Bug 33820 - Haproxy subversion update
Summary: Haproxy subversion update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-11-30 19:04 CET by Raphael Gertz
Modified: 2024-12-02 18:46 CET

See Also:
Source RPM: haproxy-2.8.11-1.mga9.src.rpm
CVE:
Status comment:


Description Raphael Gertz 2024-11-30 19:04:22 CET
Description of problem:
Haproxy is at version 2.8.11 in Mageia, while version 2.8.12 is available with one major, a few medium and a few minor security updates for the 2.8 branch.

Changelog there:
http://www.haproxy.org/download/2.8/src/CHANGELOG

The latest version of the 2.8 branch fixes a lot of minor, medium and major bugs; we should update.

Fixed bug changelog:

2024/11/08 : 2.8.12
    - CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry
    - DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
    - DOC: config: fix rfc7239 forwarded typo in desc
    - MAJOR: ocsp: Separate refcount per instance and per store
    - MEDIUM: cli: Deadlock when setting frontend maxconn
    - MEDIUM: connection/http-reuse: fix address collision on unhandled address families
    - MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
    - MEDIUM: hlua: make hlua_ctx_renew() safe
    - MEDIUM: hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}()
    - MEDIUM: mux-pt: Never fully close the connection on shutdown
    - MEDIUM: mux-quic: ensure timeout server is active for short requests
    - MEDIUM: server: fix race on servers_list during server deletion
    - MEDIUM: server: server stuck in maintenance after FQDN change
    - MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
    - MEDIUM: stconn: Report blocked send if sends are blocked by an error
    - MINOR: activity/memprofile: always return "other" bin on NULL return address
    - MINOR: cfgparse-global: fix allowed args number for setenv
    - MINOR: cli: remove non-printable characters from 'debug dev fd'
    - MINOR: http-ana: Don't report a server abort if response payload is invalid
    - MINOR: http-ana: Fix wrong client abort reports during responses forwarding
    - MINOR: http-ana: Report internal error if an action yields on a final eval
    - MINOR: httpclient: return NULL when no proxy available during httpclient_new()
    - MINOR: mux-quic: do not close STREAM with empty FIN if no data sent
    - MINOR: mworker: fix mworker-max-reloads parser
    - MINOR: pools: export the pools variable
    - MINOR: server: fix dynamic server leak with check on failed init
    - MINOR: server: make sure the HMAINT state is part of MAINT
    - MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly
    - MINOR: stream: Save last evaluated rule on invalid yield
    - REGTESTS: Never reuse server connection in http-messaging/truncated.vtc

Version-Release number of selected component (if applicable):
2.8.11

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version

Comment 1 Raphael Gertz 2024-11-30 19:09:30 CET
type: bugfix
subject: Updated haproxy package fixes some bugs
src:
  9:
   core:
     - haproxy-2.8.12-1.1.mga9
description: |
  Haproxy has one major, few medium and few minor bugs fixed in last upstream
  version 2.8.12 of branch 2.8

  Fixed major bug list:
  - ocsp: Separate refcount per instance and per store

  Fixed medium bug list:
  - cli: Deadlock when setting frontend maxconn
  - connection/http-reuse: fix address collision on unhandled address families
  - h1: Accept invalid T-E values with accept-invalid-http-response option
  - hlua: make hlua_ctx_renew() safe
  - hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}()
  - mux-pt: Never fully close the connection on shutdown
  - mux-quic: ensure timeout server is active for short requests
  - server: fix race on servers_list during server deletion
  - server: server stuck in maintenance after FQDN change
  - ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
  - stconn: Report blocked send if sends are blocked by an error

references:
 - https://bugs.mageia.org/show_bug.cgi?id=33820
 - https://www.haproxy.org/download/2.8/src/CHANGELOG

Keywords: (none) => advisory

Comment 2 Raphael Gertz 2024-11-30 19:10:54 CET
Previous update tickets:
https://bugs.mageia.org/show_bug.cgi?id=33475
https://bugs.mageia.org/show_bug.cgi?id=33593

Packages built and uploaded, advisory available.

QA should just have to double check, validate update or report if there is something wrong.

