From 10fb8562e66accbc6e6e726cbe8d44c9f54c6fc865cb19889763e2ada21f147c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 20 Mar 2025 19:18:18 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main haproxy revision 28379d9b4a73c00e20072dcb0725d48c
---
 _service | 4 +-
 _servicedata | 4 +-
 haproxy-1.6.0-makefile_lib.patch | 10 +-
 haproxy-1.6.0-sec-options.patch | 8 +-
 haproxy-2.8.11+git0.01c1056a4.tar.gz | 3 -
 haproxy-3.1.5+git0.076df0292.tar.gz | 3 +
 haproxy-service.patch | 11 +
 haproxy-tmpfiles.conf | 1 +
 haproxy.cfg | 2 +-
 haproxy.changes | 831 ++++++++++++++++++++-------
 haproxy.spec | 24 +-
 series | 1 +
 usr.sbin.haproxy.apparmor | 24 +-
 13 files changed, 683 insertions(+), 243 deletions(-)
 delete mode 100644 haproxy-2.8.11+git0.01c1056a4.tar.gz
 create mode 100644 haproxy-3.1.5+git0.076df0292.tar.gz
 create mode 100644 haproxy-service.patch
 create mode 100644 haproxy-tmpfiles.conf
diff --git a/_service b/_service
index e8d58eb..c2f63bc 100644
--- a/_service
+++ b/_service
@@ -1,12 +1,12 @@
- http://git.haproxy.org/git/haproxy-2.8.git
+ http://git.haproxy.org/git/haproxy-3.1.git/
 git haproxy @PARENT_TAG@+git@TAG_OFFSET@.%h v(.*) \1
- v2.8.11
+ v3.1.5
 enable
diff --git a/_servicedata b/_servicedata
index 45b0045..941697d 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,6 +1,6 @@
- http://git.haproxy.org/git/haproxy-2.8.git
- 01c1056a44823c5ffb8f74660b32c099d9b5355b
+ http://git.haproxy.org/git/haproxy-3.1.git/
+ 076df02923212eb5631dc58681d387d034090792
\ No newline at end of file
diff --git a/haproxy-1.6.0-makefile_lib.patch b/haproxy-1.6.0-makefile_lib.patch
index 28c0e55..652f4c1 100644
--- a/haproxy-1.6.0-makefile_lib.patch
+++ b/haproxy-1.6.0-makefile_lib.patch
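Review bot: The updated repository URL in `_service` (and the matching one in `_servicedata`) still uses cleartext `http://`, so the fetch that produces the tarball has no transport authentication and integrity rests only on the pinned commit id and the tarball checksum. Since the line is being rewritten anyway, prefer `https://git.haproxy.org/git/haproxy-3.1.git/`, assuming the upstream host serves the repository over TLS. The surrounding XML elements are not visible in this rendering, so the exact element to edit is inferred from the URL value.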
@@ -1,8 +1,8 @@
-Index: haproxy-2.8/Makefile
+Index: haproxy-3.0/Makefile
 ===================================================================
---- haproxy-2.8.orig/Makefile
-+++ haproxy-2.8/Makefile
-@@ -750,7 +750,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
+--- haproxy-3.0.orig/Makefile
++++ haproxy-3.0/Makefile
+@@ -784,7 +784,7 @@ ifneq ($(USE_PCRE:0=)$(USE_STATIC_PCRE:0
 PCREDIR := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo /usr/local)
 ifneq ($(PCREDIR),)
 PCRE_INC := $(PCREDIR)/include
@@ -11,7 +11,7 @@ Index: haproxy-2.8/Makefile
 endif
 PCRE_CFLAGS := $(if $(PCRE_INC),-I$(PCRE_INC))
-@@ -768,7 +768,7 @@ ifneq ($(USE_PCRE2)$(USE_STATIC_PCRE2)$(
+@@ -802,7 +802,7 @@ ifneq ($(USE_PCRE2:0=)$(USE_STATIC_PCRE2
 PCRE2DIR := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo /usr/local)
 ifneq ($(PCRE2DIR),)
 PCRE2_INC := $(PCRE2DIR)/include
diff --git a/haproxy-1.6.0-sec-options.patch b/haproxy-1.6.0-sec-options.patch
index ca494a9..3bbbee7 100644
--- a/haproxy-1.6.0-sec-options.patch
+++ b/haproxy-1.6.0-sec-options.patch
@@ -4,11 +4,11 @@ Date: Mon Jun 17 13:00:08 2019 +0000
 SUSE: Makefile sec options
-Index: haproxy-2.8/Makefile
+Index: haproxy-3.0/Makefile
 ===================================================================
---- haproxy-2.8.orig/Makefile
-+++ haproxy-2.8/Makefile
-@@ -849,6 +849,35 @@ ifneq ($(TRACE),)
+--- haproxy-3.0.orig/Makefile
++++ haproxy-3.0/Makefile
+@@ -887,6 +887,35 @@ ifneq ($(TRACE),)
 COPTS += -finstrument-functions
 endif
diff --git a/haproxy-2.8.11+git0.01c1056a4.tar.gz b/haproxy-2.8.11+git0.01c1056a4.tar.gz
deleted file mode 100644
index 026b4c7..0000000
--- a/haproxy-2.8.11+git0.01c1056a4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:baf717b07b1676e41edc1c8da84a04346e1e4df2b0ded4f94fee9fd02c95db9b
-size 4536478
diff --git a/haproxy-3.1.5+git0.076df0292.tar.gz b/haproxy-3.1.5+git0.076df0292.tar.gz
new file mode 100644
index 0000000..17c87b4
--- /dev/null
+++ b/haproxy-3.1.5+git0.076df0292.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2502f22ba6bb0f4d40c119c0ddbb3563ba3d884e4b8d47aea342671ebaf1372
+size 5050772
diff --git a/haproxy-service.patch b/haproxy-service.patch
new file mode 100644
index 0000000..f4cc91a
--- /dev/null
+++ b/haproxy-service.patch
@@ -0,0 +1,11 @@
+--- a/admin/systemd/haproxy.service.in 2024-01-18 15:32:19.000000000 +0100
++++ b/admin/systemd/haproxy.service.in 2024-02-04 23:58:30.873980359 +0100
+@@ -6,7 +6,7 @@
+ [Service]
+ EnvironmentFile=-/etc/default/haproxy
+ EnvironmentFile=-/etc/sysconfig/haproxy
+-Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
++Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/pid" "EXTRAOPTS=-S /run/haproxy/master.sock"
+ ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
+ ExecReload=@SBINDIR@/haproxy -Ws -f $CONFIG -c $EXTRAOPTS
+ ExecReload=/bin/kill -USR2 $MAINPID
diff --git a/haproxy-tmpfiles.conf b/haproxy-tmpfiles.conf
new file mode 100644
index 0000000..c53bd36
--- /dev/null
+++ b/haproxy-tmpfiles.conf
@@ -0,0 +1 @@
+D /run/haproxy 0750 root haproxy
diff --git a/haproxy.cfg b/haproxy.cfg
index 4468995..857de94 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -5,7 +5,7 @@ global
 user haproxy
 group haproxy
 daemon
- stats socket /var/lib/haproxy/stats user haproxy group haproxy mode 0640 level operator
+ stats socket /run/haproxy/stats.sock user haproxy group haproxy mode 0640 level operator
 tune.bufsize 32768
 tune.ssl.default-dh-param 2048
 ssl-default-bind-ciphers ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
diff --git a/haproxy.changes b/haproxy.changes
index bea59f9..7f350f2 100644
--- a/haproxy.changes
+++ b/haproxy.changes
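Review bot: The new default `EXTRAOPTS=-S /run/haproxy/master.sock` binds the master CLI without stating the socket's owner or mode, so as far as this line shows its permissions are left to process defaults and to the directory created by haproxy-tmpfiles.conf. The master CLI gives access to every worker process, so the mode is worth pinning here; `-S` takes comma-separated bind options, for example `"EXTRAOPTS=-S /run/haproxy/master.sock,mode,600"`. The pidfile and socket now also require /run/haproxy to exist before ExecStart runs, and whether the spec applies the tmpfiles entry at install time is not visible in this part of the patch, so that should be confirmed.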
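Review bot: The single entry in haproxy-tmpfiles.conf has no comment explaining why the directory is owned by root with group haproxy and mode 0750, which is the security-relevant choice in this file. With `user haproxy` and `group haproxy` set in haproxy.cfg, the unprivileged process can search the directory but cannot create or replace the pidfile and sockets inside it. A leading line such as `# root-owned on purpose: only the privileged master creates the pidfile and sockets; group haproxy gets search access only` would keep a later edit from loosening it to haproxy:haproxy. Type `D` also means the directory contents are removed when systemd-tmpfiles is run with --remove, which is worth stating in the same comment.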
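Review bot: On the relocated `stats socket` line, `mode 0640` gives the group read permission only, and on Linux connecting to a UNIX socket needs write permission on it, so `group haproxy` does not actually let group members reach this operator-level CLI; only the owning user can connect. If group access is intended the line should end in `mode 0660 level operator`, and if it is not, `mode 0600` states the intent plainly. Existing local configurations and monitoring that still point at /var/lib/haproxy/stats will need the new path, which deserves a line in the changelog. The `global` section continues outside this hunk.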
@@ -1,30 +1,351 @@ ------------------------------------------------------------------- -Thu Dec 05 11:40:44 UTC 2024 - varkoly@suse.com +Thu Mar 13 23:12:51 UTC 2025 - mrueckert@suse.de -- Update to version 2.8.11+git0.01c1056a4: - VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server - (bsc#1233973) - * [RELEASE] Released version 2.8.11 +- Update to version 3.1.5+git0.076df0292: + * [RELEASE] Released version 3.1.5 + * BUG/MEDIUM: spoe/mux-spop: Introduce an NOOP action to deal with empty ACK + * BUG/MEDIUM: applet: Don't handle EOI/EOS/ERROR is applet is waiting for room + * [RELEASE] Released version 3.1.4 + * DOC: option redispatch should mention persist options + * BUG/MINOR: stats-json: Define JSON_INT_MAX as a signed integer + * BUG/MINOR: flt-trace: Support only one name option + * BUG/MINOR: auth: Fix a leak on error path when parsing user's groups + * BUG/MINOR: config/userlist: Support one 'users' option for 'group' directive + * BUG/MINOR: cli: Fix a possible infinite loop in _getsocks() + * BUG/MINOR: cli: Fix memory leak on error for _getsocks command + * BUG/MINOR: cli: Don't set SE flags from the cli applet + * MINOR: mux-spop: Set SPOP_CF_ERROR flag on connection error only + * MINOR: mux-spop: Report EOI on the SE when a ACK is received for a stream + * MINOR: flt-spoe: Report end of input immediately after applet init + * BUG/MEDIUM: flt-spoe: Properly handle end of stream from the SPOE applet + * BUG/MEDIUM: applet: Don't pretend to have more data to handle EOI/EOS/ERROR + * BUG/MEDIUM: flt-spoe: Set/test applet flags instead of SE flags from I/O handler + * BUG/MINOR: http-check: Don't pretend a C-L heeader is set before adding it + * BUG/MINOR: tcp-rules: Don't forward close during tcp-response content rules eval + * BUG/MEDIUM: mux-fcgi: Properly handle read0 on partial records + * DOC: htx: clarify parameter for htx_xfer_blks() + * BUG/MEDIUM: htx: wrong 
count computation in htx_xfer_blks() + * MEDIUM: epoll: skip reports of stale file descriptors + * DEBUG: epoll: store and compare the FD's generation count with reported event + * MINOR: fd: add a generation number to file descriptors + * DEBUG: fd: add a counter of takeovers of an FD since it was last opened + * BUG/MEDIUM: chunk: make sure to flush the trash pool before resizing + * MINOR: epoll: permit to mask certain specific events + * MINOR: quic: adapt credit based pacing to BBR + * MINOR: quic: remove unused pacing burst in bind_conf/quic_cc_path + * MEDIUM: quic: use dynamic credit for pacing + * MEDIUM: mux-quic: reduce pacing CPU usage with passive wait + * MEDIUM: quic: implement credit based pacing + * MINOR: mux-quic: increment pacing retry counter on expired + * MINOR: quic: rename pacing_rate cb to pacing_inter + * BUG/MINOR: stktable: invalid use of stkctr_set_entry() with mixed table types + * BUG/MINOR: mux-h2: Properly handle full or truncated HTX messages on shut + * REGTESTS: Fix truncated.vtc to send 0-CRLF + * BUG/MINOR: mux-quic: prevent crash after MUX init failure + * BUG/MINOR: quic: prevent crash on conn access after MUX init failure + * BUG/MINOR: fcgi: Don't set the status to 302 if it is already set + * BUG/MEDIUM: filters: Handle filters registered on data with no payload callback + * BUG/MINOR: cli: Wait for the last ACK when FDs are xferred from the old worker + * BUG/MEDIUM: cli: Be sure to drop all input data in END state + * BUG/MINOR: ssl/cli: "show ssl crt-list" lacks sigals + * BUG/MINOR: ssl/cli: "show ssl crt-list" lacks client-sigals + * BUG/MEDIUM: fd: mark FD transferred to another process as FD_CLONED + * BUG/MINOR: mworker: post_section_parser for the last section in discovery + * BUG/MINOR: mworker: section ignored in discovery after a post_section_parser + * BUG/MINOR: quic: fix CRYPTO payload size calcul for encoding + * BUG/MINOR: quic: reserve length field for long header encoding + * BUG/MEDIUM: debug: close a 
possible race between thread dump and panic() + * BUG/MEDIUM: ssl: chosing correct certificate using RSA-PSS with TLSv1.3 + +------------------------------------------------------------------- +Thu Mar 13 23:11:31 UTC 2025 - Marcus Rueckert + +- apparmor: fix debug output when running in a vm (/sys paths + differ from hardware) + +------------------------------------------------------------------- +Wed Jan 29 15:41:08 UTC 2025 - mrueckert@suse.de + +- Update to version 3.1.3+git0.929bedf83: + * [RELEASE] Released version 3.1.3 + * BUILD: ssl: more cleaner approach to WolfSSL without renegotiation + * BUILD: ssl: allow to build without the renegotiation API of WolfSSL + * CLEANUP: quic: remove unused prototype + * BUG/MINOR: stream: Properly handle "on-marked-up shutdown-backup-sessions" + * BUG/MINOR: ssl: put ssl_sock_load_ca under SSL_NO_GENERATE_CERTIFICATES + * BUG/MINOR: quic: do not increase congestion window if app limited + * BUG/MEDIUM: mux-h1: Properly close H1C if an error is reported before sending data + * BUILD: quic: Move an ASSUME_NONNULL() for variable which is not null + * MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount + * BUG/MINOR: quic: ensure a detached coalesced packet can't access its neighbours + * BUG/MINOR: init: set HAPROXY_STARTUP_VERSION from the variable, not the macro + * BUG/MAJOR: log/sink: possible sink collision in sink_new_from_srv() + * BUG/MAJOR: quic: reject too large CRYPTO frames + * BUG/MEDIUM: promex: Use right context pointers to dump backends extra-counters + * BUG/MEDIUM: stktable: fix missing lock on some table converters + * BUG/MINOR: quic: reject NEW_TOKEN frames from clients + * BUG/MINOR: stktable: fix big-endian compatiblity in smp_to_stkey() + +------------------------------------------------------------------- +Wed Jan 29 15:40:52 UTC 2025 - mrueckert@suse.de + +- Update to version 3.1.2+git0.cda631a79: + * [RELEASE] Released version 3.1.2 + * BUG/MEDIUM: h1-htx: Properly handle bodyless messages + * 
BUG/MEDIUM: promex/resolvers: Don't dump metrics if no nameserver is defined + * BUG/MINOR: mux-quic: handle closure of uni-stream + * MINOR: mux-quic: change return value of qcs_attach_sc() + * MINOR: mux-quic: add traces on sd attach + * BUG/MINOR: mux-quic: fix wakeup on qcc_set_error() + * MINOR: config: Alert about extra arguments for errorfile and errorloc + * BUG/MINOR: log: Allow to use if/unless conditionnals for do-log action + * BUG/MEDIUM: mux-quic: do not attach on already closed stream + * BUG/MAJOR: mux-quic: properly fix BUG_ON on empty STREAM emission + * Revert "BUG/MAJOR: mux-quic: fix BUG_ON on empty STREAM emission" + * BUG/MEDIUM: mux-h2: Count copied data when looping on RX bufs in h2_rcv_buf() + * BUG/MAJOR: mux-quic: fix BUG_ON on empty STREAM emission + * DOC: config: add missing "track-sc0" in action keywords matrix + * BUG/MINOR: stats: fix segfault caused by uninitialized value in "show schema json" + * BUG/MEDIUM: queue: Make process_srv_queue return the number of streams + * MINOR: hlua: rename "tune.lua.preserve-smp-bool" to "tune.lua.bool-sample-conversion" + * BUG/MINOR: h2/rhttp: fix HTTP2 conn counters on reverse + * CLEANUP: mux-quic: remove dead err label in qcc_build_frms() + * BUG/MEDIUM: mux-quic: prevent BUG_ON() by refreshing frms on MAX_DATA + * REGTESTS: fix lua-based regtests using tune.lua.smp-preserve-bool + * MINOR: hlua: add option to preserve bool type from smp to lua + * DOC: config: add "tune.lua.burst-timeout" to the list of global parameters + * DOC: config: reorder "tune.lua.*" keywords by alphabetical order + * DOC: config: add example for server "track" keyword + * MINOR: mux-quic: hide traces when woken up on pacing only + * MINOR: trace: implement tracing disabling API + * MEDIUM: mux-quic: remove pacing specific code on qcc_io_cb + * MEDIUM/OPTIM: mux-quic: do not rebuild frms list on every send + * MINOR: mux-quic: split STREAM and RS/SS emission + * MINOR: mux-quic: extract code to build STREAM frames 
list + * MEDIUM/OPTIM: mux-quic: implement purg_list + * MEDIUM/OPTIM: mux-quic: define a recv_list for demux resumption + * MINOR: mux-quic: refactor wait-for-handshake support + * MINOR: quic: add traces + * CLEANUP: mux-quic: remove unused qcc member send_retry_list + * BUG/MEDIUM: mux-quic: do not mix qcc_io_send() return codes with pacing + * BUILD: debug: only dump/reset glitch counters when really defined + * BUG/MEDIUM: queues: Do not use pendconn_grab_from_px(). + * BUG/MEDIUM: queues: Make sure we call process_srv_queue() when leaving + * BUG/MEDIUM: stconn: Only consider I/O timers to update stream's expiration date + * CLEANUP: quic: Rename some BBR functions in relation with bw probing + * BUG/MINOR: quic: missing Startup accelerating probing bw states + * REGTESTS: ssl: add a PEM with mix of LF and CRLF line endings + * BUG/MINOR: cli: cli_snd_buf: preserve \r\n for payload lines + * BUG/MINOR: quic: too permissive exit condition for high loss detection in Startup (BBR) + * BUG/MINOR: quic: fix the wrong tracked recovery start time value + * CLEANUP: quic: remove a wrong comment about ->app_limited (drs) + * MINOR: quic: reduce the private data size of QUIC cc algos + * BUG/MINOR: quic: reduce packet losses at least during ProbeBW_CRUISE (BBR) + * BUG/MINOR: quic: underflow issue for bbr_inflight_hi_from_lost_packet() + * BUG/MINOR: quic: remove max_bw filter from delivery rate sampling + * BUG/MINOR: quic: wrong bbr_target_inflight() implementation + * BUG/MINOR: quic: fix BBB max bandwidth oscillation issue. 
+ * BUG/MINOR: quic: wrong logical statement in in_recovery_period() (BBR) + * MINOR: window_filter: rely on the time to update the filter samples (QUIC/BBR) + +------------------------------------------------------------------- +Thu Dec 12 15:13:23 UTC 2024 - mrueckert@suse.de + +- Update to version 3.1.1+git0.717960de0: + * [RELEASE] Released version 3.1.1 + * BUG/MINOR: hlua_fcn: restore server pairs iterator pointer consistency + * BUG/MINOR: server-state: Fix expiration date of srvrq_check tasks + * BUG/MINOR: http-fetch: Ignore empty argument string for query() + * BUG/MEDIUM: stats/server: use watcher to track server during stats dump + * MINOR: list: define a watcher type + * BUG/MINOR: stats: decrement srv refcount on stats-file release + * BUG/MINOR: resolvers: handle a possible strdup() failure + * BUG/MINOR: ssl_crtlist: handle a possible strdup() failure + * BUG/MINOR: namespace: handle a possible strdup() failure + * BUG/MEDIUM: mworker: report status, if daemonized master fails + * BUG/MEDIUM: startup: report status if daemonized process fails + * BUG/MEDIUM: startup: don't daemonize if started with -c + * BUG/MINOR: startup: fix error path for master, if can't open pidfile + * BUG/MINOR: mworker: fix -D -W -sf/-st modes + * BUG/MINOR: mworker: don't save program PIDs in oldpids + * BUG/MINOR: mux-h2: fix expression when detecting excess of CONTINUATION frames + * MINOR: mux-h2/glitches: add a description to the H2 glitches + * CLEANUP: mux-h2/traces: reword certain ambiguous traces + * MINOR: mux-h2/traces: add a missing trace on negative initial window size + * BUILD: debug: fix build issues in COUNT_IF() with -Wunused-value + * BUG/MINOR: debug: COUNT_IF() should return true/false + * DOC: config: fix confusing init-state examples + * BUG/MINOR: config: Fix parsing of accept-invalid-http-{request,response} + * BUG/MEDIUM: mux-h2: make sure not to touch dummy streams when sending WU + * BUG/MINOR: quic: remove startup alert if GSO unsupported + * 
BUG/MINOR: quic: remove startup alert if conn socket-owner unsupported + * BUG/MEDIUM: mux-quic: remove pacing status when everything is sent + * BUG/MINOR: init: do not call fork_poller() for non-forked processes + * BUG/MEDIUM: init: make sure only daemonized processes change their session + * BUG/MINOR: quic: fix bbr_inflight() calls with wrong gain value + * BUG/MINOR: startup: fix pidfile creation + * BUG/MINOR: startup: close pidfd and free global.pidfile in handle_pidfile() + * BUG/MINOR: signal: register default handler for SIGINT in signal_init() + * BUILD: quic: fix a build error about an non initialized timestamp + * BUG/MINOR: h1-htx: Use default reason if not set when formatting the response + * BUG/MEDIUM: http-ana: Reset request flag about data sent to perform a L7 retry + * BUG/MEDIUM: quic: prevent stream freeze on pacing + * BUG/MEDIUM: event_hdl: fix uninitialized value in async mode when no data is provided + * BUG/MINOR: improve BBR throughput on very fast links + * BUG/MINOR: log: fix lf_text() behavior with empty string + * MINOR: proxy: Add support of 421-Misdirected-Request in retry-on status + * BUG/MEDIUM: sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set + +------------------------------------------------------------------- +Tue Nov 26 14:57:39 UTC 2024 - mrueckert@suse.de + +- Update to version 3.1.0+git0.f2b97918e: + https://www.mail-archive.com/haproxy@formilux.org/msg45435.html + https://www.haproxy.com/blog/announcing-haproxy-3-1 + +------------------------------------------------------------------- +Thu Nov 07 18:40:53 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.6+git0.c2c009086: + * [RELEASE] Released version 3.0.6 + * MINOR: debug: move the "recover now" warn message after the optional notes + * BUILD: Missing inclusion header for ssize_t type + * BUILD: debug: also declare strlen() in __ABORT_NOW() + * DEBUG: wdt: add a stats counter "BlockedTrafficWarnings" in show info + * DEBUG: wdt: make the 
blocked traffic warning delay configurable + * DEBUG: cli: make it possible for "debug dev loop" to trigger warnings + * DEBUG: wdt: better detect apparently locked up threads and warn about them + * MINOR: debug: add a function to dump a stuck thread + * MINOR: wdt: move the local timers to a struct + * MINOR: debug: remove the redundant process.thread_info array from post_mortem + * MINOR: debug: also add fdtab and acitvity to struct post_mortem + * MINOR: debug: also add a pointer to struct global to post_mortem + * MINOR: debug: do not limit backtraces to stuck threads + * MINOR: debug: print gdb hints when crashing + * MINOR: connection: add new sample fetch functions fc_err_name and bc_err_name + * MINOR: rawsock: set connection error codes when returning from recv/send/splice + * MINOR: connection: add more connection error codes to cover common errno + * BUG/MINOR: stats: Fix the name for the total number of streams created + * MINOR: stream/stats: Expose the total number of streams ever created in stats + * MINOR: stream/stats: Expose the current number of streams in stats + * MINOR: cli/debug: show dev: add cmdline and version + * BUG/MINOR: quic: fix malformed probing packet building + * CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry + * DOC: config: document connection error 44 (reverse connect failure) + * BUG/MEDIUM: promex: Fix dump of extra counters + * MINOR: stream: Save last evaluated rule on invalid yield + * BUG/MINOR: http-ana: Report internal error if an action yields on a final eval + * BUG/MEDIUM: mux-h1: Fix how timeouts are applied on H1 connections + * DOC: config: add missing glitch_{cnt,rate} sample definitions + * DOC: config: add missing glitch_{cnt,rate} data types + * BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly + * BUG/MINOR: trace: stop rewriting argv with -dt + * MINOR: cli: remove non-printable characters from 'debug dev fd' + * MINOR: debug: store important pointers in 
post_mortem + * MINOR: debug: place the post_mortem struct in its own section. + * MINOR: debug: place a magic pattern at the beginning of post_mortem + * MINOR: pools: export the pools variable + * BUILD: debug: silence a build warning with threads disabled + * BUG/MEDIUM: server: fix race on servers_list during server deletion + * BUG/MINOR: stconn: Don't disable 0-copy FF if EOS was reported on consumer side + * BUG/MINOR: http-ana: Fix wrong client abort reports during responses forwarding + * BUG/MEDIUM: stconn: Report blocked send if sends are blocked by an error + * BUG/MINOR: server: fix dynamic server leak with check on failed init + * MINOR: activity/memprofile: show per-DSO stats + * MINOR: activity/memprofile: always return "other" bin on NULL return address + * BUG/MEDIUM: connection/http-reuse: fix address collision on unhandled address families + * BUG/MEDIUM: mux-h2: Remove H2S from send list if data are sent via 0-copy FF + * BUG/MEDIUM: stats-html: Never dump more data than expected during 0-copy FF + * BUG/MINOR: mux-quic: do not close STREAM with empty FIN if no data sent + * BUG/MINOR: mworker: fix mworker-max-reloads parser + * DOC: config: fix rfc7239 forwarded typo in desc + * BUG/MEDIUM: quic: avoid freezing 0RTT connections + * BUG/MINOR: quic: avoid leaking post handshake frames + * REGTESTS: Never reuse server connection in http-messaging/truncated.vtc + * BUG/MAJOR: filters/htx: Add a flag to state the payload is altered by a filter + * BUG/MEDIUM: stconn: Check FF data of SC to perform a shutdown in sc_notify() + * BUG/MINOR: http-ana: Don't report a server abort if response payload is invalid + * BUG/MEDIUM: stconn: Wait iobuf is empty to shut SE down during a check send + * BUG/MINOR: httpclient: return NULL when no proxy available during httpclient_new() + * BUG/MEDIUM: queue: make sure never to queue when there's no more served conns + * BUG/MEDIUM: mux-quic: ensure timeout server is active for short requests + * BUG/MEDIUM: hlua: 
properly handle sample func errors in hlua_run_sample_{fetch,conv}() + * BUG/MEDIUM: hlua: make hlua_ctx_renew() safe + * BUG/MEDIUM: server: server stuck in maintenance after FQDN change + * MEDIUM: debug: on panic, make the target thread automatically allocate its buf + * MINOR: debug: replace ha_thread_dump() with its two components + * MINOR: debug: make ha_thread_dump_done() take the pointer to be used + * MINOR: debug: slightly change the thread_dump_pointer signification + * MINOR: debug: split ha_thread_dump() in two parts + * MINOR: chunk: drop the global thread_dump_buffer + * MINOR: debug: make mark_tainted() return the previous value + * BUG/MINOR: http-ana: Disable fast-fwd for unfinished req waiting for upgrade + * BUG/MINOR: mux-h1: Fix condition to set EOI on SE during zero-copy forwarding + * BUG/MEDIUM: queue: always dequeue the backend when redistributing the last server + * MINOR: server: make srv_shutdown_sessions() call pendconn_redistribute() + * BUG/MINOR: queue: make sure that maintenance redispatches server queue + * BUG/MEDIUM: stream: make stream_shutdown() async-safe + * MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG + * MINOR: tools: do not attempt to use backtrace() on linux without glibc + * BUILD: tools: only include execinfo.h for the real backtrace() function + * BUG/MINOR: cfgparse-global: fix allowed args number for setenv + * BUG/MINOR: server: make sure the HMAINT state is part of MAINT + * BUG/MEDIUM: cli: Deadlock when setting frontend maxconn + * BUG/MEDIUM: cli: Be sure to catch immediate client abort + * BUG/MINOR: mux-quic: report glitches to session + * REGTESTS: shorten a bit the delay for the h1/h2 upgrade test + * REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades + * BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only + * MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state + * BUG/MINOR: h2: reject extended connect for h2c protocol + 
* BUG/MINOR: h1: do not forward h2c upgrade header token + * MINOR: connection: No longer include stconn type header in connection-t.h + +------------------------------------------------------------------- +Mon Sep 30 19:36:53 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.5+git0.8e879a52e: (VUL-0: CVE-2024-49214 boo#1231612) + * [RELEASE] Released version 3.0.5 + * BUG/MINOR: quic: prevent freeze after early QCS closure + * BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM + * MINOR: quic: implement function to check if STREAM is fully acked + * MINOR: quic: convert qc_stream_desc release field to flags * BUG/MINOR: cfgparse-listen: fix option httpslog override warning message * BUG/MEDIUM: promex: Wait to have the request before sending the response * BUG/MEDIUM: cache/stats: Wait to have the request before sending the response + * BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send + * DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options + * BUG/MINOR: peers: local entries updates may not be advertised after resync * BUG/MEDIUM: queue: implement a flag to check for the dequeuing * BUG/MINOR: clock: validate that now_offset still applies to the current date * BUG/MINOR: clock: make time jump corrections a bit more accurate * BUG/MINOR: polling: fix time reporting when using busy polling + * MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option + * BUG/MINOR: pattern: do not leave a leading comma on "set" error messages + * BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established * BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state * BUG/MEDIUM: pattern: prevent UAF on reused pattern expr * BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg() * BUG/MEDIUM: clock: detect and cover jumps during execution * REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load * DOC: configuration: 
place the HAPROXY_HTTP_LOG_FMT example on the correct line - * BUG/MINOR: pattern: do not leave a leading comma on "set" error messages + * BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only) + * BUG/MINOR: quic: Crash from trace dumping SSL eary data status (AWS-LC) + * BUG/MEDIUM: quic: always validate sender address on 0-RTT + * MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. + * MINOR: quic: Implement qc_ssl_eary_data_accepted(). + * MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) + * BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder + * MINOR: quic: Token for future connections implementation. + * MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD + * MINOR: quic: Implement quic_tls_derive_token_secret(). + * MINOR: tools: Implement ipaddrcpy(). + * BUG/MEDIUM: clock: also update the date offset on time jumps + * BUILD: quic: 32bits build broken by wrong integer conversions for printf() + * BUG/MINOR: cfgparse-global: remove tune.fast-forward from common_kw_list + * DOC: config: correct the table for option tcplog * BUG/MINOR: pattern: pat_ref_set: return 0 if err was found * BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity - * BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full - * BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path - * BUG/MEDIUM: clock: also update the date offset on time jumps - * DOC: config: correct the table for option tcplog * BUG/MINOR: h3: properly reject too long header responses * BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails * BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID 
@@ -39,71 +360,164 @@ Thu Dec 05 11:40:44 UTC 2024 - varkoly@suse.com
 * BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
 * BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
 * BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
+ * DOC: configuration: fix alphabetical ordering of {bs,fs}.aborted
 * BUG/MINOR: fcgi-app: handle a possible strdup() failure
+ * BUG/MEDIUM: peer: Notify the applet won't consume data when it waits for sync
 * BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
 * BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
 * BUG/MEDIUM: http-ana: Report error on write error waiting for the response
 * BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
+ * BUG/MEDIUM: ssl: 0-RTT initialized at the wrong place for AWS-LC
+ * BUG/MEDIUM: ssl: reactivate 0-RTT for AWS-LC
+ * BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect
+ * BUILD: mux-pt: Use the right name for the sedesc variable
+ * BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
 * BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
+ * BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak
+
+-------------------------------------------------------------------
+Tue Sep 03 14:08:47 UTC 2024 - mrueckert@suse.de
+
+- Update to version 3.0.4+git0.7a59afa93: (CVE-2024-45506 boo#1229993)
+ * [RELEASE] Released version 3.0.4
+ * BUG/MEDIUM: mux-pt: Fix condition to perform a shutdown for writes in mux_pt_shut()
+ * BUG/MINOR: Crash on O-RTT RX packet after dropping Initial pktns
+ * BUG/MINOR: quic: Too shord datagram during O-RTT handshakes (aws-lc only)
+ * BUG/MAJOR: mux-h2: always clear MUX_MFULL and DEM_MROOM when clearing the mbuf
+ * MINOR: mux-h2: try to clear DEM_MROOM and MUX_MFULL at more places
 * BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
+ * BUG/MINOR: quic: unexploited retransmission cases for Initial pktns.
 * BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
+ * BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown
+ * BUG/MINIR: proxy: Match on 429 status when trying to perform a L7 retry
 * BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
+ * BUG/MEDIUM: mux-h2: Set ES flag when necessary on 0-copy data forwarding
+ * MINOR: proxy: Add support of 429-Too-Many-Requests in retry-on status
+ * DOC: quic: fix default minimal value for max window size
+ * MEDIUM: log: relax some checks and emit diag warnings instead in lf_expr_postcheck()
+ * Revert "MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface"
 * BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
 * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
 * BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
 * MINOR: queue: add a function to check for TOCTOU after queueing
+ * MEDIUM: h1: allow to preserve keep-alive on T-E + C-L
+ * MINOR: quic: Add information to "show quic" for CUBIC cc.
+ * MINOR: quic: Dump TX in flight bytes vs window values ratio.
 * BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
 * BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
+ * MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface
+ * BUG/MINOR: quic: Non optimal first datagram.
 * BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
 * BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
 * BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
 * DOC: config: improve the http-keep-alive section
 * DOC: configuration: issuers-chain-path not compatible with OCSP
+ * BUG/MAJOR: mux-h2: force a hard error upon short read with pending error
 * BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
+ * DOC: install: don't reference removed CPU arg
 * BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
 * BUG/MINOR: session: Eval L4/L5 rules defined in the default section
+ * CLEANUP: quic: rename TID affinity elements
+ * CLEANUP: proto: rename TID affinity callbacks
+ * BUG/MEDIUM: quic: prevent crash on accept queue full
+ * BUILD: listener: silence a build warning about unused value without threads
+ * MINOR: proto: extend connection thread rebind API
+
+-------------------------------------------------------------------
+Thu Jul 11 14:57:46 UTC 2024 - Marcus Rueckert
+
+- refreshed patches:
+ haproxy-1.6.0-makefile_lib.patch
+ haproxy-1.6.0-sec-options.patch
+
+-------------------------------------------------------------------
+Thu Jul 11 14:56:11 UTC 2024 - mrueckert@suse.de
+
+- Update to version 3.0.3+git0.95a607c4b:
+ * [RELEASE] Released version 3.0.3
 * BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
+ * DEV: flags/quic: decode quic_conn flags
 * BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
 * BUG/MEDIUM: h1: Reject empty Transfer-encoding header
 * BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
 * BUG/MINOR: h1: Fail to parse empty transfer coding names
 * BUG/MINOR: jwt: fix variable initialisation
+ * Revert "MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD"
+ * BUG/MEDIUM: peers: Fix crash when syncing learn state of a peer without appctx
 * DOC: configuration: update maxconn description
+ * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD
 * BUG/MINOR: jwt: don't try to load files with HMAC algorithm
- * MEDIUM: ssl: initialize the SSL stack explicitely
+ * BUG/MEDIUM: server: fix race on server_atomic_sync()
 * DOC: configuration: more details about the master-worker mode
+ * BUG/MEDIUM: hlua/cli: Fix lua CLI commands to work with applet's buffers
+ * BUG/MINOR: promex: Remove Help prefix repeated twice for each metric
 * BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
 * BUG/MINOR: quic: fix race-condition on trace for CID retrieval
 * BUG/MINOR: quic: fix race condition in qc_check_dcid()
 * BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
 * BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
 * BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
+ * BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout or error
 * MINOR: activity: make the memory profiling hash size configurable at build time
+ * BUG/MINOR: server: fix first server template name lookup UAF
+ * DOC: configuration: add details about crt-store in bind "crt" keyword
+ * BUG/MEDIUM: stick-table: Decrement the ref count inside lock to kill a session
 * BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
+ * DEV: flags/show-fd-to-flags: adapt to recent versions
 * BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
+ * BUG/MINOR: h3: fix BUG_ON() crash on control stream alloc failure
 * BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
 * BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
 * DOC: api/event_hdl: small updates, fix an example and add some precisions
 * SCRIPTS: git-show-backports: do not truncate git-show output
+ * BUG/MAJOR: quic: fix padding with short packets
+ * DOC: management: document ptr lookup for table commands
 * DOC: configuration: fix alphabetical order of bind options
+ * BUG/MEDIUM: proxy: fix email-alert invalid free
+ * REGTESTS: ssl: fix some regtests 'feature cmd' start condition
+ * DEBUG: hlua: distinguish burst timeout errors from exec timeout errors
+ * BUG/MINOR: log: fix broken '+bin' logformat node option
+
+-------------------------------------------------------------------
+Sun Jun 16 06:44:56 UTC 2024 - andreas.stieger@gmx.de
+
+- Update to version 3.0.2+git0.a45a8e623:
+ * [RELEASE] Released version 3.0.2
 * DOC: management: rename show stats domain cli "dns" to "resolvers"
+ * DOC/MINOR: management: add -dZ option
 * DOC/MINOR: management: add missed -dR and -dv options
+ * BUG/MINOR: quic: fix padding of INITIAL packets
+ * BUG/MAJOR: mux-h1: Prevent any UAF on H1 connection after draining a request
+ * CLEANUP: log/proxy: fix comment in proxy_free_common()
+ * BUG/MEDIUM: proxy: fix UAF with {tcp,http}checks logformat expressions
+ * MINOR: proxy: add proxy_free_common() helper function
+ * BUG/MINOR: promex: Skip resolvers metrics when there is no resolver section
+ * DOC: config: add missing context hint for new server and proxy keywords
+ * DOC: config: add missing section hint for "guid" proxy keyword
+ * DOC: config: move "hash-key" from proxy to server options
+ * BUG/MEDIUM: log: fix lf_expr_postcheck() behavior with default section
 * BUG/MINOR: proxy: fix header_unique_id leak on deinit()
 * BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
 * BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
 * BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
+ * BUG/MINOR: proxy: fix email-alert leak on deinit()
 * BUG/MINOR: proxy: fix log_tag leak on deinit()
 * BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
+ * MINOR: log: fix "http-send-name-header" ignore warning message
+
+-------------------------------------------------------------------
+Mon Jun 10 14:52:46 UTC 2024 - mrueckert@suse.de
+
+- Update to version 3.0.1+git0.471a1b2f1:
+ * [RELEASE] Released version 3.0.1
+ * BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE flag
+ * BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego
+ * BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts
+ * BUG/MINOR: quic: ensure Tx buf is always purged
 * BUG/MINOR: quic: fix computed length of emitted STREAM frames
- * [RELEASE] Released version 2.8.10
- * BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
- * BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
- * BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
- * BUG/MAJOR: server: do not delete srv referenced by session
- * MINOR: session: rename private conns elements
- * BUG/MEDIUM: quic: fix connection freeze on post handshake
- * BUG/MEDIUM: server: fix dynamic servers initial settings
+ * BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL
 * BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
+ * BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during nego
 * CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
 * BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
 * BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
@@ -111,185 +525,68 @@ Thu Dec 05 11:40:44 UTC 2024 - varkoly@suse.com
 * BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
 * CLEANUP: hlua: use hlua_pusherror() where relevant
 * BUG/MINOR: quic: prevent crash on qc_kill_conn()
+ * BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be released
+ * MEDIUM: stconn: Be able to unblock zero-copy data forwarding from done_fastfwd
+ * BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
 * BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
+ * DOC: configuration: add an example for keywords from crt-store
 * BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
 * BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
 * BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
- * BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
- * BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
- * CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
- * BUILD: fd: errno is also needed without poll()
- * CI: scripts: fix build of vtest regarding option -C
- * REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
- * DOC: config: fix incorrect section reference about custom log format
- * DOC: quic: specify that connection migration is not supported
- * BUG/MINOR: server: Don't reset resolver options on a new default-server line
- * BUG/MINOR: http-htx: Support default path during scheme based normalization
- * BUG/MINOR: quic: adjust restriction for stateless reset emission
- * MEDIUM: config: prevent communication with privileged ports
- * BUILD: quic: fix unused variable warning when threads are disabled
- * BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
- * BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
- * BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
- * BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
- * DOC: configuration: update the crt-list documentation
- * CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
- * BUG/MINOR: stats: Don't state the 303 redirect response is chunked
- * BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header
- * BUG/MEDIUM: fd: prevent memory waste in fdtab array
- * BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
- * BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
- * BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
- * BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
- * BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
- * BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
- * BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
- * BUG/MINOR: log: smp_rgs array issues with inherited global log directives
- * BUG/MINOR: log: keep the ref in dup_logger()
- * MINOR: log: add dup_logsrv() helper function
- * DOC: lua: fix filters.txt file location
- * BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
- * BUILD: clock: improve check for pthread_getcpuclockid()
- * BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
- * BUG/MINOR: h1: fix detection of upper bytes in the URI
- * BUG/MINOR: backend: use cum_sess counters instead of cum_conn
- * BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
- * BUG/MINOR: sock: handle a weird condition with connect()
- * BUG/MINOR: stconn: Fix sc_mux_strm() return value
- * BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
- * BUG/MINOR: server: fix slowstart behavior
- * BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
- * BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
- * BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
- * BUG/MEDIUM: evports: do not clear returned events list on signal
- * BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
- * BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
- * MINOR: net_helper: Add support for floats/doubles.
- * CI: revert kernel addr randomization introduced in 3a0fc864
- * BUG/MEDIUM: peers/trace: fix crash when listing event types
- * BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
- * BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
- * BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection
- * CLEANUP: log: lf_text_len() returns a pointer not an integer
- * BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
- * BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
- * BUG/MINOR: log: fix lf_text_len() truncate inconsistency
- * BUG/MINOR: listener: always assign distinct IDs to shards
- * BUG/MINOR: cli: Report an error to user if command or payload is too big
- * [RELEASE] Released version 2.8.9
- * BUILD: proxy: Replace free_logformat_list() to manually release log-format
- * [RELEASE] Released version 2.8.8
- * BUG/MINOR: proxy: fix logformat expression leak in use_backend rules
- * BUG/MINOR: backend: properly handle redispatch 0
- * BUG/MINOR: server: ignore 'enabled' for dynamic servers
- * BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n
- * MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
- * MINOR: server: allow cookie for dynamic servers
- * BUG/MINOR: server: fix persistence cookie for dynamic servers
- * BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities
- * BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message
- * BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
- * OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}
- * BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
- * BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet
- * BUG/MEDIUM: ssl: Fix crash in ocsp-update log function
- * BUG/MINOR: session: ensure conn owner is set after insert into session
- * BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
- * CI: temporarily adjust kernel entropy to work with ASAN/clang
- * BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
- * BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
- * BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
- * BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
- * BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
- * MINOR: hlua: use accessors for stream hlua ctx
- * DEBUG: lua: precisely identify if stream is stuck inside lua or not
- * BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()
- * BUG/MINOR: hlua: missing lock in hlua_filter_new()
- * BUG/MINOR: hlua: segfault when loading the same filter from different contexts
- * BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
- * DOC: configuration: clarify ciphersuites usage (V2)
- * BUILD: solaris: fix compilation errors
- * BUG/MINOR: cfgparse: report proper location for log-format-sd errors
- * BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description
- * CI: skip scheduled builds on forks
- * BUG/MINOR: sink: fix a race condition in the TCP log forwarding code
- * BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
- * BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
- * BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
- * BUG/MINOR: hlua: improper lock usage in hlua_filter_new()
- * BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()
- * BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
- * BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
- * BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
- * BUG/MINOR: tools: seed the statistical PRNG slightly better
- * MINOR: hlua: Be able to disable logging from lua
- * BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
- * BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
- * DOC: configuration: clarify ciphersuites usage
- * LICENSE: http_ext: fix GPL license version
- * LICENSE: event_hdl: fix GPL license version
- * BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
- * BUG/MINOR: ist: only store NUL byte on succeeded alloc
- * BUG/MINOR: quic: fix output of show quic
- * BUG/MAJOR: server: fix stream crash due to deleted server
- * BUG/MINOR: stats: drop srv refcount on early release
- * BUG/MINOR: ist: allocate nul byte on istdup
- * MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
- * DOC: quic: fix recommandation for bind on multiple address
- * BUG/MEDIUM: quic: fix transient send error with listener socket
- * BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
- * BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
- * BUG/MEDIUM: applet: Immediately free appctx on early error
- * DOC: quic: Missing tuning setting in "Global parameters"
- * BUG/MINOR: qpack: reject invalid dynamic table capacity
- * BUG/MINOR: qpack: reject invalid increment count decoding
- * BUG/MINOR: quic: reject HANDSHAKE_DONE as server
- * BUG/MINOR: quic: reject unknown frame type
- * BUG/MAJOR: promex: fix crash on deleted server
- * MINOR: connection: add sample fetches to report per-connection glitches
- * MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
- * MINOR: connection: add a new mux_ctl to report number of connection glitches
- * MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
- * MINOR: mux-h2: always use h2c_report_glitch()
- * MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
- * MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
- * BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control
- * MINOR: mux-h2: add a counter of "glitches" on a connection
- * [RELEASE] Released version 2.8.7
+
+-------------------------------------------------------------------
+Fri May 31 12:07:48 UTC 2024 - Marcus Rueckert
+
+- AppArmor: allow haproxy to read the files needed for the
+ "p post_mortem" support
+
+-------------------------------------------------------------------
+Wed May 29 14:00:25 UTC 2024 - mrueckert@suse.de
+
+- Update to version 3.0.0+git0.5590ada47:
+ https://www.haproxy.com/blog/announcing-haproxy-3-0
+ https://www.mail-archive.com/haproxy@formilux.org/msg44993.html
+
+-------------------------------------------------------------------
+Mon Feb 26 19:55:05 UTC 2024 - mrueckert@suse.de
+
+- Update to version 2.9.6+git0.9eafce5dc:
+ * [RELEASE] Released version 2.9.6
 * BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
- * [RELEASE] Released version 2.8.6
- * DEV: makefile: fix POSIX compatibility for "range" target
- * DEV: makefile: add a new "range" target to iteratively build all commits
- * CI: Update to actions/cache@v4
- * DOC: internal: update missing data types in peers-v2.0.txt
- * DOC: install: recommend pcre2
- * DOC: httpclient: add dedicated httpclient section
- * DOC: configuration: clarify http-request wait-for-body
- * BUILD: address a few remaining calloc(size, n) cases
- * BUG/MINOR: ext-check: cannot use without preserve-env
- * MINOR: ext-check: add an option to preserve environment variables
- * BUG/MINOR: diag: run the final diags before quitting when using -c
- * BUG/MINOR: diag: always show the version before dumping a diag warning
- * MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
+ * BUG/MAJOR: promex: fix crash on deleted server
+
+-------------------------------------------------------------------
+Mon Feb 26 19:54:49 UTC 2024 - mrueckert@suse.de
+
+- Update to version 2.9.5+git0.260dbb8a6:
+ * [RELEASE] Released version 2.9.5
+ * BUG/MEDIUM: mux-h2: Don't report error on SE for closed H2 streams
+ * BUG/MEDIUM: mux-h2: Don't report error on SE if error is only pending on H2C
+ * BUG/MEDIUM: mux-h2: Only Report H2C error on read error if demux buffer is empty
+ * BUG/MEDIUM: mux-h2: Switch pending error to error if demux buffer is empty
+ * MINOR: muxes/applet: Simplify checks on options to disable zero-copy forwarding
+ * BUG/MAJOR: stconn: Check support for zero-copy forwarding on both sides
+ * MINOR: muxes: Announce support for zero-copy forwarding on consumer side
+ * MINOR: stconn: Add SE flag to announce zero-copy forwarding on consumer side
+ * MINOR: stconn: Rename SE_FL_MAY_FASTFWD and reorder bitfield
+ * CLEANUP: stconn: Move SE flags set by app layer at the end of the bitfield
+ * BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
+ * BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
 * MINOR: quic: Add a counter for reordered packets
 * MINOR: quic: Dynamic packet reordering threshold
 * MINOR: quic: Update K CUBIC calculation (RFC 9438)
 * BUG/MEDIUM: quic: Wrong K CUBIC calculation.
- * MINOR: quic: Stop using 1024th of a second.
- * BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
- * CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
- * BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
- * BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
- * BUG/MEDIUM: qpack: allow 6xx..9xx status codes
- * BUG/MEDIUM: h3: do not crash on invalid response status code
- * MINOR: h3: add traces for stream sending function
- * BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
- * MINOR: quic: extract qc_stream_buf free in a dedicated function
- * MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
- * CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
- * BUG/MEDIUM: mux-quic: report early error on stream
- * BUG/MINOR: h3: fix checking on NULL Tx buffer
 * BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
+ * BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
+ * BUILD: address a few remaining calloc(size, n) cases
+ * CI: Update to actions/cache@v4
+ * BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
+ * BUG/MINOR: vars/cli: fix missing LF after "get var" output
+ * DOC: internal: update missing data types in peers-v2.0.txt
+ * DOC: config: fix misplaced "bytes_{in,out}"
+ * DOC: config: fix typos for "bytes_{in,out}"
+ * DOC: config: fix misplaced "txn.conn_retries"
+ * DOC: install: recommend pcre2
 * REGTESTS: ssl: Add OCSP related tests
 * REGTESTS: ssl: Fix empty line in cli command input
 * BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
@@ -298,54 +595,143 @@ Thu Dec 05 11:40:44 UTC 2024 - varkoly@suse.com
 * MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
 * BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
 * BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
- * BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
- * BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
- * BUG/MEDIUM: h1: always reject the NUL character in header values
- * BUG/MINOR: h1-htx: properly initialize the err_pos field
- * BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
- * BUG/MINOR: h1: Don't support LF only at the end of chunks
- * BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
- * BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
- * BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
- * BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
- * BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
- * BUG/MINOR: vars/cli: fix missing LF after "get var" output
- * BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
- * REGTESTS: add a test to ensure map-ordering is preserved
- * MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
- * BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
- * MINOR: mux-h2/traces: clarify the "rejected H2 request" event
- * MINOR: mux-h2/traces: explicitly show the error/refused stream states
- * MINOR: mux-h2/traces: also suggest invalid header upon parsing error
 * MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
+ * BUILD: debug: remove leftover parentheses in ABORT_NOW()
 * MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
 * MINOR: debug: make sure calls to ha_crash_now() are never merged
 * MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
+ * MINOR: quic: Stop using 1024th of a second.
+ * BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
+ * CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
+ * BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
+ * BUILD: quic: Variable name typo inside a BUG_ON().
+ * BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
+ * BUG/MINOR: diag: run the final diags before quitting when using -c
+ * BUG/MINOR: diag: always show the version before dumping a diag warning
+
+-------------------------------------------------------------------
+Mon Feb 26 19:54:25 UTC 2024 - mrueckert@suse.de
+
+- Update to version 2.9.4+git0.4e071ad92:
+ * [RELEASE] Released version 2.9.4
+ * BUG/MEDIUM: h1: always reject the NUL character in header values
+ * BUG/MINOR: h1-htx: properly initialize the err_pos field
+ * DOC: httpclient: add dedicated httpclient section
+ * BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
+ * BUG/MINOR: h1: Don't support LF only at the end of chunks
+ * BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
+ * BUG/MEDIUM: qpack: allow 6xx..9xx status codes
+ * BUG/MEDIUM: h3: do not crash on invalid response status code
+ * MINOR: h3: add traces for stream sending function
+ * BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
+ * DOC: configuration: clarify http-request wait-for-body
+ * BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
+ * MINOR: quic: extract qc_stream_buf free in a dedicated function
+ * MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
+ * CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
+ * BUG/MINOR: quic: newreno QUIC congestion control algorithm no more available
+ * BUG/MEDIUM: cache: Fix crash when deleting secondary entry
+ * BUG/MINOR: hlua: fix uninitialized var in hlua_core_get_var()
+ * BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
+ * BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
+ * MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
+ * BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
+ * DOC: configuration: fix set-dst in actions keywords matrix
+ * BUG/MINOR: h3: fix checking on NULL Tx buffer
+
+-------------------------------------------------------------------
+Sun Feb 4 22:52:43 UTC 2024 - Georg Pfuetzenreuter
+
+- Set /run/haproxy as the default PID file and socket location
+ Adds haproxy-service.patch
+- Allow custom stats socket names
+
+-------------------------------------------------------------------
+Wed Jan 24 13:40:54 UTC 2024 - varkoly@suse.com
+
+- Update to version 2.9.3+git0.de3ab549a:
+ * [RELEASE] Released version 2.9.3
 * BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
 * BUG/MINOR: mux-h2: also count streams for refused ones
 * BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control
+ * BUILD: quic: missing include for quic_tp
+ * [RELEASE] Released version 2.9.2
 * DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay
+ * REGTESTS: add a test to ensure map-ordering is preserved
+ * BUG/MINOR: map: list-based matching potential ordering regression
+ * CLEANUP: quic: Double quic_dgram_parse() prototype declaration.
+ * MINOR: ssl: Update ssl_fc_curve/ssl_bc_curve to use SSL_get0_group_name
+ * MINOR: ot: logsrv struct becomes logger
 * MINOR: mux-h2: support limiting the total number of H2 streams per connection
 * BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
+ * BUG/MEDIUM: stconn: Set fsb date if zero-copy forwarding is blocked during nego
 * BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
 * BUG/MEDIUM: h3: fix incorrect snd_buf return value
+ * BUILD: quic: Missing quic_ssl.h header protection
 * CLEANUP: quic: Remaining useless code into server part
+ * REGTESTS: check attach-srv out of order declaration
+ * MINOR: debug: add features and build options to "show dev"
+ * MINOR: global: export a way to list build options
+ * CI: use semantic version compare for determing "latest" OpenSSL
+ * BUG/MINOR: h3: disable fast-forward on buffer alloc failure
 * BUG/MINOR: h3: close connection on sending alloc errors
 * BUG/MINOR: h3: properly handle alloc failure on finalize
+ * MINOR: h3: add traces for connection init stage
 * BUG/MINOR: h3: close connection on header list too big
 * MINOR: h3: check connection error during sending
 * BUG/MINOR: quic: Missing call to TLS message callbacks
 * BUG/MINOR: quic: Wrong keylog callback setting.
+ * BUG/MINOR: mux-quic: disable fast-fwd if connection on error
 * BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
+ * DOC: fix typo for fastfwd QUIC option
+ * BUG/MINOR: server/event_hdl: propagate map port info through inetaddr event
+ * MINOR: server/event_hdl: update _srv_event_hdl_prepare_inetaddr prototype
+ * MINOR: server/event_hdl: add server_inetaddr struct to facilitate event data usage
 * BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
 * MINOR: stats: store the parent proxy in stats ctx (http)
+ * BUG/MAJOR: stconn: Disable zero-copy forwarding if consumer is shut or in error
+ * BUG/MINOR: server: Use the configured address family for the initial resolution
 * DOC: config: Update documentation about local haproxy response
 * BUG/MINOR: resolvers: default resolvers fails when network not configured
+
+-------------------------------------------------------------------
+Fri Dec 15 15:15:07 UTC 2023 - varkoly@suse.com
+
+- Update to version 2.9.1+git0.f72603ceb:
+ * [RELEASE] Released version 2.9.1
+ * DOC: config: also add arguments to the converters in the table
+ * DOC: config: add arguments to sample fetch methods in the table
+ * BUG/MEDIUM: mux-quic: report early error on stream
 * BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
+ * CLEANUP: mux-h1: Fix a trace message about C-L header addition
+ * BUG/MEDIUM: mux-h1: Explicitly skip request's C-L header if not set originally
+ * BUG/MEDIUM: mux-h1: Cound data from input buf during zero-copy forwarding
+ * BUG/MEDIUM: stconn: Block zero-copy forwarding if EOS/ERROR on consumer side
 * BUG/MEDIUM: quic: QUIC CID removed from tree without locking
+ * MINOR: version: mention that it's stable now
+ * BUG/MINOR: ext-check: cannot use without preserve-env
+ * BUG/MEDIUM: map/acl: pat_ref_{set,delete}_by_id regressions
+ * BUILD: ssl: update types in wolfssl cert selection callback
 * BUG/MEDIUM: quic: Possible buffer overflow when building TLS
records * BUG/MINOR: mworker/cli: fix set severity-output support * DOC: configuration: typo req.ssl_hello_type + * BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA) + * BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate + * MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback + * BUG/MINOR: ssl: Double free of OCSP Certificate ID + +------------------------------------------------------------------- +Mon Dec 11 09:20:20 UTC 2023 - Dirk Müller + +- Update to version 2.9.0+git0.fddb8c13b: + new major branch: + https://www.haproxy.com/blog/announcing-haproxy-2-9 + https://www.mail-archive.com/haproxy@formilux.org/msg44400.html + +------------------------------------------------------------------- +Thu Dec 07 14:28:36 UTC 2023 - mrueckert@suse.de + +- Update to version 2.8.5+git0.aaba8d090: * [RELEASE] Released version 2.8.5 * BUG/MEDIUM: proxy: always initialize the default settings after init * BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA) @@ -391,6 +777,11 @@ Thu Dec 05 11:40:44 UTC 2024 - varkoly@suse.com * BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover() * BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover() * BUG/MAJOR: quic: complete thread migration before tcp-rules + +------------------------------------------------------------------- +Fri Nov 24 11:31:13 UTC 2023 - mrueckert@suse.de + +- Update to version 2.8.4+git0.a4ebf9d3b: * [RELEASE] Released version 2.8.4 * BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends * BUG/MINOR: stconn/applet: Report send activity only if there was output data @@ -581,7 +972,7 @@ Wed Aug 30 09:04:25 UTC 2023 - Peter Varkoly - Apply upstream patch for the ppc64le issue: Add patch: - 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch + 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch Remove patch: fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch 
@@ -1391,7 +1782,7 @@ Thu Dec 01 15:25:38 UTC 2022 - mrueckert@suse.de ------------------------------------------------------------------- Tue Nov 22 13:13:45 UTC 2022 - Marcus Rueckert -- reenable the pcre jit after the last change +- reenable the pcre jit after the last change ------------------------------------------------------------------- Fri Oct 14 11:20:34 UTC 2022 - Stephan Kulow @@ -2596,7 +2987,7 @@ Fri May 14 08:31:04 UTC 2021 - mrueckert@suse.de - Update to version 2.4.0+git0.6cbbecf09: https://www.haproxy.com/blog/announcing-haproxy-2-4/ - + for all the details see /usr/share/doc/packages/haproxy/CHANGELOG - refreshed patches to apply cleanly again haproxy-1.6.0-makefile_lib.patch @@ -3158,7 +3549,7 @@ Sat Oct 24 01:18:29 UTC 2020 - Marcus Rueckert ------------------------------------------------------------------- Fri Oct 2 14:38:51 UTC 2020 - Marcus Rueckert -- use parallel build +- use parallel build ------------------------------------------------------------------- Fri Oct 02 14:37:00 UTC 2020 - mrueckert@suse.de @@ -4833,7 +5224,7 @@ Sun Mar 4 08:36:21 UTC 2018 - jengelh@inai.de ------------------------------------------------------------------- Fri Mar 2 16:37:25 UTC 2018 - kgronlund@suse.com -- Ensure haproxy home directory is not world readable (bsc#1077716) +- Ensure haproxy home directory is not world readable (bsc#1077716) ------------------------------------------------------------------- Thu Feb 08 13:15:17 UTC 2018 - kgronlund@suse.com @@ -4892,7 +5283,7 @@ Thu Feb 08 13:15:17 UTC 2018 - kgronlund@suse.com ------------------------------------------------------------------- Thu Feb 8 07:21:58 UTC 2018 - kgronlund@suse.com -- Add dependency on apparmor-profiles (bsc#1079985) +- Add dependency on apparmor-profiles (bsc#1079985) ------------------------------------------------------------------- Sun Dec 31 02:26:13 UTC 2017 - mrueckert@suse.de 
@@ -5019,7 +5410,7 @@ Mon Dec 04 10:33:40 UTC 2017 - kgronlund@suse.com ------------------------------------------------------------------- Tue Nov 28 13:54:07 UTC 2017 - kgronlund@suse.com -- License is now GPL-3.0+ and LGPL-2.1+ +- License is now GPL-3.0+ and LGPL-2.1+ ------------------------------------------------------------------- Mon Nov 27 13:40:32 UTC 2017 - mrueckert@suse.de @@ -6226,7 +6617,7 @@ Wed Nov 26 11:50:42 UTC 2014 - mrueckert@suse.de - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch - - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch + - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch ------------------------------------------------------------------- Thu Nov 20 06:56:23 UTC 2014 - kgronlund@suse.com @@ -6244,7 +6635,7 @@ Thu Nov 20 06:56:23 UTC 2014 - kgronlund@suse.com - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch - - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch + - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch ------------------------------------------------------------------- Sun Nov 09 21:52:00 UTC 2014 - Led @@ -6335,7 +6726,7 @@ Thu Oct 9 14:14:35 UTC 2014 - kgronlund@suse.com - BUG/MEDIUM: systemd: set KillMode to 'mixed' - Add patch: - - 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch + - 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch ------------------------------------------------------------------- Wed Oct 8 12:53:41 UTC 2014 - kgronlund@suse.com 
@@ -6383,7 +6774,7 @@ Mon Oct 6 09:09:58 UTC 2014 - kgronlund@suse.com - 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch - 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch - 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch - + ------------------------------------------------------------------- Thu Sep 25 16:10:08 UTC 2014 - kgronlund@suse.com @@ -6619,12 +7010,12 @@ Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de ------------------------------------------------------------------- Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com -- Install vim file to a more appropriate location +- Install vim file to a more appropriate location ------------------------------------------------------------------- Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com -- added pre macro for systemd service file +- added pre macro for systemd service file ------------------------------------------------------------------- Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com diff --git a/haproxy.spec b/haproxy.spec index f2b1fb4..38ebd85 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -1,7 +1,7 @@ # # spec file for package haproxy # -# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ %bcond_with quic %if 0%{?suse_version} >= 1230 @@ -46,12 +46,14 @@ %if 0%{?suse_version} >= 1500 %bcond_without sysusers +%bcond_without tmpfiles %else %bcond_with sysusers +%bcond_with tmpfiles %endif Name: haproxy -Version: 2.8.11+git0.01c1056a4 +Version: 3.1.5+git0.076df0292 Release: 0 # # 
@@ -96,9 +98,11 @@ Source2: usr.sbin.haproxy.apparmor
 Source3: local.usr.sbin.haproxy.apparmor
 Source4: haproxy.cfg
 Source5: haproxy-user.conf
+Source6: haproxy-tmpfiles.conf
 Patch1: haproxy-1.6.0_config_haproxy_user.patch
 Patch2: haproxy-1.6.0-makefile_lib.patch
 Patch3: haproxy-1.6.0-sec-options.patch
+Patch4: haproxy-service.patch
 #
 Source98: series
 Source99: haproxy-rpmlintrc
@@ -195,6 +199,9 @@ ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name}
 %if %{with sysusers}
 install -D -m 644 %{SOURCE5} %{buildroot}%{_sysusersdir}/haproxy-user.conf
 %endif
+%if %{with tmpfiles}
+install -D -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+%endif
 %else
 install -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
 ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
@@ -224,6 +231,11 @@ rm examples/*init*
 %if %{with apparmor} && %{with apparmor_reload}
 %apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
 %endif
+%if %{with systemd}
+%if %{with tmpfiles}
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%endif
+%endif
 %service_add_post %{pkg_name}.service
 %preun
@@ -258,7 +270,7 @@ getent passwd %{pkg_name} >/dev/null || \
 %files
 %defattr(-,root,root,-)
 %license LICENSE
-%doc CHANGELOG README
+%doc CHANGELOG README.md
 %doc doc/* examples/
 %doc admin/netsnmp-perl/ admin/selinux/
 %dir %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
@@ -268,6 +280,10 @@ getent passwd %{pkg_name} >/dev/null || \
 %if %{with sysusers}
 %{_sysusersdir}/haproxy-user.conf
 %endif
+%if %{with tmpfiles}
+%{_tmpfilesdir}/%{name}.conf
+%dir %ghost %{_rundir}/%{name}
+%endif
 %else
 %config(noreplace) %{_sysconfdir}/init.d/%{pkg_name}
 %endif
diff --git a/series b/series
index 67324f1..8ead05e 100644
--- a/series
+++ b/series
@@ -1,3 +1,4 @@
 haproxy-1.6.0_config_haproxy_user.patch
 haproxy-1.6.0-makefile_lib.patch
 haproxy-1.6.0-sec-options.patch
+haproxy-service.patch
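Review bot: The new tmpfiles lines spell the package name as `%{name}` (`%{_tmpfilesdir}/%{name}.conf` in the `@@ -195,6 +199,9 @@` install hunk, and again in the `@@ -224,6 +231,11 @@` scriptlet hunk and the `@@ -268,6 +280,10 @@` `%files` hunk), while every surrounding context line uses `%{pkg_name}`. The definition of `pkg_name` is outside these hunks, so the two may expand to the same string today; if they ever diverge, the tmpfiles entries would stay consistent with each other but no longer match the service and configuration paths. Keeping one convention, e.g. `install -D -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/%{pkg_name}.conf`, avoids that.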
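Review bot: In the `%files` hunk (`@@ -268,6 +280,10 @@`), `%dir %ghost %{_rundir}/%{name}` carries no `%attr`, unlike `%dir %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}` in the hunk above it, so the owner and mode of the runtime directory are decided only by haproxy-tmpfiles.conf, whose content is not shown in this part of the patch. According to the changelog entry that directory becomes the default PID file and socket location, so it should be confirmed that the tmpfiles entry creates it with a restrictive mode and the intended owner and group, and the same values stated in the spec as `%dir %ghost %attr(MODE,OWNER,GROUP) %{_rundir}/%{name}` (placeholders, to be taken from the tmpfiles entry). A one-line comment above the entry, `# created at boot by systemd-tmpfiles, see haproxy-tmpfiles.conf`, would explain the `%ghost`. The enclosing `%if`/`%else` block starts outside this hunk.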
diff --git a/usr.sbin.haproxy.apparmor b/usr.sbin.haproxy.apparmor
index dc3402a..900faa1 100644
--- a/usr.sbin.haproxy.apparmor
+++ b/usr.sbin.haproxy.apparmor
@@ -28,13 +28,33 @@ profile haproxy /usr/sbin/haproxy {
 /dev/shm/haproxy_startup_logs_* rwlk,
+ # old stats socket location, for compatibility
 /var/lib/haproxy/stats rwl,
 /var/lib/haproxy/stats.*.bak rwl,
 /var/lib/haproxy/stats.*.tmp rwl,
- /{,var/}run/haproxy.pid rw,
- /{,var/}run/haproxy-master.sock* rwlk,
+ # new stats socket location
+ /run/haproxy/stats*.sock{,*.{bak,tmp}} rwl,
+ /{,var/}run/haproxy/pid rw,
+ /{,var/}run/haproxy/master.sock* rwlk,
+
+ # This is for the additional debug output in haproxy >= 2.9
+ # can be accessed with "p post_mortem" in gdb
 /sys/devices/system/node/ r,
+ /sys/devices/system/node/*/cpumap r,
+ /sys/devices/system/cpu/online r,
+ /sys/class/dmi/id/sys_vendor r,
+ /sys/devices/virtual/dmi/id/sys_vendor r,
+ /sys/class/dmi/id/product_family r,
+ /sys/devices/virtual/dmi/id/product_family r,
+ /sys/class/dmi/id/product_name r,
+ /sys/devices/virtual/dmi/id/product_name r,
+ /sys/class/dmi/id/board_vendor r,
+ /sys/firmware/devicetree/base/model r,
+ /sys/class/dmi/id/board_name r,
+ /proc/2/status r,
+ /proc/cpuinfo r,
+ # end of debug.c files
 # Site-specific additions and overrides. See local/README for details.
 #include if exists
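Review bot: The hunk keeps the old stats socket rules "for compatibility" but removes `/{,var/}run/haproxy.pid rw,` and `/{,var/}run/haproxy-master.sock* rwlk,` outright, so an installation whose haproxy.cfg or unit override still names the old PID file or master socket would be denied by the profile after the update. If the removal is deliberate tightening, a comment saying so belongs next to the new rules; otherwise the two old rules should stay under a `# old pid/master socket location, for compatibility` comment. The new stats rule is written as `/run/haproxy/stats*.sock{,*.{bak,tmp}}` while the two rules below it use `/{,var/}run/`, and one spelling for all three would be easier to audit. `/proc/2/status r,` should get its own comment stating why a fixed PID is read, since the "debug.c files" remark does not explain it. The profile block opens above this hunk and closes below it.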