Bug 34105 - Haproxy 2.8 subversion 12 to 14 update
Summary: Haproxy 2.8 subversion 12 to 14 update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-14 23:11 CET by Raphael Gertz
Modified: 2025-03-17 17:34 CET (History)

See Also:
Source RPM: haproxy-2.8.12-1.1.mga9.src.rpm
CVE:
Status comment:



Description Raphael Gertz 2025-03-14 23:11:48 CET
Description of problem:
Haproxy is at version 2.8.12 in Mageia, while version 2.8.14 is available with two major, a few medium and a few minor security updates for the 2.8 branch.

Changelog here:
http://www.haproxy.org/download/2.8/src/CHANGELOG

The last version of the 2.8 branch has a lot of minor, medium and major bugs fixed; we should update.

Fixed bug changelog:
2025/01/29 : 2.8.14
    - MAJOR: quic: reject too large CRYPTO frames
    - MEDIUM: debug: on panic, make the target thread automatically allocate its buf
    - MEDIUM: mux-h1: Fix how timeouts are applied on H1 connections
    - MEDIUM: mux-h1: Properly close H1C if an error is reported before sending data
    - MEDIUM: pattern: prevent uninitialized reads in pat_match_{str,beg}
    - MEDIUM: queue: Make process_srv_queue return the number of streams
    - MEDIUM: queues: Do not use pendconn_grab_from_px().
    - MEDIUM: queues: Make sure we call process_srv_queue() when leaving
    - MEDIUM: quic: prevent crash due to CRYPTO parsing error
    - MEDIUM: quic: support wait-for-handshake
    - MEDIUM: stconn: Don't forward shut for SC in connecting state
    - MEDIUM: stconn: Only consider I/O timers to update stream's expiration date
    - MEDIUM: stconn: Really report blocked send if sends are blocked by an error
    - MEDIUM: stktable: fix missing lock on some table converters
    - MINOR: chunk: drop the global thread_dump_buffer
    - MINOR: config: Alert about extra arguments for errorfile and errorloc
    - MINOR: debug: make ha_thread_dump_done() take the pointer to be used
    - MINOR: debug: make mark_tainted() return the previous value
    - MINOR: debug: replace ha_thread_dump() with its two components
    - MINOR: debug: slightly change the thread_dump_pointer signification
    - MINOR: debug: split ha_thread_dump() in two parts
    - MINOR: init: set HAPROXY_STARTUP_VERSION from the variable, not the macro
    - MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount
    - MINOR: quic: do not increase congestion window if app limited
    - MINOR: quic: ensure a detached coalesced packet can't access its neighbours
    - MINOR: quic: extend return value of CRYPTO parsing
    - MINOR: quic: notify connection layer on handshake completion
    - MINOR: quic: reject NEW_TOKEN frames from clients
    - MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO
    - MINOR: quic: simplify qc_parse_pkt_frms() return path
    - MINOR: quic: use dynamically allocated frame on parsing
    - MINOR: ssl: put ssl_sock_load_ca under SSL_NO_GENERATE_CERTIFICATES
    - MINOR: stktable: fix big-endian compatiblity in smp_to_stkey()
    - MINOR: stream: Properly handle "on-marked-up shutdown-backup-sessions"
    - MINOR: stream: unblock stream on wait-for-handshake completion

2024/12/12 : 2.8.13
    - MAJOR: quic: fix wrong packet building due to already acked frames
    - MEDIUM: checks: make sure to always apply offsets to now_ms in expiration
    - MEDIUM: debug: don't set the STUCK flag from debug_handler()
    - MEDIUM: event_hdl: fix uninitialized value in async mode when no data is provided
    - MEDIUM: h3: Increase max number of headers when sending headers
    - MEDIUM: h3: Properly limit the number of headers received
    - MEDIUM: http-ana: Don't release too early the L7 buffer
    - MEDIUM: http-ana: Reset request flag about data sent to perform a L7 retry
    - MEDIUM: mailers: make sure to always apply offsets to now_ms in expiration
    - MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
    - MEDIUM: mux-h2: Check the number of headers in HEADERS frame after decoding
    - MEDIUM: mux-h2: Don't send RST_STREAM frame for streams with no ID
    - MEDIUM: mux-h2: Increase max number of headers when encoding HEADERS frames
    - MEDIUM: pools/memprofile: always clean stale pool info on pool_destroy()
    - MEDIUM: queue: always dequeue the backend when redistributing the last server
    - MEDIUM: queue: make sure never to queue when there's no more served conns
    - MEDIUM: quic: handle retransmit for standalone FIN STREAM
    - MEDIUM: resolvers: Insert a non-executed resulution in front of the wait list
    - MEDIUM: sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set
    - MEDIUM: stream: make stream_shutdown() async-safe
    - MINOR: activity/memprofile: offer a function to unregister stale info
    - MINOR: cli: don't show sockpairs in HAPROXY_CLI and HAPROXY_MASTER_CLI
    - MINOR: Don't report early srv aborts on request forwarding in DONE state
    - MINOR: h1: do not forward h2c upgrade header token
    - MINOR: h1-htx: Use default reason if not set when formatting the response
    - MINOR: h2: reject extended connect for h2c protocol
    - MINOR: http-ana: Adjust the server status before the L7 retries
    - MINOR: http-ana: Disable fast-fwd for unfinished req waiting for upgrade
    - MINOR: http_ana: Report -1 for %Tr for invalid response only
    - MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
    - MINOR: mux_quic: make sure to always apply offsets to now_ms in expiration
    - MINOR: peers: make sure to always apply offsets to now_ms in expiration
    - MINOR: quic: convert qc_stream_desc release field to flags
    - MINOR: quic: implement function to check if STREAM is fully acked
    - MINOR: quic: prevent freeze after early QCS closure
    - MINOR: quic: remove startup alert if conn socket-owner unsupported
    - MINOR: server-state: Fix expiration date of srvrq_check tasks
    - MINOR: signal: register default handler for SIGINT in signal_init()
    - MINOR: ssl_sock: fix xprt_set_used() to properly clear the TASK_F_USR1 bit
    - MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG

Version-Release number of selected component (if applicable):
2.8.12

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Comment 1 Raphael Gertz 2025-03-14 23:16:26 CET
type: bugfix
subject: Updated haproxy packages fix some bugs
src:
  9:
   core:
     - haproxy-2.8.14-1.mga9
description: |
  Haproxy has two major, a few medium and a few minor bugs fixed in the last
  upstream version 2.8.14 of branch 2.8.

  Fixed major bug list:
  - quic: reject too large CRYPTO frames
  - quic: fix wrong packet building due to already acked frames

  Fixed medium bug list:
  - checks: make sure to always apply offsets to now_ms in expiration
  - debug: don't set the STUCK flag from debug_handler()
  - debug: on panic, make the target thread automatically allocate its buf
  - event_hdl: fix uninitialized value in async mode when no data is provided
  - h3: Increase max number of headers when sending headers
  - h3: Properly limit the number of headers received
  - http-ana: Don't release too early the L7 buffer
  - http-ana: Reset request flag about data sent to perform a L7 retry
  - mailers: make sure to always apply offsets to now_ms in expiration
  - mux-h1: Fix how timeouts are applied on H1 connections
  - mux-h1/mux-h2: Reject upgrades with payload on H2 side only
  - mux-h1: Properly close H1C if an error is reported before sending data
  - mux-h2: Check the number of headers in HEADERS frame after decoding
  - mux-h2: Don't send RST_STREAM frame for streams with no ID
  - mux-h2: Increase max number of headers when encoding HEADERS frames
  - pattern: prevent uninitialized reads in pat_match_{str,beg}
  - pools/memprofile: always clean stale pool info on pool_destroy()
  - queue: always dequeue the backend when redistributing the last server
  - queue: Make process_srv_queue return the number of streams
  - queue: make sure never to queue when there's no more served conns
  - queues: Do not use pendconn_grab_from_px().
  - queues: Make sure we call process_srv_queue() when leaving
  - quic: handle retransmit for standalone FIN STREAM
  - quic: prevent crash due to CRYPTO parsing error
  - quic: support wait-for-handshake
  - resolvers: Insert a non-executed resulution in front of the wait list
  - sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set
  - stconn: Don't forward shut for SC in connecting state
  - stconn: Only consider I/O timers to update stream's expiration date
  - stconn: Really report blocked send if sends are blocked by an error
  - stktable: fix missing lock on some table converters
  - stream: make stream_shutdown() async-safe
references:
 - https://bugs.mageia.org/show_bug.cgi?id=34105
 - https://www.haproxy.org/download/2.8/src/CHANGELOG
Comment 2 Raphael Gertz 2025-03-14 23:18:33 CET
Previous update tickets:
https://bugs.mageia.org/show_bug.cgi?id=33475
https://bugs.mageia.org/show_bug.cgi?id=33593
https://bugs.mageia.org/show_bug.cgi?id=33820

Packages built and uploaded, advisory available.

QA should just have to double-check, validate the update, or report if there is something wrong.

Packages in 9/core/updates_testing
i586:
haproxy-2.8.14-1.mga9.i586.rpm
haproxy-noquic-2.8.14-1.mga9.i586.rpm
haproxy-quic-2.8.14-1.mga9.i586.rpm
haproxy-utils-2.8.14-1.mga9.i586.rpm

x86_64:
haproxy-2.8.14-1.mga9.x86_64.rpm
haproxy-noquic-2.8.14-1.mga9.x86_64.rpm
haproxy-quic-2.8.14-1.mga9.x86_64.rpm
haproxy-utils-2.8.14-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.14-1.mga9

Keywords: (none) => advisory
Whiteboard: (none) => MGA9-64-OK
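An added helper (example code, not part of the ticket or of the Mageia haproxy package) that makes the QA double-check mechanical: it verifies that every package in `rpm -qa | grep haproxy` output carries at least the fixed version-release 2.8.14-1.mga9, and that the plain-HTTP listener on port 8000 answers with the 302 redirect to https seen in the tests. It assumes GNU `sort -V` ordering for the version comparison; the sample inputs are constructed from the outputs quoted in this ticket.

```shell
#!/bin/sh
# Added QA helper for this update; not part of the ticket or of the Mageia
# haproxy package. Checks the two things the QA comments verify by hand:
# every installed haproxy package is at least the fixed release, and the
# plain-HTTP listener answers with a 302 redirect to https.
FIXED_VERSION="2.8.14-1.mga9"

# version_ge A B: true when version-release A sorts at or above B.
# Assumes GNU `sort -V` (version sort) semantics.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# all_packages_fixed LIST: LIST is `rpm -qa | grep haproxy` output, one
# package per line (e.g. haproxy-quic-2.8.14-1.mga9.x86_64). Returns 0 when
# every package carries version-release >= FIXED_VERSION, 1 otherwise.
all_packages_fixed() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # drop the arch suffix, then keep only "version-release"
        vr=$(printf '%s' "$pkg" |
            sed -E 's/\.(x86_64|i586|noarch)$//; s/^.*-([^-]+-[^-]+)$/\1/')
        version_ge "$vr" "$FIXED_VERSION" || { echo "too old: $pkg" >&2; exit 1; }
    done
}

# http_redirects_to_https HEADERS: HEADERS is the text from `curl -I http://...`.
# Returns 0 only for a 302 whose Location header points at an https:// URL.
http_redirects_to_https() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2}')
    [ "$status" = "302" ] || return 1
    case "$location" in https://*) return 0 ;; esac
    return 1
}

# Constructed samples, taken from the outputs quoted in this ticket.
SAMPLE_RPMS="haproxy-quic-2.8.14-1.mga9.x86_64
haproxy-2.8.14-1.mga9.x86_64"
SAMPLE_HEADERS="HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache"

if all_packages_fixed "$SAMPLE_RPMS" && http_redirects_to_https "$SAMPLE_HEADERS"; then
    echo "haproxy update check: OK"
else
    echo "haproxy update check: FAILED" >&2
fi
```

On a real test machine, feed the functions the live output instead: `all_packages_fixed "$(rpm -qa | grep haproxy)"` and `http_redirects_to_https "$(curl -sI http://127.0.0.1:8000)"`.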

Comment 3 Raphael Gertz 2025-03-14 23:31:51 CET
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Fri XXXX-XX-XX XX:XX:XX CET; XXmin ago
    Process: XXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: X (limit: 65000)
     Memory: XX.XXXM
        CPU: XX.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Fri, 14 Mar 2025 22:30:41 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-3.0.14-1.mga9
haproxy-3.0.14-1.mga9
Raphael Gertz 2025-03-14 23:33:34 CET

Assignee: bugsquad => qa-bugs
CC: (none) => andrewsfarm, mageia

Comment 4 katnatek 2025-03-15 20:01:56 CET
RH x86_64

Test noquic

LC_ALL=C urpmi haproxy-utils haproxy-noquic
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.14       1.mga9        x86_64  
  haproxy-noquic                 2.8.14       1.mga9        x86_64  
  haproxy-utils                  2.8.14       1.mga9        x86_64  
5MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y


installing haproxy-2.8.14-1.mga9.x86_64.rpm haproxy-utils-2.8.14-1.mga9.x86_64.rpm haproxy-noquic-2.8.14-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: haproxy-noquic        ##################################################################################################
      2/3: haproxy               ##################################################################################################
      3/3: haproxy-utils         ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.14-1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT        net     8000    tcp     80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT        net     8000    tcp     443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT       net     8443    udp     443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sat 2025-03-15 12:55:52 CST; 15s ago
    Process: 66845 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 66851 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 144ms
     CGroup: /system.slice/haproxy.service
             ├─66851 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─66853 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

mar 15 12:55:51 jgrey.phoenix systemd[1]: Starting haproxy.service...
mar 15 12:55:52 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Sat, 15 Mar 2025 18:58:24 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 mod_fcgid/2.3.9
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Looks OK
Comment 5 katnatek 2025-03-15 20:08:05 CET
RH x86_64

Test quic

LC_ALL=C urpmi haproxy-quic
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  haproxy                        2.8.14       1.mga9        x86_64  
  haproxy-quic                   2.8.14       1.mga9        x86_64  
5.2MB of additional disk space will be used.
1.7MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


installing haproxy-quic-2.8.14-1.mga9.x86_64.rpm haproxy-2.8.14-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: haproxy               ##################################################################################################
      2/2: haproxy-quic          ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.14-1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT        net     8000    tcp     80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT        net     8000    tcp     443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT       net     8443    udp     443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------


systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sat 2025-03-15 13:04:26 CST; 5s ago
    Process: 94154 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 94159 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 20.7M
        CPU: 140ms
     CGroup: /system.slice/haproxy.service
             ├─94159 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─94161 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

mar 15 13:04:25 jgrey.phoenix systemd[1]: Starting haproxy.service...
mar 15 13:04:26 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200 
date: Sat, 15 Mar 2025 19:06:21 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 mod_fcgid/2.3.9
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Looks OK. The mod_fcgid/2.3.9 difference from the other test is due to the configuration for bug#34072.
Comment 6 Thomas Andrews 2025-03-16 23:46:00 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2025-03-17 17:34:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2025-0030.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

