Description of problem:
Haproxy is at version 2.8.5 in Mageia while version 2.8.6 is available, with one major, a few medium and a few minor security updates for the 2.8 branch.

Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

The last version of the 2.8 branch has a lot of fixed minor, medium and major bugs; we should update.

Fixed bug changelog:
2024/02/15 : 2.8.6
- MAJOR: ssl_sock: Always clear retry flags in read/write functions
- MEDIUM: cli: fix once for all the problem of missing trailing LFs
- MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
- MEDIUM: h1: always reject the NUL character in header values
- MEDIUM: h1: Don't support LF only to mark the end of a chunk size
- MEDIUM: h3: do not crash on invalid response status code
- MEDIUM: h3: fix incorrect snd_buf return value
- MEDIUM: mux-h2: refine connection vs stream error on headers
- MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
- MEDIUM: mux-quic: report early error on stream
- MEDIUM: ocsp: Separate refcount per instance and per store
- MEDIUM: pool: fix rare risk of deadlock in pool_flush()
- MEDIUM: qpack: allow 6xx..9xx status codes
- MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
- MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
- MEDIUM: quic: Possible buffer overflow when building TLS records
- MEDIUM: quic: QUIC CID removed from tree without locking
- MEDIUM: quic: remove unsent data from qc_stream_desc buf
- MEDIUM: quic: Wrong K CUBIC calculation.
- MEDIUM: spoe: Never create new spoe applet if there is no server up
- MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
- MEDIUM: stats: unhandled switching rules with TCP frontend
- MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
- MEDIUM: stconn: Don't check pending shutdown to wake an applet up
- MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
- MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
- MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
- MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
- MINOR: debug: make sure calls to ha_crash_now() are never merged
- MINOR: diag: always show the version before dumping a diag warning
- MINOR: diag: run the final diags before quitting when using -c
- MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
- MINOR: ext-check: add an option to preserve environment variables
- MINOR: ext-check: cannot use without preserve-env
- MINOR: h1: Don't support LF only at the end of chunks
- MINOR: h1-htx: properly initialize the err_pos field
- MINOR: h3: add traces for stream sending function
- MINOR: h3: check connection error during sending
- MINOR: h3: close connection on header list too big
- MINOR: h3: close connection on sending alloc errors
- MINOR: h3: fix checking on NULL Tx buffer
- MINOR: h3: properly handle alloc failure on finalize
- MINOR: jwt: fix jwt_verify crash on 32-bit archs
- MINOR: mux-h2: also count streams for refused ones
- MINOR: mux-h2: support limiting the total number of H2 streams per connection
- MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
- MINOR: mux-h2/traces: also suggest invalid header upon parsing error
- MINOR: mux-h2/traces: clarify the "rejected H2 request" event
- MINOR: mux-h2/traces: explicitly show the error/refused stream states
- MINOR: mux-quic: always report error to SC on RESET_STREAM emission
- MINOR: mux-quic: do not prevent non-STREAM sending on flow control
- MINOR: mworker/cli: fix set severity-output support
- MINOR: quic: Add a counter for reordered packets
- MINOR: quic: Dynamic packet reordering threshold
- MINOR: quic: extract qc_stream_buf free in a dedicated function
- MINOR: quic: fix possible integer wrap around in cubic window calculation
- MINOR: quic: Missing call to TLS message callbacks
- MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
- MINOR: quic: Stop using 1024th of a second.
- MINOR: quic: Update K CUBIC calculation (RFC 9438)
- MINOR: quic: Wrong ack ranges handling when reaching the limit.
- MINOR: quic: Wrong keylog callback setting.
- MINOR: resolvers: default resolvers fails when network not configured
- MINOR: ssl: Clear the ckch instance when deleting a crt-list line
- MINOR: ssl: Destroy ckch instances before the store during deinit
- MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
- MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
- MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
- MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
- MINOR: stats: store the parent proxy in stats ctx (http)
- MINOR: vars/cli: fix missing LF after "get var" output

Version-Release number of selected component (if applicable):
2.8.5

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Haproxy has fixed issues in last upstream version 2.8.6 of branch 2.8.

Impacted mga9 & cauldron.

Suggested advisory:
========================

type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
    core:
      - haproxy-2.8.6-1.mga9
description: |
  Haproxy has a major, few medium and few minor bugs fixed in last upstream version 2.8.6 of branch 2.8

  Fixed major bug list:
  - ssl_sock: Always clear retry flags in read/write functions

