Description of problem:
Haproxy is in version 2.8.10 in mageia version while 2.8.11 version is available with one major, few medium and few minor security updates for 2.8 branch.

Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

Last version of 2.8 branch has a lot of fixed minor, medium and major bugs, we should update.

Fixed bug changelog:

2024/09/19 : 2.8.11
- MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
- MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
- MEDIUM: cache/stats: Wait to have the request before sending the response
- MEDIUM: cli: Always release back endpoint between two commands on the mcli
- MEDIUM: clock: also update the date offset on time jumps
- MEDIUM: clock: detect and cover jumps during execution
- MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
- MEDIUM: h1: Reject empty Transfer-encoding header
- MEDIUM: h2: Only report early HTX EOM for tunneled streams
- MEDIUM: h3: ensure the ":method" pseudo header is totally valid
- MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
- MEDIUM: http-ana: Report error on write error waiting for the response
- MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
- MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
- MEDIUM: jwt: Clear SSL error queue on error when checking the signature
- MEDIUM: mux-h1: Properly handle empty message when an error is triggered
- MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
- MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
- MEDIUM: mworker/cli: fix pipelined modes on master CLI
- MEDIUM: pattern: prevent UAF on reused pattern expr
- MEDIUM: promex: Wait to have the request before sending the response
- MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
- MEDIUM: queue: implement a flag to check for the dequeuing
- MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
- MEDIUM: quic: fix race-condition in quic_get_cid_tid()
- MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
- MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
- MEDIUM: ssl: initialize the SSL stack explicitely
- MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
- MEDIUM: stconn: Report error on SC on send if a previous SE error was set
- MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
- MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
- MINOR: activity: make the memory profiling hash size configurable at build time
- MINOR: cfgparse-listen: fix option httpslog override warning message
- MINOR: channel: implement ci_insert() function
- MINOR: cli: Atomically inc the global request counter between CLI commands
- MINOR: clock: make time jump corrections a bit more accurate
- MINOR: clock: validate that now_offset still applies to the current date
- MINOR: fcgi-app: handle a possible strdup() failure
- MINOR: h1: Fail to parse empty transfer coding names
- MINOR: h1: Reject empty coding name as last transfer-encoding value
- MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
- MINOR: h3: properly reject too long header responses
- MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
- MINOR: jwt: don't try to load files with HMAC algorithm
- MINOR: jwt: fix variable initialisation
- MINOR: mux-quic: do not send too big MAX_STREAMS ID
- MINOR: mux-quic: fix crash on qcs SD alloc failure
- MINOR: pattern: do not leave a leading comma on "set" error messages
- MINOR: pattern: pat_ref_set: fix UAF reported by coverity
- MINOR: pattern: pat_ref_set: return 0 if err was found
- MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
- MINOR: polling: fix time reporting when using busy polling
- MINOR: proto_tcp: delete fd from fdtab if listen() fails
- MINOR: proto_tcp: keep error msg if listen() fails
- MINOR: proto_uxst: delete fd from fdtab if listen() fails
- MINOR: proxy: fix check_{command,path} leak on deinit()
- MINOR: proxy: fix dyncookie_key leak on deinit()
- MINOR: proxy: fix header_unique_id leak on deinit()
- MINOR: proxy: fix log_tag leak on deinit()
- MINOR: proxy: fix server_id_hdr_name leak on deinit()
- MINOR: proxy: fix source interface and usesrc leaks on deinit()
- MINOR: queue: add a function to check for TOCTOU after queueing
- MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
- MINOR: quic: fix computed length of emitted STREAM frames
- MINOR: quic: fix race condition in qc_check_dcid()
- MINOR: quic: fix race-condition on trace for CID retrieval
- MINOR: quic: Lack of precision when computing K (cubic only cc)
- MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
- MINOR: server: Don't warn fallback IP is used during init-addr resolution
- MINOR: session: Eval L4/L5 rules defined in the default section
- MINOR: stconn: Request to send something to be woken up when the pipe is full
- MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
- MINOR: trace: automatically start in waiting mode with "start <evt>"
- MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
- MINOR: trace/quic: make "qconn" selectable as a lockon criterion
- MINOR: trace/quic: permit to lock on frontend/connect/session etc

Version-Release number of selected component (if applicable):
2.8.10

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
    core:
      - haproxy-2.8.11-1.mga9
description: |
  Haproxy has one major, few medium and few minor bugs fixed in last upstream
  version 2.8.11 of branch 2.8

  Fixed major bug list:

  - mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state

  Fixed medium bug list:

