| Summary: | Haproxy subversion update | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Raphael Gertz <mageia> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, j.alberto.vc, mageia, mageia, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | haproxy-2.8.5-1.mga9.src.rpm | CVE: | |
| Status comment: | |||

Description
Raphael Gertz
2024-02-20 03:33:20 CET

Haproxy has fixed issues in the latest upstream version 2.8.6 of branch 2.8.
Impacted mga9 & cauldron.

Suggested advisory:
========================
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
    core:
      - haproxy-2.8.6-1.mga9
description: |
  Haproxy has a major, few medium and few minor bugs fixed in last upstream
  version 2.8.6 of branch 2.8
  Fixed major bug list:
  - ssl_sock: Always clear retry flags in read/write functions
  Fixed medium bug list:
  - cli: fix once for all the problem of missing trailing LFs
  - cli: some err/warn msg dumps add LR into CSV output on stat's CLI
  - h1: always reject the NUL character in header values
  - h1: Don't support LF only to mark the end of a chunk size
  - h3: do not crash on invalid response status code
  - h3: fix incorrect snd_buf return value
  - mux-h2: refine connection vs stream error on headers
  - mux-h2: Report too large HEADERS frame only when rxbuf is empty
  - mux-quic: report early error on stream
  - ocsp: Separate refcount per instance and per store
  - pool: fix rare risk of deadlock in pool_flush()
  - qpack: allow 6xx..9xx status codes
  - quic: fix crash on invalid qc_stream_buf_free() BUG_ON
  - quic: keylog callback not called (USE_OPENSSL_COMPAT)
  - quic: Possible buffer overflow when building TLS records
  - quic: QUIC CID removed from tree without locking
  - quic: remove unsent data from qc_stream_desc buf
  - quic: Wrong K CUBIC calculation.
  - spoe: Never create new spoe applet if there is no server up
  - ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
  - stats: unhandled switching rules with TCP frontend
  - stconn: Allow expiration update when READ/WRITE event is pending
  - stconn: Don't check pending shutdown to wake an applet up
  - stconn: Forward shutdown on write timeout only if it is forwardable
references:
  - https://bugs.mageia.org/show_bug.cgi?id=32873
  - https://www.haproxy.org/download/2.8/src/CHANGELOG

$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
Active: active (running) since Tue 2024-02-20 XX:XX:XX CET; XXs ago
Main PID: XXXXXX (haproxy)
Status: "Ready."
Tasks: 9 (limit: 65000)
Memory: 18.7M
CPU: Xms
CGroup: /system.slice/haproxy.service
├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
└─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600
$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Tue, 20 Feb 2024 02:43:04 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

Whiteboard: (none) => MGA9-64-OK

Raphael Gertz
2024-02-20 03:45:15 CET
CC: (none) => j.alberto.vc

$ rpm -qa | grep haproxy
haproxy-2.8.6-1.mga9
haproxy-quic-2.8.6-1.mga9

I see where you added the "Advisory" keyword. Did you upload the advisory to SVN? The keyword isn't added until that is done.

CC: (none) => andrewsfarm

I have an MGA9-64 Plasma VirtualBox guest with haproxy installed from the last update. Lacking a package list, I used "*haproxy*" in qarepo and it came back with this:

haproxy-2.8.6-1.mga9.x86_64.rpm
haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
haproxy-quic-2.8.6-1.mga9.x86_64.rpm
haproxy-utils-2.8.6-1.mga9.x86_64.rpm

Those updated cleanly, but if there were more packages to test I didn't get them. I tried the commands from comment 2 on my system after the update, confirming the OK.

Holding back on the validation until I hear confirmation that the advisory has been properly uploaded.

(In reply to Thomas Andrews from comment #4)
> I see where you added the "Advisory" keyword. Did you upload the advisory to
> SVN? The keyword isn't added until that is done.

I did, in fact it was done before submitting to build system.

$ svn log 32873.adv
------------------------------------------------------------------------
r15711 | rapsys | 2024-02-20 03:40:04 +0100 (mar. 20 févr. 2024) | 1 ligne

Add bugfix advisory M9 haproxy mga#32873
------------------------------------------------------------------------

(In reply to Thomas Andrews from comment #5)
> I have an MGA9-64 Plasma VirtualBox guest with haproxy installed from the
> last update. Lacking a package list, I used "*haproxy*" in qarepo and it
> came back with this:
>
> haproxy-2.8.6-1.mga9.x86_64.rpm
> haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
> haproxy-quic-2.8.6-1.mga9.x86_64.rpm
> haproxy-utils-2.8.6-1.mga9.x86_64.rpm
>
> Those updated cleanly, but if there were more packages to test I didn't get
> them. I tried the commands from comment 2 on my system after the update,
> confirming the OK.
>
> Holding back on the validation until I hear confirmation that the advisory
> has been properly uploaded.

You need to install haproxy with quic or noquic package which contains the binary with or without QUIC protocol support.
You may test the utils as well, that's all there is to test.

Best regards

For next time I update it, how should I list the packages to help qa tester?

Raphael Gertz
2024-02-21 01:46:41 CET
Status: NEW => ASSIGNED

(In reply to Thomas Andrews from comment #5)
> I have an MGA9-64 Plasma VirtualBox guest with haproxy installed from the
> last update. Lacking a package list, I used "*haproxy*" in qarepo and it
> came back with this:
>
> haproxy-2.8.6-1.mga9.x86_64.rpm
> haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
> haproxy-quic-2.8.6-1.mga9.x86_64.rpm
> haproxy-utils-2.8.6-1.mga9.x86_64.rpm
>
> Those updated cleanly, but if there were more packages to test I didn't get
> them. I tried the commands from comment 2 on my system after the update,
> confirming the OK.
>
> Holding back on the validation until I hear confirmation that the advisory
> has been properly uploaded.

You can check in https://svnweb.mageia.org/advisories/bugnumber.adv , in this case https://svnweb.mageia.org/advisories/32873.adv

(In reply to Raphael Gertz from comment #8)
> For next time I update it, how should I list the packages to help qa tester ?

Others do something like

Packages in 9/core/updates_testing
###########################################
i586:
haproxy-2.8.6-1.mga9.i586.rpm
haproxy-noquic-2.8.6-1.mga9.i586.rpm
haproxy-quic-2.8.6-1.mga9.i586.rpm
haproxy-utils-2.8.6-1.mga9.i586.rpm

x86_64:
haproxy-2.8.6-1.mga9.x86_64.rpm
haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
haproxy-quic-2.8.6-1.mga9.x86_64.rpm
haproxy-utils-2.8.6-1.mga9.x86_64.rpm

From SRPMS:
##########################################
haproxy-2.8.6-1.mga9

@Raphael: use this template https://wiki.mageia.org/en/Update_Advisory_Announcement_Example
Listing RPM/SRPM and where to find them, helps qa

@Raphael: I did look for the advisory before I questioned it, but apparently not in the right spot because I didn't find it. I was only trying to be thorough.

Please understand, someone other than the developer needs to test the update at least for a clean install. This is to help prevent updates slipping through with hidden dependencies, dependencies that might be installed on the developer's system, but not on some of our users' systems. It has happened before, so we do our best to avoid it happening in the future.

Please continue to include valid test procedures for us. QA welcomes people of all levels of expertise, and for someone like me, somewhere in the middle, the procedures are very helpful. Thank you.

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0064.html

Resolution: (none) => FIXED