From a1fc63cf965eacab9edae3535c01f033c8c71fcf293efc956b68dc855b1a334c Mon Sep 17 00:00:00 2001 
From: Marcus Rueckert Date: Tue, 26 Nov 2024 18:43:12 +0000 Subject: [PATCH] https://www.mail-archive.com/haproxy@formilux.org/msg45435.html OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=316 --- .gitattributes | 23 + .gitignore | 1 + _service | 21 + _servicedata | 6 + haproxy-1.6.0-makefile_lib.patch | 22 + haproxy-1.6.0-sec-options.patch | 46 + haproxy-1.6.0_config_haproxy_user.patch | 101 + haproxy-3.0.2+git0.a45a8e623.tar.gz | 3 + haproxy-3.0.3+git0.95a607c4b.tar.gz | 3 + haproxy-3.0.4+git0.7a59afa93.tar.gz | 3 + haproxy-3.0.6+git0.c2c009086.tar.gz | 3 + haproxy-3.1.0+git0.f2b97918e.tar.gz | 3 + haproxy-rpmlintrc | 2 + haproxy-service.patch | 11 + haproxy-tmpfiles.conf | 1 + haproxy-user.conf | 3 + haproxy.cfg | 34 + haproxy.changes | 7575 +++++++++++++++++++++++ haproxy.init | 247 + haproxy.spec | 308 + local.usr.sbin.haproxy.apparmor | 1 + series | 4 + usr.sbin.haproxy.apparmor | 59 + 23 files changed, 8480 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 haproxy-1.6.0-makefile_lib.patch create mode 100644 haproxy-1.6.0-sec-options.patch create mode 100644 haproxy-1.6.0_config_haproxy_user.patch create mode 100644 haproxy-3.0.2+git0.a45a8e623.tar.gz create mode 100644 haproxy-3.0.3+git0.95a607c4b.tar.gz create mode 100644 haproxy-3.0.4+git0.7a59afa93.tar.gz create mode 100644 haproxy-3.0.6+git0.c2c009086.tar.gz create mode 100644 haproxy-3.1.0+git0.f2b97918e.tar.gz create mode 100644 haproxy-rpmlintrc create mode 100644 haproxy-service.patch create mode 100644 haproxy-tmpfiles.conf create mode 100644 haproxy-user.conf create mode 100644 haproxy.cfg create mode 100644 haproxy.changes create mode 100644 haproxy.init create mode 100644 haproxy.spec create mode 100644 local.usr.sbin.haproxy.apparmor create mode 100644 series create mode 100644 usr.sbin.haproxy.apparmor 
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..bbc10c0
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ http://git.haproxy.org/git/haproxy-3.1.git/
+ git
+ haproxy
+ @PARENT_TAG@+git@TAG_OFFSET@.%h
+ v(.*)
+ \1
+ v3.1.0
+ enable
+
+
+
+ haproxy*.tar
+ gz
+
+
+
+ haproxy
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..cf75821
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,6 @@
+
+
+ http://git.haproxy.org/git/haproxy-3.1.git/
+ f2b97918e80b2f4df1da751a44fe6e323c6e4b9e
+
+
diff --git a/haproxy-1.6.0-makefile_lib.patch b/haproxy-1.6.0-makefile_lib.patch
new file mode 100644
index 0000000..652f4c1
--- /dev/null
+++ b/haproxy-1.6.0-makefile_lib.patch
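Review bot: The source URL in `_service` is `http://git.haproxy.org/git/haproxy-3.1.git/`, so the upstream tree that ends up in the tarball is fetched over plain HTTP with nothing authenticating the server. The `v3.1.0` revision is a tag name resolved by whoever answers that request, and the commit id in `_servicedata` only records what was fetched, so neither detects a substituted tree. If the host serves it, use `https://git.haproxy.org/git/haproxy-3.1.git/` here and in the matching `_servicedata` entry.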
@@ -0,0 +1,22 @@
+Index: haproxy-3.0/Makefile
+===================================================================
+--- haproxy-3.0.orig/Makefile
++++ haproxy-3.0/Makefile
+@@ -784,7 +784,7 @@ ifneq ($(USE_PCRE:0=)$(USE_STATIC_PCRE:0
+ PCREDIR := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo /usr/local)
+ ifneq ($(PCREDIR),)
+ PCRE_INC := $(PCREDIR)/include
+- PCRE_LIB := $(PCREDIR)/lib
++ PCRE_LIB := $(PCREDIR)/$(LIB)
+ endif
+
+ PCRE_CFLAGS := $(if $(PCRE_INC),-I$(PCRE_INC))
+@@ -802,7 +802,7 @@ ifneq ($(USE_PCRE2:0=)$(USE_STATIC_PCRE2
+ PCRE2DIR := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo /usr/local)
+ ifneq ($(PCRE2DIR),)
+ PCRE2_INC := $(PCRE2DIR)/include
+- PCRE2_LIB := $(PCRE2DIR)/lib
++ PCRE2_LIB := $(PCRE2DIR)/$(LIB)
+
+ ifeq ($(PCRE2_WIDTH),)
+ PCRE2_WIDTH = 8
diff --git a/haproxy-1.6.0-sec-options.patch b/haproxy-1.6.0-sec-options.patch
new file mode 100644
index 0000000..3bbbee7
--- /dev/null
+++ b/haproxy-1.6.0-sec-options.patch
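Review bot: `$(LIB)` is used in both replaced lines (`PCRE_LIB := $(PCREDIR)/$(LIB)` and `PCRE2_LIB := $(PCRE2DIR)/$(LIB)`) but nothing in these hunks assigns it, so a build that does not pass `LIB=` on the make command line gets a library path of `$(PCREDIR)/` instead of the old `lib` directory. The patch also has no description; a header line such as `# SUSE: honour the distribution libdir; the spec must pass LIB=%{_lib}` would record that dependency, assuming the spec (not visible on this page) does pass it. Both `ifneq` blocks start and end outside the hunks.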
@@ -0,0 +1,46 @@
+commit 88413472b09e2ecd4ad2b4a00992184c14d5723c
+Author: Kristoffer Gronlund
+Date: Mon Jun 17 13:00:08 2019 +0000
+
+ SUSE: Makefile sec options
+
+Index: haproxy-3.0/Makefile
+===================================================================
+--- haproxy-3.0.orig/Makefile
++++ haproxy-3.0/Makefile
+@@ -887,6 +887,35 @@ ifneq ($(TRACE),)
+ COPTS += -finstrument-functions
+ endif
+
++# PIE
++ifneq ($(USE_PIE),)
++OPTIONS_CFLAGS += -DUSE_PIE
++BUILD_OPTIONS += $(call ignore_implicit,USE_PIE)
++OPTIONS_LDFLAGS += -pie
++# still need to figure out how to express this conditional in the makefile
++# %ifarch s390 s390x %sparc
++# PIEFLAGS="-fPIE"
++# %else
++# PIEFLAGS="-fpie"
++# %endif
++# PIE_FLAGS.s390 = -fPIE
++# PIE_FLAGS.i386 = -fpie
++# SEC_FLAGS += $(PIE_FLAGS.$(ARCH))
++OPTIONS_CFLAGS += -fpie
++endif
++
++ifneq ($(USE_STACKPROTECTOR),)
++OPTIONS_CFLAGS += -DUSE_STACKPROTECTOR
++BUILD_OPTIONS += $(call ignore_implicit,USE_STACKPROTECTOR)
++OPTIONS_CFLAGS += -fstack-protector
++endif
++
++ifneq ($(USE_RELRO_NOW),)
++OPTIONS_CFLAGS += -DUSE_RELRO_NOW
++BUILD_OPTIONS += $(call ignore_implicit,USE_RELRO_NOW)
++OPTIONS_LDFLAGS += -Wl,-z,relro,-z,now
++endif
++
+ #### Global link options
+ # These options are added at the end of the "ld" command line. Use LDFLAGS to
+ # add options at the beginning of the "ld" command line if needed.
diff --git a/haproxy-1.6.0_config_haproxy_user.patch b/haproxy-1.6.0_config_haproxy_user.patch
new file mode 100644
index 0000000..49d1465
--- /dev/null
+++ b/haproxy-1.6.0_config_haproxy_user.patch
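Review bot: The USE_STACKPROTECTOR block adds plain `-fstack-protector`, which only instruments functions the compiler considers at risk (mainly those with character arrays), so much of the code stays without a canary; `OPTIONS_CFLAGS += -fstack-protector-strong` is the usual distribution setting where the compiler supports it. All three guards are written `ifneq ($(USE_PIE),)`, which is also true for `USE_PIE=0`, while the Makefile's own convention visible in the PCRE hunks of this commit is `$(USE_PCRE:0=)`; `ifneq ($(USE_PIE:0=),)` (and the same for USE_STACKPROTECTOR and USE_RELRO_NOW) keeps `=0` meaning off. The commented-out `%ifarch` lines are spec-file syntax inside a Makefile; one comment such as `# TODO: s390, s390x and sparc need -fPIE instead of -fpie` would state the open issue more clearly.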
@@ -0,0 +1,101 @@
+Index: haproxy-2.6/examples/content-sw-sample.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/content-sw-sample.cfg
++++ haproxy-2.6/examples/content-sw-sample.cfg
+@@ -11,9 +11,9 @@ global
+ maxconn 10000
+ stats socket /var/run/haproxy.stat mode 600 level admin
+ log 127.0.0.1 local0
+- uid 200
+- gid 200
+- chroot /var/empty
++ user haproxy
++ group haproxy
++ chroot /var/lib/haproxy
+ daemon
+
+ # The public 'www' address in the DMZ
+Index: haproxy-2.6/examples/option-http_proxy.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/option-http_proxy.cfg
++++ haproxy-2.6/examples/option-http_proxy.cfg
+@@ -9,6 +9,9 @@ global
+ uid 200
+ gid 200
+ chroot /var/empty
++ chroot /var/lib/haproxy
++ user haproxy
++ group haproxy
+ daemon
+
+ frontend test-proxy
+Index: haproxy-2.6/examples/transparent_proxy.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/transparent_proxy.cfg
++++ haproxy-2.6/examples/transparent_proxy.cfg
+@@ -6,6 +6,10 @@
+ #
+
+ global
++ chroot /var/lib/haproxy
++ user haproxy
++ group haproxy
++
+ defaults
+ timeout client 30s
+ timeout server 30s
+Index: haproxy-2.6/examples/basic-config-edge.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/basic-config-edge.cfg
++++ haproxy-2.6/examples/basic-config-edge.cfg
+@@ -15,7 +15,7 @@ global
+ zero-warning
+
+ # Security hardening: isolate and drop privileges
+- chroot /var/empty
++ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
+
+Index: haproxy-2.6/examples/quick-test.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/quick-test.cfg
++++ haproxy-2.6/examples/quick-test.cfg
+@@ -3,6 +3,9 @@
+
+ global
+ strict-limits # refuse to start if insufficient FDs/memory
++ user haproxy
++ group haproxy
++ chroot /var/lib/haproxy
+ # add some process-wide tuning here if required
+
+ # A stats socket may be added to check live metrics if the load generators
+Index: haproxy-2.6/examples/socks4.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/socks4.cfg
++++ haproxy-2.6/examples/socks4.cfg
+@@ -2,6 +2,9 @@ global
+ log /dev/log local0
+ log /dev/log local1 notice
+ stats timeout 30s
++ user haproxy
++ group haproxy
++ chroot /var/lib/haproxy
+
+ defaults
+ log global
+Index: haproxy-2.6/examples/wurfl-example.cfg
+===================================================================
+--- haproxy-2.6.orig/examples/wurfl-example.cfg
++++ haproxy-2.6/examples/wurfl-example.cfg
+@@ -5,6 +5,9 @@
+ #
+
+ global
++ user haproxy
++ group haproxy
++ chroot /var/lib/haproxy
+
+ # The WURFL data file
+ wurfl-data-file /usr/share/wurfl/wurfl.zip
diff --git a/haproxy-3.0.2+git0.a45a8e623.tar.gz b/haproxy-3.0.2+git0.a45a8e623.tar.gz
new file mode 100644
index 0000000..50f3bfd
--- /dev/null
+++ b/haproxy-3.0.2+git0.a45a8e623.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:070870d42c1a76bc925fd0b4541a92a750c5af861014905e57db2b904f465c46
+size 4822140
diff --git a/haproxy-3.0.3+git0.95a607c4b.tar.gz b/haproxy-3.0.3+git0.95a607c4b.tar.gz
new file mode 100644
index 0000000..856dae3
--- /dev/null
+++ b/haproxy-3.0.3+git0.95a607c4b.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:467c8b85b0b4b1b0eeb7f4893621e1717767083156ba49fcd531cbe815e179eb
+size 4824237
diff --git a/haproxy-3.0.4+git0.7a59afa93.tar.gz b/haproxy-3.0.4+git0.7a59afa93.tar.gz
new file mode 100644
index 0000000..66871ab
--- /dev/null
+++ b/haproxy-3.0.4+git0.7a59afa93.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:34d7ba5f03b2b7f75aec659c77a75717a5f7535bb2ae70ac18c9142adb9481e1
+size 4831532
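Review bot: In the `examples/option-http_proxy.cfg` hunk the new `chroot /var/lib/haproxy`, `user haproxy` and `group haproxy` lines are added below the existing `uid 200`, `gid 200` and `chroot /var/empty` context lines instead of replacing them as the `content-sw-sample.cfg` hunk does, so the patched example carries two conflicting sets of privilege-drop directives. That hunk should remove the old lines (`- uid 200`, `- gid 200`, `- chroot /var/empty`). Separately, these hunks point the chroot at `/var/lib/haproxy`, which `haproxy-user.conf` in this commit also declares as the account's home directory; a chroot only isolates well when the unprivileged user cannot write to it, so the directory's ownership and mode (set outside this page, presumably in the spec) are worth confirming.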
diff --git a/haproxy-3.0.6+git0.c2c009086.tar.gz b/haproxy-3.0.6+git0.c2c009086.tar.gz
new file mode 100644
index 0000000..a341904
--- /dev/null
+++ b/haproxy-3.0.6+git0.c2c009086.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e7db7543b2d1e6c1743a64d2b62621bf9d838a3e33cb24d548f0aad79566898a
+size 4853017
diff --git a/haproxy-3.1.0+git0.f2b97918e.tar.gz b/haproxy-3.1.0+git0.f2b97918e.tar.gz
new file mode 100644
index 0000000..d856546
--- /dev/null
+++ b/haproxy-3.1.0+git0.f2b97918e.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c19bd74bcea4f4f6c7e1bcf16e5a7e4342ebcfabe23852ebd147c41c46c94408
+size 5036386
diff --git a/haproxy-rpmlintrc b/haproxy-rpmlintrc
new file mode 100644
index 0000000..662d246
--- /dev/null
+++ b/haproxy-rpmlintrc
@@ -0,0 +1,2 @@
+addFilter('wrong-file-end-of-line-encoding .*/examples/errorfiles/.*\.http$')
+addFilter('file-contains-current-date /usr/share/doc/packages/haproxy/examples/haproxy.spec')
diff --git a/haproxy-service.patch b/haproxy-service.patch
new file mode 100644
index 0000000..f4cc91a
--- /dev/null
+++ b/haproxy-service.patch
@@ -0,0 +1,11 @@
+--- a/admin/systemd/haproxy.service.in 2024-01-18 15:32:19.000000000 +0100
++++ b/admin/systemd/haproxy.service.in 2024-02-04 23:58:30.873980359 +0100
+@@ -6,7 +6,7 @@
+ [Service]
+ EnvironmentFile=-/etc/default/haproxy
+ EnvironmentFile=-/etc/sysconfig/haproxy
+-Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
++Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/pid" "EXTRAOPTS=-S /run/haproxy/master.sock"
+ ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
+ ExecReload=@SBINDIR@/haproxy -Ws -f $CONFIG -c $EXTRAOPTS
+ ExecReload=/bin/kill -USR2 $MAINPID
diff --git a/haproxy-tmpfiles.conf b/haproxy-tmpfiles.conf
new file mode 100644
index 0000000..c53bd36
--- /dev/null
+++ b/haproxy-tmpfiles.conf
@@ -0,0 +1 @@
+D /run/haproxy 0750 root haproxy
diff --git a/haproxy-user.conf b/haproxy-user.conf
new file mode 100644
index 0000000..1d72a75
--- /dev/null
+++ b/haproxy-user.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+u haproxy - "User for haproxy" /var/lib/haproxy
+
diff --git a/haproxy.cfg b/haproxy.cfg
new file mode 100644
index 0000000..857de94
--- /dev/null
+++ b/haproxy.cfg
@@ -0,0 +1,34 @@
+global
+ log /dev/log daemon
+ maxconn 32768
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
+ daemon
+ stats socket /run/haproxy/stats.sock user haproxy group haproxy mode 0640 level operator
+ tune.bufsize 32768
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+defaults
+ log global
+ mode http
+ option log-health-checks
+ option log-separate-errors
+ option dontlog-normal
+ option dontlognull
+ option httplog
+ option socket-stats
+ retries 3
+ option redispatch
+ maxconn 10000
+ timeout connect 5s
+ timeout client 50s
+ timeout server 450s
+
+listen stats
+ bind 0.0.0.0:80
+ bind :::80 v6only
+ stats enable
+ stats uri /
+ stats refresh 5s
diff --git a/haproxy.changes b/haproxy.changes
new file mode 100644
index 0000000..4db5144
--- /dev/null
+++ b/haproxy.changes
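Review bot: The `listen stats` section binds `0.0.0.0:80` and `:::80` with `stats enable` and `stats uri /` but has no `stats auth` line or ACL, so a default install serves the statistics page to anyone who can reach port 80. Binding the shipped default to loopback, `bind 127.0.0.1:80` and `bind ::1:80 v6only`, or requiring the admin to fill in a `stats auth` line before the section is active, would make that exposure an explicit choice. In `global`, `ssl-default-bind-ciphers` starts from `ALL` and subtracts, which as written still admits CBC-mode and non-forward-secret RSA key-exchange suites; an explicit ECDHE/AEAD allow-list would be a tighter packaged default.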
@@ -0,0 +1,7575 @@ +------------------------------------------------------------------- +Tue Nov 26 14:57:39 UTC 2024 - mrueckert@suse.de + +- Update to version 3.1.0+git0.f2b97918e: + https://www.mail-archive.com/haproxy@formilux.org/msg45435.html + https://www.haproxy.com/blog/announcing-haproxy-3-1 + +------------------------------------------------------------------- +Thu Nov 07 18:40:53 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.6+git0.c2c009086: + * [RELEASE] Released version 3.0.6 + * MINOR: debug: move the "recover now" warn message after the optional notes + * BUILD: Missing inclusion header for ssize_t type + * BUILD: debug: also declare strlen() in __ABORT_NOW() + * DEBUG: wdt: add a stats counter "BlockedTrafficWarnings" in show info + * DEBUG: wdt: make the blocked traffic warning delay configurable + * DEBUG: cli: make it possible for "debug dev loop" to trigger warnings + * DEBUG: wdt: better detect apparently locked up threads and warn about them + * MINOR: debug: add a function to dump a stuck thread + * MINOR: wdt: move the local timers to a struct + * MINOR: debug: remove the redundant process.thread_info array from post_mortem + * MINOR: debug: also add fdtab and acitvity to struct post_mortem + * MINOR: debug: also add a pointer to struct global to post_mortem + * MINOR: debug: do not limit backtraces to stuck threads + * MINOR: debug: print gdb hints when crashing + * MINOR: connection: add new sample fetch functions fc_err_name and bc_err_name + * MINOR: rawsock: set connection error codes when returning from recv/send/splice + * MINOR: connection: add more connection error codes to cover common errno + * BUG/MINOR: stats: Fix the name for the total number of streams created + * MINOR: stream/stats: Expose the total number of streams ever created in stats + * MINOR: stream/stats: Expose the current number of streams in stats + * MINOR: cli/debug: show dev: add cmdline and version + * BUG/MINOR: quic: fix malformed probing packet 
building + * CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry + * DOC: config: document connection error 44 (reverse connect failure) + * BUG/MEDIUM: promex: Fix dump of extra counters + * MINOR: stream: Save last evaluated rule on invalid yield + * BUG/MINOR: http-ana: Report internal error if an action yields on a final eval + * BUG/MEDIUM: mux-h1: Fix how timeouts are applied on H1 connections + * DOC: config: add missing glitch_{cnt,rate} sample definitions + * DOC: config: add missing glitch_{cnt,rate} data types + * BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly + * BUG/MINOR: trace: stop rewriting argv with -dt + * MINOR: cli: remove non-printable characters from 'debug dev fd' + * MINOR: debug: store important pointers in post_mortem + * MINOR: debug: place the post_mortem struct in its own section. + * MINOR: debug: place a magic pattern at the beginning of post_mortem + * MINOR: pools: export the pools variable + * BUILD: debug: silence a build warning with threads disabled + * BUG/MEDIUM: server: fix race on servers_list during server deletion + * BUG/MINOR: stconn: Don't disable 0-copy FF if EOS was reported on consumer side + * BUG/MINOR: http-ana: Fix wrong client abort reports during responses forwarding + * BUG/MEDIUM: stconn: Report blocked send if sends are blocked by an error + * BUG/MINOR: server: fix dynamic server leak with check on failed init + * MINOR: activity/memprofile: show per-DSO stats + * MINOR: activity/memprofile: always return "other" bin on NULL return address + * BUG/MEDIUM: connection/http-reuse: fix address collision on unhandled address families + * BUG/MEDIUM: mux-h2: Remove H2S from send list if data are sent via 0-copy FF + * BUG/MEDIUM: stats-html: Never dump more data than expected during 0-copy FF + * BUG/MINOR: mux-quic: do not close STREAM with empty FIN if no data sent + * BUG/MINOR: mworker: fix mworker-max-reloads parser + * DOC: config: fix rfc7239 forwarded typo 
in desc + * BUG/MEDIUM: quic: avoid freezing 0RTT connections + * BUG/MINOR: quic: avoid leaking post handshake frames + * REGTESTS: Never reuse server connection in http-messaging/truncated.vtc + * BUG/MAJOR: filters/htx: Add a flag to state the payload is altered by a filter + * BUG/MEDIUM: stconn: Check FF data of SC to perform a shutdown in sc_notify() + * BUG/MINOR: http-ana: Don't report a server abort if response payload is invalid + * BUG/MEDIUM: stconn: Wait iobuf is empty to shut SE down during a check send + * BUG/MINOR: httpclient: return NULL when no proxy available during httpclient_new() + * BUG/MEDIUM: queue: make sure never to queue when there's no more served conns + * BUG/MEDIUM: mux-quic: ensure timeout server is active for short requests + * BUG/MEDIUM: hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}() + * BUG/MEDIUM: hlua: make hlua_ctx_renew() safe + * BUG/MEDIUM: server: server stuck in maintenance after FQDN change + * MEDIUM: debug: on panic, make the target thread automatically allocate its buf + * MINOR: debug: replace ha_thread_dump() with its two components + * MINOR: debug: make ha_thread_dump_done() take the pointer to be used + * MINOR: debug: slightly change the thread_dump_pointer signification + * MINOR: debug: split ha_thread_dump() in two parts + * MINOR: chunk: drop the global thread_dump_buffer + * MINOR: debug: make mark_tainted() return the previous value + * BUG/MINOR: http-ana: Disable fast-fwd for unfinished req waiting for upgrade + * BUG/MINOR: mux-h1: Fix condition to set EOI on SE during zero-copy forwarding + * BUG/MEDIUM: queue: always dequeue the backend when redistributing the last server + * MINOR: server: make srv_shutdown_sessions() call pendconn_redistribute() + * BUG/MINOR: queue: make sure that maintenance redispatches server queue + * BUG/MEDIUM: stream: make stream_shutdown() async-safe + * MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG + * MINOR: 
tools: do not attempt to use backtrace() on linux without glibc + * BUILD: tools: only include execinfo.h for the real backtrace() function + * BUG/MINOR: cfgparse-global: fix allowed args number for setenv + * BUG/MINOR: server: make sure the HMAINT state is part of MAINT + * BUG/MEDIUM: cli: Deadlock when setting frontend maxconn + * BUG/MEDIUM: cli: Be sure to catch immediate client abort + * BUG/MINOR: mux-quic: report glitches to session + * REGTESTS: shorten a bit the delay for the h1/h2 upgrade test + * REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades + * BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only + * MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state + * BUG/MINOR: h2: reject extended connect for h2c protocol + * BUG/MINOR: h1: do not forward h2c upgrade header token + * MINOR: connection: No longer include stconn type header in connection-t.h + +------------------------------------------------------------------- +Mon Sep 30 19:36:53 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.5+git0.8e879a52e: (VUL-0: CVE-2024-49214 boo#1231612) + * [RELEASE] Released version 3.0.5 + * BUG/MINOR: quic: prevent freeze after early QCS closure + * BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM + * MINOR: quic: implement function to check if STREAM is fully acked + * MINOR: quic: convert qc_stream_desc release field to flags + * BUG/MINOR: cfgparse-listen: fix option httpslog override warning message + * BUG/MEDIUM: promex: Wait to have the request before sending the response + * BUG/MEDIUM: cache/stats: Wait to have the request before sending the response + * BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send + * DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options + * BUG/MINOR: peers: local entries updates may not be advertised after resync + * BUG/MEDIUM: queue: implement a flag to check for the dequeuing + * BUG/MINOR: clock: 
validate that now_offset still applies to the current date + * BUG/MINOR: clock: make time jump corrections a bit more accurate + * BUG/MINOR: polling: fix time reporting when using busy polling + * MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option + * BUG/MINOR: pattern: do not leave a leading comma on "set" error messages + * BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established + * BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state + * BUG/MEDIUM: pattern: prevent UAF on reused pattern expr + * BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg() + * BUG/MEDIUM: clock: detect and cover jumps during execution + * REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load + * DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line + * BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only) + * BUG/MINOR: quic: Crash from trace dumping SSL eary data status (AWS-LC) + * BUG/MEDIUM: quic: always validate sender address on 0-RTT + * MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. + * MINOR: quic: Implement qc_ssl_eary_data_accepted(). + * MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) + * BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder + * MINOR: quic: Token for future connections implementation. + * MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD + * MINOR: quic: Implement quic_tls_derive_token_secret(). + * MINOR: tools: Implement ipaddrcpy(). 
+ * BUG/MEDIUM: clock: also update the date offset on time jumps + * BUILD: quic: 32bits build broken by wrong integer conversions for printf() + * BUG/MINOR: cfgparse-global: remove tune.fast-forward from common_kw_list + * DOC: config: correct the table for option tcplog + * BUG/MINOR: pattern: pat_ref_set: return 0 if err was found + * BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity + * BUG/MINOR: h3: properly reject too long header responses + * BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails + * BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID + * REGTESTS: mcli: test the pipelined commands on master CLI + * BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI + * MINOR: channel: implement ci_insert() function + * BUG/MINOR: proto_tcp: keep error msg if listen() fails + * BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails + * BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE + * BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion + * BUG/MINOR: trace: automatically start in waiting mode with "start " + * BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED() + * BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc + * BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn + * DOC: configuration: fix alphabetical ordering of {bs,fs}.aborted + * BUG/MINOR: fcgi-app: handle a possible strdup() failure + * BUG/MEDIUM: peer: Notify the applet won't consume data when it waits for sync + * BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream + * BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams + * BUG/MEDIUM: http-ana: Report error on write error waiting for the response + * BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content + * BUG/MEDIUM: ssl: 0-RTT initialized at the wrong place for AWS-LC + * BUG/MEDIUM: ssl: reactivate 0-RTT for AWS-LC + * BUG/MINOR: stconn: 
bs.id and fs.id had their dependencies incorrect + * BUILD: mux-pt: Use the right name for the sedesc variable + * BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path + * BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set + * BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak + +------------------------------------------------------------------- +Tue Sep 03 14:08:47 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.4+git0.7a59afa93: (CVE-2024-45506 boo#1229993) + * [RELEASE] Released version 3.0.4 + * BUG/MEDIUM: mux-pt: Fix condition to perform a shutdown for writes in mux_pt_shut() + * BUG/MINOR: Crash on O-RTT RX packet after dropping Initial pktns + * BUG/MINOR: quic: Too shord datagram during O-RTT handshakes (aws-lc only) + * BUG/MAJOR: mux-h2: always clear MUX_MFULL and DEM_MROOM when clearing the mbuf + * MINOR: mux-h2: try to clear DEM_MROOM and MUX_MFULL at more places + * BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered + * BUG/MINOR: quic: unexploited retransmission cases for Initial pktns. 
+ * BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli + * BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown + * BUG/MINIR: proxy: Match on 429 status when trying to perform a L7 retry + * BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready + * BUG/MEDIUM: mux-h2: Set ES flag when necessary on 0-copy data forwarding + * MINOR: proxy: Add support of 429-Too-Many-Requests in retry-on status + * DOC: quic: fix default minimal value for max window size + * MEDIUM: log: relax some checks and emit diag warnings instead in lf_expr_postcheck() + * Revert "MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface" + * BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn + * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2) + * BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue() + * MINOR: queue: add a function to check for TOCTOU after queueing + * MEDIUM: h1: allow to preserve keep-alive on T-E + C-L + * MINOR: quic: Add information to "show quic" for CUBIC cc. + * MINOR: quic: Dump TX in flight bytes vs window values ratio. + * BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature + * BUG/MINOR: quic: Lack of precision when computing K (cubic only cc) + * MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface + * BUG/MINOR: quic: Non optimal first datagram. 
+ * BUG/MINOR: cli: Atomically inc the global request counter between CLI commands + * BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution + * BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter + * DOC: config: improve the http-keep-alive section + * DOC: configuration: issuers-chain-path not compatible with OCSP + * BUG/MAJOR: mux-h2: force a hard error upon short read with pending error + * BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path + * DOC: install: don't reference removed CPU arg + * BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts + * BUG/MINOR: session: Eval L4/L5 rules defined in the default section + * CLEANUP: quic: rename TID affinity elements + * CLEANUP: proto: rename TID affinity callbacks + * BUG/MEDIUM: quic: prevent crash on accept queue full + * BUILD: listener: silence a build warning about unused value without threads + * MINOR: proto: extend connection thread rebind API + +------------------------------------------------------------------- +Thu Jul 11 14:57:46 UTC 2024 - Marcus Rueckert + +- refreshed patches: + haproxy-1.6.0-makefile_lib.patch + haproxy-1.6.0-sec-options.patch + +------------------------------------------------------------------- +Thu Jul 11 14:56:11 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.3+git0.95a607c4b: + * [RELEASE] Released version 3.0.3 + * BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past + * DEV: flags/quic: decode quic_conn flags + * BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread + * BUG/MEDIUM: h1: Reject empty Transfer-encoding header + * BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value + * BUG/MINOR: h1: Fail to parse empty transfer coding names + * BUG/MINOR: jwt: fix variable initialisation + * Revert "MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD" + * BUG/MEDIUM: peers: Fix crash when syncing learn 
state of a peer without appctx + * DOC: configuration: update maxconn description + * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD + * BUG/MINOR: jwt: don't try to load files with HMAC algorithm + * BUG/MEDIUM: server: fix race on server_atomic_sync() + * DOC: configuration: more details about the master-worker mode + * BUG/MEDIUM: hlua/cli: Fix lua CLI commands to work with applet's buffers + * BUG/MINOR: promex: Remove Help prefix repeated twice for each metric + * BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking + * BUG/MINOR: quic: fix race-condition on trace for CID retrieval + * BUG/MINOR: quic: fix race condition in qc_check_dcid() + * BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid() + * BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid + * BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid + * BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout or error + * MINOR: activity: make the memory profiling hash size configurable at build time + * BUG/MINOR: server: fix first server template name lookup UAF + * DOC: configuration: add details about crt-store in bind "crt" keyword + * BUG/MEDIUM: stick-table: Decrement the ref count inside lock to kill a session + * BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct() + * DEV: flags/show-fd-to-flags: adapt to recent versions + * BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure + * BUG/MINOR: h3: fix BUG_ON() crash on control stream alloc failure + * BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure + * BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission + * DOC: api/event_hdl: small updates, fix an example and add some precisions + * SCRIPTS: git-show-backports: do not truncate git-show output + * BUG/MAJOR: quic: fix padding with short packets + * DOC: management: document ptr lookup for table commands + * DOC: configuration: fix alphabetical order of bind 
options + * BUG/MEDIUM: proxy: fix email-alert invalid free + * REGTESTS: ssl: fix some regtests 'feature cmd' start condition + * DEBUG: hlua: distinguish burst timeout errors from exec timeout errors + * BUG/MINOR: log: fix broken '+bin' logformat node option + +------------------------------------------------------------------- +Sun Jun 16 06:44:56 UTC 2024 - andreas.stieger@gmx.de + +- Update to version 3.0.2+git0.a45a8e623: + * [RELEASE] Released version 3.0.2 + * DOC: management: rename show stats domain cli "dns" to "resolvers" + * DOC/MINOR: management: add -dZ option + * DOC/MINOR: management: add missed -dR and -dv options + * BUG/MINOR: quic: fix padding of INITIAL packets + * BUG/MAJOR: mux-h1: Prevent any UAF on H1 connection after draining a request + * CLEANUP: log/proxy: fix comment in proxy_free_common() + * BUG/MEDIUM: proxy: fix UAF with {tcp,http}checks logformat expressions + * MINOR: proxy: add proxy_free_common() helper function + * BUG/MINOR: promex: Skip resolvers metrics when there is no resolver section + * DOC: config: add missing context hint for new server and proxy keywords + * DOC: config: add missing section hint for "guid" proxy keyword + * DOC: config: move "hash-key" from proxy to server options + * BUG/MEDIUM: log: fix lf_expr_postcheck() behavior with default section + * BUG/MINOR: proxy: fix header_unique_id leak on deinit() + * BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit() + * BUG/MINOR: proxy: fix dyncookie_key leak on deinit() + * BUG/MINOR: proxy: fix check_{command,path} leak on deinit() + * BUG/MINOR: proxy: fix email-alert leak on deinit() + * BUG/MINOR: proxy: fix log_tag leak on deinit() + * BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit() + * MINOR: log: fix "http-send-name-header" ignore warning message + +------------------------------------------------------------------- +Mon Jun 10 14:52:46 UTC 2024 - mrueckert@suse.de + +- Update to version 3.0.1+git0.471a1b2f1: + * [RELEASE] 
Released version 3.0.1
+ * BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE flag
+ * BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego
+ * BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts
+ * BUG/MINOR: quic: ensure Tx buf is always purged
+ * BUG/MINOR: quic: fix computed length of emitted STREAM frames
+ * BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL
+ * BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
+ * BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during nego
+ * CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
+ * BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
+ * BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
+ * BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
+ * BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
+ * CLEANUP: hlua: use hlua_pusherror() where relevant
+ * BUG/MINOR: quic: prevent crash on qc_kill_conn()
+ * BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be released
+ * MEDIUM: stconn: Be able to unblock zero-copy data forwarding from done_fastfwd
+ * BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
+ * BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
+ * DOC: configuration: add an example for keywords from crt-store
+ * BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
+ * BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
+ * BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
+
+-------------------------------------------------------------------
+Fri May 31 12:07:48 UTC 2024 - Marcus Rueckert
+
+- AppArmor: allow haproxy to read the files needed for the
+ "p post_mortem" support
+
+-------------------------------------------------------------------
+Wed May 29 14:00:25 UTC 2024 - mrueckert@suse.de
+
+- Update to version
3.0.0+git0.5590ada47:
+ https://www.haproxy.com/blog/announcing-haproxy-3-0
+ https://www.mail-archive.com/haproxy@formilux.org/msg44993.html
+
+-------------------------------------------------------------------
+Mon Feb 26 19:55:05 UTC 2024 - mrueckert@suse.de
+
+- Update to version 2.9.6+git0.9eafce5dc:
+ * [RELEASE] Released version 2.9.6
+ * BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
+ * BUG/MAJOR: promex: fix crash on deleted server
+
+-------------------------------------------------------------------
+Mon Feb 26 19:54:49 UTC 2024 - mrueckert@suse.de
+
+- Update to version 2.9.5+git0.260dbb8a6:
+ * [RELEASE] Released version 2.9.5
+ * BUG/MEDIUM: mux-h2: Don't report error on SE for closed H2 streams
+ * BUG/MEDIUM: mux-h2: Don't report error on SE if error is only pending on H2C
+ * BUG/MEDIUM: mux-h2: Only Report H2C error on read error if demux buffer is empty
+ * BUG/MEDIUM: mux-h2: Switch pending error to error if demux buffer is empty
+ * MINOR: muxes/applet: Simplify checks on options to disable zero-copy forwarding
+ * BUG/MAJOR: stconn: Check support for zero-copy forwarding on both sides
+ * MINOR: muxes: Announce support for zero-copy forwarding on consumer side
+ * MINOR: stconn: Add SE flag to announce zero-copy forwarding on consumer side
+ * MINOR: stconn: Rename SE_FL_MAY_FASTFWD and reorder bitfield
+ * CLEANUP: stconn: Move SE flags set by app layer at the end of the bitfield
+ * BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
+ * BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
+ * MINOR: quic: Add a counter for reordered packets
+ * MINOR: quic: Dynamic packet reordering threshold
+ * MINOR: quic: Update K CUBIC calculation (RFC 9438)
+ * BUG/MEDIUM: quic: Wrong K CUBIC calculation.
+ * BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
+ * BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
+ * BUILD: address a few remaining calloc(size, n) cases
+ * CI: Update to actions/cache@v4
+ * BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
+ * BUG/MINOR: vars/cli: fix missing LF after "get var" output
+ * DOC: internal: update missing data types in peers-v2.0.txt
+ * DOC: config: fix misplaced "bytes_{in,out}"
+ * DOC: config: fix typos for "bytes_{in,out}"
+ * DOC: config: fix misplaced "txn.conn_retries"
+ * DOC: install: recommend pcre2
+ * REGTESTS: ssl: Add OCSP related tests
+ * REGTESTS: ssl: Fix empty line in cli command input
+ * BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
+ * BUG/MINOR: ssl: Destroy ckch instances before the store during deinit
+ * BUG/MEDIUM: ocsp: Separate refcount per instance and per store
+ * MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
+ * BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
+ * BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
+ * MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
+ * BUILD: debug: remove leftover parentheses in ABORT_NOW()
+ * MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
+ * MINOR: debug: make sure calls to ha_crash_now() are never merged
+ * MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
+ * MINOR: quic: Stop using 1024th of a second.
+ * BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
+ * CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
+ * BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
+ * BUILD: quic: Variable name typo inside a BUG_ON().
+ * BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
+ * BUG/MINOR: diag: run the final diags before quitting when using -c
+ * BUG/MINOR: diag: always show the version before dumping a diag warning
+
+-------------------------------------------------------------------
+Mon Feb 26 19:54:25 UTC 2024 - mrueckert@suse.de
+
+- Update to version 2.9.4+git0.4e071ad92:
+ * [RELEASE] Released version 2.9.4
+ * BUG/MEDIUM: h1: always reject the NUL character in header values
+ * BUG/MINOR: h1-htx: properly initialize the err_pos field
+ * DOC: httpclient: add dedicated httpclient section
+ * BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
+ * BUG/MINOR: h1: Don't support LF only at the end of chunks
+ * BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
+ * BUG/MEDIUM: qpack: allow 6xx..9xx status codes
+ * BUG/MEDIUM: h3: do not crash on invalid response status code
+ * MINOR: h3: add traces for stream sending function
+ * BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
+ * DOC: configuration: clarify http-request wait-for-body
+ * BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
+ * MINOR: quic: extract qc_stream_buf free in a dedicated function
+ * MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
+ * CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
+ * BUG/MINOR: quic: newreno QUIC congestion control algorithm no more available
+ * BUG/MEDIUM: cache: Fix crash when deleting secondary entry
+ * BUG/MINOR: hlua: fix uninitialized var in hlua_core_get_var()
+ * BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
+ * BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
+ * MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
+ * BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
+ * DOC: configuration: fix set-dst in actions keywords matrix
+ * BUG/MINOR: h3: fix checking on NULL Tx buffer
+
+-------------------------------------------------------------------
+Sun Feb 4 22:52:43 UTC 2024 - Georg Pfuetzenreuter
+
+- Set /run/haproxy as the default PID file and socket location
+ Adds haproxy-service.patch
+- Allow custom stats socket names
+
+-------------------------------------------------------------------
+Wed Jan 24 13:40:54 UTC 2024 - varkoly@suse.com
+
+- Update to version 2.9.3+git0.de3ab549a:
+ * [RELEASE] Released version 2.9.3
+ * BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
+ * BUG/MINOR: mux-h2: also count streams for refused ones
+ * BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control
+ * BUILD: quic: missing include for quic_tp
+ * [RELEASE] Released version 2.9.2
+ * DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay
+ * REGTESTS: add a test to ensure map-ordering is preserved
+ * BUG/MINOR: map: list-based matching potential ordering regression
+ * CLEANUP: quic: Double quic_dgram_parse() prototype declaration.
+ * MINOR: ssl: Update ssl_fc_curve/ssl_bc_curve to use SSL_get0_group_name
+ * MINOR: ot: logsrv struct becomes logger
+ * MINOR: mux-h2: support limiting the total number of H2 streams per connection
+ * BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
+ * BUG/MEDIUM: stconn: Set fsb date if zero-copy forwarding is blocked during nego
+ * BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
+ * BUG/MEDIUM: h3: fix incorrect snd_buf return value
+ * BUILD: quic: Missing quic_ssl.h header protection
+ * CLEANUP: quic: Remaining useless code into server part
+ * REGTESTS: check attach-srv out of order declaration
+ * MINOR: debug: add features and build options to "show dev"
+ * MINOR: global: export a way to list build options
+ * CI: use semantic version compare for determing "latest" OpenSSL
+ * BUG/MINOR: h3: disable fast-forward on buffer alloc failure
+ * BUG/MINOR: h3: close connection on sending alloc errors
+ * BUG/MINOR: h3: properly handle alloc failure on finalize
+ * MINOR: h3: add traces for connection init stage
+ * BUG/MINOR: h3: close connection on header list too big
+ * MINOR: h3: check connection error during sending
+ * BUG/MINOR: quic: Missing call to TLS message callbacks
+ * BUG/MINOR: quic: Wrong keylog callback setting.
+ * BUG/MINOR: mux-quic: disable fast-fwd if connection on error
+ * BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
+ * DOC: fix typo for fastfwd QUIC option
+ * BUG/MINOR: server/event_hdl: propagate map port info through inetaddr event
+ * MINOR: server/event_hdl: update _srv_event_hdl_prepare_inetaddr prototype
+ * MINOR: server/event_hdl: add server_inetaddr struct to facilitate event data usage
+ * BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
+ * MINOR: stats: store the parent proxy in stats ctx (http)
+ * BUG/MAJOR: stconn: Disable zero-copy forwarding if consumer is shut or in error
+ * BUG/MINOR: server: Use the configured address family for the initial resolution
+ * DOC: config: Update documentation about local haproxy response
+ * BUG/MINOR: resolvers: default resolvers fails when network not configured
+
+-------------------------------------------------------------------
+Fri Dec 15 15:15:07 UTC 2023 - varkoly@suse.com
+
+- Update to version 2.9.1+git0.f72603ceb:
+ * [RELEASE] Released version 2.9.1
+ * DOC: config: also add arguments to the converters in the table
+ * DOC: config: add arguments to sample fetch methods in the table
+ * BUG/MEDIUM: mux-quic: report early error on stream
+ * BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
+ * CLEANUP: mux-h1: Fix a trace message about C-L header addition
+ * BUG/MEDIUM: mux-h1: Explicitly skip request's C-L header if not set originally
+ * BUG/MEDIUM: mux-h1: Cound data from input buf during zero-copy forwarding
+ * BUG/MEDIUM: stconn: Block zero-copy forwarding if EOS/ERROR on consumer side
+ * BUG/MEDIUM: quic: QUIC CID removed from tree without locking
+ * MINOR: version: mention that it's stable now
+ * BUG/MINOR: ext-check: cannot use without preserve-env
+ * BUG/MEDIUM: map/acl: pat_ref_{set,delete}_by_id regressions
+ * BUILD: ssl: update types in wolfssl cert selection callback
+ * BUG/MEDIUM: quic: Possible buffer overflow
when building TLS records
+ * BUG/MINOR: mworker/cli: fix set severity-output support
+ * DOC: configuration: typo req.ssl_hello_type
+ * BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
+ * BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
+ * MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
+ * BUG/MINOR: ssl: Double free of OCSP Certificate ID
+
+-------------------------------------------------------------------
+Mon Dec 11 09:20:20 UTC 2023 - Dirk Müller
+
+- Update to version 2.9.0+git0.fddb8c13b:
+ new major branch:
+ https://www.haproxy.com/blog/announcing-haproxy-2-9
+ https://www.mail-archive.com/haproxy@formilux.org/msg44400.html
+
+-------------------------------------------------------------------
+Thu Dec 07 14:28:36 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.8.5+git0.aaba8d090:
+ * [RELEASE] Released version 2.8.5
+ * BUG/MEDIUM: proxy: always initialize the default settings after init
+ * BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
+ * BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
+ * MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
+ * BUG/MINOR: ssl: Double free of OCSP Certificate ID
+ * BUG/MINOR: quic: Packet number spaces too lately initialized
+ * BUG/MINOR: quic: Missing QUIC connection path member initialization
+ * BUG/MINOR: quic: Possible leak of TX packets under heavy load
+ * BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
+ * BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed
+ * BUG/MEDIUM: peers: fix partial message decoding
+ * DOC: Clarify the differences between field() and word()
+ * BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
+ * REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
+ * DOC: config: fix monitor-fail typo
+ * DOC: config: add matrix entry for "max-session-srv-conns"
+ * DOC:
config: specify supported sections for "max-session-srv-conns"
+ * BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
+ * BUG/MINOR: config: Stopped parsing upon unmatched environment variables
+ * BUG/MINOR: quic_tp: fix preferred_address decoding
+ * DOC: config: fix missing characters in set-spoe-group action
+ * BUG/MINOR: h3: always reject PUSH_PROMISE
+ * BUG/MINOR: h3: fix TRAILERS encoding
+ * BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
+ * BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()
+ * BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
+ * DOC: lua: fix Proxy.get_mode() output
+ * DOC: lua: add sticktable class reference from Proxy.stktable
+ * REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
+ * DOC: config: fix timeout check inheritance restrictions
+ * DOC: 51d: updated 51Degrees repo URL for v3.2.10
+ * BUG/MINOR: server: do not leak default-server in defaults sections
+ * BUG/MINOR: quic: Possible RX packet memory leak under heavy load
+ * BUG/MEDIUM: quic: Possible crash for connections to be killed
+ * BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
+ * BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly
+ * REGTESTS: http: add a test to validate chunked responses delivery
+ * BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
+ * MINOR: stktable: add stktable_deinit function
+ * BUG/MINOR: stream/cli: report correct stream age in "show sess"
+ * BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
+ * BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
+ * BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
+ * BUG/MAJOR: quic: complete thread migration before tcp-rules
+
+-------------------------------------------------------------------
+Fri Nov 24 11:31:13 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.8.4+git0.a4ebf9d3b:
+ * [RELEASE] Released version 2.8.4
+ * BUG/MINOR:
stconn: Report read activity on non-indep streams for partial sends
+ * BUG/MINOR: stconn/applet: Report send activity only if there was output data
+ * BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer
+ * BUG/MINOR: stconn: Fix streamer detection for HTX streams
+ * MINOR: channel: Add functions to get info on buffers and deal with HTX streams
+ * MINOR: htx: Use a macro for overhead induced by HTX
+ * BUG/MEDIUM: stconn: Update fsb date on partial sends
+ * BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
+ * BUG/MEDIUM: mworker: set the master variable earlier
+ * BUG/MEDIUM: applet: Report a send activity everytime data were sent
+ * BUG/MEDIUM: stconn: Report a send activity everytime data were sent
+ * REGTESTS: http: Improve script testing abortonclose option
+ * BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
+ * MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads
+ * MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
+ * BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
+ * BUG/MEDIUM: connection: report connection errors even when no mux is installed
+ * DOC: quic: Wrong syntax for "quic-cc-algo" keyword.
+ * BUG/MINOR: sink: don't learn srv port from srv addr
+ * BUG/MEDIUM: applet: Remove appctx from buffer wait list on release
+ * DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
+ * BUG/MINOR: quic: fix retry token check inconsistency
+ * DOC: management: -q is quiet all the time
+ * BUG/MEDIUM: stconn: Don't update stream expiration date if already expired
+ * BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures
+ * BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
+ * BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree
+ * BUG/MINOR: quic: idle timer task requeued in the past
+ * BUG/MEDIUM: pool: fix releasable pool calculation when overloaded
+ * BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period
+ * BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
+ * BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
+ * BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure
+ * BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure
+ * CLEANUP: htx: Properly indent htx_reserve_max_data() function
+ * BUG/MINOR: stconn: Sanitize report for read activity
+ * BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()
+ * BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot epxire
+ * BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
+ * BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
+ * BUG/MINOR: stktable: missing free in parse_stick_table()
+ * BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
+ * BUG/MEDIUM: ssl: segfault when cipher is NULL
+ * BUG/MINOR: mux-quic: fix early close if unset client timeout
+ * BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
+ * MEDIUM: quic: count quic_conn for global sslconns
+ * MEDIUM: quic: count quic_conn instance for maxconn
+ * MINOR:
frontend: implement a dedicated actconn increment function
+ * BUG/MINOR: ssl: use a thread-safe sslconns increment
+ * BUG/MINOR: quic: do not consider idle timeout on CLOSING state
+ * BUG/MEDIUM: server: "proto" not working for dynamic servers
+ * MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
+ * DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
+ * MINOR: lua: Add flags to configure logging behaviour
+ * BUG/MINOR: ssl: load correctly @system-ca when ca-base is define
+ * DOC: internal: filters: fix reference to entities.pdf
+ * BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
+ * BUG/MINOR: mux-h2: commit the current stream ID even on reject
+ * BUG/MEDIUM: peers: Fix synchro for huge number of tables
+ * BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task
+ * BUG/MINOR: trace: fix trace parser error reporting
+ * BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again
+ * BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
+ * BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
+ * BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request
+ * BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash
+ * BUG/MINOR: mux-quic: fix free on qcs-new fail alloc
+ * BUG/MINOR: h3: strengthen host/authority header parsing
+ * BUG/MINOR: mux-quic: support initial 0 max-stream-data
+ * BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream
+ * BUG/MINOR: quic: reject packet with no frame
+ * BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos
+ * BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
+ * BUG/MINOR: hq-interop: simplify parser requirement
+ * BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
+ * BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
+ * BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was
tried
+ * BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
+ * MINOR: hlua: Test the hlua struct first when the lua socket is connecting
+ * MINOR: hlua: Save the lua socket's server in its context
+ * MINOR: hlua: Save the lua socket's timeout in its context
+ * MINOR: hlua: Don't preform operations on a not connected socket
+ * MINOR: hlua: Set context's appctx when the lua socket is created
+ * BUG/MEDIUM: http-ana: Try to handle response before handling server abort
+ * BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed
+ * BUG/MEDIUM: actions: always apply a longest match on prefix lookup
+ * BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
+ * BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
+ * MINOR: pattern: fix pat_{parse,match}_ip() function comments
+ * BUG/MINOR: server: add missing free for server->rdr_pfx
+ * BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
+ * BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
+ * BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
+ * BUG/MINOR: promex: fix backend_agg_check_status
+ * BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
+ * BUG/MINOR: hlua/init: coroutine may not resume itself
+ * BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
+ * CI: musl: drop shopt in workflow invocation
+ * CI: musl: highlight section if there are coredumps
+ * Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
+ * BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
+ * MINOR: hlua: add hlua_stream_ctx_prepare helper function
+ * BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
+ * BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
+ * BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
+ * BUILD: Makefile: add
USE_QUIC_OPENSSL_COMPAT to make help
+ * MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
+ * MINOR: quic+openssl_compat: Do not start without "limited-quic"
+ * MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
+ * BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
+ * DOC: quic: Add "limited-quic" new tuning setting
+ * MINOR: quic: Add "limited-quic" new tuning setting
+ * MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
+ * MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
+ * MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
+ * MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
+ * MINOR: quic: Export some KDF functions (QUIC-TLS)
+ * MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
+ * MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
+ * MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
+ * MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT
+ * MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header
+ * MINOR: quic: QUIC openssl wrapper implementation
+ * BUG/MINOR: quic: Wrong cluster secret initialization
+ * BUG/MINOR: quic: Leak of frames to send.
+ * BUILD: bug: make BUG_ON() void to avoid a rare warning
+
+-------------------------------------------------------------------
+Thu Sep 07 22:07:54 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.8.3+git0.86e043add:
+ * [RELEASE] Released version 2.8.3
+ * CI: Update to actions/checkout@v4
+ * MEDIUM: capabilities: enable support for Linux capabilities
+ * BUG/MINOR: hlua/action: incorrect message on E_YIELD error
+ * BUG/MINOR: ring/cli: Don't expect input data when showing events
+ * BUG/MINOR: applet: Always expect data when CLI is waiting for a new command
+ * NUG/MEDIUM: stconn: Always update stream's expiration date after I/O
+ * BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
+ * BUG/MEDIUM: applet: Report an error if applet request more room on aborted SC
+ * BUG/MEDIUM: stconn: Report read activity when a stream is attached to front SC
+ * BUG/MEDIUM: applet: Fix API for function to push new data in channels buffer
+ * BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var)
+ * BUG/MINOR: quic: Wrong RTT adjusments
+ * MINOR: httpclient: allow to configure the timeout.connect
+ * MINOR: httpclient: allow to configure the retries
+ * DOC: configuration: update examples for req.ver
+ * BUG/MINOR: stream: further protect stream_dump() against incomplete sessions
+ * BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer
+ * BUG/MAJOR: quic: Really ignore malformed ACK frames.
+ * BUG/MINOR: quic: Possible skipped RTT sampling
+ * BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown
+ * BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown
+ * BUG/MINOR: stconn: Don't report blocked sends during connection establishment
+ * BUG/MEDIUM: stconn: Update stream expiration date on blocked sends
+ * DEBUG: applet: Properly report opposite SC expiration dates in traces
+ * BUG/MINOR: checks: do not queue/wake a bounced check
+ * DOC: config: mention uid dependency on the tune.quic.socket-owner option
+ * BUG/MINOR: stream: protect stream_dump() against incomplete streams
+ * BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate
+ * BUILD: import: guard plock.h against multiple inclusion
+ * BUG/MINOR: ssl_sock: fix possible memory leak on OOM
+ * DOC: lua: fix core.register_action typo
+ * BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
+ * CI: fedora: fix "dnf" invocation syntax
+ * IMPORT: xxhash: update xxHash to version 0.8.2
+ * MINOR: atomic: make sure to always relax after a failed CAS
+ * MINOR: threads: inline the wait function for pthread_rwlock emulation
+ * IMPORT: plock: also support inlining the int code
+ * BUILD: Makefile: add the USE_QUIC option to make help
+ * DOC: jwt: Add explicit list of supported algorithms
+ * REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3)
+ * SCRIPTS: git-show-backports: automatic ref and base detection with -m
+ * DOC: typo: fix sc-set-gpt references
+ * BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection
+ * BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
+ * DEV: flags/show-sess-to-flags: properly decode fd.state
+ * BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
+ * BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing
+ * CI: get rid of travis-ci wrapper for Coverity scan
+ * CI: do not use "groupinstall" for Fedora Rawhide builds
+- drop
0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch:
+ part of the version update
+
+-------------------------------------------------------------------
+Wed Aug 30 09:04:25 UTC 2023 - Peter Varkoly
+
+- Apply upstream patch for the ppc64le issue:
+ Add patch:
+ 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch
+ Remove patch:
+ fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch
+
+-------------------------------------------------------------------
+Mon Aug 21 14:38:51 UTC 2023 - Peter Varkoly
+
+- Build error on ppc64le: include/import/xxhash.h:4148:9: error: invalid parameter combination for AltiVec intrinsic __builtin_vec_ld
+ Add patch:
+ fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch
+
+-------------------------------------------------------------------
+Wed Aug 09 12:31:26 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.8.2+git0.61a0f576a: (boo#1214102) CVE-2023-40225
+ * [RELEASE] Released version 2.8.2
+ * BUG/MINOR: http: skip leading zeroes in content-length values
+ * DOC: clarify the handling of URL fragments in requests
+ * REGTESTS: http-rules: verify that we block '#' by default for normalize-uri
+ * BUG/MINOR: h3: reject more chars from the :path pseudo header
+ * BUG/MINOR: h2: reject more chars from the :path pseudo header
+ * BUG/MINOR: h1: do not accept '#' as part of the URI component
+ * REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
+ * MINOR: h2: pass accept-invalid-http-request down the request parser
+ * MINOR: http: add new function http_path_has_forbidden_char()
+ * MINOR: ist: add new function ist_find_range() to find a character range
+ * BUG/MAJOR: http: reject any empty content-length header value
+ * BUG/MAJOR: h3: reject header values containing invalid chars
+ * REORG: http: move has_forbidden_char() from h2.c to http.h
+ * BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value replacement
+ * BUILD: quic: fix
wrong potential NULL dereference
+ * BUG/MINOR: quic: reappend rxbuf buffer on fake dgram alloc error
+ * BUG/MINOR: http-client: Don't forget to commit changes on HTX message
+ * BUG/MEDIUM: quic: consume contig space on requeue datagram
+ * BUG/MEDIUM: bwlim: Reset analyse expiration date when then channel analyse ends
+ * BUG/MEDIUM: h3: Be sure to handle fin bit on the last DATA frame
+ * BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full
+ * DOC: configuration: describe Td in Timing events
+ * BUG/MEDIUM: h3: Properly report a C-L header was found to the HTX start-line
+ * BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX
+ * MINOR: quic: Useless call to SSL_CTX_set_quic_method()
+ * MINOR: quic: Make ->set_encryption_secrets() be callable two times
+ * BUG/MEDIUM: listener: Acquire proxy's lock in relax_listener() if necessary
+ * BUG/MINOR: server-state: Avoid warning on 'file not found'
+ * BUG/MINOR: server-state: Ignore empty files
+ * BUG/MINOR: quic: Missing parentheses around PTO probe variable.
+ * BUG/MINOR: server: Don't warn on server resolution failure with init-addr none
+ * BUG/MINOR: init: set process' affinity even in foreground
+ * BUG/MINOR: cpuset: remove the bogus "proc" from the cpu_map struct
+ * BUG/MINOR: config: do not detect NUMA topology when cpu-map is configured
+ * MINOR: cpuset: add cpu_map_configured() to know if a cpu-map was found
+ * BUG/MINOR: h1-htx: Return the right reason for 302 FCGI responses
+ * BUG/MINOR: hlua: add check for lua_newstate
+ * BUILD: quic: fix warning during compilation using gcc-6.5
+ * CI: explicitely highlight VTest result section if there's something
+ * CI: add naming convention documentation
+ * BUG/MINOR: http: Return the right reason for 302
+ * BUG/MINOR: sample: Fix wrong overflow detection in add/sub conveters
+ * DOC: config: Fix fc_src description to state the source address is returned
+ * BUG/MEDIUM: hlua_fcn/queue: bad pop_wait sequencing
+ * BUG/MINOR: hlua: hlua_yieldk ctx argument should support pointers
+ * CLEANUP: quic: remove useless parameter 'key' from quic_packet_encrypt
+ * BUG/MEDIUM: quic: timestamp shared in token was using internal time clock
+ * BUG/MEDIUM: quic: missing check of dcid for init pkt including a token
+ * BUG/MINOR: quic: retry token remove one useless intermediate expand
+ * BUG/MEDIUM: quic: token IV was not computed using a strong secret
+ * BUG/MINOR: config: Remove final '\n' in error messages
+ * BUG/MINOR: hlua_fcn/queue: use atomic load to fetch queue size
+ * EXAMPLES: maintain haproxy 2.8 retrocompatibility for lua mailers script
+ * BUG/MINOR: sink/log: properly deinit srv in sink_new_from_logsrv()
+ * MINOR: hlua_fcn/mailers: handle timeout mail from mailers section
+ * BUG/MINOR: server: set rid default value in new_server()
+ * BUG/MINOR: sink: fix errors handling in cfg_post_parse_ring()
+ * BUG/MINOR: sink: invalid sft free in sink_deinit()
+ * BUG/MINOR: log: free errmsg on error in cfg_parse_log_forward()
+ * BUG/MINOR: log: fix multiple error
paths in cfg_parse_log_forward()
+ * BUG/MINOR: log: fix missing name error message in cfg_parse_log_forward()
+ * BUG/MEDIUM: log: improper use of logsrv->maxlen for buffer targets
+ * MINOR: sink/api: pass explicit maxlen parameter to sink_write()
+ * BUG/MINOR: log: LF upsets maxlen for UDP targets
+ * BUG/MINOR: ring: maxlen warning reported as alert
+ * BUG/MINOR: ring: size warning incorrectly reported as fatal error
+ * BUG/MINOR: sink: missing sft free in sink_deinit()
+ * BUG/MINOR: http_ext: unhandled ERR_ABORT in proxy_http_parse_7239()
+ * BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv()
+ * BUG/MINOR: cache: A 'max-age=0' cache-control directive can be overriden by a s-maxage
+ * BUG/MINOR: tcp_sample: bc_{dst,src} return IP not INT
+ * DOC: ssl: Add ocsp-update troubleshooting clues and emphasize on crt-list only aspect
+ * DOC: ssl: Fix typo in 'ocsp-update' option
+
+-------------------------------------------------------------------
+Mon Jul 03 14:52:58 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.8.1+git0.a90123aa8:
+ * [RELEASE] Released version 2.8.1
+ * CLEANUP: quic: Remove server specific about Initial packet number space
+ * MINOR: quic: Reduce the maximum length of TLS secrets
+ * MINOR: quic: Move packet number space related functions
+ * MINOR: quic: Move QUIC encryption level structure definition
+ * BUILD: debug: avoid a build warning related to epoll_wait() in debug code
+ * MINOR: compression/slz: add support for a pure flush of pending bytes
+ * IMPORT: slz: implement a synchronous flush() operation
+ * BUG/MINOR: quic: Wrong endianess for version field in Retry token
+ * BUG/MINOR: quic: Wrong Retry paquet version field endianess
+ * BUG/MINOR: quic: Missing random bits in Retry packet header
+ * BUG/MINOR: config: fix stick table duplicate name check
+ * BUG/MEDIUM: quic: error checking buffer large enought to receive the retry tag
+ * BUG/MINOR: quic: Prevent deadlock with CID tree lock
+ * BUG/MINOR:
mworker: leak of a socketpair during startup failure
+ * BUG/MINOR: http_ext: fix if-none regression in forwardfor option
+ * DOC: Attempt to fix dconv parsing error for tune.h2.fe.initial-window-size
+ * REGTESTS: h1_host_normalization : Add a barrier to not mix up log messages
+ * DOC: Add tune.h2.max-frame-size option to table of contents
+ * DOC: Add tune.h2.be.* and tune.h2.fe.* options to table of contents
+ * BUG/MINOR: quic: ticks comparison without ticks API use
+ * BUG/MEDIUM: mworker: increase maxsock with each new worker
+ * BUG/MINOR: quic: Possible endless loop in quic_lstnr_dghdlr()
+ * BUG/MINOR: quic: Possible crash in quic_conn_prx_cntrs_update()
+ * BUG/MINOR: quic: Missing initialization (packet number space probing)
+ * BUG/MINOR: namespace: missing free in netns_sig_stop()
+ * BUG/MINOR: server: inherit from netns in srv_settings_cpy()
+ * BUG/MINOR: quic: Address inversion in "show quic full"
+ * BUG/MINOR: quic: Wrong encryption level flags checking
+ * BUG/MINOR: ssl: log message non thread safe in SSL Hanshake failure
+ * REG-TESTS: stickiness: Delay haproxys start to properly resolv variables
+ * BUG/MINOR: peers: Improve detection of config errors in peers sections
+ * BUG/MEDIUM: hlua: Use front SC to detect EOI in HTTP applets' receive functions
+ * BUG/MINOR: proxy/server: free default-server on deinit
+ * BUG/MINOR: proxy: add missing interface bind free in free_proxy
+ * BUG/MINOR: cfgparse-tcp: leak when re-declaring interface from bind line
+ * DOC: config: fix rfc7239 converter examples (again)
+ * DOC: config: fix jwt_verify() example using var()
+ * DOC: quic: fix misspelled tune.quic.socket-owner
+ * BUG/MINOR: spoe: Only skip sending new frame after a receive attempt
+ * CONTRIB: Add vi file extensions to .gitignore
+ * BUG/MINOR: quic: Possible crash when SSL session init fails
+ * BUG/MINOR: stream: do not use client-fin/server-fin with HTX
+ * BUG/MINOR: stats: Fix Lua's `get_stats` function
+
+-------------------------------------------------------------------
+Wed May 31 19:10:51 UTC 2023 - Marcus Rueckert
+
+- Refreshed patches to apply cleanly again:
+ haproxy-1.6.0-makefile_lib.patch
+ haproxy-1.6.0-sec-options.patch
+- Updated series file: removed outdated patches
+
+-------------------------------------------------------------------
+Wed May 31 19:07:54 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.8.0+git0.fdd8154ed:
+ https://www.mail-archive.com/haproxy@formilux.org/msg43600.html
+
+-------------------------------------------------------------------
+Tue May 02 14:06:55 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.7.8+git0.58c657f26:
+ * [RELEASE] Released version 2.7.8
+ * MINOR: listener: remove the now useless LI_F_QUIC_LISTENER flag
+
+-------------------------------------------------------------------
+Tue May 2 10:44:33 UTC 2023 - Marcus Rueckert
+
+- Add handling for the new startup logs in /dev/shm in the apparmor
+ profile
+
+-------------------------------------------------------------------
+Tue May 02 09:59:24 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.7.7+git0.feedf1414:
+ * [RELEASE] Released version 2.7.7
+ * BUG/MINOR: tools: check libssl and libcrypto separately
+ * MINOR: pools: report a replaced memory allocator instead of just malloc_trim()
+ * BUG/MINOR: pools: restore detection of built-in allocator
+ * MEDIUM: tools: further relax dlopen() checks too consider grouped symbols
+ * MINOR: tools: relax dlopen() on malloc/free checks
+ * MINOR: pattern: use trim_all_pools() instead of a conditional malloc_trim()
+ * MINOR: pools: export trim_all_pools()
+ * MEDIUM: pools: move the compat code from trim_all_pools() to malloc_trim()
+ * MINOR: pools: intercept malloc_trim() instead of trying to plug holes
+ * MINOR: pools: make sure 'no-memory-trimming' is always used
+ * BUG/MINOR: illegal use of the malloc_trim() function if jemalloc is used
+ * BUG/MINOR: quic: fix race on quic_conns list during
affinity rebind
+ * MINOR: quic: finalize affinity change as soon as possible
+ * MINOR: mux-quic: do not allocate Tx buf for empty STREAM frame
+ * MINOR: mux-quic: do not set buffer for empty STREAM frame
+ * BUG/MINOR: quic: prevent buggy memcpy for empty STREAM
+ * BUG/MEDIUM: mux-quic: improve streams fairness to prevent early timeout
+ * BUG/MEDIUM: mux-quic: do not emit RESET_STREAM for unknown length
+ * CLEANUP: quic: Rename several variables into quic_sock.c
+ * CLEANUP: quic: Rename variable into qc_parse_hd_form()
+ * CLEANUP: quic: Rename variable into quic_packet_read_long_header()
+ * CLEANUP: quic: Rename several variables at low level
+ * CLEANUP: quic: Rename quic_get_dgram_dcid() variable
+ * CLEANUP: quic: Make qc_build_pkt() be more readable
+ * CLEANUP: quic: Rename variable for several low level functions
+ * CLEANUP: quic: Rename variable into quic_rx_pkt_parse()
+ * CLEANUP: quic: Rename variable into quic_padding_check()
+ * CLEANUP: quic: Rename variable to in quic_generate_retry_token()
+ * CLEANUP: quic: Remove useless parameters passes to qc_purge_tx_buf()
+ * CLEANUP: quic: rename frame variables
+ * CLEANUP: quic: rename frame types with an explicit prefix
+ * BUG/MINOR: quic: Useless I/O handler task wakeups (draining, killing state)
+ * BUG/MINOR: quic: Useless probing retransmission in draining or killing state
+ * BUG/MINOR: quic: Possible leak during probing retransmissions
+ * BUG/MINOR: quic: Possible memory leak from TX packets
+ * MINOR: quic: Move traces at proto level
+ * BUILD: proto_tcp: export the correct names for proto_tcpv[46]
+ * BUILD: sock_inet: forward-declare struct receiver
+ * BUG/MINOR: config: fix NUMA topology detection on FreeBSD
+ * CI: cirrus-ci: bump FreeBSD image to 13-1
+ * BUG/MINOR: cli: clarify error message about stats bind-process
+ * MINOR: listener: remove unneeded local accept flag
+ * MAJOR: quic: support thread balancing on accept
+ * MINOR: quic: properly finalize thread rebinding
+ *
MEDIUM: quic: implement thread affinity rebinding
+ * MINOR: fd: implement fd_migrate_on() to migrate on a non-local thread
+ * MINOR: fd: add a lock bit with the tgid
+ * MINOR: fd: optimize fd_claim_tgid() for use in fd_insert()
+ * MINOR: quic: delay post handshake frames after accept
+ * MINOR: protocol: define new callback set_affinity
+ * MINOR: quic: do not proceed to accept for closing conn
+ * MEDIUM: quic: handle conn bootstrap/handshake on a random thread
+ * MINOR: quic: remove TID encoding in CID
+ * MEDIUM: quic: use a global CID trees list
+ * BUG/MINOR: server: don't use date when restoring last_change from state file
+ * BUG/MINOR: server: don't miss server stats update on server state transitions
+ * BUG/MINOR: server: don't miss proxy stats update on server state transitions
+ * MINOR: server: explicitly commit state change in srv_update_status()
+ * BUG/MINOR: server: incorrect report for tracking servers leaving drain
+ * BUG/MEDIUM: Update read expiration date on synchronous send
+ * BUG/MINOR: quic: consume Rx datagram even on error
+ * BUG/MINOR: quic: prevent crash on qc_new_conn() failure
+ * BUG/MINOR: h3: fix crash on h3s alloc failure
+ * BUG/MINOR: mux-quic: properly handle STREAM frame alloc failure
+ * BUG/MINOR: mux-quic: fix crash with app ops install failure
+ * BUG/MINOR: quic: Wrong Retry token generation timestamp computing
+ * BUG/MINOR: quic: Unchecked buffer length when building the token
+ * MINOR: quic: Do not allocate too much ack ranges
+ * BUG/MINOR: quic: Stop removing ACK ranges when building packets
+ * BUG/MINOR: cfgparse: make sure to include openssl-compat
+ * BUG/MEDIUM: quic: prevent crash on Retry sending
+ * CLEANUP: backend: Remove useless debug message in assign_server()
+ * BUG/MINOR: quic: transform qc_set_timer() as a reentrant function
+ * MINOR: quic: remove TID ref from quic_conn
+ * MINOR: quic: adjust quic CID derive API
+ * MINOR: quic: adjust Rx packet type parsing
+ * MINOR: quic: remove uneeded
tasklet_wakeup after accept
+ * CLEANUP: quic: rename quic_connection_id vars
+ * CLEANUP: quic: remove unused qc param on stateless reset token
+ * CLEANUP: quic: remove unused scid_node
+ * CLEANUP: quic: remove unused QUIC_LOCK label
+ * BUG/MINOR: task: allow to use tasklet_wakeup_after with tid -1
+ * BUG/MEDIUM: log: Properly handle client aborts in syslog applet
+ * MINOR: ssl: remove OpenSSL 1.0.2 mention into certificate loading error
+ * BUG/MINOR: quic: Do not use ack delay during the handshakes
+ * REGTESTS: fix the race conditions in log_uri.vtc
+ * BUG/MINOR: stream: Fix test on SE_FL_ERROR on the wrong entity
+ * CI: bump "actions/checkout" to v3 for cross zoo matrix
+ * BUG/MINOR: quic: Wrong Application encryption level selection when probing
+ * MINOR: quic: Remove a useless test about probing in qc_prep_pkts()
+ * MINOR: quic: Display the packet number space flags in traces
+ * BUG/MINOR: quic: SIGFPE in quic_cubic_update()
+ * BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit.
+ * BUG/MEDIUM: quic: Code sanitization about acknowledgements requirements
+ * MINOR: quic: Add connection flags to traces
+ * BUG/MINOR: quic: Ignored less than 1ms RTTs
+ * MINOR: quic: Add packet loss and maximum cc window to "show quic"
+ * BUG/MEDIUM: fd: don't wait for tmask to stabilize if we're not in it.
+ * BUG/MINOR: stick_table: alert when type len has incorrect characters
+ * MINOR: activity: add a line reporting the average CPU usage to "show activity"
+ * MINOR: quic: Add a trace for packet with an ACK frame
+ * MINOR: quic: Dump more information at proto level when building packets
+ * MINOR: quic: Modify qc_try_rm_hp() traces
+ * BUG/MINOR: quic: Wrong packet number space probing before confirmed handshake
+ * MINOR: quic: Trace fix in quic_pto_pktns() (handshaske status)
+ * BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions
+ * BUG/MINOR: resolvers: Wakeup DNS idle task on stopping
+ * BUG/MEDIUM: dns: Kill idle DNS sessions during stopping stage
+ * BUILD: compiler: fix __equals_1() on older compilers
+ * BUG/MINOR: errors: invalid use of memprintf in startup_logs_init()
+ * BUG/MINOR: mworker: unset more internal variables from program section
+ * MINOR: quic: remove address concatenation to ODCID
+ * MINOR: quic: remove ODCID dedicated tree
+ * MINOR: quic: derive first DCID from client ODCID
+ * BUG/MINOR: quic: Possible crashes in qc_idle_timer_task()
+ * BUG/MINOR: http-ana: Don't switch message to DATA when waiting for payload
+ * MINOR: http-ana: Add a HTTP_MSGF flag to state the Expect header was checked
+ * BUG/MEDIUM: hlua: prevent deadlocks with main lua lock
+ * MINOR: hlua: simplify lua locking
+ * BUG/MINOR: hlua: prevent function and table reference leaks on errors
+ * BUG/MINOR: hlua: fix reference leak in hlua_post_init_state()
+ * BUG/MINOR: hlua: fix reference leak in core.register_task()
+ * MINOR: hlua: add simple hlua reference handling API
+ * CLEANUP: hlua: fix conflicting comment in hlua_ctx_destroy()
+ * BUG/MINOR: hlua: enforce proper running context for register_x functions
+ * BUG/MINOR: hlua: hook yield does not behave as expected
+ * BUG/MINOR: log: free log forward proxies on deinit()
+ * BUG/MINOR: sink: free forward_px on deinit()
+ * BUG/MINOR: stats: properly handle server stats dumping resumption
+ *
BUG/MINOR: server/del: fix srv->next pointer consistency
+ * MINOR: server: add SRV_F_DELETED flag
+ * BUG/MEDIUM: dns: Properly handle error when a response consumed
+ * BUG/MEDIUM: channel: Improve reports for shut in co_getblk()
+ * BUG/MINOR: quic: Possible wrong PTO computing
+ * BUILD: quic: 32bits compilation issue in cli_io_handler_dump_quic()
+ * BUG/MINOR: quic: Wrong idle timer expiration (during 20s)
+ * BUG/MINOR: quic: Unexpected connection closures upon idle timer task execution
+ * MINOR: quic: Add trace to debug idle timer task issues
+ * DOC: config: strict-sni allows to start without certificate
+ * MINOR: http-act: emit a warning when a header field name contains forbidden chars
+ * BUG/MINOR: quic: Remove useless BUG_ON() in newreno and cubic algo implementation
+ * BUG/MAJOR: quic: Congestion algorithms states shared between the connection
+ * MINOR: quic: Add missing traces in cubic algorithm implementation
+ * BUG/MINOR: quic: Cubic congestion control window may wrap
+ * BUG/MINOR: quic: Remaining useless statements in cubic slow start callback
+ * BUG/MINOR: quic: Wrong rtt variance computing
+ * MEDIUM: quic: Ack delay implementation
+ * MINOR: quic: Traces adjustments at proto level.
+ * MINOR: quic: Adjustments for generic control congestion traces
+ * MINOR: quic: Implement cubic state trace callback
+ * BUG/MINOR: quic: Missing max_idle_timeout initialization for the connection
+ * BUG/MINOR: quic: Wrong use of now_ms timestamps (newreno algo)
+ * MINOR: quic: Add recovery related information to "show quic"
+ * BUG/MINOR: quic: Wrong use of now_ms timestamps (cubic algo)
+ * BUG/MINOR: backend: make be_usable_srv() consistent when stopping
+ * BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop
+ * DOC/MINOR: reformat configuration.txt's "quoting and escaping" table
+ * MINOR: proxy/pool: prevent unnecessary calls to pool_gc()
+ * BUG/MINOR: quic: Missing padding in very short probe packets
+ * BUG/MEDIUM: mux-h2: Be able to detect connection error during handshake
+ * BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards.
+ * Revert "BUG/MEDIUM: stconn: Don't rearm the read expiration date if EOI was reached"
+ * BUG/MINOR: ssl: ssl-(min|max)-ver parameter not duplicated for bundles in crt-list
+
+-------------------------------------------------------------------
+Tue Mar 28 10:03:07 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.7.6+git0.4dadaaafb:
+ * [RELEASE] Released version 2.7.6
+ * BUG/MINOR: quic: Missing STREAM frame type updated
+ * BUG/MINOR: applet/new: fix sedesc freeing logic
+ * BUG/MEDIUM: mux-h1: Wakeup H1C on shutw if there is no I/O subscription
+ * DOC: config: set-var() dconv rendering issues
+ * BUG/MEDIUM: stats: Consume the request except when parsing the POST payload
+ * MINOR: mux-quic: close on frame alloc failure
+ * MINOR: mux-quic: close on qcs allocation failure
+ * MINOR: mux-quic: ensure CONNECTION_CLOSE is scheduled once per conn
+ * MINOR: mux-quic: interrupt qcc_recv*() operations if CC scheduled
+ * BUG/MINOR: mux-quic: prevent CC status to be erased by shutdown
+ * BUG/MINOR: h3: properly handle incomplete remote uni stream type
+ * MINOR: mux-quic: add flow-control
info to minimal trace level
+ * MINOR: mux-quic: adjust trace level for MAX_DATA/MAX_STREAM_DATA recv
+ * MINOR: mux-quic: complete traces for qcs emission
+ * BUG/MEDIUM: mux-quic: release data from conn flow-control on qcs reset
+ * BUG/MINOR: trace: fix hardcoded level for TRACE_PRINTF
+ * BUG/MINOR: quic: ignore congestion window on probing for MUX wakeup
+ * BUG/MINOR: quic: wake up MUX on probing only for 01RTT
+ * BUG/MEDIUM: applet: only set appctx->sedesc on successful allocation
+ * BUG/MEDIUM: mux-h1: properly destroy a partially allocated h1s
+ * BUG/MINOR: stconn: fix sedesc memory leak on stream allocation failure
+ * BUG/MEDIUM: stconn: don't set the type before allocation succeeds
+ * BUG/MEDIUM: mux-h2: erase h2c->wait_event.tasklet on error path
+ * BUG/MEDIUM: mux-h2: do not try to free an unallocated h2s->sd
+ * BUG/MEDIUM: stream: do not try to free a failed stream-conn
+ * BUG/MINOR: quic: Dysfunctional 01RTT packet number space probing
+ * MINOR: quic: Stop stressing the acknowledgments process (RX ACK frames)
+ * MINOR: proto_ux: ability to dump ABNS names in error messages
+ * MEDIUM: proto_ux: properly suspend named UNIX listeners
+ * BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume
+ * MINOR: listener: pause_listener() becomes suspend_listener()
+ * BUG/MEDIUM: resume from LI_ASSIGNED in default_resume_listener()
+ * BUG/MINOR: listener: fix resume_listener() resume return value handling
+ * BUG/MEDIUM: listener: fix pause_listener() suspend return value handling
+ * MINOR: listener: make sure we don't pause/resume bypassed listeners
+ * MINOR: listener: workaround for closing a tiny race between resume_listener() and stopping
+ * MINOR: listener: add relax_listener() function
+ * MINOR: listener/api: add lli hint to listener functions
+ * MINOR: proto_uxst: add resume method
+
+-------------------------------------------------------------------
+Fri Mar 17 16:42:07 UTC 2023 - mrueckert@suse.de
+
+- Update to version
2.7.5+git0.8d230219e:
+ * [RELEASE] Released version 2.7.5
+ * OPTIM: mux-h1: limit first read size to avoid wrapping
+ * BUG/MAJOR: qpack: fix possible read out of bounds in static table
+ * BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp()
+ * BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all()
+ * BUG/MINOR: proto_ux: report correct error when bind_listener fails
+ * BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend
+ * BUG/MINOR: mux-h2: Fix possible null pointer deref on h2c in _h2_trace_header()
+ * MEDIUM: mux-h2/trace: add tracing support for headers
+ * MINOR: h2: add h2_phdr_to_ist() to make ISTs from pseudo headers
+ * MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit actions
+ * BUG/MEDIUM: listener: duplicate inherited FDs if needed
+ * BUG/MINOR: quic: Missing STREAM frame data pointer updates
+ * BUG/MINOR: mux-h2: set CO_SFL_STREAMER when sending lots of data
+ * BUG/MEDIUM: mux-h2: only restart sending when mux buffer is decongested
+ * MINOR: buffer: add br_single() to check if a buffer ring has more than one buf
+ * BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it
+ * BUG/MEDIUM: connection: Preserve flags when a conn is removed from an idle list
+ * BUG/MINOR: quic: Missing STREAM frame length updates
+ * BUG/MINOR: tcp_sample: fix a bug in fc_dst_port and fc_dst_is_local sample fetches
+ * BUG/MEDIUM: mux-h1: Don't block SE_FL_ERROR if EOS is not reported on H1C
+ * DEBUG: ssl-sock/show_fd: Display SSL error code
+ * DEBUG: cli/show_fd: Display connection error code
+ * BUG/MEDIUM: resolvers: Properly stop server resolutions on soft-stop
+ * BUG/MEDIUM: proxy: properly stop backends on soft-stop
+ * BUG/MINOR: mux-h1: Don't report an H1C error on client timeout
+ * BUG/MEDIUM: mux-pt: Set EOS on error on sending path if read0 was received
+
+-------------------------------------------------------------------
+Sun Mar 12 12:30:54 UTC 2023 -
Marcus Rueckert
+
+- switch to autopatch to simplify patch handling
+
+-------------------------------------------------------------------
+Sun Mar 12 12:28:41 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.7.4+git0.d28541d1f:
+ * [RELEASE] Released version 2.7.4
+ * DOC/CLEANUP: fix typos
+ * MINOR: quic_sock: un-statify quic_conn_sock_fd_iocb()
+ * BUG/MINOR: quic: Missing listener accept queue tasklet wakeups
+ * BUG/MINOR: mworker: use MASTER_MAXCONN as default maxconn value
+ * BUG/MAJOR: fd/threads: close a race on closing connections after takeover
+ * BUG/MINOR: thread: report thread and group counts in the correct order
+ * BUG/MINOR: init: properly detect NUMA bindings on large systems
+ * MINOR: quic: Do not stress the peer during retransmissions of lost packets
+ * MINOR: fd/cli: report the polling mask in "show fd"
+ * BUG/MINOR: quic: Wrong RETIRE_CONNECTION_ID sequence number check
+ * MEDIUM: quic: release closing connections on stopping
+ * MINOR: quic: handle new closing list in show quic
+ * MINOR: quic: create a global list dedicated for closing QUIC conns
+ * MINOR: h3: add traces on h3_init_uni_stream() error paths
+ * MINOR: quic: Add transport parameters to "show quic"
+ * MINOR: quic: Add spin bit support
+ * MINOR: quic: Useless TLS context allocations in qc_do_rm_hp()
+ * MINOR: quic: RETIRE_CONNECTION_ID frame handling (RX)
+ * MINOR: quic: Typo fix for ACK_ECN frame
+ * MINOR: quic: Store the next connection IDs sequence number in the connection
+ * MINOR: quic: Do not accept wrong active_connection_id_limit values
+ * BUG/MINOR: mux-quic: properly init STREAM frame as not duplicated
+ * BUG/MAJOR: fd/thread: fix race between updates and closing FD
+ * BUG/MEDIUM: quic: do not crash when handling STREAM on released MUX
+ * MINOR: quic: Send PING frames when probing Initial packet number space
+ * BUG/MINOR: quic: Missing detections of amplification limit reached
+ * BUG/MINOR: quic: Do not resend already acked frames
+ *
BUG/MINOR: quic: Ensure not to retransmit packets with no ack-eliciting frames
+ * BUG/MINOR: quic: Remove force_ack for Initial,Handshake packets
+ * MINOR: quic: Add traces about QUIC TLS key update
+ * BUG/MINOR: quic: v2 Initial packets decryption failed
+ * BUG/MINOR: quic: Ensure to be able to build datagrams to be retransmitted
+ * MINOR: quic: Add a BUG_ON_HOT() call for too small datagrams
+ * BUG/MINOR: quic: Do not send too small datagrams (with Initial packets)
+ * BUG/MINOR: cli: fix CLI handler "set anon global-key" call
+ * BUG/MEDIUM: quic: properly handle duplicated STREAM frames
+ * BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords
+ * MINOR: ssl: rename confusing ssl_bind_kws
+ * BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback
+ * BUG/MINOR: mxu-h1: Report a parsing error on abort with pending data
+ * BUG/MINOR: http-ana: Do a L7 retry on read error if there is no response
+ * BUG/MINOR: http-ana: Don't increment conn_retries counter before the L7 retry
+ * MINOR: quic: notify on send ready
+ * MEDIUM: quic: implement poller subscribe on sendto error
+ * MINOR: quic: purge txbuf before preparing new packets
+ * MINOR: quic: implement qc_notify_send()
+ * MINOR: quic: simplify return path in send functions
+ * BUG/MINOR: http-check: Skip C-L header for empty body when it's not mandatory
+ * BUG/MINOR: http-check: Don't set HTX_SL_F_BODYLESS flag with a log-format body
+ * BUG/MINOR: mux-h1: Don't report an error on an early response close
+ * BUG/MEDIUM: connection: Clear flags when a conn is removed from an idle list
+ * MINOR: quic: consider EBADF as critical on send()
+ * MEDIUM: quic: improve fatal error handling on send
+ * CLEANUP: listener: only store conn counts for local threads
+ * BUG/MEDIUM: fd: make fd_delete() support being called from a different group
+ * BUG/MINOR: fd: used the update list from the fd's group instead of tgid
+ * DOC: config: Clarify the meaning of 'hold' in the 'resolvers'
section
+ * BUG/MEDIUM: h1-htx: Never copy more than the max data allowed during parsing
+ * BUG/MEDIUM: fd: avoid infinite loops in fd_add_to_fd_list and fd_rm_from_fd_list
+ * BUILD: thead: Fix several 32 bits compilation issues with uint64_t variables
+ * BUG/MINOR: ring: do not realign ring contents on resize
+ * BUILD: quic: 32-bits compilation issue with %zu in quic_rx_pkts_del()
+ * BUG/MINOR: cache: Check cache entry is complete in case of Vary
+ * BUG/MINOR: cache: Cache response even if request has "no-cache" directive
+ * REGTESTS: Fix ssl_errors.vtc script to wait for connections close
+ * DOC: config: Add the missing tune.fail-alloc option from global listing
+ * DOC: config: Fix description of options about HTTP connection modes
+ * BUG/MEDIUM: quic: Missing TX buffer draining from qc_send_ppkts()
+ * MINOR: mux-h2/traces: add a missing TRACE_LEAVE() in h2s_frt_handle_headers()
+ * MINOR: mux-h2/traces: do not log h2s pointer for dummy streams
+ * MEDIUM: quic: trigger fast connection closing on process stopping
+ * MINOR: quic: mark quic-conn as jobs on socket allocation
+ * MEDIUM: mux-quic: properly implement soft-stop
+ * MINOR: mux-quic: implement client-fin timeout
+ * MINOR: mux-quic: define qc_process()
+ * MINOR: mux-quic: define qc_shutdown()
+ * MEDIUM: h3: enforce GOAWAY by resetting higher unhandled stream
+ * BUG/MINOR: h3: prevent hypothetical demux failure on int overflow
+ * BUG/MINOR: quic: acknowledge STREAM frame even if MUX is released
+ * BUG/MINOR: quic: also send RESET_STREAM if MUX released
+ * MINOR: quic: adjust request reject when MUX is already freed
+ * BUG/MINOR: quic: Missing padding for short packets
+ * BUG/MINOR: quic: Do not drop too small datagrams with Initial packets
+ * BUG/MINOR: quic: Wrong initialization for io_cb_wakeup boolean
+ * BUG/MINOR: quic: Do not probe with too little Initial packets
+ * MINOR: quic: Add to the traces
+ * MINOR: quic: Add a trace to identify connections which sent Initial packet.
+ * BUG/MINOR: quic: Missing call to task_queue() in qc_idle_timer_do_rearm()
+ * MINOR: quic: Make qc_dgrams_retransmit() return a status.
+ * MINOR: quic: Add traces to qc_kill_conn()
+ * MINOR: quic: Kill the connections on ICMP (port unreachable) packet receipt
+ * MINOR: quic: Simplication for qc_set_timer()
+ * BUG/MINOR: quic: Really cancel the connection timer from qc_set_timer()
+ * MINOR: quic: Move code to wakeup the timer task to avoid anti-amplication deadlock
+ * MINOR: quic: Add new traces about by connection RX buffer handling
+ * BUG/MINOR: quic: Possible unexpected counter incrementation on send*() errors
+ * MINOR: h3: add traces on decode_qcs callback
+ * BUG/MINOR: mworker: prevent incorrect values in uptime
+ * BUG/MINOR: mux-quic: transfer FIN on empty STREAM frame
+ * MINOR: h3/hq-interop: handle no data in decode_qcs() with FIN set
+ * BUG/MEDIUM: sched: allow a bit more TASK_HEAVY to be processed when needed
+ * BUG/MINOR: sched: properly report long_rq when tasks remain in the queue
+ * BUG/MEDIUM: wdt: fix wrong thread being checked for sleeping
+ * BUG/MEDIUM: stconn: Don't rearm the read expiration date if EOI was reached
+ * BUG/MEDIUM: httpclient/lua: fix a race between lua GC and hlua_ctx_destroy
+ * BUG/MINOR: lua/httpclient: missing free in hlua_httpclient_send()
+ * MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start
+ * BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong
+ * BUG/MEDIUM: mworker: prevent inconsistent reload when upgrading from old versions
+ * BUG/MINOR: mworker: stop doing strtok directly from the env
+
+-------------------------------------------------------------------
+Tue Feb 14 16:32:41 UTC 2023 - mrueckert@suse.de
+
+- Update to version 2.7.3+git0.1065b1000: (boo#1208132 CVE-2023-25725)
+ * [RELEASE] Released version 2.7.3
+ * BUG/CRITICAL: http: properly reject empty http header field names
+ * BUG/MINOR: quic: Wrong datagram dispatch because of
qc_check_dcid()
+ * DOC: proxy-protocol: fix wrong byte in provided example
+ * BUG/MEDIUM: quic: Buffer overflow when looking through QUIC CLI keyword list
+ * BUG/MINOR: clock/stats: also use start_time not start_date in HTML info
+ * BUG/MINOR: mworker: fix uptime for master process
+ * BUG/MINOR: quic: fix type bug on "show quic" for 32-bits arch
+ * BUG/MINOR: quic: fix filtering of closing connections on "show quic"
+ * MINOR: quic: filter closing conn on "show quic"
+ * MINOR: quic: display Tx stream info on "show quic"
+ * MINOR: quic: display infos about various encryption level on "show quic"
+ * MINOR: quic: display socket info on "show quic"
+ * MINOR: quic: display CIDs and state in "show quic"
+ * MINOR: quic: implement a basic "show quic" CLI handler
+ * BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend
+ * BUG/MEDIUM: stconn: Schedule a shutw on shutr if data must be sent first
+ * BUG/MINOR: server/add: ensure minconn/maxconn consistency when adding server
+ * MINOR: cfgparse/server: move (min/max)conn postparsing logic into dedicated function
+ * BUG/MINOR: h3: fix crash due to h3 traces
+ * DOC: config: 'http-send-name-header' option may be used in default section
+ * DOC: config: fix option spop-check proxy compatibility
+ * BUG/MEDIUM: cache: use the correct time reference when comparing dates
+ * BUG/MINOR: clock: do not mix wall-clock and monotonic time in uptime calculation
+ * BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
+ * BUG/MINOR: ssl/crt-list: warn when a line is malformated
+ * MINOR: quic: Update version_information transport parameter to draft-14
+ * BUG/MEDIUM: quic: do not split STREAM frames if no space
+ * BUG/MINOR: quic: Unchecked source connection ID
+ * MEDIUM: quic: Remove qc_conn_finalize() from the ClientHello TLS callbacks
+ * BUG/MAJOR: quic: Possible crash when processing 1-RTT during 0-RTT session
+ * MINOR: quic: When probing Handshake packet number space, also
probe the Initial one
+ * BUG/MINOR: quic: Do not ignore coalesced packets in qc_prep_fast_retrans()
+ * MINOR: quic: Add a trace about variable states in qc_prep_fast_retrans()
+ * BUG/MINOR: quic: Too big PTO during handshakes
+ * BUG/MINOR: quic: Possible stream truncations under heavy loss
+ * CLEANUP: quic: no need for atomics on packet refcnt
+ * MINOR: quic: add config for retransmit limit
+ * MEDIUM: quic: implement a retransmit limit per frame
+ * MINOR: quic: refactor frame deallocation
+ * MINOR: quic: define new functions for frame alloc
+ * MINOR: quic: ensure offset is properly set for STREAM frames
+ * MINOR: quic: remove fin from quic_stream frame type
+ * BUG/MINOR: stats: Prevent HTTP "other sessions" counter underflows
+ * MINOR: stats: add by HTTP version cumulated number of sessions and requests
+ * BUG/MINOR: stats: fix STAT_STARTED behavior with full htx
+ * BUG/MINOR: stats: fix show stats field ctx for servers
+ * BUG/MINOR: stats: fix ctx->field update in stats_dump_proxy_to_buffer()
+ * BUG/MEDIUM: stats: fix resolvers dump
+ * BUG/MINOR: stats: fix source buffer size for http dump
+ * BUG/MINOR: stats: use proper buffer size for http dump
+ * BUG/MINOR: h3: fix crash due to h3 traces
+ * BUG/MEDIUM: ssl: wrong eviction from the session cache tree
+ * MINOR: h3: add missing traces on closure
+ * BUG/MINOR: h3: reject RESET_STREAM received for control stream
+ * BUG/MEDIUM: h3: handle STOP_SENDING on control stream
+ * MINOR: mux-quic/h3: define stream close callback
+ * OPTIM: h3: skip buf realign if no trailer to encode
+ * BUG/MEDIUM: h3: do not crash if no buf space for trailers
+ * BUG/MINOR: fcgi-app: prevent 'use-fcgi-app' in default section
+ * MINOR: trace: add the long awaited TRACE_PRINTF()
+ * MINOR: trace: add a trace_no_cb() dummy callback for when to use no callback
+ * MINOR: trace: add a TRACE_ENABLED() macro to determine if a trace is active
+ * DEV: hpack: fix `trash` build regression
+ * BUG/MINOR: sink: free the
forwarding task on exit + * BUG/MINOR: ring: release the backing store name on exit + * BUG/MINOR: log: release global log servers on exit + * BUG/MEDIUM: hpack: fix incorrect huffman decoding of some control chars + * BUG/MEDIUM: mux-quic: fix crash on H3 SETTINGS emission + * BUG/MINOR: h3: fix GOAWAY emission + * MINOR: mux-quic/h3: send SETTINGS as soon as transport is ready + * MINOR: connection: add a BUG_ON() to detect destroying connection in idle list + * DEV: haring: add a new option "-r" to automatically repair broken files + * BUG/MINOR: sink: make sure to always properly unmap a file-backed ring + * MEDIUM: quic-sock: fix udp source address for send on listener socket + * BUG/MINOR: quic: Do not request h3 clients to close its unidirection streams + * BUG/MINOR: jwt: Wrong return value checked + +------------------------------------------------------------------- +Tue Feb 14 16:32:26 UTC 2023 - mrueckert@suse.de + +- Update to version 2.7.2+git0.7e295dd2c: + * [RELEASE] Released version 2.7.2 + * BUILD: hpack: include global.h for the trash that is needed in debug mode + * BUG/MINOR: mux-h2: add missing traces on failed headers decoding + * BUG/MINOR: mux-h2: make sure to produce a log on invalid requests + * MINOR: h3: implement TRAILERS decoding + * MINOR: h3: implement TRAILERS encoding + * MINOR: h3: extend function for QUIC varint encoding + * BUG/MINOR: h3: properly handle connection headers + * BUG/MINOR: bwlim: Fix parameters check for set-bandwidth-limit actions + * BUG/MINOR: bwlim: Check scope for period expr for set-bandwitdh-limit actions + * BUG/MEDIUM: debug/thread: make the debug handler not wait for !rdv_requests + * MINOR: threads: add a thread_harmless_end() version that doesn't wait + * BUG/MINOR: thread: always reload threads_enabled in loops + * BUG/MEDIUM: fd/threads: fix again incorrect thread selection in wakeup broadcast + * BUG/MINOR: listener: close tiny race between resume_listener() and stopping + * BUG/MINOR: ssl: Fix 
compilation with OpenSSL 1.0.2 (missing ECDSA_SIG_set0) + * BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) + * DOC: config: fix "Address formats" chapter syntax + * BUG/MINOR: mux-fcgi: Correctly set pathinfo + * MINOR: quic: Replace v2 draft definitions by those of the final 2 version + * MINOR: sample: Add "quic_enabled" sample fetch + * MINOR: quic: Add "no-quic" global option + * MINOR: quic: Disable the active connection migrations + * MINOR: quic: Useless test about datagram destination addresses + * BUG/MEDIUM: stconn: also consider SE_FL_EOI to switch to SE_FL_ERROR + * CLEANUP: stconn: always use se_fl_set_error() to set the pending error + * MINOR: listener: also support "quic+" as an address prefix + * DOC: config: mention the missing "quic4@" and "quic6@" in protocol prefixes + * DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@" + * DOC: config: fix wrong section number for "protocol prefixes" + * BUG/MINOR: listeners: fix suspend/resume of inherited FDs + * BUG/MINOR: http-ana: make set-status also update txn->status + * BUG/MEDIUM: mux-h2: Don't send CANCEL on shutw when response length is unkown + * BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state + * BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body + * BUG/MINOR: promex: Don't forget to consume the request on error + * BUG/MEDIUM: peers: make "show peers" more careful about partial initialization + * DEV: tcploop: add minimal support for unix sockets + * BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action + * BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the doc + * BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses + * MINOR: mux-quic: use send-list for immediate sending retry + * MINOR: mux-quic: use send-list for STOP_SENDING/RESET_STREAM emission + * MEDIUM: h3: send SETTINGS before STREAM frames + * MAJOR: 
mux-quic: rework stream sending priorization + * MINOR: mux-quic: add traces for flow-control limit reach + * BUG/MINOR: mux-quic: fix transfer of empty HTTP response + * DOC: management: add details about @system-ca in "show ssl ca-file" + * DOC: management: add details on "Used" status + * DOC: config: added optional rst-ttl argument to silent-drop in action lists + * CLEANUP: htx: fix a typo in an error message of http_str_to_htx + * BUG/MINOR: http: Memory leak of http redirect rules' format string + * BUG/MINOR: fd: avoid bad tgid assertion in fd_delete() from deinit() + * REGTEST: fix the race conditions in hmac.vtc + * REGTEST: fix the race conditions in digest.vtc + * REGTEST: fix the race conditions in add_item.vtc + * REGTEST: fix the race conditions in json_query.vtc + * BUG/MINOR: proxy: free orgto_hdr_name in free_proxy() + * DOC: config: remove duplicated "http-response sc-set-gpt0" directive + * DOC: config: fix alphabetical ordering of http-after-response rules + * BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned + * BUG/MINOR: http-fetch: Only fill txn status during prefetch if not already set + * MINOR: config: add environment variables for default log format + * CI: Reformat `matrix.py` using `black` + * CI: Explicitly check environment variable against `None` in matrix.py + * CI: Unify the `GITHUB_TOKEN` name across matrix.py and vtest.yml + * CI: Use proper `if` blocks instead of conditional expressions in matrix.py + * CI: Add in-memory cache for the latest OpenSSL/LibreSSL + * CI: Improve headline in matrix.py + * BUG/MINOR: stick-table: report the correct action name in error message + * MINOR: cfgparse-ssl: avoid a possible crash on OOM in ssl_bind_parse_npn() + * BUG/MINOR: debug: don't mask the TH_FL_STUCK flag before dumping threads + * BUILD: makefile: make sure to also ignore SSL_INC when using wolfssl + * BUILD: makefile: clean the wolfssl include and lib generation rules + * BUILD: makefile: sort the 
features list + * BUILD: makefile: build the features list dynamically + * CI: github: use the GITHUB_TOKEN instead of a manually generated token + * BUG/MINOR: mux-quic: ignore remote unidirectional stream close + * CI: github: enable github api authentication for OpenSSL tags read + * MINOR: h3: use stream error when needed instead of connection + * MEDIUM: mux-quic: implement STOP_SENDING emission + * MINOR: mux-quic: handle RESET_STREAM reception + * MINOR: mux-quic: do not count stream flow-control if already closed + * MEDIUM: mux-quic: implement shutw + * MINOR: httpclient: don't add body when istlen is empty + * BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats + * BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set + * BUG/MINOR: quic: do not allocate more rxbufs than necessary + * BUG/MEDIUM: quic: properly take shards into account on bind lines + * BUG/MEDIUM: mux-quic: fix double delete from qcc.opening_list + * REGTESTS: ssl: enable the ssl_reuse.vtc test for WolfSSL + * OPTIM: pool: split the read_mostly from read_write parts in pool_head + +------------------------------------------------------------------- +Sun Dec 25 06:01:14 UTC 2022 - mrueckert@suse.de + +- Update to version 2.7.1+git0.3e4af0ed7: + * [RELEASE] Released version 2.7.1 + * BUG/MEDIUM: stats: Rely on a local trash buffer to dump the stats + * BUG/MINOR:: mux-h1: Never handle error at mux level for running connection + * BUG/MINOR: mux-h1: Report EOS on parsing/internal error for not running stream + * BUG/MEDIUM: tests: use tmpdir to create UNIX socket + * REGTESTS: startup: disable automatic_maxconn.vtc + * BUG/MINOR: quic: fix crash on PTO rearm if anti-amplification reset + * BUG/MINOR: stats: fix show stat json buffer limitation + * MINOR: stats: introduce stats field ctx + * MINOR: stats: provide ctx for dumping functions + * BUG/MINOR: ssl: Fix memory leak of find_chain in ssl_sock_load_cert_chain + * MINOR: h3: check return values 
of htx_add_* on headers parsing + * BUG/MINOR: h3: fix memleak on HEADERS parsing failure + * BUG/MEDIUM: h3: fix cookie header parsing + * BUG/MINOR: mux-h1: Fix test instead a BUG_ON() in h1_send_error() + * BUG/MEDIUM: mux-h1: Don't release H1 stream upgraded from TCP on error + * LICENSE: wurfl: clarify the dummy library license. + * BUG/MINOR: mux-quic: handle properly alloc error in qcs_new() + * BUG/MINOR: mux-quic: remove qcs from opening-list on free + * CLEANUP: mux-quic: remove unused attribute on qcs_is_close_remote() + * BUG/MINOR: quic: handle alloc failure on qc_new_conn() for owned socket + * BUG/MINOR: quic: properly handle alloc failure in qc_new_conn() + * BUG/MINOR: quic: fix fd leak on startup check quic-conn owned socket + * MINOR: quic: reconnect quic-conn socket on address migration + * MEDIUM: quic: requeue datagrams received on wrong socket + * MINOR: mux-quic: rename duplicate function names + * MEDIUM: quic: move receive out of FD handler to quic-conn io-cb + * MEDIUM: quic: use quic-conn socket for reception + * MINOR: quic: use connection socket for emission + * MINOR: quic: allocate a socket per quic-conn + * MINOR: quic: define config option for socket per conn + * MINOR: quic: test IP_PKTINFO support for quic-conn owned socket + * MINOR: quic: startup detect for quic-conn owned socket support + * MINOR: quic: ignore address migration during handshake + * MINOR: quic: detect connection migration + * MINOR: tools: add port for ipcmp as optional criteria + * MINOR: quic: extract datagram parsing code + * MINOR: quic: complete traces in qc_rx_pkt_handle() + * MINOR: quic: remove qc from quic_rx_packet + * BUILD: peers: peers-t.h depends on stick-table-t.h + * CI: github: split matrix for development and stable branches + * CI: github: remove redundant ASAN loop + * MINOR: debug: add a balance of alloc - free at the end of the memstats dump + * MINOR: debug: support pool filtering on "debug dev memstats" + * BUG/MEDIUM: h3: parse 
content-length and reject invalid messages + * MINOR: http: extract content-length parsing from H2 + * BUG/MEDIUM: h3: reject request with invalid pseudo header + * BUG/MEDIUM: h3: reject request with invalid header name + * REGTESTS: startup: add alternatives values in automatic_maxconn.vtc + * BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout + * BUG/MEDIUM: freq-ctr: Don't compute overshoot value for empty counters + * CLEANUP: ssl: remove check on srv->proxy + * REGTESTS: startup: activate automatic_maxconn.vtc + * CI: github: set ulimit -n to a greater value + * REGTESTS: startup: change the expected maxconn to 11000 + * BUG/MINOR: startup: don't use internal proxies to compute the maxconn + * REGTESTS: startup: check maxconn computation + * REGTESTS: fix the race conditions in iff.vtc + * BUG/MAJOR: fcgi: Fix uninitialized reserved bytes + * DOC: promex: Add missing backend metrics + * MINOR: promex: introduce haproxy_backend_agg_check_status + * BUG/MINOR: promex: create haproxy_backend_agg_server_status + * MINOR: pools: make DEBUG_UAF a runtime setting + * DEBUG: pool: show a few examples in -dMhelp + * CLEANUP: pools: get rid of CONFIG_HAP_POOLS + * REORG: pool: move all the OS specific code to pool-os.h + * CLEANUP: pool: only include pool-os from pool.c not pool.h + * CLEANUP: pools: move the write before free to the uaf-only function + * BUG/MEDIUM: httpclient/lua: double LIST_DELETE on end of lua task + * BUILD: makefile/da: also clean Os/ in Device Atlas dummy lib dir + * BUILD: atomic: atomic.h may need compiler.h on ARMv8.2-a + * BUG/MINOR: init/threads: continue to limit default thread count to max per group + * BUG/MINOR: checks: restore legacy on-error fastinter behavior + * BUG/MEDIUM: mworker: create the mcli_reload socketpairs in case of upgrade + * BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers + * MINOR: mworker: display an alert upon a wait-mode exit + * BUG/MINOR: checks: make sure 
fastinter is used even on forced transitions + * BUG/MEDIUM: checks: do not reschedule a possibly running task on state change + * CI: github: split ssl lib selection based on git branch + * CI: github: reintroduce openssl 1.1.1 + * BUG/MEDIIM: stconn: Flush output data before forwarding close to write side + * BUG/MINOR: ssl: initialize WolfSSL before parsing + * BUG/MINOR: ssl: initialize SSL error before parsing + +------------------------------------------------------------------- +Thu Dec 01 15:25:38 UTC 2022 - mrueckert@suse.de + +- Update to version 2.7.0+git0.437fd289f: + https://www.haproxy.com/blog/announcing-haproxy-2-7/ + https://www.mail-archive.com/haproxy@formilux.org/msg42914.html + +------------------------------------------------------------------- +Tue Nov 22 13:13:45 UTC 2022 - Marcus Rueckert + +- reenable the pcre jit after the last change + +------------------------------------------------------------------- +Fri Oct 14 11:20:34 UTC 2022 - Stephan Kulow + +- Switch from unmaintained pcre 8.45 to pcre2 10 + +------------------------------------------------------------------- +Mon Sep 26 13:19:38 UTC 2022 - mrueckert@suse.de + +- Update to version 2.6.6+git0.274d1a4df: + * [RELEASE] Released version 2.6.6 + * BUG/MINOR: log: improper behavior when escaping log data + * REGTESTS: ssl: fix grep invocation to use extended regex in ssl_generate_certificate.vtc + * REGTESTS: ssl: adopt tests to OpenSSL-3.0.N + * REGTESTS: ssl: adopt tests to OpenSSL-3.0.N + * BUG/MEDIUM: mux-quic: properly trim HTX buffer on snd_buf reset + * MINOR: mux-quic: refactor snd_buf + * REORG: mux-quic: export HTTP related function in a dedicated file + * REORG: mux-quic: extract traces in a dedicated source file + * BUG/MINOR: mux-quic: do not keep detached qcs with empty Tx buffers + * BUG/MEDIUM: mux-quic: fix nb_hreq decrement + * SCRIPTS: announce-release: update some URLs to https + * BUILD: fd: fix a build warning on the DWCAS + * BUG/MEDIUM: captures: free() an 
error capture out of the proxy lock + * CLEANUP: quic,ssl: fix tiny typos in C comments + * BUG/MEDIUM: server: segv when adding server with hostname from CLI + * BUG/MINOR: mux-quic: do not remotely close stream too early + * CLEANUP: mux-quic: remove stconn usage in h3/hq + * BUG/MEDIUM: mux-quic: fix crash on early app-ops release + * MEDIUM: quic: separate path for rx and tx with set_encryption_secrets + * DOC: fix TOC in starter guide for subsection 3.3.8. Statistics + * REGTESTS: ssl/log: test the log-forward with SSL + * BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring. + * REGTESTS: log: test the log-forward feature + * BUG/MINOR: listener: null pointer dereference suspected by coverity + * CLEANUP: listener: function comment typo in stop_listener() + * REGTESTS: healthcheckmail: Relax matching on the healthcheck log message + * BUG/MINOR: mux-h1: Increment open_streams counter when H1 stream is created + * CLEANUP: pollers: remove dead code in the polling loop + * BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN' + * MINOR: proxy/listener: support for additional PAUSED state + * MINOR: listener: small API change + * BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK + * DEV: flags: add missing CO_FL_FDLESS connection flag + * DEV: flags: fix usage message to reflect available options + * CI: cirrus-ci: bump FreeBSD image to 13-1 + * BUG/MINOR: signals/poller: ensure wakeup from signals + * MINOR: h3: Send the h3 settings with others streams (requests) + * MINOR: h3: Missing connection argument for a TRACE_LEAVE() argument + * MINOR: h3: Add the quic_conn object to h3 traces + * BUG/MINOR: h3: Crash when h3 trace verbosity is "minimal" + * BUG/MINOR: quic: Trace fix about packet number space information. 
+ * BUG/MINOR: quic: Speed up the handshake completion only one time
+ * BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
+ * BUG/MINOR: stream/sched: take into account CPU profiling for the last call
+ * MINOR: sched: store the current profile entry in the thread context
+ * BUG/MINOR: sched: properly account for the CPU time of dying tasks
+ * BUG/MINOR: task: Fix detection of tasks profiling in tasklet_wakeup_after()
+ * CLEANUP: task: rename ->call_date to ->wake_date
+ * MINOR: task: permanently enable latency measurement on tasklets
+ * BUG/MINOR: task: make task_instant_wakeup() work on a task not a tasklet
+ * BUG/MINOR: task: always reset a new tasklet's call date
+ * BUG/MINOR: quic: Wrong connection ID to thread ID association
+ * MINOR: quic: No TRACE_LEAVE() in retrieve_qc_conn_from_cid()
+ * MINOR: quic: Add traces about sent or resent TX frames
+ * MINOR: quic: add QUIC support when no client_hello_cb
+ * BUILD: quic: fix the #ifdef in ssl_quic_initial_ctx()
+ * BUILD: ssl: fix the ifdef mess in ssl_sock_initial_ctx
+ * BUILD: quic: enable early data only with >= openssl 1.1.1
+ * BUILD: quic: temporarly ignore chacha20_poly1305 for libressl
+ * BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb
+ * BUILD: quic: add some ifdef around the SSL_ERROR_* for libressl
+ * BUG/MINOR: quic: Possible crash when verifying certificates
+ * BUG/MINOR: h1: Support headers case adjustment for TCP proxies
+ * BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines
+ * BUG/MINOR: quic: Retransmitted frames marked as acknowledged
+ * BUILD: makefile: enable crypt(3) for NetBSD
+ * MINOR: Revert part of clarifying samples support per os commit
+ * MEDIUM: peers: limit the number of updates sent at once
+
+-------------------------------------------------------------------
+Sat Sep 17 16:50:03 UTC 2022 - dmueller@suse.com
+
+- Update to version 2.6.5+git0.987a4e248:
+ * [RELEASE] Released version 2.6.5
+ * BUG/MINOR: http-act: initialize http fmt head earlier
+ * MINOR: debug: report applet pointer and handler in crashes when known
+ * DEBUG: stream: minor rearrangement of a few fields in struct stream.
+ * BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber
+ * BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber
+ * BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber
+ * BUG/MINOR: httpclient: keep-alive was accidentely disabled
+ * BUG/MEDIUM: httpclient: always detach the caller before self-killing
+ * BUG/MINOR: h2: properly set the direction flag on HTX response
+ * BUG/MINOR: quic: Frames leak during retransmissions
+ * MINOR: quic: Trace typo fix in qc_release_frm()
+ * MINOR: quic: Add TX frames addresses to traces to several trace events
+ * BUG/MINOR: quic: Do not ack when probing
+ * MINOR: backend: always satisfy the first req reuse rule with l7 retries
+ * BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools
+ * REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
+ * BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support
+ * BUILD: debug: make sure debug macros are never empty
+ * CLEANUP: exclude haring with .gitignore
+ * DEV: haring: support remapping LF in contents with CR VT
+ * DEV: haring: add a simple utility to read file-backed rings
+ * MINOR: sink/ring: rotate non-empty file-backed contents only
+ * MINOR: ring: archive a previous file-backed ring on startup
+ * BUILD: sink: replace S_IRUSR, S_IWUSR with their octal value
+ * MINOR: ring: add support for a backing-file
+ * MINOR: ring: support creating a ring from a linear area
+ * BUILD: ring: forward-declare struct appctx to avoid a build warning
+ * BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free() v2
+ * BUG/MINOR: quic: TX frames memleak
+ * MINOR: quic: Move traces about RX/TX bytes from QUIC_EV_CONN_PRSAFRM event
+ * MINOR: quic: Add a trace to distinguish the datagram from the packets inside
+ * BUG/MINOR: quic: Missing header protection AES cipher context initialisations (draft-v2)
+ * BUG/MINOR: quic: Frames added to packets even if not built.
+ * BUG/MINOR: quic: Null packet dereferencing from qc_dup_pkt_frms() trace
+ * Revert "MINOR: quic: Remove useless traces about references to TX packets"
+ * MINOR: quic: Remove useless traces about references to TX packets
+ * CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv()
+ * CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet)
+ * BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup)
+ * BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets
+ * Revert "BUG/MINOR: quix: Memleak for non in flight TX packets"
+ * MINOR: quic: Replace MT_LISTs by LISTs for RX packets.
+ * BUG/MINOR: quic: Safer QUIC frame builders
+ * BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt()
+ * BUG/MINOR: quix: Memleak for non in flight TX packets
+ * BUG/MINOR: mux-quic: Fix memleak on QUIC stream buffer for unacknowledged data
+ * MINOR: quic: Add reusable cipher contexts for header protection
+ * MINOR: quic: Trace fix in qc_release_frm()
+ * MINOR: quic: Add the QUIC connection to mux traces
+ * BUG/MINOR: quic: Wrong splitted duplicated frames handling
+ * MINOR: quic: Add frame addresses to QUIC_EV_CONN_PRSAFRM event traces
+ * BUG/MINOR: quic: Possible crashes when dereferencing ->pkt quic_frame struct member
+ * MEDIUM: h3: concatenate multiple cookie headers
+ * REGTESTS: add test for HTTP/2 cookies concatenation
+ * REORG: h2: extract cookies concat function in http_htx
+ * BUG/MEDIUM: quic: fix crash on MUX send notification
+ * BUG/MINOR: quic: Missing initializations for ducplicated frames.
+ * BUG/MINOR: quic: do not notify MUX on frame retransmit
+ * MINOR: quic: refactor application send
+ * MINOR: mux-quic: add missing args on some traces
+ * MINOR: mux-quic: adjust traces on stream init
+ * BUG/MEDIUM: mux-quic: reject uni stream ID exceeding flow control
+ * MINOR: qpack: report error on enc/dec stream close
+ * MINOR: h3: report error on control stream close
+ * MINOR: quic: adjust quic_frame flag manipulation
+ * BUG/MINOR: quic: Wrong status returned by qc_pkt_decrypt()
+ * BUG/MINOR: quic: MIssing check when building TX packets
+ * BUG/MINOR: mux-quic: fix crash with traces in qc_detach()
+ * BUG/MEDIUM: quic: Wrong use of in qc_lsntr_pkt_rcv()
+ * BUG/MEDIUM: quic: Possible use of uninitialized variable in qc_lstnr_params_init()
+ * BUG/MEDIUM: mux-quic: fix crash due to invalid trace arg
+ * MINOR: mux-quic: define new traces
+ * CLEANUP: mux-quic: adjust traces level
+ * MINOR: mux-quic: define protocol error traces
+ * MINOR: mux-quic: adjust enter/leave traces
+ * CLEANUP: quic: Remove trailing spaces
+ * MINOR: quic: Remove useless lock for RX packets
+ * MEDIUM: quic: xprt traces rework
+ * BUG/MINOR: quic: fix crash on handshake io-cb for null next enc level
+ * BUG/MINOR: mux-quic: open stream on STOP_SENDING
+ * MINOR: quic: skip sending if no frame to send in io-cb
+ * MINOR: quic: refactor datagram commit in Tx buffer
+ * MINOR: quic: release Tx buffer on each send
+ * MINOR: quic: replace custom buf on Tx by default struct buffer
+ * MINOR: quic: Replace pool_zalloc() by pool_malloc() for fake datagrams
+ * BUG/MINOR: quic: adjust errno handling on sendto
+ * MINOR: quic: Add two new stats counters for sendto() errors
+ * MEDIUM: mux-quic: implement http-request timeout
+ * MINOR: mux-quic: refactor refresh timeout function
+ * MINOR: mux-quic: refresh timeout on frame decoding
+ * MINOR: h3: support HTTP request framing state
+ * MEDIUM: mux-quic: implement http-keep-alive timeout
+ * MINOR: mux-quic: count in-progress requests
+ * MEDIUM: mux-quic: adjust timeout refresh
+ * MINOR: mux-quic: use timeout server for backend conns
+ * MINOR: mux-quic: save proxy instance into qcc
+ * MINOR: h3: implement graceful shutdown with GOAWAY
+ * MINOR: h3: store control stream in h3c
+ * MINOR: mux-quic: send one last time before release
+ * CLEANUP: mux-quic: move qc_release()
+ * MEDIUM: quic: send CONNECTION_CLOSE on released MUX
+ * MINOR: mux-quic/h3: prepare CONNECTION_CLOSE on release
+ * MINOR: mux-quic: support app graceful shutdown
+ * MINOR: quic: define a generic QUIC error type
+ * CLEANUP: quic: clean up include on quic_frame-t.h
+ * MEDIUM: mux-quic: implement STOP_SENDING handling
+ * MEDIUM: mux-quic: implement RESET_STREAM emission
+ * MINOR: mux-quic: use stream states to mark as detached
+ * MINOR: mux-quic: define basic stream states
+ * MINOR: mux-quic: support stream opening via MAX_STREAM_DATA
+ * MINOR: mux-quic: do not ack STREAM frames on unrecoverable error
+ * MINOR: mux-quic: filter send/receive-only streams on frame parsing
+ * MINOR: mux-quic: implement qcs_alert()
+ * MINOR: mux-quic: add traces on frame parsing functions
+ * MINOR: mux-quic: rename stream purge function
+ * REORG: mux-quic: rename stream initialization function
+ * MINOR: mux-quic: emit FINAL_SIZE_ERROR on invalid STREAM size
+ * MINOR: mux-quic: rename qcs flag FIN_RECV to SIZE_KNOWN
+ * MEDIUM: mux-quic: refactor streams opening
+ * MINOR: mux-quic: implement accessor for sedesc
+ * REORG: mux-quic: reorganize flow-control fields
+ * CLEANUP: mux-quic: do not export qc_get_ncbuf
+ * CLEANUP: mux-quic: adjust comment on qcs_consume()
+ * BUG/MINOR: qpack: abort on dynamic index field line decoding
+ * BUG/MINOR: qpack: fix build with QPACK_DEBUG
+ * CLEANUP: pool/quic: remove suffix "_pool" from certain pool names
+ * MINOR: quic: Dump version_information transport parameter
+ * BUG/MINOR: qpack: abort on dynamic index field line decoding
+ * BUILD: quic: Wrong HKDF label constant variable initializations
+ * CLEANUP: quic: Remove any reference to boringssl
+ * MEDIUM: quic: Compatible version negotiation implementation (draft-08)
+ * MINOR: quic: Released QUIC TLS extension for QUIC v2 draft
+ * MEDIUM: quic: Add QUIC v2 draft support
+ * CLEANUP: quid: QUIC draft-28 no more supported
+ * MINOR: quic: Parse long packet version from qc_parse_hd_form()
+ * MINOR: quic: Add several nonce and key definitions for Retry tag
+ * MINOR: qpack: improve decoding function
+ * MINOR: qpack: add ABORT_NOW on unimplemented decoding
+ * MINOR: qpack: reduce dependencies on other modules
+ * CLEANUP: quic: use task_new_on() for single-threaded tasks
+ * MINOR: mux-quic: complete BUG_ON on TX flow-control enforcing
+ * BUG/MEDIUM: h3: fix SETTINGS parsing
+ * BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing
+ * BUG/MINOR: h3: fix return value on decode_qcs on error
+ * MINOR: mux-quic/h3: adjust demuxing function return values
+ * MINOR: mux-quic: simplify decode_qcs API
+ * CLEANUP: Re-apply xalloc_size.cocci (2)
+ * MINOR: connection: support HTTP/3.0 for smp_*_http_major fetch
+ * BUG/MINOR: dev/udp: properly preset the rx address size
+ * BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of input
+ * BUG/MINOR: ssl: revert two wrong fixes with ckhi_link
+ * MINOR: quic: Revert recent QUIC commits
+ * BUG/MEDIUM: ssl: Fix a UAF when old ckch instances are released
+ * BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free()
+ * BUG/MINOR: ssl: fix deinit of the ca-file tree
+ * BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule)
+ * MINOR: quic: Add a trace to distinguish the datagram from the packets inside
+ * BUG/MINOR: applet: make the call_rate only count the no-progress calls
+ * BUG/MEDIUM: applet: fix incorrect check for abnormal return condition from handler
+ * MINOR: quic: Replace MT_LISTs by LISTs for RX packets.
+ * BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets
+ * BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
+ * BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
+ * BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
+ * BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
+ * BUG/MINOR: quic: Frames added to packets even if not built.
+ * DOC: configuration.txt: do-resolve must use host_only to remove its port.
+ * BUG/MINOR: httpclient: fix resolution with port
+ * MINOR: sample: add the host_only and port_only converters
+ * DOC: configuration: do-resolve doesn't work with a port in the string
+ * CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv()
+ * CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet)
+ * BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup)
+ * BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets
+ * MINOR: resolvers: shut the warning when "default" resolvers is implicit
+ * REGTESTS: Fix prometheus script to perform HTTP health-checks
+ * BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect
+ * BUG/MINOR: mworker: does not create the "default" resolvers in wait mode
+ * BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
+ * BUILD: tcp_sample: fix build of get_tcp_info() on OpenBSD
+ * BUG/MINOR: quic: Safer QUIC frame builders
+ * BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt()
+
+-------------------------------------------------------------------
+Mon Aug 22 13:29:50 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.6.4+git0.2a2078cba:
+ * [RELEASE] Released version 2.6.4
+ * BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
+ * BUG/MINOR: ssl/cli: error when the ca-file is empty + +------------------------------------------------------------------- +Fri Aug 19 16:09:19 UTC 2022 - mrueckert@suse.de + +- Update to version 2.6.3+git0.76f187b36: + * [RELEASE] Released version 2.6.3 + * BUG/MAJOR: log-forward: Fix ssl layer not initialized on bind even if configured + * BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized + * BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle + * BUG/MEDIUM: cli: always reset the service context between commands + * MINOR: applet: add a function to reset the svcctx of an applet + * BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names + * MINOR: stick-table: Add table_expire() and table_idle() new converters + * BUG/MINOR: quic: memleak on wrong datagram receipt + * BUG/MEDIUM: ring: fix too lax 'size' parser + * BUG/MINOR: quic: Possible infinite loop in quic_build_post_handshake_frames() + * BUILD: debug: silence warning on gcc-5 + * BUILD: stconn: fix build warning at -O3 about possible null sc + * BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq() + * BUG/MEDIUM: poller: use fd_delete() to release the poller pipes + * BUG/MEDIUM: quic: always remove the connection from the accept list on close + * CLEANUP: mux-quic: remove loop on sending frames + * BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection + * MINOR: quic: Too much useless traces in qc_build_frms() + * BUG/MEDIUM: quic: Wrong packet length check in qc_do_rm_hp() + * BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h + * CLEANUP: assorted typo fixes in the code and comments + * BUG/MEDIUM: quic: break out of the loop in quic_lstnr_dghdlr + * MINOR: quic: explicitely ignore sendto error + * BUG/MINOR: quic: Missing Initial packet dropping case + * BUG/MINOR: quic: do not reject datagrams matching minimum permitted size + * BUG/MINOR: sink: fix a race condition 
between the writer and the reader + * BUG/MEDIUM: sink: Set the sink ref for forwarders created during ring parsing + * BUG/MINOR: ring/cli: fix a race condition between the writer and the reader + * BUG/MINOR: quic: Avoid sending truncated datagrams + * BUILD: http: silence an uninitialized warning affecting gcc-5 + * BUG/MEDIUM: quic: Floating point exception in cubic_root() + * BUG/MINOR: quic: Missing in flight ack eliciting packet counter decrement + * MINOR: peers: Add a warning about incompatible SSL config for the local peer + * BUG/MEDIUM: proxy: Perform a custom copy for default server settings + * REORG: server: Export srv_settings_cpy() function + * MINOR: server: Constify source server to copy its settings + * BUG/MINOR: backend: Don't increment conn_retries counter too early + * BUG/MEDIUM: dns: Properly initialize new DNS session + * BUG/MINOR: peers: Use right channel flag to consider the peer as connected + * BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload + * MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer + * BUG/MINOR: mux-quic: do not free conn if attached streams + * CLEANUP: mux-quic: remove useless app_ops is_active callback + * BUG/MINOR: mux-quic: prevent crash if conn released during IO callback + * BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions + * MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups + * BUG/MEDIUM: queue/threads: limit the number of entries dequeued at once + * MINOR: quic: Send packets as much as possible from qc_send_app_pkts() + * BUG/MAJOR: quic: Useless resource intensive loop qc_ackrng_pkts() + * MINOR: quic: Stop looking for packet loss asap + * BUG/MINOR: quic: loss time limit variable computed but not used + * MINOR: quic: New "quic-cc-algo" bind keyword + * MEDIUM: quic: Cubic congestion control algorithm implementation + * MINOR: quic: Congestion control architecture refactoring + * BUG/MEDIUM: mux-quic: fix missing EOI flag 
to prevent streams leaks
+ * BUG/MINOR: mworker: PROC_O_LEAVING used but not updated
+ * MEDIUM: resolvers: continue startup if network is unavailable
+ * DEBUG: fd: split the fd check
+ * Revert "BUG/MINOR: peers: set the proxy's name to the peers section name"
+ * BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
+
+-------------------------------------------------------------------
+Thu Jul 28 20:04:58 UTC 2022 - dmueller@suse.com
+
+- Update to version 2.6.2+git0.16a3646fd:
+ * [RELEASE] Released version 2.6.2
+ * BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
+ * BUILD: quic: fix anonymous union for gcc-4.4
+ * BUG/MEDIUM: stconn: Only reset connect expiration when processing backend side
+ * BUILD: add detection for unsupported compiler models
+ * BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
+ * BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap
+ * BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
+ * BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake
+ * BUG/MINOR: tools: fix statistical_prng_range()'s output range
+ * BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
+ * BUG/MINOR: resolvers: shut off the warning for the default resolvers
+ * MINOR: resolvers: resolvers_destroy() deinit and free a resolver
+ * BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
+ * BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX
+ * BUG/MEDIUM: tools: avoid calling dlsym() in static builds
+ * BUG/MINOR: debug: enter ha_panic() only once
+ * BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
+ * BUG/MINOR: quic: fix closing state on NO_ERROR code sent
+ * BUG/MEDIUM: mux-quic: fix server chunked encoding response
+ * CLEANUP: h2: Typo fix in h2_unsubcribe() traces
+ * MINOR: qpack: properly handle invalid dynamic table references
+ * MINOR: h3: handle errors on HEADERS parsing/QPACK 
decoding
+ * MINOR: h3: add h3c pointer into h3s instance
+ * BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
+ * MINOR: ncbuf: implement ncb_is_fragmented()
+ * MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
+ * MINOR: quic: Improvements for the datagrams receipt
+ * MINOR: task: Add tasklet_wakeup_after()
+ * MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
+ * MINOR: quic: Add new stats counter to diagnose RX buffer overrun
+ * BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
+ * BUILD: quic+h3: 32-bit compilation errors fixes
+ * BUG/MAJOR: quic: Big RX dgrams leak with POST requests
+ * BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
+ * BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
+ * BUG/MINOR: quic: Missing acknowledgments for trailing packets
+ * MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
+ * BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
+ * BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
+ * BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
+ * REGTEESTS: filters: Fix CONNECT request in random-forwarding script
+ * BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
+ * MINOR: http-htx: Use new HTTP functions for the scheme based normalization
+ * BUG/MEDIUM: h1: Improve authority validation for CONNCET request
+ * MINOR: http: Add function to detect default port
+ * MINOR: http: Add function to get port part of a host
+ * BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
+ * BUG/MINOR: peers: fix possible NULL dereferences at config parsing
+ * BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
+ * BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
+ * BUG/MINOR: peers/config: always fill the bind_conf's argument
+ * MINOR: fd: Add BUG_ON checks on fd_insert()
+ * CI: re-enable gcc 
asan builds
+ * BUILD: Makefile: Add Lua 5.4 autodetect
+ * BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
+ * MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
+ * BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
+ * BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
+ * BUG/MINOR: ssl: Do not look for key in extra files if already in pem
+ * MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
+- drop lua54.patch (upstream)
+
+-------------------------------------------------------------------
+Sat Jul 09 20:13:15 UTC 2022 - elimat@opensuse.org
+
+- Update to version 2.6.1+git0.f6ca66d44:
+ * [RELEASE] Released version 2.6.1
+ * REGTESTS: ssl: add the same cert for client/server
+ * BUG/MEDIUM: mworker: use default maxconn in wait mode
+ * BUG/MINOR: quic: Acknowledgement must be forced during handshake
+ * BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
+ * BUG/MINOR: quic: free rejected Rx packets
+ * BUG/MINOR: quic: purge conn Rx packet list on release
+ * BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
+ * BUG/MINOR: quic: Unexpected half open connection counter wrapping
+ * BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option
+ * MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
+ * BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
+ * BUG/MINOR: task: fix thread assignment in tasklet_kill()
+ * BUG/MINOR: quic: Wrong PTO calculation
+ * BUG/MINOR: quic: Stop hardcoding Retry packet Version field
+ * BUG/BUILD: h3: fix wrong label name
+ * BUG/MINOR: h3/qpack: deal with too many headers
+ * MINOR: qpack: add comments and remove a useless trace
+ * BUG/MINOR: qpack: support header litteral name decoding
+ * BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
+ * BUG/MEDIUM: cli: Notify cli applet won't consume data during request 
processing
+ * BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
+ * BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
+ * BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
+ * BUG/MEDIUM: mux-quic: fix flow control connection Tx level
+ * BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
+ * BUG/MINOR: server: do not enable DNS resolution on disabled proxies
+ * BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
+ * BUG/MINOR: h3: fix frame type definition
+ * REGTESTS: healthcheckmail: Relax health-check failure condition
+ * REGTESTS: healthcheckmail: Update the test to be functionnal again
+ * BUG/MINOR: checks: Properly handle email alerts in trace messages
+ * BUG/MINOR: trace: Test server existence for health-checks to get proxy
+ * BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
+ * BUILD: compiler: implement unreachable for older compilers too
+ * REGTESTS: restrict_req_hdr_names: Extend supported versions
+ * REGTESTS: http_abortonclose: Extend supported versions
+ * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
+ * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
+ * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
+ * BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
+ * BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
+ * BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
+ * BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
+ * BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
+ * REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
+ * REGTESTS: abortonclose: Add a barrier to not mix up log messages
+ * MEDIUM: httpclient: Don't close CLI applet at the end of a response
+ * MEDIUM: 
http-ana: Always report rewrite failures as PRXCOND in logs
+ * BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
+ * BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
+ * BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
+ * BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
+ * BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
+ * BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
+ * BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
+ * BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
+ * BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
+ * BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
+ * BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
+
+-------------------------------------------------------------------
+Tue May 31 15:54:35 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.6.0+git0.a1efc048b:
+ https://www.mail-archive.com/haproxy@formilux.org/msg42371.html
+- refreshed patches
+ - haproxy-1.6.0-makefile_lib.patch
+ - haproxy-1.6.0-sec-options.patch
+ - haproxy-1.6.0_config_haproxy_user.patch
+ - lua54.patch
+
+-------------------------------------------------------------------
+Fri May 13 14:54:15 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.7+git0.2ef551d02:
+ * [RELEASE] Released version 2.5.7
+ * CLEANUP: mux-h1: Fix comments and error messages for global options
+ * MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
+ * BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
+ * CLEANUP: applet: make appctx_new() initialize the whole appctx
+ * BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
+ * DOC/MINOR: fix typos in the lua-api document
+ * BUG/MEDIUM: lua: fix argument handling in data removal 
functions
+ * BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
+ * DOC: install: update gcc version requirements
+ * BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
+ * BUILD: listener: shut report of possible null-deref in listener_accept()
+ * BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
+ * BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
+ * BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
+ * CI: dynamically determine actual version of h2spec
+ * DOC: fix typo "ant" for "and" in INSTALL
+ * BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
+ * BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
+ * BUG/MINOR: ssl/cli: fix "show ssl ca-file " not to mix cli+ssl contexts
+ * BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
+ * BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
+ * BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
+ * BUG/MINOR: map/cli: protect the backref list during "show map" errors
+ * BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
+ * BUG/MEDIUM: cli: make "show cli sockets" really yield
+ * BUG/MEDIUM: resolvers: make "show resolvers" properly yield
+ * BUG/MINOR: startup: usage() when no -cc arguments
+ * BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
+ * DOC: config: Update doc for PR/PH session states to warn about rewrite failures
+ * MINOR: mux-h2: report a trace event when failing to create a new stream
+ * BUG/MINOR: mux-h2: mark the stream as open before processing it not after
+ * BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
+ * BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
+ * BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
+ * SCRIPTS: announce-release: add URL of dev packages
+ * CI: github actions: update LibreSSL to 3.5.2
+ * 
BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel
+ * MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"
+ * BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
+ * BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()
+ * BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option
+ * MINOR: connection: Add way to disable active connection closing during soft-stop
+ * BUILD: compiler: properly distinguish weak and global symbols
+
+-------------------------------------------------------------------
+Tue Apr 26 21:59:04 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.6+git0.ba44b4312:
+ * [RELEASE] Released version 2.5.6
+ * REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
+ * BUG/MINOR: connection: "connection:close" header added despite 'close-spread-time'
+ * BUG/MINOR: sample: add missing use_backend/use-server contexts in smp_resolve_args
+ * Revert "CI: github actions: disable -Wno-deprecated"
+ * BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments
+ * BUG/MEDIUM: rules: Be able to use captures defined in defaults section
+ * BUG/MINOR: rules: Forbid captures in defaults section if used by a backend
+ * DOC: remove my name from the config doc
+ * MEDIUM: queue: use tasklet_instant_wakeup() to wake tasks
+ * MINOR: task: add a new task_instant_wakeup() function
+ * BUG/MAJOR: connection: Never remove connection from idle lists outside the lock
+ * BUG/MINOR: cache: Disable cache if applet creation fails
+ * BUILD: calltrace: fix wrong include when building with TRACE=1
+ * SCRIPTS: announce-release: add shortened links to pending issues
+ * DOC: lua: update a few doc URLs
+ * SCRIPTS: announce-release: update the doc's URL
+ * BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
+ * BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added
+ * BUG/MEDIUM: stream: do not abort connection 
setup too early
+ * BUILD: compiler: use a more portable set of asm(".weak") statements
+ * BUILD: sched: workaround crazy and dangerous warning in Clang 14
+ * BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
+ * BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
+ * BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
+ * BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak
+ * BUG/MINOR: cache: do not display expired entries in "show cache"
+ * BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
+ * CI: cirrus: switch to FreeBSD-13.0
+ * CI: github actions: disable -Wno-deprecated
+ * BUG/MINOR: stats: define the description' background color in dark color scheme
+ * CI: Update to actions/cache@v3
+ * CI: Update to actions/checkout@v3
+ * MEDIUM: global: Add a "close-spread-time" option to spread soft-stop on time window
+ * Revert "BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time"
+ * MAJOR: opentracing: reenable usage of vars to transmit opentracing context
+ * DEBUG: opentracing: display the contents of the err variable after setting
+ * CLEANUP: opentracing: added FLT_OT_PARSE_INVALID_enum enum
+ * DEBUG: opentracing: show return values of all functions in the debug output
+ * MINOR: opentracing: improved normalization of context variable names
+ * CLEANUP: opentracing: added variable to store variable length
+ * CLEANUP: opentracing: added flt_ot_smp_init() function
+ * MINOR: opentracing: only takes the variables lock on shared entries
+ * Revert "MINOR: opentracing: change the scope of the variable 'ot.uuid' from 'sess' to 'txn'"
+ * CLEANUP: opentracing: removed unused function flt_ot_var_get()
+ * CLEANUP: opentracing: removed unused function flt_ot_var_unset()
+ * DOC: opentracing: corrected comments in function descriptions
+ * EXAMPLES: opentracing: refined shell scripts for testing filter performance
+ * BUG/BUILD: opentracing: 
fixed OT_DEFINE variable setting
+ * BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set()
+ * BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
+ * BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples
+ * BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached
+ * BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message
+ * BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet
+ * BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message
+ * BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests
+ * BUG/MINOR: httpclient: end callback in applet release
+ * BUG/MINOR: ssl/cli: Remove empty lines from CLI output
+ * CI: github actions: update OpenSSL to 3.0.2
+ * DOC: remove double blanks in configuration.txt
+ * BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
+ * BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads
+ * BUG/MINOR: samples: add missing context names for sample fetch functions
+ * REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check
+ * BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing
+ * BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing
+ * DOC: reflect H2 timeout changes
+ * BUG/MINOR: tools: url2sa reads too far when no port nor path
+ * DOC: config: Explictly add supported MQTT versions
+ * MEDIUM: mqtt: support mqtt_is_valid and mqtt_field_value converters for MQTTv3.1
+ * BUG/MINOR: rules: Initialize the list element when allocating a new rule
+ * BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
+ * MEDIUM: mux-h2: slightly relax timeout management rules
+ * BUG/MEDIUM: trace: avoid race condition when retrieving session from conn->owner
+ * BUG/MEDIUM: stream-int: do not rely on the connection error once established
+ * BUG/MEDIUM: mux-h1: only turn 
CO_FL_ERROR to CS_FL_ERROR with empty ibuf
+ * CI: github actions: switch to LibreSSL-3.5.1
+ * BUG/MINOR: httpclient: CF_SHUTW_NOW should be tested with channel_is_empty()
+ * BUG/MINOR: httpclient: process the response when received before the end of the request
+ * BUG/MINOR: httpclient: only check co_data() instead of HTTP_MSG_DATA
+ * BUG/MINOR: server/ssl: free the SNI sample expression
+ * BUILD: httpclient: fix build without SSL
+ * BUG/MINOR: httpclient: send the SNI using the host header
+ * MINOR: server: export server_parse_sni_expr() function
+ * BUG/MINOR: httpclient/lua: stuck when closing without data
+ * BUG/MINOR: tools: fix url2sa return value with IPv4
+
+-------------------------------------------------------------------
+Mon Mar 14 17:11:09 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.5+git0.384c5c59a:
+ * [RELEASE] Released version 2.5.5
+ * REGTESTS: fix the race conditions in be2hex.vtc
+ * BUG/MEDIUM: httpclient: must manipulate head, not first
+ * BUG/MINOR: httpclient: remove the UNUSED block when parsing headers
+ * BUG/MINOR: httpclient: consume partly the blocks when necessary
+ * CLEANUP: htx: remove unused co_htx_remove_blk()
+ * BUG/MEDIUM: httpclient: don't consume data before it was analyzed
+ * BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd()
+ * BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
+ * DEBUG: stream: Fix stream trace message to print response buffer state
+ * DEBUG: stream: Add the missing descriptions for stream trace events
+ * BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
+ * DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
+ * BUG/MEDIUM: stream: Use the front analyzers for new listener-less streams
+ * BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
+ * BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
+ * BUG/MINOR: stats: Set 
conn-stream/channel EOI flags at the end of request
+ * BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
+ * BUG/MINOR: httpclient: Set conn-stream/channel EOI flags at the end of request
+ * BUG/MINOR: cli: shows correct mode in "show sess"
+ * BUG/MINOR: add missing modes in proxy_mode_str()
+ * BUILD: fix recent build breakage of freebsd caused by kFreeBSD build fix
+ * BUILD: pools: fix backport of no-memory-trimming on non-linux OS
+ * MINOR: stats: Add dark mode support for socket rows
+ * MINOR: pools: add a new global option "no-memory-trimming"
+ * BUILD: fix kFreeBSD build.
+ * BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed
+ * BUG/MINOR: pool: always align pool_heads to 64 bytes
+ * BUG/MEDIUM: httpclient/lua: infinite appctx loop with POST
+ * REGTESTS: fix the race conditions in secure_memcmp.vtc
+ * REGTESTS: fix the race conditions in normalize_uri.vtc
+ * BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks()
+ * BUG/MEDIUM: mux-fcgi: Don't rely on SI src/dst addresses for FCGI health-checks
+ * BUILD: tree-wide: mark a few numeric constants as explicitly long long
+ * BUILD: atomic: make the old HA_ATOMIC_LOAD() support const pointers
+ * CI: Consistently use actions/checkout@v2
+ * CI: github actions: use cache for SSL libs
+ * CI: refactor OpenTracing build script
+ * CI: github actions: use cache for OpenTracing
+ * CI: github actions: add the output of $CC -dM -E-
+
+-------------------------------------------------------------------
+Fri Feb 25 16:21:33 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.4+git0.e55ab4208:
+ * [RELEASE] Released version 2.5.4
+ * BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
+ * CI: github: enable pool debugging by default
+ * REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
+ * BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
+ * DOC: Fix usage/examples of deprecated ACLs
+ * 
BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
+ * BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
+ * BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
+
+-------------------------------------------------------------------
+Thu Feb 24 18:16:09 UTC 2022 - Marcus Rueckert
+
+- apparmor: profile now needs access to /sys/devices/system/node/
+
+-------------------------------------------------------------------
+Fri Feb 18 21:45:27 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.3+git0.abf078b15:
+ * [RELEASE] Released version 2.5.3
+ * DEBUG: buffer: check in __b_put_blk() whether the buffer room is respected
+ * BUG/MEDIUM: httpclient: limit transfers to the maximum available room
+ * BUG/MINOR: tools: url2sa reads ipv4 too far
+ * CLEANUP: httpclient/cli: fix indentation alignment of the help message
+ * BUG/MINOR: ssl: Missing return value check in ssl_ocsp_response_print
+ * BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command
+ * BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print
+ * BUG/MINOR: mailers: negotiate SMTP, not ESMTP
+ * BUG/MINOR: httpclient: reinit flags in httpclient_start()
+ * MINOR: httpclient: Don't limit data transfer to 1024 bytes
+ * BUG/MAJOR: compiler: relax alignment constraints on certain structures
+ * BUG/MEDIUM: fd: always align fdtab[] to 64 bytes
+ * BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
+ * BUG/MINOR: sink: Use the right field in appctx context in release callback
+ * BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
+ * BUG/MEDIUM: mworker: close unused transferred FDs on load failure
+ * MINOR: sock: move the unused socket cleaning code into its own function
+
+-------------------------------------------------------------------
+Fri Feb 18 21:44:43 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.2+git0.042feec44: (CVE-2022-0711 boo#1196408)
+ * 
[RELEASE] Released version 2.5.2
+ * BUG/MINOR: mux-h2: update the session's idle delay before creating the stream
+ * BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change
+ * REGTESTS: peers: leave a bit more time to peers to synchronize
+ * REGTESTS: server: close an occasional race on dynamic_server_ssl.vtc
+ * BUG/MAJOR: spoe: properly detach all agents when releasing the applet
+ * BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
+ * BUG/MINOR: httpclient/cli: display junk characters in vsn
+ * BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls
+ * BUG/MINOR: jwt: Missing pkey free during cleanup
+ * BUG/MINOR: jwt: Double free in deinit function
+ * BUG/MINOR: ssl: Remove empty lines from "show ssl ocsp-response " output
+ * BUG/MEDIUM: httpclient: Xfer the request when the stream is created
+ * BUG/MINOR: httpclient: Revisit HC request and response buffers allocation
+ * BUG/MEDIUM: listener: read-lock the listener during accept()
+ * MINOR: listener: replace the listener's spinlock with an rwlock
+ * DEBUG: fd: make sure we never try to insert/delete an impossible FD number
+ * BUG/MINOR: mworker: does not erase the pidfile upon reload
+ * BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
+ * DEBUG: pools: replace the link pointer with the caller's address on pool_free()
+ * DEBUG: pools: let's add reverse mapping from cache heads to thread and pool
+ * DEBUG: pools: add extra sanity checks when picking objects from a local cache
+ * BUG/MINOR: pools: always flush pools about to be destroyed
+ * BUG/MINOR: mworker: does not add the -sf in wait mode
+ * BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
+ * REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2
+ * DEBUG: pools: add new build option DEBUG_POOL_INTEGRITY
+ * BUILD: debug/cli: condition test of O_ASYNC to its existence
+ * DEBUG: cli: add a new "debug dev fd" expert command
+ * 
BUG/MINOR: stream: make the call_rate only count the no-progress calls
+ * BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
+ * BUG/MEDIUM: mcli: do not try to parse empty buffers
+ * BUG/MEDIUM: cli: Never wait for more data on client shutdown
+ * MEDIUM: h2/hpack: emit a Dynamic Table Size Update after settings change
+ * BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
+ * MINOR: channel: add new function co_getdelim() to support multiple delimiters
+ * MEDIUM: cli: yield between each pipelined command
+ * DOC: management: mark "set server ssl" as deprecated
+ * BUG/MEDIUM: server: avoid changing healthcheck ctx with set server ssl
+ * BUILD/MINOR: fix solaris build with clang.
+ * BUG/MINOR: httpclient/lua: don't pop the lua stack when getting headers
+ * BUG/MINOR: httpclient: set default Accept and User-Agent headers
+ * BUG/MINOR: httpclient: don't send an empty body
+ * BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
+ * BUG/MEDIUM: connection: properly leave stopping list on error
+
+-------------------------------------------------------------------
+Fri Feb 4 10:13:35 UTC 2022 - Callum Farmer
+
+- Add now working CONFIG parameter to sysusers generator
+
+-------------------------------------------------------------------
+Tue Jan 11 17:20:22 UTC 2022 - mrueckert@suse.de
+
+- Update to version 2.5.1+git0.86b093a51:
+ * [RELEASE] Released version 2.5.1
+ * CI: github actions: clean default step conditions
+ * BUILD: cpuset: fix build issue on macos introduced by previous change
+ * BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data
+ * BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error
+ * BUG/MEDIUM: mworker: don't use _getsocks in wait mode
+ * BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
+ * BUG/MINOR: cli: fix _getsocks with musl libc
+ * BUILD/MINOR: tools: solaris build fix on dladdr. 
+ * CI: github actions: update OpenSSL to 3.0.1
+ * BUILD/MINOR: cpuset FreeBSD 14 build fix.
+ * REGTESTS: ssl: update of a crt with server deletion
+ * BUG/MEDIUM: ssl: free the ckch instance linked to a server
+ * BUG/MINOR: ssl: free the fields in srv->ssl_ctx
+ * CI: Github Actions: do not show VTest failures if build failed
+ * BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
+ * MINOR: cpuset: switch to sched_setaffinity for FreeBSD 14 and above.
+ * MINOR: proxy: add option idle-close-on-response
+ * MINOR: debug: add support for -dL to dump library names at boot
+ * MINOR: debug: add ability to dump loaded shared libraries
+ * MINOR: compat: detect support for dl_iterate_phdr()
+ * REGTESTS: ssl: fix ssl_default_server.vtc
+ * BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
+ * BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time
+ * DEBUG: ssl: make sure we never change a servername on established connections
+ * DOC: fix misspelled keyword "resolve_retries" in resolvers
+ * BUILD: ssl: unbreak the build with newer libressl
+ * BUG/MINOR: mux-h1: Fix splicing for messages with unknown length
+ * BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message
+ * BUG/MEDIUM: peers: properly skip conn_cur from incoming messages
+ * BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch
+ * MINOR: pools: work around possibly slow malloc_trim() during gc
+ * MINOR: ssl: Remove empty lines from "show ssl ocsp-response" output
+ * BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
+ * DOC: config: fix error-log-format example
+ * DOC: config: retry-on list is space-delimited
+ * DOC: config: Specify %Ta is only available in HTTP mode
+ * DOC: spoe: Clarify use of the event directive in spoe-message section
+ * BUG/MINOR: cli/server: Don't crash when a server is added with a custom id
+ * MINOR: http-rules: Add capture action to http-after-response 
ruleset
+ * IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode
+ * BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types
+ * MINOR: cli: "show version" displays the current process version
+ * BUG/MEDIUM: sample: Fix memory leak in sample_conv_jwt_member_query
+ * BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH
+ * MINOR: mux-h1: Improve H1 traces by adding info about http parsers
+ * BUG/MINOR: mworker: deinit of thread poller was called when not initialized
+ * BUG/MEDIUM: mworker: FD leak of the eventpoll in wait mode
+ * BUG/MEDIUM: h1: Properly reset h1m flags when headers parsing is restarted
+ * BUG/MAJOR: segfault using multiple log forward sections.
+ * BUG/MEDIUM: resolvers: Detach query item on response error
+ * BUG/MINOR: server: Don't rely on last default-server to init server SSL context
+ * BUG/MINOR: vars: Fix the set-var and unset-var converters
+ * BUILD: evports: remove a leftover from the dead_fd cleanup
+ * BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
+ * BUG/MINOR: lua: remove loop initial declarations
+ * BUG/MINOR: lua: don't expose internal proxies
+ * BUG/MINOR: httpclient: allow to replace the host header
+ * BUG/MINOR: cache: Fix loop on cache entries in "show cache"
+
+-------------------------------------------------------------------
+Tue Nov 23 15:17:02 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.5.0+git0.f2e0833f1:
+ https://www.mail-archive.com/haproxy@formilux.org/msg41508.html
+- refreshed patches to apply cleanly again
+ haproxy-1.6.0-sec-options.patch
+ haproxy-1.6.0_config_haproxy_user.patch
+ lua54.patch
+
+-------------------------------------------------------------------
+Wed Nov 03 16:31:38 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.8+git0.d1f8d41e0:
+ * [RELEASE] Released version 2.4.8
+ * SCRIPTS: git-show-backports: re-enable file-based filtering
+ * DOC/peers: some grammar fixes for peers 2.1 spec
+ * 
MINOR: stream: Improve dump of bogus streams
+ * BUILD/MINOR: cpuset freebsd build fix
+ * DOC: config: Fix alphabetical order of fc_* samples
+ * BUG/MINOR: sample: fix backend direction flags consecutive to last fix
+ * BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags
+ * BUG/MEDIUM: stream-int: Block reads if channel cannot receive more data
+ * BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
+ * BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration
+ * MINOR: halog: Add support for extracting captures using -hdr
+ * BUG/MINOR: halog: Add missing newlines in die() messages
+ * CLEANUP: halog: Use consistent indentation in help()
+ * MINOR: halog: Rename -qry to -query
+ * DOC: halog: Move the `-qry` parameter into the correct section in help text
+ * MINOR: halog: Add -qry parameter allowing to preserve the query string in -uX
+ * BUG/MEDIUM: resolvers: Track api calls with a counter to free resolutions
+ * BUG/MEDIUM: resolvers: Don't recursively perform requester unlink
+ * MEDIUM: resolvers: remove the last occurrences of the "safe" argument
+ * MEDIUM: resolvers: use a kill list to preserve the list consistency
+ * CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT
+ * CLEANUP: resolvers: simplify resolv_link_resolution() regarding requesters
+ * CLEANUP: always initialize the answer_list
+ * CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()
+ * BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released
+ * BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed
+ * BUILD: atomic: fix build on mac/arm64
+ * BUG/MINOR: backend: fix improper insert in avail tree for always reuse
+ * BUILD: fix compilation on NetBSD
+ * MINOR: memprof: add one pointer size to the size of allocations
+ * MINOR: memprof: report the delta between alloc and free on realloc()
+ * BUG/MEDIUM: lua: fix memory leaks with realloc() on non-glibc 
systems + * BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame + * BUG/MINOR: task: do not set TASK_F_USR1 for no reason + * BUG/MAJOR: buf: fix varint API post- vs pre- increment + * BUG/MEDIUM: resolvers: always check a valid item in query_list + * BUILD: resolvers: avoid a possible warning on null-deref + * BUG/MAJOR: resolvers: add other missing references during resolution removal + * MINOR: resolvers: merge address and target into a union "data" + * BUG/MEDIUM: resolvers: use correct storage for the target address + * BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix + * MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero + * BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records + * BUG/MEDIUM: resolver: make sure to always use the correct hostname length + * MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero + * BUG/MAJOR: dns: attempt to lock globaly for msg waiter list instead of use barrier + * BUG/MAJOR: dns: tcp session can remain attached to a list after a free + * BUG/MEDIUM: tcpcheck: Properly catch early HTTP parsing errors + * Revert "CLEANUP: server: always include the storage for SSL settings" + * BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error + * BUG/MEDIUM: cpuset: fix cpuset size for FreeBSD + * BUG/MINOR: sample: Fix 'fix_tag_value' sample when waiting for more data + * BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back + * MINOR: initcall: Rename __GLOBL and __GLOBL1. 
+ * DOC: configuration: add clarification on escaping in keyword arguments
+ * BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
+ * BUG/MEDIUM: sample: properly verify that variables cast to sample
+ * MINOR: sample: provide a generic var-to-sample conversion function
+ * CLEANUP: sample: uninline sample_conv_var2smp_str()
+ * CLEANUP: sample: rename sample_conv_var2smp() to *_sint
+ * CLEANUP: server: always include the storage for SSL settings
+
+-------------------------------------------------------------------
+Mon Oct 04 13:15:48 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.7+git0.b5e51a5e2:
+ * [RELEASE] Released version 2.4.7
+ * BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
+
+-------------------------------------------------------------------
+Mon Oct 04 09:56:29 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.6+git0.d83fd76a1:
+ * [RELEASE] Released version 2.4.6
+ * BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
+
+-------------------------------------------------------------------
+Fri Oct 01 16:45:18 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.5+git0.e74a1b34b:
+ * [RELEASE] Released version 2.4.5
+ * MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue()
+ * BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
+ * BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing
+ * MINOR: arg: Be able to forbid unresolved args when building an argument list
+ * BUG/MAJOR: lua: use task_wakeup() to properly run a task once
+ * BUG/MEDIUM: lua: fix wakeup condition from sleep()
+ * MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options
+ * DOC: peers: fix doc "enable" statement on "peers" sections
+ * BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers"
+ * MINOR: stream-int: Notify mux when the buffer is not stuck when calling rcv_buf
+ * BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
+ * MINOR: htx: Add a function to know if the free space wraps
+ * MINOR: htx: Add an HTX flag to know when a message is fragmented
+ * MINOR: stream-int: Set CO_RFL transient/persistent flags apart in si_cs_rcv()
+ * BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
+ * BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
+ * BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
+ * BUG/MINOR: stats: use refcount to protect dynamic server on dump
+ * MINOR: server: return the next srv instance on free_server
+ * BUG/MINOR: server: do not use refcount in free_server in stopping mode
+ * MINOR: global: define MODE_STOPPING
+ * MINOR: server: implement a refcount for dynamic servers
+ * BUG/MINOR: http-ana: increment internal_errors counter on response error
+ * BUG/MINOR: h1-htx: Fix a typo when request parser is reset
+ * BUG/MEDIUM: leastconn: fix rare possibility of divide by zero
+ * BUG/MINOR: server: allow 'enable health' only if check configured
+ * BUILD: threads: fix -Wundef for _POSIX_PRIORITY_SCHEDULING on libmusl
+ * BUILD: halog: fix a -Wundef warning on non-glibc systems
+ * BUILD: compiler: fixed a missing test on defined(__GNUC__)
+ * BUILD: fix dragonfly build again on __read_mostly
+ * BUG/MINOR: vars: do not talk about global section in CLI errors for set-var
+ * BUG/MINOR: vars: truncate the variable name in error reports about scope.
+ * BUG/MINOR: vars: properly set the argument parsing context in the expression
+ * MINOR: sample: add missing ARGC_ entries
+ * BUG/MINOR: vars: improve accuracy of the rules used to check expression validity
+ * BUILD: tools: properly guard __GLIBC__ with defined()
+ * BUILD: ssl: fix two remaining occurrences of #if USE_OPENSSL
+ * BUILD: ssl: next round of build warnings on LIBRESSL_VERSION_NUMBER
+ * BUILD/MINOR: regex: avoid a build warning on USE_PCRE2 with -Wundef
+ * IMPORT: slz: silence a build warning with -Wundef
+ * BUILD/MINOR: ssl: avoid a build warning on LIBRESSL_VERSION with -Wundef
+ * BUILD/MINOR: defaults: eliminate warning on MAXHOSTNAMELEN with -Wundef
+ * BUILD: activity: use #ifdef not #if on USE_MEMORY_PROFILING
+ * MINOR: proc: setting the process to produce a core dump on FreeBSD.
+ * MINOR: tools: add FreeBSD support to get_exec_path()
+ * BUILD: tools: get the absolute path of the current binary on NetBSD.
+ * BUG/MINOR: flt-trace: fix an infinite loop when random-parsing is set
+ * BUG/MINOR: cli/payload: do not search for args inside payload
+ * BUILD: ist: prevent gcc11 maybe-uninitialized warning on istalloc
+ * BUG/MINOR: connection: prevent null deref on mux cleanup task allocation
+ * DOC: management: certificate files must be sanitized before injection
+ * BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
+ * BUG/MAJOR: mux-h1: Don't eval input data if an error was reported
+ * MINOR: pools: use mallinfo2() when available instead of mallinfo()
+ * MINOR: pools: automatically disable malloc_trim() with external allocators
+ * CLEANUP: pools: factor all malloc_trim() calls into trim_all_pools()
+ * BUG/MINOR: compat: make sure __WORDSIZE is always defined
+ * BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
+ * CLEANUP: mux-h1: Remove condition rejecting upgrade requests with payload
+ * MINOR: htx: Skip headers with no value when adding a header list to a message
+ * BUG/MEDIUM: mux-h1: Remove "Upgrade:" header for requests with payload
+ * BUG/MINOR: systemd: ExecStartPre must use -Ws
+ * BUG/MINOR: filters: Set right FLT_END analyser depending on channel
+ * BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
+ * BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
+ * BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
+ * BUG/MINOR: lua: Don't yield in channel.append() and channel.set()
+ * BUG/MINOR: lua: Yield in channel functions only if lua context can yield
+ * MINOR: lua: Add a flag on lua context to know the yield capability at run time
+
+-------------------------------------------------------------------
+Tue Sep 07 15:43:22 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.4+git0.acb1d0bea: CVE-2021-40346 (boo#1189877)
+ * [RELEASE] Released version 2.4.4
+ * Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"
+ * BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
+ * CLEANUP: htx: remove comments about "must be < 256 MB"
+ * BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
+ * DOC: configuration: remove wrong tcp-request examples in tcp-response
+ * BUG/MINOR: vars: fix set-var/unset-var exclusivity in the keyword parser
+ * CLEANUP: Add missing include guard to signal.h
+ * BUG/MINOR: tools: Fix loop condition in dump_text()
+ * BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
+ * BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
+ * MINOR: time: add report_idle() to report process-wide idle time
+ * BUG/MINOR: time: fix idle time computation for long sleeps
+ * BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
+ * MINOR: compiler: implement an ONLY_ONCE() macro
+ * BUG/MINOR: base64: base64urldec() ignores padding in output size check
+ * BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
+ * BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions
+ * MINOR: hlua: take the global Lua lock inside a global function
+ * REGTESTS: abortonclose: after retries, 503 is expected, not close
+ * REGTESTS: http_upgrade: fix incorrect expectation on TCP->H1->H2
+ * BUG/MEDIUM: h2: match absolute-path not path-absolute for :path
+
+-------------------------------------------------------------------
+Tue Aug 17 15:50:01 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.3+git0.4dd5a5a6c:
+ CVE-2021-39240 CVE-2021-39241 CVE-2021-39242
+ (boo#1189366 boo#1189548 boo#1189549)
+ * [RELEASE] Released version 2.4.3
+ * REGTESTS: add a test to prevent h2 desync attacks
+ * BUG/MEDIUM: h2: give :authority precedence over Host
+ * BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
+ * BUG/MAJOR: h2: verify that :path starts with a '/' before concatenating it
+ * BUG/MAJOR: h2: verify early that non-http/https schemes match the valid syntax
+ * MINOR: http: add a new function http_validate_scheme() to validate a scheme
+ * DOC/MINOR: fix typo in management document
+ * CLEANUP: assorted typo fixes in the code and comments
+ * BUG/MEDIUM: cfgcheck: verify existing log-forward listeners during config check
+ * BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
+ * DOC: config: Fix 'http-response send-spoe-group' documentation
+ * DOC: Improve the lua documentation
+ * BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer
+ * BUG/MINOR: buffer: fix buffer_dump() formatting
+ * BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
+ * MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
+ * ADMIN: dyncookie: implement a simple dynamic cookie calculator
+ * MINOR: server: unmark deprecated on enable health/agent cli
+ * BUG/MINOR: server: update last_change on maint->ready transitions too
+ * BUG/MINOR: server: remove srv from px list on CLI 'add server' error
+ * BUILD: opentracing: fixed build when using pkg-config utility
+ * DOC: internals: document the FD takeover process
+ * BUG/MINOR: fd: protect fd state harder against a concurrent takeover
+ * BUG/MINOR: pollers: always program an update for migrated FDs
+ * BUG/MINOR: poll: fix abnormally high skip_fd counter
+ * BUG/MINOR: select: fix excess number of dead/skip reported
+ * BUG/MEDIUM: pollers: clear the sleeping bit after waking up, not before
+ * BUG/MEDIUM: connection: close a rare race between idle conn close and takeover
+ * BUG/MINOR: connection: Add missing error labels to conn_err_code_str
+ * BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
+ * BUG/MINOR: mux-h1: Be sure to swap H1C to splice mode when rcv_pipe() is called
+ * BUG/MINOR: mux-h2: Obey dontlognull option during the preface
+ * BUG/MINOR: mux-h1: Obey dontlognull option for empty requests
+ * BUG/MINOR: systemd: must check the configuration using -Ws
+ * BUG/MINOR: resolvers: Use a null-terminated string to lookup in servers tree
+ * BUG/MINOR: check: fix the condition to validate a port-less server
+ * BUG/MINOR: stats: Add missing agent stats on servers
+ * BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request
+ * BUILD/MINOR: memprof fix macOs build.
+ * BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
+ * BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
+ * BUILD: lua: silence a build warning with TCC
+ * BUILD: add detection of missing important CFLAGS
+ * BUG/MINOR: ssl: Default-server configuration ignored by server
+ * MINOR: mux_h2: define config to disable h2 websocket support
+ * BUILD: http_htx: fix ci compilation error with isdigit for Windows
+
+-------------------------------------------------------------------
+Wed Jul 07 23:30:56 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.2+git0.553dee326:
+ * [RELEASE] Released version 2.4.2
+ * REGTESTS: add http scheme-based normalization test
+ * MEDIUM: h2: apply scheme-based normalization on h2 requests
+ * MEDIUM: h1-htx: apply scheme-based normalization on h1 requests
+ * MEDIUM: http: implement scheme-based normalization
+ * MINOR: http: implement http_get_scheme
+ * Revert "MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules"
+ * BUG/MINOR: cli: fix server name output in "show fd"
+ * BUG/MEDIUM: sock: make sure to never miss early connection failures
+ * DOC: stick-table: add missing documentation about gpt0 stored type
+ * BUG/MINOR: peers: fix data_type bit computation more than 32 data_types
+ * BUG/MINOR: stick-table: fix several printf sign errors dumping tables
+ * DOC: config: use CREATE USER for mysql-check
+ * BUG/MEDIUM: resolvers: Make 1st server of a template take part to SRV resolution
+ * BUG/MINOR: mqtt: Support empty client ID in CONNECT message
+ * BUG/MINOR: mqtt: Fix parser for string with more than 127 characters
+ * BUG/MINOR: tcpcheck: Fix numbering of implicit HTTP send/expect rules
+ * BUILD: Makefile: fix linkage for Haiku.
+ * BUG/MINOR: checks: return correct error code for srv_parse_agent_check
+ * MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()
+ * BUG/MINOR: resolvers: Reset server IP when no ip is found in the response
+ * BUG/MINOR: resolvers: Always attach server on matching record on resolution
+ * CLEANUP: dns: Remove a forgotten debug message
+ * DOC: config: Add missing actions in "tcp-request session" documentation
+ * MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules
+ * REGTESTS: fix maxconn update with agent-check
+ * BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check
+ * BUG/MINOR: cache: Correctly handle existing-but-empty 'accept-encoding' header
+ * BUG/MINOR: server/cli: Fix locking in function processing "set server" command
+ * BUG/MINOR: resolvers: Use resolver's lock in resolv_srvrq_expire_task()
+ * BUG/MEDIUM: resolvers: Add a task on servers to check SRV resolution status
+ * MINOR: resolvers: Remove server from named_servers tree when removing a SRV item
+ * MINOR: resolvers: Clean server in a dedicated function when removing a SRV item
+ * BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
+ * BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled
+ * BUG/MINOR: server-state: load SRV resolution only if params match the config
+
+-------------------------------------------------------------------
+Thu Jun 17 16:38:50 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.1+git0.1ce7d4925:
+ * [RELEASE] Released version 2.4.1
+ * BUG/MINOR: mux-h2/traces: bring back the lost "sent H2 REQ/RES" traces
+ * BUG/MINOR: mux-h2/traces: bring back the lost "rcvd H2 REQ" trace
+ * MINOR: mux-h2: obey http-ignore-probes during the preface
+ * BUG/MINOR: stats: make "show stat typed desc" work again
+ * CLEANUP: mux-h2/traces: better align user messages
+ * MINOR: mux-h2/trace: report a few connection-level info during h2_init()
+ * MINOR: connection: add helper conn_append_debug_info()
+ * BUG/MINOR: server: explicitly set "none" init-addr for dynamic servers
+ * BUG/MINOR: mux-h1: do not skip the error response on bad requests
+ * MINOR: backend: only skip LB when there are actual connections
+ * BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue
+ * CLEANUP: global: remove unused definition of stopping_task[]
+ * BUG/MINOR: mworker: fix typo in chroot error message
+ * BUG/MINOR: ssl: use atomic ops to update global shctx stats
+ * BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE
+ * BUG/MEDIUM: server: do not auto insert a dynamic server in px addr_node
+ * BUG/MINOR: server: do not keep an invalid dynamic server in px ids tree
+ * BUG/MEDIUM: server: do not forget to generate the dynamic servers ids
+ * BUG/MEDIUM: server: clear dynamic srv on delete from proxy id/name trees
+ * BUG/MEDIUM: server: extend thread-isolate over much of CLI 'add server'
+ * BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id
+ * DOC: lua: Add a warning about buffers modification in HTTP
+ * BUG/MAJOR: resolvers: segfault using server template without SRV RECORDs
+ * MEDIUM: resolvers: add a ref between servers and srv request or used SRV record
+ * MEDIUM: resolvers: add a ref on server to the used A/AAAA answer item
+ * BUG/MINOR: resolvers: answser item list was randomly purged or errors
+ * CLEANUP: l7-retries: do not test the buffer before calling b_alloc()
+ * BUG/MINOR: mux-fcgi: Expose SERVER_SOFTWARE parameter by default
+ * BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded
+ * CLEANUP: pools: remove now unused seq and pool_free_list
+ * BUG/MAJOR: pools: fix possible race with free() in the lockless variant
+ * MEDIUM: pools: use a single pool_gc() function for locked and lockless
+ * MINOR: pools: call malloc_trim() under thread isolation
+ * MINOR: pools: do not maintain the lock during pool_flush()
+ * BUG/MINOR: pools: make DEBUG_UAF always write to the to-be-freed location
+ * BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()
+ * BUG/MEDIUM: compression: Add a flag to know the filter is still processing data
+ * BUG/MEDIUM: compression: Properly get the next block to iterate on payload
+ * BUG/MEDIUM: compression: Fix loop skipping unused blocks to get the next block
+ * BUG/MEDIUM: opentracing: initialization before establishing daemon and/or chroot mode
+ * Revert "BUG/MINOR: opentracing: initialization after establishing daemon mode"
+ * BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
+ * BUILD: make tune.ssl.keylog available again
+ * DOC: use the req.ssl_sni in examples
+ * MINOR: errors: allow empty va_args for diag variadic macro
+ * BUG/MAJOR: stream-int: Release SI endpoint on server side ASAP on retry
+ * DOC/MINOR: move uuid in the configuration to the right alphabetical order
+ * BUG/MINOR: vars: Be sure to have a session to get checks variables
+ * CLEANUP: http-ana: Remove useless if statement about L7 retries
+ * BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree
+ * BUG/MINOR: http: Missing calloc return value check in make_arg_list
+ * BUG/MINOR: http: Missing calloc return value check while parsing redirect rule
+ * BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list
+ * BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo
+ * BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule
+ * BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response
+ * BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy
+ * BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare
+ * BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture
+ * BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine
+ * BUG/MINOR: peers: Missing calloc return value check in peers_register_table
+ * BUG/MINOR: server: Missing calloc return value check in srv_parse_source
+ * DOC: intro: Fix typo in starter guide
+ * MINOR: cfgparse: Fail when encountering extra arguments in macro
+ * MINOR: http-ana: Perform L7 retries because of status codes in response analyser
+ * BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts
+ * BUG/MINOR: http-ana: Send the right error if max retries is reached on L7 retry
+ * Revert "MEDIUM: http-ana: Deal with L7 retries in HTTP analysers"
+ * BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response
+ * BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter
+ * BUILD/MINOR: opentracing: fixed build when using clang
+ * BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'
+ * BUG/MEDIUM: ebtree: Invalid read when looking for dup entry
+
+-------------------------------------------------------------------
+Fri May 14 08:31:04 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.4.0+git0.6cbbecf09:
+ https://www.haproxy.com/blog/announcing-haproxy-2-4/
+
+ for all the details see /usr/share/doc/packages/haproxy/CHANGELOG
+- refreshed patches to apply cleanly again
+ haproxy-1.6.0-makefile_lib.patch
+ haproxy-1.6.0-sec-options.patch
+ lua54.patch
+
+-------------------------------------------------------------------
+Fri Apr 23 20:35:49 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.3.10+git0.4764f0e4e:
+ * [RELEASE] Released version 2.3.10
+ * BUG/MEDIUM: peers: re-work refcnt on table to protect against flush
+ * BUG/MEDIUM: peers: re-work connection to new process during reload.
+ * BUG/MINOR: peers: remove useless table check if initial resync is finished
+ * BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data
+ * BUG/MINOR: mworker: don't use oldpids[] anymore for reload
+ * BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases
+ * BUG/MEDIUM: config: fix cpu-map notation with both process and threads
+ * BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
+ * BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
+ * BUG/MINOR: server: free srv.lb_nodes in free_server
+ * BUG/MINOR: mux-h1: Release idle server H1 connection if data are received
+ * BUG/MINOR: logs: Report the true number of retries if there was no connection
+ * BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function
+ * BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded
+ * BUG/MINOR: ssl-samples: Fix ssl_bc_* samples when called from a health-check
+ * MINOR: connection: Make bc_http_major compatible with tcp-checks
+ * BUG/MINOR: connection: Fix fc_http_major and bc_http_major for TCP connections
+ * MINOR: logs: Add support of checks as session origin to format lf strings
+ * BUG/MINOR: checks: Set missing id to the dummy checks frontend
+ * BUG/MEDIUM: threads: Ignore current thread to end its harmless period
+ * DOC: ssl: Certificate hot update only works on fronted certificates
+ * BUG/MEDIUM: sample: Fix adjusting size in field converter
+ * MINOR: No longer rely on deprecated sample fetches for predefined ACLs
+ * DOC: clarify that compression works for HTTP/2
+ * BUG/MINOR: tools: fix parsing "us" unit for timers
+ * CONTRIB: halog: fix issue with array of type char
+ * REGTESTS: ssl: mark set_ssl_cert_bundle.vtc as broken
+ * DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options
+ * REGTESTS: ssl: "set ssl cert" and multi-certificates bundle
+ * BUG/MINOR: ssl: Add missing free on SSL_CTX in ckch_inst_free
+ * BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields
+ * BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one
+ * BUG/MINOR: ssl: Fix update of default certificate
+ * BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS
+ * BUG/MINOR: tcp: fix silent-drop workaround for IPv6
+
+-------------------------------------------------------------------
+Tue Mar 30 17:35:22 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.3.9+git1.afb63bc04:
+ * BUILD: backend: fix build breakage in idle conn locking fix
+ * [RELEASE] Released version 2.3.9
+ * BUG/MEDIUM: time: make sure to always initialize the global tick
+ * BUG/MINOR: stats: Apply proper styles in HTML status page.
+ * BUG/MINOR: payload: Wait for more data if buffer is empty in payload/payload_lv
+ * MEDIUM: backend: use a trylock to grab a connection on high FD counts as well
+ * BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
+
+-------------------------------------------------------------------
+Thu Mar 25 15:51:22 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.3.8+git0.e572195c7:
+ * [RELEASE] Released version 2.3.8
+ * BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters
+ * MINOR: tools: make url2ipv4 return the exact number of bytes parsed
+ * BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless
+ * BUG/MEDIUM: fd: Take the fd_mig_lock when closing if no DWCAS is available.
+ * CLEANUP: fd: remove unused fd_set_running_excl()
+ * BUG/MEDIUM: fd: do not wait on FD removal in fd_delete()
+ * MINOR: fd: remove the unneeded running bit from fd_insert()
+ * MINOR: fd: make fd_clr_running() return the remaining running mask
+ * BUG/MEDIUM: lua: Always init the lua stack before referencing the context
+ * BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback
+ * MINOR: lua: Slightly improve function dumping the lua traceback
+ * BUILD: ssl: guard ecdh functions with SSL_CTX_set_tmp_ecdh macro
+ * BUG/MINOR: ssl: Prevent disk access when using "add ssl crt-list"
+ * BUG/MEDIUM: debug/lua: Don't dump the lua stack if not dumpable
+ * MEDIUM: lua: Use a per-thread counter to track some non-reentrant parts of lua
+ * MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket
+ * BUG/MINOR: protocol: add missing support of dgram unix socket.
+ * BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable
+ * MINOR: time: also provide a global, monotonic global_now_ms timer
+ * BUG/MEDIUM: mux-fcgi: Fix locking of idle_conns lock in the FCGI I/O callback
+ * BUG/MINOR: freq_ctr/threads: make use of the last updated global time
+ * MINOR: time: export the global_now variable
+
+-------------------------------------------------------------------
+Tue Mar 16 15:21:00 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.3.7+git0.2d39ce334:
+ * [RELEASE] Released version 2.3.7
+ * BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames
+ * MINOR: resolvers: Don't try to match immediatly renewed ADD items
+ * MINOR: resolvers: Use milliseconds for cached items in resolver responses
+ * BUG/MEDIUM: resolvers: Skip DNS resolution at startup if SRV resolution is set
+ * BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks
+ * MINOR: resolvers: Directly call srvrq_update_srv_state() when possible
+ * MINOR: resolvers: Add function to change the srv status based on SRV resolution
+ * MINOR: resolvers: Purge answer items when a SRV resolution triggers an error
+ * MINOR: resolvers: Use a function to remove answers attached to a resolution
+ * BUG/MEDIUM: resolvers: Trigger a DNS resolution if an ADD item is obsolete
+ * BUG/MINOR; resolvers: Ignore DNS resolution for expired SRV item
+ * MINOR: resolvers: new function find_srvrq_answer_record()
+ * BUG/MEDIUM: resolvers: Fix the loop looking for an existing ADD item
+ * BUG/MEDIUM: resolvers: Don't set an address-less server as UP
+ * BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution
+ * BUG/MINOR: resolvers: Reset server address on DNS error only on status change
+ * BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error
+ * Revert "BUG/MINOR: resolvers: Only renew TTL for SRV records with an additional record"
+ * CLEANUP: tcp-rules: add missing actions in the tcp-request error message
+ * BUG/MINOR: tcpcheck: Fix double free on error path when parsing tcp/http-check
+ * BUG/MINOR: session: Add some forgotten tests on session's listener
+ * BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters
+ * BUG/MINOR: tcpcheck: Update .health threshold of agent inside an agent-check
+ * BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached
+ * BUILD: atomic/arm64: force the register pairs to use in __ha_cas_dw()
+ * BUG/MEDIUM: stick-tables: fix ref counter in table entry using multiple http tracksc.
+ * OPTIM: task: automatically adjust the default runqueue-depth to the threads
+ * MINOR: task: give the scheduler a bit more flexibility in the runqueue size
+ * MEDIUM: task: remove the tasks_run_queue counter and have one per thread
+ * MEDIUM: ssl: implement xprt_set_used and xprt_set_idle to relax context checks
+ * MINOR: xprt: add new xprt_set_idle and xprt_set_used methods
+ * MEDIUM: muxes: mark idle conns tasklets with TASK_F_USR1
+ * MINOR: task: add an application specific flag to the state: TASK_F_USR1
+ * BUG/MEDIUM: ssl: properly remove the TASK_HEAVY flag at end of handshake
+ * MINOR: ssl: mark the SSL handshake tasklet as heavy
+ * MINOR: task: limit the number of subsequent heavy tasks with flag TASK_HEAVY
+ * MEDIUM: backend: use a trylock when trying to grab an idle connection
+ * MINOR: pools: double the local pool cache size to 1 MB
+ * MEDIUM: pools: add CONFIG_HAP_NO_GLOBAL_POOLS and CONFIG_HAP_GLOBAL_POOLS
+ * MEDIUM: streams: do not use the streams lock anymore
+ * MINOR: streams: use one list per stream instead of a global one
+ * MINOR: cli/streams: make "show sess" dump all streams till the new epoch
+ * MINOR: stream: add an "epoch" to figure which streams appeared when
+ * MINOR: dynbuf: pass offer_buffers() the number of buffers instead of a threshold
+ * MINOR: dynbuf: use regular lists instead of mt_lists for buffer_wait
+ * MINOR: dynbuf: make the buffer wait queue per thread
+ * OPTIM: lb-leastconn: do not unlink the server if it did not change
+ * OPTIM: lb-leastconn: do not take the server lock on take_conn/drop_conn
+ * OPTIM: lb-first: do not take the server lock on take_conn/drop_conn
+ * MINOR: lb/api: let callers of take_conn/drop_conn tell if they have the lock
+ * MINOR: server: move actconns to the per-thread structure
+ * OPTIM: server: switch the actconn list to an mt-list
+ * MINOR: listener: refine the default MAX_ACCEPT from 64 to 4
+ * MINOR: tasks: refine the default run queue depth
+ * BUG/MEDIUM: session: NULL dereference possible when accessing the listener
+ * MINOR: atomic: implement a more efficient arm64 __ha_cas_dw() using pairs
+ * MINOR: atomic: add armv8.1-a atomics variant for cas-dw
+ * BUG/MINOR: mt-list: always perform a cpu_relax call on failure
+ * REORG: atomic: reimplement pl_cpu_relax() from atomic-ops.h
+ * BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode
+ * BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()
+ * BUG/MINOR: backend: fix condition for reuse on mode HTTP
+
+-------------------------------------------------------------------
+Wed Mar 03 15:17:18 UTC 2021 - mrueckert@suse.de
+
+- Update to version 2.3.6+git0.7851701ed:
+ * [RELEASE] Released version 2.3.6
+ * BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout
+ * BUG/MINOR: mux-h2: Fix typo in scheme adjustment
+ * DOC: spoe: Add a note about fragmentation support in HAProxy
+ * BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
+ * BUG/MINOR: connection: Use the client's dst family for adressless servers
+ * BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
+ * BUG/MINOR: http-ana: Only consider dst address to process originalto option
+ * BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
+ * BUG/MINOR: stats: fix compare of no-maint url suffix
+ * CLEANUP: muxes: Remove useless if condition in show_fd function
+ * BUG/MINOR: ssl: potential null pointer dereference in ckchs_dup()
+ * BUG/MEDIUM: resolvers: Reset address for unresolved servers
+ * BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records
+ * BUG/MINOR: resolvers: new callback to properly handle SRV record errors
+ * BUG/MINOR: resolvers: Only renew TTL for SRV records with an additional record
+ * BUG/MINOR: resolvers: Fix condition to release received ARs if not assigned
+ * BUG/MINOR: fd: properly wait for !running_mask in fd_set_running_excl()
+ * BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
+ * BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
+ * BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
+ * BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
+ * BUG/MINOR: sample: secure convs that accept base64 string and var name as args
+ * MINOR: Configure the `cpp` userdiff driver for *.[ch] in .gitattributes
+ * BUG/MINOR: ssl/cli: potential null pointer dereference in "set ssl cert"
+ * BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
+ * BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
+ * BUG/MINOR: server: Init params before parsing a new server-state line
+ * BUG/MINOR: http-rules: Always replace the response status on a return action
+ * BUG/MEDIUM: spoe: Resolve the sink if a SPOE logs in a ring buffer
+ * BUG/MEDIUM: lists: Avoid an infinite loop in MT_LIST_TRY_ADDQ().
+ * DOC: explain the relation between pool-low-conn and tune.idle-pool.shared
+ * BUILD: ssl: introduce fine guard for OpenSSL specific SCTL functions
+ * BUG/MINOR: sample: Always consider zero size string samples as unsafe
+ * BUG/MEDIUM: checks: don't needlessly take the server lock in health_adjust()
+ * BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
+ * BUG/MINOR: session: atomically increment the tracked sessions counter
+ * BUG/MINOR: server: Remove RMAINT from admin state when loading server state
+ * CLEANUP: channel: fix comment in ci_putblk.
+ * DOC: tune: explain the origin of block size for ssl.cachesize + * BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL + * BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines + * BUG/MINOR: stats: revert the change on ST_CONVDONE + * BUG/MEDIUM: config: don't pick unset values from last defaults section + * CLEANUP: deinit: release global and per-proxy server-state variables on deinit + * BUG/MINOR: server: Fix server-state-file-name directive + * BUG/MINOR: backend: hold correctly lock when killing idle conn + * BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints() + * BUG/MINOR: server: re-align state file fields number + * BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state + * BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors + * BUG/MINOR: intops: fix mul32hi()'s off-by-one + * BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro + * BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro + * BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro + * MINOR: check: do not ignore a connection header for http-check send + +------------------------------------------------------------------- +Sat Feb 06 16:29:34 UTC 2021 - mrueckert@suse.de + +- Update to version 2.3.5+git0.5902ad99b: + * [RELEASE] Released version 2.3.5 + * MINOR: config: Deprecate and ignore tune.chksize global option + * BUG/MINOR: sock: Unclosed fd in case of connection allocation failure + * BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED + * BUG/MEDIUM: mux-h2: handle remaining read0 cases + * BUILD: Makefile: move REGTESTST_TYPE default setting + * MINOR: cli/show_fd: report local and report ports when known + * BUILD: ssl: fix build breakage with last commit + * BUG/MINOR: ssl: do not try to use early data if not configured + * BUG/MINOR: xxhash: make sure armv6 uses memcpy() + * BUG/MINOR: mux_h2: fix 
incorrect stat titles + * BUG/MEDIUM: ssl: check a connection's status before computing a handshake + * BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store + * BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list + * DOC: management: fix "show resolvers" alphabetical ordering + * MINOR: h1: Raise the chunk size limit up to (2^52 - 1) + * MINOR: mux-h1/show_fd: report as suspicious an entry with too many calls + * MINOR: mux-h2/show_fd: report as suspicious an entry with too many calls + * MINOR: ssl/show_fd: report some FDs as suspicious when possible + * MINOR: cli/show_fd: report some easily detectable suspicious states + * MINOR: cli: give the show_fd helpers the ability to report a suspicious entry + * MINOR: mux-fcgi: make the "show fd" helper also decode the fstrm subscriber when known + * MINOR: mux-h1: make the "show fd" helper also decode the h1s subscriber when known + * MINOR: mux-h2: make the "show fd" helper also decode the h2s subscriber when known + * MINOR: xprt/mux: export all *_io_cb functions so that "show fd" resolves them + * MINOR: ssl: provide a "show fd" helper to report important SSL information + * MINOR: xprt: add a new show_fd() helper to complete some "show fd" dumps. + * MINOR: cli: make "show fd" also report the xprt and xprt_ctx + * CLEANUP: cli: make "show fd" use a const connection to access other fields + * CLEANUP: tools: make resolve_sym_name() take a const pointer + * MINOR: contrib: Make the wireshark peers dissector compile for more distribs. 
+ * BUG/MINOR: backend: check available list allocation for reuse + * BUG/MEDIUM: backend: never reuse a connection for tcp mode + * REORG: backend: simplify conn_backend_get + * BUG/MEDIUM: session: only retrieve ready idle conn from session + * BUG/MINOR: ssl: init tmp chunk correctly in ssl_sock_load_sctl_from_file() + * BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name + * BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown + * DOC: Improve documentation of the various hdr() fetches + * BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX + * BUG/MEDIUM: mux-h2: fix read0 handling on partial frames + * BUG/MEDIUM: tcpcheck: Don't destroy connection in the wake callback context + * BUG/MINOR: mworker: define _GNU_SOURCE for strsignal() + * BUG/MINOR: mux_h2: missing space between "st" and ".flg" in the "show fd" helper + * BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command. + * MINOR: build: discard echoing in help target + * BUG/MINOR: peers: Possible appctx pointer dereference. + * BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition + * BUILD: peers: fix build warning about unused variable + * BUG/MINOR: dns: SRV records ignores duplicated AR records (v2) + * MINOR: peers: Add traces for peer control messages. + * BUG/MINOR: threads: Fixes the number of possible cpus report for Mac. 
+ * MINOR: server: Forbid server definitions in frontend sections + * MINOR: config: Add failifnotcap() to emit an alert on proxy capabilities + * BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable + +------------------------------------------------------------------- +Wed Jan 27 16:19:26 UTC 2021 - Callum Farmer + +- Add lua54.patch to fix building with lua 5.4 + +------------------------------------------------------------------- +Wed Jan 13 16:02:43 UTC 2021 - mrueckert@suse.de + +- Update to version 2.3.4+git0.10189c965: + * [RELEASE] Released version 2.3.4 + * MINOR: contrib/prometheus-exporter: use fill_info for process dump + * MINOR: contrib/prometheus-exporter: avoid connection close header + * BUG/MINOR: init: enforce strict-limits when using master-worker + * BUG/MINOR: check: Don't perform any check on servers defined in a frontend + * BUG/MINOR: sample: Memory leak of sample_expr structure in case of error + * Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records" + * MINOR: reg-tests: add base prometheus test + * BUG/MINOR: reg-tests: fix service dependency script + * BUG/MINOR: sample: check alloc_trash_chunk return value in concat() + * MINOR: reg-tests: add a way to add service dependency + +------------------------------------------------------------------- +Fri Jan 08 21:10:38 UTC 2021 - mrueckert@suse.de + +- Update to version 2.3.3+git0.9233c2143: + * [RELEASE] Released version 2.3.3 + * BUG/MINOR: sample: fix concat() converter's corruption with non-string variables + * DOC: Add maintainers for the Prometheus exporter + * SCRIPTS: announce-release: fix typo in help message + * DOC: fix some spelling issues over multiple files + * MINOR: contrib/prometheus-exporter: export build_info + * CLEANUP: cfgparse: replace "realloc" with "my_realloc2" to fix to memory leak on error + * BUILD: Makefile: exclude broken tests by default + * MINOR: converter: adding support for url_enc + * BUG/MINOR: srv: do not cleanup 
idle conns if pool max is null + * BUG/MINOR: srv: do not init address if backend is disabled + * SCRIPTS: make announce release support preparing announces before tag exists + * SCRIPTS: improve announce-release to support different tag and versions + * BUG/MINOR: stats: Make stat_l variable used to dump a stat line thread local + * DOC: Improve the message printed when running `make` w/o `TARGET` + * BUG/MINOR: tcpcheck: Report a L7OK if the last evaluated rule is a send rule + * BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails + * BUG/MINOR: sink: Return an allocation failure in __sink_new if strdup() fails + * MINOR: atomic: don't use ; to separate instruction on aarch64. + * BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h + * BUG/MEDIUM: mux_h2: Add missing braces in h2_snd_buf()around trace+wakeup + * DOC: fix "smp_size" vs "sample_size" in "log" directive arguments + * BUG/MINOR: dns: SRV records ignores duplicated AR records + * BUILD: ssl: fine guard for SSL_CTX_get0_privatekey call + * BUILD: plock: remove dead code that causes a warning in gcc 11 + * CONTRIB: debug: address "poll" utility build on non-linux platforms + * CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps + * CONTRIB: halog: mark the has_zero* functions unused + * CONTRIB: halog: fix build issue caused by %L printf format + * BUG/MEDIUM: mux-h1: Handle h1_process() failures on a pipelined request + * BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode + * BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests + * BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well + * BUILD: SSL: fine guard for SSL_CTX_add_server_custom_ext call + * REGTESTS: make use of HAPROXY_ARGS and pass -dM by default + * BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert" + * BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight + * BUG/MINOR: 
tools: Reject size format not starting by a digit + * BUG/MINOR: tools: make parse_time_err() more strict on the timer validity + * MINOR: tcpcheck: Only wait for more payload data on HTTP expect rules + * BUG/MINOR: tcpcheck: Don't rearm the check timeout on each read + * BUG/MINOR: http-check: Use right condition to consider HTX message as full + * DOC: email change of the DeviceAtlas maintainer + * BUG/MEDIUM: spoa/python: Fixing references to None + * BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments + * BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails + * BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations + * DOC: spoa/python: Fixing typos in comments + * DOC: spoa/python: Rephrasing memory related error messages + * DOC: spoa/python: Fixing typo in IP related error messages + * BUG/MAJOR: spoa/python: Fixing return None + * MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1 + * MINOR: listener: now use a generic add_listener() function + * MINOR: listener: automatically set the port when creating listeners + * MINOR: protocol: add a ->set_port() helper to address families + * BUG/MINOR: mux-h1: Handle keep-alive timeout for idle frontend connections + * BUG/MINOR: listener: use sockaddr_in6 for IPv6 + * DOC/MINOR: Fix formatting in Management Guide + * BUILD/MINOR: haproxy DragonFlyBSD affinity build update. + * BUG/MAJOR: ring: tcp forward on ring can break the reader counter. 
+ * BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
+ * MINOR: cli: add a function to look up a CLI service description
+ * MINOR: actions: add a function returning a service pointer from its name
+ * MINOR: actions: Export actions lookup functions
+ * BUG/MINOR: lua: Some lua init operation are processed unsafe
+ * BUG/MINOR: lua: Post init register function are not executed beyond the first one
+ * BUG/MINOR: lua: lua-load doesn't check its parameters
+ * BUG/MINOR: lua: missing "\n" in error message
+ * BUG/MINOR: mux-h2/stats: not all GOAWAY frames are errors
+ * BUG/MINOR: mux-h2/stats: make stream/connection proto errors more accurate
+ * BUG/MEDIUM: local log format regression.
+ * BUG/MEDIUM: task: close a possible data race condition on a tasklet's list link
+ * MINOR: task: remove __tasklet_remove_from_tasklet_list()
+ * BUG/MEDIUM: lists: Lock the element while we check if it is in a list.
+ * MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
+
+-------------------------------------------------------------------
+Mon Nov 30 16:59:46 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.3.2+git0.d522db763:
+ * [RELEASE] Released version 2.3.2
+ * BUG/MINOR: http-fetch: Fix smp_fetch_body() when called from a health-check
+ * DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
+ * BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer pool
+ * MINOR: tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main
+ * BUG/MINOR: tcpcheck: Don't forget to reset tcp-check flags on new kind of check
+ * DOC: Clarify %HP description in log-format
+ * DOC: better document the config file format and escaping/quoting rules
+ * BUG/MAJOR: peers: fix partial message decoding
+ * BUG/MEDIUM: http_act: Restore init of log-format list
+ * BUILD: Show the value of DEBUG= in haproxy -vv
+ * BUILD: Make DEBUG part of .build_opts
+ * MINOR: http_act: Add -m flag for
del-header name matching method + * REGTESTS: converter: add url_dec test + * REGTESTS: Add sample_fetches/cook.vtc + * DOC: cache: Add new caching limitation information + * MEDIUM: cache: Change caching conditions + * BUG/MAJOR: filters: Always keep all offsets up to date during data filtering + * DOC: better describes how to configure a fallback crt + * BUG/MINOR: http_htx: Fix searching headers by substring + * BUG/MAJOR: connection: reset conn->owner when detaching from session list + * CLEANUP: connection: do not use conn->owner when the session is known + * DOC: clarify how to create a fallback crt + * BUILD: makefile: enable crypt(3) for OpenBSD + * BUG/MEDIUM: ssl/crt-list: fix error when no file found + * BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated + * BUG/MEDIUM: ssl: error when no certificate are found + * BUG/MEDIUM: ssl/crt-list: bundle support broken in crt-list + * BUG/MEDIUM: http-ana: Don't eval http-after-response ruleset on empty messages + * BUG/MINOR: ssl: segv on startup when AKID but no keyid + * DOC: add missing 3.10 in the summary + * BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests + * BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering + * CLEANUP: cfgparse: remove duplicate registration for transparent build options + * BUILD: http-htx: fix build warning regarding long type in printf + +------------------------------------------------------------------- +Fri Nov 13 22:14:25 UTC 2020 - mrueckert@suse.de + +- Update to version 2.3.1+git0.bdd7178b8: + * [RELEASE] Released version 2.3.1 + * REGTEST: make ssl_client_samples and ssl_server_samples require to 2.2 + * MINOR: peers: Add traces to peer_treat_updatemsg(). + * REGTEST: ssl: mark reg-tests/ssl/ssl_crt-list_filters.vtc as broken + * REGTEST: ssl: test wildcard and multi-type + exclusions + * MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error. 
+ * MINOR: config/mux-h2: Return ERR_ flags from init_h2() instead of a status + * MINOR: init: Fix the prototype for per-thread free callbacks + * BUG/MINOR: tcpcheck: Don't warn on unused rules if check option is after + * MINOR: spoe: Don't close connection in sync mode on processing timeout + * BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet + * BUG/MINOR: http-htx: Handle warnings when parsing http-error and http-errors + * MINOR: check: report error on incompatible connect proto + * MINOR: check: report error on incompatible proto + * BUG/MEDIUM: check: reuse srv proto only if using same mode + * BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches + * BUG/MINOR: http-fetch: Extract cookie value even when no cookie name + * BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages + * BUG/MINOR: peers: Missing TX cache entries reset. + * BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries. + * BUG/MINOR: stats: free dynamically stats fields/lines on shutdown + * BUG/MINOR: lua: set buffer size during map lookups + * BUG/MINOR: pattern: a sample marked as const could be written + +------------------------------------------------------------------- +Fri Nov 06 16:14:26 UTC 2020 - mrueckert@suse.de + +- Update to version 2.3.0+git4.689d98154: + * BUG/MEDIUM: ssl/crt-list: correctly insert crt-list line if crt already loaded + +------------------------------------------------------------------- +Fri Nov 06 13:10:28 UTC 2020 - mrueckert@suse.de + +- Update to version 2.3.0+git3.7a50763d1: + * DOC: config: Fix a typo on ssl_c_chain_der + * MINOR: http-htx: Add understandable errors for the errorfiles parsing + * BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher + +------------------------------------------------------------------- +Thu Nov 5 18:56:00 UTC 2020 - Marcus Rueckert + +- apparmor: do not limit to tcp sockets. haproxy can do udp as + well. 
+ +------------------------------------------------------------------- +Thu Nov 05 16:43:01 UTC 2020 - mrueckert@suse.de + +- Update to version 2.3.0+git0.1c0a722a8: + https://www.haproxy.com/blog/announcing-haproxy-2-3/ + + for all the details see + /usr/share/doc/packages/haproxy/CHANGELOG + +------------------------------------------------------------------- +Thu Nov 05 14:49:02 UTC 2020 - mrueckert@suse.de + +- Update to version 2.2.5+git0.34b2b1066: + * [RELEASE] Released version 2.2.5 + * BUG/MEDIUM: server: make it possible to kill last idle connections + * CLEANUP: mux-h2: Remove the h1 parser state from the h2 stream + * BUG/MEDIUM: stick-table: limit the time spent purging old entries + * BUG/MINOR: filters: Skip disabled proxies during startup only + * BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade + * MINOR: server: Copy configuration file and line for server templates + * BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup + * BUG/MINOR: checks: Report a socket error before any connection attempt + * BUG/MINOR: proxy/server: Skip per-proxy/server post-check for disabled proxies + * BUG/MEDIUM: filters: Don't try to init filters for disabled proxies + * BUG/MINOR: cache: Inverted variables in http_calc_maxage function + * BUG/MINOR: cache: Manage multiple values in cache-control header value + * MINOR: ist: Add a case insensitive istmatch function + * BUG/MINOR: lua: initialize sample before using it + * BUG/MINOR: server: fix down_time report for stats + * BUG/MINOR: server: fix srv downtime calcul on starting + * BUG/MINOR: log: fix risk of null deref on error path + * BUG/MINOR: log: fix memory leak on logsrv parse error + * BUG/MINOR: extcheck: add missing checks on extchk_setenv() + * BUG/MEDIUM: ssl: OCSP must work with BoringSSL + * Revert "MINOR: ssl: 'ssl-load-extra-del-ext' removes the certificate extension" + * BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible + * BUG/MINOR: 
http-ana: Don't send payload for internal responses to HEAD requests
+ * BUG/MEDIUM: server: support changing the slowstart value from state-file
+ * BUG/MINOR: queue: properly report redistributed connections
+ * MINOR: ssl: 'ssl-load-extra-del-ext' removes the certificate extension
+ * BUILD: ssl: make BoringSSL use its own version numbers
+ * BUG/MINOR: disable dynamic OCSP load with BoringSSL
+ * BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.
+ * DOC: fix typo in MAX_SESS_STKCTR
+ * BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn
+ * BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages
+ * BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
+ * BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once
+ * BUG/MINOR: connection: fix loop iter on connection takeover
+ * MINOR: fd: report an error message when failing initial allocations
+ * BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
+ * BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
+ * BUILD: connection: fix build on clang after the VAR_ARRAY cleanup
+ * CLEANUP: tree-wide: use VAR_ARRAY instead of [0] in various definitions
+ * BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
+ * BUG/MINOR: http: Fix content-length of the default 500 error
+ * DOC: Fix typos in configuration.txt
+ * BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
+ * BUG/MEDIUM: mux-fcgi: Don't handle pending read0 too early on streams
+ * DOC: Add missing stats fields in the management doc
+ * DOC: fix a confusing typo on a regsub example
+ * BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
+ * BUG/MINOR: mux-h1: Be sure to only set CO_RFL_READ_ONCE for the first read
+ * BUG/MINOR: peers: Inconsistency when dumping peer status codes.
+ * MINOR: hlua: Display debug messages on stderr only in debug mode + * BUG/MINOR: stats: fix validity of the json schema + * MINOR: counters: fix a typo in comment + * MINOR: ssl: Add warning if a crt-list might be truncated + * BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe + * BUG/MINOR: tcpcheck: Set socks4 and send-proxy flags before the connect call + * DOC: tcp-rules: Refresh details about L7 matching for tcp-request content rules + * BUG/MINOR: Fix several leaks of 'log_tag' in init(). + * MINOR: ssl: Add error if a crt-list might be truncated + * BUILD: makefile: Fix building with closefrom() support enabled + * BUILD: ssl_crtlist: work around another bogus gcc-9.3 warning + +------------------------------------------------------------------- +Mon Nov 2 13:15:38 UTC 2020 - Marcus Rueckert + +- apparmor profile: + - we need net_admin capability for non local bind and setting + "source" for server entries. + +------------------------------------------------------------------- +Sat Oct 24 01:18:29 UTC 2020 - Marcus Rueckert + +- apparmor profile fixes: + - include abstractions that give access to the openssl config, + ssl certs and ssl keys + - include local configs only with "if exists" so they do not have + to exist. 
+- move local files to %ghost
+
+-------------------------------------------------------------------
+Fri Oct 2 14:38:51 UTC 2020 - Marcus Rueckert
+
+- use parallel build
+
+-------------------------------------------------------------------
+Fri Oct 02 14:37:00 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.2.4+git0.de456726d:
+ * [RELEASE] Released version 2.2.4
+ * REGTEST: make map_regm_with_backref require 1.7
+ * REGTEST: make abns_socket.vtc require 1.8
+ * REGTEST: make agent-check.vtc require 1.8
+ * REGTEST: fix host part in balance-uri-path-only.vtc
+ * BUG/MINOR: ssl/crt-list: exit on warning out of crtlist_parse_line()
+ * DOC: agent-check: fix typo in "fail" word expected reply
+ * REGTESTS: use "command" instead of "which" for better POSIX compatibility
+ * BUILD: trace: include tools.h
+ * BUG/MEDIUM: listeners: do not pause foreign listeners
+ * REGTESTS: add a few load balancing tests
+ * MINOR: backend: add a new "path-only" option to "balance uri"
+ * MINOR: backend: make the "whole" option of balance uri take only one bit
+ * MINOR: h2/trace: also display the remaining frame length in traces
+ * BUG/MINOR: Fix memory leaks cfg_parse_peers
+ * BUG/MEDIUM: h2: report frame bits only for handled types
+ * BUG/MINOR: config: Fix memory leak on config parse listen
+ * BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch
+ * BUG/MINOR: h2/trace: do not display "stream error" after a frame ACK
+ * BUG/MINOR: ssl/crt-list: crt-list could end without a \n
+ * BUG/MEDIUM: ssl: Don't call ssl_sock_io_cb() directly.
+ * BUG/MINOR: server: report correct error message for invalid port on "socks4"
+ * BUG/MINOR: ssl: verifyhost is case sensitive
+ * BUG/MINOR: Fix type passed of sizeof() for calloc()
+ * BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
+ * BUILD: threads: better workaround for late loading of libgcc_s
+
+-------------------------------------------------------------------
+Tue Sep 08 15:02:38 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.2.3+git0.0e58a340d:
+ * [RELEASE] Released version 2.2.3
+ * BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
+ * BUG/MINOR: auth: report valid crypto(3) support depending on build options
+ * DOC: ssl-load-extra-files only applies to certificates on bind lines
+ * MINOR: server: Improve log message sent when server address is updated
+ * BUG/MEDIUM: dns: Be sure to renew IP address for already known servers
+ * BUG/MEDIUM: dns: Don't store additional records in a linked-list
+ * CLEANUP: dns: remove 45 "return" statements from dns_validate_dns_response()
+ * CLEANUP: Update .gitignore
+ * MINOR: Commit .gitattributes
+ * BUILD: thread: limit the libgcc_s workaround to glibc only
+ * BUG/MINOR: threads: work around a libgcc_s issue with chrooting
+ * BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
+ * MINOR: arg: Use chunk_destroy() to release string arguments
+ * BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
+ * REGTEST: Add a test for request path manipulations, with and without the QS
+ * MINOR: http-fetch: Add pathq sample fetch
+ * MINOR: http-rules: Add set-pathq and replace-pathq actions
+ * BUG/MEDIUM: doc: Fix replace-path action description
+ * Revert "BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action"
+ * BUG/MINOR: startup: haproxy -s cause 100% cpu
+ * BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
+ * BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
+ * BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
+ * BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
+ * BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
+ * BUILD: task: work around a bogus warning in gcc 4.7/4.8 at -O1
+ * BUILD: tools: include auxv a bit later
+ * MINOR: cache: Reject duplicate cache names
+ * DOC: cache: Use '' instead of '' in error message
+ * BUG/MEDIUM: ssl: crt-list negative filters don't work
+ * BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action
+ * MINOR: http-htx: Add an option to eval query-string when the path is replaced
+ * BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
+ * BUG/MINOR: reload: do not fail when no socket is sent
+ * BUG/MEDIUM: ssl: fix ssl_bind_conf double free w/ wildcards
+ * BUG/MEDIUM: ssl: never generates the chain from the verify store
+ * BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
+ * BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
+ * BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2
+ * BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option
+ * BUG/MINOR: snapshots: leak of snapshots on deinit()
+ * MEDIUM: lua: Don't filter exported fetches and converters
+ * BUG/MINOR: lua: Duplicate lua strings in sample fetches/converters arg array
+ * MINOR: hlua: Don't needlessly copy lua strings in trash during args validation
+ * BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
+ * BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
+ * BUG/MINOR: arg: Fix leaks during arguments validation for fetches/converters
+ * BUG/MINOR: lua: Duplicate map name to load it when a new Map object is created
+ * BUG/MINOR: converters: Store the sink in an arg pointer for debug() converter
+ * MINOR: arg: Add an argument type to keep a reference on opaque data
+ * BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
+ * BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free()
+ * BUG/MINOR: ssl: fix memory leak at OCSP loading
+ * DOC: spoa-server: fix false friends `actually`
+ * BUG/MINOR: spoa-server: fix size_t format printing
+ * BUG/MAJOR: dns: disabled servers through SRV records never recover
+ * CLEANUP: dns: typo in reported error message
+ * BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
+ * SCRIPTS: git-show-backports: emit the shell command to backport a commit
+ * SCRIPTS: git-show-backports: make -m most only show the left branch
+
+-------------------------------------------------------------------
+Fri Jul 31 10:56:54 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.2.2+git0.b8a2763d5:
+ * [RELEASE] Released version 2.2.2
+ * BUG/MEDIUM: tcp-checks: always attach the transport before installing the mux
+ * BUG/MEDIUM: backend: always attach the transport before installing the mux
+ * SCRIPTS: announce-release: add the link to the wiki in the announce messages
+ * MINOR: stream-int: Be sure to have a mux to do sends and receives
+ * MINOR: connection: Preinstall the mux for non-ssl connect
+ * BUG/MEDIUM: connection: Be sure to always install a mux for sync connect
+ * BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
+ * BUG/MINOR: tcp-rules: Preserve the right filter analyser on content eval abort
+ * BUG/MINOR: lua: Abort execution of actions that yield on a final evaluation
+ * BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
+ * MEDIUM: lua: Add support for the Lua 5.4
+ * BUG/MAJOR: dns: don't treat Authority records as an error
+ * BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status
+ * BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
+ * BUILD: tools: fix build with static only toolchains
+ * BUG/MINOR: mux-fcgi: Don't url-decode the QUERY_STRING parameter anymore
+
+-------------------------------------------------------------------
+Thu Jul 23 15:00:50 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.2.1+git0.0ef71a557:
+ * [RELEASE] Released version 2.2.1
+ * BUG/MEDIUM: http-ana: Only set CF_EXPECT_MORE flag on data filtering
+ * BUG/MEDIUM: stream-int: Don't set MSG_MORE flag if no more data are expected
+ * BUG/MINOR: htx: add two missing HTX_FL_EOI and remove an unexpected one
+ * MEDIUM: htx: Add a flag on a HTX message when no more data are expected
+ * BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
+ * BUG/MAJOR: dns: Make the do-resolve action thread-safe
+ * BUG/MAJOR: tasks: don't requeue global tasks into the local queue
+ * BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
+ * BUG/MEDIUM: arg: empty args list must be dropped
+ * DOC: ssl: req_ssl_sni needs implicit TLS
+ * BUILD: config: fix again bugs gcc warnings on calloc
+ * BUG/MAJOR: tasks: make sure to always lock the shared wait queue if needed
+ * BUILD: config: address build warning on raspbian+rpi4
+ * BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
+ * BUG/MEDIUM: server: fix possibly uninitialized state file on close
+ * BUG/MEDIUM: server: resolve state file handle leak on reload
+ * BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers
+ * BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
+ * BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT
+ * BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding
+ * BUG/MINOR: mux-fcgi: Handle empty STDERR record
+ * BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
+ * BUG/MEDIUM: mux-fcgi: Don't add private connections in available connection list
+ * BUG/MEDIUM: mux-h2: Don't add private connections in available connection list
+ * CONTRIB: da: fix memory leak in dummy function da_atlas_open()
+ * BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ
+ * BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD()
+ * BUG/MINOR: sample: Free str.area in smp_check_const_meth
+ * BUG/MINOR: sample: Free str.area in smp_check_const_bool
+
+-------------------------------------------------------------------
+Tue Jul 07 15:13:34 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.2.0+git0.3a00c915f:
+ https://www.haproxy.com/blog/announcing-haproxy-2-2/
+
+ * [RELEASE] Released version 2.2.0
+ * MINOR: version: mention that it's an LTS release now
+ * DOC: minor update to coding style file
+ * DOC: update INSTALL with new compiler versions
+ * CLEANUP: ssl: remove unrelevant comment in smp_fetch_ssl_x_keylog()
+ * DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
+ * BUG/MINOR: connection: See new connection as available only on reuse always
+ * BUG/MEDIUM: connection: Don't consider new private connections as available
+ * BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
+ * MINOR: mux-h1: Improve traces about the splicing
+- refreshed patches to apply cleanly again:
+ haproxy-1.6.0-makefile_lib.patch
+ haproxy-1.6.0-sec-options.patch
+- track series file in source rpm
+
+-------------------------------------------------------------------
+Tue Jun 09 20:27:50 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.7+git0.8bebf80fb:
+ * [RELEASE]
Released version 2.1.7
+
+-------------------------------------------------------------------
+Mon Jun 08 22:04:10 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.6+git1.661c88907:
+ * BUG/MAJOR: http-htx: Don't forget to copy error messages from defaults sections
+
+-------------------------------------------------------------------
+Mon Jun 08 21:58:40 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.6+git0.34db76106:
+ * [RELEASE] Released version 2.1.6
+ * BUG/MINOR: mworker: fix a memleak when execvp() failed
+ * BUG/MINOR: ssl: fix a trash buffer leak in some error cases
+ * BUG/MEDIUM: mworker: fix the reload with an -- option
+ * BUG/MINOR: init: -S can have a parameter starting with a dash
+ * BUG/MINOR: init: -x can have a parameter starting with a dash
+ * BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
+ * BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
+ * BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
+ * BUG/MEDIUM: http-htx: Duplicate error messages as raw data instead of string
+ * BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
+ * BUG/MINOR: peers: fix internal/network key type mapping.
+ * SCRIPTS: publish-release: pass -n to gzip to remove timestamp
+ * Revert "BUG/MEDIUM: connections: force connections cleanup on server changes"
+
+-------------------------------------------------------------------
+Fri May 29 11:28:18 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.5+git0.36e14bd31:
+ * [RELEASE] Released version 2.1.5
+ * BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf
+ * BUG/MINOR: lua: Add missing string length for lua sticktable lookup
+ * BUG/MEDIUM: logs: fix trailing zeros on log message.
+ * REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used
+ * BUG/MINOR: logs: prevent double line returns in some events.
+ * DOC: SPOE is no longer experimental
+ * DOC/MINOR: halog: Add long help info for ic flag
+ * DOC: retry-on can only be used with mode http
+ * BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
+ * BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
+ * BUG/MEDIUM: ring: write-lock the ring while attaching/detaching
+ * BUG/MAJOR: mux-fcgi: Stop sending loop if FCGI stream is blocked for any reason
+ * BUG/MINOR: cache: Don't needlessly test "cache" keyword in parse_cache_flt()
+ * BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.
+ * BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
+ * BUILD: select: only declare existing local labels to appease clang
+ * BUG/MINOR: soft-stop: always wake up waiting threads on stopping
+ * BUG/MINOR: pollers: remove uneeded free in global init
+ * BUG/MINOR: pools: use %u not %d to report pool stats in "show pools"
+ * BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
+ * BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
+ * BUG/MINOR: http-ana: fix NTLM response parsing again
+ * BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
+ * BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
+ * BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
+ * BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
+ * BUG/MINOR: sample: Set the correct type when a binary is converted to a string
+ * CLEANUP: connections: align function declaration
+ * BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
+ * BUG/MEDIUM: h1: Don't compare host and authority if only h1 headers are parsed
+ * BUG/MEDIUM: connections: force connections cleanup on server changes
+ * BUG/MEDIUM: mux-fcgi: Fix wrong test on FCGI_CF_KEEP_CONN in fcgi_detach()
+ * BUG/MEDIUM: mux_fcgi: Free the FCGI connection at the
end of fcgi_release()
+ * BUG/MINOR: checks: Remove a warning about http health checks
+ * BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
+ * BUG/MINOR: checks/server: use_ssl member must be signed
+ * Revert "BUG/MINOR: connection: make sure to correctly tag local PROXY connections"
+ * Revert "BUG/MINOR: connection: always send address-less LOCAL PROXY connections"
+ * REGTEST: http-rules: Require PCRE or PCRE2 option to run map_redirect script
+ * REGTEST: ssl: test the client certificate authentication
+ * BUILD: Makefile: add linux-musl to TARGET
+ * BUILD: tools: rely on __ELF__ not USE_DL to enable use of dladdr()
+ * BUILD: tools: unbreak resolve_sym_name() on non-GNU platforms
+ * MINOR: debug: dump the whole trace if we can't spot the starting point
+ * MINOR: debug: use our own backtrace function on clang+x86_64
+ * MINOR: debug: improve backtrace() on aarch64 and possibly other systems
+ * MINOR: debug: report the number of entries in the backtrace
+ * MINOR: wdt: do not depend on USE_THREAD
+ * BUILD: Makefile: include librt before libpthread
+ * MINOR: debug: call backtrace() once upon startup
+ * MEDIUM: debug: add support for dumping backtraces of stuck threads
+ * MINOR: cli: make "show fd" rely on resolve_sym_name()
+ * MINOR: debug: use resolve_sym_name() to dump task handlers
+ * MINOR: tools: add resolve_sym_name() to resolve function pointers
+ * MINOR: tools: add new function dump_addr_and_bytes()
+ * MINOR: haproxy: export run_poll_loop
+ * MINOR: stream: report the list of active filters on stream crashes
+ * BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
+ * BUG/MEDIUM: shctx: really check the lock's value while waiting
+ * BUG/MINOR: debug: properly use long long instead of long for the thread ID
+ * MINOR: threads: export the POSIX thread ID in panic dumps
+ * BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
+ * BUG/MEDIUM: sample: make the CPU and latency
sample fetches check for a stream
+ * BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam
+ * BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam
+ * BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
+ * BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
+ * BUG/MINOR: mux-fcgi: Be sure to have a connection as session's origin to use it
+ * BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
+ * BUG/MINOR: checks: chained expect will not properly wait for enough data
+ * BUG/MEDIUM: server/checks: Init server check during config validity check
+ * BUG/MINOR: checks: Respect the no-check-ssl option
+ * MINOR: checks: Add a way to send custom headers and payload during http chekcs
+ * BUG/MINOR: check: Update server address and port to execute an external check
+ * MINOR: contrib: make the peers wireshark dissector a plugin
+ * MEDIUM: memory: make pool_gc() run under thread isolation
+ * DOC: option logasap does not depend on mode
+ * BUG/MINOR: http: make url_decode() optionally convert '+' to SP
+ * BUG/MINOR: tools: fix the i386 version of the div64_32 function
+ * BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
+ * BUG/MINOR: ssl: default settings for ssl server options are not used
+ * DOC: Improve documentation on http-request set-src
+ * MINOR: version: Show uname output in display_version()
+ * DOC: hashing: update link to hashing functions
+ * BUG/MINOR: peers: Incomplete peers sections should be validated.
+ * BUG/MINOR: connection: always send address-less LOCAL PROXY connections
+ * BUG/MINOR: ssl: memleak of the struct cert_key_and_chain
+ * BUG/MINOR: ssl/cli: memory leak in 'set ssl cert'
+ * MINOR: ssl: improve the errors when a crt can't be open
+ * BUG/MINOR: protocol_buffer: Wrong maximum shifting.
+
+-------------------------------------------------------------------
+Wed Apr 15 23:10:28 UTC 2020 - Marcus Rueckert
+
+- use the "profile profilename /path/to/binary" syntax to make
+ "ps aufxZ" more readable
+
+-------------------------------------------------------------------
+Thu Apr 2 13:24:34 UTC 2020 - Marcus Rueckert
+
+- Update to version 2.1.4+git0.3cfc2f1d9: (boo#1168023) CVE-2020-11100
+ - SCRIPTS: make announce-release executable again
+ - BUG/MINOR: namespace: avoid closing fd when socket failed in
+ my_socketat
+ - BUG/MEDIUM: muxes: Use the right argument when calling the
+ destroy method.
+ - BUG/MINOR: mux-fcgi: Forbid special characters when matching
+ PATH_INFO param
+ - MINOR: mux-fcgi: Make the capture of the path-info optional in
+ pathinfo regex
+ - SCRIPTS: announce-release: use mutt -H instead of -i to include
+ the draft
+ - MINOR: http-htx: Add a function to retrieve the headers size of
+ an HTX message
+ - MINOR: filters: Forward data only if the last filter forwards
+ something
+ - BUG/MINOR: filters: Count HTTP headers as filtered data but
+ don't forward them
+ - BUG/MINOR: http-htx: Don't return error if authority is updated
+ without changes
+ - BUG/MINOR: http-ana: Matching on monitor-uri should be
+ case-sensitive
+ - MINOR: http-ana: Match on the path if the monitor-uri starts by
+ a /
+ - BUG/MAJOR: http-ana: Always abort the request when a tarpit is
+ triggered
+ - MINOR: ist: add an iststop() function
+ - BUG/MINOR: http: http-request replace-path duplicates the query
+ string
+ - BUG/MEDIUM: shctx: make sure to keep all blocks aligned
+ - MINOR: compiler: move CPU capabilities definition from config.h
+ and complete them
+ - BUG/MEDIUM: ebtree: don't set attribute packed without
+ unaligned access support
+ - BUILD: fix recent build failure on unaligned archs
+ - CLEANUP: cfgparse: Fix type of second calloc() parameter
+ - BUG/MINOR: sample: fix the json converter's endian-sensitivity
+ - BUG/MEDIUM: ssl: fix several bad
pointer aliases in a few
+ sample fetch functions
+ - BUG/MINOR: connection: make sure to correctly tag local PROXY
+ connections
+ - MINOR: compiler: add new alignment macros
+ - BUILD: ebtree: improve architecture-specific alignment
+ - BUG/MINOR: h2: reject again empty :path pseudo-headers
+ - BUG/MINOR: sample: Make sure to return stable IDs in the
+ unique-id fetch
+ - BUG/MINOR: dns: ignore trailing dot
+ - BUG/MINOR: http-htx: Do case-insensive comparisons on Host
+ header name
+ - MINOR: contrib/prometheus-exporter: Add heathcheck status/code
+ in server metrics
+ - MINOR: contrib/prometheus-exporter: Add the last heathcheck
+ duration metric
+ - BUG/MEDIUM: random: initialize the random pool a bit better
+ - MINOR: tools: add 64-bit rotate operators
+ - BUG/MEDIUM: random: implement a thread-safe and process-safe
+ PRNG
+ - MINOR: backend: use a single call to ha_random32() for the
+ random LB algo
+ - BUG/MINOR: checks/threads: use ha_random() and not rand()
+ - BUG/MAJOR: list: fix invalid element address calculation
+ - MINOR: debug: report the task handler's pointer relative to
+ main
+ - BUG/MEDIUM: debug: make the debug_handler check for the thread
+ in threads_to_dump
+ - MINOR: haproxy: export main to ease access from debugger
+ - BUILD: tools: remove obsolete and conflicting trace() from
+ standard.c
+ - BUG/MINOR: wdt: do not return an error when the watchdog
+ couldn't be enabled
+ - DOC: fix incorrect indentation of http_auth_*
+ - OPTIM: startup: fast unique_id allocation for acl.
+ - BUG/MINOR: pattern: Do not pass len = 0 to calloc()
+ - DOC: configuration.txt: fix various typos
+ - DOC: assorted typo fixes in the documentation and Makefile
+ - BUG/MINOR: init: make the automatic maxconn consider the max of
+ soft/hard limits
+ - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
+ - REGTEST: make the PROXY TLV validation depend on version 2.2
+ - BUG/MINOR: filters: Use filter offset to decude the amount of
+ forwarded data
+ - BUG/MINOR: filters: Forward everything if no data filters are
+ called
+ - MINOR: htx: Add a function to return a block at a specific
+ offset
+ - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the
+ response payload
+ - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks
+ compressing the payload
+ - BUG/MINOR: http-ana: Reset request analysers on a response side
+ error
+ - BUG/MINOR: lua: Ignore the reserve to know if a channel is full
+ or not
+ - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject
+ action
+ - BUG/MINOR: http-rules: Fix a typo in the reject action function
+ - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop
+ action
+ - BUG/MINOR: rules: Increment be_counters if backend is assigned
+ for a silent-drop
+ - DOC: fix typo about no-tls-tickets
+ - DOC: improve description of no-tls-tickets
+ - DOC: assorted typo fixes in the documentation
+ - DOC: ssl: clarify security implications of TLS tickets
+ - BUILD: wdt: only test for SI_TKILL when compiled with thread
+ support
+ - BUG/MEDIUM: mt_lists: Make sure we set the deleted element to
+ NULL;
+ - MINOR: mt_lists: Appease gcc.
+ - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
+ - BUG/MEDIUM: pools: Always update free_list in pool_gc().
+ - BUG/MINOR: haproxy: always initialize sleeping_thread_mask
+ - BUG/MINOR: listener/mq: do not dispatch connections to remote
+ threads when stopping
+ - BUG/MINOR: haproxy/threads: try to make all threads leave
+ together
+ - DOC: proxy_protocol: Reserve TLV type 0x05 as
+ PP2_TYPE_UNIQUE_ID
+ - DOC: correct typo in alert message about rspirep
+ - BUILD: on ARM, must be linked to libatomic.
+ - BUILD: makefile: fix regex syntax in ARM platform detection
+ - BUILD: makefile: fix expression again to detect ARM platform
+ - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong
+ cases.
+ - DOC: assorted typo fixes in the documentation
+ - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into
+ types/signal.h.
+ - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in
+ __signal_process_queue().
+ - MINOR: memory: Change the flush_lock to a spinlock, and don't
+ get it in alloc.
+ - BUG/MINOR: connections: Make sure we free the connection on
+ failure.
+ - REGTESTS: use "command -v" instead of "which"
+ - REGTEST: increase timeouts on the seamless-reload test
+ - BUG/MINOR: haproxy/threads: close a possible race in soft-stop
+ detection
+ - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
+ - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
+ - BUG/MINOR: peers: Use after free of "peers" section.
+ - MINOR: listener: add so_name sample fetch
+ - BUILD: ssl: only pass unsigned chars to isspace()
+ - BUG/MINOR: stats: Fix color of draining servers on stats page
+ - DOC: internals: Fix spelling errors in filters.txt
+ - MINOR: http-rules: Add a flag on redirect rules to know the
+ rule direction
+ - BUG/MINOR: http_ana: make sure redirect flags don't have
+ overlapping bits
+ - MINOR: http-rules: Handle the rule direction when a redirect is
+ evaluated
+ - BUG/MINOR: http-ana: Reset request analysers on error when
+ waiting for response
+ - BUG/CRITICAL: hpack: never index a header into the headroom
+ after wrapping
+
+-------------------------------------------------------------------
+Fri Feb 14 13:23:23 UTC 2020 - Thorsten Kukuk
+
+- Remove unsupported options from example haproxy.cfg
+- Make haproxy useable for containers
+ - Use sysusers.d to create users.
+ - Use systemd_ordering instead of requiring systemd.
+ - Own vim syntax directory instead of requiring vim. This also
+ solves the problem the directory got never removed if vim is
+ updated before haproxy.
+
+-------------------------------------------------------------------
+Wed Feb 12 15:42:26 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.3+git0.5c020bbdd:
+ * [RELEASE] Released version 2.1.3
+ * BUG/MINOR: tcp: don't try to set defaultmss when value is negative
+ * BUG/MINOR: http-ana: Set HTX_FL_PROXY_RESP flag if a server perform a redirect
+ * BUG/MINOR: http-ana: Don't overwrite outgoing data when an error is reported
+ * MINOR: htx/channel: Add a function to copy an HTX message in a channel's buffer
+ * MINOR: htx: Add a function to append an HTX message to another one
+ * DOC: word converter ignores delimiters at the start or end of input string
+ * MINOR: build: add aix72-gcc build TARGET and power{8,9} CPUs
+ * BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener
+ * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
+ * BUG/MEDIUM: listener: only consider running threads when resuming listeners
+ * BUG/MINOR: dns: allow 63 char in hostname
+ * BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit
+ * DOC: schematic of the SSL certificates architecture
+ * BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init
+ * SCRIPTS: announce-release: allow the user to force to overwrite old files
+ * SCRIPTS: announce-release: place the send command in the mail's header
+ * CONTRIB: debug: also support reading values from stdin
+ * MINOR: acl: Warn when an ACL is named 'or'
+ * CONTRIB: debug: support reporting multiple values at once
+ * CONTRIB: debug: add the possibility to decode the value as certain types only
+ * CONTRIB: debug: add missing flags SF_HTX and SF_MUX
+ * BUG/MINOR: ssl: clear the SSL errors on DH loading failure
+ * BUG/MINOR: ssl: we may only ignore the first 64 errors
+ * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty.
+ * BUG/MEDIUM: memory: Add a rwlock before freeing memory.
+ * MINOR: memory: Only init the pool spinlock once.
+ * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
+ * BUG/MEDIUM: connections: Don't forget to unlock when killing a connection.
+ * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
+ * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
+ * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
+ * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
+ * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
+ * MINOR: lua: Add HLUA_PREPEND_C?PATH build option
+ * MINOR: lua: Add lua-prepend-path configuration option
+ * MINOR: lua: Add hlua_prepend_path function
+ * BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines
+ * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers"
+ * BUG/MINOR: stktable: report the current proxy name in error messages
+ * BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
+ * BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert"
+ * BUG/MINOR: ssl: typo in previous patch
+ * BUG/MINOR: ssl: memory leak w/ the ocsp_issuer
+ * BUG/MINOR: ssl: increment issuer refcount if in chain
+ * CLEANUP: stats: shut up a wrong null-deref warning from gcc 9.2
+ * BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded
+ * BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent
+ * BUG/MEDIUM: netscaler: Don't forget to allocate storage for conn->src/dst.
+ * BUG/MINOR: http_act: don't check capture id in backend
+ * MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive
+ * BUG/MINOR: ssl: ssl_sock_load_sctl_from_file memory leak
+ * BUG/MINOR: ssl: ssl_sock_load_issuer_file_into_ckch memory leak
+ * BUG/MINOR: ssl: ssl_sock_load_ocsp_response_from_file memory leak
+ * BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing
+ * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing
+ * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
+ * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters
+ * BUILD: pattern: include errno.h
+ * BUG/MINOR: 51d: Fix bug when HTX is enabled
+ * BUG/MINOR: dns: Make dns_query_id_seed unsigned
+ * BUG/MINOR: cache: Fix leak of cache name in error path
+ * BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
+ * BUG/MEDIUM: connection: add a mux flag to indicate splice usability
+ * BUG/MINOR: stream: don't mistake match rules for store-request rules
+ * BUG/MEDIUM: cli: _getsocks must send the peers sockets
+ * REGTEST: add sample_fetches/hashes.vtc to validate hashes
+ * BUG/MAJOR: hashes: fix the signedness of the hash inputs
+ * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
+ * BUG/MEDIUM: mworker: remain in mworker mode during reload
+ * REGTEST: mcli/mcli_start_progs: start 2 programs
+ * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
+ * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
+ * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
+ * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
+ * BUG/MEDIUM: tasks: Use the MT macros in tasklet_free().
+ * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached
+ * BUG/MEDIUM: session: do not report a failure when rejecting a session
+ * BUG/MINOR: channel: inject output data at the end of output
+ * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied
+ * BUG/MINOR: proxy: Fix input data copy when an error is captured
+ * BUG/MINOR: h1: Report the right error position when a header value is invalid
+ * MINOR: ssl: Remove unused variable "need_out".
+ * MINOR: config: disable busy polling on old processes
+ * BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
+ * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready.
+ * BUG/MINOR: checks: refine which errno values are really errors.
+
+-------------------------------------------------------------------
+Fri Feb 07 12:48:02 UTC 2020 - mrueckert@suse.de
+
+- Update to version 2.1.2+git0.d5b6759b5:
+ * [RELEASE] Released version 2.1.2
+ * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility
+ * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream
+ * BUG/MINOR: state-file: do not leak memory on parse errors
+ * BUG/MINOR: state-file: do not store duplicates in the global tree
+ * BUG/MEDIUM: state-file: do not allocate a full buffer for each server entry
+ * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
+ * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd
+ * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute
+ * BUG/MEDIUM: ssl: Revamp the way early data are handled.
+ * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing
+ * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
+ * MINOR: http: add a new "replace-path" action
+ * MINOR: debug: support logging to various sinks
+ * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
+ * MINOR: sample: Validate the number of bits for the sha2 converter
+ * BUG/MINOR: sample: always check converters' arguments
+ * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter
+ * DOC: clarify the fact that replace-uri works on a full URI
+
+-------------------------------------------------------------------
+Fri Feb 7 12:46:02 UTC 2020 - Marcus Rueckert
+
+- drop the udev buildrequires completely
+
+-------------------------------------------------------------------
+Thu Jan 23 13:10:03 UTC 2020 - Dominique Leuenberger
+
+- BuildRequire pkgconfig(udev) instead of udev: allow OBS to
+ shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Wed Dec 11 17:07:41 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.1.1+git0.4ae521379:
+ * [RELEASE] Released version 2.1.1
+ * BUILD/MINOR: unix sockets: silence an absurd gcc warning about strncpy()
+ * BUG/MINOR: listener: fix off-by-one in state name check
+ * BUG/MINOR: server: make "agent-addr" work on default-server line
+ * BUG/MINOR: listener: do not immediately resume on transient error
+ * BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers
+ * BUG/MINOR: log: fix minor resource leaks on logformat error path
+ * DOC: remove references to the outdated architecture.txt
+ * DOC: proxies: HAProxy only supports 3 connection modes
+ * BUG/MINOR: tasks: only requeue a task if it was already in the queue
+ * DOC: listeners: add a few missing transitions
+
+-------------------------------------------------------------------
+Tue Dec 10 19:29:31 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.1.0+git33.8e4a62508:
+ * BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive.
+ * BUG/MAJOR: dns: add minimalist error processing on the Rx path
+ * BUG/MEDIUM: kqueue: Make sure we report read events even when no data.
+ * DOC: document the listener state transitions
+ * BUG/MEDIUM: listener/threads: fix a remaining race in the listener's accept()
+ * BUG/MINOR: listener: also clear the error flag on a paused listener
+ * BUG/MINOR: listener/threads: always use atomic ops to clear the FD events
+ * BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state
+ * BUG/MEDIUM: mux-fcgi: Handle cases where the HTX EOM block cannot be inserted
+ * BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be added
+
+-------------------------------------------------------------------
+Fri Dec 06 15:30:10 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.1.0+git23.e77b108cd:
+ * BUG/MEDIUM: checks: Make sure we set the task affinity just before connecting.
+ * BUG/MEDIUM: tasks: Make sure we switch wait queues in task_set_affinity().
+
+-------------------------------------------------------------------
+Thu Dec 05 15:46:01 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.1.0+git21.67ff2112b:
+ * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data
+ * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN
+ * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
+ * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
+ * BUG/MEDIUM: listener/thread: fix a race when pausing a listener
+ * BUG/MINOR: ssl/cli: don't overwrite the filters variable
+ * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible
+ * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data
+ * DOC: move the "group" keyword at the right place
+ * DOC: Fix ordered list in summary
+
+-------------------------------------------------------------------
+Thu Dec 5 15:46:00 UTC 2019 - Marcus Rueckert
+
+- switch to the 2.1 branch
+ https://www.haproxy.com/blog/haproxy-2-1/
+ https://www.mail-archive.com/haproxy@formilux.org/msg35491.html
+
+-------------------------------------------------------------------
+Thu Dec 05 15:37:44 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.10+git14.7caf150a:
+ * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data
+ * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN
+ * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
+ * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
+ * BUG/MEDIUM: listener/thread: fix a race when pausing a listener
+ * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible
+ * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data
+ * DOC: move the "group" keyword at the right place
+ * DOC: clarify matching strings on binary fetches
+ * DOC: Clarify behavior of server maxconn in HTTP mode
+
+-------------------------------------------------------------------
+Fri Nov 29 13:44:19 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.10+git4.6d9a455d:
+ * BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is empty
+
+-------------------------------------------------------------------
+Thu Nov 28 15:45:58 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.10+git3.200c6215:
+ * BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
+
+-------------------------------------------------------------------
+Wed Nov 27 11:52:45 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.10+git2.3a00e5fc:
+ * BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones
+ * BUG/MINOR: stream: init variables when the list is empty
+
+-------------------------------------------------------------------
+Mon Nov 25 20:11:36 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.10+git0.ac198b92: (bsc#1157712) (bsc#1157714)
+ * [RELEASE] Released version 2.0.10
+ * SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands
+ * SCRIPTS:
create-release: show the correct origin name in suggested commands
+ * BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
+ * BUG/MAJOR: h2: make header field name filtering stronger
+ * BUG/MAJOR: h2: reject header values containing invalid chars
+ * MINOR: ist: add ist_find_ctl()
+ * BUG/MINOR: ssl: fix curve setup with LibreSSL
+ * BUG/MINOR: cli: fix out of bounds in -S parser
+ * DOC: Add documentation about the use-service action
+ * DOC: Add missing stats fields in the management manual
+ * BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a message
+ * BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser()
+ * MEDIUM: mux-h1: Add the support of headers adjustment for bogus HTTP/1 apps
+ * REGTEST: vtest can now enable mcli with its own flag
+ * MINOR: stats: Report max times in addition of the averages for sessions
+ * BUG/MINOR: stream-int: Fix si_cs_recv() return value
+ * MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance
+ * MINOR: contrib/prometheus-exporter: filter exported metrics by scope
+ * MINOR: contrib/prometheus-exporter: report the number of idle conns per server
+ * BUG/MINOR: contrib/prometheus-exporter: Rename some metrics
+ * MINOR: contrib/prometheus-exporter: Report metrics about max times for sessions
+ * MINOR: counters: Add fields to store the max observed for {q,c,d,t}_time
+ * MINOR: stream: Remove the lock on the proxy to update time stats
+ * MINOR: freq_ctr: Make the sliding window sums thread-safe
+ * BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
+ * BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
+ * BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests
+ * BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
+ * BUILD/MINOR: ssl: fix compiler warning about useless statement
+ * BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.
+ * BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec
+
+-------------------------------------------------------------------
+Tue Nov 19 14:16:54 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.9+git6.26b7b800:
+ * BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1
+ * BUG/MINOR: peers: Wrong null "server_name" data field handling.
+ * MINOR: peers: Add debugging information to "show peers".
+ * MINOR: peers: Add TX/RX heartbeat counters.
+ * MINOR: peers: Alway show the table info for disconnected peers.
+
+-------------------------------------------------------------------
+Tue Nov 19 13:55:05 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.9+git1.caf02113:
+ * BUG/MINOR: init: fix set-dumpable when using uid/gid
+
+-------------------------------------------------------------------
+Tue Nov 19 13:54:57 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.9+git0.efac87ee (bsc#1154980) (CVE-2019-18277):
+ * [RELEASE] Released version 2.0.9
+ * BUG/MINOR: mux-h1: Don't set CS_FL_EOS on a read0 when receiving data to pipe
+ * BUG/MEDIUM: filters: Don't call TCP callbacks for HTX streams
+ * BUG/MINOR: log: limit the size of the startup-logs
+ * BUILD: contrib/da: remove an "unused" warning
+ * MINOR: memory: also poison the area on freeing
+ * CLEANUP: session: slightly simplify idle connection cleanup logic
+ * BUG/MEDIUM: Make sure we leave the session list in session_free().
+ * BUG/MEDIUM: listeners: always pause a listener on out-of-resource condition
+ * BUG/MINOR: queue/threads: make the queue unlinking atomic
+ * DOC: management: fix typo on "cache_lookups" stats output
+ * DOC: management: document cache_hits and cache_lookups in the CSV format
+ * DOC: management: document reuse and connect counters in the CSV format
+ * BUG: dns: timeout resolve not applied for valid resolutions
+ * BUG/MINOR: action: do-resolve now use cached response
+ * BUG/MEDIUM: stream: Be sure to release allocated captures for TCP streams
+ * MINOR: doc: http-reuse connection pool fix
+ * BUG/MEDIUM: stream: Be sure to support splicing at the mux level to enable it
+ * BUG/MEDIUM: mux-h1: Disable splicing for chunked messages
+ * BUG/MEDIUM: mux-h2: immediately report connection errors on streams
+ * BUG/MEDIUM: mux-h2: immediately remove a failed connection from the idle list
+ * BUG/MEDIUM: mux-h2: report no available stream on a connection having errors
+ * BUG/MINOR: config: Update cookie domain warn to RFC6265
+ * BUG/MEDIUM: servers: Only set SF_SRV_REUSED if the connection if fully ready.
+ * BUG/MEDIUM: stream_interface: Only use SI_ST_RDY when the mux is ready.
+ * MINOR: mux: Add a new method to get informations about a mux.
+ * BUG/MINOR: spoe: fix off-by-one length in UUID format string
+ * BUG/MAJOR: stream-int: Don't receive data from mux until SI_ST_EST is reached
+ * BUG/MINOR: mux-h2: Don't pretend mux buffers aren't full anymore if nothing sent
+ * BUG/MINOR: cli: don't call the kw->io_release if kw->parse failed
+ * MINOR: tcp: avoid confusion in time parsing init
+ * BUG/MINOR: mux-h2: do not emit logs on backend connections
+ * MINOR: config: warn on presence of "\n" in header values/replacements
+
+-------------------------------------------------------------------
+Tue Nov 19 13:54:51 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.8+git0.60e6020c:
+ * [RELEASE] Released version 2.0.8
+ * BUG/MEDIUM: pattern: make the pattern LRU cache thread-local and lockless
+ * BUG/MINOR: stick-table: fix an incorrect 32 to 64 bit key conversion
+ * BUG/MINOR: ssl: fix memcpy overlap without consequences.
+ * BUG/MEDIUM: http: unbreak redirects in legacy mode
+ * BUG/MINOR: mux-h2: also make sure blocked legacy connections may expire
+ * BUG/MINOR: sample: Make the `field` converter compatible with `-m found`
+ * BUG/MINOR: cache: alloc shctx after check config
+ * BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr
+ * BUG/MINOR: ssl: Fix fd leak on error path when a TLS ticket keys file is parsed
+ * BUG/MINOR: mworker/cli: reload fail with inherited FD
+ * BUG/MEDIUM: ssl: 'tune.ssl.default-dh-param' value ignored with openssl > 1.1.1
+ * CLEANUP: bind: handle warning label on bind keywords parsing.
+ * CLEANUP: ssl: make ssl_sock_load_dh_params handle errcode/warn
+ * CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn
+ * CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes
+ * REGTEST: mcli/mcli_show_info: launch a 'show info' on the master CLI
+ * BUG/MEDIUM: mux_pt: Only call the wake emthod if nobody subscribed to receive.
+ * BUG/MEDIUM: mux_pt: Don't destroy the connection if we have a stream attached.
+ * Revert e8826ded5fea3593d89da2be5c2d81c522070995.
+ * BUG/MAJOR: idle conns: schedule the cleanup task on the correct threads
+ * BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream before freeing.
+ * BUG/MINOR: tcp: Don't alter counters returned by tcp info fetchers
+ * BUG/MINOR: mworker/ssl: close openssl FDs unconditionally
+ * BUG/MINOR: http-htx: Properly set htx flags on error files to support keep-alive
+ * MINOR: version: make the version strings variables, not constants
+ * BUG/MINOR: WURFL: fix send_log() function arguments
+ * BUG/MINOR: mux-h1: Capture ignored parsing errors
+ * BUG/MINOR: mux-h1: Mark the output buffer as full when the xfer is interrupted
+ * BUG/MINOR: chunk: Fix tests on the chunk size in functions copying data
+ * BUG/MEDIUM: htx: Catch chunk_memcat() failures when HTX data are formatted to h1
+ * BUILD: ssl: wrong #ifdef for SSL engines code
+ * BUG/MINOR: ssl: abort on sni_keytypes allocation failure
+ * BUG/MINOR: ssl: free the sni_keytype nodes
+ * BUG/MINOR: ssl: abort on sni allocation failure
+ * BUG/MEDIUM: applet: always check a fast running applet's activity before killing
+ * MINOR: stats: mention in the help message support for "json" and "typed"
+ * DOC: fix typo in Prometheus exporter doc
+ * DOC: clarify some points around http-send-name-header's behavior
+ * BUG/MEDIUM: cache: make sure not to cache requests with absolute-uri
+ * BUG/MINOR: peers: crash on reload without local peer.
+ * BUG/MEDIUM: mux-h2: do not enforce timeout on long connections
+ * BUILD: ebtree: make eb_is_empty() and eb_is_dup() take a const
+ * MINOR: mux-h2: add a per-connection list of blocked streams
+ * BUG/MINOR: action: do-resolve does not yield on requests with body
+ * BUG/MEDIUM: lua: Store stick tables into the sample's `t` field
+ * BUG/MINOR: lua: Properly initialize the buffer's fields for string samples in hlua_lua2(smp|arg)
+ * BUG/MINOR: stats: Add a missing break in a switch statement
+
+-------------------------------------------------------------------
+Mon Oct 07 08:05:46 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.7+git0.1909aa1e:
+ * [RELEASE] Released version 2.0.7
+ * BUG/MEDIUM: namespace: fix fd leak in master-worker mode
+ * DOC: Fix documentation about the cli command to get resolver stats
+ * BUG/MINOR: contrib/prometheus-exporter: Return the time averages in seconds
+ * MINOR: stats: Add the support of float fields in stats
+ * MINOR: spoe: Support the async mode with several threads
+ * MINOR: spoe: Improve generation of the engine-id
+ * BUG/MEDIUM: spoe: Use a different engine-id per process
+ * BUG/MINOR: mux-h1: Do h2 upgrade only on the first request
+ * BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames
+ * BUG/MINOR: mux-h2: Use the dummy error when decoding headers for a closed stream
+ * BUG/MEDIUM: mux-h2: don't reject valid frames on closed streams
+ * BUG/MEDIUM: namespace: close open namespaces during soft shutdown
+ * BUG/MINOR: mux-h2: do not wake up blocked streams before the mux is ready
+ * BUG/MEDIUM: checks: make sure the connection is ready before trying to recv
+ * BUG/MEDIUM: stream-int: Process connection/CS errors during synchronous sends
+ * BUG/MINOR: stream-int: Process connection/CS errors first in si_cs_send()
+ * BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1
+ * BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM frame
+ * 
BUG/MINOR: mux-h2: Be sure to have a connection to unsubcribe
+ * BUG/MEDIUM: stick-table: Properly handle "show table" with a data type argument
+
+-------------------------------------------------------------------
+Tue Sep 17 15:41:39 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.6+git0.58706ab4:
+ * [RELEASE] Released version 2.0.6
+ * MINOR: sample: Add UUID-fetch
+ * BUG/MINOR: Missing stat_field_names (since f21d17bb)
+ * BUG/MINOR: backend: Fix a possible null pointer dereference
+ * BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed
+ * BUG/MINOR: filters: Properly set the HTTP status code on analysis error
+ * BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding
+ * BUG/MINOR: ssl: always check for ssl connection before getting its XPRT context
+ * BUG/MINOR: listener: Fix a possible null pointer dereference
+ * MINOR: stats: report the number of idle connections for each server
+ * BUG/MEDIUM: connection: don't keep more idle connections than ever needed
+ * BUG/MAJOR: ssl: ssl_sock was not fully initialized.
+ * BUG/MINOR: lb/leastconn: ignore the server weights for empty servers
+ * MINOR: contrib/prometheus-exporter: Report DRAIN/MAINT/NOLB status for servers
+ * BUG/MINOR: checks: do not uselessly poll for reads before the connection is up
+ * BUG/MINOR: checks: make __event_chk_srv_r() report success before closing
+ * BUG/MINOR: checks: start sending the request right after connect()
+ * BUG/MINOR: checks: stop polling for write when we have nothing left to send
+ * BUG/MEDIUM: cache: Don't cache objects if the size of headers is too big
+ * BUG/MEDIUM: cache: Properly copy headers splitted on several shctx blocks
+ * BUG/MINOR: mux-h1: Be sure to update the count before adding EOM after trailers
+ * BUG/MINOR: mux-h1: Don't stop anymore input processing when the max is reached
+ * BUG/MINOR: mux-h1: Fix size evaluation of HTX messages after headers parsing
+ * BUG/MINOR: h1: Properly reset h1m when parsing is restarted
+ * BUG/MINOR: http-ana: Reset response flags when 1xx messages are handled
+ * BUG/MEDIUM: peers: local peer socket not bound.
+ * BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data
+ * BUG/MEDIUM: url32 does not take the path part into account in the returned hash.
+ * BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener()
+ * BUG/MINOR: mworker: disable SIGPROF on re-exec
+ * DOC: fixed typo in management.txt
+ * BUG/MEDIUM: mux-h1: do not report errors on transfers ending on buffer full
+ * BUG/MEDIUM: mux-h1: do not truncate trailing 0CRLF on buffer boundary
+ * MEDIUM: debug: make the thread dump code show Lua backtraces
+ * MINOR: lua: export applet and task handlers
+ * MINOR: tools: add append_prefixed_str()
+ * MINOR: debug: indicate the applet name when the task is task_run_applet()
+
+-------------------------------------------------------------------
+Thu Aug 22 11:23:04 CEST 2019 - kukuk@suse.de
+
+- Use %license instead of %doc [bsc#1082318]
+- Recommend apparmor, it's not required to work (make haproxy
+ useable in a container)
+
+-------------------------------------------------------------------
+Tue Aug 20 15:05:47 UTC 2019 - Marcus Rueckert
+
+- enable prometheus exporter
+
+-------------------------------------------------------------------
+Tue Aug 20 14:05:47 UTC 2019 - Marcus Rueckert
+
+- enable verbose make output
+
+-------------------------------------------------------------------
+Tue Aug 20 14:01:33 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.5+git0.d905f49a:
+ * [RELEASE] Released version 2.0.5
+ * BUG/MEDIUM: mux_pt: Don't call unsubscribe if we did not subscribe.
+ * MINOR: fd: make sure to mark the thread as not stuck in fd_update_events()
+ * BUG/MINOR: stats: Wait the body before processing POST requests
+ * BUG/MEDIUM: lua: Fix test on the direction to set the channel exp timeout
+ * BUG/MEDIUM: mux_h1: Don't bother subscribing in recv if we're not connected.
+ * BUG/MINOR: Fix prometheus '# TYPE' and '# HELP' headers
+ * BUG/MINOR: lua: fix setting netfilter mark
+ * BUG/MEDIUM: proxy: Don't use cs_destroy() when freeing the conn_stream.
+ * BUG/MEDIUM: proxy: Don't forget the SF_HTX flag when upgrading TCP=>H1+HTX.
+ * BUG/MINOR: buffers/threads: always clear a buffer's head before releasing it
+ * MINOR: ssl: ssl_fc_has_early should work for BoringSSL
+ * BUG/MINOR: ssl: fix 0-RTT for BoringSSL
+ * BUG/MEDIUM: stick-table: Wrong stick-table backends parsing.
+ * [RELEASE] Released version 2.0.4
+ * BUG/MEDIUM: checks: make sure to close nicely when we're the last to speak
+ * BUG/MINOR: mux-h2: always reset rcvd_s when switching to a new frame
+ * BUG/MINOR: mux-h2: always send stream window update before connection's
+ * BUG/MEDIUM: mux-h2: do not recheck a frame type after a state transition
+ * BUG/MINOR: mux-h2: do not send REFUSED_STREAM on aborted uploads
+ * BUG/MINOR: mux-h2: use CANCEL, not STREAM_CLOSED in h2c_frt_handle_data()
+ * BUG/MINOR: mux-h2: don't refrain from sending an RST_STREAM after another one
+ * BUG/MEDIUM: fd: Always reset the polled_mask bits in fd_dodelete().
+ * BUG/MEDIUM: proxy: Make sure to destroy the stream on upgrade from TCP to H2
+ * BUG/MEDIUM: mux-h2: split the stream's and connection's window sizes
+ * BUG/MEDIUM: mux-h2: unbreak receipt of large DATA frames
+ * BUG/MINOR: stream-int: also update analysers timeouts on activity
+ * BUG/MAJOR: http/sample: use a static buffer for raw -> htx conversion
+ * BUG/MEDIUM: lb-chash: Ensure the tree integrity when server weight is increased
+ * MINOR: wdt: also consider that waiting in the thread dumper is normal
+ * BUG/MINOR: debug: fix a small race in the thread dumping code
+
+-------------------------------------------------------------------
+Tue Jul 30 13:16:56 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.3+git14.0ff395c1 (bsc#1142529) (CVE-2019-14241):
+ * BUG/MAJOR: queue/threads: avoid an AB/BA locking issue in process_srv_queue()
+ * BUG/MINOR: htx: Fix free space addresses calculation during a block expansion
+ * BUG/MINOR: hlua: Only execute functions of HTTP class if the txn is HTTP ready
+ * MINOR: hlua: Add a flag on the lua txn to know in which context it can be 
used
+ * MINOR: hlua: Don't set request analyzers on response channel for lua actions
+ * BUG/MEDIUM: hlua: Check the calling direction in lua functions of the HTTP class
+ * BUG/MINOR: hlua/htx: Reset channels analyzers when txn:done() is called
+ * DOC: improve the wording in CONTRIBUTING about how to document a bug fix
+ * BUG/MINOR: log: make sure writev() is not interrupted on a file output
+ * BUG/MEDIUM: streams: Don't switch the SI to SI_ST_DIS if we have data to send.
+ * BUG/MEDIUM: lb-chash: Fix the realloc() when the number of nodes is increased
+ * BUILD: threads: add the definition of PROTO_LOCK
+ * BUG/MINOR: proxy: always lock stop_proxy()
+ * BUG/MEDIUM: protocols: add a global lock for the init/deinit stuff
+ * [RELEASE] Released version 2.0.3
+ * BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by a delimiter
+ * BUG/MINOR: http_htx: Support empty errorfiles
+ * BUG/MINOR: http_ana: Be sure to have an allocated buffer to generate an error
+ * BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream
+ * BUG/MINOR: mux-h1: Close server connection if input data remains in h1_detach()
+ * BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction
+ * BUG/MINOR: checks: do not exit tcp-checks from the middle of the loop
+ * BUG/MINOR: session: Send a default HTTP error if accept fails for a H1 socket
+ * BUG/MINOR: session: Emit an HTTP error if accept fails only for H1 connection
+ * BUG/MINOR: debug: Remove flags CO_FL_SOCK_WR_ENA/CO_FL_SOCK_RD_ENA
+ * DOC: htx: Update comments in HTX files
+ * BUG/MINOR: hlua: Make the function txn:done() HTX aware
+ * BUG/MINOR: cache/htx: Make maxage calculation HTX aware
+ * BUG/MINOR: http_htx: Initialize HTX error messages for TCP proxies
+ * BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP rules
+ * BUG/MINOR: backend: do not try to install a mux when the connection failed
+ * BUG/MEDIUM: http/htx: unbreak option http_proxy
+ * BUG/MEDIUM: 
checks: Don't attempt to receive data if we already subscribed.
+ * BUG/MINOR: dns: remove irrelevant dependency on a client connection
+ * [RELEASE] Released version 2.0.2
+ * BUG/MEDIUM: threads: cpu-map designating a single thread/process are ignored
+ * BUG/MEDIUM: tcp-check: unbreak multiple connect rules again
+ * BUG/MINOR: mux-pt: do not pretend there's more data after a read0
+ * BUG/MEDIUM: streams: Don't redispatch with L7 retries if redispatch isn't set.
+ * BUG/MEDIUM: streams: Don't give up if we couldn't send the request.
+ * BUG/MINOR: mux-h1: Correctly report Ti timer when HTX and keepalives are used
+ * BUG/MEDIUM: mux-h1: Don't release h1 connection if there is still data to send
+ * BUG/MAJOR: listener: fix thread safety in resume_listener()
+ * MINOR: task: introduce work lists
+ * BUG/MEDIUM: servers: Fix a race condition with idle connections.
+ * DOC: Fix typos and grammer in configuration.txt
+ * BUG/MEDIUM: da: cast the chunk to string.
+ * BUG/MEDIUM: checks: Don't attempt to read if we destroyed the connection.
+ * BUG/MINOR: server: Be really able to keep "pool-max-conn" idle connections
+ * BUG/MEDIUM: fd/threads: fix excessive CPU usage on multi-thread accept
+
+-------------------------------------------------------------------
+Tue Jul 09 11:48:41 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.1+git27.5db881ff:
+ * BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2
+ * BUG/MEDIUM: servers: Don't forget to set srv_cs to NULL if we can't reuse it.
+ * BUG/MEDIUM: stream-int: Don't rely on CF_WRITE_PARTIAL to unblock opposite si
+ * MINOR: stream-int: Factorize processing done after sending data in si_cs_send()
+ * BUG/MINOR: mux-h1: Don't process input or ouput if an error occurred
+ * BUG/MEDIUM: mux-h1: Handle TUNNEL state when outgoing messages are formatted
+ * BUG/MEDIUM: lb_fas: Don't test the server's lb_tree from outside the lock
+ * BUG/MEDIUM: http/applet: Finish request processing when a service is registered
+ * MINOR: action: Add the return code ACT_RET_DONE for actions
+ * BUG/MINOR: contrib/prometheus-exporter: Don't try to add empty data blocks
+ * MINOR: server: Add "no-tfo" option.
+ * BUG/MEDIUM: sessions: Don't keep an extra idle connection in sessions.
+ * BUG/MEDIUM: servers: Authorize tfo in default-server.
+ * BUG/MEDIUM: connections: Make sure we're unsubscribe before upgrading the mux.
+ * BUG/MINOR: contrib/prometheus-exporter: Respect the reserve when data are sent
+ * BUG/MINOR: hlua/htx: Respect the reserve when HTX data are sent
+ * BUG/MEDIUM: channel/htx: Use the total HTX size in channel_htx_recv_limit()
+ * BUG/MINOR: hlua: Don't use channel_htx_recv_max()
+ * BUG/MINOR: contrib/prometheus-exporter: Don't use channel_htx_recv_max()
+ * BUG/MEDIUM: checks: Make sure the tasklet won't run if the connection is closed.
+ * BUG/MEDIUM: connections: Always call shutdown, with no linger.
+ * BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses
+ * BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages
+ * BUG/MEDIUM: checks: unblock signals in external checks
+ * BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported
+ * BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL.
+ * BUG/MINOR: mworker/cli: don't output a \n before the response
+ * BUG/MINOR: mux-h1: Make format errors during output formatting fatal
+ * BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages
+ * BUG/MEDIUM: proto_htx: Don't add EOM on 1xx informational messages
+ * BUG/MINOR: log: Detect missing sampling ranges in config
+ * BUG/MINOR: memory: Set objects size for pools in the per-thread cache
+ * BUG/MAJOR: mux-h1: Don't crush trash chunk area when outgoing message is formatted
+ * BUG/MINOR: htx: Save hdrs_bytes when the HTX start-line is replaced
+ * BUG/MEDIUM: ssl: Don't do anything in ssl_subscribe if we have no ctx.
+ * BUG/MEDIUM: connections: Always add the xprt handshake if needed.
+ * BUG/MEDIUM: stream_interface: Don't add SI_FL_ERR the state is < SI_ST_CON.
+ * BUG/MINOR: spoe: Fix memory leak if failing to allocate memory
+ * BUG/MEDIUM: mworker/cli: command pipelining doesn't work anymore
+ * BUG/MEDIUM: mworker: don't call the thread and fdtab deinit
+ * BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse
+ * BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL condition.
+ * BUG/MEDIUM: lb_fwlc: Don't test the server's lb_tree from outside the lock
+ * BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked
+ * BUG/MEDIUM: mux-h2: Reset padlen when several frames are demux
+
+-------------------------------------------------------------------
+Sun Jun 30 10:24:18 UTC 2019 - Jan Engelhardt
+
+- Correct version line, which should be 2.0.0+git6.
+
+-------------------------------------------------------------------
+Tue Jun 18 12:09:15 UTC 2019 - Marcus Rueckert
+
+- allow the new master socket path in the apparmor profile
+
+-------------------------------------------------------------------
+Tue Jun 18 12:04:20 UTC 2019 - mrueckert@suse.de
+
+- Update to version 2.0.0~git6.41dc8432:
+ * BUG/MEDIUM: htx: Fully update HTX message when the block value is changed
+ * MINOR: htx: Add the function htx_change_blk_value_len()
+ * BUG/MEDIUM: compression: Set Vary: Accept-Encoding for compressed responses
+ * BUG/MINOR: mux-h1: Add the header connection in lower case in outgoing messages
+ * BUG/MINOR: lua/htx: Make txn.req_req_* and txn.res_rep_* HTX aware
+ * BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built
+
+-------------------------------------------------------------------
+Mon Jun 17 12:33:47 UTC 2019 - kgronlund@suse.com
+
+- Update to version 2.0.0~git0.ba23630a:
+ - new internal native HTTP representation called HTX, was already in 1.9
+ and is now enabled by default in 2.0 ;
+
+ - end-to-end HTTP/2 support including trailers and continuation frames,
+ as needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using
+ the H2 preface;
+
+ - server connection pooling and more advanced reuse, with ALPN protocol
+ negotiation (already in 1.9) ;
+
+ - layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers
+ as well as on the frontend ;
+
+ - much more scalable multi-threading, which is even enabled by default on
+ platforms where it was successfully tested ; by default, as many threads
+ are started as the number of CPUs haproxy is allowed to run on. 
This
+ removes a lot of configuration burden in VMs and containers ;
+
+ - automatic maxconn setting for the process and the frontends, directly
+ based on the number of available FDs (easier configuration in containers
+ and with systemd) ;
+
+ - logging to stdout for use in containers and systemd (already in 1.9).
+ Logs can now provide micro-second resolution for some events ;
+
+ - peers now support SSL, declaration of multiple stick-tables directly in
+ the peers section, and synchronization of server names, not just IDs ;
+
+ - In master-worker mode, the master process now exposes its own CLI and
+ can communicate with all other processes (including the stopping ones),
+ even allowing to connect to their CLI and check their state. It is also
+ possible to start some sidecar programs and monitor them from the master,
+ and the master can automatically kill old processes that survived too
+ many reloads ;
+
+ - the incoming connections are load-balanced between all threads depending
+ on their load to minimize the processing time and maximize the capacity
+ (already in 1.9) ;
+
+ - the SPOE connection load-balancing was significantly improved in order
+ to reduce high percentiles of SPOA response time (already in 1.9) ;
+
+ - the "random" load balancing algorithm and a power-of-two-choices variant
+ were introduced ;
+
+ - statistics improvements with per-thread counters for certain things, and
+ a prometheus exporter for all our statistics;
+
+ - lots of debugging help, it's easier to produce a core dump, there are
+ new commands on the CLI to control various things, there is a watchdog
+ to fail cleanly when a thread deadlock or a spinning task are detected,
+ so overall it should provide a better experience in field and less
+ round trips between users and developers (hence less stress during an
+ incident).
+
+ - all 3 device detection engines are now compatible with multi-threading
+ and can be build-tested without any external dependencies ;
+
+ - "do-resolve" http-request action to perform a DNS resolution on any,
+ sample, and resolvers now support relying on /etc/resolv.conf to match
+ the local resolver ;
+
+ - log sampling and balancing : it's now possible to send 1 log every 10
+ to a server, or to spread the logging load over multiple log servers;
+
+ - a new SPOA agent (spoa_server) allows to interface haproxy with Python
+ and Lua programs ;
+
+ - support for Solaris' event ports (equivalent of kqueue or epoll) which
+ will significantly improve the performance there when dealing with
+ numerous connections ;
+
+ - some warnings are now reported for some deprecated options that will
+ be removed in 2.1. Since 2.0 is long term supported, there's no
+ emergency to convert them, however if you see these warnings, you
+ need to understand that you're among their extremely rare users and
+ just because of this you may be taking risks by keeping them ;
+
+ - A new SOCKS4 server-side layer was provided ; it allows outgoing
+ connections to be forwarded through a SOCKS4 proxy (such as ssh -D).
+
+ - priority- and latency- aware server queues : it is possible now to
+ assign priorities to certain requests and/or to give them a time
+ bonus or penalty to refine control of the traffic and be able to
+ engage on SLAs.
+
+ - internally the architecture was significantly redesigned to allow to
+ further improve performance and make it easier to implement protocols
+ that span over multiple layers (such as QUIC). This work started in
+ 1.9 and will continue with 2.1.
+
+ - the I/O, applets and tasks now share the same multi-threaded scheduler,
+ giving a much better responsiveness and fairness between all tasks as
+ is visible with the CLI which always responds instantly even under
+ extreme loads (started in 1.9) ;
+
+ - the internal buffers were redesigned to ease zero-copy operations, so
+ that it is possible to sustain a high bandwidth even when forwarding
+ HTTP/1 to/from HTTP/2 (already in 1.9) ;
+
+-------------------------------------------------------------------
+Fri May 03 12:56:13 UTC 2019 - kgronlund@suse.com
+
+- Update to version 1.8.20~git0.6fb9fadc:
+ * [RELEASE] Released version 1.8.20
+ * BUG/MINOR: spoe: Don't systematically wakeup SPOE stream in the applet handler
+ * BUG/MINOR: da: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST()
+ * BUG/MINOR: 51d: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST()
+ * BUG/MEDIUM: thread/http: Add missing locks in set-map and add-acl HTTP rules
+ * BUG/MINOR: acl: properly detect pattern type SMP_T_ADDR
+ * BUG/MEDIUM: maps: only try to parse the default value when it's present
+ * BUG/MAJOR: http_fetch: Get the channel depending on the keyword used
+ * MINOR: skip get_gmtime where tm is unused
+ * BUILD/MINOR: listener: Silent a few signedness warnings.
+ * BUG/MEDIUM: listener: make sure the listener never accepts too many conns
+ * BUG/MEDIUM: listener: use a self-locked list for the dequeue lists
+ * MAJOR: listener: do not hold the listener lock in listener_accept()
+ * BUG/MEDIUM: list: fix incorrect pointer unlocking in LIST_DEL_LOCKED()
+ * BUG/MEDIUM: list: fix again LIST_ADDQ_LOCKED
+ * BUG/MEDIUM: list: correct fix for LIST_POP_LOCKED's removal of last element
+ * MINOR: list: make the delete and pop operations idempotent
+ * BUG/MEDIUM: list: add missing store barriers when updating elements and head
+ * BUG/MEDIUM: list: fix LIST_POP_LOCKED's removal of the last pointer
+ * BUG/MEDIUM: list: fix the rollback on addq in the locked liss
+ * BUG/MEDIUM: lists: Properly handle the case we're removing the first elt.
+ * MINOR: lists: Implement locked variations.
+ * BUG/MINOR: threads: fix the process range of thread masks
+ * BUG/MEDIUM: spoe: Return an error if nothing is encoded for fragmented messages
+ * BUG/MEDIUM: spoe: Queue message only if no SPOE applet is attached to the stream
+ * BUG/MEDIUM: pattern: assign pattern IDs after checking the config validity
+ * BUILD: connection: fix naming of ip_v field
+ * BUILD: use inttypes.h instead of stdint.h
+ * BUG/MEDIUM: peers: fix a case where peer session is not cleanly reset on release.
+ * MINOR: cli: start addresses by a prefix in 'show cli sockets'
+ * BUG/MINOR: cli: correctly handle abns in 'show cli sockets'
+ * BUILD: Makefile: disable shared cache on AIX 5.1
+ * BUILD: makefile: add _LINUX_SOURCE_COMPAT to build on AIX-51
+ * BUILD: makefile: fix build of IPv6 header on aix51
+ * MINOR: tools: make memvprintf() never pass a NULL target to vsnprintf()
+ * BUILD: makefile: work around an old bug in GNU make-3.80
+ * BUG/MAJOR: checks: segfault during tcpcheck_main
+ * DOC: The option httplog is no longer valid in a backend.
+ * BUG/MEDIUM: ssl: ability to set TLS 1.3 ciphers using ssl-default-server-ciphersuites
+ * BUG/MINOR: http/counters: fix missing increment of fe->srv_aborts
+ * BUG/MAJOR: stats: Fix how huge POST data are read from the channel
+ * BUG/MAJOR: spoe: Fix initialization of thread-dependent fields
+ * BUG/MEDIUM: threads/fd: do not forget to take into account epoll_fd/pipes
+ * MEDIUM: threads: Use __ATOMIC_SEQ_CST when using the newer atomic API.
+ * BUG/MINOR: ssl: fix warning about ssl-min/max-ver support
+ * BUG/MEDIUM: 51d: fix possible segfault on deinit_51degrees()
+ * BUG/MEDIUM: logs: Only attempt to free startup_logs once.
+ * BUG/MINOR: listener: keep accept rate counters accurate under saturation
+ * BUG/MAJOR: listener: Make sure the listener exist before using it.
+
+-------------------------------------------------------------------
+Mon Feb 11 15:16:38 UTC 2019 - kgronlund@suse.com
+
+- Update to version 1.8.19~git0.ebf033b4:
+ * [RELEASE] Released version 1.8.19
+ * BUG/MINOR: config: Reinforce validity check when a process number is parsed
+ * BUG/MAJOR: stream: avoid double free on unique_id
+ * BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck
+ * BUG/MEDIUM: server: initialize the idle conns list after parsing the config
+ * BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
+ * BUG/MINOR: lua: initialize the correct idle conn lists for the SSL sockets
+ * BUG/MINOR: spoe: do not assume agent->rt is valid on exit
+ * DOC: ssl: Stop documenting ciphers example to use
+ * DOC: ssl: Clarify when pre TLSv1.3 cipher can be used
+ * [RELEASE] Released version 1.8.18
+ * BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules
+ * BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes
+ * BUG/MAJOR: config: verify that targets of track-sc and stick rules are present
+ * BUG/MINOR: config: fix bind line thread mask validation
+ * BUG/MEDIUM: stream: Don't 
forget to free s->unique_id in stream_free().
+ * BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
+ * MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
+ * MINOR: stream-int: add a new flag to mention that we want the connection to be killed
+ * MINOR: stream-int: expand the flags to 32-bit
+ * BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection
+ * BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
+ * BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
+ * BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update
+ * MINOR: xref: Add missing barriers.
+ * BUG/MINOR: stream: don't close the front connection when facing a backend error
+ * SCRIPTS: add the issue tracker URL to the announce script
+ * SCRIPTS: add the slack channel URL to the announce script
+ * BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit
+ * BUG/MINOR: spoe: corrected fragmentation string size
+ * DOC: nbthread is no longer experimental.
+ * BUG/MINOR: hpack: return a compression error on invalid table size updates
+ * BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream
+ * BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error
+ * BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
+ * MINOR: h2: declare new sets of frame types
+ * MINOR: h2: add a bit-based frame type representation
+ * DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
+ * BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
+ * BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()
+ * BUG/MINOR: server: don't always trust srv_check_health when loading a server state
+ * BUG/MINOR: stick_table: Prevent conn_cur from underflowing
+ * BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
+ * BUG/MINOR: backend: balance uri specific options were lost across defaults
+ * BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
+ * BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
+ * DOC: Be a bit more explicit about allow-0rtt security implications.
+ * BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
+ * BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
+ * DOC: http-request cache-use / http-response cache-store expects cache name
+
+-------------------------------------------------------------------
+Thu Jan 10 08:42:33 UTC 2019 - kgronlund@suse.com
+
+- Update to version 1.8.17~git0.e89d25b2 (bsc#1121283) (CVE-2018-20615):
+ * BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
+ * BUG/MEDIUM: lua: dead lock when Lua tasks are trigerred
+ * BUG/MINOR: lua: bad args are returned for Lua actions
+ * BUG/MINOR: lua: Return an error if a legacy HTTP applet doesn't send anything
+ * BUG/MEDIUM: cli: make "show sess" really thread-safe
+ * MINOR: stream/cli: report more info about the HTTP messages on "show sess all"
+ * MINOR: stream/cli: fix the location of the waiting flag in "show sess all"
+ * MINOR: lb: allow redispatch when using consistent hash
+ * BUG/MEDIUM: server: Also copy "check-sni" for server templates.
+ * BUG/MEDIUM: mux-h2: mark that we have too many CS once we have more than the max
+ * MINOR: mux-h2: only increase the connection window with the first update
+ * BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify()
+ * BUG/MEDIUM: dns: overflowed dns name start position causing invalid dns error
+ * BUG/MEDIUM: dns: Don't prevent reading the last byte of the payload in dns_validate_response()
+ * BUG/MINOR: logs: leave startup-logs global and not per-thread
+
+-------------------------------------------------------------------
+Mon Dec 17 09:42:18 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.15~git0.6b6a350a: (bsc#1119419) (CVE-2018-20103) (VUL-0) (bsc#1119368) (CVE-2018-20102)
+ * DOC: Update configuration doc about the maximum number of stick counters.
+ * BUG: dns: Fix off-by-one write in dns_validate_dns_response()
+ * BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response()
+ * BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()
+ * BUG: dns: Prevent out-of-bounds read in dns_read_name()
+ * BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name
+ * DOC: refer to check-sni in the documentation of sni
+ * DOC: clarify that check-sni needs an argument.
+ * MINOR: servers: Free [idle|safe|priv]_conns on exit.
+ * MINOR: stats: report the number of active jobs and listeners in "show info"
+ * BUG/MINOR: mux-h2: advertise a larger connection window size
+ * BUG/MINOR: mux-h2: refrain from muxing during the preface
+ * BUG/MINOR: hpack: fix off-by-one in header name encoding length calculation
+ * BUG/MEDIUM: sample: Don't treat SMP_T_METH as SMP_T_STR.
+ * BUG/MINOR: lb-map: fix unprotected update to server's score
+ * BUG/MINOR: cfgparse: Fix the call to post parser of the last sections parsed
+ * BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name
+ * BUG/MINOR: ssl: ssl_sock_parse_clienthello ignores session id
+ * BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field
+ * BUG/MINOR: config: Copy default error messages when parsing of a backend starts
+ * BUG/MEDIUM: Make sure stksess is properly aligned.
+ * BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn
+ * BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe
+ * BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
+ * BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic
+ * BUG/MINOR: only mark connections private if NTLM is detected
+ * DOC: cache: Missing information about "total-max-size"
+ * BUG/MINOR: ssl: Wrong usage of shctx_init().
+ * BUG/MINOR: cache: Wrong usage of shctx_init().
+ * BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB).
+ * BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent.
+ * BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF.
+ * DOC: fix reference to map files in MAINTAINERS
+ * MINOR: peers: use defines instead of enums to appease clang.
+ * MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80.
+ * MINOR: server: Use memcpy() instead of strncpy().
+ * CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause
+ * MINOR: lua: all functions calling lua_yieldk() may return
+ * BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile
+ * BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point
+ * BUG/MEDIUM: stream: don't crash on out-of-memory
+ * BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM.
+ * BUG/MINOR: checks: queues null-deref
+ * BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
+ * MEDIUM: ssl: add support for ciphersuites option for TLSv1.3
+ * BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2.
+ * BUG/MINOR: backend: check that the mux installed properly
+ * BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2
+ * DOC: clarify force-private-cache is an option
+ * MINOR: threads: Make sure threads_sync_pipe is initialized before using it.
+
+-------------------------------------------------------------------
+Thu Sep 20 13:03:31 UTC 2018 - Marcus Rueckert
+
+- also fix the systemd case for the apparmor_reload change
+
+-------------------------------------------------------------------
+Thu Sep 20 12:50:35 UTC 2018 - Marcus Rueckert
+
+- only reload the apparmor profile on newer distros, seems older
+ distros do not have apparmor-rpm-macros yet
+
+-------------------------------------------------------------------
+Thu Sep 20 12:45:57 UTC 2018 - Marcus Rueckert
+
+- only use network namespaces on 12.x and newer, failed to build on
+ sle11
+
+-------------------------------------------------------------------
+Thu Sep 20 12:39:42 UTC 2018 - Marcus Rueckert
+
+- guard all parts referring to systemd to fix build on sle 11
+
+-------------------------------------------------------------------
+Thu Sep 20 12:34:47 UTC 2018 - mrueckert@suse.de
+
+- Update to version 1.8.14~git0.52e4d43b: (bsc#1108683) (CVE-2018-14645)
+ * [RELEASE] Released version 1.8.14
+ * BUG/CRITICAL: hpack: fix improper sign check on the header index value
+ * BUG/MINOR: cli: make sure the "getsock" command is only called on connections
+ * BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
+ * BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list
+ * DOC: Fix typos in lua documentation
+ * BUG/MINOR: server: Crash when setting FQDN via CLI.
+ * BUG/MAJOR: kqueue: Don't reset the changes number by accident.
+ * BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
+ * BUG/MINOR: http/threads: atomically increment the error snapshot ID
+ * BUG/MINOR: dns: check and link servers' resolvers right after config parsing
+ * BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
+ * BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
+ * BUG/MINOR: stream: use atomic increments for the request counter
+ * MINOR: thread: implement HA_ATOMIC_XADD()
+ * BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1
+ * BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file
+ * BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
+ * BUG/MAJOR: thread: lua: Wrong SSL context initialization.
+ * BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
+ * BUG/MEDIUM: lua: reset lua transaction between http requests
+ * BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
+ * BUG/MINOR: lua: Bad HTTP client request duration.
+ * BUG/MEDIUM: unix: provide a ->drain() function
+ * DOC: Fix spelling error in configuration doc
+ * BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
+ * BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
+ * BUG/MEDIUM: lua: socket timeouts are not applied
+ * DOC: ssl: Use consistent naming for TLS protocols
+ * DOC: dns: explain set server ... fqdn requires resolver
+ * BUG/MINOR: map: fix map_regm with backref
+ * BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
+ * BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
+ * BUG/MINOR: ssl: empty connections reported as errors.
+ * BUG/MEDIUM: cli: make "show fd" thread-safe
+ * MEDIUM: hathreads: implement a more flexible rendez-vous point
+ * BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
+ * MINOR: threads: add more consistency between certain variables in no-thread case
+ * BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
+ * MINOR: threads: Introduce double-width CAS on x86_64 and arm.
+ * BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers
+
+-------------------------------------------------------------------
+Fri Aug 17 11:41:35 UTC 2018 - kgronlund@suse.com
+
+- Require apparmor-abstractions to reduce dependencies (bsc#1100787)
+
+-------------------------------------------------------------------
+Thu Aug 16 07:08:12 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.13~git4.c1bfcd00:
+ * MINOR: dns: new DNS options to allow/prevent IP address duplication
+ * MINOR: dns: fix wrong score computation in dns_get_ip_from_response
+ * BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
+ * BUG/MEDIUM: servers: check the queues once enabling a server
+ * MEDIUM: proxy_protocol: Convert IPs to v6 when protocols are mixed
+ * BUG/MEDIUM: threads: unbreak "bind" referencing an incorrect thread number
+ * MINOR: threads: move "nbthread" parsing to hathreads.c
+ * BUG/MEDIUM: threads: properly fix nbthreads == MAX_THREADS
+ * BUG/MINOR: threads: Handle nbthread == MAX_THREADS.
+ * BUG/MINOR: config: stick-table is not supported in defaults section
+ * BUG/MEDIUM: h2: prevent orphaned streams from blocking a connection forever
+ * BUG/MEDIUM: threads/sync: use sched_yield when available
+ * BUG/MINOR: servers: Don't make "server" in a frontend fatal.
+ * BUG/MEDIUM: stats: don't ask for more data as long as we're responding
+ * BUG/MEDIUM: stream-int: don't immediately enable reading when the buffer was reportedly full
+ * MINOR: h2: add the error code and the max/last stream IDs to "show fd"
+ * BUG/MEDIUM: threads: Fix the exit condition of the thread barrier
+ * MINOR: debug: Add checks for conn_stream flags
+ * MINOR: debug: Add check for CO_FL_WILL_UPDATE
+ * BUG/MINOR: http: Set brackets for the unlikely macro at the right place
+ * BUG/MEDIUM: h2: make sure the last stream closes the connection after a timeout
+ * BUG/MEDIUM: h2: never leave pending data in the output buffer on close
+ * BUG/MEDIUM: h2: don't accept new streams if conn_streams are still in excess
+ * MINOR: h2: add the mux and demux buffer lengths on "show fd"
+ * MINOR: h2: keep a count of the number of conn_streams attached to the mux
+ * BUG/MINOR: h2: remove accidental debug code introduced with show_fd function
+ * MINOR: h2: implement a basic "show_fd" function
+ * MINOR: mux: add a "show_fd" function to dump debugging information for "show fd"
+ * BUG/MINOR: ssl: properly ref-count the tls_keys entries
+ * MINOR: systemd: consider exit status 143 as successful
+
+-------------------------------------------------------------------
+Wed Jun 27 17:33:49 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.12~git0.8a200c71:
+ * MINOR: stick-tables: make stktable_release() do nothing on NULL
+ * BUG/MAJOR: stick_table: Complete incomplete SEGV fix
+
+-------------------------------------------------------------------
+Wed Jun 27 08:36:29 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.11~git0.1d6ef58d:
+ * BUG/BUILD: threads: unbreak build without threads
+ * BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table
+
+-------------------------------------------------------------------
+Mon Jun 25 05:16:57 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.10~git0.ec17d7a9:
+ * MINOR: threads: Be sure to remove threads from all_threads_mask on exit
+ * BUG/MEDIUM: threads: Use the sync point to check active jobs and exit
+ * BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete().
+ * BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot
+ * BUG/MAJOR: ssl: Random crash with cipherlist capture
+ * BUG/MINOR: lua: Segfaults with wrong usage of types.
+ * BUG/MAJOR: map: fix a segfault when using http-request set-map
+ * MINOR: lua: Increase debug information
+ * BUG/MINOR: signals: ha_sigmask macro for multithreading
+ * BUG/MINOR: don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing
+ * BUG/MEDIUM: threads: handle signal queue only in thread 0
+ * BUG/MINOR: unix: Make sure we can transfer abns sockets on seamless reload.
+ * BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame
+ * BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame
+ * BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect
+ * BUG/MINOR: contrib/mod_defender: Don't reset the status code during disconnect
+ * BUG/MINOR: contrib/spoa_example: Don't reset the status code during disconnect
+ * MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0
+ * BUG/MEDIUM: lua/socket: Buffer error, may segfault
+ * BUG/MEDIUM: lua/socket: Sheduling error on write: may dead-lock
+ * BUG/MEDIUM: lua/socket: Notification error
+ * BUG/MAJOR: lua: Dead lock with sockets
+ * BUG/MEDIUM: lua/socket: wrong scheduling for sockets
+ * MINOR: task/notification: Is notifications registered ?
+ * BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in sync mode
+ * BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
+ * BUG/MEDIUM: lua/socket: Length required read doesn't work
+ * BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file
+ * BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.
+
+-------------------------------------------------------------------
+Tue May 29 07:09:26 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.9~git9.6d82e611:
+ * BUG/MEDIUM: cache: don't cache when an Authorization header is present (VUL-1) (bsc#1094846) (CVE-2018-11469)
+ * BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check failure.
+ * BUG/MINOR: ssl/lua: prevent lua from affecting automatic maxconn computation
+ * BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags
+ * BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags
+ * BUG/MEDIUM: spoe: Flags are not encoded in network order
+ * BUG/MINOR: lua: Socket.send threw runtime error: 'close' needs 1 arguments.
+ * BUG/MINOR: spoe: Mistake in error message about SPOE configuration
+ * BUG/MEDIUM: ssl: properly protect SSL cert generation
+ * BUG/MEDIUM: pollers: Use a global list for fd shared between threads.
+ * BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR
+ * BUG/MINOR: lua: ensure large proxy IDs can be represented
+ * BUG/MINOR: lua: schedule socket task upon lua connect()
+ * BUG/MEDIUM: task: Don't free a task that is about to be run.
+ * BUG/MINOR: map: correctly track reference to the last ref_elt being dumped
+ * DOC/MINOR: clean up LUA documentation re: servers & array/table.
+ * BUG/MINOR: lua: Put tasks to sleep when waiting for data
+ * BUG/MEDIUM: threads: Fix the sync point for more than 32 threads
+ * BUG/MINOR: checks: Fix check->health computation for flapping servers
+ * BUG/MINOR: config: disable http-reuse on TCP proxies
+ * BUG/MINOR: lua/threads: Make lua's tasks sticky to the current thread
+ * BUG/MEDIUM: h2: implement missing support for chunked encoded uploads
+ * MINOR: h2: detect presence of CONNECT and/or content-length
+ * BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits
+ * BUG/MINOR: log: t_idle (%Ti) is not set for some requests
+ * BUG/MAJOR: channel: Fix crash when trying to read from a closed socket
+ * BUG/MINOR: pattern: Add a missing HA_SPIN_INIT() in pat_ref_newid()
+
+-------------------------------------------------------------------
+Mon May 07 12:57:54 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.8:
+ * BUG/CRITICAL: h2: fix incorrect frame length check (VUL-0) (bsc#1089837)
+ * MINOR: cli: Ensure the CLI always outputs an error when it should
+ * BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE
+ * BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors.
+ * BUG/MINOR: http: Return an error in proxy mode when url2sa fails
+ * BUG/MEDIUM: connection: Make sure we have a mux before calling detach().
+ * BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes
+
+-------------------------------------------------------------------
+Sat Apr 07 00:15:13 UTC 2018 - mrueckert@suse.de
+
+- Update to version 1.8.7:
+ * [RELEASE] Released version 1.8.7
+ * MINOR: servers: Support alphanumeric characters for the server templates names
+ * BUG/MAJOR: cache: always initialize newly created objects
+ * [RELEASE] Released version 1.8.6
+ * BUG/MINOR: spoe: Don't release the context buffer in .check_timeouts callbaclk
+ * BUG/MINOR: spoe: Initialize variables used during conf parsing before any check
+ * BUG/MAJOR: cache: fix random crashes caused by incorrect delete() on non-first blocks
+ * BUG/MINOR: fd: Don't clear the update_mask in fd_insert.
+ * BUG/MINOR: cache: fix "show cache" output
+ * BUG/MINOR: email-alert: Set the mailer port during alert initialization
+ * BUG/MINOR: checks: check the conn_stream's readiness and not the connection
+ * BUG/MEDIUM: h2: always add a stream to the send or fctl list when blocked
+ * BUILD/MINOR: threads: always export thread_sync_io_handler()
+ * BUG/MEDIUM: h2: don't consider pending data on detach if connection is in error
+ * BUG/MEDIUM: h2/threads: never release the task outside of the task handler
+ * MINOR: h2: fuse h2s_detach() and h2s_free() into h2s_destroy()
+ * MINOR: h2: always call h2s_detach() in h2_detach()
+ * BUG/MAJOR: h2: remove orphaned streams from the send list before closing
+ * MINOR: h2: provide and use h2s_detach() and h2s_free()
+ * CLEANUP: h2: rename misleading h2c_stream_close() to h2s_close()
+ * BUG/MINOR: hpack: fix harmless use of uninitialized value in hpack_dht_insert
+ * BUILD/MINOR: cli: fix a build warning introduced by last commit
+ * MINOR: cli: make "show fd" report the mux and mux_ctx pointers when available
+ * MINOR: cli/threads: make "show fd" report thread_sync_io_handler instead of "unknown"
+ * BUILD/MINOR: fix build when USE_THREAD is not defined
+ * BUG/MINOR: lua funtion hlua_socket_settimeout don't check negative values
+ * BUG/MINOR: lua: the function returns anything
+
+-------------------------------------------------------------------
+Mon Mar 26 06:53:19 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.5:
+ * BUG/MINOR: listener: Don't decrease actconn twice when a new session is rejected
+ * BUG/MINOR: h2: ensure we can never send an RST_STREAM in response to an RST_STREAM
+ * BUG/MEDIUM: h2: properly account for DATA padding in flow control
+ * DOC: don't suggest using http-server-close
+ * DOC: log: more than 2 log servers are allowed
+ * BUILD/BUG: enable -fno-strict-overflow by default
+ * MINOR: log: stop emitting alerts when it's not possible to write on the socket
+ * BUG/MEDIUM: threads/queue: wake up other threads upon dequeue
+ * BUG/MINOR: tcp-check: use the server's service port as a fallback
+ * BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers
+ * BUG/MINOR: lua: return bad error messages
+ * BUG/MINOR: spoa-example: unexpected behavior for more than 127 args
+ * BUG/MINOR: cli: Fix a crash when sending a command with too many arguments
+ * BUG/MINOR: seemless reload: Fix crash when an interface is specified.
+ * BUG/MINOR: dns: don't downgrade DNS accepted payload size automatically
+ * BUG/MAJOR: threads/queue: Fix thread-safety issues on the queues management
+ * BUG/MEDIUM: threads/unix: Fix a deadlock when a listener is temporarily disabled
+ * BUG/MEDIUM: spoe: Remove idle applets from idle list when HAProxy is stopping
+ * BUG/MINOR: force-persist and ignore-persist only apply to backends
+ * BUG/MEDIUM: fix a 100% cpu usage with cpu-map and nbthread/nbproc
+ * BUG/MINOR: cli: Fix a typo in the 'set rate-limit' usage
+ * BUG/MINOR: cli: Fix a crash when passing a negative or too large value to "show fd"
+ * BUG/MEDIUM: h2: also arm the h2 timeout when sending
+ * BUG/MINOR: unix: Don't mess up when removing the socket from the xfer_sock_list.
+ * BUG/MINOR: session: Fix tcp-request session failure if handshake.
+ * MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file
+ * MINOR: systemd: Add SystemD's Protect*= options to the unit file
+ * MINOR: systemd: Add section for SystemD sandboxing to unit file
+ * BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk
+ * BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk
+ * BUG/MEDIUM: h2: always consume any trailing data after end of output buffers
+ * MINOR: stats: display the number of threads in the statistics.
+ * BUG/MINOR: h2: Set the target of dbuf_wait to h2c
+ * MINOR: debug/pools: make DEBUG_UAF also detect underflows
+ * BUG/MINOR: debug/pools: properly handle out-of-memory when building with DEBUG_UAF
+ * DOC: cfgparse: Warn on option (tcp|http)log in backend
+ * DOC: lua: new prototype for function "register_action()"
+ * BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
+ * BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier as possible
+ * BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe
+ * BUG/MINOR: init: Add missing brackets in the code parsing -sf/-st
+ * BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL
+ * BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable.
+ * BUG/MINOR: threads: fix missing thread lock labels for 1.8
+
+-------------------------------------------------------------------
+Thu Mar 8 19:19:06 UTC 2018 - mrueckert@suse.de
+
+- if we lock down the permissions the home directory has to be
+ owned by haproxy (bsc#1077716)
+
+-------------------------------------------------------------------
+Sun Mar 4 08:36:21 UTC 2018 - jengelh@inai.de
+
+- Avoid %__-type macro indirections. Remove redundant %clean
+ section. Do not ignore errors from useradd.
+
+-------------------------------------------------------------------
+Fri Mar 2 16:37:25 UTC 2018 - kgronlund@suse.com
+
+- Ensure haproxy home directory is not world readable (bsc#1077716)
+
+-------------------------------------------------------------------
+Thu Feb 08 13:15:17 UTC 2018 - kgronlund@suse.com
+
+- Update to version 1.8.4 (bsc#1080069):
+ * BUG/MINOR: config: don't emit a warning when global stats is incompletely configured
+ * DOC: Mention -Ws in the list of available options
+ * DOC: Describe routing impact of using interface keyword on bind lines
+ * MINOR: init: emit warning when -sf/-sd cannot parse argument
+ * BUG/MEDIUM: standard: Fix memory leak in str2ip2()
+ * BUG/MINOR: time/threads: ensure the adjusted time is always correct
+ * BUG/MEDIUM: spoe: Allow producer to read and to forward shutdown on request side
+ * BUG/MEDIUM: spoe: Always try to receive or send the frame to detect shutdowns
+ * BUG/MINOR: epoll/threads: only call epoll_ctl(DEL) on polled FDs
+ * BUG/MINOR: threads: Update labels array because of changes in lock_label enum
+ * BUG/MINOR: cli: use global.maxsock and not maxfd to list all FDs
+ * CLEANUP: Fix typo in ARGT_MSK6 comment
+ * BUG/MINOR: sample: Fix output type of c_ipv62ip
+ * CLEANUP: sample: Fix outdated comment about sample casts functions
+ * CLEANUP: sample: Fix comment encoding of sample.c
+ * BUILD: kqueue/threads: Add test on MAX_THREADS to avoid warnings when complied without threads
+ * BUILD: epoll/threads: Add test on MAX_THREADS to avoid warnings when complied without threads
+ * MINOR: threads: Use __decl_hathreads instead of #ifdef/#endif
+ * BUG/MINOR: kqueue/threads: Don't forget to close kqueue_fd[tid] on each thread
+ * BUG/MEDIUM: checks: Don't try to release undefined conn_stream when a check is freed
+ * BUG/MEDIUM: threads/server: Fix deadlock in srv_set_stopping/srv_set_admin_flag
+ * BUG/MINOR: threads: always set an owner to the thread_sync pipe
+ * MINOR: threads: Fix build when we're not compiling with threads.
+ * BUG/MINOR: mworker: only write to pidfile if it exists
+ * BUG/MEDIUM: threads/mworker: fix a race on startup
+ * BUG/MEDIUM: kqueue/threads: use one kqueue_fd per thread
+ * BUG/MEDIUM: epoll/threads: use one epoll_fd per thread
+ * MINOR: fd: add a bitmask to indicate that an FD is known by the poller
+ * BUG/MEDIUM: fd: maintain a per-thread update mask
+ * BUG/MEDIUM: threads/polling: Use fd_cache_mask instead of fd_cache_num
+ * MINOR: threads/fd: Use a bitfield to know if there are FDs for a thread in the FD cache
+ * MINOR: global: add some global activity counters to help debugging
+ * MINOR: threads: add a MAX_THREADS define instead of LONGBITS
+ * MINOR: global/threads: move cpu_map at the end of the global struct
+ * MINOR: servers: Don't report duplicate dyncookies for disabled servers.
+ * BUG/MEDIUM: peers: fix expire date wasn't updated if entry is modified remotely.
+ * BUG/MINOR: poll: too large size allocation for FD events
+ * CONTRIB: debug: fix a few flags definitions
+ * DOC: clarify the scope of ssl_fc_is_resumed
+ * BUG/MEDIUM: stream: properly handle client aborts during redispatch
+ * BUILD/MINOR: ancient gcc versions atomic fix
+ * BUG/MEDIUM: mworker: execvp failure depending on argv[0]
+ * MINOR: dns: Handle SRV record weight correctly.
+ * BUG/MINOR: lua: Fix return value of Socket.settimeout
+ * BUG/MEDIUM: lua: Fix IPv6 with separate port support for Socket.connect
+ * DOC: lua: Fix typos in comments of hlua_socket_receive
+ * BUG/MINOR: lua: Fix default value for pattern in Socket.receive
+ * BUG/MEDIUM: ssl: cache doesn't release shctx blocks
+ * BUG/MEDIUM: h2: properly handle the END_STREAM flag on empty DATA frames
+
+-------------------------------------------------------------------
+Thu Feb 8 07:21:58 UTC 2018 - kgronlund@suse.com
+
+- Add dependency on apparmor-profiles (bsc#1079985)
+
+-------------------------------------------------------------------
+Sun Dec 31 02:26:13 UTC 2017 - mrueckert@suse.de
+
+- Update to version 1.8.3:
+ * [RELEASE] Released version 1.8.3
+ * MEDIUM: h2: prepare a graceful shutdown when the frontend is stopped
+ * BUG/MAJOR: hpack: don't return direct references to the dynamic headers table
+ * BUG/MEDIUM: http: don't automatically forward request close
+ * MINOR: don't close stdio anymore
+ * BUG/MEDIUM: mworker: don't close stdio several time
+ * BUG/MEDIUM: h2: ensure we always know the stream before sending a reset
+ * DOC/MINOR: configuration: typo, formatting fixes
+ * BUG/MEDIUM: h2: improve handling of frames received on closed streams
+ * BUG/MEDIUM: h2: properly handle and report some stream errors
+
+-------------------------------------------------------------------
+Sun Dec 24 23:30:31 UTC 2017 - mrueckert@suse.de
+
+- Update to version 1.8.2:
+ * [RELEASE] Released version 1.8.2
+ * BUG/MEDIUM: checks: properly set servers to stopping state on 404
+ * BUG/MAJOR: connection: refine the situations where we don't send shutw()
+ * BUG/MEDIUM: cache: don't cache the response on no-cache="set-cookie"
+ * BUG/MEDIUM: cache: respect the request cache-control header
+ * BUG/MEDIUM: cache: replace old object on store
+ * BUG/MEDIUM: cache: do not try to retrieve host-less requests from the cache
+ * MINOR: http: add a function to check request's cache-control header field
+ * BUG/MINOR: cache: do not force the TX_CACHEABLE flag before checking cacheability
+ * BUG/MINOR: http: properly detect max-age=0 and s-maxage=0 in responses
+ * BUG/MINOR: http: do not ignore cache-control: public
+ * MINOR: http: start to compute the transaction's cacheability from the request
+ * MINOR: http: update the list of cacheable status codes as per RFC7231
+ * MINOR: http: adjust the list of supposedly cacheable methods
+ * BUG/MEDIUM: lua: fix crash when using bogus mode in register_service()
+ * BUG/MEDIUM: checks: a server passed in maint state was not forced down.
+ * MEDIUM: netscaler: add support for standard NetScaler CIP protocol
+ * MEDIUM: netscaler: do not analyze original IP packet size
+ * MINOR: netscaler: check in one-shot if buffer is large enough for IP and TCP header
+ * BUG/MEDIUM: stream: don't consider abortonclose on muxes which close cleanly
+ * MINOR: stream-int: set flag SI_FL_CLEAN_ABRT when mux supports clean aborts
+ * MINOR: mux: add flags to describe a mux's capabilities
+ * BUG/MINOR: h2: properly report a stream error on RST_STREAM
+ * CONTRIB: halog: Fix compiler warnings in halog.c
+ * CONTRIB: iprange: Fix compiler warning in iprange.c
+ * BUG/MAJOR: netscaler: address truncated CIP header detection
+ * BUG/MEDIUM: netscaler: use the appropriate IPv6 header size
+ * MINOR: netscaler: rename cip_len to clarify its uage
+ * MINOR: netscaler: remove the use of cip_magic only used once
+ * MINOR: netscaler: respect syntax
+ * DOC/MINOR: intro: typo, wording, formatting fixes
+ * BUG/MEDIUM: mworker: Set FD_CLOEXEC flag on log fd
+ * BUILD/MINOR: Makefile : enabling USE_CPU_AFFINITY
+ * BUG: MINOR: http: don't check http-request capture id when len is provided
+ * BUG: MAJOR: lb_map: server map calculation broken
+ * BUG/MINOR: stream-int: don't try to receive again after receiving an EOS
+ * BUG/MEDIUM: h2: fix stream limit enforcement
+ * BUG/MEDIUM: http: don't disable lingering on requests with tunnelled responses
+ * BUG/MEDIUM: h2: don't close after the first DATA frame on tunnelled responses
+ * BUG/MEDIUM: h2: don't switch the state to HREM before end of DATA frame
+ * MINOR: h2: don't demand that a DATA frame is complete before processing it
+ * BUG/MEDIUM: h2: support uploading partial DATA frames
+ * MINOR: h2: store the demux padding length in the h2c struct
+ * BUG/MEDIUM: h2: debug incoming traffic in h2_wake()
+ * BUG/MEDIUM: h2: work around a connection API limitation
+ * BUG/MEDIUM: h2: enable recv polling whenever demuxing is possible
+ * BUG/MEDIUM: h2: automatically set CS_FL_RCV_MORE when the output buffer is full
+ * BUG/MEDIUM: stream-int: always set SI_FL_WAIT_ROOM on CS_FL_RCV_MORE
+ * MINOR: conn_stream: add new flag CS_FL_RCV_MORE to indicate pending data
+ * BUG/MEDIUM: lua/notification: memory leak
+ * DOC: notifications: add precisions about thread usage
+ * MINOR: systemd: remove comment about HAPROXY_STATS_SOCKET
+ * BUG/MEDIUM: threads/vars: Fix deadlock in register_name
+ * BUG/MEDIUM: email-alert: don't set server check status from a email-alert task
+ * CONTRIB: halog: Add help text for -s switch in halog program
+ * MINOR: mworker: Improve wording in `void mworker_wait()`
+ * MINOR: mworker: Update messages referencing exit-on-failure
+ * BUG/MEDIUM: h2: fix handling of end of stream again
+ * BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface
+ * BUG/MEDIUM: checks: a down server going to maint remains definitely stucked on down state.
+ * BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically.
+ * BUG/MEDIUM: mworker: also close peers sockets in the master
+ * BUG/MINOR: ssl: support tune.ssl.cachesize 0 again
+ * BUG/MAJOR: hpack: don't pretend large headers fit in empty table
+ * BUG/MINOR: action: Don't check http capture rules when no id is defined
+
+-------------------------------------------------------------------
+Mon Dec 04 10:33:40 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.8.1 (bsc#1069954):
+ * BUG/MAJOR: h2: correctly check the request length when building an H1 request
+ * BUG/MAJOR: thread: Be sure to request a sync between threads only once at a time
+ * BUG/MAJOR: thread/peers: fix deadlock on peers sync.
+ * BUG/MEDIUM: h2: do not accept upper case letters in request header names
+ * BUG/MEDIUM: h2: remove connection-specific headers from request
+ * BUG/MEDIUM: h2: enforce the per-connection stream limit
+ * BUG/MEDIUM: checks: Be sure we have a mux if we created a cs.
+ * BUG/MEDIUM: peers: fix some track counter rules dont register entries for sync.
+ * BUG/MEDIUM: h2: don't report an error after parsing a 100-continue response
+ * BUG/MEDIUM: threads/peers: decrement, not increment jobs on quitting
+ * BUG/MEDIUM: stream: fix session leak on applet-initiated connections
+ * BUG/MEDIUM: cache: bad computation of the remaining size
+ * BUG/MEDIUM: ssl: don't allocate shctx several time
+ * BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main
+ * BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork.
+ * BUG/MINOR: h2: use the H2_F_DATA_* macros for DATA frames
+ * BUG/MINOR: h2: reject response pseudo-headers from requests
+ * BUG/MINOR: h2: properly check PRIORITY frames
+ * BUG/MINOR: h2: reject incorrect stream dependencies on HEADERS frame
+ * BUG/MINOR: h2: do not accept SETTINGS_ENABLE_PUSH other than 0 or 1
+ * BUG/MINOR: h2: the TE header if present may only contain trailers
+ * BUG/MINOR: h2: fix a typo causing PING/ACK to be responded to
+ * BUG/MINOR: h2: ":path" must not be empty
+ * BUG/MINOR: h2: try to abort closed streams as soon as possible
+ * BUG/MINOR: h2: immediately close if receiving GOAWAY after the last stream
+ * BUG/MINOR: hpack: dynamic table size updates are only allowed before headers
+ * BUG/MINOR: hpack: reject invalid header index
+ * BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits
+ * BUG/MINOR: hpack: fix debugging output of pseudo header names
+ * BUG/MINOR: mworker: detach from tty when in daemon mode
+ * BUG/MINOR: mworker: fix validity check for the pipe FDs
+ * BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream
+
+-------------------------------------------------------------------
+Tue Nov 28 13:54:07 UTC 2017 - kgronlund@suse.com
+
+- License is now GPL-3.0+ and LGPL-2.1+
+
+-------------------------------------------------------------------
+Mon Nov 27 13:40:32 UTC 2017 - mrueckert@suse.de
+
+- [apparmor]: allow haproxy to restart itself. needed for seamless
+ restart. also reload the apparmor profile on update.
+
+-------------------------------------------------------------------
+Mon Nov 27 13:31:07 UTC 2017 - mrueckert@suse.de
+
+- enable network namespaces on 42.3
+- Enabled systemd notify mode: new BR: pkgconfig(libsystemd)
+ This fixes problems with starting 1.8 on 42.3.
+- apply build option changes as adviced by upstream
+
+-------------------------------------------------------------------
+Mon Nov 27 13:30:30 UTC 2017 - mrueckert@suse.de
+
+- Update to version 1.8.0 (bsc#1069954):
+ https://www.mail-archive.com/haproxy@formilux.org/msg28004.html
+
+-------------------------------------------------------------------
+Wed Aug 23 06:52:05 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.9:
+ * BUG/MINOR: peers: peer synchronization issue (with several peers sections).
+ * BUG/MINOR: lua: In error case, the safe mode is not removed
+ * BUG/MINOR: lua: executes the function destroying the Lua session in safe mode
+ * BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted
+ * BUG/MEDIUM: lua: bad memory access
+ * DOC: update the list of OpenSSL versions in the README
+ * DOC: Updated 51Degrees git URL to point to a stable version.
+ * BUG/MINOR: http: Set the response error state in http_sync_res_state
+ * MINOR: http: Reorder/rewrite checks in http_resync_states
+ * MINOR: http: Switch requests/responses in TUNNEL mode only by checking txn flags
+ * BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body length is undefined
+ * BUG/MAJOR: http: Fix possible infinity loop in http_sync_(req|res)_state
+ * BUG/MINOR: lua: Fix Server.get_addr() port values
+ * BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr()
+ * BUG/MINOR: lua: always detach the tcp/http tasks before freeing them
+ * BUG/MINOR: lua: Fix bitwise logic for hlua_server_check_* functions.
+
+-------------------------------------------------------------------
+Mon Jul 10 12:05:16 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.8:
+ * BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue
+ * BUG/MAJOR: cli: fix custom io_release was crushed by NULL.
+ * BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.
+ * BUG/MAJOR: compression: Be sure to release the compression state in all cases
+ * DOC: fix references to the section about time format.
+ * BUG/MEDIUM: map/acl: fix unwanted flags inheritance.
+ * BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel
+ * BUG/MINOR: http: Don't reset the transaction if there are still data to send
+ * BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both channels
+ * BUG/MINOR: http: properly handle all 1xx informational responses
+
+-------------------------------------------------------------------
+Mon Jul 10 12:05:07 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.7:
+ * BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
+ * BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed
+ * BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
+ * DOC: fix references to the section about the unix socket
+ * BUG/MINOR: log: pin the front connection when front ip/ports are logged
+
+-------------------------------------------------------------------
+Mon Jun 19 05:09:38 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.6:
+ * DOC: changed "block"(deprecated) examples to http-request deny
+ * DOC: add few comments to examples.
+ * DOC: update sample code for PROXY protocol
+ * DOC: mention lighttpd 1.4.46 implements PROXY
+ * DOC: stick-table is available in frontend sections
+ * BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
+ * BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
+ * BUG/MINOR: arg: don't try to add an argument on failed memory allocation
+ * BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
+ * BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
+ * MINOR: lua: ensure the memory allocator is used all the time
+ * CLEANUP: logs: typo: simgle => single
+ * BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
+ * BUG/MAJOR: Use -fwrapv.
+ * BUG/MINOR: server: don't use "proxy" when px is really meant.
+ * BUG/MINOR: server: missing default server 'resolvers' setting duplication.
+ * DOC: add layer 4 links/cross reference to "block" keyword.
+ * DOC: errloc/errorloc302/errorloc303 missing status codes.
+ * BUG/MEDIUM: lua: memory leak
+ * MEDIUM: config: don't check config validity when there are fatal errors
+ * BUG/MINOR: hash-balance-factor isn't effective in certain circumstances
+ * MINOR/DOC: lua: just precise one thing
+ * BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request
+ * DOC: update RFC references
+ * BUG/MINOR: checks: don't send proxy protocol with agent checks
+ * BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything
+ * BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
+ * BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
+ * BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
+ * BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING
+ * BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
+ * BUG/MAJOR: server: Segfault after parsing server state file.
+ * BUG/MEDIUM: unix: never unlink a unix socket from the file system
+
+-------------------------------------------------------------------
+Mon May 08 13:18:54 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.5:
+ * BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
+ * BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
+ * BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled
+ * BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze
+ * MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections
+
+-------------------------------------------------------------------
+Wed Mar 29 11:53:23 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.4:
+ * MINOR: config: warn when some HTTP rules are used in a TCP proxy
+ * BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters
+ * BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section
+ * BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file
+ * BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
+ * BUG/MINOR: Fix "get map " CLI command
+ * BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer
+ * BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING
+ * BUG/MINOR: checks: attempt clean shutw for SSL check
+ * BUG/MEDIUM: listener: do not try to rebind another process' socket
+ * BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze
+ * BUG/MAJOR: stream-int: do not depend on connection flags to detect connection
+ * BUG/MEDIUM: connection: ensure to always report the end of handshakes
+ * BUG: payload: fix payload not retrieving arbitrary lengths
+ * BUG/MAJOR: http: fix typo in http_apply_redirect_rule
+ * BUG/MEDIUM: stream: fix client-fin/server-fin handling
+ * MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller
+ * BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available
+ * DOC/MINOR: Fix typos in proxy protocol doc
+ * DOC: Protocol doc: add checksum, TLV type ranges
+ * DOC: Protocol doc: add SSL TLVs, rename CHECKSUM
+ * DOC: Protocol doc: add noop TLV
+ * MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time
+ * BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity().
+ * MINOR: server: irrelevant error message with 'default-server' config file keyword.
+ * MINOR: doc: fix use-server example (imap vs mail)
+ * BUG/MEDIUM: tcp: don't require privileges to bind to device
+
+-------------------------------------------------------------------
+Tue Feb 28 11:31:02 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.3:
+ * BUG/MINOR: stream: Fix how backend-specific analyzers are set on a stream
+ * BUG/MEDIUM: tcp: don't poll for write when connect() succeeds
+ * BUG/MINOR: unix: fix connect's polling in case no data are scheduled
+ * BUG/MINOR: lua: Map.end are not reliable because "end" is a reserved keyword
+ * MINOR: dns: give ability to dns_init_resolvers() to close a socket when requested
+ * BUG/MAJOR: dns: restart sockets after fork()
+ * MINOR: chunks: implement a simple dynamic allocator for trash buffers
+ * BUG/MEDIUM: http: prevent redirect from overwriting a buffer
+ * BUG/MEDIUM: filters: Do not truncate HTTP response when body length is undefined
+ * BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer
+ * BUG/MINOR: http: Return an error when a replace-header rule failed on the response
+ * BUG/MINOR: sendmail: The return of vsnprintf is not cleanly tested
+ * BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'
+ * BUG/MEDIUM: config: reject anything but "if" or "unless" after a use-backend rule
+ * MINOR: http: don't close when redirect location doesn't start with "/"
+
+-------------------------------------------------------------------
+Mon Jan 30 14:43:01 UTC 2017 - kgronlund@suse.com
+
+- Update to version 1.7.2 (bsc#1023141):
+ * BUG/MEDIUM: lua: In some case, the return of sample-fetches is ignored (2)
+ * BUG/MINOR: stream-int: automatically release SI_FL_WAIT_DATA on SHUTW_NOW
+ * DOC: lua: documentation about time parser functions
+ * DOC: lua: section declared twice
+ * BUG/MINOR: lua/cli: bad error message
+ * DOC: fix small typo in fe_id (backend instead of frontend)
+ * BUG/MINOR: Fix the sending function in Lua's cosocket
+ * BUG/MINOR: lua: memory leak executing tasks
+ * BUG/MINOR: lua: bad return code
+ * BUG/MEDIUM: ssl: properly reset the reused_sess during a forced handshake
+ * BUG/MEDIUM: ssl: avoid double free when releasing bind_confs
+ * BUG/MINOR: stats: fix be/sessions/current out in typed stats
+ * BUG/MINOR: backend: nbsrv() should return 0 if backend is disabled
+ * BUG/MEDIUM: ssl: for a handshake when server-side SNI changes
+ * BUG/MINOR: systemd: potential zombie processes
+ * DOC: Add timings events schemas
+ * BUG/MINOR: option prefer-last-server must be ignored in some case
+ * MINOR: stats: Support "select all" for backend actions
+ * BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0
+ * BUG/MAJOR: channel: Fix the definition order of channel analyzers
+ * BUG/MINOR: http: report real parser state in error captures
+ * BUG/MAJOR: http: fix risk of getting invalid reports of bad requests
+ * MINOR: http: custom status reason.
+ * MINOR: connection: add sample fetch "fc_rcvd_proxy"
+ * BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options
+ * BUG/MINOR: tools: fix off-by-one in port size check
+ * BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family
+ * MEDIUM: server: split the address and the port into two different fields
+ * MINOR: tools: make str2sa_range() return the port in a separate argument
+ * MINOR: server: take the destination port from the port field, not the addr
+ * MEDIUM: server: disable protocol validations when the server doesn't resolve
+ * BUG/MEDIUM: tools: do not force an unresolved address to AF_INET:0.0.0.0
+ * BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage
+ * MINOR: proto_http.c 502 error txt typo.
+ * DOC: add deprecation notice to "block"
+ * BUG/MINOR: Reset errno variable before calling strtol(3)
+
+-------------------------------------------------------------------
+Sat Dec 24 02:36:10 UTC 2016 - mrueckert@suse.de
+
+- Update to version 1.7.1:
+ * BUG/MAJOR: stream: fix session abort on resource shortage
+ * BUG/MINOR: cli: allow the backslash to be escaped on the CLI
+ * BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys"
+ * DOC: Fix map table's format
+ * DOC: Added 51Degrees conv and fetch functions to documentation.
+ * BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect
+ * DOC: mention that req_tot is for both frontends and backends
+ * BUG/MEDIUM: variables: some variable name can hide another ones
+ * BUG/MINOR: stats: fix be/sessions/max output in html stats
+ * MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id
+ * DOC: lua: Documentation about some entry missing
+ * MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set
+ * DOC: Add undocumented argument of the trace filter
+ * DOC: Fix some typo in SPOE documentation
+ * BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full
+ * MINOR: applet: Count number of (active) applets
+ * MINOR: task: Rename run_queue and run_queue_cur counters
+ * BUG/MEDIUM: stream: Save unprocessed events for a stream
+ * BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled
+ * BUILD/MEDIUM: Fixing the build using LibreSSL
+ * [RELEASE] Released version 1.7.1
+
+-------------------------------------------------------------------
+Fri Dec 02 07:31:16 UTC 2016 - kgronlund@suse.com
+
+- Update to version 1.7.0:
+ * BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos
+ * BUG/MINOR: stats: make field_str() return an empty string on NULL
+ * BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used
+ * BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn
+ * BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER
+ * BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers
+ * BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode
+
+-------------------------------------------------------------------
+Fri Dec 02 07:30:49 UTC 2016 - kgronlund@suse.com
+
+- Update to version 1.6.10:
+ * BUG/MEDIUM: systemd-wrapper: return correct exit codes
+ * BUG/MEDIUM: srv-state: properly restore the DRAIN state
+ * BUG/MINOR: srv-state: allow to have both CMAINT and FDRAIN flags
+ * BUG/MEDIUM: servers: properly propagate the maintenance states during startup
+ * BUG: vars: Fix 'set-var' converter because of a typo
+ * BUG/MEDIUM: channel: bad unlikely macro
+ * CLEANUP: lua: move comment
+ * CLEANUP: lua: control executed twice
+ * CLEANUP: ssl: Fix bind keywords name in comments
+ * DOC: ssl: Use correct wording for ca-sign-pass
+ * BUG/MINOR: stick-table: handle out-of-memory condition gracefully
+ * BUG/MEDIUM: connection: check the control layer before stopping polling
+ * BUG/MEDIUM: stick-table: fix regression caused by recent fix for out-of-memory
+ * CONTRIB: initiate a debugging suite to make debugging easier
+ * BUG/MINOR: cli: properly decrement ref count on tables during failed dumps
+ * BUG/MEDIUM: lua: In some case, the return of sample-fetche is ignored
+
+-------------------------------------------------------------------
+Wed Nov 02 16:56:57 UTC 2016 - kgronlund@suse.com
+
+- Update to version 1.6.9+git.1477940904.ab45181 (fate#321723)
+ * BUILD: poll: remove unused hap_fd_isset() which causes a warning with clang
+ * MINOR: cfgparse: few memory leaks fixes.
+ * MINOR: build: Allow linking to device-atlas library file
+ * DOC: Fix typo in description of `-st` parameter in man page
+ * BUG/MEDIUM: peers: on shutdown, wake up the appctx, not the stream
+ * BUG/MEDIUM: peers: fix use after free in peer_session_create()
+ * BUG/MEDIUM: systemd: let the wrapper know that haproxy has completed or failed
+ * MINOR: systemd: report it when execve() fails
+ * BUG/MINOR: systemd: check return value of calloc()
+ * BUG/MINOR: systemd: always restore signals before execve()
+ * BUG/MINOR: systemd: make the wrapper return a non-null status code on error
+ * BUG/MINOR: ssl: prevent multiple entries for the same certificate
+ * BUG/MINOR: ssl: Check malloc return code
+ * BUG/MINOR: vars: smp_fetch_var() doesn't depend on HTTP but on the session
+ * BUG/MINOR: vars: make smp_fetch_var() more robust against misuses
+ * BUG/MINOR: vars: use sess and not s->sess in action_store()
+ * MEDIUM: make SO_REUSEPORT configurable
+ * MINOR: Add fe_req_rate sample fetch
+ * MINOR: show Running on zlib version
+ * MINOR: show Built with PCRE version
+ * BUG/MINOR: displayed PCRE version is running release
+
+-------------------------------------------------------------------
+Thu Sep 1 07:16:13 UTC 2016 - kgronlund@suse.com
+
+- Update to 1.6.9 (bsc#1003264)
+ - MINOR: cli: allow the semi-colon to be escaped on the CLI
+ - BUG/MINOR: payload: fix SSLv2 version parser
+ - BUG/MAJOR: stream: properly mark the server address as unset on connect retry
+ - DOC: Updated 51Degrees readme.
+ - BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table
+ - BUG/MINOR: peers: empty chunks after a resync.
+ - BUG/MINOR: peers: some updates are pushed twice after a resync.
+ - MINOR: sample: use smp_make_rw() in upper/lower converters
+ - BUG/MEDIUM: stick-table: properly convert binary samples to keys
+ - BUG/MEDIUM: stick-tables: do not fail on string keys with no allocated size
+ - BUG/MAJOR: server: the "sni" directive could randomly cause trouble
+ - MINOR: sample: provide smp_is_rw() and smp_make_rw()
+ - MINOR: sample: implement smp_is_safe() and smp_make_safe()
+ - BUG/MEDIUM: samples: make smp_dup() always duplicate the sample
+ - BUG/MAJOR: compression: initialize avail_in/next_in even during flush
+ - BUILD: make proto_tcp.c compatible with musl library
+ - DOC: minor typo fixes to improve HTML parsing by haproxy-dconv
+ - BUG/MEDIUM: stream-int: completely detach connection on connect error
+ - BUG/MEDIUM: lua: somme HTTP manipulation functions are called without valid requests
+ - DOC: lua: remove old functions
+ - BUG/MINOR: peers: Fix peers data decoding issue
+ - BUG/MEDIUM: lua: the function txn_done() from action wrapper can crash
+ - BUG/MEDIUM: lua: the function txn_done() from sample fetches can crash
+
+-------------------------------------------------------------------
+Tue Jul 19 01:50:28 UTC 2016 - mrueckert@suse.de
+
+- update to 1.6.7
+ - MINOR: new function my_realloc2 = realloc + free upon failure
+ - CLEANUP: fixed some usages of realloc leading to memory leak
+ - Revert "BUG/MINOR: ssl: fix potential memory leak in
+ ssl_sock_load_dh_params()"
+ - BUG/MEDIUM: dns: fix alignment issues in the DNS response
+ parser
+ - BUG/MINOR: Fix endiness issue in DNS header creation code
+- changes from 1.6.6
+ - BUG/MAJOR: fix listening IP address storage for frontends
+ - BUG/MINOR: fix listening IP address storage for frontends
+ (cont)
+ - DOC: Fix typo so fetch is properly parsed by Cyril's converter
+ - BUG/MAJOR: http: fix breakage of "reqdeny" causing random
+ crashes
+ - BUG/MEDIUM: stick-tables: fix breakage in table converters
+ - BUG/MEDIUM: dns: unbreak DNS resolver after header fix
+ - BUILD: fix build on Solaris 11
+ - CLEANUP: connection: fix double negation on memcmp()
+ - BUG/MEDIUM: stats: show servers state may show an servers from
+ another backend
+ - BUG/MEDIUM: fix risk of segfault with "show tls-keys"
+ - BUG/MEDIUM: sticktables: segfault in some configuration error
+ cases
+ - BUG/MEDIUM: lua: converters doesn't work
+ - BUG/MINOR: http: add-header: header name copied twice
+ - BUG/MEDIUM: http: add-header: buffer overwritten
+ - BUG/MINOR: ssl: fix potential memory leak in
+ ssl_sock_load_dh_params()
+ - BUG/MINOR: http: url32+src should use the big endian version of
+ url32
+ - BUG/MINOR: http: url32+src should check cli_conn before using
+ it
+ - DOC: http: add documentation for url32 and url32+src
+ - BUG/MINOR: fix http-response set-log-level parsing error
+ - MINOR: systemd: Use variable for config and pidfile paths
+ - MINOR: systemd: Perform sanity check on config before reload
+ (cherry picked from commit
+ 68535bddf305fdd22f1449a039939b57245212e7)
+ - BUG/MINOR: init: always ensure that global.rlimit_nofile
+ matches actual limits
+ - BUG/MINOR: init: ensure that FD limit is raised to the max
+ allowed
+ - BUG/MEDIUM: external-checks: close all FDs right after the
+ fork()
+ - BUG/MAJOR: external-checks: use asynchronous signal delivery
+ - BUG/MINOR: external-checks: do not unblock undesired signals
+ - BUILD/MEDIUM: rebuild everything when an include file is
+ changed
+ - BUILD/MEDIUM: force a full rebuild if some build options change
+ - BUG/MINOR: srv-state: fix incorrect output of state file
+ - BUG/MINOR: ssl: close ssl key file on error
+ - BUG/MINOR: http: fix misleading error message for response
+ captures
+ - BUG/BUILD: don't automatically run "make" on "make install"
+ - DOC: add missing doc for
+ http-request deny [deny_status ]
+- drop patches which were pulled from git before
+ 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
+ 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
+ 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
+ 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
+ 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
+ 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
+ 0007-BUILD-fix-build-on-Solaris-11.patch
+ 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
+ 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
+ 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
+ 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
+ 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
+ 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
+ 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
+
+-------------------------------------------------------------------
+Thu Jun 9 12:48:27 UTC 2016 - mrueckert@suse.de
+
+- pull patches from git to fix some important issues (bsc#983972) (bsc#983974):
+ 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
+ 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
+ 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
+ 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
+ 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
+ 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
+ 0007-BUILD-fix-build-on-Solaris-11.patch
+ 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
+ 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
+ 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
+ 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
+ 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
+ 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
+ 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
+
+-------------------------------------------------------------------
+Tue May 10 14:24:24 UTC 2016 - mrueckert@suse.de
+
+- update to 1.6.5
+ - BUG/MINOR: log: Don't use strftime() which can clobber timezone
+ if chrooted
+ - BUILD: namespaces: fix a potential build warning in
+ namespaces.c
+ - DOC: add encoding to json converter example
+ - BUG/MINOR: conf: "listener id" expects integer, but its not
+ checked
+ - DOC: Clarify tunes.vars.xxx-max-size settings
+ - BUG/MEDIUM: peers: fix incorrect age in frequency counters
+ - BUG/MEDIUM: Fix RFC5077 resumption when more than
+ TLS_TICKETS_NO are present
+ - BUG/MAJOR: Fix crash in http_get_fhdr with exactly
+ MAX_HDR_HISTORY headers
+ - BUG/MINOR: lua: can't load external libraries
+ - DOC: "addr" parameter applies to both health and agent checks
+ - DOC: timeout client: pointers to timeout http-request
+ - DOC: typo on stick-store response
+ - DOC: stick-table: amend paragraph blaming the loss of table
+ upon reload
+ - DOC: typo: ACL subdir match
+ - DOC: typo: maxconn paragraph is wrong due to a wrong buffer
+ size
+ - DOC: regsub: parser limitation about the inability to use
+ closing square brackets
+ - DOC: typo: req.uri is now replaced by capture.req.uri
+ - DOC: name set-gpt0 mismatch with the expected keyword
+ - BUG/MEDIUM: stick-tables: some sample-fetch doesn't work in the
+ connection state.
+ - DOC: fix "needed" typo
+ - BUG/MINOR: dns: inapropriate way out after a resolution timeout
+ - BUG/MINOR: dns: trigger a DNS query type change on resolution
+ timeout
+ - BUG/MINOR : allow to log cookie for tarpit and denied request
+ - OPTIM/MINOR: session: abort if possible before connecting to
+ the backend
+ - BUG/MEDIUM: trace.c: rdtsc() is defined in two files
+ - BUG/MEDIUM: channel: fix miscalculation of available buffer
+ space (2nd try)
+ - BUG/MINOR: cfgparse: couple of small memory leaks.
+ - BUG/MEDIUM: sample: initialize the pointer before parse_binary
+ call.
+ - DOC: fix discrepancy in the example for http-request redirect
+ - DOC: Clarify IPv4 address / mask notation rules
+ - CLEANUP: fix inconsistency between fd->iocb, proto->accept and
+ accept()
+ - BUG/MEDIUM: fix maxaccept computation on per-process listeners
+ - BUG/MINOR: listener: stop unbound listeners on startup
+ - BUG/MINOR: fix maxaccept computation according to the frontend
+ process range
+ - MEDIUM: unblock signals on startup.
+ - BUG/MEDIUM: channel: don't allow to overwrite the reserve until
+ connected
+ - BUG/MEDIUM: channel: incorrect polling condition may delay
+ event delivery
+ - BUG/MEDIUM: channel: fix miscalculation of available buffer
+ space (3rd try)
+ - BUG/MEDIUM: log: fix risk of segfault when logging HTTP fields
+ in TCP mode
+ - BUG/MEDIUM: lua: protects the upper boundary of the argument
+ list for converters/fetches.
+ - BUG/MINOR: log: fix a typo that would cause %HP to log
+ - MINOR: channel: add new function channel_congested()
+ - BUG/MEDIUM: http: fix risk of CPU spikes with pipelined
+ requests from dead client
+ - BUG/MAJOR: channel: fix miscalculation of available buffer
+ space (4th try)
+ - BUG/MEDIUM: stream: ensure the SI_FL_DONT_WAKE flag is properly
+ cleared
+ - BUG/MEDIUM: channel: fix inconsistent handling of 4GB-1
+ transfers
+ - BUG/MEDIUM: stats: show servers state may show an empty or
+ incomplete result
+ - BUG/MEDIUM: stats: show backend may show an empty or incomplete
+ result
+ - MINOR: stats: fix typo in help messages
+ - MINOR: stats: show stat resolvers missing in the help message
+ - BUG/MINOR: dns: fix DNS header definition
+ - BUG/MEDIUM: dns: fix alignment issue when building DNS queries
+ - CLEANUP/MINOR: stats: fix accidental addition of member "env"
+ in the applet ctx
+- refreshed patches to apply cleanly again
+ - haproxy-1.6.0-makefile_lib.patch
+ - haproxy-1.6.0-sec-options.patch
+
+-------------------------------------------------------------------
+Mon Mar 14 02:45:05 UTC 2016 - mrueckert@suse.de
+
+- update to 1.6.4 (fate#320607) (bsc#937202)
+ - BUG/MINOR: http: fix several off-by-one errors in the url_param
+ parser
+ - BUG/MINOR: http: Be sure to process all the data received from
+ a server
+ - BUG/MINOR: chunk: make chunk_dup() always check and set
+ dst->size
+ - MINOR: chunks: ensure that chunk_strcpy() adds a trailing zero
+ - MINOR: chunks: add chunk_strcat() and chunk_newstr()
+ - MINOR: chunk: make chunk_initstr() take a const string
+ - MINOR: lru: new function to delete least recently used
+ keys
+ - DOC: add Ben Shillito as the maintainer of 51d
+ - BUG/MINOR: 51d: Ensures a unique domain for each configuration
+ - BUG/MINOR: 51d: Aligns Pattern cache implementation with
+ HAProxy best practices.
+ - BUG/MINOR: 51d: Releases workset back to pool.
+ - BUG/MINOR: 51d: Aligned const pointers to changes in 51Degrees.
+ - CLEANUP: 51d: Aligned if statements with HAProxy best practices
+ and removed casts from malloc.
+ - DOC: fix a few spelling mistakes (cherry picked from commit
+ cc123c66c2075add8524a6a9925382927daa6ab0)
+ - DOC: fix "workaround" spelling
+ - BUG/MINOR: examples: Fixing haproxy.spec to remove references
+ to .cfg files
+ - MINOR: fix the return type for dns_response_get_query_id()
+ function
+ - MINOR: server state: missing LF (\n) on error message printed
+ when parsing server state file
+ - BUG/MEDIUM: dns: no DNS resolution happens if no ports provided
+ to the nameserver
+ - BUG/MAJOR: servers state: server port is erased when dns
+ resolution is enabled on a server
+ - BUG/MEDIUM: servers state: server port is used uninitialized
+ - BUG/MEDIUM: config: Adding validation to stick-table expire
+ value.
+ - BUG/MEDIUM: sample: http_date() doesn't provide the right day
+ of the week
+ - BUG/MEDIUM: channel: fix miscalculation of available buffer
+ space.
+ - MEDIUM: pools: add a new flag to avoid rounding pool size up
+ - BUG/MEDIUM: buffers: do not round up buffer size during
+ allocation
+ - BUG/MINOR: stream: don't force retries if the server is DOWN
+ - BUG/MINOR: counters: make the sc-inc-gpc0 and sc-set-gpt0 touch
+ the table
+ - MINOR: unix: don't mention free ports on EAGAIN
+ - BUG/CLEANUP: CLI: report the proper field states in "show sess"
+ - MINOR: stats: send content-length with the redirect to allow
+ keep-alive
+ - BUG: stream_interface: Reuse connection even if the output
+ channel is empty
+ - DOC: remove old tunnel mode assumptions
+ - BUG/MAJOR: http-reuse: fix risk of orphaned connections
+ - BUG/MEDIUM: http-reuse: do not share private connections across
+ backends
+ - BUG/MINOR: ssl: Be sure to use unique serial for regenerated
+ certificates
+ - BUG/MINOR: stats: fix missing comma in stats on agent drain
+ - BUG/MINOR: lua: unsafe initialization
+ - DOC: lua: fix somme errors
+ - DOC: add server name at rate-limit sessions example
+ - BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation
+ - BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation
+ - DOC: LUA: fix some typos and syntax errors
+ - MINOR: cfgparse: warn for incorrect 'timeout retry' keyword
+ spelling in resolvers
+ - MINOR: mailers: increase default timeout to 10 seconds
+ - MINOR: mailers: use for all line endings
+ - BUG/MAJOR: lua: applets can't sleep.
+ - BUG/MINOR: server: some prototypes are renamed
+ - BUG/MINOR: lua: Useless copy
+ - BUG/MEDIUM: stats: stats bind-process doesn't propagate the
+ process mask correctly
+ - BUG/MINOR: server: fix the format of the warning on address
+ change
+ - BUG/MEDIUM: chunks: always reject negative-length chunks
+ - BUG/MINOR: systemd: ensure we don't miss signals
+ - BUG/MINOR: systemd: report the correct signal in debug message
+ output
+ - BUG/MINOR: systemd: propagate the correct signal to haproxy
+ - MINOR: systemd: ensure a reload doesn't mask a stop
+ - BUG/MEDIUM: cfgparse: wrong argument offset after parsing
+ server "sni" keyword
+ - CLEANUP: stats: Avoid computation with uninitialized bits.
+ - CLEANUP: pattern: Ignore unknown samples in pat_match_ip().
+ - CLEANUP: map: Avoid memory leak in out-of-memory condition.
+ - BUG/MINOR: tcpcheck: fix incorrect list usage resulting in
+ failure to load certain configs
+ - BUG/MAJOR: samples: check smp->strm before using it
+ - MINOR: sample: add a new helper to initialize the owner of a
+ sample
+ - MINOR: sample: always set a new sample's owner before
+ evaluating it
+ - BUG/MAJOR: vars: always retrieve the stream and session from
+ the sample
+ - CLEANUP: payload: remove useless and confusing nullity checks
+ for channel buffer
+ - BUG/MINOR: ssl: fix usage of the various sample fetch functions
+ - MINOR: cfgparse: warn when uid parameter is not a number
+ - MINOR: cfgparse: warn when gid parameter is not a number
+ - BUG/MINOR: standard: Avoid free of non-allocated pointer
+ - BUG/MINOR: pattern: Avoid memory leak on out-of-memory
+ condition
+ - CLEANUP: http: fix a build warning introduced by a recent fix
+ - BUG/MINOR: log: GMT offset not updated when entering/leaving
+ DST
+
+-------------------------------------------------------------------
+Mon Jan 11 14:22:44 UTC 2016 - e.istomin@edss.ee
+
+- update to 1.6.3 (fate#320607)
+ - BUG/MEDIUM: lua: clean output buffer
+ - BUG/MEDIUM: http: switch the request
channel to no-delay once done.
+ - BUG/MEDIUM: http: don't enable auto-close on the response side
+ - BUG/MEDIUM: stream: fix half-closed timeout handling
+ - BUG/MEDIUM: cli: changing compression rate-limiting must require admin level
+ - BUG/MEDIUM: sample: urlp can't match an empty value
+ - BUG/MEDIUM: da: stop DeviceAtlas processing in the convertor if there is no input.
+ - BUG/MEDIUM: checks: email-alert not working when declared in defaults
+ - BUG/MEDIUM: http: fix http-reuse when frontend and backend differ
+ - BUG/MEDIUM: config: properly adjust maxconn with nbproc when memmax is forced
+ - BUG/MEDIUM: peers: table entries learned from a remote are pushed to others after a random delay.
+ - BUG/MEDIUM: peers: old stick table updates could be repushed
+ - BUG/MEDIUM: lua: Lua applets must not fetch samples using http_txn
+ - BUG/MEDIUM: lua: Forbid HTTP applets from being called from tcp rulesets
+ - BUG/MAJOR: lua: Do not force the HTTP analysers in use-services
+
+for all the details see /usr/share/doc/packages/haproxy/CHANGELOG
+or http://www.haproxy.org/download/1.6/src/CHANGELOG
+-------------------------------------------------------------------
+Sat Nov 21 01:36:11 UTC 2015 - mrueckert@suse.de
+
+- on sle11 we still need to own /etc/apparmor.d/local
+
+-------------------------------------------------------------------
+Sat Nov 21 01:15:07 UTC 2015 - mrueckert@suse.de
+
+- instead of owning the apparmor directories, BR apparmor-profiles.
+
+-------------------------------------------------------------------
+Tue Nov 10 14:50:26 UTC 2015 - mrueckert@suse.de
+
+- fix link to tarball
+
+-------------------------------------------------------------------
+Tue Nov 3 12:02:19 UTC 2015 - mrueckert@suse.de
+
+- update to 1.6.2
+ - BUILD: ssl: fix build error introduced in commit 7969a3 with
+ OpenSSL < 1.0.0
+ - DOC: fix a typo for a "deviceatlas" keyword
+ - FIX: small typo in an example using the "Referer" header
+ - BUG/MEDIUM: config: count memory limits on 64 bits, not 32
+ - BUG/MAJOR: dns: first DNS response packet not matching queried
+ hostname may lead to a loop
+ - BUG/MINOR: dns: unable to parse CNAMEs response
+ - BUG/MINOR: examples/haproxy.init: missing brace in
+ quiet_check()
+ - DOC: deviceatlas: more example use cases.
+ - BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in
+ install-bin.
+ - BUG/MAJOR: http: don't requeue an idle connection that is
+ already queued
+ - DOC: typo on capture.res.hdr and capture.req.hdr
+ - BUG/MINOR: dns: check for duplicate nameserver id in a
+ resolvers section was missing
+ - CLEANUP: use direction names in place of numeric values
+ - BUG/MEDIUM: lua: sample fetches based on response doesn't work
+- drop haproxy-1.6.0-ssl-098.patch: included upstream
+
+-------------------------------------------------------------------
+Thu Oct 22 10:21:00 UTC 2015 - mrueckert@suse.de
+
+- update to 1.6.1
+ - DOC: specify that stats socket doc (section 9.2) is in
+ management
+ - BUILD: install only relevant and existing documentation
+ - CLEANUP: don't ignore debian/ directory if present
+ - BUG/MINOR: dns: parsing error of some DNS response
+ - BUG/MEDIUM: namespaces: don't fail if no namespace is used
+ - BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is
+ disabled
+ - MEDIUM: dns: Don't use the ANY query type
+- drop haproxy-1.6.0-ssl.crash.patch included in update
+
+-------------------------------------------------------------------
+Mon Oct
19 16:15:57 UTC 2015 - mrueckert@suse.de
+
+- add haproxy-1.6.0-ssl-098.patch:
+ fix building on openssl 0.9.8
+
+-------------------------------------------------------------------
+Fri Oct 16 17:16:40 UTC 2015 - mrueckert@suse.de
+
+- added haproxy-1.6.0-ssl.crash.patch: fix SNI related crash
+
+-------------------------------------------------------------------
+Thu Oct 15 23:19:33 UTC 2015 - mrueckert@suse.de
+
+- only use network namespace support on distros newer than 13.2
+
+-------------------------------------------------------------------
+Tue Oct 13 19:39:12 UTC 2015 - mrueckert@suse.de
+
+- update to 1.6.0
+ The most user-visible changes, we can cite the simpler handling
+ of multiple configuration files, the support for quotes and
+ environment variables in the configuration, a significant
+ reduction of the memory usage thanks to a new dynamic buffer
+ allocator, notifications over e-mail, server state keeping across
+ reloads, dynamic DNS-based server address resolution, new
+ scripting capabilities thanks to the embedded Lua interpreter,
+ use of variables in the configuration to manipulate samples,
+ request body buffering and analysis, support for two third-party
+ device identification products (DeviceAtlas and 51Degrees), a lot
+ of new sample converters including arithmetic operators and table
+ lookups, TLS ticket secret sharing between nodes, TLS SNI to the
+ server, full tables replication between peers, ability to
+ instruct the kernel to quickly kill dead connections, support for
+ Linux namespaces, and a number of other less visible goodies. The
+ performance has also been improved a lot with support for server
+ connection multiplexing, much faster and cheaper HTTP compression
+ via libslz, and the addition of a pattern cache to speed up
+ certain expensive ACLs. The great flexibility offered by this
+ version will allow many users to significantly simplify their
+ configurations.
Some users will notice a huge performance boost + after they enable the features designed for them. + + for all the details see /usr/share/doc/packages/haproxy/CHANGELOG +- drop patches we pulled from upstream git: + 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch + 0002-DOC-usesrc-root-privileges-requirements.patch + 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch + 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch + 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch + 0006-DOC-typo-in-redirect-302-code-meaning.patch + 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch + 0008-CLEANUP-.gitignore-ignore-more-test-files.patch + 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch + 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch + 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch + 0012-DOC-ssl-missing-LF.patch + 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch + 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch + 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch +- refresh/redo patches to apply cleanly again: + old: haproxy-1.2.16_config_haproxy_user.patch + new: haproxy-1.6.0_config_haproxy_user.patch + old: haproxy-makefile_lib.patch + new: haproxy-1.6.0-makefile_lib.patch + old: sec-options.patch + new: haproxy-1.6.0-sec-options.patch +- added new haproxy.cfg to have a minimal config we can actually + launch! +- drop patch haproxy-1.5.8-fix-bashisms.patch: patched files no + longer exist +- drop haproxy.vim: we will use the copy which ships with the + upstream tarball now. 
+
+-------------------------------------------------------------------
+Wed Sep 23 19:26:54 UTC 2015 - dmueller@suse.com
+
+- fix haproxy status checks (bsc#947204)
+
+-------------------------------------------------------------------
+Tue Sep 8 09:10:02 UTC 2015 - kgronlund@suse.com
+
+- Backport patches from upstream:
+ - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
+ - BUG/MAJOR: http: don't call http_send_name_header() after an error
+- Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
+- Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
+
+-------------------------------------------------------------------
+Wed Aug 26 22:47:34 UTC 2015 - kgronlund@suse.com
+
+- Backport patches from upstream:
+ - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
+ - DOC: usesrc root privileges requirements
+ - BUILD: ssl: Allow building against libssl without SSLv3.
+ - DOC/MINOR: fix OpenBSD versions where haproxy works
+ - BUG/MINOR: http/sample: gmtime/localtime can fail
+ - DOC: typo in 'redirect', 302 code meaning
+ - DOC: mention that %ms is left-padded with zeroes.
+ - CLEANUP: .gitignore: ignore more test files
+ - CLEANUP: .gitignore: finally ignore everything but what is known.
+ - MEDIUM: config: emit a warning on a frontend without listener + - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry + - DOC: ssl: missing LF + - DOC: fix example of http-request using ssl_fc_session_id + +- Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch +- Add 0002-DOC-usesrc-root-privileges-requirements.patch +- Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch +- Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch +- Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch +- Add 0006-DOC-typo-in-redirect-302-code-meaning.patch +- Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch +- Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch +- Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch +- Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch +- Add 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch +- Add 0012-DOC-ssl-missing-LF.patch +- Add 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch + +------------------------------------------------------------------- +Fri Jul 3 16:37:55 UTC 2015 - kgronlund@suse.com + +- Update to 1.5.14 (CVE-2015-3281) (bsc#937042) + + BUILD/MINOR: tools: rename popcount to my_popcountl + + BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data + +------------------------------------------------------------------- +Fri Jun 26 11:45:33 UTC 2015 - kgronlund@suse.com + +- Update to 1.5.13 + - Dropped all patches backported from git, no further changes + than those patches provided. 
+ +- Removed patches: + + Remove 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch + + Remove 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch + + Remove 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch + + Remove 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch + + Remove 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch + + Remove 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch + + Remove 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch + + Remove 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch + + Remove 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch + + Remove 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch + + Remove 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch + + Remove 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch + + Remove 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch + + Remove 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch + + Remove 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch + + Remove 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch + + Remove 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch + + Remove 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch + + Remove 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch + + Remove 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch + + Remove 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch + + Remove 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch + + Remove 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch + + Remove 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch + + Remove 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch + + Remove 0026-DOC-relax-the-peers-restriction-to-single-process.patch + + Remove 
0027-CLEANUP-config-fix-misleading-information-in-error-m.patch + + Remove 0028-MINOR-config-report-the-number-of-processes-using-a-.patch + + Remove 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch + +------------------------------------------------------------------- +Thu Jun 25 15:01:34 UTC 2015 - kgronlund@suse.com + +- Backport upstream patches: + + DOC: Update doc about weight, act and bck fields in the statistics + + MINOR: ssl: add a destructor to free allocated SSL ressources + + BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten + + BUG/MINOR: cfgparse: fix typo in 'option httplog' error message + + BUG/MEDIUM: cfgparse: segfault when userlist is misused + + MEDIUM: ssl: replace standards DH groups with custom ones + + BUG/MINOR: debug: display (null) in place of "meth" + + CLEANUP: deinit: remove codes for cleaning p->block_rules + + BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id + + MEDIUM: init: don't stop proxies in parent process when exiting + + MINOR: peers: store the pointer to the signal handler + + MEDIUM: peers: unregister peers that were never started + + MEDIUM: config: propagate the table's process list to the peers sections + + MEDIUM: init: stop any peers section not bound to the correct process + + MEDIUM: config: validate that peers sections are bound to exactly one process + + MAJOR: peers: allow peers section to be used with nbproc > 1 + + DOC: relax the peers restriction to single-process + + CLEANUP: config: fix misleading information in error message. 
+ + MINOR: config: report the number of processes using a peers section in the error case + + BUG/MEDIUM: config: properly compute the default number of processes for a proxy + +- Added patches: + + Add 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch + + Add 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch + + Add 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch + + Add 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch + + Add 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch + + Add 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch + + Add 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch + + Add 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch + + Add 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch + + Add 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch + + Add 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch + + Add 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch + + Add 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch + + Add 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch + + Add 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch + + Add 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch + + Add 0026-DOC-relax-the-peers-restriction-to-single-process.patch + + Add 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch + + Add 0028-MINOR-config-report-the-number-of-processes-using-a-.patch + + Add 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch + +------------------------------------------------------------------- +Mon May 25 09:34:58 UTC 2015 - kgronlund@suse.com + +- BUG/MINOR: check: fix tcpcheck error message +- CLEANUP: checks: fix double usage of cur / current_step in tcp-checks +- BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end +- CLEANUP: checks: simplify the loop processing of tcp-checks 
+- BUG/MAJOR: checks: always check for end of list before proceeding
+- BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
+- BUG/MEDIUM: peers: apply a random reconnection timeout
+- Add 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
+- Add 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
+- Add 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
+- Add 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
+- Add 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
+- Add 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
+- Add 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
+
+-------------------------------------------------------------------
+Mon May 11 19:27:33 UTC 2015 - mrueckert@suse.de
+
+- added 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
+ BUG/MEDIUM: http: don't forward client shutdown without NOLINGER
+ except for tunnels
+
+-------------------------------------------------------------------
+Mon May 4 22:02:30 UTC 2015 - mrueckert@suse.de
+
+- added first patch from the 1.5 branch after the update:
+ 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
+
+-------------------------------------------------------------------
+Sat May 2 22:17:57 UTC 2015 - mrueckert@suse.de
+
+- update to 1.5.12
+ - BUG/MINOR: ssl: Display correct filename in error message
+ - DOC: Fix L4TOUT typo in documentation
+ - BUG/MEDIUM: Do not consider an agent check as failed on L7
+ error
+ - BUG/MINOR: pattern: error message missing
+ - BUG/MEDIUM: pattern: some entries are not deleted with case
+ insensitive match
+ - BUG/MEDIUM: buffer: one byte miss in buffer free space check
+ - BUG/MAJOR: http: don't read past buffer's end in
+ http_replace_value
+ - BUG/MEDIUM: http: the function "(req|res)-replace-value"
+ doesn't respect the HTTP syntax
+ - BUG/MEDIUM: peers: correctly configure the client timeout
+ - BUG/MINOR: compression: consider the
expansion factor in init
+ - BUG/MEDIUM: http: hdr_cnt would not count any header when
+ called without name
+ - BUG/MEDIUM: listener: don't report an error when resuming
+ unbound listeners
+ - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes
+ only
+ - BUG/MEDIUM: stream-int: always reset si->ops when si->end is
+ nullified
+ - BUG/MEDIUM: http: remove content-length from chunked messages
+ - DOC: http: update the comments about the rules for determining
+ transfer-length
+ - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding
+ to HTTP/1.1
+ - BUG/MEDIUM: http: incorrect transfer-coding in the request is a
+ bad request
+ - BUG/MEDIUM: http: remove content-length form responses with bad
+ transfer-encoding
+ - MEDIUM: http: restrict the HTTP version token to 1 digit as per
+ RFC7230
+ - MEDIUM: http: add option-ignore-probes to get rid of the floods
+ of 408
+ - BUG/MINOR: config: clear proxy->table.peers.p for disabled
+ proxies
+ - MINOR: stick-table: don't attach to peers in stopped state
+ - MEDIUM: config: initialize stick-tables after peers, not before
+ - MEDIUM: peers: add the ability to disable a peers section
+ - DOC: document option http-ignore-probes
+ - DOC: fix the comments about the meaning of msg->sol in HTTP
+ - BUG/MEDIUM: http: wait for the exact amount of body bytes in
+ wait_for_request_body
+ - BUG/MAJOR: http: prevent risk of reading past end with balance
+ url_param
+ - DOC: update the doc on the proxy protocol
+- remove patches that we pulled from the 1.5 tree
+ 0001-BUG-MINOR-pattern-error-message-missing.patch
+ 0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch
+ 0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch
+ 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch
+ 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch
+ 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch
+ 0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch
+
0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch
+ 0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch
+ 0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch
+ 0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch
+ 0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch
+
+-------------------------------------------------------------------
+Mon Apr 20 10:52:12 UTC 2015 - mrueckert@suse.de
+
+- pull 3 patches from upstream:
+ 0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch
+ 0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch
+ 0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch
+
+-------------------------------------------------------------------
+Thu Apr 2 10:54:29 UTC 2015 - mrueckert@suse.de
+
+- pull 3 patches from upstream:
+ 0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch
+ 0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch
+ 0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch
+
+-------------------------------------------------------------------
+Mon Mar 16 15:00:13 UTC 2015 - kgronlund@suse.com
+
+- pull 3 patches from upstream:
+ - BUG/MEDIUM: peers: correctly configure the client timeout
+ - BUG/MEDIUM: buffer: one byte miss in buffer free space check
+ - BUG/MAJOR: http: don't read past buffer's end in http_replace_value
+- Add 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch
+- Add 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch
+- Add 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch
+
+-------------------------------------------------------------------
+Thu Mar 5 22:10:56 UTC 2015 - mrueckert@suse.de
+
+- added another fix from upstream:
+ 0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch
+
+-------------------------------------------------------------------
+Wed Feb 11 12:38:06 GMT 2015 - aspiers@suse.com
+
+- haproxy.init: fix reload and force-reload not
to start a stopped
+ service
+
+-------------------------------------------------------------------
+Fri Feb 6 18:47:17 UTC 2015 - mrueckert@suse.de
+
+- pulled 2 patches from upstream:
+ 0001-BUG-MINOR-pattern-error-message-missing.patch
+ 0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch
+
+-------------------------------------------------------------------
+Sun Feb 1 08:27:43 UTC 2015 - mrueckert@suse.de
+
+- update to 1.5.11
+ - BUG/MEDIUM: backend: correctly detect the domain when
+ use_domain_only is used
+ - MINOR: ssl: load certificates in alphabetical order
+ - BUG/MINOR: checks: prevent http keep-alive with http-check
+ expect
+ - BUG/MEDIUM: Do not set agent health to zero if server is
+ disabled in config
+ - MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent
+ health is zero
+ - BUG/MINOR: stats:Fix incorrect printf type.
+ - DOC: add missing entry for log-format and clarify the text
+ - BUG/MEDIUM: http: fix header removal when previous header ends
+ with pure LF
+ - BUG/MEDIUM: channel: fix possible integer overflow on reserved
+ size computation
+ - BUG/MINOR: channel: compare to_forward with buf->i, not
+ buf->size
+ - MINOR: channel: add channel_in_transit()
+ - MEDIUM: channel: make buffer_reserved() use
+ channel_in_transit()
+ - MEDIUM: channel: make bi_avail() use channel_in_transit()
+ - BUG/MEDIUM: channel: don't schedule data in transit for leaving
+ until connected
+ - BUG/MAJOR: log: don't try to emit a log if no logger is set
+ - BUG/MINOR: args: add missing entry for ARGT_MAP in
+ arg_type_names
+ - BUG/MEDIUM: http: make http-request set-header compute the
+ string before removal
+ - BUG/MINOR: http: fix incorrect header value offset in
+ replace-hdr/replace-value
+ - BUG/MINOR: http: abort request processing on filter failure
+- drop patch included in update:
+ 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
+
+-------------------------------------------------------------------
+Tue Jan 6
09:28:16 UTC 2015 - mrueckert@suse.de
+
+- pull fix from usptream:
+ 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
+ BUG/MEDIUM: backend: correctly detect the domain when
+ use_domain_only is used
+
+-------------------------------------------------------------------
+Wed Dec 31 22:17:18 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.10
+ - DOC: fix a few typos
+ - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407
+ Unauthorized"
+ - BUG/MINOR: parse: refer curproxy instead of proxy
+ - DOC: httplog does not support 'no'
+ - MINOR: map/acl/dumpstats: remove the "Done." message
+ - BUG/MEDIUM: sample: fix random number upper-bound
+ - BUG/MEDIUM: patterns: previous fix was incomplete
+ - BUG/MEDIUM: payload: ensure that a request channel is available
+ - BUG/MINOR: tcp-check: don't condition data polling on check
+ type
+ - BUG/MEDIUM: tcp-check: don't rely on random memory contents
+ - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is
+ an expect
+ - BUG/MINOR: config: fix typo in condition when propagating
+ process binding
+ - BUG/MEDIUM: config: do not propagate processes between stopped
+ processes
+ - BUG/MAJOR: stream-int: properly check the memory allocation
+ return
+ - BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
+ - BUG/MEDIUM: compression: correctly report zlib_mem
+- drop patches that we pulled from git before:
+ 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch
+ 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch
+ 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch
+ 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch
+ 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch
+ 0006-DOC-fix-a-few-typos.patch
+ 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch
+ 0008-DOC-httplog-does-not-support-no.patch
+ 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch
+ 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch
+
0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch + 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch + +------------------------------------------------------------------- +Sat Dec 20 01:20:07 UTC 2014 - mrueckert@suse.de + +- pulled some more fixes from git: + 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch + 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch + 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch + 0006-DOC-fix-a-few-typos.patch + 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch + 0008-DOC-httplog-does-not-support-no.patch + 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch + 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch + 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch + 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch + + see patch headers for details. + +------------------------------------------------------------------- +Fri Nov 28 18:21:43 UTC 2014 - mrueckert@suse.de + +- pulled 2 fixes from git: + - 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch + Dmitry Sivachenko reported that commit + 315ec42 ("BUG/MEDIUM: pattern: don't load more than once a + pattern list.") relies on an uninitialised variable in the + stack. While it used to work fine during the tests, if the + uninitialized variable is non-null, some patterns may be + aggregated if loaded multiple times, resulting in slower + processing, which was the original issue it tried to address. + - 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch + Denys Fedoryshchenko reported a segfault when using certain + sample fetch functions in the "tcp-request connection" rulesets + despite the warnings. This is because some tests for the + existence of the channel were missing. 
+
+-------------------------------------------------------------------
+Wed Nov 26 12:29:42 UTC 2014 - ledest@gmail.com
+
+- fix bashisms in example scripts
+- add patches:
+ * haproxy-1.5.8-fix-bashisms.patch
+
+-------------------------------------------------------------------
+Wed Nov 26 11:50:42 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.9
+ - BUILD: fix "make install" to support spaces in the install dirs
+ - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl
+ healthchecks
+ - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in
+ case of OOM.
+ - BUG/MINOR: samples: fix unnecessary memcopy converting binary
+ to string.
+ - BUG/MEDIUM: connection: sanitize PPv2 header length before
+ parsing address information
+ - BUG/MEDIUM: pattern: don't load more than once a pattern list.
+ - BUG/MEDIUM: ssl: force a full GC in case of memory shortage
+ - BUG/MINOR: config: don't inherit the default balance algorithm
+ in frontends
+ - BUG/MAJOR: frontend: initialize capture pointers earlier
+ - BUG/MINOR: stats: correctly set the request/response analysers
+ - DOC: fix typo in the body parser documentation for msg.sov
+ - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not
+ trash.size
+ - MINOR: sample: add a few basic internal fetches (nbproc, proc,
+ stopping)
+ - BUG/MAJOR: sessions: unlink session from list on out of memory
+- Drop patches pulled from git
+ - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch
+ - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
+ - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
+ - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
+ - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch
+ - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch
+
+-------------------------------------------------------------------
+Thu Nov 20 06:56:23 UTC 2014 - kgronlund@suse.com
+
+- BUILD: fix "make install" to support spaces in
the install dirs
+- BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.
+- BUG/MEDIUM: ssl: force a full GC in case of memory shortage
+- BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
+- BUG/MINOR: config: don't inherit the default balance algorithm in frontends
+- BUG/MAJOR: frontend: initialize capture pointers earlier
+
+- Add patches:
+ - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch
+ - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
+ - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
+ - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
+ - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch
+ - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch
+
+-------------------------------------------------------------------
+Sun Nov 09 21:52:00 UTC 2014 - Led
+
+- fix bashisms in pre script
+
+-------------------------------------------------------------------
+Fri Oct 31 22:24:27 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.8
+ - BUG/MAJOR: buffer: check the space left is enough or not when
+ input data in a buffer is wrapped
+ - BUG/BUILD: revert accidental change in the makefile from latest
+ SSL fix
+- changes in 1.5.7
+ - BUG/MEDIUM: regex: fix pcre_study error handling
+ - BUG/MINOR: log: fix request flags when keep-alive is enabled
+ - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return
+ DER formatted certs
+ - MINOR: ssl: add statement to force some ssl options in global.
+ - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid
+ certificates
+ - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+ - BUG/MAJOR: cli: explicitly call cli_release_handler() upon
+ error
+ - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+ - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET
+ sockets
+- Dropped patches:
+ - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch
+ - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch
+ - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch
+ - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch
+
+-------------------------------------------------------------------
+Wed Oct 29 08:07:07 UTC 2014 - kgronlund@suse.com
+
+- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+- BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+- BUG/MINOR: log: fix request flags when keep-alive is enabled
+- BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+
+- Added patches:
+ - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch
+ - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch
+ - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch
+ - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch
+
+-------------------------------------------------------------------
+Sat Oct 18 18:23:29 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.6
+ - BUG/MEDIUM: systemd: set KillMode to 'mixed'
+ - MINOR: systemd: Check configuration before start
+ - BUG/MEDIUM: config: avoid skipping disabled proxies
+ - BUG/MINOR: config: do not accept more track-sc than configured
+ - BUG/MEDIUM: backend: fix URI hash when a query string is present
+- dropped patches that were pulled from upstream
+ 0001-BUG-MEDIUM-config-avoid-skipping-disabled-proxies.patch
+ 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch
+ 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch
+ 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch
+- dropped patch we sent upstream
+ haproxy-1.5_check_config_before_start.patch
+
+-------------------------------------------------------------------
+Fri Oct 17 16:03:39 UTC 2014 - kgronlund@suse.com
+
+- BUG/MINOR: config: do not accept more track-sc than configured
+- BUG/MEDIUM: backend: fix URI hash when a query string is present
+- Add patch: 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch
+- Add patch: 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch
+
+-------------------------------------------------------------------
+Fri Oct 10 20:01:33 UTC 2014 - kgronlund@suse.com
+
+- BUG/MEDIUM: config: avoid skipping disabled proxies
+- Add patch: 0001-BUG-MEDIUM-config-avoid-skipping-disabled-proxies.patch
+
+-------------------------------------------------------------------
+Thu Oct 9 14:24:45 UTC 2014 - kgronlund@suse.com
+
+- Fix check config before start patch to apply after previous patch
+- Update patch: haproxy-1.5_check_config_before_start.patch
+
+-------------------------------------------------------------------
+Thu Oct 9 14:14:35 UTC 2014 - kgronlund@suse.com
+
+- BUG/MEDIUM: systemd: set KillMode to 'mixed'
+- Add patch:
+ - 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch
+
+-------------------------------------------------------------------
+Wed Oct 8 12:53:41 UTC 2014 - kgronlund@suse.com
+
+- update to 1.5.5
+ - DOC: indicate that weight zero is reported as DRAIN
+ - DOC: Address issue where documentation is excluded due to a gitignore rule
+ - This update includes all previous patches since 1.5.4
+
+- Removed patches:
+ - 0001-DOC-clearly-state-that-the-show-sess-output-format-i.patch
+ - 0002-MINOR-stats-fix-minor-typo-fix-in-stats_dump_errors_.patch
+ - 0003-MEDIUM-Improve-signal-handling-in-systemd-wrapper.patch
+ - 0004-MINOR-Also-accept-SIGHUP-SIGTERM-in-systemd-wrapper.patch
+ - 0005-DOC-indicate-in-the-doc-that-track-sc-can-wait-if-da.patch
+ - 0006-MEDIUM-http-enable-header-manipulation-for-101-respo.patch
+ - 0007-BUG-MEDIUM-config-propagate-frontend-to-backend-proc.patch
+ - 0008-MEDIUM-config-properly-propagate-process-binding-bet.patch
+ - 0009-MEDIUM-config-make-the-frontends-automatically-bind-.patch
+ - 0010-MEDIUM-config-compute-the-exact-bind-process-before-.patch
+ - 0011-MEDIUM-config-only-warn-if-stats-are-attached-to-mul.patch
+ - 0012-MEDIUM-config-report-it-when-tcp-request-rules-are-m.patch
+ - 0013-MINOR-config-detect-the-case-where-a-tcp-request-con.patch
+ - 0014-MEDIUM-systemd-wrapper-support-multiple-executable-v.patch
+ - 0015-BUG-MEDIUM-remove-debugging-code-from-systemd-wrappe.patch
+ - 0016-BUG-MEDIUM-http-adjust-close-mode-when-switching-to-.patch
+ - 0017-BUG-MINOR-config-don-t-propagate-process-binding-on-.patch
+ - 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch
+ - 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch
+ - 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch
+
+-------------------------------------------------------------------
+Mon Oct 6 09:09:58 UTC 2014 - kgronlund@suse.com
+
+- Backported fixes:
+ - BUG/MEDIUM: http: adjust close mode when switching to backend
+ - BUG/MINOR: config: don't propagate process binding on fatal errors.
+ - BUG/MEDIUM: check: rule-less tcp-check must detect connect failures
+ - BUG/MINOR: tcp-check: report the correct failed step in the status
+ - BUG/MINOR: config: don't propagate process binding for dynamic use_backend
+
+- Added patches:
+ - 0016-BUG-MEDIUM-http-adjust-close-mode-when-switching-to-.patch
+ - 0017-BUG-MINOR-config-don-t-propagate-process-binding-on-.patch
+ - 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch
+ - 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch
+ - 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch
+
+-------------------------------------------------------------------
+Thu Sep 25 16:10:08 UTC 2014 - kgronlund@suse.com
+
+- Backported fixes (bnc#898498):
+ - DOC: clearly state that the "show sess" output format is not fixed
+ - MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer()
+ - MEDIUM: Improve signal handling in systemd wrapper.
+ - MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper
+ - DOC: indicate in the doc that track-sc* can wait if data are missing
+ - MEDIUM: http: enable header manipulation for 101 responses
+ - BUG/MEDIUM: config: propagate frontend to backend process binding again.
+ - MEDIUM: config: properly propagate process binding between proxies
+ - MEDIUM: config: make the frontends automatically bind to the listeners' processes
+ - MEDIUM: config: compute the exact bind-process before listener's maxaccept
+ - MEDIUM: config: only warn if stats are attached to multi-process bind directives
+ - MEDIUM: config: report it when tcp-request rules are misplaced
+ - MINOR: config: detect the case where a tcp-request content rule has no inspect-delay
+ - MEDIUM: systemd-wrapper: support multiple executable versions and names
+ - BUG/MEDIUM: remove debugging code from systemd-wrapper
+
+- Added patches:
+ - 0001-DOC-clearly-state-that-the-show-sess-output-format-i.patch
+ - 0002-MINOR-stats-fix-minor-typo-fix-in-stats_dump_errors_.patch
+ - 0003-MEDIUM-Improve-signal-handling-in-systemd-wrapper.patch
+ - 0004-MINOR-Also-accept-SIGHUP-SIGTERM-in-systemd-wrapper.patch
+ - 0005-DOC-indicate-in-the-doc-that-track-sc-can-wait-if-da.patch
+ - 0006-MEDIUM-http-enable-header-manipulation-for-101-respo.patch
+ - 0007-BUG-MEDIUM-config-propagate-frontend-to-backend-proc.patch
+ - 0008-MEDIUM-config-properly-propagate-process-binding-bet.patch
+ - 0009-MEDIUM-config-make-the-frontends-automatically-bind-.patch
+ - 0010-MEDIUM-config-compute-the-exact-bind-process-before-.patch
+ - 0011-MEDIUM-config-only-warn-if-stats-are-attached-to-mul.patch
+ - 0012-MEDIUM-config-report-it-when-tcp-request-rules-are-m.patch
+ - 0013-MINOR-config-detect-the-case-where-a-tcp-request-con.patch
+ - 0014-MEDIUM-systemd-wrapper-support-multiple-executable-v.patch
+ - 0015-BUG-MEDIUM-remove-debugging-code-from-systemd-wrappe.patch
+
+-------------------------------------------------------------------
+Wed Sep 3 07:35:14 UTC 2014 - kgronlund@suse.com
+
+- update to 1.5.4 (bnc#895849 CVE-2014-6269)
+ - BUG: config: error in http-response replace-header number of arguments
+ - BUG/MINOR: Fix search for -p argument in systemd wrapper.
+ - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
+ - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
+ - MEDIUM: connection: add new bit in Proxy Protocol V2
+ - BUG/MINOR: server: move the directive #endif to the end of file
+ - BUG/MEDIUM: http: tarpit timeout is reset
+ - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc*
+ - BUG/MEDIUM: http: fix inverted condition in pat_match_meth()
+ - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs
+ - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg()
+ - BUG/MEDIUM: acl: correctly compute the output type when a converter is used
+ - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix
+ - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer
+
+- Dropped patches:
+ - 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
+ - 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
+ - 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
+ - 0004-BUG-config-error-in-http-response-replace-header-num.patch
+ - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
+
+-------------------------------------------------------------------
+Fri Aug 22 14:38:59 UTC 2014 - mrueckert@suse.de
+
+- pull 2 more fixes from git:
+ - 0004-BUG-config-error-in-http-response-replace-header-num.patch
+ A couple of typo fixed in 'http-response replace-header':
+ - an error when counting the number of arguments
+ - a typo in the alert message
+ - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
+ Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
+ (1.5-dev24-8), the tarpit section set timeout and return, after
+ this commit, the tarpit section set the timeout, and go to the
+ "done" label which reset the timeout.
+
+-------------------------------------------------------------------
+Wed Jul 30 09:47:38 UTC 2014 - mrueckert@suse.de
+
+- pull important fixes from git:
+ 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
+ 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
+ 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
+ Especially the last patch is important:
+ As a consequence of various recent changes on the sample
+ conversion, a corner case has emerged where it is possible to
+ wait forever for a sample in track-sc*.
+
+-------------------------------------------------------------------
+Mon Jul 28 11:33:14 UTC 2014 - kgronlund@suse.com
+
+- update to 1.5.3
+ - DOC: fix typo in Unix Socket commands
+ - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
+ - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
+ - DOC: mention that Squid correctly responds 400 to PPv2 header
+ - BUG/MINOR: http: base32+src should use the big endian version of base32
+ - BUG/MEDIUM: connection: fix proxy v2 header again!
+- Removed backported patches:
+ - 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
+ - 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
+ - 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
+ - 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
+ - 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
+ - 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch
+
+-------------------------------------------------------------------
+Mon Jul 21 13:45:40 UTC 2014 - mrueckert@suse.de
+
+- added 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch:
+ Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory
+ corruption when building a proxy v2 header") was wrong, using
+ &cn_trash instead of cn_trash resulting in a warning and the
+ client's SSL cert CN not being stored at the proper location.
+
+-------------------------------------------------------------------
+Fri Jul 18 15:01:53 UTC 2014 - mrueckert@suse.de
+
+- added
+ 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch:
+ BUG/MEDIUM: connection: fix memory corruption when building a
+ proxy v2 header
+
+-------------------------------------------------------------------
+Thu Jul 17 10:45:28 UTC 2014 - mrueckert@suse.de
+
+- pulled a few fixes from the 1.5 branch: most notable the DHE
+ memleak fix. Adds the following patches:
+ 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
+ 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
+ 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
+ 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
+
+-------------------------------------------------------------------
+Sat Jul 12 16:56:27 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.2
+ - BUG/MEDIUM: backend: Update hash to use unsigned int throughout
+ - BUG/MINOR: ssl: Fix external function in order not to return a
+ pointer on an internal trash buffer.
+ - DOC: expand the docs for the provided stats.
+ - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets
+ upon failure.
+ - MINOR: stats: fix minor typo in HTML page
+ - BUG/MEDIUM: http: fetch "base" is not compatible with
+ set-header
+ - BUG/MINOR: counters: do not untrack counters before logging
+ - BUG/MAJOR: sample: correctly reinitialize sample fetch context
+ before calling sample_process()
+ - MINOR: stick-table: make stktable_fetch_key() indicate why it
+ failed
+ - BUG/MEDIUM: counters: fix track-sc* to wait on unstable
+ contents
+ - BUILD: remove TODO from the spec file and add README
+ - MINOR: log: make MAX_SYSLOG_LEN overridable at build time
+ - MEDIUM: log: support a user-configurable max log line length
+ - DOC: provide an example of how to use ssl_c_sha1
+ - BUILD: http: fix isdigit & isspace warnings on Solaris
+ - BUG/MINOR: listener: set the listener's fd to -1 after deletion
+ - BUG/MEDIUM: unix: failed abstract socket binding is retryable
+ - MEDIUM: listener: implement a per-protocol pause() function
+ - MEDIUM: listener: support rebinding during resume()
+ - BUG/MEDIUM: unix: completely unbind abstract sockets during a
+ pause()
+ - DOC: explicitly mention the limits of abstract namespace
+ sockets
+ - DOC: minor fix on {sc,src}_kbytes_{in,out}
+ - DOC: fix alphabetical sort of converters
+ - BUG/MAJOR: http: correctly rewind the request body after start
+ of forwarding
+ - DOC: remove references to CPU=native in the README
+ - DOC: mention that "compression offload" is ignored in defaults
+ section
+- drop patches including in version upgrade.
+ - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
+ - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
+ - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
+ - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
+ - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
+ - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
+- use www.haproxy.org now instead of the old domain which is just
+ redirecting to haproxy.org now.
+
+-------------------------------------------------------------------
+Tue Jul 1 12:13:33 UTC 2014 - kgronlund@suse.com
+
+- BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents
+- MINOR: stick-table: make stktable_fetch_key() indicate why it failed
+- BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process()
+- BUG/MINOR: counters: do not untrack counters before logging
+- BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
+- BUG/MEDIUM: http: fetch "base" is not compatible with set-header
+
+- Add patches:
+ - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
+ - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
+ - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
+ - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
+ - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
+ - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
+
+-------------------------------------------------------------------
+Tue Jun 24 15:55:48 UTC 2014 - mrueckert@suse.de
+
+- install the vim file into the versioned directory and dont cover
+ the current symlink with a directory
+
+-------------------------------------------------------------------
+Tue Jun 24 13:00:39 UTC 2014 - mrueckert@suse.de
+
+- add Requires to vim to make the ownership of the vim directory
+ clear and not break any symlink handling the vim package might
+ use.
+
+-------------------------------------------------------------------
+Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.1
+ - BUG/MINOR: config: http-request replace-header arg typo
+ - BUG/MINOR: ssl: rejects OCSP response without nextupdate.
+ - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
+ - BUG/MINOR: ssl: Fix OCSP resp update fails with the same
+ certificate configured twice. (cherry picked from commit
+ 1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f)
+ - BUG/MEDIUM: Consistently use 'check' in process_chk
+ - BUG/MAJOR: session: revert all the crappy client-side timeout
+ changes
+ - BUG/MINOR: logs: properly initialize and count log sockets
+- drop haproxy-1.5.0_consistently_use_check.patch:
+ included upstream
+
+-------------------------------------------------------------------
+Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com
+
+- Install vim file to a more appropriate location
+
+-------------------------------------------------------------------
+Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com
+
+- added pre macro for systemd service file
+
+-------------------------------------------------------------------
+Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com
+
+- Use better systemd detection consistently
+
+-------------------------------------------------------------------
+Sun Jun 22 19:48:11 UTC 2014 - mrueckert@suse.de
+
+- pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6:
+ Consistently use 'check' in process_chk
+ I am not entirely sure that this is a bug, but it seems
+ to me that it may cause a problem if there agent-check is
+ configured and there is some kind of error making a connection
+ for it.
+ adds patch haproxy-1.5.0_consistently_use_check.patch
+
+-------------------------------------------------------------------
+Fri Jun 20 14:37:21 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.0
+ For people who don't follow the development versions, 1.5 expands
+ 1.4 with many new features and performance improvements,
+ including native SSL support on both sides with SNI/NPN/ALPN and
+ OCSP stapling, IPv6 and UNIX sockets are supported everywhere,
+ full HTTP keep-alive for better support of NTLM and improved
+ efficiency in static farms, HTTP/1.1 compression (deflate, gzip)
+ to save bandwidth, PROXY protocol versions 1 and 2 on both sides,
+ data sampling on everything in request or response, including
+ payload, ACLs can use any matching method with any input sample
+ maps and dynamic ACLs updatable from the CLI stick-tables support
+ counters to track activity on any input sample custom format for
+ logs, unique-id, header rewriting, and redirects, improved health
+ checks (SSL, scripted TCP, check agent, ...), much more scalable
+ configuration supports hundreds of thousands of backends and
+ certificates without sweating.
+
+ For all the details see /usr/share/doc/packages/haproxy/CHANGELOG
+
+- enable tcp fast open if the kernel is recent enough
+- enable PCRE JIT if PCRE is recent enough
+- enable openssl support!
+ - haproxy can finally terminate ssl itself and also talk SSL to
+ the backend servers.
+ - including SNI/NPN/ALPN support.
+ new buildrequires openssl and pkgconfig
+- enable deflate support
+ new buildrequires zlib-devel
+- enable transparent proxy support
+- enable usage of accept4. reduces the syscall amount.
+- enable building and installing of halog
+- install vim file into the correct place
+- dropped patches:
+ 0001-MEDIUM-add-systemd-service.patch
+ 0002-MEDIUM-add-haproxy-systemd-wrapper.patch
+ 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
+ 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
+ 0005-BUILD-stdbool-is-not-portable-again.patch
+ 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
+ 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
+ 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
+ 0009-openSUSE-Configure-haproxy-user.patch
+ 0010-openSUSE-Fix-path-to-PCRE-library.patch
+ 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
+ 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
+ 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
+ 0014-MINOR-systemd-wrapper-improve-logging.patch
+ 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
+- added haproxy-1.2.16_config_haproxy_user.patch:
+ (replaces 0009-openSUSE-Configure-haproxy-user.patch)
+- added haproxy-1.5_check_config_before_start.patch:
+ systemd allows us to run other things before we start the final
+ daemon. use this to check the configuration before launching.
+- added haproxy-makefile_lib.patch
+ (replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch)
+- added sec-options.patch:
+ allow it more easily to build haproxy with PIE, stackprotector
+ and relro. all those options are enabled on our build.
+- added apparmor profile
+ usr.sbin.haproxy.apparmor
+ local.usr.sbin.haproxy.apparmor
+- change the conditionals for systemd to use bcond_with to make it
+ more obvious what we are guarding.
+
+-------------------------------------------------------------------
+Wed May 21 10:50:21 UTC 2014 - jsegitz@novell.com
+
+- added necessary macros for systemd files
+
+-------------------------------------------------------------------
+Tue May 6 06:12:08 UTC 2014 - kgronlund@suse.com
+
+- update to 1.4.25 (bnc#876438)
+ - DOC: typo: nosepoll self reference in config guide
+ - BUG/MINOR: deinit: free fdinfo while doing cleanup
+ - BUG/MEDIUM: server: set the macro for server's max weight SRV_UWGHT_MAX to SRV_UWGHT_RANGE
+ - BUG/MINOR: use the same check condition for server as other algorithms
+ - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN for recv()
+ - BUG/MINOR: fix forcing fastinter in "on-error"
+ - BUG/MEDIUM: http/auth: Sometimes the authentication credentials can be mix between two requests
+ - BUG/MAJOR: http: don't emit the send-name-header when no server is available
+ - BUG/MEDIUM: http: "option checkcache" fails with the no-cache header
+ - MEDIUM: session: disable lingering on the server when the client aborts
+ - MINOR: config: warn when a server with no specific port uses rdp-cookie
+ - MEDIUM: increase chunk-size limit to 2GB-1
+ - DOC: add a mention about the limited chunk size
+ - MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
+ - BUILD: proto_tcp: remove a harmless warning
+ - BUG/MINOR: acl: remove patterns from the tree before freeing them
+ - BUG/MEDIUM: checks: fix slow start regression after fix attempt
+ - BUG/MAJOR: server: weight calculation fails for map-based algorithms
+ - BUG/MINOR: backend: fix target address retrieval in transparent mode
+ - BUG/MEDIUM: stick: completely remove the unused flag from the store entries
+ - BUG/MEDIUM: stick-tables: complete the latest fix about store-responses
+ - BUG/MEDIUM: checks: tracking servers must not inherit the MAINT flag
+ - BUG/MINOR: stats: report correct throttling percentage for servers in slowstart
+ - BUG/MINOR: stats: correctly report throttle rate of low weight servers
+ - BUG/MINOR: checks: successful check completion must not re-enable MAINT servers
+ - BUG/MEDIUM: stats: the web interface must check the tracked servers before enabling
+ - BUG/MINOR: channel: initialize xfer_small/xfer_large on new buffers
+ - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN
+ - BUG/MEDIUM: http: don't start to forward request data before the connect
+ - DOC: fix misleading information about SIGQUIT
+ - BUILD: simplify the date and version retrieval in the makefile
+ - BUILD: prepare the makefile to skip format lines in SUBVERS and VERDATE
+ - BUILD: use format tags in VERDATE and SUBVERS files
+
+- Reorganized patches and backported fixes for systemd wrapper:
+ - Renamed 0006-haproxy-1.2.16_config_haproxy_user.patch to 0009-openSUSE-Configure-haproxy-user.patch
+ - Renamed 0007-haproxy-makefile_lib.patch to 0010-openSUSE-Fix-path-to-PCRE-library.patch
+ - Removed 0008-MEDIUM-haproxy-systemd-wrapper-Revised-implementatio.patch
+ - Added 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
+ - Added 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
+ - Added 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
+ - Added 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
+ - Added 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
+ - Added 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
+ - Added 0014-MINOR-systemd-wrapper-improve-logging.patch
+ - Added 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
+
+-------------------------------------------------------------------
+Fri Nov 22 09:54:48 UTC 2013 - kgronlund@suse.com
+
+- Backport haproxy-systemd-wrapper from upstream
+- Patch haproxy-systemd-wrapper to work on openSUSE
+
+-------------------------------------------------------------------
+Thu Oct 31 12:46:04 UTC 2013 - kgronlund@suse.com
+
+- Remove duplicate Requires: from .spec file.
+
+-------------------------------------------------------------------
+Thu Oct 31 12:41:12 UTC 2013 - kgronlund@suse.com
+
+- Re-enable sysvinit support for older versions
+ (server:http still builds for older versions)
+
+-------------------------------------------------------------------
+Mon Oct 28 14:32:00 UTC 2013 - p.drouand@gmail.com
+
+- Add systemd support
+ Target distributions all support systemd; keep alive sysvinit support
+ is useless
+
+-------------------------------------------------------------------
+Thu Oct 10 15:16:32 UTC 2013 - cdenicolo@suse.com
+
+- license update: GPL-2.0+ and LGPL-2.1+
+ only header files are LGPL, the rest is still GPL
+
+-------------------------------------------------------------------
+Tue Jun 18 09:14:13 UTC 2013 - mrueckert@suse.de
+
+- update to 1.4.24 (bnc#825412)
+ - BUG/MAJOR: backend: consistent hash can loop forever in certain
+ circumstances
+ - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks
+ are used
+ - MEDIUM: protocol: implement a "drain" function in protocol
+ layers
+ - BUG/CRITICAL: fix a possible crash when using negative header
+ occurrences CVE-2013-2175
+
+-------------------------------------------------------------------
+Wed Apr 3 14:47:43 UTC 2013 - mrueckert@suse.de
+
+- update to 1.4.23 CVE-2013-1912
+ - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
+ - BUG: fix garbage data when http-send-name-header replaces an
+ existing header
+ - BUG/MEDIUM: remove supplementary groups when changing gid
+ - BUG/MINOR: Correct logic in cut_crlf()
+ - BUG/MINOR: config: use a copy of the file name in proxy
+ configurations
+ - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
+ - MINOR: halog: sort output by cookie code
+ - BUG/MINOR: halog: -ad/-ac report the correct number of output
+ lines
+ - BUG/MINOR: halog: fix help message for -ut/-uto
+ - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel
+ mode
+ - BUG/MEDIUM: command-line option -D must have precedence over
+ "debug"
+ - OPTIM: halog: keep a fast path for the lines-count only
+ - MINOR: halog: add a parameter to limit output line count
+ - BUG: halog: fix broken output limitation
+ - MEDIUM: checks: avoid accumulating TIME_WAITs during checks
+ - MEDIUM: checks: prevent TIME_WAITs from appearing also on
+ timeouts
+ - BUG/MAJOR: cli: show sess may randomly corrupt the
+ back-ref list
+ - BUG/MINOR: http: don't report client aborts as server errors
+ - BUG/MINOR: http: don't log a 503 on client errors while waiting
+ for requests
+ - BUG/MEDIUM: tcp: process could theorically crash on lack of
+ source ports
+ - BUG/MINOR: http: don't abort client connection on premature
+ responses
+ - BUILD: no need to clean up when making git-tar
+ - MINOR: http: always report PR-- flags for redirect rules
+ - BUG/MINOR: time: frequency counters are not totally accurate
+ - BUG/MINOR: http: don't process abortonclose when request was
+ sent
+ - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait()
+ - BUG/MINOR: config: fix improper check for failed memory alloc
+ in ACL parser
+ - BUG/MEDIUM: checks: ensure the health_status is always within
+ bounds
+ - CLEANUP: http: remove a useless null check
+ - BUG/MEDIUM: signal: signal handler does not properly check for
+ signal bounds
+ - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on
+ memory shortage
+ - CLEANUP: config: slowstart is never negative
+ - BUILD: improve the makefile's support for libpcre
+ - BUG/MINOR: checks: fix an warning introduced by commit 2f61455a
+ - MEDIUM: halog: add support for counting per source address
+ (-ic)
+ - DOC: mention the new HTTP 307 and 308 redirect statues
+ (cherry picked from commit
+ b67fdc4cd8bde202f2805d98683ddab929469a05)
+ - MEDIUM: poll: do not use FD_* macros anymore
+ - BUG/MAJOR: ev_select: disable the select() poller if maxsock >
+ FD_SETSIZE
+ - BUILD: enable poll() by default in the makefile
+ - BUILD: add explicit support for Mac OS/X
+ - BUG/CRITICAL: using HTTP information in tcp-request content may
+ crash the process CVE-2013-1912
+ - MEDIUM: http: implement redirect 307 and 308
+ - MINOR: http: status 301 should not be marked non-cacheable
+- adapt haproxy-makefile_lib.patch to the rewritten Makefile
+
+-------------------------------------------------------------------
+Mon Nov 12 14:10:33 UTC 2012 - mrueckert@suse.de
+
+- switch license tag to spdx format.
+
+-------------------------------------------------------------------
+Mon Nov 12 13:50:46 UTC 2012 - mrueckert@suse.de
+
+- update to 1.4.22
+ - BUG/MEDIUM: option forwardfor if-none doesn't work with some
+ configurations
+ - MINOR: balance uri: added 'whole' parameter to include query
+ string in hash calculation
+ - DOC: specify the default value for maxconn in the context of a
+ proxy
+ - BUG/MINOR: checks: expire on timeout.check if smaller than
+ timeout.connect
+ - REORG/MINOR: use dedicated proxy flags for the cookie handling
+ - BUG/MINOR: config: do not report twice the incompatibility
+ between cookie and non-http
+ - MINOR: http: add support for "httponly" and "secure" cookie
+ attributes
+ - MEDIUM: stats: add support for soft stop/soft start in the
+ admin interface
+ - BUILD: add support for linux kernels >= 2.6.28
+ - MINOR: contrib/iprange: add a network IP range to mask
+ converter
+ - BUILD: add an AIX 5.2 (and later) target.
+ - MINOR: halog: use the more recent dual-mode fgets2
+ implementation
+ - BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on
+ full-length matches
+ - CLEANUP: halog: make clean should also remove .o files
+ (cherry picked from commit
+ 8ad4193100aafa19f04929670371bf823dbe11d0)
+ - OPTIM: halog: make use of memchr() on platforms which provide a
+ fast one
+ - OPTIM: halog: improve cold-cache behaviour when loading a file
+ - [MINOR] config: make it possible to specify a cookie even
+ without a server
+ - MINOR: config: tolerate server "cookie" setting in non-HTTP
+ mode
+ - BUG/MINOR: tarpit: fix condition to return the HTTP 500 message
+
+-------------------------------------------------------------------
+Tue Oct 30 16:02:03 UTC 2012 - mrueckert@suse.de
+
+- fix description in the init script
+
+-------------------------------------------------------------------
+Tue May 22 16:47:45 UTC 2012 - pascal.bleser@opensuse.org
+
+- update to 1.4.21 (bnc#763833) CVE-2012-2391
+ - MINOR: patch for minor typo (ressources/resources)
+ - CLEANUP: fix typo in findserver() log message
+ - DOC: cleanup indentation, alignment, columns and chapters
+ - DOC: fix some keywords arguments documentation
+ - MINOR: stats admin: allow unordered parameters in POST requests
+ - MINOR: stats admin: use the backend id instead of its name in
+ the form
+ - BUG/MAJOR: trash must always be the size of a buffer
+ - DOC: fix minor regex example issue and improve doc on stats
+ - BUG/MAJOR: possible crash when using capture headers on TCP
+ frontends
+ - MINOR: config: disable header captures in TCP mode and complain
+ - BUG/MEDIUM: balance source did not properly hash IPv6 addresses
+ - CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
+ - CLEANUP: remove a few warning about unchecked return values in
+ debug code
+ - CLEANUP: http: remove unused http_msg->col
+ - BUG/MINOR: http: error snapshots are wrong if buffer wraps
+ - BUG/MAJOR: checks: don't call set_server_status_* when no LB
+ algo is set
+ - MINOR: proxy: make findproxy() return proxies from numeric IDs
+ too
+ - BUILD: http: stop gcc-4.1.2 from complaining about possibly
+ uninitialized values
+ - BUG/MINOR: stop connect timeout when connect succeeds
+
+-------------------------------------------------------------------
+Sun Mar 11 19:16:20 UTC 2012 - pascal.bleser@opensuse.org
+
+- update to 1.4.20:
+ - BUG/MINOR: fix typo in processing of http-send-name-header
+ - BUG/MEDIUM: correctly disable servers tracking another disabled servers.
+ - BUG/MEDIUM: zero-weight servers must not dequeue requests from the backend
+ - MINOR: halog: add some help on the command line (cherry picked from
+ commit 615674cdec067066a42f53f5d55628ab7b207e6c)
+ - BUG: queue: fix dequeueing sequence on HTTP keep-alive sessions
+ - BUG: http: disable TCP delayed ACKs when forwarding content-length data
+ - BUG: checks: fix server maintenance exit sequence
+ - BUG/MINOR: stream_sock: don't remove BF_EXPECT_MORE and BF_SEND_DONTWAIT on
+ partial writes
+ - DOC: enumerate valid status codes for "observe layer7"
+
+-------------------------------------------------------------------
+Wed Feb 8 15:30:58 UTC 2012 - mrueckert@suse.de
+
+- update to 1.4.19
+ - MEDIUM: http: add support for sending the server's name in the
+ outgoing request
+ - BUG/MINOR: fix options forwardfor if-none when an alternative
+ header name is specified
+ - MINOR: task: new function task_schedule() to schedule a wake up
+ - BUG/MEDIUM: checks: fix slowstart behaviour when server
+ tracking is in use
+ - BUG: tcp: option nolinger does not work on backends
+ - BUG: ebtree: ebst_lookup() could return the wrong entry
+ - BUG: http: re-enable TCP quick-ack upon incomplete HTTP
+ requests
+ - CLEANUP: ebtree: remove a few annoying signedness warnings
+ - CLEANUP: ebtree: remove 4-year old harmless typo in duplicates
+ insertion code
+ - CLEANUP: ebtree: remove another typo, a wrong initialization in
+ insertion code
+ - BUG:
proto_tcp: set AF_INET on tproxy for use with recent + kernels + - MINOR: halog: add support for matching queued requests + - BUG: http: tighten the list of allowed characters in a URI + +------------------------------------------------------------------- +Wed Nov 9 12:09:33 UTC 2011 - mrueckert@suse.de + +- update to 1.4.18 + - [MINOR] http: *_dom matching header functions now also split on + ":" + - [MINOR] halog: support backslash-escaped quotes + - BUILD/MINOR: fix the source URL in the spec file + - DOC: acl is http_first_req, not http_req_first + - BUG/MEDIUM: don't trim last spaces from headers consisting only + of spaces + - MINOR: acl: add new matches for header/path/url length + - [MINOR] halog: do not consider byte 0x8A as end of line + - [OPTIM] halog: make fgets parse more bytes by blocks + - [OPTIM] halog: add assembly version of the field lookup code + - [CLEANUP] startup: report only the basename in the usage + message + - [DOC] update the README file to reflect new naming rules for + patches + +------------------------------------------------------------------- +Mon Sep 05 22:26:59 UTC 2011 - pascal.bleser@opensuse.org + +- update to 1.4.17: + - [MINOR] halog: add support for termination code matching (-tcn/-TCN) + - [MINOR] halog: make SKIP_CHAR stop on field delimiters + - [MINOR] halog: add support for HTTP log matching (-H) + - [MINOR] halog: gain back performance before SKIP_CHAR fix + - [OPTIM] halog: cache some common fields positions + - [OPTIM] halog: check once for correct line format and reuse the pointer + - [OPTIM] halog: remove many 'if' by using a function pointer for the filters + - [OPTIM] halog: remove support for tab delimiters in input data + - [MINOR] halog: add -hs/-HS to filter by HTTP status code range + - [CLEANUP] update the year in the copyright banner + - [BUG] check: http-check expect + regex would crash in defaults section + - [MEDIUM] http: make x-forwarded-for addition conditional + - [DOC] fixed a few "sensible" -> 
"sensitive" errors + - [MINOR] stats: display "" instead of the frontend name when unknown + - [BUG] http: trailing white spaces must also be trimmed after headers + - [MINOR] http: take a capture of too large requests and responses + - [MINOR] http: take a capture of truncated responses + - [MINOR] http: take a capture of bad content-lengths. + +------------------------------------------------------------------- +Sat Aug 13 22:49:36 UTC 2011 - mrueckert@suse.de + +- update to version 1.4.16 + - [BUG] checks: fix support of Mysqld >= 5.5 for mysql-check + - [DOC] Minor spelling fixes and grammatical enhancements + - [CLEANUP] Remove assigned but unused variables + - [BUG] checks: http-check expect could fail a check on + multi-packet responses + - [DOC] fix minor typo in the "dispatch" doc + - [MINOR] http: make the "HTTP 200" status code configurable. + - [MINOR] http: partially revert the chunking optimization for + now + - [MINOR] stream_sock: always clear BF_EXPECT_MORE upon complete + transfer + - [CLEANUP] stream_sock: remove unneeded FL_TCP and factor out + test + - [MEDIUM] http: add support for "http-no-delay" + - [OPTIM] http: optimize chunking again in non-interactive mode + - [OPTIM] stream_sock: avoid fast-forwarding of partial data + - [OPTIM] stream_sock: don't use splice on too small payloads + - [BUG] stats: support url-encoded forms + - [BUG] halog: correctly handle truncated last line + - [DOC] fix typos, "#" is a sharp, not a dash + +------------------------------------------------------------------- +Fri Apr 15 22:14:24 UTC 2011 - pascal.bleser@opensuse.org + +- revert splitting out the documentation + +------------------------------------------------------------------- +Thu Apr 14 19:18:45 UTC 2011 - pascal.bleser@opensuse.org + +- split out documentation and examples into haproxy-doc +- add rpmlintrc to suppress false positive warnings about + script examples in documentation files (without exec flag) +- fix license + 
+------------------------------------------------------------------- +Tue Apr 12 15:31:38 UTC 2011 - mrueckert@suse.de + +- update to version 1.4.15 + - [CRITICAL] fix risk of crash when dealing with space in + response cookies +- additional changes from 1.4.14 + - [MINOR] config: fix endianness of server check port + - [BUG] http: fix possible incorrect forwarded wrapping chunk + size (take 2) + - [MINOR] tools: add two macros MID_RANGE and MAX_RANGE + - [BUG] http: fix content-length handling on 32-bit platforms + - [OPTIM] buffers: uninline buffer_forward() + +------------------------------------------------------------------- +Wed Mar 9 12:00:23 UTC 2011 - mrueckert@suse.de + +- update to 1.4.13 + - config: don't crash on empty pattern files. +- additional changes from 1.4.12 + - stats: add support for several packets in stats admin + - stats: admin commands must check the proxy state + - stats: admin web interface must check the proxy state + - http: update the header list's tail when removing the last + header + - fix typos (http-request instead of http-check) (cherry + picked from commit 8f2a1e72bebea700f37add40997b716fdfd86b9c) + - http: use correct ACL pointer when evaluating authentication + - cfgparse: correctly count one socket per port in ranges + - startup: set the rlimits before binding ports, not after. 
+ - acl: srv_id must return no match when the server is NULL + - acl: fd leak when reading patterns from file + - fix minor typo in "usesrc" + - http: fix possible incorrect forwarded wrapping chunk size + - http: fix computation of message body length after forwarding + has started + - http: balance url_param did not work with first parameters on + POST + - update the url_param regression test to test check_post too + +------------------------------------------------------------------- +>>>>>>> ./haproxy.changes.r40 +Tue Feb 15 14:30:53 UTC 2011 - mrueckert@suse.de + +- update to 1.4.11 + - cfgparse: Check whether the path given for the stats socket + actually fits into the sockaddr_un structure to avoid + truncation. + - fix a minor typo + - fix ignore-persist documentation + - http: fix http-pretend-keepalive and httpclose/tunnel mode + - add warnings on features not compatible with multi-process mode + - acl: add be_id/srv_id to match backend's and server's id + - log: add support for passing the forwarded hostname + - log: ability to override the syslog tag + - fix minor typos in the doc + - fix another typo in the doc + - http chunking: don't report a parsing error on connection + errors + - stream_interface: truncate buffers when sending error messages + - http: fix incorrect error reporting during data transfers + - session: correctly leave turn-around and queue states on abort + - session: release slot before processing pending connections + - stats: report HTTP message state and buffer flags in error + dumps + - http: support wrapping messages in error captures + - http: capture incorrectly chunked message bodies + - stats: add global event ID and count + - http: don't send each chunk in a separate packet + - acl: fix handling of empty lines in pattern files + - ebtree: fix ebmb_lookup() with len smaller than the tree's keys + - ebtree: ebmb_lookup: reduce stack usage by moving the return + code out of the loop + 
+------------------------------------------------------------------- +Mon Nov 29 13:57:37 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.10: + * a possible crash when using Cookie-based persistence with + appsessions was fixed + * header processing could become wrong after a single reqidel + rule removed exactly two headers + * some out-of-memory conditions were not correctly handled in + appsession or cookie captures + * users of appsessions are strongly encouraged to upgrade + +------------------------------------------------------------------- +Tue Nov 2 13:11:15 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.9: + * the Web interface now allows you to enable or disable servers + * the ECV and LDAPv3 checks were merged + * the MySQL check was improved to support a real login sequence + * persistence cookies can now be timestamped to support a maximum + idle time and a maximum life time, and can be removed by the + server if needed (e.g. logout) + * the SNMP plugin was improved to report socket stats + * some Cacti templates were merged + * the halog tool can now instantly report per-URL response times + +------------------------------------------------------------------- +Tue Aug 17 15:46:13 UTC 2010 - mrueckert@suse.de + +- implement graceful restart in the init script + +------------------------------------------------------------------- +Tue Jun 22 14:49:12 UTC 2010 - mrueckert@suse.de + +- update to 1.4.8: + * mention 'option http-server-close' effect in Tq section + * summarize and highlight persistent connections behaviour + * add configuration samples + * stick_table: the fix for the memory leak caused a regression + * client: don't add a new session to the list too early + +------------------------------------------------------------------- +Thu Jun 10 09:03:34 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.7: + * fixes problems where consistent hashing was broken when no + server ID was specified in the configuration + * 
some errors were incorrectly reported as failed instead of + denied in the statistics + * the dispatch and http_proxy modes were fixed + * a few termination flags in the logs used for troubleshooting + were corrected + * a few other minor issues were fixed + * upgrading is recommended + +------------------------------------------------------------------- +Mon May 17 20:29:02 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.6: + * a minor precision about RDP cookies was added to the + documentation + * a new ACL keyword was added + * those who had no problem building and running 1.4.5 don't need + to upgrade + +- drop haproxy-fix_dprintf.patch, merged upstream + +------------------------------------------------------------------- +Fri May 14 07:18:03 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.5: + * Haproxy can now read huge ACL pattern lists from files and + match inputs against them without any noticeable performance + impact, making geolocation possible + * adds a new "ignore-persist" directive, allowing it to ignore + the persistence cookie if an ACL-based condition is matched + (which is useful for static objects in stateful farms) + * a few other minor improvements + * a nice performance boost of the log analyzer, which can now + process more than 1 GB of logs per second and report request + counts by status codes + +------------------------------------------------------------------- +Thu Apr 8 09:41:51 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.4: + * brings a new option to work around optimization issues with + Tomcat and Jetty in server close mode, and for a bug in Jetty's + handling of Expect: 100-continue + * a very old appsession unexpected match of shorter cookie names + was also fixed + * a new feature to make it possible to connect to a server from + an IP found in a header was merged: it allows you to run + stunnel+haproxy in transparent mode together + 
+------------------------------------------------------------------- +Fri Apr 2 23:42:44 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.3: + * fxes a regression introduced in 1.4.2 which could cause a + connection to still be attempted on the server side in case of + an error on the client side; this issue could even lead to a + crash if a Layer7 hash algorithm was used, so this code was + strengthened + * the configuration parser now detects many more inappropriate + options in TCP mode and emits related warnings + * it is now possible to indicate in the configuration that a + server will start in the "disabled" state + * other very minor issues were fixed + +------------------------------------------------------------------- +Thu Mar 18 12:00:49 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.2: + * fixes a very rare case of stuck client sessions when using + keep-alive + * fixes a url_param hash bug which could result in a dead server + in very rare situations + * fixes status codes 501 and 505 which could cause a server to be + marked down if on-error was used + * fixes a risk of getting truncated HTTP responses when + chunk-encoding was used + * fixes an issue with anonymous ACLs + * improvements on health checks + +------------------------------------------------------------------- +Fri Mar 5 00:45:12 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.1: + * some errors were incorrectly reported as 502 with the flags + "SL" in the logs; this is now fixed + * other minor issues were fixed + * documentation was updated + +------------------------------------------------------------------- +Fri Feb 26 20:44:34 UTC 2010 - pascal.bleser@opensuse.org + +- update to 1.4.0: + * new features: + + keep-alive + + IP-based stickiness + + consistent hashing + + support for the RDP protocol + + a much nicer stats interface + + a much-improved performance level + * add -fno-strict-aliasing + +- changes from 1.4rc1: + * new features: + + server 
maintenance mode + + HTTP authentication (server and proxy) + + secure passwords + + conditional request/response header rewriting using ACLs + + anonymous ACLs that can be declared inline + + support for HTTP/1.1 101+Upgrade status code to support non- + HTTP protocols such as WebSocket + +------------------------------------------------------------------- +Thu Feb 11 15:20:01 UTC 2010 - mrueckert@suse.de + +- update to 1.3.23 + +------------------------------------------------------------------- +Tue Sep 15 14:09:34 CEST 2009 - mrueckert@suse.de + +- update to 1.3.20 + +------------------------------------------------------------------- +Fri Apr 3 13:54:40 CEST 2009 - mrueckert@suse.de + +- update to 1.3.17 + +------------------------------------------------------------------- +Mon Mar 9 16:40:38 CET 2009 - mrueckert@suse.de + +- update to 1.3.15.8 + +------------------------------------------------------------------- +Wed Feb 4 15:13:15 CET 2009 - mrueckert@suse.de + +- update to 1.3.15.7 + +------------------------------------------------------------------- +Mon Sep 15 15:52:45 CEST 2008 - mrueckert@suse.de + +- update to 1.3.15.4 + +------------------------------------------------------------------- +Sun Nov 4 21:21:35 CET 2007 - mrueckert@suse.de + +- update to 1.3.13.1: + too many changes see changelog file + +------------------------------------------------------------------- +Mon Apr 2 00:53:38 CEST 2007 - mrueckert@suse.de + +- prepared spec for easy split out of -snapshot packages. 
+- added vim syntax file + +------------------------------------------------------------------- +Mon Mar 19 17:50:33 CET 2007 - mrueckert@suse.de + +- update to 1.2.17: + - replaced the linked-list with a faster rbtree in the scheduler + - add user/group support (Marcus Rueckert) + - add the "except" keyword to the "forwardfor" option (Bryan + Germann) + - re-implemented support for multi-line headers (was + incidently reverted) + - fixed possible crash when no cookie was set on a server + - fixed various length checks in appsession + - fixed unlikely memory leak in appsession in case of memory + shortage + - updates to the architecture guide +- remove haproxy-1.2.16_username_groupname_support.patch: + patch included upstream + +------------------------------------------------------------------- +Mon Jan 8 00:27:17 CET 2007 - mrueckert@suse.de + +- initial package of 1.2.16 +- added 2 patches: + haproxy-1.2.16_config_haproxy_user.patch + haproxy-1.2.16_username_groupname_support.patch + the patches allow to specify username and groupname instead of + uid/gid. The patches are needed as we do not have a static + uid/gid for the haproxy user/group. + diff --git a/haproxy.init b/haproxy.init new file mode 100644 index 0000000..6fea7c6 --- /dev/null +++ b/haproxy.init 
@@ -0,0 +1,247 @@ +#!/bin/sh +# +### BEGIN INIT INFO +# Provides: haproxy +# Required-Start: $syslog $remote_fs +# Should-Start: $time ypbind sendmail +# Required-Stop: $syslog $remote_fs +# Should-Stop: $time ypbind sendmail +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: haproxy +# Description: Start haproxy a reliable, high performance TCP/HTTP load balancer +### END INIT INFO +# +# Any extensions to the keywords given above should be preceeded by +# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. +# +# Notes on Required-Start/Should-Start: +# * There are two different issues that are solved by Required-Start +# and Should-Start +# (a) Hard dependencies: This is used by the runlevel editor to determine +# which services absolutely need to be started to make the start of +# this service make sense. Example: nfsserver should have +# Required-Start: $portmap +# Also, required services are started before the dependent ones. +# The runlevel editor will warn about such missing hard dependencies +# and suggest enabling. During system startup, you may expect an error, +# if the dependency is not fulfilled. +# (b) Specifying the init script ordering, not real (hard) dependencies. +# This is needed by insserv to determine which service should be +# started first (and at a later stage what services can be started +# in parallel). The tag Should-Start: is used for this. +# It tells, that if a service is available, it should be started +# before. If not, never mind. +# * When specifying hard dependencies or ordering requirements, you can +# use names of services (contents of their Provides: section) +# or pseudo names starting with a $. The following ones are available +# according to LSB (1.1): +# $local_fs all local file systems are mounted +# (most services should need this!) +# $remote_fs all remote file systems are mounted +# (note that /usr may be remote, so +# many services should Require this!) 
+# $syslog system logging facility up +# $network low level networking (eth card, ...) +# $named hostname resolution available +# $netdaemons all network daemons are running +# The $netdaemons pseudo service has been removed in LSB 1.2. +# For now, we still offer it for backward compatibility. +# These are new (LSB 1.2): +# $time the system time has been set correctly +# $portmap SunRPC portmapping service available +# UnitedLinux extensions: +# $ALL indicates that a script should be inserted +# at the end +# * The services specified in the stop tags +# (Required-Stop/Should-Stop) +# specify which services need to be still running when this service +# is shut down. Often the entries there are just copies or a subset +# from the respective start tag. +# * Should-Start/Stop are now part of LSB as of 2.0, +# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop. +# insserv does support both variants. +# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time +# (%fillup_and_insserv macro in %post of many RPMs) to specify whether +# a startup script should default to be enabled after installation. +# It's not used by insserv. +# +# Note on runlevels: +# 0 - halt/poweroff 6 - reboot +# 1 - single user 2 - multiuser without network exported +# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) +# +# Note on script names: +# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html +# A registry has been set up to manage the init script namespace. +# http://www.lanana.org/ +# Please use the names already registered or register one or use a +# vendor prefix. 
+ + +# Check for missing binaries (stale symlinks should not happen) +# Note: Special treatment of stop for LSB conformance +HAPROXY_BIN=/usr/sbin/haproxy +test -x $HAPROXY_BIN || { echo "$HAPROXY_BIN not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } +HAPROXY_PID="/var/run/haproxy.pid" +HAPROXY_CONF="/etc/haproxy/haproxy.cfg" +## Check for existence of needed config file and read it +#HAPROXY_CONFIG=/etc/sysconfig/haproxy +#test -r $HAPROXY_CONFIG || { echo "$HAPROXY_CONFIG not existing"; +# if [ "$1" = "stop" ]; then exit 0; +# else exit 6; fi; } +# +## Read config +#. $HAPROXY_CONFIG + +# Source LSB init functions +# providing start_daemon, killproc, pidofproc, +# log_success_msg, log_failure_msg and log_warning_msg. +# This is currently not used by UnitedLinux based distributions and +# not needed for init scripts for UnitedLinux only. If it is used, +# the functions from rc.status should not be sourced or used. +#. /lib/lsb/init-functions + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v be verbose in local rc status and clear it afterwards +# rc_status -v -r ditto and clear both the local and overall rc status +# rc_status -s display "skipped" and exit with status 3 +# rc_status -u display "unused" and exit with status 3 +# rc_failed set local and overall rc status to failed +# rc_failed set local and overall rc status to +# rc_reset clear both the local and overall rc status +# rc_exit exit appropriate to overall rc status +# rc_active checks whether a service is activated by symlinks +. /etc/rc.status + +# Reset status of this service +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. 
"reload") +# 4 - user had insufficient privileges +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signaling is not supported) are +# considered a success. + +function haproxy_check() { + HAPROXY_CONFIG_CHECK="$($HAPROXY_BIN -c -q -f $HAPROXY_CONF 2>&1)" + if [ $? -ne 0 ] ; then + echo "" >&2 + echo "$HAPROXY_CONFIG_CHECK" >&2 + rc_failed + rc_status -v + exit 1 + else + return 0 + fi +} + +case "$1" in + start) + echo -n "Starting haproxy " + ## Start daemon with startproc(8). If this fails + ## the return value is set appropriately by startproc. + haproxy_check + /sbin/startproc $HAPROXY_BIN -D -f $HAPROXY_CONF -p $HAPROXY_PID + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down haproxy " + ## Stop daemon with killproc(8) and if this fails + ## killproc sets the return value according to LSB. + + /sbin/killproc -TERM $HAPROXY_BIN + + # Remember status and be verbose + rc_status -v + ;; + try-restart|condrestart) + ## Do a restart only if the service was active before. + ## Note: try-restart is now part of LSB (as of 1.9). + ## RH has a similar command named condrestart. + if test "$1" = "condrestart"; then + echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" + fi + $0 status + if test $? = 0; then + # we us reload here for a graceful restart during update + $0 reload + else + rc_reset # Not running is not a failure. + fi + # Remember status and be quiet + rc_status + ;; + restart) + ## Stop the service and regardless of whether it was + ## running or not, start it again. 
+ haproxy_check + $0 stop + $0 start + + # Remember status and be quiet + rc_status + ;; + check) + ## Stop the service and regardless of whether it was + ## running or not, start it again. + echo -n "Checking config of haproxy " + haproxy_check + rc_status -v + ;; + reload|force-reload) + ## Like force-reload, but if daemon does not support + ## signaling, do nothing (!) + haproxy_check + # If it supports signaling: + echo -n "Reload service haproxy " + $HAPROXY_BIN -p $HAPROXY_PID -D -f $HAPROXY_CONF -sf $(cat $HAPROXY_PID) + rc_status -v + ;; + status) + echo -n "Checking for service haproxy " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + # Return value is slightly different for the status command: + # 0 - service up and running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running (unused) + # 4 - service status unknown :-( + # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) + + # NOTE: checkproc returns LSB compliant status values. + /sbin/checkproc -p $HAPROXY_PID $HAPROXY_BIN + # NOTE: rc_status knows that we called this init script with + # "status" option and adapts its messages accordingly. + rc_status -v + ;; + probe) + ## Optional: Probe for the necessity of a reload, print out the + ## argument to this init script which is required for a reload. + ## Note: probe is not (yet) part of LSB (as of 1.9) + + test $HAPROXY_CONF -nt $HAPROXY_PID && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 + ;; +esac +rc_exit diff --git a/haproxy.spec b/haproxy.spec new file mode 100644 index 0000000..ba16f8c --- /dev/null +++ b/haproxy.spec 
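Review bot: The `reload|force-reload` branch passes `$(cat $HAPROXY_PID)` to `-sf` without checking that the pid file exists and is non-empty, so with a missing or empty file the new haproxy is launched with no old PIDs and the running instance is never signalled. A guard before the launch, such as `test -s "$HAPROXY_PID" || { rc_failed 7; rc_status -v; rc_exit; }`, would make that case fail visibly. In the `stop` branch, `/sbin/killproc -TERM $HAPROXY_BIN` omits the pid file that `status` passes to checkproc, so it selects by binary path rather than by this instance; `/sbin/killproc -p $HAPROXY_PID -TERM $HAPROXY_BIN` would keep the two consistent. The comment on the `check)` branch is copied from `restart`, and the usage line does not list `check`.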
@@ -0,0 +1,308 @@ +# +# spec file for package haproxy +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ + +%bcond_with quic +%if 0%{?suse_version} >= 1230 +%bcond_without tcp_fast_open +%bcond_without network_namespace +%else +%bcond_with tcp_fast_open +%bcond_with network_namespace +%endif + +%if 0%{?suse_version} > 1320 +%bcond_without lua +%else +%bcond_with lua +%endif + +%if 0%{?suse_version} >= 1310 +%bcond_without systemd +%else +%bcond_with systemd +%endif + +%bcond_without pcre2_jit + +%bcond_without apparmor +%if 0%{?suse_version} > 1320 +%bcond_without apparmor_reload +%else +%bcond_with apparmor_reload +%endif + +%if 0%{?suse_version} >= 1500 +%bcond_without sysusers +%bcond_without tmpfiles +%else +%bcond_with sysusers +%bcond_with tmpfiles +%endif + +Name: haproxy +Version: 3.1.0+git0.f2b97918e +Release: 0 +# +# +BuildRoot: %{_tmppath}/%{name}-%{version}-build +%if %{with apparmor} +%if 0%{?suse_version} <= 1315 +BuildRequires: apparmor-profiles +Recommends: apparmor-profiles +%else +BuildRequires: apparmor-abstractions +Recommends: apparmor-abstractions +%endif +%if %{with apparmor_reload} +BuildRequires: apparmor-rpm-macros +%endif +%endif +BuildRequires: libgcrypt-devel +%if %{with lua} +BuildRequires: lua-devel >= 5.3 +%endif +BuildRequires: pcre2-devel +BuildRequires: zlib-devel +BuildRequires: openssl-devel +BuildRequires: pkg-config +%if 
%{with systemd} +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(libsystemd) +%if %{with sysusers} +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools +%endif +%endif +BuildRequires: vim +%define pkg_name haproxy +%define pkg_home /var/lib/%{pkg_name} +# +Url: http://www.haproxy.org/ +# source URL in _service file +Source: haproxy-%{version}.tar.gz +Source1: %{pkg_name}.init +Source2: usr.sbin.haproxy.apparmor +Source3: local.usr.sbin.haproxy.apparmor +Source4: haproxy.cfg +Source5: haproxy-user.conf +Source6: haproxy-tmpfiles.conf +Patch1: haproxy-1.6.0_config_haproxy_user.patch +Patch2: haproxy-1.6.0-makefile_lib.patch +Patch3: haproxy-1.6.0-sec-options.patch +Patch4: haproxy-service.patch +# +Source98: series +Source99: haproxy-rpmlintrc +# +Summary: The Reliable, High Performance TCP/HTTP Load Balancer +License: GPL-3.0+ and LGPL-2.1+ +Group: Productivity/Networking/Web/Proxy +Provides: %{name}-doc = %{version} +Obsoletes: %{name}-doc < %{version} +Provides: haproxy-1.5 = %{version} +Obsoletes: haproxy-1.5 < %{version} +%if %{with systemd} +%{?systemd_ordering} +%if %{with sysusers} +%sysusers_requires +%endif +%endif +%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)} + +%description +HAProxy implements an event-driven, mono-process model which enables support +for very high number of simultaneous connections at very high speeds. +Multi-process or multi-threaded models can rarely cope with thousands of +connections because of memory limits, system scheduler limits, and lock +contention everywhere. Event-driven models do not have these problems because +implementing all the tasks in user-space allows a finer resource and time +management. The down side is that those programs generally don't scale well on +multi-processor systems. That's the reason why they must be optimized to get +the most work done from every CPU cycle. 
+ +%prep +%autosetup -p1 + +%build +make %{?_smp_mflags} \ + TARGET=linux-glibc \ + CPU="%{_target_cpu}" \ + USE_PCRE2=1 \ + %if %{with pcre2_jit} + USE_PCRE2_JIT=1 \ + %endif + %ifarch %ix86 + USE_REGPARM=1 \ + %endif + USE_GETADDRINFO=1 \ + USE_OPENSSL=1 \ + %if %{with lua} + USE_LUA=1 \ + %endif + USE_ZLIB=1 \ + %if %{with tcp_fast_open} + USE_TFO=1 \ + %endif + %if %{with network_namespace} + USE_NS=1 \ + %endif +%if %{with systemd} + USE_SYSTEMD=1 \ +%endif + USE_PIE=1 \ + USE_STACKPROTECTOR=1 \ + USE_RELRO_NOW=1 \ + LIB="%{_lib}" \ + PREFIX="%{_prefix}" \ + USE_PROMEX=1 \ + %if %{with quic} + USE_QUIC=1 \ + %endif + %if %{with opentracing} + USE_OT=1 \ + %endif + %if %{with memory_profiling} + USE_MEMORY_PROFILING=1 \ + %endif + DEBUG_CFLAGS="%{optflags}" V=1 +%if %{with systemd} +make -C admin/systemd PREFIX="%{_prefix}" +%if %{with sysusers} +%sysusers_generate_pre %{SOURCE5} haproxy haproxy-user.conf +%endif +%endif +make admin/halog/halog DEBUG_CFLAGS="%{optflags}" V=1 + +%install +install -D -m 0755 %{pkg_name} %{buildroot}%{_sbindir}/%{pkg_name} +install -d -m 0750 %{buildroot}%{_sysconfdir}/%{pkg_name}/ +install -m 0640 %{S:4} %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg + +install -D -m 0755 admin/halog/halog %{buildroot}%{_sbindir}/haproxy-halog + +%if %{with systemd} +install -D -m 0644 admin/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service +ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name} +%if %{with sysusers} +install -D -m 644 %{SOURCE5} %{buildroot}%{_sysusersdir}/haproxy-user.conf +%endif +%if %{with tmpfiles} +install -D -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/%{name}.conf +%endif +%else +install -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name} +ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name} +%endif + +install -d -m 0750 %{buildroot}%{pkg_home} +install -D -m 0644 admin/syntax-highlight/haproxy.vim %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim 
+install -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1
+%if %{with apparmor}
+install -D -m 0644 %{S:2} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
+install -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/local/haproxy
+install -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
+%endif
+
+rm examples/*init*
+
+
+%if %{with systemd}
+%if %{with sysusers}
+%pre -f haproxy.pre
+%else
+%pre
+%endif
+%service_add_pre %{pkg_name}.service
+
+%post
+%if %{with apparmor} && %{with apparmor_reload}
+%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
+%endif
+%if %{with systemd}
+%if %{with tmpfiles}
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%endif
+%endif
+%service_add_post %{pkg_name}.service
+
+%preun
+%service_del_preun %{pkg_name}.service
+
+%postun
+%service_del_postun %{pkg_name}.service
+
+%else
+
+%pre
+getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name}
+getent passwd %{pkg_name} >/dev/null || \
+ /usr/sbin/useradd -g %{pkg_name} -s /bin/false -r \
+ -c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name}
+
+%post
+%fillup_and_insserv %{pkg_name}
+%if %{with apparmor} && %{with apparmor_reload}
+%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
+%endif
+
+%preun
+%stop_on_removal %{pkg_name}
+
+%postun
+%restart_on_update %{pkg_name}
+%{insserv_cleanup}
+
+%endif
+
+%files
+%defattr(-,root,root,-)
+%license LICENSE
+%doc CHANGELOG README.md
+%doc doc/* examples/
+%doc admin/netsnmp-perl/ admin/selinux/
+%dir %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
+%config(noreplace) %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}/*
+%if %{with systemd}
+%{_unitdir}/%{pkg_name}.service
+%if %{with sysusers}
+%{_sysusersdir}/haproxy-user.conf
+%endif
+%if %{with tmpfiles}
+%{_tmpfilesdir}/%{name}.conf
+%dir %ghost %{_rundir}/%{name}
+%endif
+%else
+%config(noreplace) %{_sysconfdir}/init.d/%{pkg_name}
+%endif
+%{_sbindir}/haproxy
+%{_sbindir}/haproxy-halog
+%{_sbindir}/rchaproxy
+%dir %attr(-,root,haproxy) %{pkg_home}
+%{_mandir}/man1/%{pkg_name}.1.gz
+%dir %{_datadir}/vim
+%dir %{vim_data_dir}
+%dir %{vim_data_dir}/syntax
+%{vim_data_dir}/syntax/%{pkg_name}.vim
+%if %{with apparmor}
+%if 0%{?suse_version} == 1110
+%dir /etc/apparmor.d/local/
+%endif
+%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy
+%config(noreplace) %ghost /etc/apparmor.d/local/haproxy
+%config(noreplace) %ghost /etc/apparmor.d/local/usr.sbin.haproxy
+%endif
+
+%changelog
diff --git a/local.usr.sbin.haproxy.apparmor b/local.usr.sbin.haproxy.apparmor
new file mode 100644
index 0000000..fc278de
--- /dev/null
+++ b/local.usr.sbin.haproxy.apparmor
@@ -0,0 +1 @@
+# Site-specific additions and overrides for usr.sbin.haproxy.apparmor
diff --git a/series b/series
new file mode 100644
index 0000000..8ead05e
--- /dev/null
+++ b/series
@@ -0,0 +1,4 @@
+haproxy-1.6.0_config_haproxy_user.patch
+haproxy-1.6.0-makefile_lib.patch
+haproxy-1.6.0-sec-options.patch
+haproxy-service.patch
diff --git a/usr.sbin.haproxy.apparmor b/usr.sbin.haproxy.apparmor
new file mode 100644
index 0000000..2bc5b5b
--- /dev/null
+++ b/usr.sbin.haproxy.apparmor
@@ -0,0 +1,59 @@
+#include
+
+profile haproxy /usr/sbin/haproxy {
+ #include
+ #include
+ #include
+ #include
+ #include
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability kill,
+ capability sys_resource,
+ capability sys_chroot,
+ capability net_admin,
+
+ # those are needed for the stats socket creation
+ capability chown,
+ capability fowner,
+ capability fsetid,
+
+ network inet,
+ network inet6,
+
+ /etc/haproxy/* r,
+
+ /usr/sbin/haproxy rmix,
+
+ /dev/shm/haproxy_startup_logs_* rwlk,
+
+ # old stats socket location, for compatibility
+ /var/lib/haproxy/stats rwl,
+ /var/lib/haproxy/stats.*.bak rwl,
+ /var/lib/haproxy/stats.*.tmp rwl,
+ # new stats socket location
+ /run/haproxy/stats*.sock{,*.{bak,tmp}} rwl,
+
+ /{,var/}run/haproxy/pid rw,
+ /{,var/}run/haproxy/master.sock* rwlk,
+
+ # This is for the additional debug output in haproxy >= 2.9
+ # can be accessed with "p post_mortem" in gdb
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/*/cpumap r,
+ /sys/devices/system/cpu/online r,
+ /sys/class/dmi/id/sys_vendor r,
+ /sys/class/dmi/id/product_family r,
+ /sys/class/dmi/id/product_name r,
+ /sys/class/dmi/id/board_vendor r,
+ /sys/firmware/devicetree/base/model r,
+ /sys/class/dmi/id/board_name r,
+ /proc/2/status r,
+ /proc/cpuinfo r,
+ # end of debug.c files
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include if exists
+ #include if exists
+}
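Review bot: The first capability block (`net_bind_service` through `net_admin`) carries no rationale, while the three stats-socket capabilities below it do; `net_admin`, `sys_resource` and `kill` are the broad grants an administrator tightening this profile will question first. A short comment above the block would help, for example `# setuid/setgid/sys_chroot: privilege drop and chroot at startup; net_admin: presumably transparent proxying and socket marks - confirm`. Separately, `/etc/haproxy/* r,` matches only files directly in that directory, so certificates or map files kept in a subdirectory need a rule in the local include, and a one-line comment saying so would explain the resulting denial. The targets of the `#include` lines are not visible on this page, so what the included abstractions already grant cannot be checked from here.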