[MRE] haproxy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
haproxy (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Undecided | Lucas Kanashiro |
Jammy | Fix Released | Undecided | Lucas Kanashiro |
Kinetic | Fix Released | Undecided | Lucas Kanashiro |
Bug Description
This bug tracks an update for the HAProxy package in the following Ubuntu
releases to the versions below:
* Kinetic (22.10): HAProxy 2.4.22
* Jammy (22.04): HAProxy 2.4.22
* Focal (20.04): HAProxy 2.0.31
These updates include bugfixes only following the SRU policy exception defined
at https:/
[Upstream changes]
Changelog of version 2.4.22:
Important bug fixes in 2.4.22 according to the upstream changelog:
- BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
- BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- BUG/CRITICAL: http: properly reject empty http header field names
It fixes CVE-2023-25725.
Changelog of version 2.0.31:
Important bug fixes in 2.0.31 according to the upstream changelog:
- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- BUG/CRITICAL: http: properly reject empty http header field names
It fixes CVE-2023-25725.
[Test Plan]
Upstream CI tests results for 2.4.22:
https:/
Upstream CI tests results for 2.0.31:
https:/
Upstream is not pushing the stable branches to Github, so I am running the tests in my fork (the results above). I sent an email to their mailing list to see if they can push those changes to Github but no one replied to me so far.
autopkgtest summary in Kinetic:
autopkgtest [18:52:16]: @@@@@@@
cli PASS
proxy-localhost PASS
proxy-ssl-
proxy-ssl-
autopkgtest summary in Jammy:
autopkgtest [18:37:20]: @@@@@@@
cli PASS
proxy-localhost PASS
autopkgtest summary in Focal:
autopkgtest [18:17:03]: @@@@@@@
cli PASS
proxy-localhost PASS
[Regression Potential]
HAProxy itself does not have many reverse dependencies, however, any upgrade is
a risk to introduce some breakage to other packages. Whenever a test failure is
detected, we will be on top of it and make sure it doesn't affect existing
users.
Related branches
- Andreas Hasenack: Approve
- git-ubuntu bot: Approve
- Canonical Server Reporter: Pending requested
Diff: 3289 lines (+1130/-445) 72 files modified
.github/matrix.py (+6/-3)
.github/workflows/cross-zoo.yml (+110/-0)
.github/workflows/vtest.yml (+5/-2)
.github/workflows/windows.yml (+2/-1)
CHANGELOG (+100/-0)
Makefile (+5/-1)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
contrib/prometheus-exporter/service-prometheus.c (+1/-0)
contrib/wurfl/wurfl/wurfl.h (+10/-5)
debian/changelog (+20/-0)
debian/patches/0002-Use-dpkg-buildflags-to-build-halog.patch (+0/-2)
debian/patches/series (+0/-2)
debian/tests/control (+8/-0)
debian/tests/proxy-localhost (+5/-9)
debian/tests/proxy-ssl-pass-through (+59/-0)
debian/tests/proxy-ssl-termination (+48/-0)
debian/tests/utils (+58/-0)
dev/null (+0/-175)
doc/configuration.txt (+99/-41)
doc/management.txt (+4/-0)
doc/proxy-protocol.txt (+1/-1)
include/common/buf.h (+1/-1)
include/common/compiler.h (+3/-1)
include/common/memory.h (+2/-2)
include/common/standard.h (+3/-2)
include/proto/server.h (+1/-0)
include/proto/ssl_sock.h (+25/-0)
include/types/global.h (+1/-0)
include/types/listener.h (+11/-2)
reg-tests/http-messaging/http_abortonclose.vtc (+27/-5)
reg-tests/http-messaging/http_request_buffer.vtc (+29/-4)
scripts/announce-release (+12/-11)
scripts/make-releases-json (+103/-0)
scripts/publish-release (+6/-0)
src/backend.c (+0/-5)
src/cache.c (+7/-7)
src/cfgparse-listen.c (+2/-1)
src/cfgparse.c (+40/-12)
src/dns.c (+18/-6)
src/ev_epoll.c (+2/-2)
src/ev_evports.c (+2/-4)
src/ev_kqueue.c (+2/-2)
src/ev_poll.c (+2/-1)
src/flt_spoe.c (+22/-9)
src/h1.c (+4/-0)
src/haproxy.c (+10/-2)
src/hlua.c (+3/-1)
src/hlua_fcn.c (+3/-0)
src/hpack-dec.c (+9/-0)
src/http_fetch.c (+9/-6)
src/http_msg.c (+7/-1)
src/listener.c (+6/-0)
src/log.c (+8/-3)
src/memory.c (+6/-6)
src/mux_h1.c (+1/-1)
src/mux_h2.c (+9/-2)
src/mworker.c (+4/-2)
src/peers.c (+40/-23)
src/proto_http.c (+8/-2)
src/proto_htx.c (+1/-0)
src/proto_sockpair.c (+1/-1)
src/proxy.c (+24/-10)
src/sample.c (+2/-1)
src/server.c (+4/-5)
src/signal.c (+3/-0)
src/ssl_sock.c (+50/-27)
src/standard.c (+4/-3)
src/stick_table.c (+29/-17)
src/stream.c (+18/-8)
src/stream_interface.c (+1/-1)
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server Reporter: Pending requested
Diff: 7019 lines (+2604/-830) 120 files modified
.cirrus.yml (+1/-1)
.github/matrix.py (+10/-7)
.github/workflows/compliance.yml (+2/-2)
.github/workflows/cross-zoo.yml (+110/-0)
.github/workflows/vtest.yml (+5/-2)
.github/workflows/windows.yml (+2/-1)
CHANGELOG (+190/-0)
Makefile (+7/-3)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
addons/promex/README (+2/-0)
addons/promex/service-prometheus.c (+30/-1)
addons/wurfl/dummy/wurfl/wurfl.h (+10/-5)
debian/changelog (+24/-0)
debian/patches/haproxy.service-start-after-syslog.patch (+0/-2)
debian/patches/reproducible.patch (+1/-3)
debian/patches/series (+0/-3)
debian/tests/control (+8/-0)
debian/tests/proxy-localhost (+4/-9)
debian/tests/proxy-ssl-pass-through (+59/-0)
debian/tests/proxy-ssl-termination (+48/-0)
debian/tests/utils (+58/-0)
dev/null (+0/-145)
doc/configuration.txt (+282/-224)
doc/intro.txt (+1/-1)
doc/management.txt (+4/-0)
doc/proxy-protocol.txt (+1/-1)
include/haproxy/buf.h (+1/-1)
include/haproxy/bug.h (+2/-0)
include/haproxy/http.h (+2/-0)
include/haproxy/listener-t.h (+11/-2)
include/haproxy/listener.h (+11/-5)
include/haproxy/peers-t.h (+1/-0)
include/haproxy/pool.h (+2/-2)
include/haproxy/server.h (+9/-5)
include/haproxy/sink.h (+2/-0)
include/haproxy/ssl_sock-t.h (+11/-7)
include/haproxy/ssl_sock.h (+23/-0)
include/haproxy/stats-t.h (+2/-0)
include/haproxy/stream.h (+1/-1)
include/haproxy/task.h (+2/-1)
include/haproxy/tcpcheck-t.h (+1/-0)
include/haproxy/tools.h (+3/-2)
include/import/ebmbtree.h (+53/-0)
reg-tests/cache/if-modified-since.vtc (+4/-1)
reg-tests/cache/if-none-match.vtc (+4/-0)
reg-tests/checks/4be_1srv_smtpchk_httpchk_layer47errors.vtc (+8/-3)
reg-tests/checks/pgsql-check.vtc (+16/-0)
reg-tests/checks/smtp-check.vtc (+6/-2)
reg-tests/contrib/prometheus.vtc (+4/-3)
reg-tests/converter/digest.vtc (+1/-1)
reg-tests/converter/hmac.vtc (+1/-1)
reg-tests/converter/iif.vtc (+1/-1)
reg-tests/converter/json_query.vtc (+1/-1)
reg-tests/http-messaging/h1_host_normalization.vtc (+276/-0)
reg-tests/http-messaging/http_request_buffer.vtc (+18/-1)
reg-tests/http-rules/restrict_req_hdr_names.vtc (+62/-0)
reg-tests/log/log_forward.vtc (+57/-0)
reg-tests/mailers/healthcheckmail.vtc (+1/-1)
reg-tests/ssl/log_forward_ssl.vtc (+60/-0)
reg-tests/startup/automatic_maxconn.vtc (+102/-0)
reg-tests/startup/common.pem (+117/-0)
scripts/announce-release (+12/-11)
src/backend.c (+0/-1)
src/cache.c (+17/-17)
src/cfgparse-listen.c (+4/-2)
src/cfgparse-ssl.c (+7/-7)
src/cfgparse.c (+52/-5)
src/check.c (+7/-0)
src/dns.c (+1/-1)
src/ev_epoll.c (+2/-2)
src/ev_evports.c (+2/-4)
src/ev_kqueue.c (+2/-2)
src/ev_poll.c (+2/-1)
src/fcgi-app.c (+1/-1)
src/fcgi.c (+6/-2)
src/fd.c (+3/-3)
src/flt_http_comp.c (+21/-21)
src/flt_spoe.c (+22/-9)
src/h1.c (+92/-15)
src/h1_htx.c (+3/-0)
src/haproxy.c (+10/-2)
src/hlua.c (+8/-3)
src/hlua_fcn.c (+3/-0)
src/hpack-dec.c (+10/-0)
src/http.c (+32/-0)
src/http_act.c (+2/-0)
src/http_ana.c (+20/-14)
src/http_fetch.c (+6/-5)
src/http_htx.c (+14/-25)
src/listener.c (+45/-16)
src/log.c (+11/-5)
src/mux_fcgi.c (+14/-8)
src/mux_h1.c (+26/-13)
src/mux_h2.c (+24/-10)
src/mworker.c (+4/-2)
src/pattern.c (+6/-6)
src/peers.c (+41/-25)
src/pool.c (+12/-12)
src/proto_tcp.c (+9/-6)
src/proto_udp.c (+8/-5)
src/protocol.c (+3/-3)
src/proxy.c (+32/-16)
src/regex.c (+9/-5)
src/resolvers.c (+29/-10)
src/ring.c (+11/-1)
src/server.c (+5/-6)
src/signal.c (+3/-0)
src/sink.c (+46/-15)
src/ssl_crtlist.c (+5/-0)
src/ssl_sample.c (+3/-0)
src/ssl_sock.c (+17/-11)
src/stats.c (+20/-5)
src/stick_table.c (+29/-17)
src/stream.c (+22/-12)
src/stream_interface.c (+28/-4)
src/tcpcheck.c (+37/-6)
src/time.c (+1/-0)
src/tools.c (+4/-3)
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server Reporter: Pending requested
Diff: 6773 lines (+2423/-819) 114 files modified
.cirrus.yml (+1/-1)
.github/matrix.py (+10/-7)
.github/workflows/compliance.yml (+2/-2)
.github/workflows/cross-zoo.yml (+110/-0)
.github/workflows/vtest.yml (+5/-2)
.github/workflows/windows.yml (+2/-1)
CHANGELOG (+190/-0)
Makefile (+7/-3)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
addons/promex/README (+2/-0)
addons/promex/service-prometheus.c (+30/-1)
addons/wurfl/dummy/wurfl/wurfl.h (+10/-5)
debian/changelog (+20/-0)
debian/patches/reproducible.patch (+1/-3)
debian/patches/series (+0/-3)
dev/null (+0/-145)
doc/configuration.txt (+282/-224)
doc/intro.txt (+1/-1)
doc/management.txt (+4/-0)
doc/proxy-protocol.txt (+1/-1)
include/haproxy/buf.h (+1/-1)
include/haproxy/bug.h (+2/-0)
include/haproxy/http.h (+2/-0)
include/haproxy/listener-t.h (+11/-2)
include/haproxy/listener.h (+11/-5)
include/haproxy/peers-t.h (+1/-0)
include/haproxy/pool.h (+2/-2)
include/haproxy/server.h (+9/-5)
include/haproxy/sink.h (+2/-0)
include/haproxy/ssl_sock-t.h (+11/-7)
include/haproxy/ssl_sock.h (+23/-0)
include/haproxy/stats-t.h (+2/-0)
include/haproxy/stream.h (+1/-1)
include/haproxy/task.h (+2/-1)
include/haproxy/tcpcheck-t.h (+1/-0)
include/haproxy/tools.h (+3/-2)
include/import/ebmbtree.h (+53/-0)
reg-tests/cache/if-modified-since.vtc (+4/-1)
reg-tests/cache/if-none-match.vtc (+4/-0)
reg-tests/checks/4be_1srv_smtpchk_httpchk_layer47errors.vtc (+8/-3)
reg-tests/checks/pgsql-check.vtc (+16/-0)
reg-tests/checks/smtp-check.vtc (+6/-2)
reg-tests/contrib/prometheus.vtc (+4/-3)
reg-tests/converter/digest.vtc (+1/-1)
reg-tests/converter/hmac.vtc (+1/-1)
reg-tests/converter/iif.vtc (+1/-1)
reg-tests/converter/json_query.vtc (+1/-1)
reg-tests/http-messaging/h1_host_normalization.vtc (+276/-0)
reg-tests/http-messaging/http_request_buffer.vtc (+18/-1)
reg-tests/http-rules/restrict_req_hdr_names.vtc (+62/-0)
reg-tests/log/log_forward.vtc (+57/-0)
reg-tests/mailers/healthcheckmail.vtc (+1/-1)
reg-tests/ssl/log_forward_ssl.vtc (+60/-0)
reg-tests/startup/automatic_maxconn.vtc (+102/-0)
reg-tests/startup/common.pem (+117/-0)
scripts/announce-release (+12/-11)
src/backend.c (+0/-1)
src/cache.c (+17/-17)
src/cfgparse-listen.c (+4/-2)
src/cfgparse-ssl.c (+7/-7)
src/cfgparse.c (+52/-5)
src/check.c (+7/-0)
src/dns.c (+1/-1)
src/ev_epoll.c (+2/-2)
src/ev_evports.c (+2/-4)
src/ev_kqueue.c (+2/-2)
src/ev_poll.c (+2/-1)
src/fcgi-app.c (+1/-1)
src/fcgi.c (+6/-2)
src/fd.c (+3/-3)
src/flt_http_comp.c (+21/-21)
src/flt_spoe.c (+22/-9)
src/h1.c (+92/-15)
src/h1_htx.c (+3/-0)
src/haproxy.c (+10/-2)
src/hlua.c (+8/-3)
src/hlua_fcn.c (+3/-0)
src/hpack-dec.c (+10/-0)
src/http.c (+32/-0)
src/http_act.c (+2/-0)
src/http_ana.c (+20/-14)
src/http_fetch.c (+6/-5)
src/http_htx.c (+14/-25)
src/listener.c (+45/-16)
src/log.c (+11/-5)
src/mux_fcgi.c (+14/-8)
src/mux_h1.c (+26/-13)
src/mux_h2.c (+24/-10)
src/mworker.c (+4/-2)
src/pattern.c (+6/-6)
src/peers.c (+41/-25)
src/pool.c (+12/-12)
src/proto_tcp.c (+9/-6)
src/proto_udp.c (+8/-5)
src/protocol.c (+3/-3)
src/proxy.c (+32/-16)
src/regex.c (+9/-5)
src/resolvers.c (+29/-10)
src/ring.c (+11/-1)
src/server.c (+5/-6)
src/signal.c (+3/-0)
src/sink.c (+46/-15)
src/ssl_crtlist.c (+5/-0)
src/ssl_sample.c (+3/-0)
src/ssl_sock.c (+17/-11)
src/stats.c (+20/-5)
src/stick_table.c (+29/-17)
src/stream.c (+22/-12)
src/stream_interface.c (+28/-4)
src/tcpcheck.c (+37/-6)
src/time.c (+1/-0)
src/tools.c (+4/-3)
CVE References
Changed in haproxy (Ubuntu):
status: New → Invalid
Changed in haproxy (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in haproxy (Ubuntu Jammy):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in haproxy (Ubuntu Kinetic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
tags: added: server-todo
description: updated
Changed in haproxy (Ubuntu Focal):
status: New → In Progress
Changed in haproxy (Ubuntu Jammy):
status: New → In Progress
Changed in haproxy (Ubuntu Kinetic):
status: New → In Progress
description: updated
Hello Lucas, or anyone else affected,
Accepted haproxy into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/haproxy/2.0.31-0ubuntu0.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.