Comment 0 for bug 2012557

Lucas Kanashiro (lucaskanashiro) wrote :

This bug tracks an update for the HAProxy package in the following Ubuntu
releases to the versions below:

 * Kinetic (22.10): HAProxy 2.4.22
 * Jammy (22.04): HAProxy 2.4.22
 * Focal (20.04): HAProxy 2.0.31

These updates include bugfixes only following the SRU policy exception defined
at https://wiki.ubuntu.com/StableReleaseUpdates/HAProxyUpdates.

[Upstream changes]

Changelog of version 2.4.22:

http://git.haproxy.org/?p=haproxy-2.4.git;a=blob;f=CHANGELOG;h=d59309ffed498206bd15775e59bca154ee9d4b0d;hb=HEAD

Important bug fixes in 2.4.22 according to the upstream changelog:

- BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
- BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- BUG/CRITICAL: http: properly reject empty http header field names

It fixes CVE-2023-25725.

Changelog of version 2.0.31:

http://git.haproxy.org/?p=haproxy-2.0.git;a=blob;f=CHANGELOG;h=4b5713fb700f1d2a308ea8fdd18ef098efe0310a;hb=HEAD

Important bug fixes in 2.0.31 according to the upstream changelog:

- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
- BUG/CRITICAL: http: properly reject empty http header field names

It fixes CVE-2023-25725.

[Test Plan]

Upstream CI tests results for 2.4.22:

https://github.com/lucaskanashiro/haproxy/actions?query=branch%3Abranch-v2.4.22

Upstream CI tests results for 2.0.31:

https://github.com/lucaskanashiro/haproxy/actions?query=branch%3Abranch-v2.0.31

Upstream is not pushing the stable branches to Github, so I am running the tests in my fork (the results above). I sent an email to their mailing list to see if they can push those changes to Github, but no one has replied to me so far.

TODO: autopkgtest

[Regression Potential]

HAProxy itself does not have many reverse dependencies; however, any upgrade
risks introducing some breakage to other packages. Whenever a test failure is
detected, we will be on top of it and make sure it doesn't affect existing
users.
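The one CRITICAL item in both changelogs above, "properly reject empty http header field names" (CVE-2023-25725), is something a practitioner will want to verify by hand on the updated package rather than trust to the version string. The following script is an added example written for this page; it is not part of the bug comment, the Ubuntu test plan, or HAProxy's own test suite. It builds a raw HTTP/1.1 request whose second header line has an empty field name, sends it (together with a well-formed baseline request) to a listener, and classifies the status code that comes back. The listener address (127.0.0.1:8080), the assumption that a patched HAProxy answers such a request with 400 while an unpatched one forwards it to the backend, and all request and response bytes are constructed for the example.

```python
"""Probe an HAProxy frontend for rejection of empty HTTP header field names.

Added example for the HAProxy 2.4.22 / 2.0.31 SRU; not project code.
Assumptions (not taken from the page): the frontend listens on
127.0.0.1:8080, a patched proxy answers the malformed request with 400,
an unpatched proxy forwards it and relays the backend's status.
"""
import socket
import sys

CRLF = "\r\n"


def build_baseline_request(host: str = "localhost") -> bytes:
    """Well-formed request; used to show the listener answers normally."""
    lines = ["GET / HTTP/1.1", f"Host: {host}", "Connection: close", "", ""]
    return CRLF.join(lines).encode("ascii")


def build_probe_request(host: str = "localhost") -> bytes:
    """Same request, plus one header line whose field name is empty.

    The line ": empty-name" is the constructed malformed input that the
    "properly reject empty http header field names" fix refuses.
    """
    lines = [
        "GET / HTTP/1.1",
        f"Host: {host}",
        ": empty-name",  # empty field name before the colon
        "Connection: close",
        "",
        "",
    ]
    return CRLF.join(lines).encode("ascii")


def header_names(raw_request: bytes) -> list:
    """Field names of a raw request, in order, so the probe can be checked."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:]]


def response_status(raw_response: bytes):
    """Status code from a raw response, or None if no status line came back."""
    first = raw_response.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(status) -> str:
    """Map the probe's status code to a verdict (assumed semantics, see docstring)."""
    if status is None:
        return "inconclusive"   # connection dropped or no status line
    if status == 400:
        return "rejected"       # expected from a patched proxy
    return "forwarded"          # proxy accepted the request and relayed a reply


def send_raw(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send raw bytes and read until the peer closes or the timeout elapses."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe(host: str = "127.0.0.1", port: int = 8080) -> dict:
    """Run baseline and malformed requests; return both statuses and a verdict."""
    baseline = response_status(send_raw(host, port, build_baseline_request(host)))
    probe_status = response_status(send_raw(host, port, build_probe_request(host)))
    return {"baseline_status": baseline,
            "probe_status": probe_status,
            "verdict": classify(probe_status)}


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    result = probe(target_host, target_port)
    print(result)
    sys.exit(0 if result["verdict"] == "rejected" else 1)
```

Run it against the frontend before and after installing the updated package; a patched proxy should give `verdict: rejected` with the baseline request still answered normally, which is the behavioural difference the CRITICAL fix introduces. A verdict of `inconclusive` means the listener closed the connection without a status line and the run should be repeated rather than read as a pass.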