Description of problem:
Haproxy is in version 2.8.6 in mageia version while 2.8.9 version is available with one major, few medium and few minor security updates for 2.8 branch.

Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

Last version of 2.8 branch has a lot of fixed minor, medium and major bugs, we should update.

Fixed bug changelog:

2024/04/05 : 2.8.9
    - BUILD: proxy: Replace free_logformat_list() to manually release log-format

2024/04/05 : 2.8.8
    - MAJOR: hlua: improper lock usage with hlua_ctx_resume()
    - MAJOR: promex: fix crash on deleted server
    - MAJOR: server: fix stream crash due to deleted server
    - MEDIUM: applet: Immediately free appctx on early error
    - MEDIUM: cli: Warn if pipelined commands are delimited by a \n
    - MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
    - MEDIUM: hlua: Don't loop if a lua socket does not consume received data
    - MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
    - MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
    - MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
    - MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
    - MEDIUM: quic: fix transient send error with listener socket
    - MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
    - MEDIUM: spoe: Return an invalid frame on recv if size is too small
    - MEDIUM: ssl: Fix crash in ocsp-update log function
    - MINOR: backend: properly handle redispatch 0
    - MINOR: cfgparse: report proper location for log-format-sd errors
    - MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
    - MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
    - MINOR: connection: add a new mux_ctl to report number of connection glitches
    - MINOR: connection: add sample fetches to report per-connection glitches
    - MINOR: hlua: Be able to disable logging from lua
    - MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
    - MINOR: hlua: don't use lua_tostring() from unprotected contexts
    - MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
    - MINOR: hlua: fix missing lock in hlua_filter_delete()
    - MINOR: hlua: fix possible crash in hlua_filter_new() under load
    - MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
    - MINOR: hlua: improper lock usage in hlua_filter_callback()
    - MINOR: hlua: improper lock usage in hlua_filter_new()
    - MINOR: hlua: missing lock in hlua_filter_new()
    - MINOR: hlua: segfault when loading the same filter from different contexts
    - MINOR: hlua: use accessors for stream hlua ctx
    - MINOR: ist: allocate nul byte on istdup
    - MINOR: ist: only store NUL byte on succeeded alloc
    - MINOR: listener: Don't schedule frontend without task in listener_release()
    - MINOR: listener: Wake proxy's mngmt task up if necessary on session release
    - MINOR: mux-h2: add a counter of "glitches" on a connection
    - MINOR: mux-h2: always use h2c_report_glitch()
    - MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
    - MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
    - MINOR: mux-h2: count rejected DATA frames against the connection's flow control
    - MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
    - MINOR: mux-quic: close all QCS before freeing QCC tasklet
    - MINOR: proxy: fix logformat expression leak in use_backend rules
    - MINOR: qpack: reject invalid dynamic table capacity
    - MINOR: qpack: reject invalid increment count decoding
    - MINOR: quic: fix output of show quic
    - MINOR: quic: reject HANDSHAKE_DONE as server
    - MINOR: quic: reject unknown frame type
    - MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
    - MINOR: server: allow cookie for dynamic servers
    - MINOR: server: fix persistence cookie for dynamic servers
    - MINOR: server: ignore 'enabled' for dynamic servers
    - MINOR: server: 'source' interface ignored from 'default-server' directive
    - MINOR: session: ensure conn owner is set after insert into session
    - MINOR: sink: fix a race condition in the TCP log forwarding code
    - MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
    - MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
    - MINOR: ssl/cli: typo in new ssl crl-file CLI description
    - MINOR: ssl: Detect more 'ocsp-update' incompatibilities
    - MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
    - MINOR: ssl: Wrong ocsp-update "incompatibility" error message
    - MINOR: stats: drop srv refcount on early release
    - MINOR: tools: seed the statistical PRNG slightly better
    - OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}

2024/02/26 : 2.8.7
    - MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI

Version-Release number of selected component (if applicable):
2.8.6

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Haproxy has fixed issues in last upstream version 2.8.9 of branch 2.8.

Impacted mga9 & cauldron.

Suggested advisory:
========================

type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
   core:
     - haproxy-2.8.9-1.mga9
description: |
  Haproxy has a major, few medium and few minor bugs fixed in last upstream version 2.8.9 of branch 2.8

  Fixed major bug list:

  - hlua: improper lock usage with hlua_ctx_resume()
  - promex: fix crash on deleted server
  - server: fix stream crash due to deleted server
  - ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI

  Fixed medium bug list:

  - applet: Immediately free appctx on early error
  - cli: Warn if pipelined commands are delimited by a \n
  - hlua: Be able to garbage collect uninitialized lua sockets
  - hlua: Don't loop if a lua socket does not consume received data
  - hlua: improper lock usage with SET_SAFE_LJMP()
  - hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
  - mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
  - mux-h2: allow to set the glitches threshold to kill a connection
  - quic: fix transient send error with listener socket
  - spoe: Don't rely on stream's expiration to detect processing timeout
  - spoe: Return an invalid frame on recv if size is too small
  - ssl: Fix crash in ocsp-update log function
references:
 - https://bugs.mageia.org/show_bug.cgi?id=33066
 - https://www.haproxy.org/download/2.8/src/CHANGELOG
Keywords: (none) => advisory
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Tue XX:XX:XX CET; XXs ago
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 20.9M
        CPU: 8.865s
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Tue, 09 Apr 2024 03:44:50 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.9-1.mga9
haproxy-2.8.9-1.mga9
Whiteboard: (none) => MGA9-64-OK
Packages in 9/core/updates_testing
###########################################
i586:
haproxy-2.8.9-1.mga9.i586.rpm
haproxy-noquic-2.8.9-1.mga9.i586.rpm
haproxy-quic-2.8.9-1.mga9.i586.rpm
haproxy-utils-2.8.9-1.mga9.i586.rpm

x86_64:
haproxy-2.8.9-1.mga9.x86_64.rpm
haproxy-noquic-2.8.9-1.mga9.x86_64.rpm
haproxy-quic-2.8.9-1.mga9.x86_64.rpm
haproxy-utils-2.8.9-1.mga9.x86_64.rpm

From SRPMS:
##########################################
haproxy-2.8.9-1.mga9
CC: (none) => j.alberto.vc, mageia, mageia
Assignee: bugsquad => qa-bugs
Previous update ticket: https://bugs.mageia.org/show_bug.cgi?id=32873
Packages built and uploaded, advisory available. QA should just have to double check, validate update or report if there is something wrong.
RH mageia 9 x86_64

Test noquic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.9-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.9        1.mga9        x86_64
  haproxy-noquic                 2.8.9        1.mga9        x86_64
4.8MB of additional disk space will be used.
1.5MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

Installation without issues

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Tue, 09 Apr 2024 19:31:14 GMT
server: Apache/2.4.59 (Mageia) OpenSSL/3.0.12
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "xx-xxxxxxxxxxxxx"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8
RH mageia 9 x86_64

Test quic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.9-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.9-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.9        1.mga9        x86_64
  haproxy-quic                   2.8.9        1.mga9        x86_64
(medium "Core Updates (distrib3)")
  lib64quictls81.3               3.0.12       1.1.mga9      x86_64
12MB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.12-1.1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/lib64quictls81.3-3.0.12-1.1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-quic-2.8.9-1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-2.8.9-1.mga9.x86_64.rpm
Preparing...                     ######################################################################################
      1/3: lib64quictls81.3      ######################################################################################
      2/3: haproxy               ######################################################################################
      3/3: haproxy-quic          ######################################################################################

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Tue, 09 Apr 2024 19:42:31 GMT
server: Apache/2.4.59 (Mageia) OpenSSL/3.0.12
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "xx-xxxxxxxxxxxxx"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

As both versions do not get haproxy-utils as a requirement:

LC_ALL=C urpmi haproxy-utils

installing haproxy-utils-2.8.9-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/1: haproxy-utils         ######################################################################################
CC: (none) => andrewsfarm
Looks good to me
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2024-0124.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED