Description of problem:
Haproxy is at version 2.8.12 in Mageia, while version 2.8.14 is available with two major, a few medium and a few minor security updates for the 2.8 branch.

Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

The last version of the 2.8 branch has a lot of minor, medium and major bugs fixed; we should update.

Fixed bug changelog:

2025/01/29 : 2.8.14
- MAJOR: quic: reject too large CRYPTO frames
- MEDIUM: debug: on panic, make the target thread automatically allocate its buf
- MEDIUM: mux-h1: Fix how timeouts are applied on H1 connections
- MEDIUM: mux-h1: Properly close H1C if an error is reported before sending data
- MEDIUM: pattern: prevent uninitialized reads in pat_match_{str,beg}
- MEDIUM: queue: Make process_srv_queue return the number of streams
- MEDIUM: queues: Do not use pendconn_grab_from_px().
- MEDIUM: queues: Make sure we call process_srv_queue() when leaving
- MEDIUM: quic: prevent crash due to CRYPTO parsing error
- MEDIUM: quic: support wait-for-handshake
- MEDIUM: stconn: Don't forward shut for SC in connecting state
- MEDIUM: stconn: Only consider I/O timers to update stream's expiration date
- MEDIUM: stconn: Really report blocked send if sends are blocked by an error
- MEDIUM: stktable: fix missing lock on some table converters
- MINOR: chunk: drop the global thread_dump_buffer
- MINOR: config: Alert about extra arguments for errorfile and errorloc
- MINOR: debug: make ha_thread_dump_done() take the pointer to be used
- MINOR: debug: make mark_tainted() return the previous value
- MINOR: debug: replace ha_thread_dump() with its two components
- MINOR: debug: slightly change the thread_dump_pointer signification
- MINOR: debug: split ha_thread_dump() in two parts
- MINOR: init: set HAPROXY_STARTUP_VERSION from the variable, not the macro
- MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount
- MINOR: quic: do not increase congestion window if app limited
- MINOR: quic: ensure a detached coalesced packet can't access its neighbours
- MINOR: quic: extend return value of CRYPTO parsing
- MINOR: quic: notify connection layer on handshake completion
- MINOR: quic: reject NEW_TOKEN frames from clients
- MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO
- MINOR: quic: simplify qc_parse_pkt_frms() return path
- MINOR: quic: use dynamically allocated frame on parsing
- MINOR: ssl: put ssl_sock_load_ca under SSL_NO_GENERATE_CERTIFICATES
- MINOR: stktable: fix big-endian compatiblity in smp_to_stkey()
- MINOR: stream: Properly handle "on-marked-up shutdown-backup-sessions"
- MINOR: stream: unblock stream on wait-for-handshake completion

2024/12/12 : 2.8.13
- MAJOR: quic: fix wrong packet building due to already acked frames
- MEDIUM: checks: make sure to always apply offsets to now_ms in expiration
- MEDIUM: debug: don't set the STUCK flag from debug_handler()
- MEDIUM: event_hdl: fix uninitialized value in async mode when no data is provided
- MEDIUM: h3: Increase max number of headers when sending headers
- MEDIUM: h3: Properly limit the number of headers received
- MEDIUM: http-ana: Don't release too early the L7 buffer
- MEDIUM: http-ana: Reset request flag about data sent to perform a L7 retry
- MEDIUM: mailers: make sure to always apply offsets to now_ms in expiration
- MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
- MEDIUM: mux-h2: Check the number of headers in HEADERS frame after decoding
- MEDIUM: mux-h2: Don't send RST_STREAM frame for streams with no ID
- MEDIUM: mux-h2: Increase max number of headers when encoding HEADERS frames
- MEDIUM: pools/memprofile: always clean stale pool info on pool_destroy()
- MEDIUM: queue: always dequeue the backend when redistributing the last server
- MEDIUM: queue: make sure never to queue when there's no more served conns
- MEDIUM: quic: handle retransmit for standalone FIN STREAM
- MEDIUM: resolvers: Insert a non-executed resulution in front of the wait list
- MEDIUM: sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set
- MEDIUM: stream: make stream_shutdown() async-safe
- MINOR: activity/memprofile: offer a function to unregister stale info
- MINOR: cli: don't show sockpairs in HAPROXY_CLI and HAPROXY_MASTER_CLI
- MINOR: Don't report early srv aborts on request forwarding in DONE state
- MINOR: h1: do not forward h2c upgrade header token
- MINOR: h1-htx: Use default reason if not set when formatting the response
- MINOR: h2: reject extended connect for h2c protocol
- MINOR: http-ana: Adjust the server status before the L7 retries
- MINOR: http-ana: Disable fast-fwd for unfinished req waiting for upgrade
- MINOR: http_ana: Report -1 for %Tr for invalid response only
- MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
- MINOR: mux_quic: make sure to always apply offsets to now_ms in expiration
- MINOR: peers: make sure to always apply offsets to now_ms in expiration
- MINOR: quic: convert qc_stream_desc release field to flags
- MINOR: quic: implement function to check if STREAM is fully acked
- MINOR: quic: prevent freeze after early QCS closure
- MINOR: quic: remove startup alert if conn socket-owner unsupported
- MINOR: server-state: Fix expiration date of srvrq_check tasks
- MINOR: signal: register default handler for SIGINT in signal_init()
- MINOR: ssl_sock: fix xprt_set_used() to properly clear the TASK_F_USR1 bit
- MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG

Version-Release number of selected component (if applicable):
2.8.12

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version

type: bugfix
subject: Updated haproxy packages fix some bugs
src:
  9:
    core:
      - haproxy-2.8.14-1.mga9
description: |
  Haproxy has two major, a few medium and a few minor bugs fixed in the last upstream version 2.8.14 of branch 2.8.

  Fixed major bug list:
  - quic: reject too large CRYPTO frames
  - quic: fix wrong packet building due to already acked frames

  Fixed medium bug list:
  - checks: make sure to always apply offsets to now_ms in expiration
  - debug: don't set the STUCK flag from debug_handler()
  - debug: on panic, make the target thread automatically allocate its buf
  - event_hdl: fix uninitialized value in async mode when no data is provided
  - h3: Increase max number of headers when sending headers
  - h3: Properly limit the number of headers received
  - http-ana: Don't release too early the L7 buffer
  - http-ana: Reset request flag about data sent to perform a L7 retry
  - mailers: make sure to always apply offsets to now_ms in expiration
  - mux-h1: Fix how timeouts are applied on H1 connections
  - mux-h1/mux-h2: Reject upgrades with payload on H2 side only
  - mux-h1: Properly close H1C if an error is reported before sending data
  - mux-h2: Check the number of headers in HEADERS frame after decoding
  - mux-h2: Don't send RST_STREAM frame for streams with no ID
  - mux-h2: Increase max number of headers when encoding HEADERS frames
  - pattern: prevent uninitialized reads in pat_match_{str,beg}
  - pools/memprofile: always clean stale pool info on pool_destroy()
  - queue: always dequeue the backend when redistributing the last server
  - queue: Make process_srv_queue return the number of streams
  - queue: make sure never to queue when there's no more served conns
  - queues: Do not use pendconn_grab_from_px().
  - queues: Make sure we call process_srv_queue() when leaving
  - quic: handle retransmit for standalone FIN STREAM
  - quic: prevent crash due to CRYPTO parsing error
  - quic: support wait-for-handshake
  - resolvers: Insert a non-executed resulution in front of the wait list
  - sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set
  - stconn: Don't forward shut for SC in connecting state
  - stconn: Only consider I/O timers to update stream's expiration date
  - stconn: Really report blocked send if sends are blocked by an error
  - stktable: fix missing lock on some table converters
  - stream: make stream_shutdown() async-safe
references:
  - https://bugs.mageia.org/show_bug.cgi?id=34105
  - https://www.haproxy.org/download/2.8/src/CHANGELOG

Previous update tickets:
https://bugs.mageia.org/show_bug.cgi?id=33475
https://bugs.mageia.org/show_bug.cgi?id=33593
https://bugs.mageia.org/show_bug.cgi?id=33820

Packages built and uploaded, advisory available.
QA should just have to double check, validate update or report if there is something wrong.

Packages in 9/core/updates_testing

i586:
haproxy-2.8.14-1.mga9.i586.rpm
haproxy-noquic-2.8.14-1.mga9.i586.rpm
haproxy-quic-2.8.14-1.mga9.i586.rpm
haproxy-utils-2.8.14-1.mga9.i586.rpm

x86_64:
haproxy-2.8.14-1.mga9.x86_64.rpm
haproxy-noquic-2.8.14-1.mga9.x86_64.rpm
haproxy-quic-2.8.14-1.mga9.x86_64.rpm
haproxy-utils-2.8.14-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.14-1.mga9

Keywords: (none) => advisory
Whiteboard: (none) => MGA9-64-OK
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Fri XXXX-XX-XX XX:XX:XX CET; XXmin ago
    Process: XXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: X (limit: 65000)
     Memory: XX.XXXM
        CPU: XX.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Fri, 14 Mar 2025 22:30:41 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-3.0.14-1.mga9
haproxy-3.0.14-1.mga9

Assignee: bugsquad => qa-bugs
CC: (none) => andrewsfarm, mageia
RH x86_64

Test noquic

LC_ALL=C urpmi haproxy-utils haproxy-noquic
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.14       1.mga9        x86_64
  haproxy-noquic                 2.8.14       1.mga9        x86_64
  haproxy-utils                  2.8.14       1.mga9        x86_64
5MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

installing haproxy-2.8.14-1.mga9.x86_64.rpm haproxy-utils-2.8.14-1.mga9.x86_64.rpm haproxy-noquic-2.8.14-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: haproxy-noquic        ##################################################################################################
      2/3: haproxy               ##################################################################################################
      3/3: haproxy-utils         ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.14-1.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8000, 8080 and 8443 by default.
Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443
Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sat 2025-03-15 12:55:52 CST; 15s ago
    Process: 66845 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 66851 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 144ms
     CGroup: /system.slice/haproxy.service
             ├─66851 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─66853 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

mar 15 12:55:51 jgrey.phoenix systemd[1]: Starting haproxy.service...
mar 15 12:55:52 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Sat, 15 Mar 2025 18:58:24 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 mod_fcgid/2.3.9
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Looks OK

RH x86_64

Test quic

LC_ALL=C urpmi haproxy-quic
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.14       1.mga9        x86_64
  haproxy-quic                   2.8.14       1.mga9        x86_64
5.2MB of additional disk space will be used.
1.7MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

installing haproxy-quic-2.8.14-1.mga9.x86_64.rpm haproxy-2.8.14-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: haproxy               ##################################################################################################
      2/2: haproxy-quic          ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.14-1.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8000, 8080 and 8443 by default.
Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443
Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sat 2025-03-15 13:04:26 CST; 5s ago
    Process: 94154 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 94159 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 20.7M
        CPU: 140ms
     CGroup: /system.slice/haproxy.service
             ├─94159 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─94161 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

mar 15 13:04:25 jgrey.phoenix systemd[1]: Starting haproxy.service...
mar 15 13:04:26 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Sat, 15 Mar 2025 19:06:21 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 mod_fcgid/2.3.9
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Looks OK

the mod_fcgid/2.3.9 difference from other test is due to configurations for bug#34072

Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2025-0030.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED