Accepting request 1323692 from server:http

- Update to version 3.3.1+git0.9c24c11a6:

OBS-URL: https://build.opensuse.org/request/show/1323692
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=173

0001-BUG-CRITICAL-mjson-fix-possible-DoS-when-parsing-num.patch

@@ -1,85 +0,0 @@
-From 06675db4bf234ed17e14305f1d59259d2fe78b06 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Mon, 29 Sep 2025 18:34:11 +0200
-Subject: [PATCH] BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
-
-Mjson comes with its own strtod() implementation for portability
-reasons and probably also because many generic strtod() versions as
-provided by operating systems do not focus on resource preservation
-and may call malloc(), which is not welcome in a parser.
-
-The strtod() implementation used here apparently originally comes from
-https://gist.github.com/mattn/1890186 and seems to have purposely
-omitted a few parts that were considered as not needed in this context
-(e.g. skipping white spaces, or setting errno). But when subject to the
-relevant test cases of the designated file above, the current function
-provides the same results.
-
-The aforementioned implementation uses pow() to calculate exponents,
-but mjson authors visibly preferred not to introduce a libm dependency
-and replaced it with an iterative loop in O(exp) time. The problem is
-that the exponent is not bounded and that this loop can take a huge
-amount of time. There's even an issue already opened on mjson about
-this: https://github.com/cesanta/mjson/issues/59. In the case of
-haproxy, fortunately, the watchdog will quickly stop a runaway process
-but this remains a possible denial of service.
-
-A first approach would consist in reintroducing pow() like in the
-original implementation, but if haproxy is built without Lua nor
-51Degrees, -lm is not used so this will not work everywhere.
-
-Anyway here we're dealing with integer exponents, so an easy alternate
-approach consists in simply using shifts and squares, to compute the
-exponent in O(log(exp)) time. Not only it doesn't introduce any new
-dependency, but it turns out to be even faster than the generic pow()
-(85k req/s per core vs 83.5k on the same machine).
-
-This must be backported as far as 2.4, where mjson was introduced.
-
-Many thanks to Oula Kivalo for reporting this issue.
-
-CVE-2025-11230 was assigned to this issue.
----
- src/mjson.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/src/mjson.c b/src/mjson.c
-index 73b7a5797f..2a4106bbd8 100644
---- a/src/mjson.c
-+++ b/src/mjson.c
-@@ -767,11 +767,13 @@ static double mystrtod(const char *str, char **end) {
- 
-   /* exponential part */
-   if ((*p == 'E') || (*p == 'e')) {
-+    double exp, f;
-     int i, e = 0, neg = 0;
-     p++;
-     if (*p == '-') p++, neg++;
-     if (*p == '+') p++;
-     while (is_digit(*p)) e = e * 10 + *p++ - '0';
-+    i = e;
-     if (neg) e = -e;
- #if 0
-     if (d == 2.2250738585072011 && e == -308) {
-@@ -785,8 +787,16 @@ static double mystrtod(const char *str, char **end) {
-       goto done;
-     }
- #endif
--    for (i = 0; i < e; i++) d *= 10;
--    for (i = 0; i < -e; i++) d /= 10;
-+    /* calculate f = 10^i */
-+    exp = 10;
-+    f = 1;
-+    while (i > 0) {
-+      if (i & 1) f *= exp;
-+      exp *= exp;
-+      i >>= 1;
-+    }
-+    if (e > 0) d *= f;
-+    else if (e < 0) d /= f;
-     a = p;
-   } else if (p > str && !is_digit(*(p - 1))) {
-     a = str;
--- 
-2.51.0
-

README.SUSE.PACKAGING

@@ -1,8 +1,14 @@
 Packaging notes regarding QUIC:
 
-We enable QUIC for Tumbleweed where OpenSSL 3.x is the default.
-OpenSSL is not the perfect fit, but it's better than nothing - the best recommendation by HAProxy currently seems to be AWS-LC, but we do not ship it.
-
+By default we enable QUIC with OpenSSL for Tumbleweed. OpenSSL is not the perfect fit - the best recommendation by HAProxy currently seems to be AWS-LC:
 https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr
 
-Note to remove USE_QUIC_OPENSSL_COMPAT if switching to a different implementation in the future.
+The project configuration can be adjusted to enable QUIC with AWS-LC:
+
+```
+Macros:
+%_with_awslc 1
+# for < 1600
+%_with_quic 1
+:Macros
+```

_service

@@ -1,12 +1,12 @@
 <services>
   <service name="tar_scm" mode="manual">
-    <param name="url">http://git.haproxy.org/git/haproxy-3.2.git/</param>
+    <param name="url">http://git.haproxy.org/git/haproxy-3.3.git/</param>
     <param name="scm">git</param>
     <param name="filename">haproxy</param>
     <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
-    <param name="revision">v3.2.0</param>
+    <param name="revision">v3.3.1</param>
     <param name="changesgenerate">enable</param>
   </service>
 

_servicedata

@@ -1,6 +1,10 @@
 <servicedata>
   <service name="tar_scm">
     <param name="url">http://git.haproxy.org/git/haproxy-3.2.git/</param>
-    <param name="changesrevision">e134140d282c006417945d78e7964cc8fa14586a</param>
+    <param name="changesrevision">170436929ac78cfc4d1a43b3340535e1ac4d00d8</param>
   </service>
-</servicedata>
+  <service name="tar_scm">
+    <param name="url">http://git.haproxy.org/git/haproxy-3.3.git/</param>
+    <param name="changesrevision">9c24c11a6e54ab1c280b43c2756edcb49cf873b1</param>
+  </service>
+</servicedata>

haproxy-1.6.0-makefile_lib.patch

@@ -1,8 +1,8 @@
-Index: haproxy-3.0/Makefile
+Index: haproxy-3.3/Makefile
 ===================================================================
---- haproxy-3.0.orig/Makefile
-+++ haproxy-3.0/Makefile
-@@ -784,7 +784,7 @@ ifneq ($(USE_PCRE:0=)$(USE_STATIC_PCRE:0
+--- haproxy-3.3.orig/Makefile
++++ haproxy-3.3/Makefile
+@@ -799,7 +799,7 @@ ifneq ($(USE_PCRE:0=)$(USE_STATIC_PCRE:0
    PCREDIR     := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo /usr/local)
    ifneq ($(PCREDIR),)
      PCRE_INC := $(PCREDIR)/include
@@ -11,7 +11,7 @@ Index: haproxy-3.0/Makefile
    endif
  
    PCRE_CFLAGS := $(if $(PCRE_INC),-I$(PCRE_INC))
-@@ -802,7 +802,7 @@ ifneq ($(USE_PCRE2:0=)$(USE_STATIC_PCRE2
+@@ -817,7 +817,7 @@ ifneq ($(USE_PCRE2:0=)$(USE_STATIC_PCRE2
    PCRE2DIR     := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo /usr/local)
    ifneq ($(PCRE2DIR),)
      PCRE2_INC := $(PCRE2DIR)/include

haproxy-1.6.0-sec-options.patch

@@ -4,11 +4,21 @@ Date:   Mon Jun 17 13:00:08 2019 +0000
 
     SUSE: Makefile sec options
 
-Index: haproxy-3.0/Makefile
+Index: haproxy-3.3/Makefile
 ===================================================================
---- haproxy-3.0.orig/Makefile
-+++ haproxy-3.0/Makefile
-@@ -887,6 +887,35 @@ ifneq ($(TRACE),)
+--- haproxy-3.3.orig/Makefile
++++ haproxy-3.3/Makefile
+@@ -351,7 +351,8 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETF
+            USE_MEMORY_PROFILING USE_SHM_OPEN                                  \
+            USE_STATIC_PCRE USE_STATIC_PCRE2                                   \
+            USE_PCRE USE_PCRE_JIT USE_PCRE2 USE_PCRE2_JIT                      \
+-           USE_QUIC_OPENSSL_COMPAT USE_KTLS
++           USE_QUIC_OPENSSL_COMPAT USE_KTLS \
++					 USE_PIE USE_STACKPROTECTOR USE_RELRO_NOW
+ 
+ # preset all variables for all supported build options among use_opts
+ $(reset_opts_vars)
+@@ -902,6 +903,35 @@ ifneq ($(TRACE),)
    COPTS += -finstrument-functions
  endif
  

haproxy-3.3.1+git0.9c24c11a6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d2c7fb7e1279b50bb1e003b85f40169447e322ca0c61bb2c1e3add8986eb93b
+size 5401340

haproxy.changes

@@ -1,10 +1,550 @@
 -------------------------------------------------------------------
-Fri Nov 28 19:27:06 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+Fri Dec 19 16:04:39 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
 
-- VUL-0: CVE-2025-11230: haproxy: issue in the mjson JSON decoder leads
-  to excessive resource consumption when processing numbers with large exponents
-  (bsc#1250983)  Add upstream patch:
-  0001-BUG-CRITICAL-mjson-fix-possible-DoS-when-parsing-num.patch 
+- Update to version 3.3.1+git0.9c24c11a6:
+  * [RELEASE] Released version 3.3.1
+  * BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend stream
+  * BUG/MEDIUM: backend: Do not remove CO_FL_SESS_IDLE in assign_server()
+  * BUG/MEDIUM: quic: Don't try to use hystart if not implemented
+  * BUG/MINOR: quic-be: Missing keywords array NULL termination
+  * MINOR: quic: implement cc-algo server keyword
+  * MINOR: quic: extract cc-algo parsing in a dedicated function
+  * MINOR: quic: define quic_cc_algo as const
+  * Revert "MINOR: quic: use dynamic cc_algo on bind_conf"
+  * BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already received
+  * BUG/MEDIUM: http-ana: Properly detect client abort when forwarding response (v2)
+  * MINOR: h2/trace: emit a trace of the received RST_STREAM type
+  * BUG/MEDIUM: h3: fix access to QCS <sd> definitely
+  * BUG/MEDIUM: ssl: Don't resume session for check connections
+  * BUG/MEDIUM: ssl: Don't store the ALPN for check connections
+  * MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag
+  * BUG/MEDIUM: ssl: Always check the ALPN after handshake
+  * MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions
+  * BUG/MEDIUM: ssl: Don't reuse TLS session if the connection's SNI differs
+  * MEDIUM: tcpcheck/backend: Get the connection SNI before initializing SSL ctx
+  * MINOR: connection/ssl: Store the SNI hash value in the connection itself
+  * MINOR: ssl: Compare hashes instead of SNIs when a session is cached
+  * MINOR: ssl: Store hash of the SNI for cached TLS sessions
+  * MINOR: ssl: Add a function to hash SNIs
+  * MEDIUM: quic: Add connection as argument when qc_new_conn() is called
+  * BUG/MINOR: mworker/cli: 'show proc' is limited by buffer size
+  * CLEANUP: mworker/cli: remove useless variable
+  * BUG/MEDIUM: h3: do not access QCS <sd> if not allocated
+  * DOC: config: Improve spop mode documentation
+  * DOC: config: Fix description of the spop mode
+  * BUG/MEDIUM: http-ana: Don't close server connection on read0 in TUNNEL mode
+  * BUG/MINOR: log: Dump good %B and %U values in logs
+  * BUG/MINOR: ssl: Don't allow to set NULL sni
+  * BUG/MINOR: quic: do not set first the default QUIC curves
+  * BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send
+  * MINOR: quic: avoid code duplication in TLS alert callback
+  * MINOR: quic: Add useful debugging traces in qc_idle_timer_do_rearm()
+  * BUG/MINOR: quic-be: handshake errors without connection stream closure
+  * BUG/MINOR: quic/ssl: crash in ClientHello callback ssl traces
+  * DOC: config: reorder the cache section's keywords
+  * DOC: config: mention clearer that the cache's total-max-size is mandatory
+  * BUG/MEDIUM: config: ignore empty args in skipped blocks
+  * BUG/MEDIUM: connection: fix "bc_settings_streams_limit" typo
+  * DOC: configuration: ECH support details
+  * BUG/MINOR: jwt: Missing "case" in switch statement
+  * BUG/MEDIUM: mworker/listener: ambiguous use of RX_F_INHERITED with shards
+
+-------------------------------------------------------------------
+Wed Nov 26 15:48:38 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.3.0+git0.7832fb21f:
+  https://www.haproxy.com/blog/announcing-haproxy-3-3
+  https://www.mail-archive.com/haproxy@formilux.org/msg46300.html
+- refresh patches:
+  haproxy-1.6.0-makefile_lib.patch
+  haproxy-1.6.0-sec-options.patch
+- enable USE_KTLS
+- prepare ech/quic support
+
+-------------------------------------------------------------------
+Fri Nov 21 10:27:18 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.9+git0.170436929:
+  * [RELEASE] Released version 3.2.9
+  * DOC: http: document 413 response code
+  * ADMIN: dump-certs: let dry-run compare certificates
+  * ADMIN: dump-certs: use same error format as haproxy
+  * ADMIN: dump-certs: fix lack of / in -p
+  * ADMIN: dump-certs: create files in a tmpdir
+  * ADMIN: dump-certs: don't update the file if it's up to date
+  * ADMIN: haproxy-dump-certs: implement a certificate dumper
+  * BUG/MEDIUM: proxy: do not align proxy_per_tgroup beyond allocator's capabilities
+  * BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if forced
+  * MINOR: config: Do proto detection for listeners before checks about ALPN
+  * MINOR: muxes: Support an optional ALPN string when defining mux protocols
+  * BUG/MEDIUM: queues: Don't forget to unlock the queue before exiting
+  * DOC: acme: configuring acme needs a crt file
+  * DOC: acme: explain how to dump the certificates
+  * DOC: acme: add details about the DNS-01 support
+  * BUG/MINOR: acme: alert when the map doesn't exist at startup
+  * BUG/MINOR: ssl: remove dead code in ssl_sock_from_buf()
+  * BUG/MINOR: mworker: wrong signals during startup
+  * BUG/MEDIUM: mworker: signals inconsistencies during startup and reload
+  * BUG/MINOR: quic-be: backend SSL session reuse fix (OpenSSL 3.5)
+  * BUG/MEDIUM: h1: prevent a crash on HTTP/2 upgrade
+  * MINOR: h1: h1_release() should return if it destroyed the connection
+  * BUG/MINOR: stick-tables: Fix return value for __stksess_kill()
+  * BUG/MEDIUM: stick-tables: Always return the good stksess from stktable_set_entry
+  * DOC: configuration: add missing openssl_version predicates
+  * DOC: configuration: add missing ssllib_name_startswith()
+  * BUG/MINOR: check: fix reuse-pool if MUX inherited from server
+  * BUG/MINOR: acme: can't override the default resolver
+  * BUG/MEDIUM: acme: move from mt_list to a rwlock + ebmbtree
+  * BUG/MINOR: acme: more explicit error when BIO_new_file()
+  * BUG/MINOR: quic: close connection on CID alloc failure
+  * BUG/MEDIUM: stick-tables: Make sure updates are seen as local
+  * BUG/MINOR: config: Limit "tune.maxpollevents" parameter to 1000000
+  * BUG/MEDIUM: connection/ssl: also fix the ssl_sock_io_cb() regarding idle list
+  * BUG/MEDIUM: connection: do not reinsert a purgeable conn in idle list
+  * Revert "BUG/MEDIUM: connections: permit to permanently remove an idle conn"
+  * MINOR: ssl/sample: expose ssl_*c_curve for AWS-LC
+
+-------------------------------------------------------------------
+Thu Nov 20 14:50:10 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- refresh haproxy-1.6.0-makefile_lib.patch
+- Readd USE_RELRO_NOW=1, USE_STACKPROTECTOR=1, USE_PIE=1
+  all of them are still used. (boo#1251868)
+- adapt haproxy-1.6.0-sec-options.patch so the build no longer
+  complains about unused options
+- drop CPU="%{_target_cpu}" as it is unused
+- migrate to DEBUG_CFLAGS to OPT_CFLAGS
+
+-------------------------------------------------------------------
+Fri Nov  7 20:10:51 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- Remove checks for not supported openSUSE versions
+- Remove deprecated build options: USE_RELRO_NOW=1, USE_STACKPROTECTOR=1, USE_PIE=1, USE_SYSTEMD=1
+- Remove deprecated init file
+
+-------------------------------------------------------------------
+Fri Nov 07 10:18:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.8+git0.9200f398d:
+  * [RELEASE] Released version 3.2.8
+  * BUG/MINOR: acme: wrong dns-01 challenge in the log
+  * BUG/MEDIUM: server: close a race around ready_srv when deleting a server
+  * BUG/MEDIUM: connections: permit to permanently remove an idle conn
+  * BUG/MEDIUM: mux-h2: make sure not to move a dead connection to idle
+  * BUG/MEDIUM: mux-h1: fix 414 / 431 status code reporting
+  * SCRIPTS: build-ssl: fix rpath in AWS-LC install for openssl and bssl bin
+  * OPTIM: backend: skip conn reuse for incompatible proxies
+  * BUG/MINOR: resolvers: ensure fair round robin iteration
+  * BUG/MINOR: ssl: returns when SSL_CTX_new failed during init
+  * BUG/MINOR: resolvers: Apply dns-accept-family setting on additional records
+  * BUG/MINOR: init: Do not close previously created fd in stdio_quiet
+  * MINOR: http: fix 405,431,501 default errorfile
+  * MINOR: ssl-sample: add ssl_fc_early_rcvd() to detect use of early data
+  * DOC: config: slightly clarify the ssl_fc_has_early() behavior
+  * BUG/MEDIUM: ssl: Crash because of dangling ckch_store reference in a ckch instance
+  * MINOR: backend: srv_is_up converter
+  * MINOR: backend: srv_queue helper
+  * BUG/MEDIUM: cli: do not return ACKs one char at a time
+  * MINOR: cli: create cli_raw_rcv_buf() from the generic applet_raw_rcv_buf()
+  * MINOR: applet: do not put SE_FL_WANT_ROOM on rcv_buf() if the channel is empty
+  * BUG/MEDIUM: mt_list: Use atomic operations to prevent compiler optims
+  * BUG/MINOR: stick-tables: properly index string-type keys
+  * BUG/MEDIUM: applet: Improve again spinning loops detection with the new API
+  * BUG/MEDIUM: mt_lists: Avoid el->prev = el->next = el
+
+-------------------------------------------------------------------
+Thu Oct 23 12:01:07 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.7+git0.be4f72dc5:
+  * [RELEASE] Released version 3.2.7
+  * MINOR: acme: display the complete challenge_ready command in the logs
+  * MINOR: acme: add the dns-01-record field to the sink
+  * BUG/MINOR: acme: memory leak from the config parser
+  * MEDIUM: acme: don't insert acme account key in ckchs_tree
+  * MINOR: acme: implement "reuse-key" option
+  * BUILD: acme: fix false positive null pointer dereference
+  * MINOR: acme: provider-name for dpapi sink
+  * CLEANUP: acme: acme_will_expire() uses acme_schedule_date()
+  * MINOR: acme: check acme-vars allocation during escaping
+  * MINOR: acme: acme-vars allow to pass data to the dpapi sink
+  * BUG/MEDIUM: build: limit excessive and counter-productive gcc-15 vectorization
+  * BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling
+  * MINOR: ncbmbuf: add tests as standalone mode
+  * MINOR: ncbmbuf: implement advance operation
+  * MINOR: ncbmbuf: implement ncbmb_data()
+  * MINOR: ncbmbuf: implement iterator bitmap utilities functions
+  * MINOR: ncbmbuf: implement add
+  * MINOR: ncbmbuf: define new ncbmbuf type
+  * MINOR: ncbuf: extract common types
+  * BUG/MEDIUM: h3: properly encode response after interim one in same buf
+  * BUG/MAJOR: quic: uninitialized quic_conn_closed struct members
+  * BUG/MINOR: quic: SSL counters not handled
+  * BUG/MEDIUM: cli: also free the trash chunk on the error path
+  * BUG/MEDIUM: mt_list: Make sure not to unlock the element twice
+  * BUG/MEDIUM: threads/config: drop absent threads from thread groups
+  * DOC: clarify the experimental status for certain features
+  * BUG/MINOR: quic: check applet_putchk() for 'show quic' first line
+  * BUG/MEDIUM: stick-tables: Don't forget to dec count on failure.
+  * MINOR: quic: restore QUIC_HP_SAMPLE_LEN constant
+  * BUG/MINOR: quic: too short PADDING frame for too short packets
+  * BUILD: ssl: can't build when using -DLISTEN_DEFAULT_CIPHERS
+  * BUG/MAJOR: lb-chash: fix key calculation when using default hash-key id
+  * BUG/MINOR: pools: don't report "limited to the first X entries" by default
+  * BUG/MEDIUM: pools: fix crash on filtered "show pools" output
+  * TESTS: quic: useless param for b_quic_dec_int()
+  * BUG/MINOR: ssl: Potential NULL deref in trace macro
+  * BUG/MINOR: ssl: Free key_base from global_ssl structure during deinit
+  * BUG/MINOR: ssl: Free global_ssl structure contents during deinit
+  * MINOR: debug: add distro name and version in postmortem
+  * BUG/MINOR: sink: retry attempt for sft server may never occur
+  * BUG/MEDIUM: apppet: Improve spinning loop detection with the new API
+  * BUILD: makefile: disable tail calls optimizations with memory profiling
+  * BUG/MINOR: ssl: leak crtlist_name in ssl-f-use
+  * BUG/MINOR: ssl: leak in ssl-f-use
+  * BUG/MINOR: ssl: always clear the remains of the first hello for the second one
+  * BUG/MEDIUM: ssl: take care of second client hello
+  * BUG/MINOr: hlua: Fix receive from HTTP applet by properly accounting data
+  * BUG/MINOR: acme: avoid overflow when diff > notAfter
+
+-------------------------------------------------------------------
+Tue Oct  7 13:31:33 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Fix apparmor profile:
+  - we need attach disconnected for the systemd notify socket
+  - more access for the cpu scheduling support in haproxy
+
+-------------------------------------------------------------------
+Fri Oct 03 13:37:06 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.6+git0.81568b2d1: (CVE-2025-11230 boo#1250983)
+  * [RELEASE] Released version 3.2.6
+  * BUG/MEDIUM: resolvers: break an infinite loop in resolv_get_ip_from_response()
+  * BUG/MINOR: h3: forbid 'Z' as well in header field names checks
+  * BUG/MINOR: h2: forbid 'Z' as well in header field names checks
+  * BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
+  * DOC: config: clarify some known limitations of the json_query() converter
+  * BUG/MEDIUM: fwlc: Handle memory allocation failures.
+  * MEDIUM: fwlc: Make it so fwlc_srv_reposition works with unqueued srv
+  * MEDIUM: servers: Schedule the server requeue target on creation
+  * BUG/MEDIUM: stick-tables: Make sure not to free a pending entry
+  * MINOR: mt_list: Implement MT_LIST_POP_LOCKED()
+  * BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file
+  * BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix
+  * BUG/MINOR: acme: possible overflow in acme_will_expire()
+  * BUG/MINOR: acme: possible overflow on scheduling computation
+  * BUG/MINOR: pattern: Properly flag virtual maps as using samples
+  * BUG/MINOR: compression: Test payload size only if content-length is specified
+  * MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
+  * BUG/MEDIUM: wdt: improve stuck task detection accuracy
+  * MINOR: sched: pass the thread number to is_sched_alive()
+  * MINOR: sched: let's permit to share the local ctx between threads
+  * BUG/MEDIUM: acme: free() of i2d_X509_REQ() with AWS-LC
+  * BUG/MEDIUM: acme: cfg_postsection_acme() don't init correctly acme sections
+  * BUG/MINOR: acme: don't unlink from acme_ctx_destroy()
+  * CI: github: build halog on the vtest job
+  * BUILD: halog: misleading indentation in halog.c
+  * BUG/MINOR: pools: Fix the dump of pools info to deal with buffers limitations
+  * BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt
+  * BUG/MINOR: acme/cli: wrong description for "acme challenge_ready"
+  * MEDIUM: resolvers: make the process_resolvers() task single-threaded
+  * MEDIUM: dns: bind the nameserver sockets to the initiating thread
+  * OPTIM: sink: reduce contention on sink_announce_dropped()
+  * BUG/MEDIUM: resolvers: Wake resolver task up whne unlinking a stream requester
+  * BUG/MEDIUM: resolvers: Accept to create resolution without hostname
+  * BUG/MEDIUM: resolvers: Make resolution owns its hostname_dn value
+  * BUG/MEDIUM: resolvers: Test for empty tree when getting a record from DNS answer
+  * BUG/MINOR: resolvers: Restore round-robin selection on records in DNS answers
+  * BUG/MEDIUM: resolvers: Properly cache do-resolv resolution
+  * MINOR: tools: don't emit "+0" for symbol names which exactly match known ones
+  * MINOR: activity: indicate the number of calls on "show tasks"
+  * MEDIUM: peers: move process_peer_sync() to a single thread
+  * MEDIUM: stick-table: move process_table_expire() to a single thread
+  * MEDIUM: peers: don't even try to process updates under contention
+  * MEDIUM: stick-tables: don't wait indefinitely in stktable_add_pend_updates()
+  * MEDIUM: stick-tables: give up on lock contention in process_table_expire()
+  * MEDIUM: stick-tables: relax stktable_trash_oldest() to only purge what is needed
+  * MINOR: stick-table: permit stksess_new() to temporarily allocate more entries
+  * DEBUG: peers: export functions that use locks
+  * MINOR: debug: report the time since last wakeup and call
+  * MINOR: debug: report the number of loops and ctxsw for each thread
+  * DEBUG: stream: count the number of passes in the connect loop
+  * MINOR: debug: report the process id in warnings and panics
+  * BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections
+  * BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
+  * BUG/MEDIUM: server: Use sni as pool connection name for SSL server only
+  * MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function
+  * OPTIM: stick-tables: exit expiry faster when the update lock is held
+  * MINOR: stick-tables: limit the number of visited nodes during expiration
+
+-------------------------------------------------------------------
+Wed Sep 24 08:25:21 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- Update to version 3.2.5+git0.ba0fd6b8e:
+  * [RELEASE] Released version 3.2.5
+  * BUG/MEDIUM: pattern: fix possible infinite loops on deletion (try 2)
+  * DEBUG: stick-tables: export stktable_add_pend_updates() for better reporting
+  * BUG/MEDIUM: ring: invert the length check to avoid an int overflow
+  * BUG/MINOR: resolvers: always normalize FQDN from response
+  * BUG/MINOR: ocsp: Crash when updating CA during ocsp updates
+  * BUG/MEDIUM: http_ana: fix potential NULL deref in http_process_req_common()
+  * BUG/MINOR: ocsp: prototype inconsistency
+  * BUG/MINOR: ssl: Fix potential NULL deref in trace callback
+  * BUG/MINOR: ssl: Potential NULL deref in trace macro
+  * BUG/MEDIUM: jws: return size_t in JWS functions
+  * BUG/MINOR: acme: null pointer dereference upon allocation failure
+  * BUG/MAJOR: stream: Force channel analysis on successful synchronous send
+  * BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
+  * BUG/MINOR: stick-table: make sure never to miss a process_table_expire update
+  * BUG/MEDIUM: stick-tables: don't loop on non-expirable entries
+  * BUG/MINOR: activity: fix reporting of task latency
+  * BUG/MEDIUM: ssl: create the mux immediately on early data
+  * BUG/MEDIUM: h1: Allow reception if we have early data
+  * BUG/MEDIUM: checks: fix ALPN inheritance from server
+  * OPTIM: check: do not delay MUX for ALPN if SSL not active
+  * BUG/MEDIUM: mux-h2: Reinforce conditions to report an error to app-layer stream
+  * BUG/MEDIUM: mux-h2: Report RST/error to app-layer stream during 0-copy fwding
+  * BUG/MINOR: mux-h2: Remove H2_CF_DEM_DFULL flags when the demux buffer is reset
+  * BUG/MEDIUM: mux-h2: Restart reading when mbuf ring is no longer full
+  * BUG/MEDIUM: mux-h2; Don't block reveives in H2_CS_ERROR and H2_CS_ERROR2 states
+  * BUG/MEDIUM: mux-h2: Reset MUX blocking flags when a send error is caught
+  * CLEANUP: quic: fix typo in quic_tx trace
+  * BUG/MINOR: cpu_topo: work around a small bug in musl's CPU_ISSET()
+  * BUILD: trace: silence a bogus build warning at -Og
+  * BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()
+  * BUG/MINOR: connection: streamline conn detach from lists
+  * BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
+  * REGTESTS: explicitly use "balance roundrobin" where RR is needed
+  * BUG/MINOR: check: fix dst address when reusing a connection
+  * BUG/MINOR: check: ensure check-reuse is compatible with SSL
+  * BUG/MEDIUM: peers: don't fail twice to grab the update lock
+  * BUG/MINOR: stick-tables: never leave used entries without expiration
+  * BUG/MEDIUM: stick-tables: don't leave the expire loop with elements deleted
+  * MINOR: quic: Add more information about RX packets
+  * BUILD: acl: silence a possible null deref warning in parse_acl_expr()
+  * BUG/MINOR: haproxy: be sure not to quit too early on soft stop
+  * BUG/MINOR: quic: fix padding issue on INITIAL retransmit
+  * BUG/MINOR: quic: fix room check if padding requested
+  * BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
+  * BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()
+  * BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
+  * BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
+  * BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse()
+  * BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
+  * BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
+  * BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
+  * REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching method
+  * BUG/MAJOR: mux-quic: fix crash on reload during emission
+  * BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
+  * CLEANUP: quic: remove a useless CRYPTO frame variable assignment
+  * MINOR: doc: add missing statistics column
+  * MINOR: doc: add missing statistics column
+  * DOC: configuration: confuse "strict-mode" with "zero-warning"
+  * DOC: unreliable sockpair@ on macOS
+  * BUILD: mworker: fix ignoring return value of ‘read’
+  * BUG/MINOR: server: decrement session idle_conns on del server
+  * BUG/MINOR: connection: remove extra session_unown_conn() on reverse
+  * BUG/MINOR: connection: rearrange union list members
+  * BUG/MEDIUM: mworker: fix startup and reload on macOS
+  * BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
+  * BUG/MINOR: mux-quic: trace with non initialized qcc
+  * MINOR: quic: remove ->offset qf_crypto struct field
+  * DOC: configuration: clarify 'default-crt' and implicit default certificates
+  * MINOR: ssl: diagnostic warning when both 'default-crt' and 'strict-sni' are used
+  * BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
+  * MINOR: sample: Add base2 converter
+  * MINOR: sample: Add le2dec (little endian to decimal) sample fetch
+  * BUG/MEDIUM: spoe: Improve error detection in SPOE applet on client abort
+  * BUG/MEDIUM: http_ana: handle yield for "stats http-request" evaluation
+  * BUG/MEDIUM: mux-spop: Reject connection attempts from a non-spop frontend
+  * MINOR: http_ana: fix typo in http_res_get_intercept_rule
+  * MINOR: quic: centralize padding for HP sampling on packet building
+  * BUG/MINOR: quic: don't coalesce probing and ACK packet of same type
+  * BUG/MAJOR: quic: fix INITIAL padding with probing packet only
+  * BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
+  * BUG/MEDIUM: quic: reset padding when building GSO datagrams
+  * MINOR: dns: dns_connect_nameserver: fix fd leak at error path
+  * BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind
+  * BUG/MEDIUM: mux-h2: fix crash on idle-ping due to unwanted ABORT_NOW
+  * BUG/MEDIUM: mworker: more verbose error upon loading failure
+  * BUG/MEDIUM: cli: Report inbuf is no longer full when a line is consumed
+  * BUG/MINOR: spoe: Properly detect and skip empty NOTIFY frames
+  * MEDIUM: dns: don't call connect to dest socket for AF_INET*
+  * BUG/MINOR: mux-h1: fix wrong lock label
+  * BUG/MEDIUM: quic: listener connection stuck during handshakes (OpenSSL 3.5)
+  * MINOR: quic: implement qc_ssl_do_hanshake()
+  * BUG/MEDIUM: Remove sync sends from streams to applets
+  * BUG/MEDIUM: stconn: Fix conditions to know an applet can get data from stream
+
+-------------------------------------------------------------------
+Wed Aug 13 16:49:42 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.4+git0.98813a13e:
+  * [RELEASE] Released version 3.2.4
+  * BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer
+  * BUG/MEDIUM: mux-quic: adjust wakeup behavior
+  * DOC: config: recommend single quoting passwords
+  * DOC: management: fix typo in commit f4f93c56
+  * BUG/MINOR: init: Initialize random seed earlier in the init process
+  * BUG/MEDIUM: ssl: fix build with AWS-LC
+  * BUG/MEDIUM: ssl: Fix 0rtt to the server
+  * MINOR: sock: update broken accept4 detection for older hardwares.
+  * BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
+  * BUILD: compat: always set _POSIX_VERSION to ease comparisons
+  * BUILD: compat: provide relaxed versions of the MIN/MAX macros
+  * DOC: list missing global QUIC settings
+  * CLEANUP: http-client: Remove useless indentation when sending request body
+  * BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
+  * BUG/MINOR mux-quic: apply correctly timeout on output pending data
+  * BUG/MINOR: hq-interop: fix FIN transmission
+  * BUG/MINOR: logs: fix log-steps extra log origins selection
+  * BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
+  * BUG/MINOR: halog: exit with error when some output filters are set simultaneosly
+  * BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
+  * MINOR: h3: remove unused outbuf in h3_resp_headers_send()
+  * BUG/MINOR: quic: Wrong source address use on FreeBSD
+  * BUG/MEDIUM: h3: handle interim response properly on FE side
+  * MINOR: qmux: change API for snd_buf FIN transmission
+  * BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
+  * BUG/MINOR: h3: properly realloc buffer after interim response encoding
+  * BUG/MEDIUM: h3: do not overwrite interim with final response
+  * BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function
+  * BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors
+  * MINOR: h1-htx: Add function to format an HTX message in its H1 representation
+  * BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
+  * BUG/MEDIUM: http-client: Drain the request if an early response is received
+  * BUG/MINOR: http-client: Reject any 101-switching-protocols response
+  * BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
+  * BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
+  * BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
+  * BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
+  * BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5)
+  * MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1
+  * BUG/MINOR: listener: really assign distinct IDs to shards
+  * MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
+  * DOC: management: clarify usage of -V with -c
+  * MEDIUM: acme: use lowercase for challenge names in configuration
+  * BUG/MINOR: acme: possible integer underflow in acme_txt_record()
+  * MINOR: acme: update the log for DNS-01
+  * MEDIUM: acme: allow to wait and restart the task for DNS-01
+  * MINOR: acme: emit the DNS-01 challenge details on the dpapi sink
+  * MINOR: acme: emit a log for DNS-01 challenge response
+  * BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator
+  * BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h
+  * CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h
+  * BUG/MEDIUM: mux-quic: ensure Early-data header is set
+  * BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
+  * BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
+  * BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
+  * BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
+  * BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
+  * BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
+  * MINOR: acme: implement traces
+  * MINOR: acme: add ACME to the haproxy -vv feature list
+  * CLEANUP: acme: fix wrong spelling of "resources"
+  * BUG/MINOR: acme: allow "processing" in challenge requests
+  * MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
+  * BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
+  * BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
+  * DOC: deviceatlas build clarifications
+
+-------------------------------------------------------------------
+Wed Jul 09 09:19:41 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.3+git0.1844da7c6:
+  * [RELEASE] Released version 3.2.3
+  * BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.
+  * BUG/MINOR: http-act: Fix parsing of the expression argument for pause action
+  * BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections
+  * BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init()
+  * BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API)
+  * CI: github: update to OpenSSL 3.5.1
+  * BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
+  * BUILD: quic: QUIC build against OpenSSL 3.5 broken
+  * CI: github: update the stable CI to ubuntu-24.04
+  * CI: github: add an OpenSSL 3.5.0 job
+  * CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0
+
+-------------------------------------------------------------------
+Wed Jul 02 10:07:48 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.2+git0.a55102f09:
+  * [RELEASE] Released version 3.2.2
+  * BUILD: dev/phash: remove the accidentally committed a.out file
+  * BUG/MINOR: httpclient: wrongly named httpproxy flag
+  * DOC: Fix 'jwt_verify' converter doc
+  * BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
+  * BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending
+  * BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
+  * MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC
+  * BUG/MINOR: tools: use my_unsetenv instead of unsetenv
+  * SCRIPTS: drop the HTML generation from announce-release
+  * DOC: config: crt-list clarify default cert + cert-bundle
+  * MINOR: quic: Useless TX buffer size reduction in closing state
+  * BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
+  * DOC: configuration: add details on prefer-client-ciphers
+  * BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
+  * BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
+  * BUG/MINOR: tools: only reset argument start upon new argument
+  * MINOR: fwlc: Factorize code.
+  * BUG/MAJOR: fwlc: Count an avoided server as unusable.
+  * BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
+  * DOC: config: prefer-last-server: add notes for non-deterministic algorithms
+  * BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
+  * MINOR: cli: handle EOS/ERROR first
+  * BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available
+  * BUG/MINOR: quic: Fix OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn callback (OpenSSL3.5)
+  * BUG/MINOR: http-ana: Properly handle keep-query redirect option if no QS
+  * BUG/MINOR: config/server: reject QUIC addresses
+
+-------------------------------------------------------------------
+Wed Jul 02 10:07:34 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 3.2.1+git0.f4d1a4e27:
+  * [RELEASE] Released version 3.2.1
+  * BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing
+  * BUG/MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info
+  * BUG/MINOR: quic: Missing SSL session object freeing
+  * BUG/MINOR: config: fix arg number reported on empty arg warning
+  * BUG/MINOR: config: emit warning for empty args only in discovery mode
+  * BUG/MEDIUM: cli: Properly parse empty lines and avoid crashed
+  * BUG/MINOR: mux-spop: Fix null-pointer deref on SPOP stream allocation failure
+  * BUG/MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout
+  * BUG/MAJOR: leastconn: Protect tree_elt with the lbprm lock
+  * DOC: config: Fix a typo in 2.7 (Name format for maps and ACLs)
+  * BUILD: tools: properly define ha_dump_backtrace() to avoid a build warning
+
+-------------------------------------------------------------------
+Mon Jun 30 10:20:11 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- always build with quic when using awslc
+
+-------------------------------------------------------------------
+Fri Jun 20 10:44:20 UTC 2025 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
+
+- Repair rc_symlink conditionals
+
+-------------------------------------------------------------------
+Fri Jun 20 00:45:43 UTC 2025 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
+
+- Update QUIC documentation in README.SUSE.PACKAGING
+
+-------------------------------------------------------------------
+Wed Jun 11 10:50:55 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- modernize spec file with spec-cleaner. some changes (mostly
+  whitespaces) got reverted for readability
+
+-------------------------------------------------------------------
+Wed Jun 11 10:44:58 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Add support to build against aws-lc with --with=awslc or in the
+  project config
+
+  ```
+  Macros:
+  %_with_awslc 1
+  :Macros
+  ```
 
 -------------------------------------------------------------------
 Wed May 28 17:15:55 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>

haproxy.init

@@ -1,247 +0,0 @@
-#!/bin/sh
-#
-### BEGIN INIT INFO
-# Provides:          haproxy
-# Required-Start:    $syslog $remote_fs
-# Should-Start: $time ypbind sendmail
-# Required-Stop:     $syslog $remote_fs
-# Should-Stop: $time ypbind sendmail
-# Default-Start:     3 5
-# Default-Stop:      0 1 2 6
-# Short-Description: haproxy
-# Description:       Start haproxy a reliable, high performance TCP/HTTP load balancer
-### END INIT INFO
-# 
-# Any extensions to the keywords given above should be preceeded by 
-# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
-# 
-# Notes on Required-Start/Should-Start:
-# * There are two different issues that are solved by Required-Start
-#    and Should-Start
-# (a) Hard dependencies: This is used by the runlevel editor to determine
-#     which services absolutely need to be started to make the start of
-#     this service make sense. Example: nfsserver should have
-#     Required-Start: $portmap
-#     Also, required services are started before the dependent ones.
-#     The runlevel editor will warn about such missing hard dependencies
-#     and suggest enabling. During system startup, you may expect an error,
-#     if the dependency is not fulfilled.
-# (b) Specifying the init script ordering, not real (hard) dependencies.
-#     This is needed by insserv to determine which service should be
-#     started first (and at a later stage what services can be started
-#     in parallel). The tag Should-Start: is used for this.
-#     It tells, that if a service is available, it should be started
-#     before. If not, never mind.
-# * When specifying hard dependencies or ordering requirements, you can 
-#   use names of services (contents of their Provides: section)
-#   or pseudo names starting with a $. The following ones are available
-#   according to LSB (1.1):
-#       $local_fs               all local file systems are mounted
-#                               (most services should need this!)
-#       $remote_fs              all remote file systems are mounted
-#                               (note that /usr may be remote, so
-#                                many services should Require this!)
-#       $syslog                 system logging facility up
-#       $network                low level networking (eth card, ...)
-#       $named                  hostname resolution available
-#       $netdaemons             all network daemons are running
-#   The $netdaemons pseudo service has been removed in LSB 1.2.
-#   For now, we still offer it for backward compatibility.
-#   These are new (LSB 1.2):
-#       $time                   the system time has been set correctly  
-#       $portmap                SunRPC portmapping service available
-#   UnitedLinux extensions:
-#       $ALL                    indicates that a script should be inserted
-#                               at the end
-# * The services specified in the stop tags 
-#   (Required-Stop/Should-Stop)
-#   specify which services need to be still running when this service
-#   is shut down. Often the entries there are just copies or a subset 
-#   from the respective start tag.
-# * Should-Start/Stop are now part of LSB as of 2.0,
-#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
-#   insserv does support both variants.
-# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
-#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
-#   a startup script should default to be enabled after installation.
-#   It's not used by insserv.
-#
-# Note on runlevels:
-# 0 - halt/poweroff                     6 - reboot
-# 1 - single user                       2 - multiuser without network exported
-# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)
-# 
-# Note on script names:
-# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
-# A registry has been set up to manage the init script namespace.
-# http://www.lanana.org/
-# Please use the names already registered or register one or use a
-# vendor prefix.
-
-
-# Check for missing binaries (stale symlinks should not happen)
-# Note: Special treatment of stop for LSB conformance
-HAPROXY_BIN=/usr/sbin/haproxy
-test -x $HAPROXY_BIN || { echo "$HAPROXY_BIN not installed"; 
-        if [ "$1" = "stop" ]; then exit 0;
-        else exit 5; fi; }
-HAPROXY_PID="/var/run/haproxy.pid"
-HAPROXY_CONF="/etc/haproxy/haproxy.cfg"
-## Check for existence of needed config file and read it
-#HAPROXY_CONFIG=/etc/sysconfig/haproxy
-#test -r $HAPROXY_CONFIG || { echo "$HAPROXY_CONFIG not existing";
-#       if [ "$1" = "stop" ]; then exit 0;
-#       else exit 6; fi; }
-#
-## Read config  
-#. $HAPROXY_CONFIG
-
-# Source LSB init functions
-# providing start_daemon, killproc, pidofproc, 
-# log_success_msg, log_failure_msg and log_warning_msg.
-# This is currently not used by UnitedLinux based distributions and
-# not needed for init scripts for UnitedLinux only. If it is used,
-# the functions from rc.status should not be sourced or used.
-#. /lib/lsb/init-functions
-
-# Shell functions sourced from /etc/rc.status:
-#      rc_check         check and set local and overall rc status
-#      rc_status        check and set local and overall rc status
-#      rc_status -v     be verbose in local rc status and clear it afterwards
-#      rc_status -v -r  ditto and clear both the local and overall rc status
-#      rc_status -s     display "skipped" and exit with status 3
-#      rc_status -u     display "unused" and exit with status 3
-#      rc_failed        set local and overall rc status to failed
-#      rc_failed <num>  set local and overall rc status to <num>
-#      rc_reset         clear both the local and overall rc status
-#      rc_exit          exit appropriate to overall rc status
-#      rc_active        checks whether a service is activated by symlinks
-. /etc/rc.status
-
-# Reset status of this service
-rc_reset
-
-# Return values acc. to LSB for all commands but status:
-# 0       - success
-# 1       - generic or unspecified error
-# 2       - invalid or excess argument(s)
-# 3       - unimplemented feature (e.g. "reload")
-# 4       - user had insufficient privileges
-# 5       - program is not installed
-# 6       - program is not configured
-# 7       - program is not running
-# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
-# 
-# Note that starting an already running service, stopping
-# or restarting a not-running service as well as the restart
-# with force-reload (in case signaling is not supported) are
-# considered a success.
-
-function haproxy_check() {
-        HAPROXY_CONFIG_CHECK="$($HAPROXY_BIN -c -q -f $HAPROXY_CONF 2>&1)"
-        if [ $? -ne 0 ] ; then
-                echo "" >&2
-                echo "$HAPROXY_CONFIG_CHECK" >&2
-                rc_failed
-                rc_status -v
-                exit 1
-        else
-                return 0
-        fi
-}
-
-case "$1" in
-    start)
-        echo -n "Starting haproxy "
-        ## Start daemon with startproc(8). If this fails
-        ## the return value is set appropriately by startproc.
-        haproxy_check
-        /sbin/startproc $HAPROXY_BIN -D -f $HAPROXY_CONF -p $HAPROXY_PID
-        # Remember status and be verbose
-        rc_status -v
-        ;;
-    stop)
-        echo -n "Shutting down haproxy "
-        ## Stop daemon with killproc(8) and if this fails
-        ## killproc sets the return value according to LSB.
-
-        /sbin/killproc -TERM $HAPROXY_BIN
-
-        # Remember status and be verbose
-        rc_status -v
-        ;;
-    try-restart|condrestart)
-        ## Do a restart only if the service was active before.
-        ## Note: try-restart is now part of LSB (as of 1.9).
-        ## RH has a similar command named condrestart.
-        if test "$1" = "condrestart"; then
-                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
-        fi
-        $0 status
-        if test $? = 0; then
-                # we us reload here for a graceful restart during update
-                $0 reload
-        else
-                rc_reset        # Not running is not a failure.
-        fi
-        # Remember status and be quiet
-        rc_status
-        ;;
-    restart)
-        ## Stop the service and regardless of whether it was
-        ## running or not, start it again.
-        haproxy_check
-        $0 stop
-        $0 start
-
-        # Remember status and be quiet
-        rc_status
-        ;;
-    check)
-        ## Stop the service and regardless of whether it was
-        ## running or not, start it again.
-        echo -n "Checking config of haproxy "
-        haproxy_check
-        rc_status -v
-        ;;
-    reload|force-reload)
-        ## Like force-reload, but if daemon does not support
-        ## signaling, do nothing (!)
-        haproxy_check
-        # If it supports signaling:
-        echo -n "Reload service haproxy "
-        $HAPROXY_BIN -p $HAPROXY_PID -D -f $HAPROXY_CONF -sf $(cat $HAPROXY_PID)
-        rc_status -v
-        ;;
-    status)
-        echo -n "Checking for service haproxy "
-        ## Check status with checkproc(8), if process is running
-        ## checkproc will return with exit status 0.
-
-        # Return value is slightly different for the status command:
-        # 0 - service up and running
-        # 1 - service dead, but /var/run/  pid  file exists
-        # 2 - service dead, but /var/lock/ lock file exists
-        # 3 - service not running (unused)
-        # 4 - service status unknown :-(
-        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
-
-        # NOTE: checkproc returns LSB compliant status values.
-        /sbin/checkproc -p $HAPROXY_PID $HAPROXY_BIN
-        # NOTE: rc_status knows that we called this init script with
-        # "status" option and adapts its messages accordingly.
-        rc_status -v
-        ;;
-    probe)
-        ## Optional: Probe for the necessity of a reload, print out the
-        ## argument to this init script which is required for a reload.
-        ## Note: probe is not (yet) part of LSB (as of 1.9)
-
-        test $HAPROXY_CONF -nt $HAPROXY_PID && echo reload
-        ;;
-    *)
-        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-        exit 1
-        ;;
-esac
-rc_exit

haproxy.spec

@@ -15,7 +15,14 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 
 # => notes regarding QUIC in README.SUSE.PACKAGING
-%if 0%{?suse_version} > 1600
+
+%define pkg_name haproxy
+%define pkg_home %{_localstatedir}/lib/%{pkg_name}
+%{!?vim_data_dir:%global vim_data_dir %{_datadir}/vim/%(readlink %{_datadir}/vim/current)}
+
+%bcond_with awslc
+
+%if 0%{?suse_version} > 1600 || %{with awslc}
 %bcond_without quic
 %else
 %bcond_with quic
@@ -27,34 +34,9 @@
 %bcond_without rc_symlink
 %endif
 
-%if 0%{?suse_version} >= 1230
-%bcond_without tcp_fast_open
-%bcond_without network_namespace
-%else
-%bcond_with tcp_fast_open
-%bcond_with network_namespace
-%endif
-
-%if 0%{?suse_version} > 1320
-%bcond_without lua
-%else
-%bcond_with    lua
-%endif
-
-%if 0%{?suse_version} >= 1310
-%bcond_without systemd
-%else
-%bcond_with systemd
-%endif
-
 %bcond_without pcre2_jit
 
 %bcond_without  apparmor
-%if 0%{?suse_version} > 1320
-%bcond_without apparmor_reload
-%else
-%bcond_with    apparmor_reload
-%endif
 
 %if 0%{?suse_version} >= 1500
 %bcond_without sysusers
@@ -64,48 +46,19 @@
 %bcond_with tmpfiles
 %endif
 
+%bcond_with ech
+
 Name:           haproxy
-Version:        3.2.0+git0.e134140d2
+Version:        3.3.1+git0.9c24c11a6
 Release:        0
 #
+Summary:        The Reliable, High Performance TCP/HTTP Load Balancer
+License:        GPL-3.0-or-later AND LGPL-2.1-or-later
+Group:          Productivity/Networking/Web/Proxy
 #
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-%if %{with apparmor}
-%if 0%{?suse_version} <= 1315
-BuildRequires:  apparmor-profiles
-Recommends:     apparmor-profiles
-%else
-BuildRequires:  apparmor-abstractions
-Recommends:     apparmor-abstractions
-%endif
-%if %{with apparmor_reload}
-BuildRequires:  apparmor-rpm-macros
-%endif
-%endif
-BuildRequires:  libgcrypt-devel
-%if %{with lua}
-BuildRequires:  lua-devel >= 5.3
-%endif
-BuildRequires:  pcre2-devel
-BuildRequires:  zlib-devel
-BuildRequires:  openssl-devel
-BuildRequires:  pkg-config
-%if %{with systemd}
-BuildRequires:  pkgconfig(systemd)
-BuildRequires:  pkgconfig(libsystemd)
-%if %{with sysusers}
-BuildRequires:  sysuser-shadow
-BuildRequires:  sysuser-tools
-%endif
-%endif
-BuildRequires:  vim
-%define pkg_name haproxy
-%define pkg_home /var/lib/%{pkg_name}
-#
-Url:            http://www.haproxy.org/
+URL:            https://www.haproxy.org/
 #               source URL in _service file
 Source:         haproxy-%{version}.tar.gz
-Source1:        %{pkg_name}.init
 Source2:        usr.sbin.haproxy.apparmor
 Source3:        local.usr.sbin.haproxy.apparmor
 Source4:        haproxy.cfg
@@ -113,29 +66,41 @@ Source5:        haproxy-user.conf
 Source6:        haproxy-tmpfiles.conf
 Source7:        README.SUSE
 Source8:        README.SUSE.PACKAGING
+#
+Source98:       series
+Source99:       haproxy-rpmlintrc
 Patch1:         haproxy-1.6.0_config_haproxy_user.patch
 Patch2:         haproxy-1.6.0-makefile_lib.patch
 Patch3:         haproxy-1.6.0-sec-options.patch
 Patch4:         haproxy-service.patch
-Patch5:         0001-BUG-CRITICAL-mjson-fix-possible-DoS-when-parsing-num.patch
-#
-Source98:       series
-Source99:       haproxy-rpmlintrc
-#
-Summary:        The Reliable, High Performance TCP/HTTP Load Balancer
-License:        GPL-3.0+ and LGPL-2.1+
-Group:          Productivity/Networking/Web/Proxy
+BuildRequires:  libgcrypt-devel
+BuildRequires:  pcre2-devel
+BuildRequires:  pkgconfig
+BuildRequires:  vim
+BuildRequires:  zlib-devel
 Provides:       %{name}-doc = %{version}
 Obsoletes:      %{name}-doc < %{version}
 Provides:       haproxy-1.5 = %{version}
 Obsoletes:      haproxy-1.5 < %{version}
-%if %{with systemd}
+#
+#
+%if %{with apparmor}
+BuildRequires:  apparmor-abstractions
+Recommends:     apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+%endif
+BuildRequires:  lua-devel >= 5.3
+%if %{with awslc}
+BuildRequires:  aws-lc-devel
+%else
+BuildRequires:  openssl-devel
+%endif
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 %{?systemd_ordering}
-%if %{with sysusers}
 %sysusers_requires
-%endif
-%endif
-%{!?vim_data_dir:%global vim_data_dir /usr/share/vim/%(readlink /usr/share/vim/current)}
 
 %description
 HAProxy implements an event-driven, mono-process model which enables support
@@ -153,40 +118,41 @@ the most work done from every CPU cycle.
 cp %{SOURCE7} .
 
 %build
-make %{?_smp_mflags} \
+%make_build \
     TARGET=linux-glibc \
-    CPU="%{_target_cpu}" \
+    USE_RELRO_NOW=1 \
+    USE_STACKPROTECTOR=1 \
+    USE_PIE=1 \
+    USE_KTLS=1 \
     USE_PCRE2=1 \
     %if %{with pcre2_jit}
     USE_PCRE2_JIT=1 \
     %endif
-    %ifarch %ix86
+    %ifarch %{ix86}
     USE_REGPARM=1 \
     %endif
     USE_GETADDRINFO=1 \
+%if %{with awslc}
+    USE_OPENSSL_AWSLC=1 \
+%else
     USE_OPENSSL=1 \
-    %if %{with lua}
-    USE_LUA=1 \
-    %endif
-    USE_ZLIB=1 \
-    %if %{with tcp_fast_open}
-    USE_TFO=1 \
-    %endif
-    %if %{with network_namespace}
-    USE_NS=1 \
-    %endif
-%if %{with systemd}
-    USE_SYSTEMD=1 \
+%if %{with ech}
+    USE_QUIC_OPENSSL_COMPAT=1 \
+    USE_ECH=1 \
 %endif
-    USE_PIE=1 \
-    USE_STACKPROTECTOR=1 \
-    USE_RELRO_NOW=1 \
+%endif
+    USE_LUA=1 \
+    USE_ZLIB=1 \
+    USE_TFO=1 \
+    USE_NS=1 \
     LIB="%{_lib}" \
     PREFIX="%{_prefix}" \
     USE_PROMEX=1 \
     %if %{with quic}
     USE_QUIC=1 \
+%if %{without awslc}
     USE_QUIC_OPENSSL_COMPAT=1 \
+%endif
     %endif
     %if %{with opentracing}
     USE_OT=1 \
@@ -194,67 +160,44 @@ make %{?_smp_mflags} \
     %if %{with memory_profiling}
     USE_MEMORY_PROFILING=1 \
     %endif
-    DEBUG_CFLAGS="%{optflags}" V=1
-%if %{with systemd}
-make -C admin/systemd  PREFIX="%{_prefix}"
-%if %{with sysusers}
+    OPT_CFLAGS="%{optflags}" V=1
+%make_build -C admin/systemd  PREFIX="%{_prefix}"
 %sysusers_generate_pre %{SOURCE5} haproxy haproxy-user.conf
-%endif
-%endif
-make admin/halog/halog DEBUG_CFLAGS="%{optflags}" V=1
+%make_build admin/halog/halog DEBUG_CFLAGS="%{optflags}"
 
 %install
 install -D -m 0755 %{pkg_name}         %{buildroot}%{_sbindir}/%{pkg_name}
 install -d -m 0750                     %{buildroot}%{_sysconfdir}/%{pkg_name}/
-install    -m 0640 %{S:4}              %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
+install    -m 0640 %{SOURCE4}              %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
 
 install -D -m 0755 admin/halog/halog %{buildroot}%{_sbindir}/haproxy-halog
 
-%if %{with systemd}
 install -D -m 0644 admin/systemd/%{pkg_name}.service  %{buildroot}%{_unitdir}/%{pkg_name}.service
-%if %{with rc_symlinks}
+%if %{with rc_symlink}
 ln -sf /sbin/service   %{buildroot}%{_sbindir}/rc%{pkg_name}
 %endif
-%if %{with sysusers}
 install -D -m 644 %{SOURCE5} %{buildroot}%{_sysusersdir}/haproxy-user.conf
-%endif
-%if %{with tmpfiles}
 install -D -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-%endif
-%else
-install -D -m 0755 %{S:1}                      %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
-ln -fs %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
-%endif
-
 install -d -m 0750                          %{buildroot}%{pkg_home}
 install -D -m 0644 admin/syntax-highlight/haproxy.vim     %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim
 install -D -m 0644 doc/%{pkg_name}.1        %{buildroot}%{_mandir}/man1/%{pkg_name}.1
 %if %{with apparmor}
-install -D -m 0644 %{S:2}                   %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
-install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/haproxy
-install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
+install -D -m 0644 %{SOURCE2}                   %{buildroot}%{_sysconfdir}/apparmor.d/usr.sbin.haproxy
+install -D -m 0644 %{SOURCE3}                   %{buildroot}%{_sysconfdir}/apparmor.d/local/haproxy
+install -D -m 0644 %{SOURCE3}                   %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.sbin.haproxy
 %endif
 
 rm examples/*init*
 
 
-%if %{with systemd}
-%if %{with sysusers}
 %pre -f haproxy.pre
-%else
-%pre
-%endif
 %service_add_pre %{pkg_name}.service
 
 %post
-%if %{with apparmor} && %{with apparmor_reload}
-%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
+%if %{with apparmor}
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.sbin.haproxy
 %endif
-%if %{with systemd}
-%if %{with tmpfiles}
 %tmpfiles_create %{_tmpfilesdir}/%{name}.conf
-%endif
-%endif
 %service_add_post %{pkg_name}.service
 
 %preun
@@ -263,67 +206,35 @@ rm examples/*init*
 %postun
 %service_del_postun %{pkg_name}.service
 
-%else
-
-%pre
-getent group %{pkg_name} >/dev/null || /usr/sbin/groupadd -r %{pkg_name}
-getent passwd %{pkg_name} >/dev/null || \
-	/usr/sbin/useradd  -g %{pkg_name} -s /bin/false -r \
-	-c "user for %{pkg_name}" -d %{pkg_home} %{pkg_name}
-
-%post
-%fillup_and_insserv %{pkg_name}
-%if %{with apparmor} && %{with apparmor_reload}
-%apparmor_reload /etc/apparmor.d/usr.sbin.haproxy
-%endif
-
-%preun
-%stop_on_removal %{pkg_name}
-
-%postun
-%restart_on_update %{pkg_name}
-%{insserv_cleanup}
-
-%endif
-
 %files
-%defattr(-,root,root,-)
 %license LICENSE
 %doc README.SUSE CHANGELOG README.md
 %doc doc/* examples/
 %doc admin/netsnmp-perl/ admin/selinux/
-%dir               %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
+%dir %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
 %config(noreplace) %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}/*
-%if %{with systemd}
 %{_unitdir}/%{pkg_name}.service
-%if %{with sysusers}
 %{_sysusersdir}/haproxy-user.conf
-%endif
-%if %{with tmpfiles}
 %{_tmpfilesdir}/%{name}.conf
 %dir %ghost %{_rundir}/%{name}
-%endif
-%else
-%config(noreplace) %{_sysconfdir}/init.d/%{pkg_name}
-%endif
 %{_sbindir}/haproxy
 %{_sbindir}/haproxy-halog
-%if %{with rc_symlinks}
+%if %{with rc_symlink}
 %{_sbindir}/rchaproxy
 %endif
 %dir %attr(-,root,haproxy) %{pkg_home}
-%{_mandir}/man1/%{pkg_name}.1.gz
+%{_mandir}/man1/%{pkg_name}.1%{?ext_man}
 %dir %{_datadir}/vim
 %dir %{vim_data_dir}
 %dir %{vim_data_dir}/syntax
 %{vim_data_dir}/syntax/%{pkg_name}.vim
 %if %{with apparmor}
 %if 0%{?suse_version} == 1110
-%dir /etc/apparmor.d/local/
+%dir %{_sysconfdir}/apparmor.d/local/
 %endif
-%config(noreplace)        /etc/apparmor.d/usr.sbin.haproxy
-%config(noreplace) %ghost /etc/apparmor.d/local/haproxy
-%config(noreplace) %ghost /etc/apparmor.d/local/usr.sbin.haproxy
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.haproxy
+%config(noreplace) %ghost %{_sysconfdir}/apparmor.d/local/haproxy
+%config(noreplace) %ghost %{_sysconfdir}/apparmor.d/local/usr.sbin.haproxy
 %endif
 
 %changelog

usr.sbin.haproxy.apparmor

@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-profile haproxy /usr/sbin/haproxy {
+profile haproxy /usr/sbin/haproxy flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/openssl>
   #include <abstractions/ssl_certs>
@@ -24,6 +24,8 @@ profile haproxy /usr/sbin/haproxy {
 
   /etc/haproxy/* r, 
 
+  /etc/os-release r,
+
   /usr/sbin/haproxy rmix,
 
   /dev/shm/haproxy_startup_logs_* rwlk,
@@ -52,6 +54,7 @@ profile haproxy /usr/sbin/haproxy {
   /sys/devices/system/cpu/cpu[0-9]*/topology/package_cpus_list r,
   /sys/devices/system/cpu/cpu[0-9]*/topology/physical_package_id r,
   /sys/devices/system/cpu/cpu[0-9]*/topology/core_siblings_list r,
+  /sys/devices/system/cpu/cpu[0-9]*/cpu_capacity r,
   /sys/class/dmi/id/sys_vendor r,
   /sys/devices/virtual/dmi/id/sys_vendor r,
   /sys/class/dmi/id/product_family r,