Update HAProxy to the latest versions

essentialkaos · Nov 2, 2024 · 80c8bc3 · 80c8bc3
1 parent 9ac9ba9
commit 80c8bc3
Show file tree

Hide file tree

Showing 4 changed files with 421 additions and 8 deletions.
diff --git a/specs/haproxy/haproxy.spec b/specs/haproxy/haproxy.spec
@@ -14,15 +14,15 @@
 
 %define lua_ver       5.4.7
 %define pcre_ver      10.44
-%define openssl_ver   3.2.2
+%define openssl_ver   3.2.3
 %define ncurses_ver   6.4
 %define readline_ver  8.2
 
 ################################################################################
 
 Name:           haproxy
 Summary:        TCP/HTTP reverse proxy for high availability environments
-Version:        3.0.3
+Version:        3.0.5
 Release:        0%{?dist}
 License:        GPLv2+
 URL:            https://haproxy.1wt.eu
@@ -216,6 +216,129 @@ fi
 ################################################################################
 
 %changelog
+* Sat Nov 02 2024 Anton Novojilov <andy@essentialkaos.com> - 3.0.5-0
+- BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and
+  leak
+- BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
+- BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending
+  path
+- BUILD: mux-pt: Use the right name for the sedesc variable
+- BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect
+- BUG/MEDIUM: ssl: reactivate 0-RTT for AWS-LC
+- BUG/MEDIUM: ssl: 0-RTT initialized at the wrong place for AWS-LC
+- BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
+- BUG/MEDIUM: http-ana: Report error on write error waiting for the response
+- BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
+- BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
+- BUG/MEDIUM: peer: Notify the applet won't consume data when it waits for sync
+- BUG/MINOR: fcgi-app: handle a possible strdup() failure
+- DOC: configuration: fix alphabetical ordering of {bs,fs}.aborted
+- BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
+- BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
+- BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
+- BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
+- BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
+- BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
+- BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
+- BUG/MINOR: proto_tcp: keep error msg if listen() fails
+- MINOR: channel: implement ci_insert() function
+- BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
+- REGTESTS: mcli: test the pipelined commands on master CLI
+- BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
+- BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
+- BUG/MINOR: h3: properly reject too long header responses
+- BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
+- BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
+- DOC: config: correct the table for option tcplog
+- BUG/MINOR: cfgparse-global: remove tune.fast-forward from common_kw_list
+- BUILD: quic: 32bits build broken by wrong integer conversions for printf()
+- BUG/MEDIUM: clock: also update the date offset on time jumps
+- MINOR: tools: Implement ipaddrcpy().
+- MINOR: quic: Implement quic_tls_derive_token_secret().
+- MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD
+- MINOR: quic: Token for future connections implementation.
+- BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder
+- MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct)
+- MINOR: quic: Implement qc_ssl_eary_data_accepted().
+- MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event.
+- BUG/MEDIUM: quic: always validate sender address on 0-RTT
+- BUG/MINOR: quic: Crash from trace dumping SSL eary data status (AWS-LC)
+- BUG/MINOR: quic: Too short datagram during packet building failures
+  (aws-lc only)
+- DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
+- REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
+- BUG/MEDIUM: clock: detect and cover jumps during execution
+- BUG/MINOR: pattern: prevent const sample from being tampered in
+  pat_match_beg()
+- BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
+- BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
+- BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is
+ established
+- BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
+- MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
+- BUG/MINOR: polling: fix time reporting when using busy polling
+- BUG/MINOR: clock: make time jump corrections a bit more accurate
+- BUG/MINOR: clock: validate that now_offset still applies to the current date
+- BUG/MEDIUM: queue: implement a flag to check for the dequeuing
+- BUG/MINOR: peers: local entries updates may not be advertised after resync
+- DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
+- BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send
+- BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
+- BUG/MEDIUM: promex: Wait to have the request before sending the response
+- BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
+- MINOR: quic: convert qc_stream_desc release field to flags
+- MINOR: quic: implement function to check if STREAM is fully acked
+- BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM
+- BUG/MINOR: quic: prevent freeze after early QCS closure
+
+* Sat Nov 02 2024 Anton Novojilov <andy@essentialkaos.com> - 3.0.4-0
+- MINOR: proto: extend connection thread rebind API
+- BUILD: listener: silence a build warning about unused value without threads
+- BUG/MEDIUM: quic: prevent crash on accept queue full
+- CLEANUP: proto: rename TID affinity callbacks
+- CLEANUP: quic: rename TID affinity elements
+- BUG/MINOR: session: Eval L4/L5 rules defined in the default section
+- BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
+- DOC: install: don't reference removed CPU arg
+- BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
+- BUG/MAJOR: mux-h2: force a hard error upon short read with pending error
+- DOC: configuration: issuers-chain-path not compatible with OCSP
+- DOC: config: improve the http-keep-alive section
+- BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
+- BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
+- BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
+- BUG/MINOR: quic: Non optimal first datagram.
+- MEDIUM: sink: don't set NOLINGER flag on the outgoing stream interface
+- BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
+- BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
+- MINOR: quic: Dump TX in flight bytes vs window values ratio.
+- MINOR: quic: Add information to "show quic" for CUBIC cc.
+- MEDIUM: h1: allow to preserve keep-alive on T-E + C-L
+- MINOR: queue: add a function to check for TOCTOU after queueing
+- BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
+- MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
+- BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
+- Revert "MEDIUM: sink: don't set NOLINGER flag on the outgoing stream
+  interface"
+- MEDIUM: log: relax some checks and emit diag warnings instead in
+  lf_expr_postcheck()
+- DOC: quic: fix default minimal value for max window size
+- MINOR: proxy: Add support of 429-Too-Many-Requests in retry-on status
+- BUG/MEDIUM: mux-h2: Set ES flag when necessary on 0-copy data forwarding
+- BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer
+  ready
+- BUG/MINIR: proxy: Match on 429 status when trying to perform a L7 retry
+- BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown
+- BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
+- BUG/MINOR: quic: unexploited retransmission cases for Initial pktns.
+- BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
+- MINOR: mux-h2: try to clear DEM_MROOM and MUX_MFULL at more places
+- BUG/MAJOR: mux-h2: always clear MUX_MFULL and DEM_MROOM when clearing the mbuf
+- BUG/MINOR: quic: Too shord datagram during O-RTT handshakes (aws-lc only)
+- BUG/MINOR: Crash on O-RTT RX packet after dropping Initial pktns
+- BUG/MEDIUM: mux-pt: Fix condition to perform a shutdown for writes in
+  mux_pt_shut()
+
 * Sat Aug 17 2024 Anton Novojilov <andy@essentialkaos.com> - 3.0.3-0
 - BUG/MINOR: log: fix broken '+bin' logformat node option
 - DEBUG: hlua: distinguish burst timeout errors from exec timeout errors

