Description of problem:
HAProxy is at version 2.8.4 in Mageia while version 2.8.5 is available, with one major, a few medium and a few minor security updates for the 2.8 branch.
Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

The last version of the 2.8 branch has a lot of fixed minor, medium and major bugs; we should update.

Fixed bug changelog:
2023/12/07 : 2.8.5
    - BUG/MAJOR: quic: complete thread migration before tcp-rules
    - BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
    - BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
    - BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
    - BUG/MINOR: stream/cli: report correct stream age in "show sess"
    - MINOR: stktable: add stktable_deinit function
    - BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
    - REGTESTS: http: add a test to validate chunked responses delivery
    - BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly
    - BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
    - BUG/MEDIUM: quic: Possible crash for connections to be killed
    - BUG/MINOR: quic: Possible RX packet memory leak under heavy load
    - BUG/MINOR: server: do not leak default-server in defaults sections
    - DOC: 51d: updated 51Degrees repo URL for v3.2.10
    - DOC: config: fix timeout check inheritance restrictions
    - REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
    - DOC: lua: add sticktable class reference from Proxy.stktable
    - DOC: lua: fix Proxy.get_mode() output
    - BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
    - BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()
    - BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
    - BUG/MINOR: h3: fix TRAILERS encoding
    - BUG/MINOR: h3: always reject PUSH_PROMISE
    - DOC: config: fix missing characters in set-spoe-group action
    - BUG/MINOR: quic_tp: fix preferred_address decoding
    - BUG/MINOR: config: Stopped parsing upon unmatched environment variables
    - BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
    - DOC: config: specify supported sections for "max-session-srv-conns"
    - DOC: config: add matrix entry for "max-session-srv-conns"
    - DOC: config: fix monitor-fail typo
    - REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
    - BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
    - DOC: Clarify the differences between field() and word()
    - BUG/MEDIUM: peers: fix partial message decoding
    - BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed
    - BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
    - BUG/MINOR: quic: Possible leak of TX packets under heavy load
    - BUG/MINOR: quic: Missing QUIC connection path member initialization
    - BUG/MINOR: quic: Packet number spaces too lately initialized
    - BUG/MINOR: ssl: Double free of OCSP Certificate ID
    - MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
    - BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
    - BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
    - BUG/MEDIUM: proxy: always initialize the default settings after init

Version-Release number of selected component (if applicable):
2.8.4

How reproducible:
Always

Steps to Reproduce:
1. Check the haproxy changelog & see the version
HAProxy has fixed issues in the last upstream version 2.8.5 of branch 2.8.
Impacted: mga9 & cauldron.

Suggested advisory:
========================

type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
    core:
      - haproxy-2.8.5-1.mga9
description: |
  HAProxy has a major, a few medium and a few minor bugs fixed in the last
  upstream version 2.8.5 of branch 2.8.

  Fixed major bug list:
  - quic: complete thread migration before tcp-rules

  Fixed medium bug list:
  - mux-h2: fail earlier on malloc in takeover()
  - mux-h1: fail earlier on malloc in takeover()
  - mux-fcgi: fail earlier on malloc in takeover()
  - quic: Possible crash for connections to be killed
  - master/cli: Properly pin the master CLI on thread 1 / group 1
  - peers: fix partial message decoding
  - quic: Possible crash during retransmissions and heavy load
  - proxy: always initialize the default settings after init
references:
  - https://bugs.mageia.org/show_bug.cgi?id=32618
  - https://www.haproxy.org/download/2.8/src/CHANGELOG
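The "Fixed major bug list" / "Fixed medium bug list" sections of the suggested advisory are derived by filtering the upstream changelog by category. As an added example (not part of the bug report or of Mageia's advisory tooling), the Python below parses a constructed fragment in the layout of HAProxy's CHANGELOG and groups one release's BUG/* entries by severity; the sample text, including its 2.8.4 section, is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of HAProxy's CHANGELOG (a "date : version"
# header followed by "    - CATEGORY: subsystem: summary" entries); only a few
# 2.8.5 entries are reproduced and the 2.8.4 section is a placeholder.
SAMPLE_CHANGELOG = """\
2023/12/07 : 2.8.5
    - BUG/MAJOR: quic: complete thread migration before tcp-rules
    - BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
    - BUG/MINOR: stream/cli: report correct stream age in "show sess"
    - MINOR: stktable: add stktable_deinit function
    - DOC: config: fix timeout check inheritance restrictions
    - BUG/MEDIUM: peers: fix partial message decoding
2023/01/01 : 2.8.4
    - BUG/MEDIUM: placeholder: older release, must not be counted
"""

RELEASE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) : (\S+)\s*$")
ENTRY_RE = re.compile(r"^\s*-\s*([A-Z]+(?:/[A-Z]+)?):\s*(.*\S)\s*$")

def parse_changelog(text):
    """Return {version: [(category, summary), ...]} in file order."""
    releases, current = {}, None
    for line in text.splitlines():
        if m := RELEASE_RE.match(line):
            current = m.group(2)
            releases[current] = []
        elif current is not None and (m := ENTRY_RE.match(line)):
            releases[current].append((m.group(1), m.group(2)))
    return releases

def fixed_bugs_by_severity(text, version):
    """Group one release's BUG/* entries by severity, as the advisory does;
    non-bug categories (MINOR, DOC, REGTESTS, ...) are deliberately dropped."""
    out = defaultdict(list)
    for category, summary in parse_changelog(text).get(version, []):
        if category.startswith("BUG/"):
            out[category.split("/", 1)[1]].append(summary)
    return dict(out)

def render_advisory_lists(text, version):
    """Emit the 'Fixed <severity> bug list:' sections in advisory order."""
    lines, bugs = [], fixed_bugs_by_severity(text, version)
    for sev in ("MAJOR", "MEDIUM", "MINOR"):
        if bugs.get(sev):
            lines.append(f"Fixed {sev.lower()} bug list:")
            lines.extend(f"- {s}" for s in bugs[sev])
    return "\n".join(lines)
```

Pointing the parser at a downloaded copy of the real CHANGELOG gives the full severity lists for a release, so a reviewer can check that nothing in the advisory text was dropped or mis-ranked.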
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-12-11 XX:XX:XX CET; Xmin ago
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 36.3M
        CPU: Xmin Xs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Tue, 12 Dec 2023 01:14:09 GMT
content-type: text/html; charset=UTF-8
CC: (none) => mageia
Assignee: mageia => qa-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory
CC: (none) => mageia
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
$ rpm -qa | grep haproxy
haproxy-quic-2.8.5-1.mga9
haproxy-2.8.5-1.mga9

You may install haproxy-noquic instead if you prefer (it uses openssl instead of the quictls library).

x86_64 Rpm list:
haproxy-2.8.5-1.mga9.x86_64.rpm
haproxy-noquic-2.8.5-1.mga9.x86_64.rpm
haproxy-quic-2.8.5-1.mga9.x86_64.rpm
haproxy-utils-2.8.5-1.mga9.x86_64.rpm
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2023-0143.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
@raphael: can you explain quic/noquic in the package description? Currently it is: "HAProxy is free, open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers. It is written in C and has a reputation for being fast and efficient. Build without QUIC protocol support." It is not clear that one is linked to openssl/quic, and what difference it makes for the user.
At the end of the description: "Build without QUIC protocol support." The first Google result on QUIC is a Wikipedia entry about it. OpenSSL doesn't include (yet) the QUIC protocol, which is kept as an overlay in quictls until it's eventually integrated in OpenSSL. What do you suggest as a description improvement? For me it seemed clear enough.
For me it is not clear that noquic is linked to openssl. As you decided to make two packages, what is the "benefit" of not using quic? Is it faster, smaller? How do I decide whether to use quic or noquic?
(In reply to Marc Krämer from comment #7)
> For me it is not clear, noquic is linked to openssl. As you decided to make
> two packages, what is the "benefit" not using quic? Is it faster, smaller?
> How do I decide to use quic or noquic?

Basically I was using quic; it was available at first with an rpm rebuild argument until I managed a more proper solution. I had some help when it came down to "negotiating" with the OpenSSL maintainer, who was not happy about the inclusion of a concurrent SSL library. With some patches quictls was isolated so as not to contaminate other distribution packages, paving the way for a quic-enabled haproxy package.

Performance wise, it would have been better to package LibreSSL or WolfSSL, but it's kind of easier and safer to follow the openssl patch set and updates...

I didn't find the reference again, but it was written somewhere, something like: HAProxy QUIC is production ready, we use it on our haproxy website, but it may be required to disable it on short notice if something critical happens.

The reasonable choice seemed to be a conservative fallback noquic package and a quic version for adventurous people ;)

See:
https://www.haproxy.org/#news
https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status
https://www.mail-archive.com/haproxy@formilux.org/msg42914.html

To decide whether you use quic or not, read:
https://www.haproxy.com/blog/how-to-enable-quic-load-balancing-on-haproxy

Right now, if someone wants to enable it, he has everything. It seems reasonable to me that one should voluntarily install the package with the "QUIC" functionality and uncomment the configuration lines before exposing relatively recent code on a port open to the wide Internet.
Ok. Why don't you add some hint in the quic package:

QUIC: This version uses the quic library for the ssl/tls and quic protocols. More information on quic can be found here:
https://www.haproxy.com/blog/how-to-enable-quic-load-balancing-on-haproxy
Note this is only relevant for Layer 7 connections.

NO_QUIC: This version uses the traditional ssl library for the ssl and tls protocols. If you want Layer 7 quic protocol connections, use the ha-proxy-quic version.