  - bwlim: Be sure to never set the analyze expiration date in past
  - cache/stats: Wait to have the request before sending the response
  - cli: Always release back endpoint between two commands on the mcli
  - clock: also update the date offset on time jumps
  - clock: detect and cover jumps during execution
  - debug/cli: fix "show threads" crashing with low thread counts
  - h1: Reject empty Transfer-encoding header
  - h2: Only report early HTX EOM for tunneled streams
  - h3: ensure the ":method" pseudo header is totally valid
  - h3: ensure the ":scheme" pseudo header is totally valid
  - http-ana: Report error on write error waiting for the response
  - init: fix fd_hard_limit default in compute_ideal_maxconn
  - init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
  - jwt: Clear SSL error queue on error when checking the signature
  - mux-h1: Properly handle empty message when an error is triggered
  - mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
  - mux-pt/mux-h1: Release the pipe on connection error on sending path
  - mworker/cli: fix pipelined modes on master CLI
  - pattern: prevent UAF on reused pattern expr
  - promex: Wait to have the request before sending the response
  - queue: deal with a rare TOCTOU in assign_server_and_queue()
  - queue: implement a flag to check for the dequeuing
  - quic: fix possible exit from qc_check_dcid() without unlocking
  - quic: fix race-condition in quic_get_cid_tid()
  - quic: prevent conn freeze on 0RTT undeciphered content
  - spoe: Be sure to create a SPOE applet if none on the current thread
  - ssl: initialize the SSL stack explicitely
  - ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
  - stconn: Report error on SC on send if a previous SE error was set
  - stream: Prevent mux upgrades if client connection is no longer ready
  - trace: fix null deref in lockon mechanism since TRACE_ENABLED()
references:
  - https://bugs.mageia.org/show_bug.cgi?id=33593
  - https://www.haproxy.org/download/2.8/src/CHANGELOG
Keywords: (none) => advisory
Previous update ticket: https://bugs.mageia.org/show_bug.cgi?id=33475

Packages built and uploaded, advisory available. QA should just have to double check, validate update or report if there is something wrong.

Packages in 9/core/updates_testing

i586:
haproxy-2.8.11-1.mga9.i586.rpm
haproxy-noquic-2.8.11-1.mga9.i586.rpm
haproxy-quic-2.8.11-1.mga9.i586.rpm
haproxy-utils-2.8.11-1.mga9.i586.rpm

x86_64:
haproxy-2.8.11-1.mga9.x86_64.rpm
haproxy-noquic-2.8.11-1.mga9.x86_64.rpm
haproxy-quic-2.8.11-1.mga9.x86_64.rpm
haproxy-utils-2.8.11-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.11-1.mga9
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Fri 2024-09-XX XX:XX:XX CEST; XXmin ago
    Process: XXXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 21.4M
        CPU: XX.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Thu, 26 Sep 2024 23:03:34 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.11-1.mga9
haproxy-2.8.11-1.mga9
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, mageia, mageia
Assignee: bugsquad => qa-bugs
RH mageia 9 x86_64

Test noquic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.11-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.11-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.11-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.11       1.mga9        x86_64
  haproxy-noquic                 2.8.11       1.mga9        x86_64
4.8MB of additional disk space will be used.
1.5MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

installing haproxy-2.8.11-1.mga9.x86_64.rpm haproxy-noquic-2.8.11-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: haproxy-noquic ##################################################################################################
2/2: haproxy ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.11-1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8080 and 8443 by default.
Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:

# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Fri 2024-09-27 18:11:52 CST; 19s ago
    Process: 21900 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 21906 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 128ms
     CGroup: /system.slice/haproxy.service
             ├─21906 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─21908 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

sep 27 18:11:52 jgrey.phoenix systemd[1]: Starting haproxy.service...
sep 27 18:11:52 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Sat, 28 Sep 2024 00:13:28 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Test quic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.11-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.11-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.11-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.11       1.mga9        x86_64
  haproxy-quic                   2.8.11       1.mga9        x86_64
(medium "Core Updates (distrib3)")
  lib64quictls81.3               3.0.14       1.1.mga9      x86_64
12MB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.14-1.1.mga9.x86_64.rpm
installing //home/katnatek/qa-testing/x86_64/haproxy-2.8.11-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/lib64quictls81.3-3.0.14-1.1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-quic-2.8.11-1.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/3: lib64quictls81.3 ##################################################################################################
2/3: haproxy-quic ##################################################################################################
3/3: haproxy ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.11-1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:

# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Fri 2024-09-27 18:16:48 CST; 18s ago
    Process: 47512 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 47517 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 127ms
     CGroup: /system.slice/haproxy.service
             ├─47517 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─47519 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

sep 27 18:16:48 jgrey.phoenix systemd[1]: Starting haproxy.service...
sep 27 18:16:48 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Sat, 28 Sep 2024 00:19:18 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

all is like in previous version, keep the OK

As in previous test install haproxy-utils by hand

LC_ALL=C urpmi haproxy-utils

installing haproxy-utils-2.8.11-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: haproxy-utils ##################################################################################################
Thank you, katnatek. Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2024-0203.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED