New HAProxy upstream microreleases 2.4.30, 2.8.16, and 3.0.12
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| haproxy (Ubuntu) | In Progress | Wishlist | Athos Ribeiro | |
| Jammy | In Progress | Undecided | Unassigned | |
| Noble | In Progress | Undecided | Unassigned | |
| Plucky | In Progress | Undecided | Unassigned | |
| Questing | In Progress | Undecided | Unassigned | |
Bug Description
This bug tracks an update for the HAProxy package in the following Ubuntu
releases to the versions below:
* questing (25.10): HAProxy 3.0.12 (See entries from 3.0.11 to 3.0.12).
* plucky (25.04): HAProxy 3.0.12 (See entries from 3.0.11 to 3.0.12).
* noble (24.04): HAProxy 2.8.16.
* jammy (22.04): HAProxy 2.4.30.
These updates include bugfixes only following the SRU policy exception defined
at https:/
[Upstream changes]
HAProxy 3.0.12: https:/
HAProxy 2.8.16: https:/
HAProxy 2.4.30: https:/
Important bug fixes include:
* questing (25.10) and plucky (25.04) - HAProxy 3.0.12:
- BUG/MAJOR: quic: fix INITIAL padding with probing packet only
- BUG/MAJOR: mux-quic: fix crash on reload during emission
- BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
- BUG/MAJOR: stream: Force channel analysis on successful synchronous send
- BUG/MAJOR: listeners: transfer connection accounting when switching listeners
- BUG/MAJOR: cache: Crash because of wrong cache entry deleted
* noble (24.04) - HAProxy 2.8.16:
- BUG/MAJOR: listeners: transfer connection accounting when switching
Also, all the new releases being introduced here include a CVE fix:
- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
already applied by security
However, this CVE was already introduced in the security pocket by the security team, so we will be just dropping the Ubuntu patch there.
[Test Plan]
Since the upstream CI pipelines do not run (publicly) for HAProxy 2.4, 2.8, and 3.0, we triggered those using the upstream project GitHub workflows:
HAProxy 2.4.30 (jammy): https:/
HAProxy 2.8.16 (noble): https:/
HAProxy 3.0.12 (plucky/questing): https:/
The Windows-related workflows are failing, but this should not be relevant here. For 2.4 and 2.8, the macOS tests in the vtest workflow are also failing. These should not be relevant here either.
A test build set is available at https:/
* Results:
- haproxy: jammy/haproxy/
+ ✅ haproxy on jammy for amd64 @ 04.12.25 10:33:02 Log️ 🗒️
- haproxy: jammy/haproxy/
+ ✅ haproxy on jammy for arm64 @ 04.12.25 10:33:56 Log️ 🗒️
- haproxy: jammy/haproxy/
+ ✅ haproxy on jammy for armhf @ 04.12.25 10:36:41 Log️ 🗒️
- haproxy: jammy/haproxy/
+ ✅ haproxy on jammy for ppc64el @ 04.12.25 10:51:14 Log️ 🗒️
- haproxy: jammy/haproxy/
+ ✅ haproxy on jammy for s390x @ 04.12.25 11:19:32 Log️ 🗒️
- haproxy: noble/haproxy/
+ ✅ haproxy on noble for amd64 @ 04.12.25 10:35:07 Log️ 🗒️
- haproxy: noble/haproxy/
+ ✅ haproxy on noble for arm64 @ 04.12.25 10:44:40 Log️ 🗒️
- haproxy: noble/haproxy/
+ ✅ haproxy on noble for armhf @ 04.12.25 10:36:22 Log️ 🗒️
- haproxy: noble/haproxy/
+ ✅ haproxy on noble for ppc64el @ 04.12.25 10:35:49 Log️ 🗒️
- haproxy: noble/haproxy/
+ ✅ haproxy on noble for s390x @ 04.12.25 10:32:47 Log️ 🗒️
- haproxy: plucky/
+ ✅ haproxy on plucky for amd64 @ 04.12.25 10:34:25 Log️ 🗒️
- haproxy: plucky/
+ ✅ haproxy on plucky for arm64 @ 04.12.25 10:33:38 Log️ 🗒️
- haproxy: plucky/
+ ✅ haproxy on plucky for armhf @ 04.12.25 10:35:54 Log️ 🗒️
- haproxy: plucky/
+ ✅ haproxy on plucky for ppc64el @ 04.12.25 10:34:12 Log️ 🗒️
- haproxy: plucky/
+ ✅ haproxy on plucky for s390x @ 04.12.25 10:33:14 Log️ 🗒️
- haproxy: questing/
+ ✅ haproxy on questing for amd64 @ 04.12.25 10:43:49 Log️ 🗒️
- haproxy: questing/
+ ✅ haproxy on questing for arm64 @ 04.12.25 10:54:32 Log️ 🗒️
- haproxy: questing/
+ ✅ haproxy on questing for armhf @ 04.12.25 10:35:43 Log️ 🗒️
- haproxy: questing/
+ ✅ haproxy on questing for ppc64el @ 04.12.25 10:35:28 Log️ 🗒️
- haproxy: questing/
+ ✅ haproxy on questing for s390x @ 04.12.25 10:53:24 Log️ 🗒️
[Regression Potential]
HAProxy itself does not have many reverse dependencies; however, any upgrade
carries a risk of introducing some breakage to other packages. Whenever a test
failure is detected, we will be on top of it and make sure it doesn't affect
existing users.
[Regression Potential - Changes Analysis (CA)]
There are some low regression risk (as per upstream classification) functional changes.
Moreover, some (fewer) bug fixes have a possible medium regression risk (again, as per upstream classification).
The functional changes mentioned above were included because they are, in majority, needed by other entries which are bug fixes, i.e., these are functional changes needed to fix specific bugs.
[Regression Potential - CA - Upstream changes classification criteria]
https:/
describes the upstream guidelines for tagging the entries in the upstream changelog based
on their purpose, importance, severity, etc.
Below, I summarize the relevant bits of such guidelines.
Patches "fixing a bug must have the 'BUG' tag", e.g., "BUG/MAJOR: description"
"When the patch cannot be categorized, [...] only use a risk or complexity
information [...]. This is commonly the case for new features". For
instance, "MINOR: description"
For MINOR tags, the patch "is safe enough to be backported to stable
branches".
Patches tagged MEDIUM "may cause unexpected regressions of low importance
[...], the patch is safe but touches working areas".
Patches tagged MAJOR carry a "major risk of hidden regression". No changes are tagged MAJOR without a bug classifier, i.e., all of the patches classified as MAJOR are BUG/MAJOR and will be discussed below.
There is also a CRITICAL tag but no changes are tagged with it in the new
candidate versions other than the CVE patch which was already available in the security pocket.
[Regression Potential - CA - Impact]
For the next Jammy update, we would upgrade HAProxy from 2.4.29 to 2.4.30. Since the CVE fix introduced in this new upstream version is already applied in jammy, this new version is only introducing a couple of minor bug fixes which should have very little regression impact.
For the next Noble update, we would upgrade HAProxy from 2.8.15 to 2.8.16. Among the changes, there is 1 bug fix tagged as BUG/MAJOR and 8 uncategorized changes (potentially functional), where 7 are tagged as MINOR and 1 is tagged as MEDIUM.
For the next Plucky and Questing updates, we would upgrade HAProxy from 3.0.10 to 3.0.12. Among the changes, there are 6 bug fixes tagged as BUG/MAJOR and 17 uncategorized changes (potentially functional), where 15 are tagged as MINOR and 2 are tagged as MEDIUM.
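The tallies above follow from the upstream tag format quoted in the classification criteria. As an added example (not part of the original bug description or of HAProxy), the sketch below parses changelog subject lines and separates the entries that warrant individual review; the `REVIEW` selection rule and the two lines marked as constructed are assumptions of this example.

```python
import re
from collections import Counter

# "[KIND/]SEVERITY: subsystem: subject", e.g. "BUG/MAJOR: quic: ..." or "MINOR: ...".
ENTRY_RE = re.compile(
    r"^\s*-\s*(?:(?P<kind>[A-Z]+)/)?"
    r"(?P<sev>MINOR|MEDIUM|MAJOR|CRITICAL):\s*(?P<subject>.+)$"
)

# Constructed sample: subject lines quoted in this bug description, plus two
# made-up lines (the "example:" ones) to exercise the remaining branches.
SAMPLE = """\
    - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
    - BUG/MAJOR: cache: Crash because of wrong cache entry deleted
    - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
    - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
    - MEDIUM: hlua: Add function to change the body length of an HTTP Message
    - MINOR: example: constructed internal helper entry
    - DOC: example: constructed entry without a severity tag
"""

# Assumption of this example: uncategorized MINOR entries are skipped, while
# uncategorized MEDIUM and above and BUG/MAJOR and above are looked at one by one.
REVIEW = {"MEDIUM", "MAJOR", "CRITICAL", "BUG/MAJOR", "BUG/CRITICAL"}


def triage(changelog):
    """Return (Counter of tags, list of (tag, subject) needing review)."""
    counts, review = Counter(), []
    for line in changelog.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            # A list entry without a risk tag (DOC, CLEANUP, ...) is counted apart.
            if line.strip().startswith("-"):
                counts["OTHER"] += 1
            continue
        kind, sev = m["kind"], m["sev"]
        if kind is None:
            tag = sev                 # uncategorized, possibly functional
        elif kind == "BUG":
            tag = "BUG/" + sev        # bug fix
        else:
            tag = "OTHER"             # BUILD/..., CI/..., etc.
        counts[tag] += 1
        if tag in REVIEW:
            review.append((tag, m["subject"]))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for tag, subject in review:
        print(f"review: {tag}: {subject}")
```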
[Regression Potential - CA - Assessment]
Below we discuss the changes with the greater regression potential (and the most relevant uncategorized ones, which may contain functional changes).
All uncategorized MINOR changes are either adding new internal functions used by other bug fixes, or other internal changes where regressions are not expected. Hence, they will not be discussed.
Unless they are discussed below, changes tagged BUG/MAJOR had the MAJOR tag chosen due to the severity of the bugs and not due to the regression potential (and that is why they are not being discussed).
Plucky (25.04) and Questing (25.10): HAProxy 3.0.12:
- MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
Since the name stored in a certificate tree can be an alias and not a path,
requiring full paths in the certificate name when adding it through a CLI
was a bug. This is now fixed. It also means that the tool or user inserting the
certificate must now check itself that the certificate was placed at the right
spot on the filesystem.
- BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
A couple of flags are being removed after evaluation. Although this is supposed
to be a safe/internal only change, it is tagged as MAJOR because this area is
really sensitive to any changes. FWIW, this change caused a regression during
development and was reverted in this same released version.
- BUG/MAJOR: stream: Force channel analysis on successful synchronous send
This reverts the change above due to a regression and fixes the underlying
issue by adding a different flag instead of removing flags. This is set as
MAJOR due to the fixed regression.
- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
This was already applied by the security team.
- MEDIUM: hlua: Add function to change the body length of an HTTP Message
This adds a new function for a lua filter to change the body length of an HTTP Message.
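For the "ssl/cli: relax crt insertion" entry above, the placement check now falls to whatever tool drives the CLI. The following added example (not HAProxy code and not part of the original bug description) shows one such pre-flight check; the function names and the policy it enforces (regular file directly inside the directory, not writable by group or others) are assumptions of this example.

```python
import os
import stat


def check_cert_placement(crt_dir, cert_path):
    """Return the resolved path of cert_path if it may be inserted into the
    directory-type crt-list crt_dir; raise ValueError otherwise."""
    real_dir = os.path.realpath(crt_dir)
    real_cert = os.path.realpath(cert_path)  # follows symlinks
    if not os.path.isdir(real_dir):
        raise ValueError(f"{crt_dir}: not a directory")
    # Example policy (assumption): the file must sit directly in the directory.
    # Comparing resolved paths also rejects symlinks that point elsewhere.
    if os.path.dirname(real_cert) != real_dir:
        raise ValueError(f"{cert_path}: resolves outside {real_dir}")
    try:
        st = os.stat(real_cert)
    except FileNotFoundError:
        raise ValueError(f"{cert_path}: does not exist") from None
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{cert_path}: not a regular file")
    if st.st_mode & 0o022:
        raise ValueError(f"{cert_path}: writable by group or others")
    return real_cert


def crtlist_add_command(crt_dir, cert_path):
    """Build the 'add ssl crt-list' CLI line only after the check passes.

    Both names are passed through as the caller gave them; whitespace is
    refused because the CLI line is space-separated.
    """
    if any(c.isspace() for c in crt_dir + cert_path):
        raise ValueError("whitespace in crt-list or certificate name")
    check_cert_placement(crt_dir, cert_path)
    return f"add ssl crt-list {crt_dir} {cert_path}"
```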
Noble (24.04): HAProxy 2.8.16:
Both entries here were already discussed above for Plucky/Questing:
- MEDIUM: hlua: Add function to change the body length of an HTTP Message
- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
Jammy (22.04): HAProxy 2.4.30:
The only entry here was already discussed above for Plucky/Questing:
- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
[Previous updates]
Related branches
- git-ubuntu bot: Approve
- Hector CAO (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 327 lines (+83/-95), 12 files modified
CHANGELOG (+9/-0)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
debian/changelog (+11/-0)
debian/patches/series (+0/-1)
dev/null (+0/-83)
doc/configuration.txt (+7/-1)
include/haproxy/compiler.h (+35/-0)
src/h2.c (+3/-3)
src/mjson.c (+12/-2)
src/tools.c (+2/-1)
- git-ubuntu bot: Approve
- Hector CAO (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 3358 lines (+1152/-417), 59 files modified
CHANGELOG (+113/-0)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
admin/halog/halog.c (+20/-1)
debian/changelog (+16/-0)
debian/patches/series (+0/-1)
dev/null (+0/-83)
doc/configuration.txt (+98/-32)
doc/lua-api/index.rst (+27/-2)
doc/management.txt (+30/-0)
include/haproxy/applet.h (+4/-1)
include/haproxy/compat.h (+5/-0)
include/haproxy/compiler.h (+11/-0)
include/haproxy/dns-t.h (+6/-1)
include/haproxy/fd.h (+2/-1)
include/haproxy/hlua-t.h (+2/-2)
include/haproxy/http.h (+46/-0)
include/haproxy/http_client-t.h (+1/-0)
include/haproxy/quic_tp-t.h (+7/-0)
include/haproxy/ssl_ocsp.h (+1/-0)
include/haproxy/ssl_sock-t.h (+1/-0)
reg-tests/README (+1/-1)
reg-tests/lua/close_wait_lf.vtc (+1/-0)
reg-tests/sample_fetches/cond_set_var.vtc (+2/-2)
scripts/announce-release (+4/-43)
scripts/build-vtest.sh (+1/-1)
src/acl.c (+3/-1)
src/activity.c (+4/-4)
src/check.c (+11/-3)
src/cli.c (+11/-1)
src/dns.c (+30/-7)
src/h1.c (+7/-1)
src/h2.c (+17/-3)
src/h3.c (+32/-4)
src/haproxy.c (+55/-30)
src/hlua.c (+156/-18)
src/http_client.c (+73/-27)
src/linuxcap.c (+8/-2)
src/listener.c (+7/-2)
src/log.c (+6/-6)
src/mjson.c (+12/-2)
src/mux_h1.c (+5/-3)
src/mux_h2.c (+11/-4)
src/mux_quic.c (+11/-1)
src/quic_conn.c (+19/-23)
src/quic_tp.c (+120/-48)
src/resolvers.c (+3/-1)
src/sample.c (+39/-5)
src/server.c (+17/-2)
src/sink.c (+13/-0)
src/ssl_ckch.c (+1/-21)
src/ssl_ocsp.c (+13/-2)
src/ssl_sock.c (+51/-13)
src/stick_table.c (+3/-3)
src/stream.c (+3/-3)
src/tcpcheck.c (+2/-1)
src/thread.c (+4/-0)
src/tools.c (+2/-1)
- git-ubuntu bot: Approve
- Hector CAO (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 6227 lines (+1913/-861), 103 files modified
CHANGELOG (+184/-0)
Makefile (+2/-1)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
addons/deviceatlas/Makefile.inc (+2/-1)
admin/halog/halog.c (+28/-1)
debian/changelog (+22/-0)
debian/patches/series (+0/-1)
dev/null (+0/-83)
doc/DeviceAtlas-device-detection.txt (+26/-5)
doc/configuration.txt (+116/-39)
doc/lua-api/index.rst (+27/-2)
doc/management.txt (+30/-0)
include/haproxy/applet.h (+4/-1)
include/haproxy/compat.h (+17/-2)
include/haproxy/compiler.h (+11/-0)
include/haproxy/connection-t.h (+8/-6)
include/haproxy/dns-t.h (+6/-1)
include/haproxy/fd.h (+2/-1)
include/haproxy/hlua-t.h (+7/-4)
include/haproxy/http.h (+46/-0)
include/haproxy/http_client-t.h (+7/-2)
include/haproxy/list.h (+3/-2)
include/haproxy/mux_quic-t.h (+2/-0)
include/haproxy/mux_quic.h (+1/-0)
include/haproxy/quic_cc-t.h (+5/-5)
include/haproxy/quic_cc.h (+6/-4)
include/haproxy/quic_conn-t.h (+3/-0)
include/haproxy/quic_frame-t.h (+1/-1)
include/haproxy/quic_frame.h (+1/-1)
include/haproxy/quic_tp-t.h (+7/-0)
include/haproxy/sc_strm.h (+13/-10)
include/haproxy/server.h (+1/-1)
include/haproxy/ssl_ocsp.h (+1/-0)
include/haproxy/ssl_sock-t.h (+1/-0)
include/haproxy/stconn-t.h (+1/-0)
reg-tests/README (+1/-1)
reg-tests/http-rules/map_redirect.vtc (+8/-8)
reg-tests/lua/close_wait_lf.vtc (+1/-0)
reg-tests/sample_fetches/cond_set_var.vtc (+2/-2)
reg-tests/sample_fetches/srv_name.vtc (+1/-0)
reg-tests/server/cli_delete_dynamic_server.vtc (+1/-0)
reg-tests/ssl/ocsp_compat_check.vtc (+12/-0)
scripts/announce-release (+4/-43)
scripts/build-vtest.sh (+2/-2)
src/acl.c (+7/-1)
src/activity.c (+4/-4)
src/cache.c (+2/-2)
src/cfgparse-listen.c (+6/-0)
src/check.c (+11/-3)
src/cli.c (+19/-6)
src/connection.c (+30/-14)
src/cpuset.c (+4/-1)
src/dns.c (+30/-7)
src/flt_http_comp.c (+6/-0)
src/guid.c (+4/-6)
src/h1.c (+7/-1)
src/h2.c (+17/-3)
src/h3.c (+48/-4)
src/haproxy.c (+27/-15)
src/hlua.c (+195/-22)
src/hlua_fcn.c (+39/-13)
src/http_client.c (+74/-28)
src/listener.c (+7/-2)
src/log.c (+52/-48)
src/mjson.c (+12/-2)
src/mux_fcgi.c (+1/-1)
src/mux_h1.c (+5/-6)
src/mux_h2.c (+10/-7)
src/mux_quic.c (+40/-14)
src/pattern.c (+5/-1)
src/peers.c (+28/-1)
src/quic_cc.c (+30/-1)
src/quic_cc_cubic.c (+7/-21)
src/quic_cc_newreno.c (+7/-15)
src/quic_cc_nocc.c (+1/-1)
src/quic_cli.c (+2/-2)
src/quic_frame.c (+4/-5)
src/quic_rx.c (+47/-84)
src/quic_sock.c (+18/-2)
src/quic_ssl.c (+14/-23)
src/quic_tp.c (+120/-48)
src/quic_tx.c (+58/-63)
src/resolvers.c (+3/-1)
src/ring.c (+2/-2)
src/sample.c (+39/-5)
src/server.c (+90/-48)
src/server_state.c (+6/-2)
src/sink.c (+20/-5)
src/ssl_ckch.c (+2/-21)
src/ssl_crtlist.c (+0/-18)
src/ssl_ocsp.c (+14/-3)
src/ssl_sample.c (+8/-1)
src/ssl_sock.c (+51/-13)
src/stconn.c (+5/-0)
src/stick_table.c (+25/-14)
src/stream.c (+3/-3)
src/tcp_act.c (+2/-2)
src/tcpcheck.c (+2/-1)
src/thread.c (+4/-0)
src/tools.c (+5/-2)
src/trace.c (+7/-9)
- git-ubuntu bot: Approve
- Hector CAO (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 6227 lines (+1913/-861), 103 files modified
CHANGELOG (+184/-0)
Makefile (+2/-1)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
addons/deviceatlas/Makefile.inc (+2/-1)
admin/halog/halog.c (+28/-1)
debian/changelog (+22/-0)
debian/patches/series (+0/-1)
dev/null (+0/-83)
doc/DeviceAtlas-device-detection.txt (+26/-5)
doc/configuration.txt (+116/-39)
doc/lua-api/index.rst (+27/-2)
doc/management.txt (+30/-0)
include/haproxy/applet.h (+4/-1)
include/haproxy/compat.h (+17/-2)
include/haproxy/compiler.h (+11/-0)
include/haproxy/connection-t.h (+8/-6)
include/haproxy/dns-t.h (+6/-1)
include/haproxy/fd.h (+2/-1)
include/haproxy/hlua-t.h (+7/-4)
include/haproxy/http.h (+46/-0)
include/haproxy/http_client-t.h (+7/-2)
include/haproxy/list.h (+3/-2)
include/haproxy/mux_quic-t.h (+2/-0)
include/haproxy/mux_quic.h (+1/-0)
include/haproxy/quic_cc-t.h (+5/-5)
include/haproxy/quic_cc.h (+6/-4)
include/haproxy/quic_conn-t.h (+3/-0)
include/haproxy/quic_frame-t.h (+1/-1)
include/haproxy/quic_frame.h (+1/-1)
include/haproxy/quic_tp-t.h (+7/-0)
include/haproxy/sc_strm.h (+13/-10)
include/haproxy/server.h (+1/-1)
include/haproxy/ssl_ocsp.h (+1/-0)
include/haproxy/ssl_sock-t.h (+1/-0)
include/haproxy/stconn-t.h (+1/-0)
reg-tests/README (+1/-1)
reg-tests/http-rules/map_redirect.vtc (+8/-8)
reg-tests/lua/close_wait_lf.vtc (+1/-0)
reg-tests/sample_fetches/cond_set_var.vtc (+2/-2)
reg-tests/sample_fetches/srv_name.vtc (+1/-0)
reg-tests/server/cli_delete_dynamic_server.vtc (+1/-0)
reg-tests/ssl/ocsp_compat_check.vtc (+12/-0)
scripts/announce-release (+4/-43)
scripts/build-vtest.sh (+2/-2)
src/acl.c (+7/-1)
src/activity.c (+4/-4)
src/cache.c (+2/-2)
src/cfgparse-listen.c (+6/-0)
src/check.c (+11/-3)
src/cli.c (+19/-6)
src/connection.c (+30/-14)
src/cpuset.c (+4/-1)
src/dns.c (+30/-7)
src/flt_http_comp.c (+6/-0)
src/guid.c (+4/-6)
src/h1.c (+7/-1)
src/h2.c (+17/-3)
src/h3.c (+48/-4)
src/haproxy.c (+27/-15)
src/hlua.c (+195/-22)
src/hlua_fcn.c (+39/-13)
src/http_client.c (+74/-28)
src/listener.c (+7/-2)
src/log.c (+52/-48)
src/mjson.c (+12/-2)
src/mux_fcgi.c (+1/-1)
src/mux_h1.c (+5/-6)
src/mux_h2.c (+10/-7)
src/mux_quic.c (+40/-14)
src/pattern.c (+5/-1)
src/peers.c (+28/-1)
src/quic_cc.c (+30/-1)
src/quic_cc_cubic.c (+7/-21)
src/quic_cc_newreno.c (+7/-15)
src/quic_cc_nocc.c (+1/-1)
src/quic_cli.c (+2/-2)
src/quic_frame.c (+4/-5)
src/quic_rx.c (+47/-84)
src/quic_sock.c (+18/-2)
src/quic_ssl.c (+14/-23)
src/quic_tp.c (+120/-48)
src/quic_tx.c (+58/-63)
src/resolvers.c (+3/-1)
src/ring.c (+2/-2)
src/sample.c (+39/-5)
src/server.c (+90/-48)
src/server_state.c (+6/-2)
src/sink.c (+20/-5)
src/ssl_ckch.c (+2/-21)
src/ssl_crtlist.c (+0/-18)
src/ssl_ocsp.c (+14/-3)
src/ssl_sample.c (+8/-1)
src/ssl_sock.c (+51/-13)
src/stconn.c (+5/-0)
src/stick_table.c (+25/-14)
src/stream.c (+3/-3)
src/tcp_act.c (+2/-2)
src/tcpcheck.c (+2/-1)
src/thread.c (+4/-0)
src/tools.c (+5/-2)
src/trace.c (+7/-9)
| Changed in haproxy (Ubuntu): | |
| importance: | Undecided → Wishlist |
| milestone: | none → ubuntu-26.02 |
| Changed in haproxy (Ubuntu): | |
| assignee: | nobody → Athos Ribeiro (athos) |
| summary: | - Backport of haproxy for jammy, noble and questing + Micro release updates for jammy, noble and questing |
| description: | updated |
| description: | updated |
| summary: | - Micro release updates for jammy, noble and questing + New HAProxy upstream microreleases 2.4.30, 2.8.16, and 3.0.12 |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| Changed in haproxy (Ubuntu Jammy): | |
| status: | New → In Progress |
| Changed in haproxy (Ubuntu Noble): | |
| status: | New → In Progress |
| Changed in haproxy (Ubuntu Plucky): | |
| status: | New → In Progress |
| Changed in haproxy (Ubuntu Questing): | |
| status: | New → In Progress |
| Changed in haproxy (Ubuntu): | |
| status: | New → In Progress |
| milestone: | ubuntu-26.02 → ubuntu-25.12 |
| tags: | added: server-todo |

plucky is EOL in a ~month, do you still want to get the new version there?