Packages in 9/core/updates_testing
i586:
haproxy-2.8.12-1.1.mga9.i586.rpm
haproxy-noquic-2.8.12-1.1.mga9.i586.rpm
haproxy-quic-2.8.12-1.1.mga9.i586.rpm
haproxy-utils-2.8.12-1.1.mga9.i586.rpm

x86_64:
haproxy-2.8.12-1.1.mga9.x86_64.rpm
haproxy-noquic-2.8.12-1.1.mga9.x86_64.rpm
haproxy-quic-2.8.12-1.1.mga9.x86_64.rpm
haproxy-utils-2.8.12-1.1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.12-1.1.mga9

Whiteboard: (none) => MGA9-64-OK

Comment 3 Raphael Gertz 2024-11-30 19:13:27 CET
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since XXX 2024-XX-XX XX:XX:XX CET; XXmin ago
    Process: XXXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 23.8M
        CPU: Xmin X.Xs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Thu, 26 Sep 2024 23:03:34 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.12-1.1.mga9
haproxy-2.8.12-1.1.mga9

Raphael Gertz 2024-11-30 19:15:32 CET

CC: (none) => andrewsfarm, mageia, mageia
Assignee: bugsquad => qa-bugs

Comment 4 katnatek 2024-12-01 17:10:23 CET
RH mageia 9 x86_64

Test noquic

LC_ALL=C urpmi haproxy haproxy-utils
In order to satisfy the 'haproxy-server[== 2.8.12-1.1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.12-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.12-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.12       1.1.mga9      x86_64  
  haproxy-noquic                 2.8.12       1.1.mga9      x86_64  
  haproxy-utils                  2.8.12       1.1.mga9      x86_64  
4.8MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y


installing haproxy-2.8.12-1.1.mga9.x86_64.rpm haproxy-utils-2.8.12-1.1.mga9.x86_64.rpm haproxy-noquic-2.8.12-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: haproxy-noquic        ##################################################################################################
      2/3: haproxy               ##################################################################################################
      3/3: haproxy-utils         ##################################################################################################
      1/1: removing haproxy-utils-2.8.11-1.mga9.x86_64
                                 ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.12-1.1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT        net     8000    tcp     80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT        net     8000    tcp     443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT       net     8443    udp     443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sun 2024-12-01 10:03:03 CST; 9s ago
    Process: 18331 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 18337 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 124ms
     CGroup: /system.slice/haproxy.service
             ├─18337 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─18339 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

dic 01 10:03:03 jgrey.phoenix systemd[1]: Starting haproxy.service...
dic 01 10:03:03 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Sun, 01 Dec 2024 16:04:46 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Test quic

LC_ALL=C urpmi haproxy haproxy-utils
In order to satisfy the 'haproxy-server[== 2.8.12-1.1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.12-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.12-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.12       1.1.mga9      x86_64  
  haproxy-quic                   2.8.12       1.1.mga9      x86_64  
  haproxy-utils                  2.8.12       1.1.mga9      x86_64  
5.4MB of additional disk space will be used.
1.7MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y


installing haproxy-utils-2.8.12-1.1.mga9.x86_64.rpm haproxy-quic-2.8.12-1.1.mga9.x86_64.rpm haproxy-2.8.12-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: haproxy               ##################################################################################################
      2/3: haproxy-quic          ##################################################################################################
      3/3: haproxy-utils         ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.12-1.1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT        net     8000    tcp     80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT        net     8000    tcp     443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT       net     8443    udp     443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sun 2024-12-01 10:07:53 CST; 6s ago
    Process: 44265 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 44270 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 21.4M
        CPU: 128ms
     CGroup: /system.slice/haproxy.service
             ├─44270 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─44275 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

dic 01 10:07:53 jgrey.phoenix systemd[1]: Starting haproxy.service...
dic 01 10:07:53 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Sun, 01 Dec 2024 16:09:17 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

OK for me

Comment 5 Thomas Andrews 2024-12-01 23:14:14 CET
Validating.

Comment 6 Thomas Andrews 2024-12-02 17:59:41 CET
Oops. Forgot to change the Keywords field.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2024-12-02 18:46:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

