Description of problem:
Haproxy is in version 2.8.16 in Mageia version while 2.8.18 version is available with two major, few medium and few minor security updates for 2.8 branch.
Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG
Last version of 2.8 branch has a lot of minor and medium bugs fixed, we should update.

Fixed bug changelog:

2025/12/25 : 2.8.18
- Revert "MEDIUM: mux-h2: make sure not to move a dead connection to idle"

2025/12/19 : 2.8.17
- CLEANUP: quic: remove a useless CRYPTO frame variable assignment
- MAJOR: quic: use ncbmbuf for CRYPTO handling
- MAJOR: stream: Force channel analysis on successful synchronous send
- MEDIUM: dns: bind the nameserver sockets to the initiating thread
- MEDIUM: h1: prevent a crash on HTTP/2 upgrade
- MEDIUM: h3: do not overwrite interim with final response
- MEDIUM: h3: handle interim response properly on FE side
- MEDIUM: h3: properly encode response after interim one in same buf
- MEDIUM: http-ana: Don't close server connection on read0 in TUNNEL mode
- MEDIUM: mux-h2: make sure not to move a dead connection to idle
- MEDIUM: mux-quic: adjust wakeup behavior
- MEDIUM: mux-quic: ensure Early-data header is set
- MEDIUM: quic: CRYPTO frame freeing without eb_delete()
- MEDIUM: resolvers: make the process_resolvers() task single-threaded
- MEDIUM: ssl: Crash because of dangling ckch_store reference in a ckch instance
- MEDIUM: ssl: take care of second client hello
- MEDIUM: stick-tables: Always return the good stksess from stktable_set_entry
- MEDIUM: stick-tables: Don't forget to dec count on failure.
- MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
- MINOR: cfgparse-listen: update err_code for fatal error on proxy directive
- MINOR: compression: Add OOM check for calloc() in parse_compression_options()
- MINOR: config: Limit "tune.maxpollevents" parameter to 1000000
- MINOR: h1: h1_release() should return if it destroyed the connection
- MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
- MINOR: hlua: Fix receive from HTTP applet by properly accounting data
- MINOR: http-ana: Reset analyse_exp date after 'wait-for-body' action
- MINOR: http: fix 405,431,501 default errorfile
- MINOR: init: Do not close previously created fd in stdio_quiet
- MINOR: jwt: Missing "case" in switch statement
- MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
- MINOR: log: fix potential memory leak upon error in add_to_logformat_list()
- MINOR: mux-quic: apply correctly timeout on output pending data
- MINOR: mux-quic: ensure close-spread-time is properly applied
- MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
- MINOR: mux-quic: refactor wait-for-handshake support
- MINOR: ncbmbuf: add tests as standalone mode
- MINOR: ncbmbuf: define new ncbmbuf type
- MINOR: ncbmbuf: implement add
- MINOR: ncbmbuf: implement advance operation
- MINOR: ncbmbuf: implement iterator bitmap utilities functions
- MINOR: ncbmbuf: implement ncbmb_data()
- MINOR: ncbuf: extract common types
- MINOR: qmux: change API for snd_buf FIN transmission
- MINOR: quic: check applet_putchk() for 'show quic' first line
- MINOR: quic: close connection on CID alloc failure
- MINOR: quic: do not set first the default QUIC curves
- MINOR: quic: ensure cwnd limits are always enforced
- MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
- MINOR: quic: Missing SSL session object freeing
- MINOR: quic: move IP_PKTINFO on send on a dedicated function
- MINOR: quic: remove ->offset qf_crypto struct field
- MINOR: quic: rename min/max fields for congestion window algo
- MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
- MINOR: quic: Wrong source address use on FreeBSD
- MINOR: sink: retry attempt for sft server may never occur
- MINOR: ssl: always clear the remains of the first hello for the second one
- MINOR: ssl: Free global_ssl structure contents during deinit
- MINOR: ssl: remove dead code in ssl_sock_from_buf()
- MINOR: ssl: returns when SSL_CTX_new failed during init
- MINOR: stick-tables: properly index string-type keys
- MINOR: tools: Add OOM check for malloc() in indent_msg()
- OPTIM: quic: improve slightly qc_snd_buf() internal

Version-Release number of selected component (if applicable):
2.8.16

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
type: security
subject: Updated haproxy packages fix bugs
src:
  9:
    core:
      - haproxy-2.8.18-1.mga9
description: |
  Haproxy has two major, few medium and few minor bugs fixed in the last
  upstream version 2.8.18 of branch 2.8.

  Fixed major bugs list:
  - quic: use ncbmbuf for CRYPTO handling
  - stream: Force channel analysis on successful synchronous send

  Fixed medium bugs list:
  - dns: bind the nameserver sockets to the initiating thread
  - h1: prevent a crash on HTTP/2 upgrade
  - h3: do not overwrite interim with final response
  - h3: handle interim response properly on FE side
  - h3: properly encode response after interim one in same buf
  - http-ana: Don't close server connection on read0 in TUNNEL mode
  - mux-quic: adjust wakeup behavior
  - mux-quic: ensure Early-data header is set
  - quic: CRYPTO frame freeing without eb_delete()
  - resolvers: make the process_resolvers() task single-threaded
  - ssl: Crash because of dangling ckch_store reference in a ckch instance
  - ssl: take care of second client hello
  - stick-tables: Always return the good stksess from stktable_set_entry
  - stick-tables: Don't forget to dec count on failure.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=35064
  - https://www.haproxy.org/download/2.8/src/CHANGELOG
Keywords: (none) => advisory
Previous update tickets:
https://bugs.mageia.org/show_bug.cgi?id=33475
https://bugs.mageia.org/show_bug.cgi?id=33593
https://bugs.mageia.org/show_bug.cgi?id=33820
https://bugs.mageia.org/show_bug.cgi?id=34105
https://bugs.mageia.org/show_bug.cgi?id=34599
https://bugs.mageia.org/show_bug.cgi?id=34673

Packages built and uploaded, advisory available.
QA should just have to double check, validate update or report if there is something wrong.

Packages in 9/core/updates_testing

i586:
haproxy-2.8.18-1.mga9.i586.rpm
haproxy-noquic-2.8.18-1.mga9.i586.rpm
haproxy-quic-2.8.18-1.mga9.i586.rpm
haproxy-utils-2.8.18-1.mga9.i586.rpm

x86_64:
haproxy-2.8.18-1.mga9.x86_64.rpm
haproxy-noquic-2.8.18-1.mga9.x86_64.rpm
haproxy-quic-2.8.18-1.mga9.x86_64.rpm
haproxy-utils-2.8.18-1.mga9.x86_64.rpm

From SRPMS:
haproxy-2.8.18-1.mga9
$ systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since XXX XXXX-XX-XX XX:XX:XX CEST; X days ago
    Process: XXXXXX ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: XXXXXX (haproxy)
     Status: "Ready."
      Tasks: X (limit: 65000)
     Memory: X.XG
        CPU: Xh Xmin X.XXXs
     CGroup: /system.slice/haproxy.service
             ├─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─XXXXXX /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache
alt-svc: h3=":443"; ma=3600

$ curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Thu, 16 Oct 2025 10:06:54 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=3600

$ rpm -qa | grep haproxy
haproxy-quic-2.8.18-1.mga9
haproxy-2.8.18-1.mga9
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, mageia
Assignee: bugsquad => qa-bugs
RH x86_64

LC_ALL=C urpmi haproxy haproxy-utils
In order to satisfy the 'haproxy-server[== 2.8.18-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.18-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.18-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.18       1.mga9        x86_64
  haproxy-noquic                 2.8.18       1.mga9        x86_64
  haproxy-utils                  2.8.18       1.mga9        x86_64
5MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

installing haproxy-utils-2.8.18-1.mga9.x86_64.rpm haproxy-noquic-2.8.18-1.mga9.x86_64.rpm haproxy-2.8.18-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/3: haproxy               ###################################################################################################
      2/3: haproxy-noquic        ###################################################################################################
      3/3: haproxy-utils         ###################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.18-1.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sun 2026-01-25 14:15:06 CST; 7s ago
    Process: 94320 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 94326 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 21.3M
        CPU: 359ms
     CGroup: /system.slice/haproxy.service
             ├─94326 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─94329 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

ene 25 14:15:06 jgrey.phoenix systemd[1]: Starting haproxy.service...
ene 25 14:15:06 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Sun, 25 Jan 2026 20:23:28 GMT
server: Apache/2.4.66 (Mageia) OpenSSL/3.0.18
last-modified: Mon, 21 Mar 2022 09:24:20 GMT
etag: "83-5dab70fa69900"
accept-ranges: bytes
content-length: 131
content-type: text/html; charset=UTF-8

Looks OK, going to test with quic
LC_ALL=C urpmi haproxy haproxy-utils
In order to satisfy the 'haproxy-server[== 2.8.18-1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.18-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.18-1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  haproxy                        2.8.18       1.mga9        x86_64
  haproxy-quic                   2.8.18       1.mga9        x86_64
  haproxy-utils                  2.8.18       1.mga9        x86_64
(medium "Core Updates (distrib3)")
  lib64quictls81.3               3.0.18       1.mga9        x86_64
12MB of additional disk space will be used.
3.9MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.18-1.mga9.x86_64.rpm
installing //home/katnatek/qa-testing/x86_64/haproxy-2.8.18-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/lib64quictls81.3-3.0.18-1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-quic-2.8.18-1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/haproxy-utils-2.8.18-1.mga9.x86_64.rpm
Preparing...                     ###################################################################################################
      1/4: lib64quictls81.3      ###################################################################################################
      2/4: haproxy-quic          ###################################################################################################
      3/4: haproxy               ###################################################################################################
      4/4: haproxy-utils         ###################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.18-1.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf

The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service

Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sun 2026-01-25 14:36:54 CST; 5s ago
    Process: 121603 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 121608 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.7M
        CPU: 97ms
     CGroup: /system.slice/haproxy.service
             ├─121608 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─121610 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

ene 25 14:36:54 jgrey.phoenix systemd[1]: Starting haproxy.service...
ene 25 14:36:54 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Sun, 25 Jan 2026 20:38:09 GMT
server: Apache/2.4.66 (Mageia) OpenSSL/3.0.18
last-modified: Mon, 21 Mar 2022 09:24:20 GMT
etag: "83-5dab70fa69900"
accept-ranges: bytes
content-length: 131
content-type: text/html; charset=UTF-8
Flags: (none) => test_passed_mga9_64+
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0019.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED