------------------------------------------------------------------- Thu Oct 9 14:24:45 UTC 2014 - kgronlund@suse.com - Fix check config before start patch to apply after previous patch - Update patch: haproxy-1.5_check_config_before_start.patch ------------------------------------------------------------------- Thu Oct 9 14:14:35 UTC 2014 - kgronlund@suse.com - BUG/MEDIUM: systemd: set KillMode to 'mixed' - Add patch: - 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch ------------------------------------------------------------------- Wed Oct 8 12:53:41 UTC 2014 - kgronlund@suse.com - update to 1.5.5 - DOC: indicate that weight zero is reported as DRAIN - DOC: Address issue where documentation is excluded due to a gitignore rule - This update includes all previous patches since 1.5.4 - Removed patches: - 0001-DOC-clearly-state-that-the-show-sess-output-format-i.patch - 0002-MINOR-stats-fix-minor-typo-fix-in-stats_dump_errors_.patch - 0003-MEDIUM-Improve-signal-handling-in-systemd-wrapper.patch - 0004-MINOR-Also-accept-SIGHUP-SIGTERM-in-systemd-wrapper.patch - 0005-DOC-indicate-in-the-doc-that-track-sc-can-wait-if-da.patch - 0006-MEDIUM-http-enable-header-manipulation-for-101-respo.patch - 0007-BUG-MEDIUM-config-propagate-frontend-to-backend-proc.patch - 0008-MEDIUM-config-properly-propagate-process-binding-bet.patch - 0009-MEDIUM-config-make-the-frontends-automatically-bind-.patch - 0010-MEDIUM-config-compute-the-exact-bind-process-before-.patch - 0011-MEDIUM-config-only-warn-if-stats-are-attached-to-mul.patch - 0012-MEDIUM-config-report-it-when-tcp-request-rules-are-m.patch - 0013-MINOR-config-detect-the-case-where-a-tcp-request-con.patch - 0014-MEDIUM-systemd-wrapper-support-multiple-executable-v.patch - 0015-BUG-MEDIUM-remove-debugging-code-from-systemd-wrappe.patch - 0016-BUG-MEDIUM-http-adjust-close-mode-when-switching-to-.patch - 0017-BUG-MINOR-config-don-t-propagate-process-binding-on-.patch - 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch - 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch - 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch ------------------------------------------------------------------- Mon Oct 6 09:09:58 UTC 2014 - kgronlund@suse.com - Backported fixes: - BUG/MEDIUM: http: adjust close mode when switching to backend - BUG/MINOR: config: don't propagate process binding on fatal errors. - BUG/MEDIUM: check: rule-less tcp-check must detect connect failures - BUG/MINOR: tcp-check: report the correct failed step in the status - BUG/MINOR: config: don't propagate process binding for dynamic use_backend - Added patches: - 0016-BUG-MEDIUM-http-adjust-close-mode-when-switching-to-.patch - 0017-BUG-MINOR-config-don-t-propagate-process-binding-on-.patch - 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch - 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch - 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch ------------------------------------------------------------------- Thu Sep 25 16:10:08 UTC 2014 - kgronlund@suse.com - Backported fixes (bnc#898498): - DOC: clearly state that the "show sess" output format is not fixed - MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer() - MEDIUM: Improve signal handling in systemd wrapper. - MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper - DOC: indicate in the doc that track-sc* can wait if data are missing - MEDIUM: http: enable header manipulation for 101 responses - BUG/MEDIUM: config: propagate frontend to backend process binding again. - MEDIUM: config: properly propagate process binding between proxies - MEDIUM: config: make the frontends automatically bind to the listeners' processes - MEDIUM: config: compute the exact bind-process before listener's maxaccept - MEDIUM: config: only warn if stats are attached to multi-process bind directives - MEDIUM: config: report it when tcp-request rules are misplaced - MINOR: config: detect the case where a tcp-request content rule has no inspect-delay - MEDIUM: systemd-wrapper: support multiple executable versions and names - BUG/MEDIUM: remove debugging code from systemd-wrapper - Added patches: - 0001-DOC-clearly-state-that-the-show-sess-output-format-i.patch - 0002-MINOR-stats-fix-minor-typo-fix-in-stats_dump_errors_.patch - 0003-MEDIUM-Improve-signal-handling-in-systemd-wrapper.patch - 0004-MINOR-Also-accept-SIGHUP-SIGTERM-in-systemd-wrapper.patch - 0005-DOC-indicate-in-the-doc-that-track-sc-can-wait-if-da.patch - 0006-MEDIUM-http-enable-header-manipulation-for-101-respo.patch - 0007-BUG-MEDIUM-config-propagate-frontend-to-backend-proc.patch - 0008-MEDIUM-config-properly-propagate-process-binding-bet.patch - 0009-MEDIUM-config-make-the-frontends-automatically-bind-.patch - 0010-MEDIUM-config-compute-the-exact-bind-process-before-.patch - 0011-MEDIUM-config-only-warn-if-stats-are-attached-to-mul.patch - 0012-MEDIUM-config-report-it-when-tcp-request-rules-are-m.patch - 0013-MINOR-config-detect-the-case-where-a-tcp-request-con.patch - 0014-MEDIUM-systemd-wrapper-support-multiple-executable-v.patch - 0015-BUG-MEDIUM-remove-debugging-code-from-systemd-wrappe.patch ------------------------------------------------------------------- Wed Sep 3 07:35:14 UTC 2014 - kgronlund@suse.com - update to 1.5.4 (bnc#895849 CVE-2014-6269) - BUG: config: error in http-response replace-header number of arguments - BUG/MINOR: Fix search for -p argument in systemd wrapper. - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported - MEDIUM: connection: add new bit in Proxy Protocol V2 - BUG/MINOR: server: move the directive #endif to the end of file - BUG/MEDIUM: http: tarpit timeout is reset - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() - BUG/MEDIUM: acl: correctly compute the output type when a converter is used - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer - Dropped patches: - 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch - 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch - 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch - 0004-BUG-config-error-in-http-response-replace-header-num.patch - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch ------------------------------------------------------------------- Fri Aug 22 14:38:59 UTC 2014 - mrueckert@suse.de - pull 2 more fixes from git: - 0004-BUG-config-error-in-http-response-replace-header-num.patch A couple of typo fixed in 'http-response replace-header': - an error when counting the number of arguments - a typo in the alert message - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b (1.5-dev24-8), the tarpit section set timeout and return, after this commit, the tarpit section set the timeout, and go to the "done" label which reset the timeout. ------------------------------------------------------------------- Wed Jul 30 09:47:38 UTC 2014 - mrueckert@suse.de - pull important fixes from git: 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch Especially the last patch is important: As a consequence of various recent changes on the sample conversion, a corner case has emerged where it is possible to wait forever for a sample in track-sc*. ------------------------------------------------------------------- Mon Jul 28 11:33:14 UTC 2014 - kgronlund@suse.com - update to 1.5.3 - DOC: fix typo in Unix Socket commands - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange - DOC: mention that Squid correctly responds 400 to PPv2 header - BUG/MINOR: http: base32+src should use the big endian version of base32 - BUG/MEDIUM: connection: fix proxy v2 header again! - Removed backported patches: - 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch - 0002-DOC-fix-typo-in-Unix-Socket-commands.patch - 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch - 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch - 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch - 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch ------------------------------------------------------------------- Mon Jul 21 13:45:40 UTC 2014 - mrueckert@suse.de - added 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch: Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header") was wrong, using &cn_trash instead of cn_trash resulting in a warning and the client's SSL cert CN not being stored at the proper location. ------------------------------------------------------------------- Fri Jul 18 15:01:53 UTC 2014 - mrueckert@suse.de - added 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch: BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header ------------------------------------------------------------------- Thu Jul 17 10:45:28 UTC 2014 - mrueckert@suse.de - pulled a few fixes from the 1.5 branch: most notable the DHE memleak fix. Adds the following patches: 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch 0002-DOC-fix-typo-in-Unix-Socket-commands.patch 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch ------------------------------------------------------------------- Sat Jul 12 16:56:27 UTC 2014 - mrueckert@suse.de - update to 1.5.2 - BUG/MEDIUM: backend: Update hash to use unsigned int throughout - BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. - DOC: expand the docs for the provided stats. - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets upon failure. - MINOR: stats: fix minor typo in HTML page - BUG/MEDIUM: http: fetch "base" is not compatible with set-header - BUG/MINOR: counters: do not untrack counters before logging - BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process() - MINOR: stick-table: make stktable_fetch_key() indicate why it failed - BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents - BUILD: remove TODO from the spec file and add README - MINOR: log: make MAX_SYSLOG_LEN overridable at build time - MEDIUM: log: support a user-configurable max log line length - DOC: provide an example of how to use ssl_c_sha1 - BUILD: http: fix isdigit & isspace warnings on Solaris - BUG/MINOR: listener: set the listener's fd to -1 after deletion - BUG/MEDIUM: unix: failed abstract socket binding is retryable - MEDIUM: listener: implement a per-protocol pause() function - MEDIUM: listener: support rebinding during resume() - BUG/MEDIUM: unix: completely unbind abstract sockets during a pause() - DOC: explicitly mention the limits of abstract namespace sockets - DOC: minor fix on {sc,src}_kbytes_{in,out} - DOC: fix alphabetical sort of converters - BUG/MAJOR: http: correctly rewind the request body after start of forwarding - DOC: remove references to CPU=native in the README - DOC: mention that "compression offload" is ignored in defaults section - drop patches including in version upgrade. - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch - use www.haproxy.org now instead of the old domain which is just redirecting to haproxy.org now. ------------------------------------------------------------------- Tue Jul 1 12:13:33 UTC 2014 - kgronlund@suse.com - BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents - MINOR: stick-table: make stktable_fetch_key() indicate why it failed - BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process() - BUG/MINOR: counters: do not untrack counters before logging - BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. - BUG/MEDIUM: http: fetch "base" is not compatible with set-header - Add patches: - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch ------------------------------------------------------------------- Tue Jun 24 15:55:48 UTC 2014 - mrueckert@suse.de - install the vim file into the versioned directory and dont cover the current symlink with a directory ------------------------------------------------------------------- Tue Jun 24 13:00:39 UTC 2014 - mrueckert@suse.de - add Requires to vim to make the ownership of the vim directory clear and not break any symlink handling the vim package might use. ------------------------------------------------------------------- Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de - update to 1.5.1 - BUG/MINOR: config: http-request replace-header arg typo - BUG/MINOR: ssl: rejects OCSP response without nextupdate. - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. - BUG/MINOR: ssl: Fix OCSP resp update fails with the same certificate configured twice. (cherry picked from commit 1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f) - BUG/MEDIUM: Consistently use 'check' in process_chk - BUG/MAJOR: session: revert all the crappy client-side timeout changes - BUG/MINOR: logs: properly initialize and count log sockets - drop haproxy-1.5.0_consistently_use_check.patch: included upstream ------------------------------------------------------------------- Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com - Install vim file to a more appropriate location ------------------------------------------------------------------- Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com - added pre macro for systemd service file ------------------------------------------------------------------- Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com - Use better systemd detection consistently ------------------------------------------------------------------- Sun Jun 22 19:48:11 UTC 2014 - mrueckert@suse.de - pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6: Consistently use 'check' in process_chk I am not entirely sure that this is a bug, but it seems to me that it may cause a problem if there agent-check is configured and there is some kind of error making a connection for it. adds patch haproxy-1.5.0_consistently_use_check.patch ------------------------------------------------------------------- Fri Jun 20 14:37:21 UTC 2014 - mrueckert@suse.de - update to 1.5.0 For people who don't follow the development versions, 1.5 expands 1.4 with many new features and performance improvements, including native SSL support on both sides with SNI/NPN/ALPN and OCSP stapling, IPv6 and UNIX sockets are supported everywhere, full HTTP keep-alive for better support of NTLM and improved efficiency in static farms, HTTP/1.1 compression (deflate, gzip) to save bandwidth, PROXY protocol versions 1 and 2 on both sides, data sampling on everything in request or response, including payload, ACLs can use any matching method with any input sample maps and dynamic ACLs updatable from the CLI stick-tables support counters to track activity on any input sample custom format for logs, unique-id, header rewriting, and redirects, improved health checks (SSL, scripted TCP, check agent, ...), much more scalable configuration supports hundreds of thousands of backends and certificates without sweating. For all the details see /usr/share/doc/packages/haproxy/CHANGELOG - enable tcp fast open if the kernel is recent enough - enable PCRE JIT if PCRE is recent enough - enable openssl support! - haproxy can finally terminate ssl itself and also talk SSL to the backend servers. - including SNI/NPN/ALPN support. new buildrequires openssl and pkgconfig - enable deflate support new buildrequires zlib-devel - enable transparent proxy support - enable usage of accept4. reduces the syscall amount. - enable building and installing of halog - install vim file into the correct place - dropped patches: 0001-MEDIUM-add-systemd-service.patch 0002-MEDIUM-add-haproxy-systemd-wrapper.patch 0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch 0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch 0005-BUILD-stdbool-is-not-portable-again.patch 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch 0009-openSUSE-Configure-haproxy-user.patch 0010-openSUSE-Fix-path-to-PCRE-library.patch 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch 0014-MINOR-systemd-wrapper-improve-logging.patch 0015-MINOR-systemd-wrapper-propagate-exit-status.patch - added haproxy-1.2.16_config_haproxy_user.patch: (replaces 0009-openSUSE-Configure-haproxy-user.patch) - added haproxy-1.5_check_config_before_start.patch: systemd allows us to run other things before we start the final daemon. use this to check the configuration before launching. - added haproxy-makefile_lib.patch (replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch) - added sec-options.patch: allow it more easily to build haproxy with PIE, stackprotector and relro. all those options are enabled on our build. - added apparmor profile usr.sbin.haproxy.apparmor local.usr.sbin.haproxy.apparmor - change the conditionals for systemd to use bcond_with to make it more obvious what we are guarding. ------------------------------------------------------------------- Wed May 21 10:50:21 UTC 2014 - jsegitz@novell.com - added necessary macros for systemd files ------------------------------------------------------------------- Tue May 6 06:12:08 UTC 2014 - kgronlund@suse.com - update to 1.4.25 (bnc#876438) - DOC: typo: nosepoll self reference in config guide - BUG/MINOR: deinit: free fdinfo while doing cleanup - BUG/MEDIUM: server: set the macro for server's max weight SRV_UWGHT_MAX to SRV_UWGHT_RANGE - BUG/MINOR: use the same check condition for server as other algorithms - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN for recv() - BUG/MINOR: fix forcing fastinter in "on-error" - BUG/MEDIUM: http/auth: Sometimes the authentication credentials can be mix between two requests - BUG/MAJOR: http: don't emit the send-name-header when no server is available - BUG/MEDIUM: http: "option checkcache" fails with the no-cache header - MEDIUM: session: disable lingering on the server when the client aborts - MINOR: config: warn when a server with no specific port uses rdp-cookie - MEDIUM: increase chunk-size limit to 2GB-1 - DOC: add a mention about the limited chunk size - MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection - BUILD: proto_tcp: remove a harmless warning - BUG/MINOR: acl: remove patterns from the tree before freeing them - BUG/MEDIUM: checks: fix slow start regression after fix attempt - BUG/MAJOR: server: weight calculation fails for map-based algorithms - BUG/MINOR: backend: fix target address retrieval in transparent mode - BUG/MEDIUM: stick: completely remove the unused flag from the store entries - BUG/MEDIUM: stick-tables: complete the latest fix about store-responses - BUG/MEDIUM: checks: tracking servers must not inherit the MAINT flag - BUG/MINOR: stats: report correct throttling percentage for servers in slowstart - BUG/MINOR: stats: correctly report throttle rate of low weight servers - BUG/MINOR: checks: successful check completion must not re-enable MAINT servers - BUG/MEDIUM: stats: the web interface must check the tracked servers before enabling - BUG/MINOR: channel: initialize xfer_small/xfer_large on new buffers - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN - BUG/MEDIUM: http: don't start to forward request data before the connect - DOC: fix misleading information about SIGQUIT - BUILD: simplify the date and version retrieval in the makefile - BUILD: prepare the makefile to skip format lines in SUBVERS and VERDATE - BUILD: use format tags in VERDATE and SUBVERS files - Reorganized patches and backported fixes for systemd wrapper: - Renamed 0006-haproxy-1.2.16_config_haproxy_user.patch to 0009-openSUSE-Configure-haproxy-user.patch - Renamed 0007-haproxy-makefile_lib.patch to 0010-openSUSE-Fix-path-to-PCRE-library.patch - Removed 0008-MEDIUM-haproxy-systemd-wrapper-Revised-implementatio.patch - Added 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch - Added 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch - Added 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch - Added 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch - Added 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch - Added 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch - Added 0014-MINOR-systemd-wrapper-improve-logging.patch - Added 0015-MINOR-systemd-wrapper-propagate-exit-status.patch ------------------------------------------------------------------- Fri Nov 22 09:54:48 UTC 2013 - kgronlund@suse.com - Backport haproxy-systemd-wrapper from upstream - Patch haproxy-systemd-wrapper to work on openSUSE ------------------------------------------------------------------- Thu Oct 31 12:46:04 UTC 2013 - kgronlund@suse.com - Remove duplicate Requires: from .spec file. ------------------------------------------------------------------- Thu Oct 31 12:41:12 UTC 2013 - kgronlund@suse.com - Re-enable sysvinit support for older versions (server:http still builds for older versions) ------------------------------------------------------------------- Mon Oct 28 14:32:00 UTC 2013 - p.drouand@gmail.com - Add systemd support Target distributions all support systemd; keep alive sysvinit support is useless ------------------------------------------------------------------- Thu Oct 10 15:16:32 UTC 2013 - cdenicolo@suse.com - license update: GPL-2.0+ and LGPL-2.1+ only header files are LGPL, the rest is still GPL ------------------------------------------------------------------- Tue Jun 18 09:14:13 UTC 2013 - mrueckert@suse.de - update to 1.4.24 (bnc#825412) - BUG/MAJOR: backend: consistent hash can loop forever in certain circumstances - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used - MEDIUM: protocol: implement a "drain" function in protocol layers - BUG/CRITICAL: fix a possible crash when using negative header occurrences CVE-2013-2175 ------------------------------------------------------------------- Wed Apr 3 14:47:43 UTC 2013 - mrueckert@suse.de - update to 1.4.23 CVE-2013-1912 - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read - BUG: fix garbage data when http-send-name-header replaces an existing header - BUG/MEDIUM: remove supplementary groups when changing gid - BUG/MINOR: Correct logic in cut_crlf() - BUG/MINOR: config: use a copy of the file name in proxy configurations - BUG/MINOR: epoll: correctly disable FD polling in fd_rem() - MINOR: halog: sort output by cookie code - BUG/MINOR: halog: -ad/-ac report the correct number of output lines - BUG/MINOR: halog: fix help message for -ut/-uto - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode - BUG/MEDIUM: command-line option -D must have precedence over "debug" - OPTIM: halog: keep a fast path for the lines-count only - MINOR: halog: add a parameter to limit output line count - BUG: halog: fix broken output limitation - MEDIUM: checks: avoid accumulating TIME_WAITs during checks - MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts - BUG/MAJOR: cli: show sess may randomly corrupt the back-ref list - BUG/MINOR: http: don't report client aborts as server errors - BUG/MINOR: http: don't log a 503 on client errors while waiting for requests - BUG/MEDIUM: tcp: process could theorically crash on lack of source ports - BUG/MINOR: http: don't abort client connection on premature responses - BUILD: no need to clean up when making git-tar - MINOR: http: always report PR-- flags for redirect rules - BUG/MINOR: time: frequency counters are not totally accurate - BUG/MINOR: http: don't process abortonclose when request was sent - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait() - BUG/MINOR: config: fix improper check for failed memory alloc in ACL parser - BUG/MEDIUM: checks: ensure the health_status is always within bounds - CLEANUP: http: remove a useless null check - BUG/MEDIUM: signal: signal handler does not properly check for signal bounds - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage - CLEANUP: config: slowstart is never negative - BUILD: improve the makefile's support for libpcre - BUG/MINOR: checks: fix an warning introduced by commit 2f61455a - MEDIUM: halog: add support for counting per source address (-ic) - DOC: mention the new HTTP 307 and 308 redirect statues (cherry picked from commit b67fdc4cd8bde202f2805d98683ddab929469a05) - MEDIUM: poll: do not use FD_* macros anymore - BUG/MAJOR: ev_select: disable the select() poller if maxsock > FD_SETSIZE - BUILD: enable poll() by default in the makefile - BUILD: add explicit support for Mac OS/X - BUG/CRITICAL: using HTTP information in tcp-request content may crash the process CVE-2013-1912 - MEDIUM: http: implement redirect 307 and 308 - MINOR: http: status 301 should not be marked non-cacheable - adapt haproxy-makefile_lib.patch to the rewritten Makefile ------------------------------------------------------------------- Mon Nov 12 14:10:33 UTC 2012 - mrueckert@suse.de - switch license tag to spdx format. ------------------------------------------------------------------- Mon Nov 12 13:50:46 UTC 2012 - mrueckert@suse.de - update to 1.4.22 - BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations - MINOR: balance uri: added 'whole' parameter to include query string in hash calculation - DOC: specify the default value for maxconn in the context of a proxy - BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect - REORG/MINOR: use dedicated proxy flags for the cookie handling - BUG/MINOR: config: do not report twice the incompatibility between cookie and non-http - MINOR: http: add support for "httponly" and "secure" cookie attributes - MEDIUM: stats: add support for soft stop/soft start in the admin interface - BUILD: add support for linux kernels >= 2.6.28 - MINOR: contrib/iprange: add a network IP range to mask converter - BUILD: add an AIX 5.2 (and later) target. - MINOR: halog: use the more recent dual-mode fgets2 implementation - BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches - CLEANUP: halog: make clean should also remove .o files (cherry picked from commit 8ad4193100aafa19f04929670371bf823dbe11d0) - OPTIM: halog: make use of memchr() on platforms which provide a fast one - OPTIM: halog: improve cold-cache behaviour when loading a file - [MINOR] config: make it possible to specify a cookie even without a server - MINOR: config: tolerate server "cookie" setting in non-HTTP mode - BUG/MINOR: tarpit: fix condition to return the HTTP 500 message ------------------------------------------------------------------- Tue Oct 30 16:02:03 UTC 2012 - mrueckert@suse.de - fix description in the init script ------------------------------------------------------------------- Tue May 22 16:47:45 UTC 2012 - pascal.bleser@opensuse.org - update to 1.4.21 (bnc#763833) CVE-2012-2391 - MINOR: patch for minor typo (ressources/resources) - CLEANUP: fix typo in findserver() log message - DOC: cleanup indentation, alignment, columns and chapters - DOC: fix some keywords arguments documentation - MINOR: stats admin: allow unordered parameters in POST requests - MINOR: stats admin: use the backend id instead of its name in the form - BUG/MAJOR: trash must always be the size of a buffer - DOC: fix minor regex example issue and improve doc on stats - BUG/MAJOR: possible crash when using capture headers on TCP frontends - MINOR: config: disable header captures in TCP mode and complain - BUG/MEDIUM: balance source did not properly hash IPv6 addresses - CLEANUP: http: message parser must ignore HTTP_MSG_ERROR - CLEANUP: remove a few warning about unchecked return values in debug code - CLEANUP: http: remove unused http_msg->col - BUG/MINOR: http: error snapshots are wrong if buffer wraps - BUG/MAJOR: checks: don't call set_server_status_* when no LB algo is set - MINOR: proxy: make findproxy() return proxies from numeric IDs too - BUILD: http: stop gcc-4.1.2 from complaining about possibly uninitialized values - BUG/MINOR: stop connect timeout when connect succeeds ------------------------------------------------------------------- Sun Mar 11 19:16:20 UTC 2012 - pascal.bleser@opensuse.org - update to 1.4.20: - BUG/MINOR: fix typo in processing of http-send-name-header - BUG/MEDIUM: correctly disable servers tracking another disabled servers. - BUG/MEDIUM: zero-weight servers must not dequeue requests from the backend - MINOR: halog: add some help on the command line (cherry picked from commit 615674cdec067066a42f53f5d55628ab7b207e6c) - BUG: queue: fix dequeueing sequence on HTTP keep-alive sessions - BUG: http: disable TCP delayed ACKs when forwarding content-length data - BUG: checks: fix server maintenance exit sequence - BUG/MINOR: stream_sock: don't remove BF_EXPECT_MORE and BF_SEND_DONTWAIT on partial writes - DOC: enumerate valid status codes for "observe layer7" ------------------------------------------------------------------- Wed Feb 8 15:30:58 UTC 2012 - mrueckert@suse.de - update to 1.4.19 - MEDIUM: http: add support for sending the server's name in the outgoing request - BUG/MINOR: fix options forwardfor if-none when an alternative header name is specified - MINOR: task: new function task_schedule() to schedule a wake up - BUG/MEDIUM: checks: fix slowstart behaviour when server tracking is in use - BUG: tcp: option nolinger does not work on backends - BUG: ebtree: ebst_lookup() could return the wrong entry - BUG: http: re-enable TCP quick-ack upon incomplete HTTP requests - CLEANUP: ebtree: remove a few annoying signedness warnings - CLEANUP: ebtree: remove 4-year old harmless typo in duplicates insertion code - CLEANUP: ebtree: remove another typo, a wrong initialization in insertion code - BUG: proto_tcp: set AF_INET on tproxy for use with recent kernels - MINOR: halog: add support for matching queued requests - BUG: http: tighten the list of allowed characters in a URI ------------------------------------------------------------------- Wed Nov 9 12:09:33 UTC 2011 - mrueckert@suse.de - update to 1.4.18 - [MINOR] http: *_dom matching header functions now also split on ":" - [MINOR] halog: support backslash-escaped quotes - BUILD/MINOR: fix the source URL in the spec file - DOC: acl is http_first_req, not http_req_first - BUG/MEDIUM: don't trim last spaces from headers consisting only of spaces - MINOR: acl: add new matches for header/path/url length - [MINOR] halog: do not consider byte 0x8A as end of line - [OPTIM] halog: make fgets parse more bytes by blocks - [OPTIM] halog: add assembly version of the field lookup code - [CLEANUP] startup: report only the basename in the usage message - [DOC] update the README file to reflect new naming rules for patches ------------------------------------------------------------------- Mon Sep 05 22:26:59 UTC 2011 - pascal.bleser@opensuse.org - update to 1.4.17: - [MINOR] halog: add support for termination code matching (-tcn/-TCN) - [MINOR] halog: make SKIP_CHAR stop on field delimiters - [MINOR] halog: add support for HTTP log matching (-H) - [MINOR] halog: gain back performance before SKIP_CHAR fix - [OPTIM] halog: cache some common fields positions - [OPTIM] halog: check once for correct line format and reuse the pointer - [OPTIM] halog: remove many 'if' by using a function pointer for the filters - [OPTIM] halog: remove support for tab delimiters in input data - [MINOR] halog: add -hs/-HS to filter by HTTP status code range - [CLEANUP] update the year in the copyright banner - [BUG] check: http-check expect + regex would crash in defaults section - [MEDIUM] http: make x-forwarded-for addition conditional - [DOC] fixed a few "sensible" -> "sensitive" errors - [MINOR] stats: display "" instead of the frontend name when unknown - [BUG] http: trailing white spaces must also be trimmed after headers - [MINOR] http: take a capture of too large requests and responses - [MINOR] http: take a capture of truncated responses - [MINOR] http: take a capture of bad content-lengths. ------------------------------------------------------------------- Sat Aug 13 22:49:36 UTC 2011 - mrueckert@suse.de - update to version 1.4.16 - [BUG] checks: fix support of Mysqld >= 5.5 for mysql-check - [DOC] Minor spelling fixes and grammatical enhancements - [CLEANUP] Remove assigned but unused variables - [BUG] checks: http-check expect could fail a check on multi-packet responses - [DOC] fix minor typo in the "dispatch" doc - [MINOR] http: make the "HTTP 200" status code configurable. - [MINOR] http: partially revert the chunking optimization for now - [MINOR] stream_sock: always clear BF_EXPECT_MORE upon complete transfer - [CLEANUP] stream_sock: remove unneeded FL_TCP and factor out test - [MEDIUM] http: add support for "http-no-delay" - [OPTIM] http: optimize chunking again in non-interactive mode - [OPTIM] stream_sock: avoid fast-forwarding of partial data - [OPTIM] stream_sock: don't use splice on too small payloads - [BUG] stats: support url-encoded forms - [BUG] halog: correctly handle truncated last line - [DOC] fix typos, "#" is a sharp, not a dash ------------------------------------------------------------------- Fri Apr 15 22:14:24 UTC 2011 - pascal.bleser@opensuse.org - revert splitting out the documentation ------------------------------------------------------------------- Thu Apr 14 19:18:45 UTC 2011 - pascal.bleser@opensuse.org - split out documentation and examples into haproxy-doc - add rpmlintrc to suppress false positive warnings about script examples in documentation files (without exec flag) - fix license ------------------------------------------------------------------- Tue Apr 12 15:31:38 UTC 2011 - mrueckert@suse.de - update to version 1.4.15 - [CRITICAL] fix risk of crash when dealing with space in response cookies - additional changes from 1.4.14 - [MINOR] config: fix endianness of server check port - [BUG] http: fix possible incorrect forwarded wrapping chunk size (take 2) - [MINOR] tools: add two macros MID_RANGE and MAX_RANGE - [BUG] http: fix content-length handling on 32-bit platforms - [OPTIM] buffers: uninline buffer_forward() ------------------------------------------------------------------- Wed Mar 9 12:00:23 UTC 2011 - mrueckert@suse.de - update to 1.4.13 - config: don't crash on empty pattern files. - additional changes from 1.4.12 - stats: add support for several packets in stats admin - stats: admin commands must check the proxy state - stats: admin web interface must check the proxy state - http: update the header list's tail when removing the last header - fix typos (http-request instead of http-check) (cherry picked from commit 8f2a1e72bebea700f37add40997b716fdfd86b9c) - http: use correct ACL pointer when evaluating authentication - cfgparse: correctly count one socket per port in ranges - startup: set the rlimits before binding ports, not after. - acl: srv_id must return no match when the server is NULL - acl: fd leak when reading patterns from file - fix minor typo in "usesrc" - http: fix possible incorrect forwarded wrapping chunk size - http: fix computation of message body length after forwarding has started - http: balance url_param did not work with first parameters on POST - update the url_param regression test to test check_post too ------------------------------------------------------------------- >>>>>>> ./haproxy.changes.r40 Tue Feb 15 14:30:53 UTC 2011 - mrueckert@suse.de - update to 1.4.11 - cfgparse: Check whether the path given for the stats socket actually fits into the sockaddr_un structure to avoid truncation. - fix a minor typo - fix ignore-persist documentation - http: fix http-pretend-keepalive and httpclose/tunnel mode - add warnings on features not compatible with multi-process mode - acl: add be_id/srv_id to match backend's and server's id - log: add support for passing the forwarded hostname - log: ability to override the syslog tag - fix minor typos in the doc - fix another typo in the doc - http chunking: don't report a parsing error on connection errors - stream_interface: truncate buffers when sending error messages - http: fix incorrect error reporting during data transfers - session: correctly leave turn-around and queue states on abort - session: release slot before processing pending connections - stats: report HTTP message state and buffer flags in error dumps - http: support wrapping messages in error captures - http: capture incorrectly chunked message bodies - stats: add global event ID and count - http: don't send each chunk in a separate packet - acl: fix handling of empty lines in pattern files - ebtree: fix ebmb_lookup() with len smaller than the tree's keys - ebtree: ebmb_lookup: reduce stack usage by moving the return code out of the loop ------------------------------------------------------------------- Mon Nov 29 13:57:37 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.10: * a possible crash when using Cookie-based persistence with appsessions was fixed * header processing could become wrong after a single reqidel rule removed exactly two headers * some out-of-memory conditions were not correctly handled in appsession or cookie captures * users of appsessions are strongly encouraged to upgrade ------------------------------------------------------------------- Tue Nov 2 13:11:15 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.9: * the Web interface now allows you to enable or disable servers * the ECV and LDAPv3 checks were merged * the MySQL check was improved to support a real login sequence * persistence cookies can now be timestamped to support a maximum idle time and a maximum life time, and can be removed by the server if needed (e.g. logout) * the SNMP plugin was improved to report socket stats * some Cacti templates were merged * the halog tool can now instantly report per-URL response times ------------------------------------------------------------------- Tue Aug 17 15:46:13 UTC 2010 - mrueckert@suse.de - implement graceful restart in the init script ------------------------------------------------------------------- Tue Jun 22 14:49:12 UTC 2010 - mrueckert@suse.de - update to 1.4.8: * mention 'option http-server-close' effect in Tq section * summarize and highlight persistent connections behaviour * add configuration samples * stick_table: the fix for the memory leak caused a regression * client: don't add a new session to the list too early ------------------------------------------------------------------- Thu Jun 10 09:03:34 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.7: * fixes problems where consistent hashing was broken when no server ID was specified in the configuration * some errors were incorrectly reported as failed instead of denied in the statistics * the dispatch and http_proxy modes were fixed * a few termination flags in the logs used for troubleshooting were corrected * a few other minor issues were fixed * upgrading is recommended ------------------------------------------------------------------- Mon May 17 20:29:02 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.6: * a minor precision about RDP cookies was added to the documentation * a new ACL keyword was added * those who had no problem building and running 1.4.5 don't need to upgrade - drop haproxy-fix_dprintf.patch, merged upstream ------------------------------------------------------------------- Fri May 14 07:18:03 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.5: * Haproxy can now read huge ACL pattern lists from files and match inputs against them without any noticeable performance impact, making geolocation possible * adds a new "ignore-persist" directive, allowing it to ignore the persistence cookie if an ACL-based condition is matched (which is useful for static objects in stateful farms) * a few other minor improvements * a nice performance boost of the log analyzer, which can now process more than 1 GB of logs per second and report request counts by status codes ------------------------------------------------------------------- Thu Apr 8 09:41:51 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.4: * brings a new option to work around optimization issues with Tomcat and Jetty in server close mode, and for a bug in Jetty's handling of Expect: 100-continue * a very old appsession unexpected match of shorter cookie names was also fixed * a new feature to make it possible to connect to a server from an IP found in a header was merged: it allows you to run stunnel+haproxy in transparent mode together ------------------------------------------------------------------- Fri Apr 2 23:42:44 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.3: * fxes a regression introduced in 1.4.2 which could cause a connection to still be attempted on the server side in case of an error on the client side; this issue could even lead to a crash if a Layer7 hash algorithm was used, so this code was strengthened * the configuration parser now detects many more inappropriate options in TCP mode and emits related warnings * it is now possible to indicate in the configuration that a server will start in the "disabled" state * other very minor issues were fixed ------------------------------------------------------------------- Thu Mar 18 12:00:49 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.2: * fixes a very rare case of stuck client sessions when using keep-alive * fixes a url_param hash bug which could result in a dead server in very rare situations * fixes status codes 501 and 505 which could cause a server to be marked down if on-error was used * fixes a risk of getting truncated HTTP responses when chunk-encoding was used * fixes an issue with anonymous ACLs * improvements on health checks ------------------------------------------------------------------- Fri Mar 5 00:45:12 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.1: * some errors were incorrectly reported as 502 with the flags "SL" in the logs; this is now fixed * other minor issues were fixed * documentation was updated ------------------------------------------------------------------- Fri Feb 26 20:44:34 UTC 2010 - pascal.bleser@opensuse.org - update to 1.4.0: * new features: + keep-alive + IP-based stickiness + consistent hashing + support for the RDP protocol + a much nicer stats interface + a much-improved performance level * add -fno-strict-aliasing - changes from 1.4rc1: * new features: + server maintenance mode + HTTP authentication (server and proxy) + secure passwords + conditional request/response header rewriting using ACLs + anonymous ACLs that can be declared inline + support for HTTP/1.1 101+Upgrade status code to support non- HTTP protocols such as WebSocket ------------------------------------------------------------------- Thu Feb 11 15:20:01 UTC 2010 - mrueckert@suse.de - update to 1.3.23 ------------------------------------------------------------------- Tue Sep 15 14:09:34 CEST 2009 - mrueckert@suse.de - update to 1.3.20 ------------------------------------------------------------------- Fri Apr 3 13:54:40 CEST 2009 - mrueckert@suse.de - update to 1.3.17 ------------------------------------------------------------------- Mon Mar 9 16:40:38 CET 2009 - mrueckert@suse.de - update to 1.3.15.8 ------------------------------------------------------------------- Wed Feb 4 15:13:15 CET 2009 - mrueckert@suse.de - update to 1.3.15.7 ------------------------------------------------------------------- Mon Sep 15 15:52:45 CEST 2008 - mrueckert@suse.de - update to 1.3.15.4 ------------------------------------------------------------------- Sun Nov 4 21:21:35 CET 2007 - mrueckert@suse.de - update to 1.3.13.1: too many changes see changelog file ------------------------------------------------------------------- Mon Apr 2 00:53:38 CEST 2007 - mrueckert@suse.de - prepared spec for easy split out of -snapshot packages. - added vim syntax file ------------------------------------------------------------------- Mon Mar 19 17:50:33 CET 2007 - mrueckert@suse.de - update to 1.2.17: - replaced the linked-list with a faster rbtree in the scheduler - add user/group support (Marcus Rueckert) - add the "except" keyword to the "forwardfor" option (Bryan Germann) - re-implemented support for multi-line headers (was incidently reverted) - fixed possible crash when no cookie was set on a server - fixed various length checks in appsession - fixed unlikely memory leak in appsession in case of memory shortage - updates to the architecture guide - remove haproxy-1.2.16_username_groupname_support.patch: patch included upstream ------------------------------------------------------------------- Mon Jan 8 00:27:17 CET 2007 - mrueckert@suse.de - initial package of 1.2.16 - added 2 patches: haproxy-1.2.16_config_haproxy_user.patch haproxy-1.2.16_username_groupname_support.patch the patches allow to specify username and groupname instead of uid/gid. The patches are needed as we do not have a static uid/gid for the haproxy user/group.