haproxy/haproxy.changes

-------------------------------------------------------------------
Tue May 10 14:24:24 UTC 2016 - mrueckert@suse.de
- update to 1.6.5
- BUG/MINOR: log: Don't use strftime() which can clobber timezone
if chrooted
- BUILD: namespaces: fix a potential build warning in
namespaces.c
- DOC: add encoding to json converter example
- BUG/MINOR: conf: "listener id" expects integer, but its not
checked
- DOC: Clarify tunes.vars.xxx-max-size settings
- BUG/MEDIUM: peers: fix incorrect age in frequency counters
- BUG/MEDIUM: Fix RFC5077 resumption when more than
TLS_TICKETS_NO are present
- BUG/MAJOR: Fix crash in http_get_fhdr with exactly
MAX_HDR_HISTORY headers
- BUG/MINOR: lua: can't load external libraries
- DOC: "addr" parameter applies to both health and agent checks
- DOC: timeout client: pointers to timeout http-request
- DOC: typo on stick-store response
- DOC: stick-table: amend paragraph blaming the loss of table
upon reload
- DOC: typo: ACL subdir match
- DOC: typo: maxconn paragraph is wrong due to a wrong buffer
size
- DOC: regsub: parser limitation about the inability to use
closing square brackets
- DOC: typo: req.uri is now replaced by capture.req.uri
- DOC: name set-gpt0 mismatch with the expected keyword
- BUG/MEDIUM: stick-tables: some sample-fetch doesn't work in the
connection state.
- DOC: fix "needed" typo
- BUG/MINOR: dns: inapropriate way out after a resolution timeout
- BUG/MINOR: dns: trigger a DNS query type change on resolution
timeout
- BUG/MINOR : allow to log cookie for tarpit and denied request
- OPTIM/MINOR: session: abort if possible before connecting to
the backend
- BUG/MEDIUM: trace.c: rdtsc() is defined in two files
- BUG/MEDIUM: channel: fix miscalculation of available buffer
space (2nd try)
- BUG/MINOR: cfgparse: couple of small memory leaks.
- BUG/MEDIUM: sample: initialize the pointer before parse_binary
call.
- DOC: fix discrepancy in the example for http-request redirect
- DOC: Clarify IPv4 address / mask notation rules
- CLEANUP: fix inconsistency between fd->iocb, proto->accept and
accept()
- BUG/MEDIUM: fix maxaccept computation on per-process listeners
- BUG/MINOR: listener: stop unbound listeners on startup
- BUG/MINOR: fix maxaccept computation according to the frontend
process range
- MEDIUM: unblock signals on startup.
- BUG/MEDIUM: channel: don't allow to overwrite the reserve until
connected
- BUG/MEDIUM: channel: incorrect polling condition may delay
event delivery
- BUG/MEDIUM: channel: fix miscalculation of available buffer
space (3rd try)
- BUG/MEDIUM: log: fix risk of segfault when logging HTTP fields
in TCP mode
- BUG/MEDIUM: lua: protects the upper boundary of the argument
list for converters/fetches.
- BUG/MINOR: log: fix a typo that would cause %HP to log <BADREQ>
- MINOR: channel: add new function channel_congested()
- BUG/MEDIUM: http: fix risk of CPU spikes with pipelined
requests from dead client
- BUG/MAJOR: channel: fix miscalculation of available buffer
space (4th try)
- BUG/MEDIUM: stream: ensure the SI_FL_DONT_WAKE flag is properly
cleared
- BUG/MEDIUM: channel: fix inconsistent handling of 4GB-1
transfers
- BUG/MEDIUM: stats: show servers state may show an empty or
incomplete result
- BUG/MEDIUM: stats: show backend may show an empty or incomplete
result
- MINOR: stats: fix typo in help messages
- MINOR: stats: show stat resolvers missing in the help message
- BUG/MINOR: dns: fix DNS header definition
- BUG/MEDIUM: dns: fix alignment issue when building DNS queries
- CLEANUP/MINOR: stats: fix accidental addition of member "env"
in the applet ctx
- refreshed patches to apply cleanly again
- haproxy-1.6.0-makefile_lib.patch
- haproxy-1.6.0-sec-options.patch
-------------------------------------------------------------------
Mon Mar 14 02:45:05 UTC 2016 - mrueckert@suse.de
- update to 1.6.4
- BUG/MINOR: http: fix several off-by-one errors in the url_param
parser
- BUG/MINOR: http: Be sure to process all the data received from
a server
- BUG/MINOR: chunk: make chunk_dup() always check and set
dst->size
- MINOR: chunks: ensure that chunk_strcpy() adds a trailing zero
- MINOR: chunks: add chunk_strcat() and chunk_newstr()
- MINOR: chunk: make chunk_initstr() take a const string
- MINOR: lru: new function to delete <nb> least recently used
keys
- DOC: add Ben Shillito as the maintainer of 51d
- BUG/MINOR: 51d: Ensures a unique domain for each configuration
- BUG/MINOR: 51d: Aligns Pattern cache implementation with
HAProxy best practices.
- BUG/MINOR: 51d: Releases workset back to pool.
- BUG/MINOR: 51d: Aligned const pointers to changes in 51Degrees.
- CLEANUP: 51d: Aligned if statements with HAProxy best practices
and removed casts from malloc.
- DOC: fix a few spelling mistakes (cherry picked from commit
cc123c66c2075add8524a6a9925382927daa6ab0)
- DOC: fix "workaround" spelling
- BUG/MINOR: examples: Fixing haproxy.spec to remove references
to .cfg files
- MINOR: fix the return type for dns_response_get_query_id()
function
- MINOR: server state: missing LF (\n) on error message printed
when parsing server state file
- BUG/MEDIUM: dns: no DNS resolution happens if no ports provided
to the nameserver
- BUG/MAJOR: servers state: server port is erased when dns
resolution is enabled on a server
- BUG/MEDIUM: servers state: server port is used uninitialized
- BUG/MEDIUM: config: Adding validation to stick-table expire
value.
- BUG/MEDIUM: sample: http_date() doesn't provide the right day
of the week
- BUG/MEDIUM: channel: fix miscalculation of available buffer
space.
- MEDIUM: pools: add a new flag to avoid rounding pool size up
- BUG/MEDIUM: buffers: do not round up buffer size during
allocation
- BUG/MINOR: stream: don't force retries if the server is DOWN
- BUG/MINOR: counters: make the sc-inc-gpc0 and sc-set-gpt0 touch
the table
- MINOR: unix: don't mention free ports on EAGAIN
- BUG/CLEANUP: CLI: report the proper field states in "show sess"
- MINOR: stats: send content-length with the redirect to allow
keep-alive
- BUG: stream_interface: Reuse connection even if the output
channel is empty
- DOC: remove old tunnel mode assumptions
- BUG/MAJOR: http-reuse: fix risk of orphaned connections
- BUG/MEDIUM: http-reuse: do not share private connections across
backends
- BUG/MINOR: ssl: Be sure to use unique serial for regenerated
certificates
- BUG/MINOR: stats: fix missing comma in stats on agent drain
- BUG/MINOR: lua: unsafe initialization
- DOC: lua: fix somme errors
- DOC: add server name at rate-limit sessions example
- BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation
- BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation
- DOC: LUA: fix some typos and syntax errors
- MINOR: cfgparse: warn for incorrect 'timeout retry' keyword
spelling in resolvers
- MINOR: mailers: increase default timeout to 10 seconds
- MINOR: mailers: use <CRLF> for all line endings
- BUG/MAJOR: lua: applets can't sleep.
- BUG/MINOR: server: some prototypes are renamed
- BUG/MINOR: lua: Useless copy
- BUG/MEDIUM: stats: stats bind-process doesn't propagate the
process mask correctly
- BUG/MINOR: server: fix the format of the warning on address
change
- BUG/MEDIUM: chunks: always reject negative-length chunks
- BUG/MINOR: systemd: ensure we don't miss signals
- BUG/MINOR: systemd: report the correct signal in debug message
output
- BUG/MINOR: systemd: propagate the correct signal to haproxy
- MINOR: systemd: ensure a reload doesn't mask a stop
- BUG/MEDIUM: cfgparse: wrong argument offset after parsing
server "sni" keyword
- CLEANUP: stats: Avoid computation with uninitialized bits.
- CLEANUP: pattern: Ignore unknown samples in pat_match_ip().
- CLEANUP: map: Avoid memory leak in out-of-memory condition.
- BUG/MINOR: tcpcheck: fix incorrect list usage resulting in
failure to load certain configs
- BUG/MAJOR: samples: check smp->strm before using it
- MINOR: sample: add a new helper to initialize the owner of a
sample
- MINOR: sample: always set a new sample's owner before
evaluating it
- BUG/MAJOR: vars: always retrieve the stream and session from
the sample
- CLEANUP: payload: remove useless and confusing nullity checks
for channel buffer
- BUG/MINOR: ssl: fix usage of the various sample fetch functions
- MINOR: cfgparse: warn when uid parameter is not a number
- MINOR: cfgparse: warn when gid parameter is not a number
- BUG/MINOR: standard: Avoid free of non-allocated pointer
- BUG/MINOR: pattern: Avoid memory leak on out-of-memory
condition
- CLEANUP: http: fix a build warning introduced by a recent fix
- BUG/MINOR: log: GMT offset not updated when entering/leaving
DST
-------------------------------------------------------------------
Mon Jan 11 14:22:44 UTC 2016 - e.istomin@edss.ee
- update to 1.6.3
- BUG/MEDIUM: lua: clean output buffer
- BUG/MEDIUM: http: switch the request channel to no-delay once done.
- BUG/MEDIUM: http: don't enable auto-close on the response side
- BUG/MEDIUM: stream: fix half-closed timeout handling
- BUG/MEDIUM: cli: changing compression rate-limiting must require admin level
- BUG/MEDIUM: sample: urlp can't match an empty value
- BUG/MEDIUM: da: stop DeviceAtlas processing in the convertor if there is no input.
- BUG/MEDIUM: checks: email-alert not working when declared in defaults
- BUG/MEDIUM: http: fix http-reuse when frontend and backend differ
- BUG/MEDIUM: config: properly adjust maxconn with nbproc when memmax is forced
- BUG/MEDIUM: peers: table entries learned from a remote are pushed to others after a random delay.
- BUG/MEDIUM: peers: old stick table updates could be repushed
- BUG/MEDIUM: lua: Lua applets must not fetch samples using http_txn
- BUG/MEDIUM: lua: Forbid HTTP applets from being called from tcp rulesets
- BUG/MAJOR: lua: Do not force the HTTP analysers in use-services
for all the details see /usr/share/doc/packages/haproxy/CHANGELOG
or http://www.haproxy.org/download/1.6/src/CHANGELOG
-------------------------------------------------------------------
Sat Nov 21 01:36:11 UTC 2015 - mrueckert@suse.de
- on sle11 we still need to own /etc/apparmor.d/local
-------------------------------------------------------------------
Sat Nov 21 01:15:07 UTC 2015 - mrueckert@suse.de
- instead of owning the apparmor directories, BR apparmor-profiles.
-------------------------------------------------------------------
Tue Nov 10 14:50:26 UTC 2015 - mrueckert@suse.de
- fix link to tarball
-------------------------------------------------------------------
Tue Nov 3 12:02:19 UTC 2015 - mrueckert@suse.de
- update to 1.6.2
- BUILD: ssl: fix build error introduced in commit 7969a3 with
OpenSSL < 1.0.0
- DOC: fix a typo for a "deviceatlas" keyword
- FIX: small typo in an example using the "Referer" header
- BUG/MEDIUM: config: count memory limits on 64 bits, not 32
- BUG/MAJOR: dns: first DNS response packet not matching queried
hostname may lead to a loop
- BUG/MINOR: dns: unable to parse CNAMEs response
- BUG/MINOR: examples/haproxy.init: missing brace in
quiet_check()
- DOC: deviceatlas: more example use cases.
- BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in
install-bin.
- BUG/MAJOR: http: don't requeue an idle connection that is
already queued
- DOC: typo on capture.res.hdr and capture.req.hdr
- BUG/MINOR: dns: check for duplicate nameserver id in a
resolvers section was missing
- CLEANUP: use direction names in place of numeric values
- BUG/MEDIUM: lua: sample fetches based on response doesn't work
- drop haproxy-1.6.0-ssl-098.patch: included upstream
-------------------------------------------------------------------
Thu Oct 22 10:21:00 UTC 2015 - mrueckert@suse.de
- update to 1.6.1
- DOC: specify that stats socket doc (section 9.2) is in
management
- BUILD: install only relevant and existing documentation
- CLEANUP: don't ignore debian/ directory if present
- BUG/MINOR: dns: parsing error of some DNS response
- BUG/MEDIUM: namespaces: don't fail if no namespace is used
- BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is
disabled
- MEDIUM: dns: Don't use the ANY query type
- drop haproxy-1.6.0-ssl.crash.patch included in update
-------------------------------------------------------------------
Mon Oct 19 16:15:57 UTC 2015 - mrueckert@suse.de
- add haproxy-1.6.0-ssl-098.patch:
fix building on openssl 0.9.8
-------------------------------------------------------------------
Fri Oct 16 17:16:40 UTC 2015 - mrueckert@suse.de
- added haproxy-1.6.0-ssl.crash.patch: fix SNI related crash
-------------------------------------------------------------------
Thu Oct 15 23:19:33 UTC 2015 - mrueckert@suse.de
- only use network namespace support on distros newer than 13.2
-------------------------------------------------------------------
Tue Oct 13 19:39:12 UTC 2015 - mrueckert@suse.de
- update to 1.6.0
Among the most user-visible changes, we can cite the simpler handling
of multiple configuration files, the support for quotes and
environment variables in the configuration, a significant
reduction of the memory usage thanks to a new dynamic buffer
allocator, notifications over e-mail, server state keeping across
reloads, dynamic DNS-based server address resolution, new
scripting capabilities thanks to the embedded Lua interpreter,
use of variables in the configuration to manipulate samples,
request body buffering and analysis, support for two third-party
device identification products (DeviceAtlas and 51Degrees), a lot
of new sample converters including arithmetic operators and table
lookups, TLS ticket secret sharing between nodes, TLS SNI to the
server, full tables replication between peers, ability to
instruct the kernel to quickly kill dead connections, support for
Linux namespaces, and a number of other less visible goodies. The
performance has also been improved a lot with support for server
connection multiplexing, much faster and cheaper HTTP compression
via libslz, and the addition of a pattern cache to speed up
certain expensive ACLs. The great flexibility offered by this
version will allow many users to significantly simplify their
configurations. Some users will notice a huge performance boost
after they enable the features designed for them.
for all the details see /usr/share/doc/packages/haproxy/CHANGELOG
- drop patches we pulled from upstream git:
0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
0002-DOC-usesrc-root-privileges-requirements.patch
0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
0006-DOC-typo-in-redirect-302-code-meaning.patch
0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
0008-CLEANUP-.gitignore-ignore-more-test-files.patch
0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
0012-DOC-ssl-missing-LF.patch
0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
- refresh/redo patches to apply cleanly again:
old: haproxy-1.2.16_config_haproxy_user.patch
new: haproxy-1.6.0_config_haproxy_user.patch
old: haproxy-makefile_lib.patch
new: haproxy-1.6.0-makefile_lib.patch
old: sec-options.patch
new: haproxy-1.6.0-sec-options.patch
- added new haproxy.cfg to have a minimal config we can actually
launch!
- drop patch haproxy-1.5.8-fix-bashisms.patch: patched files no
longer exist
- drop haproxy.vim: we will use the copy which ships with the
upstream tarball now.
-------------------------------------------------------------------
Wed Sep 23 19:26:54 UTC 2015 - dmueller@suse.com
- fix haproxy status checks (bsc#947204)
-------------------------------------------------------------------
Tue Sep 8 09:10:02 UTC 2015 - kgronlund@suse.com
- Backport patches from upstream:
- BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
- BUG/MAJOR: http: don't call http_send_name_header() after an error
- Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
- Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
-------------------------------------------------------------------
Wed Aug 26 22:47:34 UTC 2015 - kgronlund@suse.com
- Backport patches from upstream:
- BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
- DOC: usesrc root privileges requirements
- BUILD: ssl: Allow building against libssl without SSLv3.
- DOC/MINOR: fix OpenBSD versions where haproxy works
- BUG/MINOR: http/sample: gmtime/localtime can fail
- DOC: typo in 'redirect', 302 code meaning
- DOC: mention that %ms is left-padded with zeroes.
- CLEANUP: .gitignore: ignore more test files
- CLEANUP: .gitignore: finally ignore everything but what is known.
- MEDIUM: config: emit a warning on a frontend without listener
- BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
- DOC: ssl: missing LF
- DOC: fix example of http-request using ssl_fc_session_id
- Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
- Add 0002-DOC-usesrc-root-privileges-requirements.patch
- Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
- Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
- Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
- Add 0006-DOC-typo-in-redirect-302-code-meaning.patch
- Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
- Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
- Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
- Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
- Add 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
- Add 0012-DOC-ssl-missing-LF.patch
- Add 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
-------------------------------------------------------------------
Fri Jul 3 16:37:55 UTC 2015 - kgronlund@suse.com
- Update to 1.5.14 (CVE-2015-3281) (bsc#937042)
+ BUILD/MINOR: tools: rename popcount to my_popcountl
+ BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
-------------------------------------------------------------------
Fri Jun 26 11:45:33 UTC 2015 - kgronlund@suse.com
- Update to 1.5.13
- Dropped all patches backported from git, no further changes
than those patches provided.
- Removed patches:
+ Remove 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
+ Remove 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
+ Remove 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
+ Remove 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
+ Remove 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
+ Remove 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
+ Remove 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
+ Remove 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
+ Remove 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
+ Remove 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch
+ Remove 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
+ Remove 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
+ Remove 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch
+ Remove 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch
+ Remove 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
+ Remove 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch
+ Remove 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch
+ Remove 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
+ Remove 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch
+ Remove 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch
+ Remove 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch
+ Remove 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch
+ Remove 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch
+ Remove 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch
+ Remove 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch
+ Remove 0026-DOC-relax-the-peers-restriction-to-single-process.patch
+ Remove 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch
+ Remove 0028-MINOR-config-report-the-number-of-processes-using-a-.patch
+ Remove 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch
-------------------------------------------------------------------
Thu Jun 25 15:01:34 UTC 2015 - kgronlund@suse.com
- Backport upstream patches:
+ DOC: Update doc about weight, act and bck fields in the statistics
+ MINOR: ssl: add a destructor to free allocated SSL ressources
+ BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
+ BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
+ BUG/MEDIUM: cfgparse: segfault when userlist is misused
+ MEDIUM: ssl: replace standards DH groups with custom ones
+ BUG/MINOR: debug: display (null) in place of "meth"
+ CLEANUP: deinit: remove codes for cleaning p->block_rules
+ BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
+ MEDIUM: init: don't stop proxies in parent process when exiting
+ MINOR: peers: store the pointer to the signal handler
+ MEDIUM: peers: unregister peers that were never started
+ MEDIUM: config: propagate the table's process list to the peers sections
+ MEDIUM: init: stop any peers section not bound to the correct process
+ MEDIUM: config: validate that peers sections are bound to exactly one process
+ MAJOR: peers: allow peers section to be used with nbproc > 1
+ DOC: relax the peers restriction to single-process
+ CLEANUP: config: fix misleading information in error message.
+ MINOR: config: report the number of processes using a peers section in the error case
+ BUG/MEDIUM: config: properly compute the default number of processes for a proxy
- Added patches:
+ Add 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch
+ Add 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
+ Add 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
+ Add 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch
+ Add 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch
+ Add 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
+ Add 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch
+ Add 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch
+ Add 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
+ Add 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch
+ Add 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch
+ Add 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch
+ Add 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch
+ Add 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch
+ Add 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch
+ Add 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch
+ Add 0026-DOC-relax-the-peers-restriction-to-single-process.patch
+ Add 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch
+ Add 0028-MINOR-config-report-the-number-of-processes-using-a-.patch
+ Add 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch
-------------------------------------------------------------------
Mon May 25 09:34:58 UTC 2015 - kgronlund@suse.com
- BUG/MINOR: check: fix tcpcheck error message
- CLEANUP: checks: fix double usage of cur / current_step in tcp-checks
- BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
- CLEANUP: checks: simplify the loop processing of tcp-checks
- BUG/MAJOR: checks: always check for end of list before proceeding
- BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
- BUG/MEDIUM: peers: apply a random reconnection timeout
- Add 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
- Add 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
- Add 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
- Add 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
- Add 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
- Add 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
- Add 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
-------------------------------------------------------------------
Mon May 11 19:27:33 UTC 2015 - mrueckert@suse.de
- added 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
BUG/MEDIUM: http: don't forward client shutdown without NOLINGER
except for tunnels
-------------------------------------------------------------------
Mon May 4 22:02:30 UTC 2015 - mrueckert@suse.de
- added first patch from the 1.5 branch after the update:
0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
-------------------------------------------------------------------
Sat May 2 22:17:57 UTC 2015 - mrueckert@suse.de
- update to 1.5.12
- BUG/MINOR: ssl: Display correct filename in error message
- DOC: Fix L4TOUT typo in documentation
- BUG/MEDIUM: Do not consider an agent check as failed on L7
error
- BUG/MINOR: pattern: error message missing
- BUG/MEDIUM: pattern: some entries are not deleted with case
insensitive match
- BUG/MEDIUM: buffer: one byte miss in buffer free space check
- BUG/MAJOR: http: don't read past buffer's end in
http_replace_value
- BUG/MEDIUM: http: the function "(req|res)-replace-value"
doesn't respect the HTTP syntax
- BUG/MEDIUM: peers: correctly configure the client timeout
- BUG/MINOR: compression: consider the expansion factor in init
- BUG/MEDIUM: http: hdr_cnt would not count any header when
called without name
- BUG/MEDIUM: listener: don't report an error when resuming
unbound listeners
- BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes
only
- BUG/MEDIUM: stream-int: always reset si->ops when si->end is
nullified
- BUG/MEDIUM: http: remove content-length from chunked messages
- DOC: http: update the comments about the rules for determining
transfer-length
- BUG/MEDIUM: http: do not restrict parsing of transfer-encoding
to HTTP/1.1
- BUG/MEDIUM: http: incorrect transfer-coding in the request is a
bad request
- BUG/MEDIUM: http: remove content-length form responses with bad
transfer-encoding
- MEDIUM: http: restrict the HTTP version token to 1 digit as per
RFC7230
- MEDIUM: http: add option-ignore-probes to get rid of the floods
of 408
- BUG/MINOR: config: clear proxy->table.peers.p for disabled
proxies
- MINOR: stick-table: don't attach to peers in stopped state
- MEDIUM: config: initialize stick-tables after peers, not before
- MEDIUM: peers: add the ability to disable a peers section
- DOC: document option http-ignore-probes
- DOC: fix the comments about the meaning of msg->sol in HTTP
- BUG/MEDIUM: http: wait for the exact amount of body bytes in
wait_for_request_body
- BUG/MAJOR: http: prevent risk of reading past end with balance
url_param
- DOC: update the doc on the proxy protocol
- remove patches that we pulled from the 1.5 tree
0001-BUG-MINOR-pattern-error-message-missing.patch
0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch
0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch
0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch
0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch
0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch
0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch
0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch
0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch
0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch
0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch
0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch
-------------------------------------------------------------------
Mon Apr 20 10:52:12 UTC 2015 - mrueckert@suse.de
- pull 3 patches from upstream:
0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch
0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch
0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch
-------------------------------------------------------------------
Thu Apr 2 10:54:29 UTC 2015 - mrueckert@suse.de
- pull 3 patches from upstream:
0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch
0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch
0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch
-------------------------------------------------------------------
Mon Mar 16 15:00:13 UTC 2015 - kgronlund@suse.com
- pull 3 patches from upstream:
- BUG/MEDIUM: peers: correctly configure the client timeout
- BUG/MEDIUM: buffer: one byte miss in buffer free space check
- BUG/MAJOR: http: don't read past buffer's end in http_replace_value
- Add 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch
- Add 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch
- Add 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch
-------------------------------------------------------------------
Thu Mar 5 22:10:56 UTC 2015 - mrueckert@suse.de
- added another fix from upstream:
0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch
-------------------------------------------------------------------
Wed Feb 11 12:38:06 GMT 2015 - aspiers@suse.com
- haproxy.init: fix reload and force-reload not to start a stopped
service
-------------------------------------------------------------------
Fri Feb 6 18:47:17 UTC 2015 - mrueckert@suse.de
- pulled 2 patches from upstream:
0001-BUG-MINOR-pattern-error-message-missing.patch
0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch
-------------------------------------------------------------------
Sun Feb 1 08:27:43 UTC 2015 - mrueckert@suse.de
- update to 1.5.11
- BUG/MEDIUM: backend: correctly detect the domain when
use_domain_only is used
- MINOR: ssl: load certificates in alphabetical order
- BUG/MINOR: checks: prevent http keep-alive with http-check
expect
- BUG/MEDIUM: Do not set agent health to zero if server is
disabled in config
- MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent
health is zero
- BUG/MINOR: stats:Fix incorrect printf type.
- DOC: add missing entry for log-format and clarify the text
- BUG/MEDIUM: http: fix header removal when previous header ends
with pure LF
- BUG/MEDIUM: channel: fix possible integer overflow on reserved
size computation
- BUG/MINOR: channel: compare to_forward with buf->i, not
buf->size
- MINOR: channel: add channel_in_transit()
- MEDIUM: channel: make buffer_reserved() use
channel_in_transit()
- MEDIUM: channel: make bi_avail() use channel_in_transit()
- BUG/MEDIUM: channel: don't schedule data in transit for leaving
until connected
- BUG/MAJOR: log: don't try to emit a log if no logger is set
- BUG/MINOR: args: add missing entry for ARGT_MAP in
arg_type_names
- BUG/MEDIUM: http: make http-request set-header compute the
string before removal
- BUG/MINOR: http: fix incorrect header value offset in
replace-hdr/replace-value
- BUG/MINOR: http: abort request processing on filter failure
- drop patch included in update:
0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
-------------------------------------------------------------------
Tue Jan 6 09:28:16 UTC 2015 - mrueckert@suse.de
- pull fix from upstream:
0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch
BUG/MEDIUM: backend: correctly detect the domain when
use_domain_only is used
-------------------------------------------------------------------
Wed Dec 31 22:17:18 UTC 2014 - mrueckert@suse.de
- update to 1.5.10
- DOC: fix a few typos
- BUG/MINOR: http: fix typo: "401 Unauthorized" => "407
Unauthorized"
- BUG/MINOR: parse: refer curproxy instead of proxy
- DOC: httplog does not support 'no'
- MINOR: map/acl/dumpstats: remove the "Done." message
- BUG/MEDIUM: sample: fix random number upper-bound
- BUG/MEDIUM: patterns: previous fix was incomplete
- BUG/MEDIUM: payload: ensure that a request channel is available
- BUG/MINOR: tcp-check: don't condition data polling on check
type
- BUG/MEDIUM: tcp-check: don't rely on random memory contents
- BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is
an expect
- BUG/MINOR: config: fix typo in condition when propagating
process binding
- BUG/MEDIUM: config: do not propagate processes between stopped
processes
- BUG/MAJOR: stream-int: properly check the memory allocation
return
- BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
- BUG/MEDIUM: compression: correctly report zlib_mem
- drop patches that we pulled from git before:
0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch
0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch
0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch
0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch
0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch
0006-DOC-fix-a-few-typos.patch
0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch
0008-DOC-httplog-does-not-support-no.patch
0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch
0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch
0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
-------------------------------------------------------------------
Sat Dec 20 01:20:07 UTC 2014 - mrueckert@suse.de
- pulled some more fixes from git:
0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch
0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch
0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch
0006-DOC-fix-a-few-typos.patch
0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch
0008-DOC-httplog-does-not-support-no.patch
0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch
0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch
0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
see patch headers for details.
-------------------------------------------------------------------
Fri Nov 28 18:21:43 UTC 2014 - mrueckert@suse.de
- pulled 2 fixes from git:
- 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch
Dmitry Sivachenko <trtrmitya@gmail.com> reported that commit
315ec42 ("BUG/MEDIUM: pattern: don't load more than once a
pattern list.") relies on an uninitialised variable in the
stack. While it used to work fine during the tests, if the
uninitialized variable is non-null, some patterns may be
aggregated if loaded multiple times, resulting in slower
processing, which was the original issue it tried to address.
- 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch
Denys Fedoryshchenko reported a segfault when using certain
sample fetch functions in the "tcp-request connection" rulesets
despite the warnings. This is because some tests for the
existence of the channel were missing.
-------------------------------------------------------------------
Wed Nov 26 12:29:42 UTC 2014 - ledest@gmail.com
- fix bashisms in example scripts
- add patches:
* haproxy-1.5.8-fix-bashisms.patch
-------------------------------------------------------------------
Wed Nov 26 11:50:42 UTC 2014 - mrueckert@suse.de
- update to 1.5.9
- BUILD: fix "make install" to support spaces in the install dirs
- BUG/MEDIUM: checks: fix conflicts between agent checks and ssl
healthchecks
- BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in
case of OOM.
- BUG/MINOR: samples: fix unnecessary memcopy converting binary
to string.
- BUG/MEDIUM: connection: sanitize PPv2 header length before
parsing address information
- BUG/MEDIUM: pattern: don't load more than once a pattern list.
- BUG/MEDIUM: ssl: force a full GC in case of memory shortage
- BUG/MINOR: config: don't inherit the default balance algorithm
in frontends
- BUG/MAJOR: frontend: initialize capture pointers earlier
- BUG/MINOR: stats: correctly set the request/response analysers
- DOC: fix typo in the body parser documentation for msg.sov
- BUG/MINOR: peers: the buffer size is global.tune.bufsize, not
trash.size
- MINOR: sample: add a few basic internal fetches (nbproc, proc,
stopping)
- BUG/MAJOR: sessions: unlink session from list on out of memory
- Drop patches pulled from git
- 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch
- 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
- 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
- 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
- 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch
- 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch
-------------------------------------------------------------------
Thu Nov 20 06:56:23 UTC 2014 - kgronlund@suse.com
- BUILD: fix "make install" to support spaces in the install dirs
- BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.
- BUG/MEDIUM: ssl: force a full GC in case of memory shortage
- BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
- BUG/MINOR: config: don't inherit the default balance algorithm in frontends
- BUG/MAJOR: frontend: initialize capture pointers earlier
- Add patches:
- 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch
- 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
- 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
- 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
- 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch
- 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch
-------------------------------------------------------------------
Sun Nov 09 21:52:00 UTC 2014 - Led <ledest@gmail.com>
- fix bashisms in pre script
-------------------------------------------------------------------
Fri Oct 31 22:24:27 UTC 2014 - mrueckert@suse.de
- update to 1.5.8
- BUG/MAJOR: buffer: check the space left is enough or not when
input data in a buffer is wrapped
- BUG/BUILD: revert accidental change in the makefile from latest
SSL fix
- changes in 1.5.7
- BUG/MEDIUM: regex: fix pcre_study error handling
- BUG/MINOR: log: fix request flags when keep-alive is enabled
- MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return
DER formatted certs
- MINOR: ssl: add statement to force some ssl options in global.
- BUG/MINOR: ssl: correctly initialize ssl ctx for invalid
certificates
- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
- BUG/MAJOR: cli: explicitly call cli_release_handler() upon
error
- BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
- BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET
sockets
- Dropped patches:
- 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch
- 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch
- 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch
- 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch
-------------------------------------------------------------------
Wed Oct 29 08:07:07 UTC 2014 - kgronlund@suse.com
- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
- BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
- BUG/MINOR: log: fix request flags when keep-alive is enabled
- BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
- Added patches:
- 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch
- 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch
- 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch
- 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch
-------------------------------------------------------------------
Sat Oct 18 18:23:29 UTC 2014 - mrueckert@suse.de
- update to 1.5.6
- BUG/MEDIUM: systemd: set KillMode to 'mixed'
- MINOR: systemd: Check configuration before start
- BUG/MEDIUM: config: avoid skipping disabled proxies
- BUG/MINOR: config: do not accept more track-sc than configured
- BUG/MEDIUM: backend: fix URI hash when a query string is present
- dropped patches that were pulled from upstream
0001-BUG-MEDIUM-config-avoid-skipping-disabled-proxies.patch
0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch
0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch
0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch
- dropped patch we sent upstream
haproxy-1.5_check_config_before_start.patch
-------------------------------------------------------------------
Fri Oct 17 16:03:39 UTC 2014 - kgronlund@suse.com
- BUG/MINOR: config: do not accept more track-sc than configured
- BUG/MEDIUM: backend: fix URI hash when a query string is present
- Add patch: 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch
- Add patch: 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch
-------------------------------------------------------------------
Fri Oct 10 20:01:33 UTC 2014 - kgronlund@suse.com
- BUG/MEDIUM: config: avoid skipping disabled proxies
- Add patch: 0001-BUG-MEDIUM-config-avoid-skipping-disabled-proxies.patch
-------------------------------------------------------------------
Thu Oct 9 14:24:45 UTC 2014 - kgronlund@suse.com
- Fix check config before start patch to apply after previous patch
- Update patch: haproxy-1.5_check_config_before_start.patch
-------------------------------------------------------------------
Thu Oct 9 14:14:35 UTC 2014 - kgronlund@suse.com
- BUG/MEDIUM: systemd: set KillMode to 'mixed'
- Add patch:
- 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch
-------------------------------------------------------------------
Wed Oct 8 12:53:41 UTC 2014 - kgronlund@suse.com
- update to 1.5.5
- DOC: indicate that weight zero is reported as DRAIN
- DOC: Address issue where documentation is excluded due to a gitignore rule
- This update includes all previous patches since 1.5.4
- Removed patches:
- 0001-DOC-clearly-state-that-the-show-sess-output-format-i.patch
- 0002-MINOR-stats-fix-minor-typo-fix-in-stats_dump_errors_.patch
- 0003-MEDIUM-Improve-signal-handling-in-systemd-wrapper.patch
- 0004-MINOR-Also-accept-SIGHUP-SIGTERM-in-systemd-wrapper.patch
- 0005-DOC-indicate-in-the-doc-that-track-sc-can-wait-if-da.patch
- 0006-MEDIUM-http-enable-header-manipulation-for-101-respo.patch
- 0007-BUG-MEDIUM-config-propagate-frontend-to-backend-proc.patch
- 0008-MEDIUM-config-properly-propagate-process-binding-bet.patch
- 0009-MEDIUM-config-make-the-frontends-automatically-bind-.patch
- 0010-MEDIUM-config-compute-the-exact-bind-process-before-.patch
- 0011-MEDIUM-config-only-warn-if-stats-are-attached-to-mul.patch
- 0012-MEDIUM-config-report-it-when-tcp-request-rules-are-m.patch
- 0013-MINOR-config-detect-the-case-where-a-tcp-request-con.patch
- 0014-MEDIUM-systemd-wrapper-support-multiple-executable-v.patch
- 0015-BUG-MEDIUM-remove-debugging-code-from-systemd-wrappe.patch
- 0016-BUG-MEDIUM-http-adjust-close-mode-when-switching-to-.patch
- 0017-BUG-MINOR-config-don-t-propagate-process-binding-on-.patch
- 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch
- 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch
- 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch
-------------------------------------------------------------------
Mon Oct 6 09:09:58 UTC 2014 - kgronlund@suse.com
- Backported fixes:
- BUG/MEDIUM: http: adjust close mode when switching to backend
- BUG/MINOR: config: don't propagate process binding on fatal errors.
- BUG/MEDIUM: check: rule-less tcp-check must detect connect failures
- BUG/MINOR: tcp-check: report the correct failed step in the status
- BUG/MINOR: config: don't propagate process binding for dynamic use_backend
- Added patches:
- 0016-BUG-MEDIUM-http-adjust-close-mode-when-switching-to-.patch
- 0017-BUG-MINOR-config-don-t-propagate-process-binding-on-.patch
- 0018-BUG-MEDIUM-check-rule-less-tcp-check-must-detect-con.patch
- 0019-BUG-MINOR-tcp-check-report-the-correct-failed-step-i.patch
- 0020-BUG-MINOR-config-don-t-propagate-process-binding-for.patch
-------------------------------------------------------------------
Thu Sep 25 16:10:08 UTC 2014 - kgronlund@suse.com
- Backported fixes (bnc#898498):
- DOC: clearly state that the "show sess" output format is not fixed
- MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer()
- MEDIUM: Improve signal handling in systemd wrapper.
- MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper
- DOC: indicate in the doc that track-sc* can wait if data are missing
- MEDIUM: http: enable header manipulation for 101 responses
- BUG/MEDIUM: config: propagate frontend to backend process binding again.
- MEDIUM: config: properly propagate process binding between proxies
- MEDIUM: config: make the frontends automatically bind to the listeners' processes
- MEDIUM: config: compute the exact bind-process before listener's maxaccept
- MEDIUM: config: only warn if stats are attached to multi-process bind directives
- MEDIUM: config: report it when tcp-request rules are misplaced
- MINOR: config: detect the case where a tcp-request content rule has no inspect-delay
- MEDIUM: systemd-wrapper: support multiple executable versions and names
- BUG/MEDIUM: remove debugging code from systemd-wrapper
- Added patches:
- 0001-DOC-clearly-state-that-the-show-sess-output-format-i.patch
- 0002-MINOR-stats-fix-minor-typo-fix-in-stats_dump_errors_.patch
- 0003-MEDIUM-Improve-signal-handling-in-systemd-wrapper.patch
- 0004-MINOR-Also-accept-SIGHUP-SIGTERM-in-systemd-wrapper.patch
- 0005-DOC-indicate-in-the-doc-that-track-sc-can-wait-if-da.patch
- 0006-MEDIUM-http-enable-header-manipulation-for-101-respo.patch
- 0007-BUG-MEDIUM-config-propagate-frontend-to-backend-proc.patch
- 0008-MEDIUM-config-properly-propagate-process-binding-bet.patch
- 0009-MEDIUM-config-make-the-frontends-automatically-bind-.patch
- 0010-MEDIUM-config-compute-the-exact-bind-process-before-.patch
- 0011-MEDIUM-config-only-warn-if-stats-are-attached-to-mul.patch
- 0012-MEDIUM-config-report-it-when-tcp-request-rules-are-m.patch
- 0013-MINOR-config-detect-the-case-where-a-tcp-request-con.patch
- 0014-MEDIUM-systemd-wrapper-support-multiple-executable-v.patch
- 0015-BUG-MEDIUM-remove-debugging-code-from-systemd-wrappe.patch
-------------------------------------------------------------------
Wed Sep 3 07:35:14 UTC 2014 - kgronlund@suse.com
- update to 1.5.4 (bnc#895849 CVE-2014-6269)
- BUG: config: error in http-response replace-header number of arguments
- BUG/MINOR: Fix search for -p argument in systemd wrapper.
- BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
- BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
- MEDIUM: connection: add new bit in Proxy Protocol V2
- BUG/MINOR: server: move the directive #endif to the end of file
- BUG/MEDIUM: http: tarpit timeout is reset
- BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc*
- BUG/MEDIUM: http: fix inverted condition in pat_match_meth()
- BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs
- BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg()
- BUG/MEDIUM: acl: correctly compute the output type when a converter is used
- CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix
- BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer
- Dropped patches:
- 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
- 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
- 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
- 0004-BUG-config-error-in-http-response-replace-header-num.patch
- 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
-------------------------------------------------------------------
Fri Aug 22 14:38:59 UTC 2014 - mrueckert@suse.de
- pull 2 more fixes from git:
- 0004-BUG-config-error-in-http-response-replace-header-num.patch
A couple of typos fixed in 'http-response replace-header':
- an error when counting the number of arguments
- a typo in the alert message
- 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
(1.5-dev24-8), the tarpit section set timeout and return, after
this commit, the tarpit section set the timeout, and go to the
"done" label which reset the timeout.
-------------------------------------------------------------------
Wed Jul 30 09:47:38 UTC 2014 - mrueckert@suse.de
- pull important fixes from git:
0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
Especially the last patch is important:
As a consequence of various recent changes on the sample
conversion, a corner case has emerged where it is possible to
wait forever for a sample in track-sc*.
-------------------------------------------------------------------
Mon Jul 28 11:33:14 UTC 2014 - kgronlund@suse.com
- update to 1.5.3
- DOC: fix typo in Unix Socket commands
- BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
- BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
- DOC: mention that Squid correctly responds 400 to PPv2 header
- BUG/MINOR: http: base32+src should use the big endian version of base32
- BUG/MEDIUM: connection: fix proxy v2 header again!
- Removed backported patches:
- 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
- 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
- 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
- 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
- 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
- 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch
-------------------------------------------------------------------
Mon Jul 21 13:45:40 UTC 2014 - mrueckert@suse.de
- added 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch:
Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory
corruption when building a proxy v2 header") was wrong, using
&cn_trash instead of cn_trash resulting in a warning and the
client's SSL cert CN not being stored at the proper location.
-------------------------------------------------------------------
Fri Jul 18 15:01:53 UTC 2014 - mrueckert@suse.de
- added
0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch:
BUG/MEDIUM: connection: fix memory corruption when building a
proxy v2 header
-------------------------------------------------------------------
Thu Jul 17 10:45:28 UTC 2014 - mrueckert@suse.de
- pulled a few fixes from the 1.5 branch: most notably the DHE
memleak fix. Adds the following patches:
0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
0002-DOC-fix-typo-in-Unix-Socket-commands.patch
0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
-------------------------------------------------------------------
Sat Jul 12 16:56:27 UTC 2014 - mrueckert@suse.de
- update to 1.5.2
- BUG/MEDIUM: backend: Update hash to use unsigned int throughout
- BUG/MINOR: ssl: Fix external function in order not to return a
pointer on an internal trash buffer.
- DOC: expand the docs for the provided stats.
- BUG/MEDIUM: unix: do not unlink() abstract namespace sockets
upon failure.
- MINOR: stats: fix minor typo in HTML page
- BUG/MEDIUM: http: fetch "base" is not compatible with
set-header
- BUG/MINOR: counters: do not untrack counters before logging
- BUG/MAJOR: sample: correctly reinitialize sample fetch context
before calling sample_process()
- MINOR: stick-table: make stktable_fetch_key() indicate why it
failed
- BUG/MEDIUM: counters: fix track-sc* to wait on unstable
contents
- BUILD: remove TODO from the spec file and add README
- MINOR: log: make MAX_SYSLOG_LEN overridable at build time
- MEDIUM: log: support a user-configurable max log line length
- DOC: provide an example of how to use ssl_c_sha1
- BUILD: http: fix isdigit & isspace warnings on Solaris
- BUG/MINOR: listener: set the listener's fd to -1 after deletion
- BUG/MEDIUM: unix: failed abstract socket binding is retryable
- MEDIUM: listener: implement a per-protocol pause() function
- MEDIUM: listener: support rebinding during resume()
- BUG/MEDIUM: unix: completely unbind abstract sockets during a
pause()
- DOC: explicitly mention the limits of abstract namespace
sockets
- DOC: minor fix on {sc,src}_kbytes_{in,out}
- DOC: fix alphabetical sort of converters
- BUG/MAJOR: http: correctly rewind the request body after start
of forwarding
- DOC: remove references to CPU=native in the README
- DOC: mention that "compression offload" is ignored in defaults
section
- drop patches included in version upgrade.
- 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
- 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
- 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
- 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
- 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
- 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
- use www.haproxy.org now instead of the old domain which is just
redirecting to haproxy.org now.
-------------------------------------------------------------------
Tue Jul 1 12:13:33 UTC 2014 - kgronlund@suse.com
- BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents
- MINOR: stick-table: make stktable_fetch_key() indicate why it failed
- BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process()
- BUG/MINOR: counters: do not untrack counters before logging
- BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
- BUG/MEDIUM: http: fetch "base" is not compatible with set-header
- Add patches:
- 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
- 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
- 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
- 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
- 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
- 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
-------------------------------------------------------------------
Tue Jun 24 15:55:48 UTC 2014 - mrueckert@suse.de
- install the vim file into the versioned directory and don't cover
the current symlink with a directory
-------------------------------------------------------------------
Tue Jun 24 13:00:39 UTC 2014 - mrueckert@suse.de
- add Requires to vim to make the ownership of the vim directory
clear and not break any symlink handling the vim package might
use.
-------------------------------------------------------------------
Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de
- update to 1.5.1
- BUG/MINOR: config: http-request replace-header arg typo
- BUG/MINOR: ssl: rejects OCSP response without nextupdate.
- BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
- BUG/MINOR: ssl: Fix OCSP resp update fails with the same
certificate configured twice. (cherry picked from commit
1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f)
- BUG/MEDIUM: Consistently use 'check' in process_chk
- BUG/MAJOR: session: revert all the crappy client-side timeout
changes
- BUG/MINOR: logs: properly initialize and count log sockets
- drop haproxy-1.5.0_consistently_use_check.patch:
included upstream
-------------------------------------------------------------------
Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com
- Install vim file to a more appropriate location
-------------------------------------------------------------------
Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com
- added pre macro for systemd service file
-------------------------------------------------------------------
Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com
- Use better systemd detection consistently
-------------------------------------------------------------------
Sun Jun 22 19:48:11 UTC 2014 - mrueckert@suse.de
- pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6:
Consistently use 'check' in process_chk
I am not entirely sure that this is a bug, but it seems
to me that it may cause a problem if there agent-check is
configured and there is some kind of error making a connection
for it.
adds patch haproxy-1.5.0_consistently_use_check.patch
-------------------------------------------------------------------
Fri Jun 20 14:37:21 UTC 2014 - mrueckert@suse.de
- update to 1.5.0
For people who don't follow the development versions, 1.5 expands
1.4 with many new features and performance improvements,
including native SSL support on both sides with SNI/NPN/ALPN and
OCSP stapling, IPv6 and UNIX sockets are supported everywhere,
full HTTP keep-alive for better support of NTLM and improved
efficiency in static farms, HTTP/1.1 compression (deflate, gzip)
to save bandwidth, PROXY protocol versions 1 and 2 on both sides,
data sampling on everything in request or response, including
payload, ACLs can use any matching method with any input sample,
maps and dynamic ACLs updatable from the CLI, stick-tables support
counters to track activity on any input sample, custom format for
logs, unique-id, header rewriting, and redirects, improved health
checks (SSL, scripted TCP, check agent, ...), much more scalable
configuration supports hundreds of thousands of backends and
certificates without sweating.
