comment 1 Raphael Gertz 2023-11-25 16:24:34 CET 
Haproxy has fixed issues in last upstream version 2.8.4 of branch 2.8.

Impacted mga9 & cauldron.

Suggested advisory:
========================
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
   core:
     - haproxy-2.8.4-1.mga9
description: |
  Haproxy has a major, few medium and few minor bugs fixed in last upstream
  version 2.8.4 of branch 2.8

  Add a 4096 bytes buffer on stdout to improve access log performances.

  Fixed major bug list:
  - mux-h2: Report a protocol error for any DATA frame before headers

  Fixed medium bug list:
  - hlua: streams don't support mixing lua-load with lua-load-per-thread
  - Revert quic: missing check of dcid for init pkt including a token"
  - hlua: don't pass stale nargs argument to lua_resume()
  - mux-fcgi: Don't swap trash and dbuf when handling STDERR records
  - master/cli: Pin the master CLI on the first thread of the group 1
  - server/cli: don't delete a dynamic server that has streams
  - actions: always apply a longest match on prefix lookup
  - quic_conn: let the scheduler kill the task when needed
  - http-ana: Try to handle response before handling server abort
  - hlua: Initialize appctx used by a lua socket on connect only
  - h1: Ignore C-L value in the H1 parser if T-E is also set
  - stconn: Fix comparison sign in sc_need_room()
  - mux-quic: fix RESET_STREAM on send-only stream
  - quic-conn: free unsent frames on retransmit to prevent crash
  - mux-h2: Don't report an error on shutr if a shutw is pending
  - peers: Be sure to always refresh recconnect timer in sync task
  - peers: Fix synchro for huge number of tables
  - server: "proto" not working for dynamic servers
  - quic: count quic_conn instance for maxconn
  - quic: count quic_conn for global sslconns
  - ssl: segfault when cipher is NULL
  - pattern: don't trim pools under lock in pat_ref_purge_range()
  - stconn: Don't report rcv/snd expiration date if SC cannot epxire
  - Don't apply a max value on room_needed in sc_need_room()
  - quic: fix actconn on quic_conn alloc failure
  - quic: fix sslconns on quic_conn alloc failure
  - freq-ctr: Don't report overshoot for long inactivity period
  - pool: fix releasable pool calculation when overloaded
  - quic: Avoid trying to send ACK frames from an empty ack ranges tree
  - quic: Possible crashes when sending too short Initial packets
  - quic: Avoid some crashes upon TX packet allocation failures
  - stconn: Don't update stream expiration date if already expired
  - applet: Remove appctx from buffer wait list on release
  - connection: report connection errors even when no mux is installed
  - mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads
  - stream: Properly handle abortonclose when set on backend only
  - stconn: Report a send activity everytime data were sent
  - applet: Report a send activity everytime data were sent
  - mworker: set the master variable earlier
  - stream: Don't call mux .ctl() callback if not implemented
  - stconn: Update fsb date on partial sends

references:
 - https://bugs.mageia.org/show_bug.cgi?id=32570
 - https://www.haproxy.org/download/2.8/src/CHANGELOG

Keywords: (none) => advisory
Status comment: (none) => will be fixed upstream in 2.8.4

Comment 2 Raphael Gertz 2023-11-25 16:32:10 CET 
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Sat 2023-11-25 XX:XX:XX CET; Xmin ago
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 23.1M
        CPU: Xmin Xs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Sat, 25 Nov 2023 14:27:39 GMT
content-type: text/html; charset=UTF-8

Status: NEW => ASSIGNED
CC: (none) => mageia, mageia
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2023-11-27 02:16:37 CET 
Used http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/32570/application/0 to get the list of rpms to test:

haproxy-2.8.4-1.mga9.x86_64.rpm
haproxy-noquic-2.8.4-1.mga9.x86_64.rpm
haproxy-quic-2.8.4-1.mga9.x86_64.rpm
haproxy-utils-2.8.4-1.mga9.x86_64.rpm

Installed the current versions of all plus one dependency in a VirtualBox guest, then downloaded the test rpms with qarepo, and updated. There were no installation issues. 

Taking Comment 2 as a demonstration of functionality.

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2023-11-27 17:19:54 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2023-0126.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED