Bug 33475 - Haproxy subversion update
Summary: Haproxy subversion update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-08-19 02:04 CEST by Raphael Gertz
Modified: 2024-08-22 19:26 CEST
CC List: 4 users

See Also:
Source RPM: haproxy-2.8.9-1.mga9.src.rpm
CVE:
Status comment:



Description Raphael Gertz 2024-08-19 02:04:02 CEST
Description of problem:
Haproxy is at version 2.8.9 in Mageia, while version 2.8.10 is available with three major, a few medium and a few minor security updates for the 2.8 branch.

Changelog there:
http://www.haproxy.org/download/2.8/src/CHANGELOG

The latest version of the 2.8 branch fixes a lot of minor, medium and major bugs; we should update.

Fixed bug changelog:

2024/06/14 : 2.8.10
    - MAJOR: connection: fix server used_conns with H2 + reuse safe
    - MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
    - MAJOR: server: do not delete srv referenced by session
    - MEDIUM: applet: Fix applet API to put input data in a buffer
    - MEDIUM: cache: Vary not working properly on anything other than accept-encoding
    - MEDIUM: config: prevent communication with privileged ports
    - MEDIUM: evports: do not clear returned events list on signal
    - MEDIUM: fd: prevent memory waste in fdtab array
    - MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
    - MEDIUM: h1: Reject CONNECT request if the target has a scheme
    - MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection
    - MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
    - MEDIUM: htx: mark htx_sl as packed since it may be realigned
    - MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
    - MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
    - MEDIUM: peers/trace: fix crash when listing event types
    - MEDIUM: quic: don't blindly rely on unaligned accesses
    - MEDIUM: quic: fix connection freeze on post handshake
    - MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
    - MEDIUM: server: fix dynamic servers initial settings
    - MEDIUM: spoe: Always retry when an applet fails to send a frame
    - MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
    - MEDIUM: stconn: Don't forward channel data if input data must be filtered
    - MEDIUM: stick-tables: properly mark stktable_data as packed
    - MINOR: activity: fix Delta_calls and Delta_bytes count
    - MINOR: backend: use cum_sess counters instead of cum_conn
    - MINOR: cfgparse: remove the correct option on httpcheck send-state warning
    - MINOR: cli: Report an error to user if command or payload is too big
    - MINOR: connection: parse PROXY TLV for LOCAL mode
    - MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
    - MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
    - MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
    - MINOR: h1: fix detection of upper bytes in the URI
    - MINOR: haproxy: only tid 0 must not sleep if got signal
    - MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
    - MINOR: hlua: fix leak in hlua_ckch_set() error path
    - MINOR: hlua: fix unsafe hlua_pusherror() usage
    - MINOR: hlua: prevent LJMP in hlua_traceback()
    - MINOR: hlua: use CertCache.set() from various hlua contexts
    - MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header
    - MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
    - MINOR: http-htx: Support default path during scheme based normalization
    - MINOR: listener: always assign distinct IDs to shards
    - MINOR: log: add dup_logsrv() helper function
    - MINOR: log: fix lf_text_len() truncate inconsistency
    - MINOR: log: invalid snprintf() usage in sess_build_logline()
    - MINOR: log: keep the ref in dup_logger()
    - MINOR: log: smp_rgs array issues with inherited global log directives
    - MINOR: mux-quic: fix error code on shutdown for non HTTP/3
    - MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
    - MINOR: net_helper: Add support for floats/doubles.
    - MINOR: qpack: fix error code reported on QPACK decoding failure
    - MINOR: quic: adjust restriction for stateless reset emission
    - MINOR: quic: prevent crash on qc_kill_conn()
    - MINOR: server: Don't reset resolver options on a new default-server line
    - MINOR: server: fix slowstart behavior
    - MINOR: session: rename private conns elements
    - MINOR: sock: handle a weird condition with connect()
    - MINOR: ssl/ocsp: init callback func ptr as NULL
    - MINOR: stats: Don't state the 303 redirect response is chunked
    - MINOR: stconn: Fix sc_mux_strm() return value
    - MINOR: tcpcheck: report correct error in tcp-check rule parser
    - MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
    - MINOR: tools/log: invalid encode_{chunk,string} usage

Version-Release number of selected component (if applicable):
2.8.6

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Comment 1 Raphael Gertz 2024-08-19 02:08:13 CEST
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
   core:
     - haproxy-2.8.10-1.mga9
description: |
  Haproxy has three major, a few medium and a few minor bugs fixed in the latest
  upstream version 2.8.10 of the 2.8 branch

  Fixed major bug list:
  - connection: fix server used_conns with H2 + reuse safe
  - quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
  - server: do not delete srv referenced by session

  Fixed medium bug list:
  - applet: Fix applet API to put input data in a buffer
  - cache: Vary not working properly on anything other than accept-encoding
  - config: prevent communication with privileged ports
  - evports: do not clear returned events list on signal
  - fd: prevent memory waste in fdtab array
  - grpc: Fix several unaligned 32/64 bits accesses
  - h1: Reject CONNECT request if the target has a scheme
  - http-ana: Deliver 502 on keep-alive for fressh server connection
  - http_ana: ignore NTLM for reuse aggressive/always and no H1
  - htx: mark htx_sl as packed since it may be realigned
  - mux-quic: Create sedesc in same time of the QUIC stream
  - peers: Fix exit condition when max-updates-at-once is reached
  - peers/trace: fix crash when listing event types
  - quic: don't blindly rely on unaligned accesses
  - quic: fix connection freeze on post handshake
  - quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
  - server: fix dynamic servers initial settings
  - spoe: Always retry when an applet fails to send a frame
  - ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
  - stconn: Don't forward channel data if input data must be filtered
  - stick-tables: properly mark stktable_data as packed

references:
 - https://bugs.mageia.org/show_bug.cgi?id=33475
 - https://www.haproxy.org/download/2.8/src/CHANGELOG

Keywords: (none) => advisory

Comment 2 Raphael Gertz 2024-08-19 02:11:00 CEST
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Sat 2024-08-XX XX:XX:XX CEST; XX day XXh ago
    Process: XXXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 64.0M
        CPU: XXmin XX.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Mon, 19 Aug 2024 00:10:07 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.10-1.mga9
haproxy-2.8.10-1.mga9
Comment 3 Raphael Gertz 2024-08-19 02:12:12 CEST
Packages in 9/core/updates_testing
i586:
haproxy-2.8.10-1.mga9.i586.rpm
haproxy-noquic-2.8.10-1.mga9.i586.rpm
haproxy-quic-2.8.10-1.mga9.i586.rpm
haproxy-utils-2.8.10-1.mga9.i586.rpm

x86_64:
haproxy-2.8.10-1.mga9.x86_64.rpm
haproxy-noquic-2.8.10-1.mga9.x86_64.rpm
haproxy-quic-2.8.10-1.mga9.x86_64.rpm
haproxy-utils-2.8.10-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.10-1.mga9

Whiteboard: (none) => MGA9-64-OK

Comment 4 Raphael Gertz 2024-08-19 02:13:33 CEST
Previous update ticket:
https://bugs.mageia.org/show_bug.cgi?id=33066

Packages built and uploaded, advisory available.

QA should just have to double-check, validate the update or report if there is something wrong.

Assignee: bugsquad => qa-bugs
CC: (none) => j.alberto.vc, mageia, mageia

Raphael Gertz 2024-08-19 02:14:30 CEST

CC: (none) => andrewsfarm

Comment 5 Marc Krämer 2024-08-21 00:17:02 CEST
Installed correctly, up and running. No regressions so far
Comment 6 Raphael Gertz 2024-08-21 02:30:48 CEST
(In reply to Marc Krämer from comment #5)
> Installed correctly, up and running. No regressions so far

Could you test haproxy 3.0.3, available in cauldron, as well? I updated the patch loading PEM certificates from /etc/pki/tls/{public,private}/ and it may need validation that there is no regression there as well.

Best regards
Comment 7 Marc Krämer 2024-08-21 11:09:21 CEST
I only have a live setup, and my setup doesn't use any protocols from haproxy; I use it only for load balancing at the lowest level.
Comment 8 katnatek 2024-08-21 20:05:33 CEST
RH mageia 9 x86_64

Test noquic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.10-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.10       1.mga9        x86_64  
  haproxy-noquic                 2.8.10       1.mga9        x86_64  
4.8MB of additional disk space will be used.
1.5MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


installing haproxy-noquic-2.8.10-1.mga9.x86_64.rpm haproxy-2.8.10-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: haproxy               ##################################################################################################
      2/2: haproxy-noquic        ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.10-1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT        net     8000    tcp     80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT        net     8000    tcp     443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT       net     8443    udp     443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2024-08-21 11:55:49 CST; 20s ago
    Process: 116507 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 116515 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.0M
        CPU: 140ms
     CGroup: /system.slice/haproxy.service
             ├─116515 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─116518 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

ago 21 11:55:49 jgrey.phoenix systemd[1]: Starting haproxy.service...
ago 21 11:55:49 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Wed, 21 Aug 2024 17:56:58 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.14
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Test quic


LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.10-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.10       1.mga9        x86_64  
  haproxy-quic                   2.8.10       1.mga9        x86_64  
(medium "Core Updates (distrib3)")
  lib64quictls81.3               3.0.14       1.1.mga9      x86_64  
12MB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.14-1.1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/lib64quictls81.3-3.0.14-1.1.mga9.x86_64.rpm                                                        
//home/katnatek/qa-testing/x86_64/haproxy-2.8.10-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/haproxy-quic-2.8.10-1.mga9.x86_64.rpm
Preparing...                     ##################################################################################################
      1/3: lib64quictls81.3      ##################################################################################################
      2/3: haproxy               ##################################################################################################
      3/3: haproxy-quic          ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.10-1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT        net     8000    tcp     80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT        net     8000    tcp     443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT       net     8443    udp     443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2024-08-21 11:59:22 CST; 5s ago
    Process: 141986 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 141991 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 105ms
     CGroup: /system.slice/haproxy.service
             ├─141991 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─141993 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

ago 21 11:59:22 jgrey.phoenix systemd[1]: Starting haproxy.service...
ago 21 11:59:22 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

 curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Wed, 21 Aug 2024 18:00:40 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.14
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

As in the previous test, install haproxy-utils by hand

LC_ALL=C urpmi haproxy-utils 


installing haproxy-utils-2.8.10-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: haproxy-utils         ##################################################################################################

I would like some examples to test the utils, but everything is as in the previous version; keeping the OK. Please don't add me to the CC list because I get double mails ;)

CC: j.alberto.vc => (none)
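The QA check above (installed rpm version, service active, plain HTTP on :8000 redirecting to HTTPS, HTTPS answering 200) as a repeatable script. This is an added example, not part of the bug report or of the Mageia package; it assumes the default front-end 127.0.0.1:8000 seen in the logs and the advisory's version string, and the function names are my own. The header checks read from stdin so they can be exercised on captured output without a running haproxy.

```shell
#!/bin/sh
# Added smoke test for the haproxy QA procedure (not part of the bug report
# or the package). Live run: SMOKE_TEST_LIVE=1 sh smoke.sh

EXPECTED_VERSION="${EXPECTED_VERSION:-2.8.10-1.mga9}"   # from the advisory
FRONTEND="${FRONTEND:-127.0.0.1:8000}"                  # as in the QA log

# Return 0 if the header block on stdin is a 302 whose Location is https://.
# Header names are matched case-insensitively; the CR curl emits is stripped.
check_http_redirect() {
    tr -d '\r' | awk '
        NR == 1 && $2 == "302" { status_ok = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { loc_ok = 1 }
        END { exit !(status_ok && loc_ok) }'
}

# Return 0 if the header block on stdin is a 200 on HTTP/2 or HTTP/1.1.
check_https_ok() {
    tr -d '\r' | awk '
        NR == 1 && ($1 == "HTTP/2" || $1 == "HTTP/1.1") && $2 == "200" { ok = 1 }
        END { exit !ok }'
}

# Return 0 if the version-release string on stdin is exactly the expected one.
# Feed it the output of: rpm -q --qf '%{VERSION}-%{RELEASE}\n' haproxy
check_version() {
    read -r installed
    [ "$installed" = "$EXPECTED_VERSION" ]
}

# Live run against the local machine (needs rpm, systemctl and curl).
smoke_test() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' haproxy | check_version \
        || { echo "FAIL: installed haproxy is not $EXPECTED_VERSION"; return 1; }
    systemctl is-active --quiet haproxy.service \
        || { echo "FAIL: haproxy.service is not active"; return 1; }
    curl -sI "http://$FRONTEND" | check_http_redirect \
        || { echo "FAIL: http://$FRONTEND does not redirect to https"; return 1; }
    curl -skI "https://$FRONTEND" | check_https_ok \
        || { echo "FAIL: https://$FRONTEND did not answer 200"; return 1; }
    echo "OK: haproxy $EXPECTED_VERSION active, redirect and TLS front-end answer"
}

# Only run the live check when asked, so the functions can be sourced for tests.
if [ "${SMOKE_TEST_LIVE:-0}" = 1 ]; then
    smoke_test
fi
```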

Comment 9 Thomas Andrews 2024-08-22 14:25:43 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2024-08-22 19:26:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0184.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