For all the details see /usr/share/doc/packages/haproxy/CHANGELOG
- enable tcp fast open if the kernel is recent enough
- enable PCRE JIT if PCRE is recent enough
- enable openssl support!
- haproxy can finally terminate ssl itself and also talk SSL to
the backend servers.
- including SNI/NPN/ALPN support.
new buildrequires openssl and pkgconfig
- enable deflate support
new buildrequires zlib-devel
- enable transparent proxy support
- enable usage of accept4. reduces the syscall amount.
- enable building and installing of halog
- install vim file into the correct place
- dropped patches:
0001-MEDIUM-add-systemd-service.patch
0002-MEDIUM-add-haproxy-systemd-wrapper.patch
0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
0005-BUILD-stdbool-is-not-portable-again.patch
0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
0009-openSUSE-Configure-haproxy-user.patch
0010-openSUSE-Fix-path-to-PCRE-library.patch
0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
0014-MINOR-systemd-wrapper-improve-logging.patch
0015-MINOR-systemd-wrapper-propagate-exit-status.patch
- added haproxy-1.2.16_config_haproxy_user.patch:
(replaces 0009-openSUSE-Configure-haproxy-user.patch)
- added haproxy-1.5_check_config_before_start.patch:
systemd allows us to run other things before we start the final
daemon. use this to check the configuration before launching.
- added haproxy-makefile_lib.patch
(replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch)
- added sec-options.patch:
make it easier to build haproxy with PIE, stackprotector
and relro. all those options are enabled on our build.
- added apparmor profile
usr.sbin.haproxy.apparmor
local.usr.sbin.haproxy.apparmor
- change the conditionals for systemd to use bcond_with to make it
more obvious what we are guarding.
-------------------------------------------------------------------
Wed May 21 10:50:21 UTC 2014 - jsegitz@novell.com
- added necessary macros for systemd files
-------------------------------------------------------------------
Tue May 6 06:12:08 UTC 2014 - kgronlund@suse.com
- update to 1.4.25 (bnc#876438)
- DOC: typo: nosepoll self reference in config guide
- BUG/MINOR: deinit: free fdinfo while doing cleanup
- BUG/MEDIUM: server: set the macro for server's max weight SRV_UWGHT_MAX to SRV_UWGHT_RANGE
- BUG/MINOR: use the same check condition for server as other algorithms
- BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN for recv()
- BUG/MINOR: fix forcing fastinter in "on-error"
- BUG/MEDIUM: http/auth: Sometimes the authentication credentials can be mix between two requests
- BUG/MAJOR: http: don't emit the send-name-header when no server is available
- BUG/MEDIUM: http: "option checkcache" fails with the no-cache header
- MEDIUM: session: disable lingering on the server when the client aborts
- MINOR: config: warn when a server with no specific port uses rdp-cookie
- MEDIUM: increase chunk-size limit to 2GB-1
- DOC: add a mention about the limited chunk size
- MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
- BUILD: proto_tcp: remove a harmless warning
- BUG/MINOR: acl: remove patterns from the tree before freeing them
- BUG/MEDIUM: checks: fix slow start regression after fix attempt
- BUG/MAJOR: server: weight calculation fails for map-based algorithms
- BUG/MINOR: backend: fix target address retrieval in transparent mode
- BUG/MEDIUM: stick: completely remove the unused flag from the store entries
- BUG/MEDIUM: stick-tables: complete the latest fix about store-responses
- BUG/MEDIUM: checks: tracking servers must not inherit the MAINT flag
- BUG/MINOR: stats: report correct throttling percentage for servers in slowstart
- BUG/MINOR: stats: correctly report throttle rate of low weight servers
- BUG/MINOR: checks: successful check completion must not re-enable MAINT servers
- BUG/MEDIUM: stats: the web interface must check the tracked servers before enabling
- BUG/MINOR: channel: initialize xfer_small/xfer_large on new buffers
- BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN
- BUG/MEDIUM: http: don't start to forward request data before the connect
- DOC: fix misleading information about SIGQUIT
- BUILD: simplify the date and version retrieval in the makefile
- BUILD: prepare the makefile to skip format lines in SUBVERS and VERDATE
- BUILD: use format tags in VERDATE and SUBVERS files
- Reorganized patches and backported fixes for systemd wrapper:
- Renamed 0006-haproxy-1.2.16_config_haproxy_user.patch to 0009-openSUSE-Configure-haproxy-user.patch
- Renamed 0007-haproxy-makefile_lib.patch to 0010-openSUSE-Fix-path-to-PCRE-library.patch
- Removed 0008-MEDIUM-haproxy-systemd-wrapper-Revised-implementatio.patch
- Added 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
- Added 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
- Added 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
- Added 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
- Added 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
- Added 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
- Added 0014-MINOR-systemd-wrapper-improve-logging.patch
- Added 0015-MINOR-systemd-wrapper-propagate-exit-status.patch
-------------------------------------------------------------------
Fri Nov 22 09:54:48 UTC 2013 - kgronlund@suse.com
- Backport haproxy-systemd-wrapper from upstream
- Patch haproxy-systemd-wrapper to work on openSUSE
-------------------------------------------------------------------
Thu Oct 31 12:46:04 UTC 2013 - kgronlund@suse.com
- Remove duplicate Requires: from .spec file.
-------------------------------------------------------------------
Thu Oct 31 12:41:12 UTC 2013 - kgronlund@suse.com
- Re-enable sysvinit support for older versions
(server:http still builds for older versions)
-------------------------------------------------------------------
Mon Oct 28 14:32:00 UTC 2013 - p.drouand@gmail.com
- Add systemd support
Target distributions all support systemd; keep alive sysvinit support
is useless
-------------------------------------------------------------------
Thu Oct 10 15:16:32 UTC 2013 - cdenicolo@suse.com
- license update: GPL-2.0+ and LGPL-2.1+
only header files are LGPL, the rest is still GPL
-------------------------------------------------------------------
Tue Jun 18 09:14:13 UTC 2013 - mrueckert@suse.de
- update to 1.4.24 (bnc#825412)
- BUG/MAJOR: backend: consistent hash can loop forever in certain
circumstances
- BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks
are used
- MEDIUM: protocol: implement a "drain" function in protocol
layers
- BUG/CRITICAL: fix a possible crash when using negative header
occurrences CVE-2013-2175
-------------------------------------------------------------------
Wed Apr 3 14:47:43 UTC 2013 - mrueckert@suse.de
- update to 1.4.23 CVE-2013-1912
- CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
- BUG: fix garbage data when http-send-name-header replaces an
existing header
- BUG/MEDIUM: remove supplementary groups when changing gid
- BUG/MINOR: Correct logic in cut_crlf()
- BUG/MINOR: config: use a copy of the file name in proxy
configurations
- BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
- MINOR: halog: sort output by cookie code
- BUG/MINOR: halog: -ad/-ac report the correct number of output
lines
- BUG/MINOR: halog: fix help message for -ut/-uto
- BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel
mode
- BUG/MEDIUM: command-line option -D must have precedence over
"debug"
- OPTIM: halog: keep a fast path for the lines-count only
- MINOR: halog: add a parameter to limit output line count
- BUG: halog: fix broken output limitation
- MEDIUM: checks: avoid accumulating TIME_WAITs during checks
- MEDIUM: checks: prevent TIME_WAITs from appearing also on
timeouts
- BUG/MAJOR: cli: show sess <id> may randomly corrupt the
back-ref list
- BUG/MINOR: http: don't report client aborts as server errors
- BUG/MINOR: http: don't log a 503 on client errors while waiting
for requests
- BUG/MEDIUM: tcp: process could theorically crash on lack of
source ports
- BUG/MINOR: http: don't abort client connection on premature
responses
- BUILD: no need to clean up when making git-tar
- MINOR: http: always report PR-- flags for redirect rules
- BUG/MINOR: time: frequency counters are not totally accurate
- BUG/MINOR: http: don't process abortonclose when request was
sent
- BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait()
- BUG/MINOR: config: fix improper check for failed memory alloc
in ACL parser
- BUG/MEDIUM: checks: ensure the health_status is always within
bounds
- CLEANUP: http: remove a useless null check
- BUG/MEDIUM: signal: signal handler does not properly check for
signal bounds
- BUG/MEDIUM: uri_auth: missing NULL check and memory leak on
memory shortage
- CLEANUP: config: slowstart is never negative
- BUILD: improve the makefile's support for libpcre
- BUG/MINOR: checks: fix an warning introduced by commit 2f61455a
- MEDIUM: halog: add support for counting per source address
(-ic)
- DOC: mention the new HTTP 307 and 308 redirect statues
(cherry picked from commit
b67fdc4cd8bde202f2805d98683ddab929469a05)
- MEDIUM: poll: do not use FD_* macros anymore
- BUG/MAJOR: ev_select: disable the select() poller if maxsock >
FD_SETSIZE
- BUILD: enable poll() by default in the makefile
- BUILD: add explicit support for Mac OS/X
- BUG/CRITICAL: using HTTP information in tcp-request content may
crash the process CVE-2013-1912
- MEDIUM: http: implement redirect 307 and 308
- MINOR: http: status 301 should not be marked non-cacheable
- adapt haproxy-makefile_lib.patch to the rewritten Makefile
-------------------------------------------------------------------
Mon Nov 12 14:10:33 UTC 2012 - mrueckert@suse.de
- switch license tag to spdx format.
-------------------------------------------------------------------
Mon Nov 12 13:50:46 UTC 2012 - mrueckert@suse.de
- update to 1.4.22
- BUG/MEDIUM: option forwardfor if-none doesn't work with some
configurations
- MINOR: balance uri: added 'whole' parameter to include query
string in hash calculation
- DOC: specify the default value for maxconn in the context of a
proxy
- BUG/MINOR: checks: expire on timeout.check if smaller than
timeout.connect
- REORG/MINOR: use dedicated proxy flags for the cookie handling
- BUG/MINOR: config: do not report twice the incompatibility
between cookie and non-http
- MINOR: http: add support for "httponly" and "secure" cookie
attributes
- MEDIUM: stats: add support for soft stop/soft start in the
admin interface
- BUILD: add support for linux kernels >= 2.6.28
- MINOR: contrib/iprange: add a network IP range to mask
converter
- BUILD: add an AIX 5.2 (and later) target.
- MINOR: halog: use the more recent dual-mode fgets2
implementation
- BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on
full-length matches
- CLEANUP: halog: make clean should also remove .o files
(cherry picked from commit
8ad4193100aafa19f04929670371bf823dbe11d0)
- OPTIM: halog: make use of memchr() on platforms which provide a
fast one
- OPTIM: halog: improve cold-cache behaviour when loading a file
- [MINOR] config: make it possible to specify a cookie even
without a server
- MINOR: config: tolerate server "cookie" setting in non-HTTP
mode
- BUG/MINOR: tarpit: fix condition to return the HTTP 500 message
-------------------------------------------------------------------
Tue Oct 30 16:02:03 UTC 2012 - mrueckert@suse.de
- fix description in the init script
-------------------------------------------------------------------
Tue May 22 16:47:45 UTC 2012 - pascal.bleser@opensuse.org
- update to 1.4.21 (bnc#763833) CVE-2012-2391
- MINOR: patch for minor typo (ressources/resources)
- CLEANUP: fix typo in findserver() log message
- DOC: cleanup indentation, alignment, columns and chapters
- DOC: fix some keywords arguments documentation
- MINOR: stats admin: allow unordered parameters in POST requests
- MINOR: stats admin: use the backend id instead of its name in
the form
- BUG/MAJOR: trash must always be the size of a buffer
- DOC: fix minor regex example issue and improve doc on stats
- BUG/MAJOR: possible crash when using capture headers on TCP
frontends
- MINOR: config: disable header captures in TCP mode and complain
- BUG/MEDIUM: balance source did not properly hash IPv6 addresses
- CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
- CLEANUP: remove a few warning about unchecked return values in
debug code
- CLEANUP: http: remove unused http_msg->col
- BUG/MINOR: http: error snapshots are wrong if buffer wraps
- BUG/MAJOR: checks: don't call set_server_status_* when no LB
algo is set
- MINOR: proxy: make findproxy() return proxies from numeric IDs
too
- BUILD: http: stop gcc-4.1.2 from complaining about possibly
uninitialized values
- BUG/MINOR: stop connect timeout when connect succeeds
-------------------------------------------------------------------
Sun Mar 11 19:16:20 UTC 2012 - pascal.bleser@opensuse.org
- update to 1.4.20:
- BUG/MINOR: fix typo in processing of http-send-name-header
- BUG/MEDIUM: correctly disable servers tracking another disabled servers.
- BUG/MEDIUM: zero-weight servers must not dequeue requests from the backend
- MINOR: halog: add some help on the command line (cherry picked from
commit 615674cdec067066a42f53f5d55628ab7b207e6c)
- BUG: queue: fix dequeueing sequence on HTTP keep-alive sessions
- BUG: http: disable TCP delayed ACKs when forwarding content-length data
- BUG: checks: fix server maintenance exit sequence
- BUG/MINOR: stream_sock: don't remove BF_EXPECT_MORE and BF_SEND_DONTWAIT on
partial writes
- DOC: enumerate valid status codes for "observe layer7"
-------------------------------------------------------------------
Wed Feb 8 15:30:58 UTC 2012 - mrueckert@suse.de
- update to 1.4.19
- MEDIUM: http: add support for sending the server's name in the
outgoing request
- BUG/MINOR: fix options forwardfor if-none when an alternative
header name is specified
- MINOR: task: new function task_schedule() to schedule a wake up
- BUG/MEDIUM: checks: fix slowstart behaviour when server
tracking is in use
- BUG: tcp: option nolinger does not work on backends
- BUG: ebtree: ebst_lookup() could return the wrong entry
- BUG: http: re-enable TCP quick-ack upon incomplete HTTP
requests
- CLEANUP: ebtree: remove a few annoying signedness warnings
- CLEANUP: ebtree: remove 4-year old harmless typo in duplicates
insertion code
- CLEANUP: ebtree: remove another typo, a wrong initialization in
insertion code
- BUG: proto_tcp: set AF_INET on tproxy for use with recent
kernels
- MINOR: halog: add support for matching queued requests
- BUG: http: tighten the list of allowed characters in a URI
-------------------------------------------------------------------
Wed Nov 9 12:09:33 UTC 2011 - mrueckert@suse.de
- update to 1.4.18
- [MINOR] http: *_dom matching header functions now also split on
":"
- [MINOR] halog: support backslash-escaped quotes
- BUILD/MINOR: fix the source URL in the spec file
- DOC: acl is http_first_req, not http_req_first
- BUG/MEDIUM: don't trim last spaces from headers consisting only
of spaces
- MINOR: acl: add new matches for header/path/url length
- [MINOR] halog: do not consider byte 0x8A as end of line
- [OPTIM] halog: make fgets parse more bytes by blocks
- [OPTIM] halog: add assembly version of the field lookup code
- [CLEANUP] startup: report only the basename in the usage
message
- [DOC] update the README file to reflect new naming rules for
patches
-------------------------------------------------------------------
Mon Sep 05 22:26:59 UTC 2011 - pascal.bleser@opensuse.org
- update to 1.4.17:
- [MINOR] halog: add support for termination code matching (-tcn/-TCN)
- [MINOR] halog: make SKIP_CHAR stop on field delimiters
- [MINOR] halog: add support for HTTP log matching (-H)
- [MINOR] halog: gain back performance before SKIP_CHAR fix
- [OPTIM] halog: cache some common fields positions
- [OPTIM] halog: check once for correct line format and reuse the pointer
- [OPTIM] halog: remove many 'if' by using a function pointer for the filters
- [OPTIM] halog: remove support for tab delimiters in input data
- [MINOR] halog: add -hs/-HS to filter by HTTP status code range
- [CLEANUP] update the year in the copyright banner
- [BUG] check: http-check expect + regex would crash in defaults section
- [MEDIUM] http: make x-forwarded-for addition conditional
- [DOC] fixed a few "sensible" -> "sensitive" errors
- [MINOR] stats: display "<NONE>" instead of the frontend name when unknown
- [BUG] http: trailing white spaces must also be trimmed after headers
- [MINOR] http: take a capture of too large requests and responses
- [MINOR] http: take a capture of truncated responses
- [MINOR] http: take a capture of bad content-lengths.
-------------------------------------------------------------------
Sat Aug 13 22:49:36 UTC 2011 - mrueckert@suse.de
- update to version 1.4.16
- [BUG] checks: fix support of Mysqld >= 5.5 for mysql-check
- [DOC] Minor spelling fixes and grammatical enhancements
- [CLEANUP] Remove assigned but unused variables
- [BUG] checks: http-check expect could fail a check on
multi-packet responses
- [DOC] fix minor typo in the "dispatch" doc
- [MINOR] http: make the "HTTP 200" status code configurable.
- [MINOR] http: partially revert the chunking optimization for
now
- [MINOR] stream_sock: always clear BF_EXPECT_MORE upon complete
transfer
- [CLEANUP] stream_sock: remove unneeded FL_TCP and factor out
test
- [MEDIUM] http: add support for "http-no-delay"
- [OPTIM] http: optimize chunking again in non-interactive mode
- [OPTIM] stream_sock: avoid fast-forwarding of partial data
- [OPTIM] stream_sock: don't use splice on too small payloads
- [BUG] stats: support url-encoded forms
- [BUG] halog: correctly handle truncated last line
- [DOC] fix typos, "#" is a sharp, not a dash
-------------------------------------------------------------------
Fri Apr 15 22:14:24 UTC 2011 - pascal.bleser@opensuse.org
- revert splitting out the documentation
-------------------------------------------------------------------
Thu Apr 14 19:18:45 UTC 2011 - pascal.bleser@opensuse.org
- split out documentation and examples into haproxy-doc
- add rpmlintrc to suppress false positive warnings about
script examples in documentation files (without exec flag)
- fix license
-------------------------------------------------------------------
Tue Apr 12 15:31:38 UTC 2011 - mrueckert@suse.de
- update to version 1.4.15
- [CRITICAL] fix risk of crash when dealing with space in
response cookies
- additional changes from 1.4.14
- [MINOR] config: fix endianness of server check port
- [BUG] http: fix possible incorrect forwarded wrapping chunk
size (take 2)
- [MINOR] tools: add two macros MID_RANGE and MAX_RANGE
- [BUG] http: fix content-length handling on 32-bit platforms
- [OPTIM] buffers: uninline buffer_forward()
-------------------------------------------------------------------
Wed Mar 9 12:00:23 UTC 2011 - mrueckert@suse.de
- update to 1.4.13
- config: don't crash on empty pattern files.
- additional changes from 1.4.12
- stats: add support for several packets in stats admin
- stats: admin commands must check the proxy state
- stats: admin web interface must check the proxy state
- http: update the header list's tail when removing the last
header
- fix typos (http-request instead of http-check) (cherry
picked from commit 8f2a1e72bebea700f37add40997b716fdfd86b9c)
- http: use correct ACL pointer when evaluating authentication
- cfgparse: correctly count one socket per port in ranges
- startup: set the rlimits before binding ports, not after.
- acl: srv_id must return no match when the server is NULL
- acl: fd leak when reading patterns from file
- fix minor typo in "usesrc"
- http: fix possible incorrect forwarded wrapping chunk size
- http: fix computation of message body length after forwarding
has started
- http: balance url_param did not work with first parameters on
POST
- update the url_param regression test to test check_post too
-------------------------------------------------------------------
Tue Feb 15 14:30:53 UTC 2011 - mrueckert@suse.de
- update to 1.4.11
- cfgparse: Check whether the path given for the stats socket
actually fits into the sockaddr_un structure to avoid
truncation.
- fix a minor typo
- fix ignore-persist documentation
- http: fix http-pretend-keepalive and httpclose/tunnel mode
- add warnings on features not compatible with multi-process mode
- acl: add be_id/srv_id to match backend's and server's id
- log: add support for passing the forwarded hostname
- log: ability to override the syslog tag
- fix minor typos in the doc
- fix another typo in the doc
- http chunking: don't report a parsing error on connection
errors
- stream_interface: truncate buffers when sending error messages
- http: fix incorrect error reporting during data transfers
- session: correctly leave turn-around and queue states on abort
- session: release slot before processing pending connections
- stats: report HTTP message state and buffer flags in error
dumps
- http: support wrapping messages in error captures
- http: capture incorrectly chunked message bodies
- stats: add global event ID and count
- http: don't send each chunk in a separate packet
- acl: fix handling of empty lines in pattern files
- ebtree: fix ebmb_lookup() with len smaller than the tree's keys
- ebtree: ebmb_lookup: reduce stack usage by moving the return
code out of the loop
-------------------------------------------------------------------
Mon Nov 29 13:57:37 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.10:
* a possible crash when using Cookie-based persistence with
appsessions was fixed
* header processing could become wrong after a single reqidel
rule removed exactly two headers
* some out-of-memory conditions were not correctly handled in
appsession or cookie captures
* users of appsessions are strongly encouraged to upgrade
-------------------------------------------------------------------
Tue Nov 2 13:11:15 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.9:
* the Web interface now allows you to enable or disable servers
* the ECV and LDAPv3 checks were merged
* the MySQL check was improved to support a real login sequence
* persistence cookies can now be timestamped to support a maximum
idle time and a maximum life time, and can be removed by the
server if needed (e.g. logout)
* the SNMP plugin was improved to report socket stats
* some Cacti templates were merged
* the halog tool can now instantly report per-URL response times
-------------------------------------------------------------------
Tue Aug 17 15:46:13 UTC 2010 - mrueckert@suse.de
- implement graceful restart in the init script
-------------------------------------------------------------------
Tue Jun 22 14:49:12 UTC 2010 - mrueckert@suse.de
- update to 1.4.8:
* mention 'option http-server-close' effect in Tq section
* summarize and highlight persistent connections behaviour
* add configuration samples
* stick_table: the fix for the memory leak caused a regression
* client: don't add a new session to the list too early
-------------------------------------------------------------------
Thu Jun 10 09:03:34 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.7:
* fixes problems where consistent hashing was broken when no
server ID was specified in the configuration
* some errors were incorrectly reported as failed instead of
denied in the statistics
* the dispatch and http_proxy modes were fixed
* a few termination flags in the logs used for troubleshooting
were corrected
* a few other minor issues were fixed
* upgrading is recommended
-------------------------------------------------------------------
Mon May 17 20:29:02 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.6:
* a minor precision about RDP cookies was added to the
documentation
* a new ACL keyword was added
* those who had no problem building and running 1.4.5 don't need
to upgrade
- drop haproxy-fix_dprintf.patch, merged upstream
-------------------------------------------------------------------
Fri May 14 07:18:03 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.5:
* Haproxy can now read huge ACL pattern lists from files and
match inputs against them without any noticeable performance
impact, making geolocation possible
* adds a new "ignore-persist" directive, allowing it to ignore
the persistence cookie if an ACL-based condition is matched
(which is useful for static objects in stateful farms)
* a few other minor improvements
* a nice performance boost of the log analyzer, which can now
process more than 1 GB of logs per second and report request
counts by status codes
-------------------------------------------------------------------
Thu Apr 8 09:41:51 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.4:
* brings a new option to work around optimization issues with
Tomcat and Jetty in server close mode, and for a bug in Jetty's
handling of Expect: 100-continue
* a very old appsession unexpected match of shorter cookie names
was also fixed
* a new feature to make it possible to connect to a server from
an IP found in a header was merged: it allows you to run
stunnel+haproxy in transparent mode together
-------------------------------------------------------------------
Fri Apr 2 23:42:44 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.3:
* fixes a regression introduced in 1.4.2 which could cause a
connection to still be attempted on the server side in case of
an error on the client side; this issue could even lead to a
crash if a Layer7 hash algorithm was used, so this code was
strengthened
* the configuration parser now detects many more inappropriate
options in TCP mode and emits related warnings
* it is now possible to indicate in the configuration that a
server will start in the "disabled" state
* other very minor issues were fixed
-------------------------------------------------------------------
Thu Mar 18 12:00:49 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.2:
* fixes a very rare case of stuck client sessions when using
keep-alive
* fixes a url_param hash bug which could result in a dead server
in very rare situations
* fixes status codes 501 and 505 which could cause a server to be
marked down if on-error was used
* fixes a risk of getting truncated HTTP responses when
chunk-encoding was used
* fixes an issue with anonymous ACLs
* improvements on health checks
-------------------------------------------------------------------
Fri Mar 5 00:45:12 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.1:
* some errors were incorrectly reported as 502 with the flags
"SL" in the logs; this is now fixed
* other minor issues were fixed
* documentation was updated
-------------------------------------------------------------------
Fri Feb 26 20:44:34 UTC 2010 - pascal.bleser@opensuse.org
- update to 1.4.0:
* new features:
+ keep-alive
+ IP-based stickiness
+ consistent hashing
+ support for the RDP protocol
+ a much nicer stats interface
+ a much-improved performance level
* add -fno-strict-aliasing
- changes from 1.4rc1:
* new features:
+ server maintenance mode
+ HTTP authentication (server and proxy)
+ secure passwords
+ conditional request/response header rewriting using ACLs
+ anonymous ACLs that can be declared inline
+ support for HTTP/1.1 101+Upgrade status code to support non-
HTTP protocols such as WebSocket
-------------------------------------------------------------------
Thu Feb 11 15:20:01 UTC 2010 - mrueckert@suse.de
- update to 1.3.23
-------------------------------------------------------------------
Tue Sep 15 14:09:34 CEST 2009 - mrueckert@suse.de
- update to 1.3.20
-------------------------------------------------------------------
Fri Apr 3 13:54:40 CEST 2009 - mrueckert@suse.de
- update to 1.3.17
-------------------------------------------------------------------
Mon Mar 9 16:40:38 CET 2009 - mrueckert@suse.de
- update to 1.3.15.8
-------------------------------------------------------------------
Wed Feb 4 15:13:15 CET 2009 - mrueckert@suse.de
- update to 1.3.15.7
-------------------------------------------------------------------
Mon Sep 15 15:52:45 CEST 2008 - mrueckert@suse.de
- update to 1.3.15.4
-------------------------------------------------------------------
Sun Nov 4 21:21:35 CET 2007 - mrueckert@suse.de
- update to 1.3.13.1:
too many changes see changelog file
-------------------------------------------------------------------
Mon Apr 2 00:53:38 CEST 2007 - mrueckert@suse.de
- prepared spec for easy split out of -snapshot packages.
- added vim syntax file
-------------------------------------------------------------------
Mon Mar 19 17:50:33 CET 2007 - mrueckert@suse.de
- update to 1.2.17:
- replaced the linked-list with a faster rbtree in the scheduler
- add user/group support (Marcus Rueckert)
- add the "except" keyword to the "forwardfor" option (Bryan
Germann)
- re-implemented support for multi-line headers (was
incidentally reverted)
- fixed possible crash when no cookie was set on a server
- fixed various length checks in appsession
- fixed unlikely memory leak in appsession in case of memory
shortage
- updates to the architecture guide
- remove haproxy-1.2.16_username_groupname_support.patch:
patch included upstream
-------------------------------------------------------------------
Mon Jan 8 00:27:17 CET 2007 - mrueckert@suse.de
- initial package of 1.2.16
- added 2 patches:
haproxy-1.2.16_config_haproxy_user.patch
haproxy-1.2.16_username_groupname_support.patch
the patches allow to specify username and groupname instead of
uid/gid. The patches are needed as we do not have a static
uid/gid for the haproxy user/group.