diff --git a/specs/haproxy/haproxy26.spec b/specs/haproxy/haproxy26.spec
@@ -18,15 +18,15 @@
 
 %define lua_ver       5.4.7
 %define pcre_ver      10.44
-%define openssl_ver   3.0.14
+%define openssl_ver   3.0.15
 %define ncurses_ver   6.4
 %define readline_ver  8.2
 
 ################################################################################
 
 Name:           haproxy%{comp_ver}
 Summary:        TCP/HTTP reverse proxy for high availability environments
-Version:        2.6.18
+Version:        2.6.19
 Release:        0%{?dist}
 License:        GPLv2+
 URL:            https://haproxy.1wt.eu
@@ -220,6 +220,75 @@ fi
 ################################################################################
 
 %changelog
+* Fri Nov 01 2024 Anton Novojilov <andy@essentialkaos.com> - 2.6.19-0
+- BUG/MEDIUM: cli: fix cli_output_msg() regression
+- BUG/MINOR: quic: fix computed length of emitted STREAM frames
+- DOC/MINOR: management: add missed -dR and -dv options
+- DOC: management: rename show stats domain cli "dns" to "resolvers"
+- DOC: configuration: fix alphabetical order of bind options
+- SCRIPTS: git-show-backports: do not truncate git-show output
+- BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
+- BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
+- BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
+- BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
+- BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
+- DOC: configuration: more details about the master-worker mode
+- MEDIUM: ssl: initialize the SSL stack explicitely
+- MINOR: mux-h2/traces: explicitly show the error/refused stream states
+- REGTESTS: add a test to ensure map-ordering is preserved
+- MINOR: quic: Add packet loss and maximum cc window to "show quic"
+- MINOR: quic: Add a counter for reordered packets
+- BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
+- BUG/MINOR: jwt: don't try to load files with HMAC algorithm
+- BUG/MINOR: jwt: fix variable initialisation
+- BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
+- BUG/MINOR: h1: Fail to parse empty transfer coding names
+- BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
+- BUG/MEDIUM: h1: Reject empty Transfer-encoding header
+- BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current
+  thread
+- BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
+- BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
+- BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
+- MINOR: queue: add a function to check for TOCTOU after queueing
+- BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
+- MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
+- BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
+- DOC: configuration: update maxconn description
+- DOC: configuration: issuers-chain-path not compatible with OCSP
+- DOC: config: improve the http-keep-alive section
+- BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer
+  ready
+- BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
+- BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
+- BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
+- BUG/MINOR: fcgi-app: handle a possible strdup() failure
+- BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
+- CLEANUP: trace: remove the QUIC-specific ifdefs
+- BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
+- BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
+- BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
+- BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
+- BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
+- BUG/MINOR: proto_tcp: keep error msg if listen() fails
+- REGTESTS: mcli: test the pipelined commands on master CLI
+- BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
+- BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
+- BUG/MINOR: h3: properly reject too long header responses
+- DOC: config: correct the table for option tcplog
+- BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
+- BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
+- BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
+- REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
+- BUG/MINOR: pattern: prevent const sample from being tampered in
+  pat_match_beg()
+- BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
+- BUG/MINOR: polling: fix time reporting when using busy polling
+- BUG/MEDIUM: queue: implement a flag to check for the dequeuing
+- BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
+- BUG/MEDIUM: promex: Wait to have the request before sending the response
+- BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
+
 * Sat Aug 17 2024 Anton Novojilov <andy@essentialkaos.com> - 2.6.18-0
 - BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
 - BUG/MEDIUM: mux-quic: report early error on stream