Description of problem:
Haproxy is in version 2.8.9 in mageia version while 2.8.10 version is available with three major, few medium and few minor security updates for 2.8 branch.

Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

Last version of 2.8 branch has a lot of fixed minor, medium and major bugs, we should update.

Fixed bug changelog:

2024/06/14 : 2.8.10
- MAJOR: connection: fix server used_conns with H2 + reuse safe
- MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
- MAJOR: server: do not delete srv referenced by session
- MEDIUM: applet: Fix applet API to put input data in a buffer
- MEDIUM: cache: Vary not working properly on anything other than accept-encoding
- MEDIUM: config: prevent communication with privileged ports
- MEDIUM: evports: do not clear returned events list on signal
- MEDIUM: fd: prevent memory waste in fdtab array
- MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
- MEDIUM: h1: Reject CONNECT request if the target has a scheme
- MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection
- MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
- MEDIUM: htx: mark htx_sl as packed since it may be realigned
- MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
- MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
- MEDIUM: peers/trace: fix crash when listing event types
- MEDIUM: quic: don't blindly rely on unaligned accesses
- MEDIUM: quic: fix connection freeze on post handshake
- MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
- MEDIUM: server: fix dynamic servers initial settings
- MEDIUM: spoe: Always retry when an applet fails to send a frame
- MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
- MEDIUM: stconn: Don't forward channel data if input data must be filtered
- MEDIUM: stick-tables: properly mark stktable_data as packed
- MINOR: activity: fix Delta_calls and Delta_bytes count
- MINOR: backend: use cum_sess counters instead of cum_conn
- MINOR: cfgparse: remove the correct option on httpcheck send-state warning
- MINOR: cli: Report an error to user if command or payload is too big
- MINOR: connection: parse PROXY TLV for LOCAL mode
- MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
- MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
- MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
- MINOR: h1: fix detection of upper bytes in the URI
- MINOR: haproxy: only tid 0 must not sleep if got signal
- MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
- MINOR: hlua: fix leak in hlua_ckch_set() error path
- MINOR: hlua: fix unsafe hlua_pusherror() usage
- MINOR: hlua: prevent LJMP in hlua_traceback()
- MINOR: hlua: use CertCache.set() from various hlua contexts
- MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header
- MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
- MINOR: http-htx: Support default path during scheme based normalization
- MINOR: listener: always assign distinct IDs to shards
- MINOR: log: add dup_logsrv() helper function
- MINOR: log: fix lf_text_len() truncate inconsistency
- MINOR: log: invalid snprintf() usage in sess_build_logline()
- MINOR: log: keep the ref in dup_logger()
- MINOR: log: smp_rgs array issues with inherited global log directives
- MINOR: mux-quic: fix error code on shutdown for non HTTP/3
- MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
- MINOR: net_helper: Add support for floats/doubles.
- MINOR: qpack: fix error code reported on QPACK decoding failure
- MINOR: quic: adjust restriction for stateless reset emission
- MINOR: quic: prevent crash on qc_kill_conn()
- MINOR: server: Don't reset resolver options on a new default-server line
- MINOR: server: fix slowstart behavior
- MINOR: session: rename private conns elements
- MINOR: sock: handle a weird condition with connect()
- MINOR: ssl/ocsp: init callback func ptr as NULL
- MINOR: stats: Don't state the 303 redirect response is chunked
- MINOR: stconn: Fix sc_mux_strm() return value
- MINOR: tcpcheck: report correct error in tcp-check rule parser
- MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
- MINOR: tools/log: invalid encode_{chunk,string} usage

Version-Release number of selected component (if applicable):
2.8.6

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
    core:
      - haproxy-2.8.10-1.mga9
description: |
  Haproxy has three major, few medium and few minor bugs fixed in last upstream
  version 2.8.10 of branch 2.8

  Fixed major bug list:
  - connection: fix server used_conns with H2 + reuse safe
  - quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
  - server: do not delete srv referenced by session

  Fixed medium bug list:
  - applet: Fix applet API to put input data in a buffer
  - cache: Vary not working properly on anything other than accept-encoding
  - config: prevent communication with privileged ports
  - evports: do not clear returned events list on signal
  - fd: prevent memory waste in fdtab array
  - grpc: Fix several unaligned 32/64 bits accesses
  - h1: Reject CONNECT request if the target has a scheme
  - http-ana: Deliver 502 on keep-alive for fressh server connection
  - http_ana: ignore NTLM for reuse aggressive/always and no H1
  - htx: mark htx_sl as packed since it may be realigned
  - mux-quic: Create sedesc in same time of the QUIC stream
  - peers: Fix exit condition when max-updates-at-once is reached
  - peers/trace: fix crash when listing event types
  - quic: don't blindly rely on unaligned accesses
  - quic: fix connection freeze on post handshake
  - quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
  - server: fix dynamic servers initial settings
  - spoe: Always retry when an applet fails to send a frame
  - ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
  - stconn: Don't forward channel data if input data must be filtered
  - stick-tables: properly mark stktable_data as packed
references:
  - https://bugs.mageia.org/show_bug.cgi?id=33475
  - https://www.haproxy.org/download/2.8/src/CHANGELOG
Keywords: (none) => advisory
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Sat 2024-08-XX XX:XX:XX CEST; XX day XXh ago
    Process: XXXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 64.0M
        CPU: XXmin XX.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Mon, 19 Aug 2024 00:10:07 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.10-1.mga9
haproxy-2.8.10-1.mga9
Packages in 9/core/updates_testing

i586:
haproxy-2.8.10-1.mga9.i586.rpm
haproxy-noquic-2.8.10-1.mga9.i586.rpm
haproxy-quic-2.8.10-1.mga9.i586.rpm
haproxy-utils-2.8.10-1.mga9.i586.rpm

x86_64:
haproxy-2.8.10-1.mga9.x86_64.rpm
haproxy-noquic-2.8.10-1.mga9.x86_64.rpm
haproxy-quic-2.8.10-1.mga9.x86_64.rpm
haproxy-utils-2.8.10-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.10-1.mga9
Whiteboard: (none) => MGA9-64-OK
Previous update ticket: https://bugs.mageia.org/show_bug.cgi?id=33066

Packages built and uploaded, advisory available. QA should just have to double check, validate update or report if there is something wrong.
Assignee: bugsquad => qa-bugs
CC: (none) => j.alberto.vc, mageia, mageia
CC: (none) => andrewsfarm
Installed correctly, up and running. No regressions so far
(In reply to Marc Krämer from comment #5)
> Installed correctly, up and running. No regressions so far

Could you test haproxy 3.0.3, available in cauldron, as well? I updated the patch loading pem certificate in /etc/pki/tls/{public,private}/ and it may need validation that there is no regression as well.

Best regards
I only have a live setup. And my setup doesn't use any protocols from haproxy, I use it only for load balancing on lowest level.
RH mageia 9 x86_64

Test noquic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.10-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.10       1.mga9        x86_64
  haproxy-noquic                 2.8.10       1.mga9        x86_64
4.8MB of additional disk space will be used.
1.5MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

installing haproxy-noquic-2.8.10-1.mga9.x86_64.rpm haproxy-2.8.10-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: haproxy ##################################################################################################
2/2: haproxy-noquic ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.10-1.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8080 and 8443 by default.
Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443
Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2024-08-21 11:55:49 CST; 20s ago
    Process: 116507 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 116515 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.0M
        CPU: 140ms
     CGroup: /system.slice/haproxy.service
             ├─116515 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─116518 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

ago 21 11:55:49 jgrey.phoenix systemd[1]: Starting haproxy.service...
ago 21 11:55:49 jgrey.phoenix systemd[1]: Started haproxy.service.
curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Wed, 21 Aug 2024 17:56:58 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.14
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Test quic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.10-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.10-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.10       1.mga9        x86_64
  haproxy-quic                   2.8.10       1.mga9        x86_64
(medium "Core Updates (distrib3)")
  lib64quictls81.3               3.0.14       1.1.mga9      x86_64
12MB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.14-1.1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/lib64quictls81.3-3.0.14-1.1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-2.8.10-1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-quic-2.8.10-1.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/3: lib64quictls81.3 ##################################################################################################
2/3: haproxy ##################################################################################################
3/3: haproxy-quic ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.10-1.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8080 and 8443 by default.
Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443
Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2024-08-21 11:59:22 CST; 5s ago
    Process: 141986 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 141991 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 105ms
     CGroup: /system.slice/haproxy.service
             ├─141991 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─141993 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

ago 21 11:59:22 jgrey.phoenix systemd[1]: Starting haproxy.service...
ago 21 11:59:22 jgrey.phoenix systemd[1]: Started haproxy.service.
curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Wed, 21 Aug 2024 18:00:40 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.14
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

As in previous test install haproxy-utils by hand

LC_ALL=C urpmi haproxy-utils

installing haproxy-utils-2.8.10-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: haproxy-utils ##################################################################################################

I like some examples to test the utils, but all is like in previous version, keep the OK, please don't add me to CC list because I get double mails ;)
CC: j.alberto.vc => (none)
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0184.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED