Description of problem:
Haproxy is at version 2.8.15 in Mageia while version 2.8.16 is available with a critical, a major, a few medium and a few minor security updates for the 2.8 branch.
Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG
The last version of the 2.8 branch has a lot of minor and medium bugs fixed, we should update.

Fixed bug changelog:

2025/10/03 : 2.8.16
- CRITICAL: mjson: fix possible DoS when parsing numbers
- MAJOR: listeners: transfer connection accounting when switching listeners
- MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout
- MEDIUM: check: Set SOCKERR by default when a connection error is reported
- MEDIUM: checks: fix ALPN inheritance from server
- MEDIUM: dns: Reset reconnect tempo when connection is finally established
- MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info
- MEDIUM: h1: Allow reception if we have early data
- MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field
- MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly
- MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
- MEDIUM: hlua: Report to SC when data were consumed on a lua socket
- MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
- MEDIUM: http-client: Ask for more room when request data cannot be xferred
- MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
- MEDIUM: http-client: Drain the request if an early response is received
- MEDIUM: http-client: Notify applet has more data to deliver until the EOM
- MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
- MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer
- MEDIUM: httpclient: Throw an error if an lua httpclient instance is reused
- MEDIUM: mux-h2: Properly handle connection error during preface sending
- MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
- MEDIUM: ssl: ca-file directory mode must read every certificates of a file
- MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
- MEDIUM: ssl: create the mux immediately on early data
- MEDIUM: ssl: Fix 0rtt to the server
- MEDIUM: ssl: fix build with AWS-LC
- MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
- MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
- MINOR: activity: fix reporting of task latency
- MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
- MINOR: cli: fix too many args detection for commands
- MINOR: cli: Issue an error when too many args are passed for a command
- MINOR: config/server: reject QUIC addresses
- MINOR: dns: add tempo between 2 connection attempts for dns servers
- MINOR: dns: prevent ds accumulation within dss
- MINOR: h2: forbid 'Z' as well in header field names checks
- MINOR: h3: don't insert more than one Host header
- MINOR: h3: Fix errors introduced because of failed backport
- MINOR: h3: forbid 'Z' as well in header field names checks
- MINOR: h3: Set HTX flags corresponding to the scheme found in the request
- MINOR: halog: exit with error when some output filters are set simultaneosly
- MINOR: haproxy: be sure not to quit too early on soft stop
- MINOR: hlua: Fix Channel:data() and Channel:line() to respect documentation
- MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
- MINOR: hlua: take default-path into account with lua-load-per-thread
- MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
- MINOR: http-client: Reject any 101-switching-protocols response
- MINOR: init: Initialize random seed earlier in the init process
- MINOR: init: relax LSTCHK_NETADM checks for non root
- MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
- MINOR: limits: compute_ideal_maxconn: don't cap remain if fd_hard_limit=0
- MINOR: listener: really assign distinct IDs to shards
- MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
- MINOR: mux-h1: Don't pretend connection was released for TCP>H1>H2 upgrade
- MINOR: mux-h1: Fix trace message in h1_detroy() to not relay on connection
- MINOR: mux-h1: fix wrong lock label
- MINOR: mux-h2: Reset streams with NO_ERROR code if full response was already sent
- MINOR: mux-quic: do not decode if conn in error
- MINOR: ocsp: Crash when updating CA during ocsp updates
- MINOR: proxy: only use proxy_inc_fe_cum_sess_ver_ctr() with frontends
- MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
- MINOR: quic: fix room check if padding requested
- MINOR: quic: fix TP reject on invalid max-ack-delay
- MINOR: quic: reject invalid max_udp_payload size
- MINOR: quic: reject retry_source_cid TP on server side
- MINOR: quic: use proper error code on invalid received TP value
- MINOR: quic: use proper error code on invalid server TP
- MINOR: quic: use proper error code on missing CID in TPs
- MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
- MINOR: resolvers: always normalize FQDN from response
- MINOR: server: Update healthcheck when server settings are changed via CLI
- MINOR: sink: detect and warn when using "send-proxy" options with ring servers
- MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
- MINOR: stream: Avoid recursive evaluation for unique-id based on itself
- MINOR: threads: fix soft-stop without multithreading support
- BUILD: acl: silence a possible null deref warning in parse_acl_expr()
- BUILD: compat: always set _POSIX_VERSION to ease comparisons
- BUILD: makefile: enable backtrace by default on musl
- CI: vtest: Rely on VTest2 to run regression tests
- CLEANUP: dns: remove unused dns_stream_server struct member
- CLEANUP: quic: Useless BIO_METHOD initialization
- DOC: config: clarify some known limitations of the json_query() converter
- DOC: config: prefer-last-server: add notes for non-deterministic algorithms
- DOC: config: recommend disabling libc-based resolution with resolvers
- DOC: config: recommend single quoting passwords
- DOC: config: restore default values for resolvers hold directive
- DOC: configuration: add details on prefer-client-ciphers
- DOC: configuration: confuse "strict-mode" with "zero-warning"
- DOC: Fix 'jwt_verify' converter doc
- DOC: hlua: Add a note to warn user about httpclient object reuse
- DOC: hlua: fix a few typos in HTTPMessage.set_body_len() documentation
- DOC: list missing global QUIC settings
- DOC: management: clarify usage of -V with -c
- DOC: management: fix typo in commit f4f93c56
- DOC: ring: refer to newer RFC5424
- DOC: unreliable sockpair@ on macOS
- MEDIUM: hlua: Add function to change the body length of an HTTP Message
- MINOR: applet: add appctx_schedule() macro
- MINOR: compiler: add __nonstring macro
- MINOR: doc: add missing statistics column
- MINOR: doc: add missing statistics column
- MINOR: http: add a function to validate characters of :authority
- MINOR: quic: Add useful error traces about qc_ssl_sess_init() failures
- MINOR: quic: extend return value during TP parsing
- OPTIM: check: do not delay MUX for ALPN if SSL not active
- REGTESTS: Explicitly allow failing shell commands in some scripts
- REGTESTS: Make the script testing conditional set-var compatible with Vtest2
- SCRIPTS: drop the HTML generation from announce-release
- Revert "MINOR: config/server: reject QUIC addresses"
- Revert "BUILD: makefile: enable backtrace by default on musl"

Version-Release number of selected component (if applicable): 2.8.15

How reproducible: Always

Steps to Reproduce:
1. Check haproxy changelog & see version
type: bugfix
subject: Updated haproxy packages fix some bugs
src:
  9:
    core:
      - haproxy-2.8.16-1.mga9
description: |
  Haproxy has a critical, a major, a few medium and a few minor bugs fixed in the last upstream version 2.8.16 of branch 2.8.

  Fixed critical bug list:
  - mjson: fix possible DoS when parsing numbers

  Fixed major bug list:
  - listeners: transfer connection accounting when switching listeners

  Fixed medium bugs list:
  - check: Requeue healthchecks on I/O events to handle check timeout
  - check: Set SOCKERR by default when a connection error is reported
  - checks: fix ALPN inheritance from server
  - dns: Reset reconnect tempo when connection is finally established
  - fd: Use the provided tgid in fd_insert() to get tgroup_info
  - h1: Allow reception if we have early data
  - h1/h2/h3: reject forbidden chars in the Host header field
  - h2/h3: reject some forbidden chars in :authority before reassembly
  - hlua: Add function to change the body length of an HTTP Message
  - hlua: Forbid any L6/L7 sample fetche functions from lua services
  - hlua: Report to SC when data were consumed on a lua socket
  - hlua: Report to SC when output data are blocked on a lua socket
  - http-client: Ask for more room when request data cannot be xferred
  - http-client: Don't wake http-client applet if nothing was xferred
  - http-client: Drain the request if an early response is received
  - http-client: Notify applet has more data to deliver until the EOM
  - http-client: Properly inc input data when HTX blocks are xferred
  - http-client: Test HTX_FL_EOM flag before commiting the HTX buffer
  - httpclient: Throw an error if an lua httpclient instance is reused
  - mux-h2: Properly handle connection error during preface sending
  - server: Duplicate healthcheck's alpn inherited from default server
  - ssl: ca-file directory mode must read every certificates of a file
  - ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
  - ssl: create the mux immediately on early data
  - ssl: Fix 0rtt to the server
  - ssl: fix build with AWS-LC
  - threads: Disable the workaround to load libgcc_s on macOS
references:
  - https://bugs.mageia.org/show_bug.cgi?id=34673
  - https://www.haproxy.org/download/2.8/src/CHANGELOG
Keywords: (none) => advisory
Previous update tickets:
https://bugs.mageia.org/show_bug.cgi?id=33475
https://bugs.mageia.org/show_bug.cgi?id=33593
https://bugs.mageia.org/show_bug.cgi?id=33820
https://bugs.mageia.org/show_bug.cgi?id=34105
https://bugs.mageia.org/show_bug.cgi?id=34599

Packages built and uploaded, advisory available. QA should just have to double check, validate the update or report if there is something wrong.

Packages in 9/core/updates_testing

i586:
haproxy-2.8.16-1.mga9.i586.rpm
haproxy-noquic-2.8.16-1.mga9.i586.rpm
haproxy-quic-2.8.16-1.mga9.i586.rpm
haproxy-utils-2.8.16-1.mga9.i586.rpm

x86_64:
haproxy-2.8.16-1.mga9.x86_64.rpm
haproxy-noquic-2.8.16-1.mga9.x86_64.rpm
haproxy-quic-2.8.16-1.mga9.x86_64.rpm
haproxy-utils-2.8.16-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.16-1.mga9
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since XXX XXXX-XX-XX XX:XX:XX CEST; X days ago
    Process: XXXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: X (limit: 65000)
     Memory: X.XG
        CPU: Xh Xmin X.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Thu, 16 Oct 2025 10:06:54 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.16-1.mga9
haproxy-2.8.16-1.mga9
CC: (none) => andrewsfarm, mageia
Whiteboard: (none) => MGA9-64-OK
Assignee: bugsquad => qa-bugs
Tested in a VirtualBox guest. No installation issues.

[root@localhost ~]# systemctl start haproxy
[root@localhost ~]# systemctl status haproxy
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Sat 2025-10-18 20:11:26 EDT; 16s ago
    Process: 8483 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 8489 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 25.9M
        CPU: 345ms
     CGroup: /system.slice/haproxy.service
             ├─8489 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─8492 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

Oct 18 20:11:26 localhost.localdomain systemd[1]: Starting haproxy.service...
Oct 18 20:11:26 localhost.localdomain systemd[1]: Started haproxy.service.

[root@localhost ~]# curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

[root@localhost ~]# curl -I -k https://127.0.0.1:8000
HTTP/2 503
cache-control: no-cache
content-type: text/html

Seems OK. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
At least one of these issues (the mjson one) looks to have been assigned a CVE (CVE-2025-11230) and if so, this should be treated as a security issue and not a plain bug fix. See https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability
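An added check, not part of this ticket or of Mageia's QA process: a POSIX shell script that decides from a package name such as the `rpm -q haproxy` output quoted above whether an installed build predates 2.8.16, the 2.8 release carrying the CVE-2025-11230 mjson fix. It assumes the version string has the three-component form seen in the package names on this page; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the Mageia ticket: decide whether an installed haproxy
# build predates 2.8.16, the 2.8 release carrying the CVE-2025-11230 (mjson) fix.
FIXED_VERSION="2.8.16"

# Pull the first "major.minor.patch" out of a string such as `rpm -q haproxy`
# output ("haproxy-2.8.16-1.mga9"). A space is prepended so a bare "2.8.16" works.
haproxy_version_from() {
  printf ' %s\n' "$1" |
    sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
    head -n 1
}

# Numeric, component-wise comparison: true (0) when $1 is at least $2.
# Plain string comparison gets this wrong (it would rank "2.8.9" above "2.8.16").
version_at_least() {
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# 0: fixed release or newer; 1: older, still affected; 2: no version found.
haproxy_patched() {
  v=$(haproxy_version_from "$1")
  [ -n "$v" ] || return 2
  version_at_least "$v" "$FIXED_VERSION"
}

report() {
  haproxy_patched "$1" && rc=0 || rc=$?
  case $rc in
    0) echo "$1: $FIXED_VERSION or newer, CVE-2025-11230 fix present" ;;
    1) echo "$1: older than $FIXED_VERSION, still affected by CVE-2025-11230" ;;
    *) echo "$1: no version string found" ;;
  esac
}

# Constructed sample inputs (not output from a real host): the ticket's previous
# and updated package versions. On a Mageia host use: report "$(rpm -q haproxy)"
report "haproxy-2.8.15-1.mga9"
report "haproxy-2.8.16-1.mga9"
report "not-installed"
```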
CC: (none) => dan
Status: NEW => ASSIGNED
Advisory type changed
CVE: (none) => CVE-2025-11230
Component: RPM Packages => Security
QA Contact: (none) => security
Thanks Dan, Katnatek and Thomas, may it be validated? Sorry, I missed the CVE. I am unaware of the process difference with security updates instead of bugfix.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0242.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED