Bug 33066

Summary: Haproxy subversion update
Product: Mageia Reporter: Raphael Gertz <mageia>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, j.alberto.vc, mageia, mageia, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: haproxy-2.8.6-1.mga9.src.rpm CVE:
Status comment:

Description Raphael Gertz 2024-04-09 05:36:38 CEST 
Description of problem:
Haproxy is in version 2.8.6 in mageia version while 2.8.9 version is available with one major, few medium and few minor security updates for 2.8 branch.

Changelog there:
http://www.haproxy.org/download/2.8/src/CHANGELOG

Last version of 2.8 branch has a lot of fixed minor, medium and major bugs, we should update.

Fixed bug changelog:
2024/04/05 : 2.8.9
    - BUILD: proxy: Replace free_logformat_list() to manually release log-format

2024/04/05 : 2.8.8
    - MAJOR: hlua: improper lock usage with hlua_ctx_resume()
    - MAJOR: promex: fix crash on deleted server
    - MAJOR: server: fix stream crash due to deleted server
    - MEDIUM: applet: Immediately free appctx on early error
    - MEDIUM: cli: Warn if pipelined commands are delimited by a \n
    - MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
    - MEDIUM: hlua: Don't loop if a lua socket does not consume received data
    - MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
    - MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
    - MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
    - MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
    - MEDIUM: quic: fix transient send error with listener socket
    - MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
    - MEDIUM: spoe: Return an invalid frame on recv if size is too small
    - MEDIUM: ssl: Fix crash in ocsp-update log function
    - MINOR: backend: properly handle redispatch 0
    - MINOR: cfgparse: report proper location for log-format-sd errors
    - MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
    - MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
    - MINOR: connection: add a new mux_ctl to report number of connection glitches
    - MINOR: connection: add sample fetches to report per-connection glitches
    - MINOR: hlua: Be able to disable logging from lua
    - MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
    - MINOR: hlua: don't use lua_tostring() from unprotected contexts
    - MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
    - MINOR: hlua: fix missing lock in hlua_filter_delete()
    - MINOR: hlua: fix possible crash in hlua_filter_new() under load
    - MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
    - MINOR: hlua: improper lock usage in hlua_filter_callback()
    - MINOR: hlua: improper lock usage in hlua_filter_new()
    - MINOR: hlua: missing lock in hlua_filter_new()
    - MINOR: hlua: segfault when loading the same filter from different contexts
    - MINOR: hlua: use accessors for stream hlua ctx
    - MINOR: ist: allocate nul byte on istdup
    - MINOR: ist: only store NUL byte on succeeded alloc
    - MINOR: listener: Don't schedule frontend without task in listener_release()
    - MINOR: listener: Wake proxy's mngmt task up if necessary on session release
    - MINOR: mux-h2: add a counter of "glitches" on a connection
    - MINOR: mux-h2: always use h2c_report_glitch()
    - MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
    - MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
    - MINOR: mux-h2: count rejected DATA frames against the connection's flow control
    - MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
    - MINOR: mux-quic: close all QCS before freeing QCC tasklet
    - MINOR: proxy: fix logformat expression leak in use_backend rules
    - MINOR: qpack: reject invalid dynamic table capacity
    - MINOR: qpack: reject invalid increment count decoding
    - MINOR: quic: fix output of show quic
    - MINOR: quic: reject HANDSHAKE_DONE as server
    - MINOR: quic: reject unknown frame type
    - MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
    - MINOR: server: allow cookie for dynamic servers
    - MINOR: server: fix persistence cookie for dynamic servers
    - MINOR: server: ignore 'enabled' for dynamic servers
    - MINOR: server: 'source' interface ignored from 'default-server' directive
    - MINOR: session: ensure conn owner is set after insert into session
    - MINOR: sink: fix a race condition in the TCP log forwarding code
    - MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
    - MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
    - MINOR: ssl/cli: typo in new ssl crl-file CLI description
    - MINOR: ssl: Detect more 'ocsp-update' incompatibilities
    - MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
    - MINOR: ssl: Wrong ocsp-update "incompatibility" error message
    - MINOR: stats: drop srv refcount on early release
    - MINOR: tools: seed the statistical PRNG slightly better
    - OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}

2024/02/26 : 2.8.7
    - MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI

Version-Release number of selected component (if applicable):
2.8.6

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Comment 1 Raphael Gertz 2024-04-09 05:42:38 CEST 
Haproxy has fixed issues in last upstream version 2.8.9 of branch 2.8.

Impacted mga9 & cauldron.

Suggested advisory:
========================
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
   core:
     - haproxy-2.8.9-1.mga9
description: |
  Haproxy has a major, few medium and few minor bugs fixed in last upstream
  version 2.8.9 of branch 2.8

  Fixed major bug list:
  - hlua: improper lock usage with hlua_ctx_resume()
  - promex: fix crash on deleted server
  - server: fix stream crash due to deleted server
  - ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI

  Fixed medium bug list:
  - applet: Immediately free appctx on early error
  - cli: Warn if pipelined commands are delimited by a \n
  - hlua: Be able to garbage collect uninitialized lua sockets
  - hlua: Don't loop if a lua socket does not consume received data
  - hlua: improper lock usage with SET_SAFE_LJMP()
  - hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
  - mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
  - mux-h2: allow to set the glitches threshold to kill a connection
  - quic: fix transient send error with listener socket
  - spoe: Don't rely on stream's expiration to detect processing timeout
  - spoe: Return an invalid frame on recv if size is too small
  - ssl: Fix crash in ocsp-update log function

references:
 - https://bugs.mageia.org/show_bug.cgi?id=33066
 - https://www.haproxy.org/download/2.8/src/CHANGELOG

Keywords: (none) => advisory

Comment 2 Raphael Gertz 2024-04-09 05:46:24 CEST 
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Tue XX:XX:XX CET; XXs ago
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 20.9M
        CPU: 8.865s
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Tue, 09 Apr 2024 03:44:50 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.9-1.mga9
haproxy-2.8.9-1.mga9

Whiteboard: (none) => MGA9-64-OK

Comment 3 Raphael Gertz 2024-04-09 05:47:18 CEST 
Packages in 9/core/updates_testing
###########################################
i586:
haproxy-2.8.9-1.mga9.i586.rpm
haproxy-noquic-2.8.9-1.mga9.i586.rpm
haproxy-quic-2.8.9-1.mga9.i586.rpm
haproxy-utils-2.8.9-1.mga9.i586.rpm

x86_64:
haproxy-2.8.9-1.mga9.x86_64.rpm
haproxy-noquic-2.8.9-1.mga9.x86_64.rpm
haproxy-quic-2.8.9-1.mga9.x86_64.rpm
haproxy-utils-2.8.9-1.mga9.x86_64.rpm

From SRPMS:
##########################################
haproxy-2.8.9-1.mga9
Raphael Gertz 2024-04-09 05:49:08 CEST

CC: (none) => j.alberto.vc, mageia, mageia
Assignee: bugsquad => qa-bugs

Comment 4 Raphael Gertz 2024-04-09 05:50:05 CEST 
Previous update ticket:
https://bugs.mageia.org/show_bug.cgi?id=32873
Comment 5 Raphael Gertz 2024-04-09 05:53:43 CEST 
Packages built and uploaded, advisory available.

QA should just have to double check, validate update or report if there is something wrong.
Comment 6 katnatek 2024-04-09 21:40:09 CEST 
RH mageia 9 x86_64

Test noquic

 LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.9-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.9        1.mga9        x86_64  
  haproxy-noquic                 2.8.9        1.mga9        x86_64  
4.8MB of additional disk space will be used.
1.5MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

Installation without issues

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Tue, 09 Apr 2024 19:31:14 GMT
server: Apache/2.4.59 (Mageia) OpenSSL/3.0.12
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "xx-xxxxxxxxxxxxx"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8
Comment 7 katnatek 2024-04-09 21:44:37 CEST 
RH mageia 9 x86_54

Test quic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.9-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.9        1.mga9        x86_64  
  haproxy-quic                   2.8.9        1.mga9        x86_64  
(medium "Core Updates (distrib3)")
  lib64quictls81.3               3.0.12       1.1.mga9      x86_64  
12MB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.12-1.1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/lib64quictls81.3-3.0.12-1.1.mga9.x86_64.rpm                                            
//home/katnatek/qa-testing/x86_64/haproxy-quic-2.8.9-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/haproxy-2.8.9-1.mga9.x86_64.rpm
Preparing...                     ######################################################################################
      1/3: lib64quictls81.3      ######################################################################################
      2/3: haproxy               ######################################################################################
      3/3: haproxy-quic          ######################################################################################

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Tue, 09 Apr 2024 19:42:31 GMT
server: Apache/2.4.59 (Mageia) OpenSSL/3.0.12
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "xx-xxxxxxxxxxxxx"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

As bot versions not get haproxy-utils as require

LC_ALL=C urpmi haproxy-utils 


installing haproxy-utils-2.8.9-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/1: haproxy-utils         ######################################################################################
katnatek 2024-04-09 21:44:53 CEST

CC: (none) => andrewsfarm

Comment 8 katnatek 2024-04-09 21:45:18 CEST 
Look good for me
Comment 9 Thomas Andrews 2024-04-09 23:38:08 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2024-04-10 06:04:40 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0124.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED