Micro release updates for jammy, noble, and plucky

This bug tracks an update for the HAProxy package in the following Ubuntu
releases to the versions below:

* plucky (25.04): HAProxy 3.0.10 (See entries from 3.0.9 to 3.0.10).
* noble (24.04): HAProxy 2.8.15 (See entries from 2.8.6 to 2.8.15).
* jammy (22.04): HAProxy 2.4.29 (See entries from 2.4.15 to 2.4.29).

These updates include bugfixes only following the SRU policy exception defined
at https://documentation.ubuntu.com/sru/en/latest/reference/exception-HAProxy-Updates

DISCLAIMER: For these updates, we are not upgrading to the latest patch version possible. Instead, we are sticking to the versions which include the fixes up to the version we currently ship in questing to avoid upgrade path regressions.

[Upstream changes]

HAProxy 3.0.10: https://www.haproxy.org/download/3.0/src/CHANGELOG
HAProxy 2.8.15: https://www.haproxy.org/download/2.8/src/CHANGELOG
HAProxy 2.4.29: https://www.haproxy.org/download/2.4/src/CHANGELOG

Important bug fixes include:

* noble (24.04) - HAProxy 2.8.15:
 - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
 - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
 - BUG/MAJOR: server: fix stream crash due to deleted server
 - BUG/MAJOR: promex: fix crash on deleted server
 - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
 - BUG/MAJOR: server: do not delete srv referenced by session
 - BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
 - BUG/MAJOR: quic: reject too large CRYPTO frames
 - BUG/MAJOR: ocsp: Separate refcount per instance and per store
 - BUG/MAJOR: quic: fix wrong packet building due to already acked frames

* jammy (22.04) - HAProxy 2.4.29:
 - BUG/MAJOR: server: do not delete srv referenced by session
 - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
 - BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
 - BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
 - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe

[Test Plan]

Since the upstream CI piplines do not run (publicly) for HAProxy 2.4, 2.8, and 3.0, we triggered those using the upstream project github workflows:

HAproxy 2.4.29 (jammy): https://github.com/athos-ribeiro/haproxy-2.4/actions
HAproxy 2.8.15 (noble): https://github.com/athos-ribeiro/haproxy-2.8/actions
HAproxy 3.0.10 (plucky): https://github.com/athos-ribeiro/haproxy-3.0/actions

The windows related workflows are failing, but this should not be relevant here. For 2.4 and 2.8, the macOS tests in the vtest workflow are also failing. These should not be relevant here either.

There is an error in the spec compliance run for the 2.4 actions. However, we can see in the actions matrix that upstream did add a "-Wno-deprecated-declarations" when openssl3 is being used for the other test runs (it seems it is just missing for this run). I patched the github actions workflow to add the missing flag and the test passes, as one can see in the 2.4 github repository above.

The vtest workflow was failing for 2.8 and 3.0. The workflow is configure to run on ubuntu-latest and depend on libpcre2. I replaced the dependency to libpcre3 and the tests pass.

Some of the spelling checks are also failing, which should not be relevant here.

A test build set is available at https://launchpad.net/~athos/+archive/ubuntu/haproxy/+packages. We ran the haproxy DEP8 test suite for the packages built in that PPA. Here are the results:

* Results:
  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [amd64]
    + ✅ haproxy on jammy for amd64 @ 11.10.25 01:21:25 Log️ 🗒️
  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [arm64]
    + ✅ haproxy on jammy for arm64 @ 11.10.25 01:21:38 Log️ 🗒️
  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [armhf]
    + ✅ haproxy on jammy for armhf @ 11.10.25 01:24:48 Log️ 🗒️
  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [i386]
  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [ppc64el]
    + ✅ haproxy on jammy for ppc64el @ 11.10.25 01:21:58 Log️ 🗒️
  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [s390x]
    + ✅ haproxy on jammy for s390x @ 11.10.25 01:20:56 Log️ 🗒️
  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [amd64]
    + ✅ haproxy on noble for amd64 @ 11.10.25 01:20:32 Log️ 🗒️
  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [arm64]
    + ✅ haproxy on noble for arm64 @ 11.10.25 01:21:27 Log️ 🗒️
  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [armhf]
    + ✅ haproxy on noble for armhf @ 11.10.25 01:23:59 Log️ 🗒️
  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [i386]
  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [ppc64el]
    + ✅ haproxy on noble for ppc64el @ 11.10.25 01:21:23 Log️ 🗒️
  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [s390x]
    + ✅ haproxy on noble for s390x @ 11.10.25 01:20:38 Log️ 🗒️
  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [amd64]
    + ✅ haproxy on plucky for amd64 @ 11.10.25 01:20:26 Log️ 🗒️
  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [arm64]
    + ✅ haproxy on plucky for arm64 @ 11.10.25 01:22:09 Log️ 🗒️
  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [armhf]
    + ✅ haproxy on plucky for armhf @ 11.10.25 01:23:55 Log️ 🗒️
  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [i386]
  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [ppc64el]
    + ✅ haproxy on plucky for ppc64el @ 11.10.25 01:21:43 Log️ 🗒️
  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [s390x]
    + ✅ haproxy on plucky for s390x @ 11.10.25 01:20:36 Log️ 🗒️

[Regression Potential]

HAProxy itself does not have many reverse dependencies, however, any upgrade is
a risk to introduce some breakage to other packages. Whenever a test failure is
detected, we will be on top of it and make sure it doesn't affect existing
users.

[Regression Potential - Changes Analysis (CA)]

There is a significant number of low regression risk (as per upstream classification) functional changes.

Moreover, some (fewer) bug fixes have a possible medium regression risk (again, as per upstream classification).

The functional changes mentioned above were included because they are, in majority, needed by other entries which are bug fixes, i.e., these are functional changes needed to fix specific bugs.

[Regression Potential - CA - Upstream changes classification criteria]

https://github.com/haproxy/haproxy/blob/master/CONTRIBUTING#L632
describes the upstream guidelines for tagging the entries in the upstream changelog based
on their purpose, importance, severity, etc.

Below, I summarize the relevant bits of such guidelines.

Patches "fixing a bug must have the 'BUG' tag", e.g., "BUG/MAJOR: description"

"When the patch cannot be categorized, [...] only use a risk or complexity
information [...]. This is commonly the case for new features". For
instance, "MINOR: description"

For MINOR tags, the patch "is safe enough to be backported to stable
branches".

Patches tagged MEDIUM "may cause unexpected regressions of low importance
[...], the patch is safe but touches working areas".

Patches tagged MAJOR carry a "major risk of hidden regression". No changes are tagged MAJOR without a bug classifier, i.e., all of the patches classified as MAJOR are BUG/MAJOR and will be discussed below.

There is also a CRITICAL tag but no changes are tagged with it in the new
candidate versions.

[Regression Potential - CA - Impact]

For the next Jammy update, we would upgrade HAPRoxy from 2.4.14 to 2.4.29. Among
the changes, there are 5 bug fixes tagged as BUG/MAJOR and 15 uncategorized changes (potentially functional), where 13 are tagged as MINOR and 2 are tagged as MEDIUM.

For the next Noble update, we would upgrade HAPRoxy from 2.8.5 to 2.8.15. This has the largest impactful change set for these proposed HAProxy upgrades. Among the changes, there are 12 bug fixes tagged as BUG/MAJOR and 80 uncategorized changes (potentially functional), where 74 are tagged as MINOR and 6 are tagged as MEDIUM.

For the next Plucky update, we would upgrade HAPRoxy from 3.0.8 to 3.0.10. Among the changes, there are 21 uncategorized changes (potentially functional), where 20 are tagged as MINOR and 1 is tagged as MEDIUM.

[Regression Potential - CA - Assessment]

Below we discuss the changes with the greater regression potential (and the most relevant uncategorized ones, which may contain functional changes)

All uncategorized MINOR changes are either adding new internal functions used by other bug fixes, or other internal changes where regressions are not expected. Hence, they will not be discussed.

Unless they are discussed below changes tagged BUG/MAJOR had the MAJOR tag chosen due to the severity of the bugs and not due to the regression potential (and that is why they are not being discussed).

Plucky (25.04): HAProxy 3.0.10:

- MEDIUM: epoll: skip reports of stale file descriptors

This was an internal change to make the poller stop reporting events for wrong file descriptions.

Noble (24.04): HAProxy 2.8.15:

- BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions

This was done to mimic the behavior of the OpenSSL socket BIO

- MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection

This introduces two new configuration keywords
      tune.h2.be.glitches-threshold
      tune.h2.fe.glitches-threshold
to set a glitch threshold to eliminate bad behaving clients. The default value is set to zero, meaning no threshold is set, i.e., there is no change of behavior by default.

- MEDIUM: debug: on panic, make the target thread automatically allocate its buf

This is an improvement on how threads states are kept upon panic to improve debugging. This is a functional change, but helpful for debugging and only triggered upon panic.

- MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option

For HTTP/1, accept invalid entries for chuncked Transfer-Encoding values when the accept-invalid-http-response is set. This is done to match the 2.4 behavior (jammy).

- MEDIUM: ssl: initialize the SSL stack explicitly

The SSL stack will always be fully, explicitly initialized. This was needed to fix issues with FIPS enabled servers.

- MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)

This sets a default value for fd_hard_limit in case it is not set in the configuration to a reasonable vaule of 1048576. This is done to avoid having the process killed by its watchdog on systems where the limit is too high. The fd_hard_limit configuration has precedence over the new default value. Hence, any issues for special cases where it needs to be larger than the new default value, can be fixed by setting a value for fd_hard_limit.

- MEDIUM: config: prevent communication with privileged ports

Introduces a new configuration harden.reject_privileged_ports.{tcp|quic}. This is a security feature and the default is to not reject connections from privileged ports to avoid regressions (i.e., maintain the pre-upgrade behavior).

Jammy (22.04): HAProxy 2.4.29:

- MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads

This internal change is needed to fix a bug to properly handle abortonclose when it is set on backend only. This was functional, non-buggy code being touched and thus the MEDIUM tag.

- MEDIUM: ssl: initialize the SSL stack explicitly

The SSL stack will always be fully, explicitly initialized. This was needed to fix issues with FIPS enabled servers.

[Appendix A - Upstream potentially breaking changes list]

Below you will find the list of changes I extracted from the full changelogs of
the new candidate versions. I filtered the changelogs with the following command:

$ cat $CHANGELOG_FILE | grep -E '^[^ ]|(- )?(MAJOR|CRIT)|- (MINOR|MEDIUM)'

This selected only the unclassified (not bug fixing) changes and the bug fixing
changes classified as BUG/MAJOR or BUG/CRITICAL.

Plucky:
2025/04/22 : 3.0.10
    - MINOR: log: support "raw" logformat node typecast
    - MINOR: task: add thread safe notification_new and notification_wake variants
    - MINOR: fd: add a generation number to file descriptors
    - MINOR: epoll: permit to mask certain specific events
    - MEDIUM: epoll: skip reports of stale file descriptors
    - MINOR: tools: also protect the library name resolution against concurrent accesses
2025/03/20 : 3.0.9
    - MINOR: mux-quic: change return value of qcs_attach_sc()
    - MINOR: startup: adjust alert messages, when capabilities are missed
    - MINOR: clock: always use atomic ops for global_now_ms
    - MINOR: tinfo: add a new thread flag to indicate a call from a sig handler
    - MINOR: freq_ctr: provide non-blocking read functions
    - MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines
    - MINOR: compiler: add a simple macro to concatenate resolved strings
    - MINOR: compiler: add a new __decl_thread_var() macro to declare local variables
    - MINOR: tools: resolve main() only once in resolve_sym_name()
    - MINOR: tools: use only opportunistic symbols resolution
    - MINOR: tinfo: split the signal handler report flags into 3
    - MINOR: cli: export cli_io_handler() to ease symbol resolution
    - MINOR: tools: improve symbol resolution without dl_addr
    - MINOR: tools: ease the declaration of known symbols in resolve_sym_name()
    - MINOR: tools: teach resolve_sym_name() a few more common symbols

Noble:
2025/04/22 : 2.8.15
    - MINOR: mux-quic: change return value of qcs_attach_sc()
    - MINOR: clock: always use atomic ops for global_now_ms
    - MINOR: tinfo: add a new thread flag to indicate a call from a sig handler
    - MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines
    - MINOR: compiler: add a simple macro to concatenate resolved strings
    - MINOR: compiler: add a new __decl_thread_var() macro to declare local variables
    - MINOR: tools: resolve main() only once in resolve_sym_name()
    - MINOR: tools: use only opportunistic symbols resolution
    - MINOR: cli: export cli_io_handler() to ease symbol resolution
    - MINOR: tools: improve symbol resolution without dl_addr
    - MINOR: tools: ease the declaration of known symbols in resolve_sym_name()
    - MINOR: tools: teach resolve_sym_name() a few more common symbols
    - MINOR: task: add thread safe notification_new and notification_wake variants
    - MINOR: tools: also protect the library name resolution against concurrent accesses
2025/01/29 : 2.8.14
    - MINOR: debug: make mark_tainted() return the previous value
    - MINOR: chunk: drop the global thread_dump_buffer
    - MINOR: debug: split ha_thread_dump() in two parts
    - MINOR: debug: slightly change the thread_dump_pointer signification
    - MINOR: debug: make ha_thread_dump_done() take the pointer to be used
    - MINOR: debug: replace ha_thread_dump() with its two components
    - MEDIUM: debug: on panic, make the target thread automatically allocate its buf
    - MINOR: quic: notify connection layer on handshake completion
    - MINOR: quic: simplify qc_parse_pkt_frms() return path
    - MINOR: quic: use dynamically allocated frame on parsing
    - MINOR: quic: extend return value of CRYPTO parsing
    - MINOR: config: Alert about extra arguments for errorfile and errorloc
    - BUG/MAJOR: quic: reject too large CRYPTO frames
    - MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount
2024/12/12 : 2.8.13
    - MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
    - MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG
    - MINOR: activity/memprofile: offer a function to unregister stale info
    - MINOR: quic: convert qc_stream_desc release field to flags
    - MINOR: quic: implement function to check if STREAM is fully acked
    - BUG/MAJOR: quic: fix wrong packet building due to already acked frames
2024/11/08 : 2.8.12
    - BUG/MAJOR: ocsp: Separate refcount per instance and per store
    - MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
    - MINOR: activity/memprofile: always return "other" bin on NULL return address
    - MINOR: pools: export the pools variable
    - MINOR: cli: remove non-printable characters from 'debug dev fd'
    - MINOR: stream: Save last evaluated rule on invalid yield
2024/09/19 : 2.8.11
    - MINOR: activity: make the memory profiling hash size configurable at build time
    - MEDIUM: ssl: initialize the SSL stack explicitely
    - MINOR: queue: add a function to check for TOCTOU after queueing
    - MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
    - MINOR: channel: implement ci_insert() function
    - BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
2024/06/14 : 2.8.10
    - MINOR: net_helper: Add support for floats/doubles.
    - MINOR: log: add dup_logsrv() helper function
    - BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
    - MEDIUM: config: prevent communication with privileged ports
    - MINOR: session: rename private conns elements
    - BUG/MAJOR: server: do not delete srv referenced by session
    - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
2024/04/05 : 2.8.9
2024/04/05 : 2.8.8
    - MINOR: mux-h2: add a counter of "glitches" on a connection
    - MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
    - MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
    - MINOR: mux-h2: always use h2c_report_glitch()
    - MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
    - MINOR: connection: add a new mux_ctl to report number of connection glitches
    - MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
    - MINOR: connection: add sample fetches to report per-connection glitches
    - BUG/MAJOR: promex: fix crash on deleted server
    - MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
    - BUG/MAJOR: server: fix stream crash due to deleted server
    - MINOR: hlua: Be able to disable logging from lua
    - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
    - MINOR: hlua: use accessors for stream hlua ctx
    - MINOR: server: allow cookie for dynamic servers
    - MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
2024/02/26 : 2.8.7
    - BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
2024/02/15 : 2.8.6
    - MINOR: stats: store the parent proxy in stats ctx (http)
    - MINOR: h3: check connection error during sending
    - MINOR: mux-h2: support limiting the total number of H2 streams per connection
    - MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
    - MINOR: debug: make sure calls to ha_crash_now() are never merged
    - MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
    - MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
    - MINOR: mux-h2/traces: also suggest invalid header upon parsing error
    - MINOR: mux-h2/traces: explicitly show the error/refused stream states
    - MINOR: mux-h2/traces: clarify the "rejected H2 request" event
    - MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
    - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
    - MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
    - MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
    - MINOR: quic: extract qc_stream_buf free in a dedicated function
    - MINOR: h3: add traces for stream sending function
    - MINOR: quic: Stop using 1024th of a second.
    - MINOR: quic: Update K CUBIC calculation (RFC 9438)
    - MINOR: quic: Dynamic packet reordering threshold
    - MINOR: quic: Add a counter for reordered packets
    - MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
    - MINOR: ext-check: add an option to preserve environment variables

Jammy:
2025/04/22 : 2.4.29
    - MINOR: cli: export cli_io_handler() to ease symbol resolution
2024/11/08 : 2.4.28
    - MINOR: session: rename private conns elements
    - BUG/MAJOR: server: do not delete srv referenced by session
    - MEDIUM: ssl: initialize the SSL stack explicitely
2024/06/18 : 2.4.27
    - MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
    - MINOR: hlua: don't dump empty entries in hlua_traceback()
    - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
2024/04/05 : 2.4.26
    - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
    - MINOR: hlua: Be able to disable logging from lua
    - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
    - MINOR: hlua: use accessors for stream hlua ctx
2023/12/14 : 2.4.25
    - MINOR: hlua: add hlua_stream_ctx_prepare helper function
    - MINOR: buf: Add b_force_xfer() function
    - BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
    - MINOR: pattern: fix pat_{parse,match}_ip() function comments
    - MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
    - MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads
    - MINOR: htx: Use a macro for overhead induced by HTX
    - MINOR: channel: Add functions to get info on buffers and deal with HTX streams
    - MINOR: stktable: add stktable_deinit function

[Previous updates]

- LP: #2012557
- LP: #2028418