SLFO-pool/haproxy
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: SLFO-pool:main
Branches Tags
SLFO-pool:main
SLFO-pool:1.1
...
pull from: SLFO-pool:1.1
Branches Tags
SLFO-pool:1.1
SLFO-pool:main

1 Commits
main ... 1.1

Author SHA256 Message Date
Adrian Schröter
736a26b918 Sync from SUSE:SLFO:1.1 haproxy revision 4609f6e4d9a8133f1390fe5c8314a289 2025-03-05 15:41:23 +01:00
13 changed files with 243 additions and 615 deletions
Show Stats Expand all files Collapse all files

4
_service
View File

@ -1,12 +1,12 @@
<services>
<service name="tar_scm" mode="manual">
<param name="url">http://git.haproxy.org/git/haproxy-3.1.git/</param>
<param name="url">http://git.haproxy.org/git/haproxy-2.8.git</param>
<param name="scm">git</param>
<param name="filename">haproxy</param>
<param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
<param name="revision">v3.1.3</param>
<param name="revision">v2.8.11</param>
<param name="changesgenerate">enable</param>
</service>

4
_servicedata
View File

@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">http://git.haproxy.org/git/haproxy-3.1.git/</param>
<param name="changesrevision">929bedf83c79cfb8e4eb40921539cd135f8ec818</param>
<param name="url">http://git.haproxy.org/git/haproxy-2.8.git</param>
<param name="changesrevision">01c1056a44823c5ffb8f74660b32c099d9b5355b</param>
</service>
</servicedata>

10
haproxy-1.6.0-makefile_lib.patch
View File

@ -1,8 +1,8 @@
Index: haproxy-3.0/Makefile
Index: haproxy-2.8/Makefile
===================================================================
--- haproxy-3.0.orig/Makefile
+++ haproxy-3.0/Makefile
@@ -784,7 +784,7 @@ ifneq ($(USE_PCRE:0=)$(USE_STATIC_PCRE:0
--- haproxy-2.8.orig/Makefile
+++ haproxy-2.8/Makefile
@@ -750,7 +750,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
PCREDIR := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo /usr/local)
ifneq ($(PCREDIR),)
PCRE_INC := $(PCREDIR)/include
@ -11,7 +11,7 @@ Index: haproxy-3.0/Makefile
endif
PCRE_CFLAGS := $(if $(PCRE_INC),-I$(PCRE_INC))
@@ -802,7 +802,7 @@ ifneq ($(USE_PCRE2:0=)$(USE_STATIC_PCRE2
@@ -768,7 +768,7 @@ ifneq ($(USE_PCRE2)$(USE_STATIC_PCRE2)$(
PCRE2DIR := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo /usr/local)
ifneq ($(PCRE2DIR),)
PCRE2_INC := $(PCRE2DIR)/include

8
haproxy-1.6.0-sec-options.patch
View File

@ -4,11 +4,11 @@ Date: Mon Jun 17 13:00:08 2019 +0000
SUSE: Makefile sec options
Index: haproxy-3.0/Makefile
Index: haproxy-2.8/Makefile
===================================================================
--- haproxy-3.0.orig/Makefile
+++ haproxy-3.0/Makefile
@@ -887,6 +887,35 @@ ifneq ($(TRACE),)
--- haproxy-2.8.orig/Makefile
+++ haproxy-2.8/Makefile
@@ -849,6 +849,35 @@ ifneq ($(TRACE),)
COPTS += -finstrument-functions
endif

BIN
haproxy-2.8.11+git0.01c1056a4.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
haproxy-3.1.3+git0.929bedf83.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

11
haproxy-service.patch
View File

@ -1,11 +0,0 @@
--- a/admin/systemd/haproxy.service.in 2024-01-18 15:32:19.000000000 +0100
+++ b/admin/systemd/haproxy.service.in 2024-02-04 23:58:30.873980359 +0100
@@ -6,7 +6,7 @@
[Service]
EnvironmentFile=-/etc/default/haproxy
EnvironmentFile=-/etc/sysconfig/haproxy
-Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/pid" "EXTRAOPTS=-S /run/haproxy/master.sock"
ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
ExecReload=@SBINDIR@/haproxy -Ws -f $CONFIG -c $EXTRAOPTS
ExecReload=/bin/kill -USR2 $MAINPID

1
haproxy-tmpfiles.conf
View File

@ -1 +0,0 @@
D /run/haproxy 0750 root haproxy

2
haproxy.cfg
View File

@ -5,7 +5,7 @@ global
user haproxy
group haproxy
daemon
stats socket /run/haproxy/stats.sock user haproxy group haproxy mode 0640 level operator
stats socket /var/lib/haproxy/stats user haproxy group haproxy mode 0640 level operator
tune.bufsize 32768
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

740
haproxy.changes
View File

@ -1,286 +1,30 @@
-------------------------------------------------------------------
Wed Jan 29 15:41:08 UTC 2025 - mrueckert@suse.de
Thu Dec 05 11:40:44 UTC 2024 - varkoly@suse.com
- Update to version 3.1.3+git0.929bedf83:
* [RELEASE] Released version 3.1.3
* BUILD: ssl: more cleaner approach to WolfSSL without renegotiation
* BUILD: ssl: allow to build without the renegotiation API of WolfSSL
* CLEANUP: quic: remove unused prototype
* BUG/MINOR: stream: Properly handle "on-marked-up shutdown-backup-sessions"
* BUG/MINOR: ssl: put ssl_sock_load_ca under SSL_NO_GENERATE_CERTIFICATES
* BUG/MINOR: quic: do not increase congestion window if app limited
* BUG/MEDIUM: mux-h1: Properly close H1C if an error is reported before sending data
* BUILD: quic: Move an ASSUME_NONNULL() for variable which is not null
* MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount
* BUG/MINOR: quic: ensure a detached coalesced packet can't access its neighbours
* BUG/MINOR: init: set HAPROXY_STARTUP_VERSION from the variable, not the macro
* BUG/MAJOR: log/sink: possible sink collision in sink_new_from_srv()
* BUG/MAJOR: quic: reject too large CRYPTO frames
* BUG/MEDIUM: promex: Use right context pointers to dump backends extra-counters
* BUG/MEDIUM: stktable: fix missing lock on some table converters
* BUG/MINOR: quic: reject NEW_TOKEN frames from clients
* BUG/MINOR: stktable: fix big-endian compatiblity in smp_to_stkey()
-------------------------------------------------------------------
Wed Jan 29 15:40:52 UTC 2025 - mrueckert@suse.de
- Update to version 3.1.2+git0.cda631a79:
* [RELEASE] Released version 3.1.2
* BUG/MEDIUM: h1-htx: Properly handle bodyless messages
* BUG/MEDIUM: promex/resolvers: Don't dump metrics if no nameserver is defined
* BUG/MINOR: mux-quic: handle closure of uni-stream
* MINOR: mux-quic: change return value of qcs_attach_sc()
* MINOR: mux-quic: add traces on sd attach
* BUG/MINOR: mux-quic: fix wakeup on qcc_set_error()
* MINOR: config: Alert about extra arguments for errorfile and errorloc
* BUG/MINOR: log: Allow to use if/unless conditionnals for do-log action
* BUG/MEDIUM: mux-quic: do not attach on already closed stream
* BUG/MAJOR: mux-quic: properly fix BUG_ON on empty STREAM emission
* Revert "BUG/MAJOR: mux-quic: fix BUG_ON on empty STREAM emission"
* BUG/MEDIUM: mux-h2: Count copied data when looping on RX bufs in h2_rcv_buf()
* BUG/MAJOR: mux-quic: fix BUG_ON on empty STREAM emission
* DOC: config: add missing "track-sc0" in action keywords matrix
* BUG/MINOR: stats: fix segfault caused by uninitialized value in "show schema json"
* BUG/MEDIUM: queue: Make process_srv_queue return the number of streams
* MINOR: hlua: rename "tune.lua.preserve-smp-bool" to "tune.lua.bool-sample-conversion"
* BUG/MINOR: h2/rhttp: fix HTTP2 conn counters on reverse
* CLEANUP: mux-quic: remove dead err label in qcc_build_frms()
* BUG/MEDIUM: mux-quic: prevent BUG_ON() by refreshing frms on MAX_DATA
* REGTESTS: fix lua-based regtests using tune.lua.smp-preserve-bool
* MINOR: hlua: add option to preserve bool type from smp to lua
* DOC: config: add "tune.lua.burst-timeout" to the list of global parameters
* DOC: config: reorder "tune.lua.*" keywords by alphabetical order
* DOC: config: add example for server "track" keyword
* MINOR: mux-quic: hide traces when woken up on pacing only
* MINOR: trace: implement tracing disabling API
* MEDIUM: mux-quic: remove pacing specific code on qcc_io_cb
* MEDIUM/OPTIM: mux-quic: do not rebuild frms list on every send
* MINOR: mux-quic: split STREAM and RS/SS emission
* MINOR: mux-quic: extract code to build STREAM frames list
* MEDIUM/OPTIM: mux-quic: implement purg_list
* MEDIUM/OPTIM: mux-quic: define a recv_list for demux resumption
* MINOR: mux-quic: refactor wait-for-handshake support
* MINOR: quic: add traces
* CLEANUP: mux-quic: remove unused qcc member send_retry_list
* BUG/MEDIUM: mux-quic: do not mix qcc_io_send() return codes with pacing
* BUILD: debug: only dump/reset glitch counters when really defined
* BUG/MEDIUM: queues: Do not use pendconn_grab_from_px().
* BUG/MEDIUM: queues: Make sure we call process_srv_queue() when leaving
* BUG/MEDIUM: stconn: Only consider I/O timers to update stream's expiration date
* CLEANUP: quic: Rename some BBR functions in relation with bw probing
* BUG/MINOR: quic: missing Startup accelerating probing bw states
* REGTESTS: ssl: add a PEM with mix of LF and CRLF line endings
* BUG/MINOR: cli: cli_snd_buf: preserve \r\n for payload lines
* BUG/MINOR: quic: too permissive exit condition for high loss detection in Startup (BBR)
* BUG/MINOR: quic: fix the wrong tracked recovery start time value
* CLEANUP: quic: remove a wrong comment about ->app_limited (drs)
* MINOR: quic: reduce the private data size of QUIC cc algos
* BUG/MINOR: quic: reduce packet losses at least during ProbeBW_CRUISE (BBR)
* BUG/MINOR: quic: underflow issue for bbr_inflight_hi_from_lost_packet()
* BUG/MINOR: quic: remove max_bw filter from delivery rate sampling
* BUG/MINOR: quic: wrong bbr_target_inflight() implementation
* BUG/MINOR: quic: fix BBB max bandwidth oscillation issue.
* BUG/MINOR: quic: wrong logical statement in in_recovery_period() (BBR)
* MINOR: window_filter: rely on the time to update the filter samples (QUIC/BBR)
-------------------------------------------------------------------
Thu Dec 12 15:13:23 UTC 2024 - mrueckert@suse.de
- Update to version 3.1.1+git0.717960de0:
* [RELEASE] Released version 3.1.1
* BUG/MINOR: hlua_fcn: restore server pairs iterator pointer consistency
* BUG/MINOR: server-state: Fix expiration date of srvrq_check tasks
* BUG/MINOR: http-fetch: Ignore empty argument string for query()
* BUG/MEDIUM: stats/server: use watcher to track server during stats dump
* MINOR: list: define a watcher type
* BUG/MINOR: stats: decrement srv refcount on stats-file release
* BUG/MINOR: resolvers: handle a possible strdup() failure
* BUG/MINOR: ssl_crtlist: handle a possible strdup() failure
* BUG/MINOR: namespace: handle a possible strdup() failure
* BUG/MEDIUM: mworker: report status, if daemonized master fails
* BUG/MEDIUM: startup: report status if daemonized process fails
* BUG/MEDIUM: startup: don't daemonize if started with -c
* BUG/MINOR: startup: fix error path for master, if can't open pidfile
* BUG/MINOR: mworker: fix -D -W -sf/-st modes
* BUG/MINOR: mworker: don't save program PIDs in oldpids
* BUG/MINOR: mux-h2: fix expression when detecting excess of CONTINUATION frames
* MINOR: mux-h2/glitches: add a description to the H2 glitches
* CLEANUP: mux-h2/traces: reword certain ambiguous traces
* MINOR: mux-h2/traces: add a missing trace on negative initial window size
* BUILD: debug: fix build issues in COUNT_IF() with -Wunused-value
* BUG/MINOR: debug: COUNT_IF() should return true/false
* DOC: config: fix confusing init-state examples
* BUG/MINOR: config: Fix parsing of accept-invalid-http-{request,response}
* BUG/MEDIUM: mux-h2: make sure not to touch dummy streams when sending WU
* BUG/MINOR: quic: remove startup alert if GSO unsupported
* BUG/MINOR: quic: remove startup alert if conn socket-owner unsupported
* BUG/MEDIUM: mux-quic: remove pacing status when everything is sent
* BUG/MINOR: init: do not call fork_poller() for non-forked processes
* BUG/MEDIUM: init: make sure only daemonized processes change their session
* BUG/MINOR: quic: fix bbr_inflight() calls with wrong gain value
* BUG/MINOR: startup: fix pidfile creation
* BUG/MINOR: startup: close pidfd and free global.pidfile in handle_pidfile()
* BUG/MINOR: signal: register default handler for SIGINT in signal_init()
* BUILD: quic: fix a build error about an non initialized timestamp
* BUG/MINOR: h1-htx: Use default reason if not set when formatting the response
* BUG/MEDIUM: http-ana: Reset request flag about data sent to perform a L7 retry
* BUG/MEDIUM: quic: prevent stream freeze on pacing
* BUG/MEDIUM: event_hdl: fix uninitialized value in async mode when no data is provided
* BUG/MINOR: improve BBR throughput on very fast links
* BUG/MINOR: log: fix lf_text() behavior with empty string
* MINOR: proxy: Add support of 421-Misdirected-Request in retry-on status
* BUG/MEDIUM: sock: Remove FD_POLL_HUP during connect() if FD_POLL_ERR is not set
-------------------------------------------------------------------
Tue Nov 26 14:57:39 UTC 2024 - mrueckert@suse.de
- Update to version 3.1.0+git0.f2b97918e:
https://www.mail-archive.com/haproxy@formilux.org/msg45435.html
https://www.haproxy.com/blog/announcing-haproxy-3-1
-------------------------------------------------------------------
Thu Nov 07 18:40:53 UTC 2024 - mrueckert@suse.de
- Update to version 3.0.6+git0.c2c009086:
* [RELEASE] Released version 3.0.6
* MINOR: debug: move the "recover now" warn message after the optional notes
* BUILD: Missing inclusion header for ssize_t type
* BUILD: debug: also declare strlen() in __ABORT_NOW()
* DEBUG: wdt: add a stats counter "BlockedTrafficWarnings" in show info
* DEBUG: wdt: make the blocked traffic warning delay configurable
* DEBUG: cli: make it possible for "debug dev loop" to trigger warnings
* DEBUG: wdt: better detect apparently locked up threads and warn about them
* MINOR: debug: add a function to dump a stuck thread
* MINOR: wdt: move the local timers to a struct
* MINOR: debug: remove the redundant process.thread_info array from post_mortem
* MINOR: debug: also add fdtab and acitvity to struct post_mortem
* MINOR: debug: also add a pointer to struct global to post_mortem
* MINOR: debug: do not limit backtraces to stuck threads
* MINOR: debug: print gdb hints when crashing
* MINOR: connection: add new sample fetch functions fc_err_name and bc_err_name
* MINOR: rawsock: set connection error codes when returning from recv/send/splice
* MINOR: connection: add more connection error codes to cover common errno
* BUG/MINOR: stats: Fix the name for the total number of streams created
* MINOR: stream/stats: Expose the total number of streams ever created in stats
* MINOR: stream/stats: Expose the current number of streams in stats
* MINOR: cli/debug: show dev: add cmdline and version
* BUG/MINOR: quic: fix malformed probing packet building
* CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry
* DOC: config: document connection error 44 (reverse connect failure)
* BUG/MEDIUM: promex: Fix dump of extra counters
* MINOR: stream: Save last evaluated rule on invalid yield
* BUG/MINOR: http-ana: Report internal error if an action yields on a final eval
* BUG/MEDIUM: mux-h1: Fix how timeouts are applied on H1 connections
* DOC: config: add missing glitch_{cnt,rate} sample definitions
* DOC: config: add missing glitch_{cnt,rate} data types
* BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly
* BUG/MINOR: trace: stop rewriting argv with -dt
* MINOR: cli: remove non-printable characters from 'debug dev fd'
* MINOR: debug: store important pointers in post_mortem
* MINOR: debug: place the post_mortem struct in its own section.
* MINOR: debug: place a magic pattern at the beginning of post_mortem
* MINOR: pools: export the pools variable
* BUILD: debug: silence a build warning with threads disabled
* BUG/MEDIUM: server: fix race on servers_list during server deletion
* BUG/MINOR: stconn: Don't disable 0-copy FF if EOS was reported on consumer side
* BUG/MINOR: http-ana: Fix wrong client abort reports during responses forwarding
* BUG/MEDIUM: stconn: Report blocked send if sends are blocked by an error
* BUG/MINOR: server: fix dynamic server leak with check on failed init
* MINOR: activity/memprofile: show per-DSO stats
* MINOR: activity/memprofile: always return "other" bin on NULL return address
* BUG/MEDIUM: connection/http-reuse: fix address collision on unhandled address families
* BUG/MEDIUM: mux-h2: Remove H2S from send list if data are sent via 0-copy FF
* BUG/MEDIUM: stats-html: Never dump more data than expected during 0-copy FF
* BUG/MINOR: mux-quic: do not close STREAM with empty FIN if no data sent
* BUG/MINOR: mworker: fix mworker-max-reloads parser
* DOC: config: fix rfc7239 forwarded typo in desc
* BUG/MEDIUM: quic: avoid freezing 0RTT connections
* BUG/MINOR: quic: avoid leaking post handshake frames
* REGTESTS: Never reuse server connection in http-messaging/truncated.vtc
* BUG/MAJOR: filters/htx: Add a flag to state the payload is altered by a filter
* BUG/MEDIUM: stconn: Check FF data of SC to perform a shutdown in sc_notify()
* BUG/MINOR: http-ana: Don't report a server abort if response payload is invalid
* BUG/MEDIUM: stconn: Wait iobuf is empty to shut SE down during a check send
* BUG/MINOR: httpclient: return NULL when no proxy available during httpclient_new()
* BUG/MEDIUM: queue: make sure never to queue when there's no more served conns
* BUG/MEDIUM: mux-quic: ensure timeout server is active for short requests
* BUG/MEDIUM: hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}()
* BUG/MEDIUM: hlua: make hlua_ctx_renew() safe
* BUG/MEDIUM: server: server stuck in maintenance after FQDN change
* MEDIUM: debug: on panic, make the target thread automatically allocate its buf
* MINOR: debug: replace ha_thread_dump() with its two components
* MINOR: debug: make ha_thread_dump_done() take the pointer to be used
* MINOR: debug: slightly change the thread_dump_pointer signification
* MINOR: debug: split ha_thread_dump() in two parts
* MINOR: chunk: drop the global thread_dump_buffer
* MINOR: debug: make mark_tainted() return the previous value
* BUG/MINOR: http-ana: Disable fast-fwd for unfinished req waiting for upgrade
* BUG/MINOR: mux-h1: Fix condition to set EOI on SE during zero-copy forwarding
* BUG/MEDIUM: queue: always dequeue the backend when redistributing the last server
* MINOR: server: make srv_shutdown_sessions() call pendconn_redistribute()
* BUG/MINOR: queue: make sure that maintenance redispatches server queue
* BUG/MEDIUM: stream: make stream_shutdown() async-safe
* MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG
* MINOR: tools: do not attempt to use backtrace() on linux without glibc
* BUILD: tools: only include execinfo.h for the real backtrace() function
* BUG/MINOR: cfgparse-global: fix allowed args number for setenv
* BUG/MINOR: server: make sure the HMAINT state is part of MAINT
* BUG/MEDIUM: cli: Deadlock when setting frontend maxconn
* BUG/MEDIUM: cli: Be sure to catch immediate client abort
* BUG/MINOR: mux-quic: report glitches to session
* REGTESTS: shorten a bit the delay for the h1/h2 upgrade test
* REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades
* BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
* MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
* BUG/MINOR: h2: reject extended connect for h2c protocol
* BUG/MINOR: h1: do not forward h2c upgrade header token
* MINOR: connection: No longer include stconn type header in connection-t.h
-------------------------------------------------------------------
Mon Sep 30 19:36:53 UTC 2024 - mrueckert@suse.de
- Update to version 3.0.5+git0.8e879a52e: (VUL-0: CVE-2024-49214 boo#1231612)
* [RELEASE] Released version 3.0.5
* BUG/MINOR: quic: prevent freeze after early QCS closure
* BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM
* MINOR: quic: implement function to check if STREAM is fully acked
* MINOR: quic: convert qc_stream_desc release field to flags
- Update to version 2.8.11+git0.01c1056a4:
VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server
(bsc#1233973)
* [RELEASE] Released version 2.8.11
* BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
* BUG/MEDIUM: promex: Wait to have the request before sending the response
* BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
* BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send
* DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
* BUG/MINOR: peers: local entries updates may not be advertised after resync
* BUG/MEDIUM: queue: implement a flag to check for the dequeuing
* BUG/MINOR: clock: validate that now_offset still applies to the current date
* BUG/MINOR: clock: make time jump corrections a bit more accurate
* BUG/MINOR: polling: fix time reporting when using busy polling
* MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
* BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
* BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established
* BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
* BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
* BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
* BUG/MEDIUM: clock: detect and cover jumps during execution
* REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
* DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
* BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only)
* BUG/MINOR: quic: Crash from trace dumping SSL eary data status (AWS-LC)
* BUG/MEDIUM: quic: always validate sender address on 0-RTT
* MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event.
* MINOR: quic: Implement qc_ssl_eary_data_accepted().
* MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct)
* BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder
* MINOR: quic: Token for future connections implementation.
* MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD
* MINOR: quic: Implement quic_tls_derive_token_secret().
* MINOR: tools: Implement ipaddrcpy().
* BUG/MEDIUM: clock: also update the date offset on time jumps
* BUILD: quic: 32bits build broken by wrong integer conversions for printf()
* BUG/MINOR: cfgparse-global: remove tune.fast-forward from common_kw_list
* DOC: config: correct the table for option tcplog
* BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
* BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
* BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
* BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full
* BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
* BUG/MEDIUM: clock: also update the date offset on time jumps
* DOC: config: correct the table for option tcplog
* BUG/MINOR: h3: properly reject too long header responses
* BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
* BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
@ -295,164 +39,71 @@ Mon Sep 30 19:36:53 UTC 2024 - mrueckert@suse.de
* BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
* BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
* BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
* DOC: configuration: fix alphabetical ordering of {bs,fs}.aborted
* BUG/MINOR: fcgi-app: handle a possible strdup() failure
* BUG/MEDIUM: peer: Notify the applet won't consume data when it waits for sync
* BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
* BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
* BUG/MEDIUM: http-ana: Report error on write error waiting for the response
* BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
* BUG/MEDIUM: ssl: 0-RTT initialized at the wrong place for AWS-LC
* BUG/MEDIUM: ssl: reactivate 0-RTT for AWS-LC
* BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect
* BUILD: mux-pt: Use the right name for the sedesc variable
* BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
* BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
* BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak
-------------------------------------------------------------------
Tue Sep 03 14:08:47 UTC 2024 - mrueckert@suse.de
- Update to version 3.0.4+git0.7a59afa93: (CVE-2024-45506 boo#1229993)
* [RELEASE] Released version 3.0.4
* BUG/MEDIUM: mux-pt: Fix condition to perform a shutdown for writes in mux_pt_shut()
* BUG/MINOR: Crash on O-RTT RX packet after dropping Initial pktns
* BUG/MINOR: quic: Too shord datagram during O-RTT handshakes (aws-lc only)
* BUG/MAJOR: mux-h2: always clear MUX_MFULL and DEM_MROOM when clearing the mbuf
* MINOR: mux-h2: try to clear DEM_MROOM and MUX_MFULL at more places
* BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
* BUG/MINOR: quic: unexploited retransmission cases for Initial pktns.
* BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
* BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown
* BUG/MINIR: proxy: Match on 429 status when trying to perform a L7 retry
* BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
* BUG/MEDIUM: mux-h2: Set ES flag when necessary on 0-copy data forwarding
* MINOR: proxy: Add support of 429-Too-Many-Requests in retry-on status
* DOC: quic: fix default minimal value for max window size
* MEDIUM: log: relax some checks and emit diag warnings instead in lf_expr_postcheck()
* Revert "MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface"
* BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
* MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
* BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
* MINOR: queue: add a function to check for TOCTOU after queueing
* MEDIUM: h1: allow to preserve keep-alive on T-E + C-L
* MINOR: quic: Add information to "show quic" for CUBIC cc.
* MINOR: quic: Dump TX in flight bytes vs window values ratio.
* BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
* BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
* MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface
* BUG/MINOR: quic: Non optimal first datagram.
* BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
* BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
* BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
* DOC: config: improve the http-keep-alive section
* DOC: configuration: issuers-chain-path not compatible with OCSP
* BUG/MAJOR: mux-h2: force a hard error upon short read with pending error
* BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
* DOC: install: don't reference removed CPU arg
* BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
* BUG/MINOR: session: Eval L4/L5 rules defined in the default section
* CLEANUP: quic: rename TID affinity elements
* CLEANUP: proto: rename TID affinity callbacks
* BUG/MEDIUM: quic: prevent crash on accept queue full
* BUILD: listener: silence a build warning about unused value without threads
* MINOR: proto: extend connection thread rebind API
-------------------------------------------------------------------
Thu Jul 11 14:57:46 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- refreshed patches:
haproxy-1.6.0-makefile_lib.patch
haproxy-1.6.0-sec-options.patch
-------------------------------------------------------------------
Thu Jul 11 14:56:11 UTC 2024 - mrueckert@suse.de
- Update to version 3.0.3+git0.95a607c4b:
* [RELEASE] Released version 3.0.3
* BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
* DEV: flags/quic: decode quic_conn flags
* BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
* BUG/MEDIUM: h1: Reject empty Transfer-encoding header
* BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
* BUG/MINOR: h1: Fail to parse empty transfer coding names
* BUG/MINOR: jwt: fix variable initialisation
* Revert "MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD"
* BUG/MEDIUM: peers: Fix crash when syncing learn state of a peer without appctx
* DOC: configuration: update maxconn description
* MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD
* BUG/MINOR: jwt: don't try to load files with HMAC algorithm
* BUG/MEDIUM: server: fix race on server_atomic_sync()
* MEDIUM: ssl: initialize the SSL stack explicitely
* DOC: configuration: more details about the master-worker mode
* BUG/MEDIUM: hlua/cli: Fix lua CLI commands to work with applet's buffers
* BUG/MINOR: promex: Remove Help prefix repeated twice for each metric
* BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
* BUG/MINOR: quic: fix race-condition on trace for CID retrieval
* BUG/MINOR: quic: fix race condition in qc_check_dcid()
* BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
* BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
* BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
* BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout or error
* MINOR: activity: make the memory profiling hash size configurable at build time
* BUG/MINOR: server: fix first server template name lookup UAF
* DOC: configuration: add details about crt-store in bind "crt" keyword
* BUG/MEDIUM: stick-table: Decrement the ref count inside lock to kill a session
* BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
* DEV: flags/show-fd-to-flags: adapt to recent versions
* BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
* BUG/MINOR: h3: fix BUG_ON() crash on control stream alloc failure
* BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
* BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
* DOC: api/event_hdl: small updates, fix an example and add some precisions
* SCRIPTS: git-show-backports: do not truncate git-show output
* BUG/MAJOR: quic: fix padding with short packets
* DOC: management: document ptr lookup for table commands
* DOC: configuration: fix alphabetical order of bind options
* BUG/MEDIUM: proxy: fix email-alert invalid free
* REGTESTS: ssl: fix some regtests 'feature cmd' start condition
* DEBUG: hlua: distinguish burst timeout errors from exec timeout errors
* BUG/MINOR: log: fix broken '+bin' logformat node option
-------------------------------------------------------------------
Sun Jun 16 06:44:56 UTC 2024 - andreas.stieger@gmx.de
- Update to version 3.0.2+git0.a45a8e623:
* [RELEASE] Released version 3.0.2
* DOC: management: rename show stats domain cli "dns" to "resolvers"
* DOC/MINOR: management: add -dZ option
* DOC/MINOR: management: add missed -dR and -dv options
* BUG/MINOR: quic: fix padding of INITIAL packets
* BUG/MAJOR: mux-h1: Prevent any UAF on H1 connection after draining a request
* CLEANUP: log/proxy: fix comment in proxy_free_common()
* BUG/MEDIUM: proxy: fix UAF with {tcp,http}checks logformat expressions
* MINOR: proxy: add proxy_free_common() helper function
* BUG/MINOR: promex: Skip resolvers metrics when there is no resolver section
* DOC: config: add missing context hint for new server and proxy keywords
* DOC: config: add missing section hint for "guid" proxy keyword
* DOC: config: move "hash-key" from proxy to server options
* BUG/MEDIUM: log: fix lf_expr_postcheck() behavior with default section
* BUG/MINOR: proxy: fix header_unique_id leak on deinit()
* BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
* BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
* BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
* BUG/MINOR: proxy: fix email-alert leak on deinit()
* BUG/MINOR: proxy: fix log_tag leak on deinit()
* BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
* MINOR: log: fix "http-send-name-header" ignore warning message
-------------------------------------------------------------------
Mon Jun 10 14:52:46 UTC 2024 - mrueckert@suse.de
- Update to version 3.0.1+git0.471a1b2f1:
* [RELEASE] Released version 3.0.1
* BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE flag
* BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego
* BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts
* BUG/MINOR: quic: ensure Tx buf is always purged
* BUG/MINOR: quic: fix computed length of emitted STREAM frames
* BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL
* [RELEASE] Released version 2.8.10
* BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
* BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
* BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
* BUG/MAJOR: server: do not delete srv referenced by session
* MINOR: session: rename private conns elements
* BUG/MEDIUM: quic: fix connection freeze on post handshake
* BUG/MEDIUM: server: fix dynamic servers initial settings
* BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
* BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during nego
* CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
* BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
* BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
@ -460,68 +111,185 @@ Mon Jun 10 14:52:46 UTC 2024 - mrueckert@suse.de
* BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
* CLEANUP: hlua: use hlua_pusherror() where relevant
* BUG/MINOR: quic: prevent crash on qc_kill_conn()
* BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be released
* MEDIUM: stconn: Be able to unblock zero-copy data forwarding from done_fastfwd
* BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
* BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
* DOC: configuration: add an example for keywords from crt-store
* BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
* BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
* BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
-------------------------------------------------------------------
Fri May 31 12:07:48 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- AppArmor: allow haproxy to read the files needed for the
"p post_mortem" support
-------------------------------------------------------------------
Wed May 29 14:00:25 UTC 2024 - mrueckert@suse.de
- Update to version 3.0.0+git0.5590ada47:
https://www.haproxy.com/blog/announcing-haproxy-3-0
https://www.mail-archive.com/haproxy@formilux.org/msg44993.html
-------------------------------------------------------------------
Mon Feb 26 19:55:05 UTC 2024 - mrueckert@suse.de
- Update to version 2.9.6+git0.9eafce5dc:
* [RELEASE] Released version 2.9.6
* BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
* BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
* BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
* CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
* BUILD: fd: errno is also needed without poll()
* CI: scripts: fix build of vtest regarding option -C
* REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
* DOC: config: fix incorrect section reference about custom log format
* DOC: quic: specify that connection migration is not supported
* BUG/MINOR: server: Don't reset resolver options on a new default-server line
* BUG/MINOR: http-htx: Support default path during scheme based normalization
* BUG/MINOR: quic: adjust restriction for stateless reset emission
* MEDIUM: config: prevent communication with privileged ports
* BUILD: quic: fix unused variable warning when threads are disabled
* BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
* BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
* BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
* BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
* DOC: configuration: update the crt-list documentation
* CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
* BUG/MINOR: stats: Don't state the 303 redirect response is chunked
* BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header
* BUG/MEDIUM: fd: prevent memory waste in fdtab array
* BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
* BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
* BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
* BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
* BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
* BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
* BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
* BUG/MINOR: log: smp_rgs array issues with inherited global log directives
* BUG/MINOR: log: keep the ref in dup_logger()
* MINOR: log: add dup_logsrv() helper function
* DOC: lua: fix filters.txt file location
* BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
* BUILD: clock: improve check for pthread_getcpuclockid()
* BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
* BUG/MINOR: h1: fix detection of upper bytes in the URI
* BUG/MINOR: backend: use cum_sess counters instead of cum_conn
* BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
* BUG/MINOR: sock: handle a weird condition with connect()
* BUG/MINOR: stconn: Fix sc_mux_strm() return value
* BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
* BUG/MINOR: server: fix slowstart behavior
* BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
* BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
* BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
* BUG/MEDIUM: evports: do not clear returned events list on signal
* BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
* BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
* MINOR: net_helper: Add support for floats/doubles.
* CI: revert kernel addr randomization introduced in 3a0fc864
* BUG/MEDIUM: peers/trace: fix crash when listing event types
* BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
* BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
* BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection
* CLEANUP: log: lf_text_len() returns a pointer not an integer
* BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
* BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
* BUG/MINOR: log: fix lf_text_len() truncate inconsistency
* BUG/MINOR: listener: always assign distinct IDs to shards
* BUG/MINOR: cli: Report an error to user if command or payload is too big
* [RELEASE] Released version 2.8.9
* BUILD: proxy: Replace free_logformat_list() to manually release log-format
* [RELEASE] Released version 2.8.8
* BUG/MINOR: proxy: fix logformat expression leak in use_backend rules
* BUG/MINOR: backend: properly handle redispatch 0
* BUG/MINOR: server: ignore 'enabled' for dynamic servers
* BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n
* MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
* MINOR: server: allow cookie for dynamic servers
* BUG/MINOR: server: fix persistence cookie for dynamic servers
* BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities
* BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message
* BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
* OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}
* BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
* BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet
* BUG/MEDIUM: ssl: Fix crash in ocsp-update log function
* BUG/MINOR: session: ensure conn owner is set after insert into session
* BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
* CI: temporarily adjust kernel entropy to work with ASAN/clang
* BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
* BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
* BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
* BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
* BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
* MINOR: hlua: use accessors for stream hlua ctx
* DEBUG: lua: precisely identify if stream is stuck inside lua or not
* BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()
* BUG/MINOR: hlua: missing lock in hlua_filter_new()
* BUG/MINOR: hlua: segfault when loading the same filter from different contexts
* BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
* DOC: configuration: clarify ciphersuites usage (V2)
* BUILD: solaris: fix compilation errors
* BUG/MINOR: cfgparse: report proper location for log-format-sd errors
* BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description
* CI: skip scheduled builds on forks
* BUG/MINOR: sink: fix a race condition in the TCP log forwarding code
* BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
* BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
* BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
* BUG/MINOR: hlua: improper lock usage in hlua_filter_new()
* BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()
* BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
* BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
* BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
* BUG/MINOR: tools: seed the statistical PRNG slightly better
* MINOR: hlua: Be able to disable logging from lua
* BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
* BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
* DOC: configuration: clarify ciphersuites usage
* LICENSE: http_ext: fix GPL license version
* LICENSE: event_hdl: fix GPL license version
* BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
* BUG/MINOR: ist: only store NUL byte on succeeded alloc
* BUG/MINOR: quic: fix output of show quic
* BUG/MAJOR: server: fix stream crash due to deleted server
* BUG/MINOR: stats: drop srv refcount on early release
* BUG/MINOR: ist: allocate nul byte on istdup
* MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
* DOC: quic: fix recommandation for bind on multiple address
* BUG/MEDIUM: quic: fix transient send error with listener socket
* BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
* BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
* BUG/MEDIUM: applet: Immediately free appctx on early error
* DOC: quic: Missing tuning setting in "Global parameters"
* BUG/MINOR: qpack: reject invalid dynamic table capacity
* BUG/MINOR: qpack: reject invalid increment count decoding
* BUG/MINOR: quic: reject HANDSHAKE_DONE as server
* BUG/MINOR: quic: reject unknown frame type
* BUG/MAJOR: promex: fix crash on deleted server
-------------------------------------------------------------------
Mon Feb 26 19:54:49 UTC 2024 - mrueckert@suse.de
- Update to version 2.9.5+git0.260dbb8a6:
* [RELEASE] Released version 2.9.5
* BUG/MEDIUM: mux-h2: Don't report error on SE for closed H2 streams
* BUG/MEDIUM: mux-h2: Don't report error on SE if error is only pending on H2C
* BUG/MEDIUM: mux-h2: Only Report H2C error on read error if demux buffer is empty
* BUG/MEDIUM: mux-h2: Switch pending error to error if demux buffer is empty
* MINOR: muxes/applet: Simplify checks on options to disable zero-copy forwarding
* BUG/MAJOR: stconn: Check support for zero-copy forwarding on both sides
* MINOR: muxes: Announce support for zero-copy forwarding on consumer side
* MINOR: stconn: Add SE flag to announce zero-copy forwarding on consumer side
* MINOR: stconn: Rename SE_FL_MAY_FASTFWD and reorder bitfield
* CLEANUP: stconn: Move SE flags set by app layer at the end of the bitfield
* BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
* BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
* MINOR: connection: add sample fetches to report per-connection glitches
* MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
* MINOR: connection: add a new mux_ctl to report number of connection glitches
* MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
* MINOR: mux-h2: always use h2c_report_glitch()
* MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
* MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
* BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control
* MINOR: mux-h2: add a counter of "glitches" on a connection
* [RELEASE] Released version 2.8.7
* BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
* [RELEASE] Released version 2.8.6
* DEV: makefile: fix POSIX compatibility for "range" target
* DEV: makefile: add a new "range" target to iteratively build all commits
* CI: Update to actions/cache@v4
* DOC: internal: update missing data types in peers-v2.0.txt
* DOC: install: recommend pcre2
* DOC: httpclient: add dedicated httpclient section
* DOC: configuration: clarify http-request wait-for-body
* BUILD: address a few remaining calloc(size, n) cases
* BUG/MINOR: ext-check: cannot use without preserve-env
* MINOR: ext-check: add an option to preserve environment variables
* BUG/MINOR: diag: run the final diags before quitting when using -c
* BUG/MINOR: diag: always show the version before dumping a diag warning
* MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
* MINOR: quic: Add a counter for reordered packets
* MINOR: quic: Dynamic packet reordering threshold
* MINOR: quic: Update K CUBIC calculation (RFC 9438)
* BUG/MEDIUM: quic: Wrong K CUBIC calculation.
* MINOR: quic: Stop using 1024th of a second.
* BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
* CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
* BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
* BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
* BUG/MEDIUM: qpack: allow 6xx..9xx status codes
* BUG/MEDIUM: h3: do not crash on invalid response status code
* MINOR: h3: add traces for stream sending function
* BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
* MINOR: quic: extract qc_stream_buf free in a dedicated function
* MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
* CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
* BUG/MEDIUM: mux-quic: report early error on stream
* BUG/MINOR: h3: fix checking on NULL Tx buffer
* BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
* BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
* BUILD: address a few remaining calloc(size, n) cases
* CI: Update to actions/cache@v4
* BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
* BUG/MINOR: vars/cli: fix missing LF after "get var" output
* DOC: internal: update missing data types in peers-v2.0.txt
* DOC: config: fix misplaced "bytes_{in,out}"
* DOC: config: fix typos for "bytes_{in,out}"
* DOC: config: fix misplaced "txn.conn_retries"
* DOC: install: recommend pcre2
* REGTESTS: ssl: Add OCSP related tests
* REGTESTS: ssl: Fix empty line in cli command input
* BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
@ -530,143 +298,54 @@ Mon Feb 26 19:54:49 UTC 2024 - mrueckert@suse.de
* MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
* BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
* BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
* BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
* BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
* BUG/MEDIUM: h1: always reject the NUL character in header values
* BUG/MINOR: h1-htx: properly initialize the err_pos field
* BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
* BUG/MINOR: h1: Don't support LF only at the end of chunks
* BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
* BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
* BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
* BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
* BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
* BUG/MINOR: vars/cli: fix missing LF after "get var" output
* BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
* REGTESTS: add a test to ensure map-ordering is preserved
* MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
* BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
* MINOR: mux-h2/traces: clarify the "rejected H2 request" event
* MINOR: mux-h2/traces: explicitly show the error/refused stream states
* MINOR: mux-h2/traces: also suggest invalid header upon parsing error
* MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
* BUILD: debug: remove leftover parentheses in ABORT_NOW()
* MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
* MINOR: debug: make sure calls to ha_crash_now() are never merged
* MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
* MINOR: quic: Stop using 1024th of a second.
* BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
* CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
* BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
* BUILD: quic: Variable name typo inside a BUG_ON().
* BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
* BUG/MINOR: diag: run the final diags before quitting when using -c
* BUG/MINOR: diag: always show the version before dumping a diag warning
-------------------------------------------------------------------
Mon Feb 26 19:54:25 UTC 2024 - mrueckert@suse.de
- Update to version 2.9.4+git0.4e071ad92:
* [RELEASE] Released version 2.9.4
* BUG/MEDIUM: h1: always reject the NUL character in header values
* BUG/MINOR: h1-htx: properly initialize the err_pos field
* DOC: httpclient: add dedicated httpclient section
* BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
* BUG/MINOR: h1: Don't support LF only at the end of chunks
* BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
* BUG/MEDIUM: qpack: allow 6xx..9xx status codes
* BUG/MEDIUM: h3: do not crash on invalid response status code
* MINOR: h3: add traces for stream sending function
* BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
* DOC: configuration: clarify http-request wait-for-body
* BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
* MINOR: quic: extract qc_stream_buf free in a dedicated function
* MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
* CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
* BUG/MINOR: quic: newreno QUIC congestion control algorithm no more available
* BUG/MEDIUM: cache: Fix crash when deleting secondary entry
* BUG/MINOR: hlua: fix uninitialized var in hlua_core_get_var()
* BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
* BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
* MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
* BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
* DOC: configuration: fix set-dst in actions keywords matrix
* BUG/MINOR: h3: fix checking on NULL Tx buffer
-------------------------------------------------------------------
Sun Feb 4 22:52:43 UTC 2024 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Set /run/haproxy as the default PID file and socket location
Adds haproxy-service.patch
- Allow custom stats socket names
-------------------------------------------------------------------
Wed Jan 24 13:40:54 UTC 2024 - varkoly@suse.com
- Update to version 2.9.3+git0.de3ab549a:
* [RELEASE] Released version 2.9.3
* BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
* BUG/MINOR: mux-h2: also count streams for refused ones
* BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control
* BUILD: quic: missing include for quic_tp
* [RELEASE] Released version 2.9.2
* DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay
* REGTESTS: add a test to ensure map-ordering is preserved
* BUG/MINOR: map: list-based matching potential ordering regression
* CLEANUP: quic: Double quic_dgram_parse() prototype declaration.
* MINOR: ssl: Update ssl_fc_curve/ssl_bc_curve to use SSL_get0_group_name
* MINOR: ot: logsrv struct becomes logger
* MINOR: mux-h2: support limiting the total number of H2 streams per connection
* BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
* BUG/MEDIUM: stconn: Set fsb date if zero-copy forwarding is blocked during nego
* BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
* BUG/MEDIUM: h3: fix incorrect snd_buf return value
* BUILD: quic: Missing quic_ssl.h header protection
* CLEANUP: quic: Remaining useless code into server part
* REGTESTS: check attach-srv out of order declaration
* MINOR: debug: add features and build options to "show dev"
* MINOR: global: export a way to list build options
* CI: use semantic version compare for determing "latest" OpenSSL
* BUG/MINOR: h3: disable fast-forward on buffer alloc failure
* BUG/MINOR: h3: close connection on sending alloc errors
* BUG/MINOR: h3: properly handle alloc failure on finalize
* MINOR: h3: add traces for connection init stage
* BUG/MINOR: h3: close connection on header list too big
* MINOR: h3: check connection error during sending
* BUG/MINOR: quic: Missing call to TLS message callbacks
* BUG/MINOR: quic: Wrong keylog callback setting.
* BUG/MINOR: mux-quic: disable fast-fwd if connection on error
* BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
* DOC: fix typo for fastfwd QUIC option
* BUG/MINOR: server/event_hdl: propagate map port info through inetaddr event
* MINOR: server/event_hdl: update _srv_event_hdl_prepare_inetaddr prototype
* MINOR: server/event_hdl: add server_inetaddr struct to facilitate event data usage
* BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
* MINOR: stats: store the parent proxy in stats ctx (http)
* BUG/MAJOR: stconn: Disable zero-copy forwarding if consumer is shut or in error
* BUG/MINOR: server: Use the configured address family for the initial resolution
* DOC: config: Update documentation about local haproxy response
* BUG/MINOR: resolvers: default resolvers fails when network not configured
-------------------------------------------------------------------
Fri Dec 15 15:15:07 UTC 2023 - varkoly@suse.com
- Update to version 2.9.1+git0.f72603ceb:
* [RELEASE] Released version 2.9.1
* DOC: config: also add arguments to the converters in the table
* DOC: config: add arguments to sample fetch methods in the table
* BUG/MEDIUM: mux-quic: report early error on stream
* BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
* CLEANUP: mux-h1: Fix a trace message about C-L header addition
* BUG/MEDIUM: mux-h1: Explicitly skip request's C-L header if not set originally
* BUG/MEDIUM: mux-h1: Cound data from input buf during zero-copy forwarding
* BUG/MEDIUM: stconn: Block zero-copy forwarding if EOS/ERROR on consumer side
* BUG/MEDIUM: quic: QUIC CID removed from tree without locking
* MINOR: version: mention that it's stable now
* BUG/MINOR: ext-check: cannot use without preserve-env
* BUG/MEDIUM: map/acl: pat_ref_{set,delete}_by_id regressions
* BUILD: ssl: update types in wolfssl cert selection callback
* BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
* BUG/MINOR: mworker/cli: fix set severity-output support
* DOC: configuration: typo req.ssl_hello_type
* BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
* BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
* MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
* BUG/MINOR: ssl: Double free of OCSP Certificate ID
-------------------------------------------------------------------
Mon Dec 11 09:20:20 UTC 2023 - Dirk Müller <dmueller@suse.com>
- Update to version 2.9.0+git0.fddb8c13b:
new major branch:
https://www.haproxy.com/blog/announcing-haproxy-2-9
https://www.mail-archive.com/haproxy@formilux.org/msg44400.html
-------------------------------------------------------------------
Thu Dec 07 14:28:36 UTC 2023 - mrueckert@suse.de
- Update to version 2.8.5+git0.aaba8d090:
* [RELEASE] Released version 2.8.5
* BUG/MEDIUM: proxy: always initialize the default settings after init
* BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
@ -712,11 +391,6 @@ Thu Dec 07 14:28:36 UTC 2023 - mrueckert@suse.de
* BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
* BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
* BUG/MAJOR: quic: complete thread migration before tcp-rules
-------------------------------------------------------------------
Fri Nov 24 11:31:13 UTC 2023 - mrueckert@suse.de
- Update to version 2.8.4+git0.a4ebf9d3b:
* [RELEASE] Released version 2.8.4
* BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends
* BUG/MINOR: stconn/applet: Report send activity only if there was output data

24
haproxy.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package haproxy
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
# Please submit bugfixes or comments via http://bugs.opensuse.org/
%bcond_with quic
%if 0%{?suse_version} >= 1230
@ -46,14 +46,12 @@
%if 0%{?suse_version} >= 1500
%bcond_without sysusers
%bcond_without tmpfiles
%else
%bcond_with sysusers
%bcond_with tmpfiles
%endif
Name: haproxy
Version: 3.1.3+git0.929bedf83
Version: 2.8.11+git0.01c1056a4
Release: 0
#
#
@ -98,11 +96,9 @@ Source2: usr.sbin.haproxy.apparmor
Source3: local.usr.sbin.haproxy.apparmor
Source4: haproxy.cfg
Source5: haproxy-user.conf
Source6: haproxy-tmpfiles.conf
Patch1: haproxy-1.6.0_config_haproxy_user.patch
Patch2: haproxy-1.6.0-makefile_lib.patch
Patch3: haproxy-1.6.0-sec-options.patch
Patch4: haproxy-service.patch
#
Source98: series
Source99: haproxy-rpmlintrc
@ -199,9 +195,6 @@ ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name}
%if %{with sysusers}
install -D -m 644 %{SOURCE5} %{buildroot}%{_sysusersdir}/haproxy-user.conf
%endif
%if %{with tmpfiles}
install -D -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/%{name}.conf
%endif
%else
install -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
@ -231,11 +224,6 @@ rm examples/*init*
%if %{with apparmor} && %{with apparmor_reload}
%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
%endif
%if %{with systemd}
%if %{with tmpfiles}
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
%endif
%endif
%service_add_post %{pkg_name}.service
%preun
@ -270,7 +258,7 @@ getent passwd %{pkg_name} >/dev/null || \
%files
%defattr(-,root,root,-)
%license LICENSE
%doc CHANGELOG README.md
%doc CHANGELOG README
%doc doc/* examples/
%doc admin/netsnmp-perl/ admin/selinux/
%dir %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
@ -280,10 +268,6 @@ getent passwd %{pkg_name} >/dev/null || \
%if %{with sysusers}
%{_sysusersdir}/haproxy-user.conf
%endif
%if %{with tmpfiles}
%{_tmpfilesdir}/%{name}.conf
%dir %ghost %{_rundir}/%{name}
%endif
%else
%config(noreplace) %{_sysconfdir}/init.d/%{pkg_name}
%endif

1
series
View File

@ -1,4 +1,3 @@
haproxy-1.6.0_config_haproxy_user.patch
haproxy-1.6.0-makefile_lib.patch
haproxy-1.6.0-sec-options.patch
haproxy-service.patch

21
usr.sbin.haproxy.apparmor
View File

@ -28,30 +28,13 @@ profile haproxy /usr/sbin/haproxy {
/dev/shm/haproxy_startup_logs_* rwlk,
# old stats socket location, for compatibility
/var/lib/haproxy/stats rwl,
/var/lib/haproxy/stats.*.bak rwl,
/var/lib/haproxy/stats.*.tmp rwl,
# new stats socket location
/run/haproxy/stats*.sock{,*.{bak,tmp}} rwl,
/{,var/}run/haproxy.pid rw,
/{,var/}run/haproxy-master.sock* rwlk,
/{,var/}run/haproxy/pid rw,
/{,var/}run/haproxy/master.sock* rwlk,
# This is for the additional debug output in haproxy >= 2.9
# can be accessed with "p post_mortem" in gdb
/sys/devices/system/node/ r,
/sys/devices/system/node/*/cpumap r,
/sys/devices/system/cpu/online r,
/sys/class/dmi/id/sys_vendor r,
/sys/class/dmi/id/product_family r,
/sys/class/dmi/id/product_name r,
/sys/class/dmi/id/board_vendor r,
/sys/firmware/devicetree/base/model r,
/sys/class/dmi/id/board_name r,
/proc/2/status r,
/proc/cpuinfo r,
# end of debug.c files
# Site-specific additions and overrides. See local/README for details.
#include if exists <local/haproxy>