Description of problem: Haproxy is in version 2.8.14 in mageia version while 2.8.15 version is available with few medium and few minor security updates for 2.8 branch. Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG Last version of 2.8 branch has a lot of minor and medium bugs fixed, we should update. Fixed bug changelog: 2025/04/22 : 2.8.15 - BUILD: compiler: undefine the CONCAT() macro if already defined - BUILD: tools: avoid a build warning on gcc-4.8 in resolve_sym_name() - BUILD: tools: silence a build warning when USE_THREAD=0 - CLEANUP: h3: fix documentation of h3_rcv_buf() - DOC: config: add the missing "profiling.memory" to the global kw index - DOC: config: add "tune.lua.burst-timeout" to the list of global parameters - DOC: config: fix two missing "content" in "tcp-request" examples - DOC: config: reorder "tune.lua.*" keywords by alphabetical order - DOC: htx: clarify <mark> parameter for htx_xfer_blks() - DOC: management: rename some last occurences from domain "dns" to "resolvers" - DOC: option redispatch should mention persist options - MEDIUM: backend: do not overwrite srv dst address on reuse (2) - MEDIUM: backend: fix reuse with set-dst/set-dst-port - MEDIUM: clock: make sure now_ms cannot be TICK_ETERNITY - MEDIUM: debug: close a possible race between thread dump and panic() - MEDIUM: fd: mark FD transferred to another process as FD_CLONED - MEDIUM: filters: Handle filters registered on data with no payload callback - MEDIUM: h3: trim whitespaces in header value prior to QPACK encoding - MEDIUM: h3: trim whitespaces when parsing headers value - MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup() - MEDIUM: hlua: fix hlua_applet_{http,tcp}_fct() yield regression (lost data) - MEDIUM: http-ana: Report 502 from req analyzer only during rsp forwarding - MEDIUM: htx: wrong count computation in htx_xfer_blks() - MEDIUM: mux-quic: do not attach on already closed stream - MEDIUM: mux-quic: fix crash on RS/SS emission if already close local - MEDIUM: peers: prevent learning expiration too far in futur from unsync node - MEDIUM: sample: fix risk of overflow when replacing multiple regex back-refs - MEDIUM: spoe: Don't wakeup idle applets in loop during stopping - MEDIUM: ssl: chosing correct certificate using RSA-PSS with TLSv1.3 - MEDIUM: thread: use pthread_self() not ha_pthread[tid] in set_affinity - MEIDUM: startup: return to initial cwd only after check_config_validity() - MINOR: auth: Fix a leak on error path when parsing user's groups - MINOR: backend: do not overwrite srv dst address on reuse - MINOR: backend: do not use the source port when hashing clientip - MINOR: backend: fix reuse with set-dst/set-dst-port (2) - MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers - MINOR: cfgparse/peers: fix inconsistent check for missing peer server - MINOR: cfgparse/peers: properly handle ignored local peer case - MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines - MINOR: cli: export cli_io_handler() to ease symbol resolution - MINOR: cli: Fix a possible infinite loop in _getsocks() - MINOR: cli: Fix memory leak on error for _getsocks command - MINOR: cli: Wait for the last ACK when FDs are xferred from the old worker - MINOR: clock: always use atomic ops for global_now_ms - MINOR: compiler: add a new __decl_thread_var() macro to declare local variables - MINOR: compiler: add a simple macro to concatenate resolved strings - MINOR: config/userlist: Support one 'users' option for 'group' directive - MINOR debug: fix !USE_THREAD_DUMP in ha_thread_dump_fill() - MINOR: fcgi: Don't set the status to 302 if it is already set - MINOR: flt-trace: Support only one name option - MINOR: h2: always trim leading and trailing LWS in header values - MINOR: h3: filter upgrade connection header - MINOR: h3: reject invalid :path in request - MINOR: h3: reject request URI with invalid characters - MINOR: hlua_fcn: fix potential UAF with Queue:pop_wait() - MINOR: hlua: fix invalid errmsg use in hlua_init() - MINOR: http-ana: Properly detect client abort when forwarding the response - MINOR: log: fix gcc warn about truncating NUL terminator while init char arrays - MINOR: mux-h1: always make sure h1s->sd exists in h1_dump_h1s_info() - MINOR: mux-h2: prevent past scheduling with idle connections - MINOR: mux-h2: Properly handle full or truncated HTX messages on shut - MINOR: mux-quic: change return value of qcs_attach_sc() - MINOR: mux-quic: fix BUG_ON() crash on init failure after app-ops - MINOR: mux-quic: handle closure of uni-stream - MINOR: mux-quic: remove extra BUG_ON() in _qcc_send_stream() - MINOR: namespace: handle a possible strdup() failure - MINOR: peers: fix expire learned from a peer not converted from ms to ticks - MINOR: quic: do not crash on CRYPTO ncbuf alloc failure - MINOR: quic: fix CRYPTO payload size calcul for encoding - MINOR: quic: prevent crash on conn access after MUX init failure - MINOR: quic: reserve length field for long header encoding - MINOR: server: check for either proxy-protocol v1 or v2 to send hedaer - MINOR: server: dont return immediately from parse_server() when skipping checks - MINOR: server: fix the "server-template" prefix memory leak - MINOR: sink: add tempo between 2 connection attempts for sft servers - MINOR: sink: add tempo between 2 connection attempts for sft servers (2) - MINOR: spoe: Allow applet creation when closing the last one during stopping - MINOR: spoe: Check the shared waiting queue to shut applets during stopping - MINOR: ssl/cli: "show ssl crt-list" lacks client-sigals - MINOR: ssl/cli: "show ssl crt-list" lacks sigals - MINOR: stats-json: Define JSON_INT_MAX as a signed integer - MINOR: task: add thread safe notification_new and notification_wake variants - MINOR: tcp-rules: Don't forward close during tcp-response content rules eval - MINOR: tinfo: add a new thread flag to indicate a call from a sig handler - MINOR: tools: also protect the library name resolution against concurrent accesse - MINOR: tools: ease the declaration of known symbols in resolve_sym_name() - MINOR: tools: improve symbol resolution without dl_addr - MINOR: tools: resolve main() only once in resolve_sym_name() - MINOR: tools: teach resolve_sym_name() a few more common symbols - MINOR: tools: use only opportunistic symbols resolution - REGTESTS: Fix truncated.vtc to send 0-CRLF - TESTS: Fix build for filltab25.c - TESTS: ist: fix wrong array size Version-Release number of selected component (if applicable): 2.8.14 How reproducible: Always Steps to Reproduce: 1. Check haproxy changelog & see version
type: bugfix subject: Updated haproxy packages fix some bugs src: 9: core: - haproxy-2.8.15-1.mga9 description: | Haproxy has a few medium and a few minor bugs fixed in the last upstream version 2.8.15 of branch 2.8. Fixed medium bug list: - backend: do not overwrite srv dst address on reuse (2) - backend: fix reuse with set-dst/set-dst-port - clock: make sure now_ms cannot be TICK_ETERNITY - debug: close a possible race between thread dump and panic() - fd: mark FD transferred to another process as FD_CLONED - filters: Handle filters registered on data with no payload callback - h3: trim whitespaces in header value prior to QPACK encoding - h3: trim whitespaces when parsing headers value - hlua/cli: fix cli applet UAF in hlua_applet_wakeup() - hlua: fix hlua_applet_{http,tcp}_fct() yield regression (lost data) - http-ana: Report 502 from req analyzer only during rsp forwarding - htx: wrong count computation in htx_xfer_blks() - mux-quic: do not attach on already closed stream - mux-quic: fix crash on RS/SS emission if already close local - peers: prevent learning expiration too far in futur from unsync node - sample: fix risk of overflow when replacing multiple regex back-refs - spoe: Don't wakeup idle applets in loop during stopping - ssl: chosing correct certificate using RSA-PSS with TLSv1.3 - startup: return to initial cwd only after check_config_validity() - thread: use pthread_self() not ha_pthread[tid] in set_affinity references: - https://bugs.mageia.org/show_bug.cgi?id=34599 - https://www.haproxy.org/download/2.8/src/CHANGELOG
Keywords: (none) => advisory
Previous update tickets: https://bugs.mageia.org/show_bug.cgi?id=33475 https://bugs.mageia.org/show_bug.cgi?id=33593 https://bugs.mageia.org/show_bug.cgi?id=33820 https://bugs.mageia.org/show_bug.cgi?id=34105 Packages built and uploaded, advisory available. QA should just have to double check, validate update or report if there is something wrong. Packages in 9/core/updates_testing i586: haproxy-2.8.15-1.mga9.i586.rpm haproxy-noquic-2.8.15-1.mga9.i586.rpm haproxy-quic-2.8.15-1.mga9.i586.rpm haproxy-utils-2.8.15-1.mga9.i586.rpm x86_64: haproxy-2.8.15-1.mga9.x86_64.rpm haproxy-noquic-2.8.15-1.mga9.x86_64.rpm haproxy-quic-2.8.15-1.mga9.x86_64.rpm haproxy-utils-2.8.15-1.mga9.x86_64.rpm From SRPMS: haproxy-2.8.15-1.mga9
$ systemctl status haproxy.service ● haproxy.service - HAproxy Loadbalancer Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled) Active: active (running) since XXX XXXX-XX-XX XX:XX:XX XXXX; X week X days ago Main PID: XXXXXX (haproxy) Status: "Ready." Tasks: X (limit: 65000) Memory: XXX.XM CPU: Xh XXmin XX.XXXs CGroup: /system.slice/haproxy.service ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws $ curl -I http://127.0.0.1:8000 HTTP/1.1 302 Found content-length: 0 location: https://127.0.0.1:8000/ cache-control: no-cache alt-svc: h3=":443"; ma=3600 $ curl -I -k https://127.0.0.1:8000 HTTP/2 200 date: Sat, 30 Aug 2025 15:08:18 GMT content-type: text/html; charset=UTF-8 alt-svc: h3=":443"; ma=3600 $ rpm -qa | grep haproxy haproxy-quic-2.8.15-1.mga9 haproxy-2.8.15-1.mga9
CC: (none) => andrewsfarm, mageiaAssignee: bugsquad => qa-bugsWhiteboard: (none) => MGA9-64-OK
Referenced Bug 32570. No installation issues.Issued the same commands as comment 3, with the same results. Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2025-0081.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED