[MRE] haproxy

Bug #2012557 reported by Lucas Kanashiro
Affects           Status        Importance  Assigned to       Milestone
haproxy (Ubuntu)  Invalid       Undecided   Unassigned
Focal             Fix Released  Undecided   Lucas Kanashiro
Jammy             Fix Released  Undecided   Lucas Kanashiro
Kinetic           Fix Released  Undecided   Lucas Kanashiro

Bug Description

This bug tracks an update for the HAProxy package in the following Ubuntu
releases to the versions below:

 * Kinetic (22.10): HAProxy 2.4.22
 * Jammy (22.04): HAProxy 2.4.22
 * Focal (20.04): HAProxy 2.0.31

These updates include bugfixes only following the SRU policy exception defined
at https://wiki.ubuntu.com/HAProxyUpdates.

[Upstream changes]

Changelog of version 2.4.22:

http://git.haproxy.org/?p=haproxy-2.4.git;a=blob;f=CHANGELOG;h=d59309ffed498206bd15775e59bca154ee9d4b0d;hb=HEAD

Important bug fixes in 2.4.22 according to the upstream changelog:

- BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
- BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- BUG/CRITICAL: http: properly reject empty http header field names

It fixes CVE-2023-25725.

Changelog of version 2.0.31:

http://git.haproxy.org/?p=haproxy-2.0.git;a=blob;f=CHANGELOG;h=4b5713fb700f1d2a308ea8fdd18ef098efe0310a;hb=HEAD

Important bug fixes in 2.0.31 according to the upstream changelog:

- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- BUG/CRITICAL: http: properly reject empty http header field names

It fixes CVE-2023-25725.

[Test Plan]

Upstream CI tests results for 2.4.22:

https://github.com/lucaskanashiro/haproxy/actions?query=branch%3Abranch-v2.4.22

Upstream CI tests results for 2.0.31:

https://github.com/lucaskanashiro/haproxy/actions?query=branch%3Abranch-v2.0.31

Upstream is not pushing the stable branches to GitHub, so I am running the tests in my fork (the results above). I sent an email to their mailing list to see if they can push those changes to GitHub, but no one has replied to me so far.

autopkgtest summary in Kinetic:

autopkgtest [18:52:16]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
proxy-localhost PASS
proxy-ssl-termination PASS
proxy-ssl-pass-through PASS

autopkgtest summary in Jammy:

autopkgtest [18:37:20]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
proxy-localhost PASS

autopkgtest summary in Focal:

autopkgtest [18:17:03]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
proxy-localhost PASS

[Regression Potential]

HAProxy itself does not have many reverse dependencies; however, any upgrade
risks introducing some breakage to other packages. Whenever a test failure is
detected, we will be on top of it and make sure it doesn't affect existing
users.

Changed in haproxy (Ubuntu):
status: New → Invalid
Changed in haproxy (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in haproxy (Ubuntu Jammy):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in haproxy (Ubuntu Kinetic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
tags: added: server-todo
description: updated
Changed in haproxy (Ubuntu Focal):
status: New → In Progress
Changed in haproxy (Ubuntu Jammy):
status: New → In Progress
Changed in haproxy (Ubuntu Kinetic):
status: New → In Progress
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Lucas, or anyone else affected,

Accepted haproxy into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/haproxy/2.0.31-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and what testing has been performed on the package, and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in haproxy (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Steve Langasek (vorlon) wrote :

Hello Lucas, or anyone else affected,

Accepted haproxy into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/haproxy/2.4.22-0ubuntu0.22.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and what testing has been performed on the package, and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in haproxy (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed-kinetic
Changed in haproxy (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Steve Langasek (vorlon) wrote :

Hello Lucas, or anyone else affected,

Accepted haproxy into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/haproxy/2.4.22-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and what testing has been performed on the package, and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Lucas Kanashiro (lucaskanashiro) wrote :

# Kinetic

autopkgtest summary against version in -proposed:

autopkgtest [09:49:22]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
proxy-localhost PASS
proxy-ssl-termination PASS
proxy-ssl-pass-through PASS

# Jammy

autopkgtest summary against version in -proposed:

autopkgtest [09:47:22]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
proxy-localhost PASS
proxy-ssl-termination PASS
proxy-ssl-pass-through PASS

# Focal

autopkgtest summary against version in -proposed:

autopkgtest [09:47:15]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
proxy-localhost PASS
proxy-ssl-termination PASS
proxy-ssl-pass-through PASS

tags: added: verification-done verification-done-focal verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package haproxy - 2.0.31-0ubuntu0.1

---------------
haproxy (2.0.31-0ubuntu0.1) focal; urgency=medium

  * New upstream release (LP: #2012557).
    - Major and critical bug fixes according to the upstream changelog:
      + BUG/MAJOR: stick-tables: do not try to index a server name for applets
      + BUG/MAJOR: stick-table: don't process store-response rules for applets
      + BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is
        realigned
      + BUG/CRITICAL: http: properly reject empty http header field names
    - Remove patches applied by upstream in debian/patches:
      + CVE-2023-0056.patch
      + CVE-2023-25725.patch
    - Refresh existing patches in debian/patches:
      + 0002-Use-dpkg-buildflags-to-build-halog.patch
  * Backport DEP-8 tests from Lunar:
    - d/t/proxy-ssl-termination
    - d/t/proxy-ssl-pass-through

 -- Lucas Kanashiro <email address hidden> Wed, 22 Mar 2023 17:39:46 -0300

Changed in haproxy (Ubuntu Focal):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for haproxy has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package haproxy - 2.4.22-0ubuntu0.22.04.1

---------------
haproxy (2.4.22-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2012557).
    - Major and critical bug fixes according to the upstream changelog:
      + BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
      + BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
      + BUG/MAJOR: stick-tables: do not try to index a server name for applets
      + BUG/MAJOR: stick-table: don't process store-response rules for applets
      + BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
      + BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
      + BUG/CRITICAL: http: properly reject empty http header field names
    - Remove patches applied by upstream in debian/patches:
      + CVE-2023-0056.patch
      + CVE-2023-25725.patch
      + CVE-2023-0836.patch
    - Refresh existing patches in debian/patches:
      + haproxy.service-start-after-syslog.patch
      + reproducible.patch
  * Backport DEP-8 tests from Lunar:
    - d/t/proxy-ssl-termination
    - d/t/proxy-ssl-pass-through

 -- Lucas Kanashiro <email address hidden> Wed, 22 Mar 2023 18:18:54 -0300

Changed in haproxy (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package haproxy - 2.4.22-0ubuntu0.22.10.1

---------------
haproxy (2.4.22-0ubuntu0.22.10.1) kinetic; urgency=medium

  * New upstream release (LP: #2012557).
    - Major and critical bug fixes according to the upstream changelog:
      + BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
      + BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
      + BUG/MAJOR: stick-tables: do not try to index a server name for applets
      + BUG/MAJOR: stick-table: don't process store-response rules for applets
      + BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
      + BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
      + BUG/CRITICAL: http: properly reject empty http header field names
    - Remove patches applied by upstream in debian/patches:
      + CVE-2023-0056.patch
      + CVE-2023-25725.patch
      + CVE-2023-0836.patch
    - Refresh existing patches in debian/patches:
      + reproducible.patch

 -- Lucas Kanashiro <email address hidden> Wed, 22 Mar 2023 18:39:05 -0300

Changed in haproxy (Ubuntu Kinetic):
status: Fix Committed → Fix Released