  Fixed medium bug list:
  - cli: fix once for all the problem of missing trailing LFs
  - cli: some err/warn msg dumps add LR into CSV output on stat's CLI
  - h1: always reject the NUL character in header values
  - h1: Don't support LF only to mark the end of a chunk size
  - h3: do not crash on invalid response status code
  - h3: fix incorrect snd_buf return value
  - mux-h2: refine connection vs stream error on headers
  - mux-h2: Report too large HEADERS frame only when rxbuf is empty
  - mux-quic: report early error on stream
  - ocsp: Separate refcount per instance and per store
  - pool: fix rare risk of deadlock in pool_flush()
  - qpack: allow 6xx..9xx status codes
  - quic: fix crash on invalid qc_stream_buf_free() BUG_ON
  - quic: keylog callback not called (USE_OPENSSL_COMPAT)
  - quic: Possible buffer overflow when building TLS records
  - quic: QUIC CID removed from tree without locking
  - quic: remove unsent data from qc_stream_desc buf
  - quic: Wrong K CUBIC calculation.
  - spoe: Never create new spoe applet if there is no server up
  - ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
  - stats: unhandled switching rules with TCP frontend
  - stconn: Allow expiration update when READ/WRITE event is pending
  - stconn: Don't check pending shutdown to wake an applet up
  - stconn: Forward shutdown on write timeout only if it is forwardable
references:
  - https://bugs.mageia.org/show_bug.cgi?id=32873
  - https://www.haproxy.org/download/2.8/src/CHANGELOG
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-02-20 XX:XX:XX CET; XXs ago
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 18.7M
        CPU: Xms
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Tue, 20 Feb 2024 02:43:04 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600
Whiteboard: (none) => MGA9-64-OK
CC: (none) => mageia, mageia
Assignee: bugsquad => qa-bugs
Keywords: (none) => advisory
CC: (none) => j.alberto.vc
$ rpm -qa | grep haproxy
haproxy-2.8.6-1.mga9
haproxy-quic-2.8.6-1.mga9
I see where you added the "Advisory" keyword. Did you upload the advisory to SVN? The keyword isn't added until that is done.
CC: (none) => andrewsfarm
I have an MGA9-64 Plasma VirtualBox guest with haproxy installed from the last update. Lacking a package list, I used "*haproxy*" in qarepo and it came back with this:

haproxy-2.8.6-1.mga9.x86_64.rpm
haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
haproxy-quic-2.8.6-1.mga9.x86_64.rpm
haproxy-utils-2.8.6-1.mga9.x86_64.rpm

Those updated cleanly, but if there were more packages to test I didn't get them. I tried the commands from comment 2 on my system after the update, confirming the OK.

Holding back on the validation until I hear confirmation that the advisory has been properly uploaded.
(In reply to Thomas Andrews from comment #4)
> I see where you added the "Advisory" keyword. Did you upload the advisory to
> SVN? The keyword isn't added until that is done.

I did, in fact it was done before submitting to build system.

$ svn log 32873.adv
------------------------------------------------------------------------
r15711 | rapsys | 2024-02-20 03:40:04 +0100 (mar. 20 févr. 2024) | 1 ligne

Add bugfix advisory M9 haproxy mga#32873
------------------------------------------------------------------------
(In reply to Thomas Andrews from comment #5)
> I have an MGA9-64 Plasma VirtualBox guest with haproxy installed from the
> last update. Lacking a package list, I used "*haproxy*" in qarepo and it
> came back with this:
>
> haproxy-2.8.6-1.mga9.x86_64.rpm
> haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
> haproxy-quic-2.8.6-1.mga9.x86_64.rpm
> haproxy-utils-2.8.6-1.mga9.x86_64.rpm
>
> Those updated cleanly, but if there were more packages to test I didn't get
> them. I tried the commands from comment 2 on my system after the update,
> confirming the OK.
>
> Holding back on the validation until I hear confirmation that the advisory
> has been properly uploaded.

You need to install haproxy with quic or noquic package which contains the binary with or without QUIC protocol support.

You may test the utils as well, that's all there is to test.

Best regards
For the next time I update it, how should I list the packages to help the QA tester?
Status: NEW => ASSIGNED
(In reply to Thomas Andrews from comment #5)
> I have an MGA9-64 Plasma VirtualBox guest with haproxy installed from the
> last update. Lacking a package list, I used "*haproxy*" in qarepo and it
> came back with this:
>
> haproxy-2.8.6-1.mga9.x86_64.rpm
> haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
> haproxy-quic-2.8.6-1.mga9.x86_64.rpm
> haproxy-utils-2.8.6-1.mga9.x86_64.rpm
>
> Those updated cleanly, but if there were more packages to test I didn't get
> them. I tried the commands from comment 2 on my system after the update,
> confirming the OK.
>
> Holding back on the validation until I hear confirmation that the advisory
> has been properly uploaded.

You can check in https://svnweb.mageia.org/advisories/bugnumber.adv , in this case https://svnweb.mageia.org/advisories/32873.adv
(In reply to Raphael Gertz from comment #8)
> For next time I update it, how should I list the packages to help qa tester ?

Others do something like

Packages in 9/core/updates_testing
###########################################
i586:
haproxy-2.8.6-1.mga9.i586.rpm
haproxy-noquic-2.8.6-1.mga9.i586.rpm
haproxy-quic-2.8.6-1.mga9.i586.rpm
haproxy-utils-2.8.6-1.mga9.i586.rpm

x86_64:
haproxy-2.8.6-1.mga9.x86_64.rpm
haproxy-noquic-2.8.6-1.mga9.x86_64.rpm
haproxy-quic-2.8.6-1.mga9.x86_64.rpm
haproxy-utils-2.8.6-1.mga9.x86_64.rpm

From SRPMS:
##########################################
haproxy-2.8.6-1.mga9
@Raphael: use this template https://wiki.mageia.org/en/Update_Advisory_Announcement_Example

Listing RPM/SRPM and where to find them helps QA.
@Raphael: I did look for the advisory before I questioned it, but apparently not in the right spot because I didn't find it. I was only trying to be thorough. Please understand, someone other than the developer needs to test the update at least for a clean install. This is to help prevent updates slipping through with hidden dependencies, dependencies that might be installed on the developer's system, but not on some of our users' systems. It has happened before, so we do our best to avoid it happening in the future. Please continue to include valid test procedures for us. QA welcomes people of all levels of expertise, and for someone like me, somewhere in the middle, the procedures are very helpful. Thank you. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2024-0064.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED