SUSE-CU-2023:1459-1: Security update of ses/7.1/ceph/haproxy

sle-security-updates at sle-security-updates at
Sun May 7 07:02:41 UTC 2023

SUSE Container Update Advisory: ses/7.1/ceph/haproxy
Container Advisory ID : SUSE-CU-2023:1459-1
Container Tags        : ses/7.1/ceph/haproxy:2.0.31 , ses/7.1/ceph/haproxy: , ses/7.1/ceph/haproxy:latest , ses/7.1/ceph/haproxy:sle15.3.pacific
Container Release     : 3.5.391
Severity              : important
Type                  : security
References            : 1065270 1178233 1199132 1203248 1203249 1203599 1203715 1204548
                        1204585 1204956 1205570 1205636 1206949 1207181 1207294 1207571
                        1207780 1207957 1207975 1207992 1208132 1208358 1208828 1208828
                        1208957 1208959 1209042 1209122 1209187 1209209 1209210 1209211
                        1209212 1209214 1209533 1209624 1209713 1209714 1209873 1209878
                        1210135 1210411 1210412 1210434 1210507 CVE-2021-3541 CVE-2022-29824
                        CVE-2022-4899 CVE-2023-0056 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466
                        CVE-2023-0512 CVE-2023-0687 CVE-2023-1127 CVE-2023-1127 CVE-2023-1170
                        CVE-2023-1175 CVE-2023-1264 CVE-2023-1355 CVE-2023-23916 CVE-2023-24593
                        CVE-2023-25180 CVE-2023-25725 CVE-2023-27533 CVE-2023-27534 CVE-2023-27535
                        CVE-2023-27536 CVE-2023-27538 CVE-2023-28484 CVE-2023-29383 CVE-2023-29469

The container ses/7.1/ceph/haproxy was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2023:714-1
Released:    Mon Mar 13 10:53:25 2023
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1207294
This update for rpm fixes the following issues:

- Fix missing python(abi) for 3.XX versions (bsc#1207294)

Advisory ID: SUSE-RU-2023:776-1
Released:    Thu Mar 16 17:29:23 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes.

This update ships the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

Advisory ID: SUSE-SU-2023:781-1
Released:    Thu Mar 16 19:07:00 2023
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1207780,1208828,1208957,1208959,CVE-2023-0512,CVE-2023-1127,CVE-2023-1170,CVE-2023-1175
This update for vim fixes the following issues:

- CVE-2023-0512: Fixed a divide by zero (bsc#1207780).
- CVE-2023-1175: Fixed an incorrect calculation of buffer size (bsc#1208957).
- CVE-2023-1170: Fixed a heap-based Buffer Overflow (bsc#1208959).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).

Updated to version 9.0 with patch level 1386.


Advisory ID: SUSE-RU-2023:786-1
Released:    Thu Mar 16 19:36:09 2023
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    important
References:  1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv:

- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons

libzypp:

- Avoid calling getsockopt when we know the info already.
  This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when
  accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well.
  To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the
  installed PTF packages to their latest version.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed.
  This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed,
  relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar
  metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

zypper:

- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid displaying superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
  A remove command which prefers replacing dependant packages to removing them as well.
  A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant
  packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the
  remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official
  update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)

Advisory ID: SUSE-SU-2023:1711-1
Released:    Fri Mar 31 13:33:04 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
This update for curl fixes the following issues:

- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

Advisory ID: SUSE-SU-2023:1718-1
Released:    Fri Mar 31 15:47:34 2023
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1207571,1207957,1207975,1208358,CVE-2023-0687
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

Other issues fixed:

- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)

Advisory ID: SUSE-RU-2023:1753-1
Released:    Tue Apr  4 11:55:00 2023
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
This update for systemd-presets-common-SUSE fixes the following issue:

- Enable systemd-pstore.service by default (jsc#PED-2663)

Advisory ID: SUSE-SU-2023:1790-1
Released:    Thu Apr  6 15:36:15 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy checks were not enabled (bsc#1209873).

Advisory ID: SUSE-RU-2023:1805-1
Released:    Tue Apr 11 10:12:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
This update for timezone fixes the following issues:

- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.

Advisory ID: SUSE-RU-2023:1945-1
Released:    Fri Apr 21 14:13:27 2023
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1203599
This update for elfutils fixes the following issues:

- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)

Advisory ID: SUSE-SU-2023:2048-1
Released:    Wed Apr 26 21:05:45 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469
This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).

The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270).

Advisory ID: SUSE-SU-2023:2070-1
Released:    Fri Apr 28 13:56:33 2023
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1210507,CVE-2023-29383
This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

Advisory ID: SUSE-SU-2023:2074-1
Released:    Fri Apr 28 17:02:25 2023
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1209533,CVE-2022-4899
This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

Advisory ID: SUSE-SU-2023:2076-1
Released:    Fri Apr 28 17:35:05 2023
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180
This update for glib2 fixes the following issues:

- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

The following non-security bug was fixed:

- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).

Advisory ID: SUSE-SU-2023:2103-1
Released:    Thu May  4 20:05:44 2023
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1208828,1209042,1209187,CVE-2023-1127,CVE-2023-1264,CVE-2023-1355
This update for vim fixes the following issues:

Updated to version 9.0 with patch level 1443, which fixes the following security problems:

- CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
- CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).

Advisory ID: SUSE-RU-2023:2104-1
Released:    Thu May  4 21:05:30 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1209122
This update for procps fixes the following issue:

- Allow '-' as leading character to ignore possible errors on sysctl entries (bsc#1209122)

Advisory ID: SUSE-SU-2023:2111-1
Released:    Fri May  5 14:34:00 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1210434,CVE-2023-29491
This update for ncurses fixes the following issues:

- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

Advisory ID: SUSE-feature-2023:2119-1
Released:    Fri May  5 22:28:54 2023
Summary:     Feature update for haproxy
Type:        feature
Severity:    moderate
References:  1207181,1208132,CVE-2023-0056,CVE-2023-25725
This update for haproxy fixes the following issues:

Update to version 2.0.31 (jsc#PED-3821):

* BUG/CRITICAL: http: properly reject empty http header field names
* CI: github: don't warn on deprecated openssl functions on windows
* DOC: proxy-protocol: fix wrong byte in provided example
* DOC: config: 'http-send-name-header' option may be used in default section
* DOC: config: fix option spop-check proxy compatibility
* BUG/MEDIUM: cache: use the correct time reference when comparing dates
* BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
* BUG/MEDIUM: ssl: wrong eviction from the session cache tree
* BUG/MINOR: http-ana: make set-status also update txn->status
* BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
* BUG/MINOR: promex: Don't forget to consume the request on error
* BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
* BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
* BUILD: makefile: sort the features list
* BUILD: makefile: build the features list dynamically
* BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
* BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
* LICENSE: wurfl: clarify the dummy library license.
* BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
* BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
* BUG/MINOR: ssl: Fix potential overflow
* BUG/MEDIUM: ssl: Verify error codes can exceed 63
* CI: github: change 'ubuntu-latest' to 'ubuntu-20.04'
* SCRIPTS: announce-release: add a link to the data plane API
* [RELEASE] Released version 2.0.30
* Revert 'CI: determine actual LibreSSL version dynamically'
* DOC: config: clarify the -m dir and -m dom pattern matching methods
* DOC: config: clarify the fact that 'retries' is not just for connections
* DOC: config: explain how default matching method for ACL works
* DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
* DOC: config: provide some configuration hints for 'http-reuse'
* BUILD: listener: fix build warning on global_listener_rwlock without threads
* BUILD: peers: Remove unused variables
* BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
* BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
* BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
* CI: emit the compiler's version in the build reports
* CI: add monthly gcc cross compile jobs
* BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
* BUG/MAJOR: stick-table: don't process store-response rules for applets
* DOC: management: add forgotten 'show startup-logs'
* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in
* BUG/MAJOR: stick-tables: do not try to index a server name for applets
* DOC: configuration: missing 'if' in tcp-request content example
* BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
* BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
* BUG/MEDIUM: lua: handle stick table implicit arguments right.
* BUILD: cfgparse: Fix GCC warning about a variable used after realloc
* BUILD: fix compilation for OpenSSL-3.0.0-alpha17
* BUG/MINOR: log: improper behavior when escaping log data
* SCRIPTS: announce-release: update some URLs to https
* BUG/MEDIUM: captures: free() an error capture out of the proxy lock
* BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
* BUG/MINOR: signals/poller: ensure wakeup from signals
* BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
* BUG/MINOR: h1: Support headers case adjustment for TCP proxies
* REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
* BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
* BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
* BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
* BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
* DOC: configuration: do-resolve doesn't work with a port in the string
* BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
* BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
* BUILD: http: silence an uninitialized warning affecting gcc-5
* BUG/MEDIUM: proxy: Perform a custom copy for default server settings
* REORG: server: Export srv_settings_cpy() function
* MINOR: server: Constify source server to copy its settings
* BUG/MINOR: peers: Use right channel flag to consider the peer as connected
* BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
* MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
* BUG/MINOR: ssl: free the fields in srv->ssl_ctx
* BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
* BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
* BUG/MINOR: peers: fix possible NULL dereferences at config parsing
* BUG/MINOR: peers/config: always fill the bind_conf's argument
* BUG/MINOR: http-fetch: Use integer value when possible in 'method' sample fetch
* BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
* BUG/MINOR: server: do not enable DNS resolution on disabled proxies
* BUILD: compiler: implement unreachable for older compilers too
* REGTESTS: http_request_buffer: Increase client timeout to wait 'slow' clients
* REGTESTS: abortonclose: Add a barrier to not mix up log messages
* BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
* DOC: peers: fix port number and addresses on new peers section format
* DOC: peers: clarify when entry expiration date is renewed.
* DOC: peers: indicate that some server settings are not usable
* SCRIPTS: make publish-release try to launch make-releases-json
* SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
* BUG/MEDIUM: sample: Fix adjusting size in word converter
* BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
* BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
* BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
* BUG/MINOR: peers: fix error reporting of 'bind' lines
* REGTESTS: abortonclose: Fix some race conditions
* BUILD: fix build warning on solaris based systems with __maybe_unused.
* CI: determine actual LibreSSL version dynamically
* [RELEASE] Released version 2.0.29
* BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x
* CLEANUP: mux-h1: Fix comments and error messages for global options
* BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
* BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
* DOC: fix typo 'ant' for 'and' in INSTALL
* BUG/MINOR: map/cli: make sure patterns don't vanish under 'show map''s init
* BUG/MINOR: map/cli: protect the backref list during 'show map' errors
* BUG/MEDIUM: cli: make 'show cli sockets' really yield
* BUG/MINOR: mux-h2: mark the stream as open before processing it not after
* SCRIPTS: announce-release: add URL of dev packages
* CI: github actions: update LibreSSL to 3.5.2
* BUILD: sockpair: do not set unused flag
* BUILD: proto_uxst: do not set unused flag
* BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
* REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
* DOC: remove my name from the config doc
* BUG/MINOR: cache: Disable cache if applet creation fails
* SCRIPTS: announce-release: add shortened links to pending issues
* DOC: lua: update a few doc URLs
* SCRIPTS: announce-release: update the doc's URL
* BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
* BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
* BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
* BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
* BUG/MINOR: cache: do not display expired entries in 'show cache'
* BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
* CI: Update to actions/cache@v3
* CI: Update to actions/checkout@v3
* BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
* BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
* DOC: reflect H2 timeout changes
* BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
* MEDIUM: mux-h2: slightly relax timeout management rules
* BUG/MEDIUM: stream-int: do not rely on the connection error once established
* BUG/MINOR: tools: url2sa reads too far when no port nor path
* BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
* CI: github actions: switch to LibreSSL-3.5.1
* BUILD: dns: fix backport of previous dns fix
* BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
* Revert 'BUG/MAJOR: mux-pt: Always destroy the backend connection on detach'
* BUG/MINOR: tools: fix url2sa return value with IPv4
* [RELEASE] Released version 2.0.28
* DOC: Fix usage/examples of deprecated ACLs
* BUG/MINOR: stream: make the call_rate only count the no-progress calls
* DOC: use the req.ssl_sni in examples
* DOC: ssl: req_ssl_sni needs implicit TLS
* BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
* BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
* DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
* BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: cli: shows correct mode in 'show sess'
* BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
* CLEANUP: atomic: add a fetch-and-xxx variant for common operations
* CI: github actions: use cache for SSL libs
* CI: github actions: add the output of $CC -dM -E-
* BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
* BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
* BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
* BUG/MINOR: tools: url2sa reads ipv4 too far
* BUG/MINOR: mailers: negotiate SMTP, not ESMTP
* CI: ssl: keep the old method for ancient OpenSSL versions
* CI: ssl: do not needlessly build the OpenSSL docs
* CI: ssl: enable parallel builds for OpenSSL on Linux
* BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
* BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
* BUG/MEDIUM: mworker: close unused transferred FDs on load failure
* MINOR: sock: move the unused socket cleaning code into its own function
* BUG/MAJOR: spoe: properly detach all agents when releasing the applet
* BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
* BUG/MINOR: mworker: does not erase the pidfile upon reload
* BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
* BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
* BUG/MEDIUM: mcli: do not try to parse empty buffers
* BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
* MINOR: channel: add new function co_getdelim() to support multiple delimiters
* MEDIUM: cli: yield between each pipelined command
* [RELEASE] Released version 2.0.27
* BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
* BUG/MEDIUM: cli: Never wait for more data on client shutdown
* BUILD/MINOR: fix solaris build with clang.
* BUG/MEDIUM: mworker: don't use _getsocks in wait mode
* BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
* BUG/MINOR: cli: fix _getsocks with musl libc
* CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free
* BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
* DOC: fix misspelled keyword 'resolve_retries' in resolvers
* BUILD: ssl: unbreak the build with newer libressl
* BUILD: cli: clear a maybe-unused  warning on some older compilers
* BUG/MINOR: http: fix recent regression on authorization in legacy mode
* Revert 'BUG/MEDIUM: resolvers: always check a valid item in query_list'
* BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose
* BUG/MINOR: backend: do not set sni on connection reuse
* BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
* DOC: config: Specify %Ta is only available in HTTP mode
* DOC: spoe: Clarify use of the event directive in spoe-message section
* MINOR: ssl: make tlskeys_list_get_next() take a list element
* CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()
* CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()
* BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
* MINOR: cli: 'show version' displays the current process version
* BUILD: general: always pass unsigned chars to is* functions
* CLEANUP: peers: Remove unused static function `free_dcache_tx`
* CLEANUP: peers: Remove unused static function `free_dcache`
* REGTESTS: mark the abns test as broken again
* BUILD: scripts/ use 'uname' instead of ${TRAVIS_OS_NAME}
* BUILD: makefile: add entries to build common debugging tools
* CI: Github Actions: temporarily disable BoringSSL builds
* CI: Github Actions: switch to LibreSSL-3.3.3
* CI: github actions: update LibreSSL to 3.2.5
* Revert 'CI: Pin VTest to a known good commit'
* CI: github actions: switch to stable LibreSSL release
* CI: Fix the coverity builds
* CI: Fix DEBUG_STRICT definition for Coverity
* CI: Pin VTest to a known good commit
* CI: github actions: build several popular 'contrib' tools
* CI: GitHub Actions: enable daily Coverity scan
* CI: github actions: enable 51degrees feature
* CI: github actions: update LibreSSL to 3.3.0
* CI: Clean up Windows CI
* CI: Pass the github.event_name to
* CI: Github Action: run 'apt-get update' before packages restore
* CI: Github Actions: enable BoringSSL builds
* CI: Github Actions: remove LibreSSL-3.0.2 builds
* CI: Github Actions: enable prometheus exporter
* CI: Stop hijacking the hosts file
* CI: Expand use of GitHub Actions for CI
* [RELEASE] Released version 2.0.26
* BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
* BUG/MINOR: shctx: do not look for available blocks when the first one is enough
* BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
* BUG/MEDIUM: mux-h2: always process a pending shut read
* BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
* CLEANUP: ssl: Release cached SSL sessions on deinit
* MINOR: mux-h2: perform a full cycle shutdown+drain on close
* MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
* BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
* BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
* BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
* BUG/MINOR: mworker: doesn't launch the program postparser
* BUG/MEDIUM: conn-stream: Don't reset CS flags on close
* BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
* DOC: config: Fix typo in ssl_fc_unique_id description
* BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
* BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
* MINOR: htx: Add a function to know if the free space wraps
* MINOR: htx: Add an HTX flag to know when a message is fragmented
* BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
* MINOR: stream: Improve dump of bogus streams
* DOC: config: Fix alphabetical order of fc_* samples
* BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
* BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration
* CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT
* CLEANUP: always initialize the answer_list
* CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()
* BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released
* BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed
* BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame
* BUG/MEDIUM: resolvers: always check a valid item in query_list
* BUILD: resolvers: avoid a possible warning on null-deref
* MINOR: resolvers: merge address and target into a union 'data'
* BUG/MEDIUM: resolvers: use correct storage for the target address
* BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix
* MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
* BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
* BUG/MEDIUM: resolver: make sure to always use the correct hostname length
* MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
* BUG/MEDIUM: sample: properly verify that variables cast to sample
* MINOR: sample: provide a generic var-to-sample conversion function
* CLEANUP: sample: uninline sample_conv_var2smp_str()
* CLEANUP: sample: rename sample_conv_var2smp() to *_sint
* BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error
* BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
* BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
* BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
* BUG/MINOR: filters: Set right FLT_END analyser depending on channel
* BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
* BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
* BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
* BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
* BUG/MAJOR: lua: use task_wakeup() to properly run a task once
* BUG/MEDIUM: lua: fix wakeup condition from sleep()
* DOC: peers: fix doc 'enable' statement on 'peers' sections
* BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send 'trailers'
* BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
* BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
* BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
* BUG/MINOR: server: allow 'enable health' only if check configured
* Revert 'REGTESTS: mark http_abortonclose as broken'
* BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
* MEDIUM: actions: Fix block ACL.
* BUG/MINOR: stats: fix the POST requests processing in legacy mode
* BUG/MEDIUM: http: check for a channel pending data before waiting
* BUG/MINOR: cli/payload: do not search for args inside payload
* BUG/MINOR: compat: make sure __WORDSIZE is always defined
* BUG/MINOR: systemd: ExecStartPre must use -Ws
* [RELEASE] Released version 2.0.25
* REGTESTS: mark http_abortonclose as broken
* MINOR: action: Use a generic function to check validity of an action rule list
* Revert 'BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive'
* BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
* CLEANUP: htx: remove comments about 'must be < 256 MB'
* BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
* DOC: configuration: remove wrong tcp-request examples in tcp-response
* CLEANUP: Add missing include guard to signal.h
* BUG/MINOR: tools: Fix loop condition in dump_text()
* BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
* BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
* BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
* MINOR: compiler: implement an ONLY_ONCE() macro
* BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
* REGTESTS: abortonclose: after retries, 503 is expected, not close
* BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
* [RELEASE] Released version 2.0.24
* REGTESTS: add a test to prevent h2 desync attacks
* BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
* DOC/MINOR: fix typo in management document
* MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade
* DOC: config: Fix 'http-response send-spoe-group' documentation
* DOC: Improve the lua documentation
* BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
* BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
* MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
* BUG/MINOR: server: update last_change on maint->ready transitions too
* BUG/MINOR: connection: Add missing error labels to conn_err_code_str
* BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
* BUG/MINOR: mux-h2: Obey dontlognull option during the preface
* BUG/MINOR: systemd: must check the configuration using -Ws
* BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
* BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
* BUILD: add detection of missing important CFLAGS
* BUG/MEDIUM: tcp-check: Do not dereference inexisting connection
* [RELEASE] Released version 2.0.23
* BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled
* BUG/MINOR: server-state: load SRV resolution only if params match the config
* CLEANUP: pools: remove now unused seq and pool_free_list
* BUG/MAJOR: pools: fix possible race with free() in the lockless variant
* MEDIUM: pools: use a single pool_gc() function for locked and lockless
* MEDIUM: memory: make pool_gc() run under thread isolation
* BUG/MEDIUM: pools: Always update free_list in pool_gc().
* MINOR: pools: do not maintain the lock during pool_flush()
* BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()
* MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS
* Revert 'MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules'
* BUG/MINOR: peers: fix data_type bit computation more than 32 data_types
* MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()
* BUG/MINOR: resolvers: Reset server IP when no ip is found in the response
* DOC: config: use CREATE USER for mysql-check
* DOC: peers: fix the protocol tag name in the doc
* DOC: stick-table: add missing documentation about gpt0 stored type
* BUG/MINOR: stick-table: fix several printf sign errors dumping tables
* BUG/MINOR: cli: fix server name output in 'show fd'
* BUG/MEDIUM: sock: make sure to never miss early connection failures
* BUG/MINOR: server/cli: Fix locking in function processing 'set server' command
* BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
* BUG/MINOR: resolvers: answer item list was randomly purged or errors
* DOC: config: Add missing actions in 'tcp-request session' documentation
* MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules
* BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check
* BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function
* BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken
* MINOR: mux-h2: obey http-ignore-probes during the preface
* BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue
* BUG/MINOR: mworker: fix typo in chroot error message
* BUG/MINOR: ssl: use atomic ops to update global shctx stats
* BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE
* BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id
* DOC: lua: Add a warning about buffers modification in HTTP
* BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded
* BUG/MEDIUM: dns: reset file descriptor if send returns an error
* BUG/MEDIUM: compression: Add a flag to know the filter is still processing data
* BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
* BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree
* BUG/MINOR: http: Missing calloc return value check in make_arg_list
* BUG/MINOR: http: Missing calloc return value check while parsing redirect rule
* BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list
* BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo
* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule
* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response
* BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy
* BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare
* BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture
* BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine
* BUG/MINOR: peers: Missing calloc return value check in peers_register_table
* BUG/MINOR: server: Missing calloc return value check in srv_parse_source
* BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts
* BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response
* BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter
* BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'
* BUG/MEDIUM: ebtree: Invalid read when looking for dup entry
* REGTESTS: Add script to test abortonclose option
* MEDIUM: mux-h1: Don't block reads when waiting for the other side
* BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive
* MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()
* BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port
* BUG/MINOR: stream: Reset stream final state and si error type on L7 retry
* BUG/MINOR: stream: properly clear the previous error mask on L7 retries
* BUG/MINOR: stream: Decrement server current session counter on L7 retry
* BUG/MEDIUM: cli: prevent memory leak on write errors
* BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers
* MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode
* MINOR: peers: add informative flags about resync process for debugging
* BUG/MEDIUM: peers: reset tables stage flags stages on new conns
* BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly
* BUG/MEDIUM: peers: reset commitupdate value in new conns
* BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected
* BUG/MEDIUM: peers: stop considering ack messages teaching a full resync
* BUG/MEDIUM: peers: register last acked value as origin receiving a resync req
* BUG/MEDIUM: peers: initialize resync timer to get an initial full resync
* BUG/MINOR: applet: Notify the other side if data were consumed by an applet
* BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message
* BUG/MEDIUM: peers: re-work refcnt on table to protect against flush
* BUG/MEDIUM: peers: re-work connection to new process during reload.
* BUG/MINOR: peers: remove useless table check if initial resync is finished
* BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data
* BUG/MINOR: mworker: don't use oldpids[] anymore for reload
* BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases
* BUG/MEDIUM: config: fix cpu-map notation with both process and threads
* BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
* BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
* BUG/MINOR: server: free srv.lb_nodes in free_server
* BUG/MINOR: mux-h1: Release idle server H1 connection if data are received
* BUG/MINOR: logs: Report the true number of retries if there was no connection
* BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function
* BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded
* BUG/MEDIUM: threads: Ignore current thread to end its harmless period
* BUG/MEDIUM: sample: Fix adjusting size in field converter
* DOC: clarify that compression works for HTTP/2
* BUG/MINOR: tools: fix parsing 'us' unit for timers
* DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options
* [RELEASE] Released version 2.0.22
* BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks
* MINOR: resolvers: Directly call srvrq_update_srv_state() when possible
* MINOR: resolvers: Add function to change the srv status based on SRV resolution
* MINOR: resolvers: Purge answer items when a SRV resolution triggers an error
* MINOR: resolvers: Use a function to remove answers attached to a resolution
* BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution
* BUG/MAJOR: dns: disabled servers through SRV records never recover
* BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status
* BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields
* BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS
* BUG/MINOR: tcp: fix silent-drop workaround for IPv6
* BUG/MINOR: stats: Apply proper styles in HTML status page.
* BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
* BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters
* MINOR: tools: make url2ipv4 return the exact number of bytes parsed
* BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless
* BUG/MEDIUM: time: make sure to always initialize the global tick
* BUG/MEDIUM: lua: Always init the lua stack before referencing the context
* BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback
* MINOR: lua: Slightly improve function dumping the lua traceback
* MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket
* BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable
* MINOR: time: also provide a global, monotonic global_now_ms timer
* [RELEASE] Released version 2.0.21
* BUG/MINOR: freq_ctr/threads: make use of the last updated global time
* MINOR: time: export the global_now variable
* BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames
* BUG/MINOR: resolvers: Reset server address on DNS error only on status change
* BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error
* CLEANUP: tcp-rules: add missing actions in the tcp-request error message
* BUG/MINOR: session: Add some forgotten tests on session's listener
* BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters
* BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached
* BUG/MEDIUM: session: NULL dereference possible when accessing the listener
* BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode
* BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()
* BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
* BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout
* DOC: spoe: Add a note about fragmentation support in HAProxy
* BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
* BUG/MINOR: connection: Use the client's dst family for addressless servers
* BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
* BUG/MINOR: http-ana: Only consider dst address to process originalto option
* BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
* BUG/MEDIUM: resolvers: Reset address for unresolved servers
* BUG/MEDIUM: resolvers: Reset server address and port for obsolete SRV records
* BUG/MINOR: resolvers: new callback to properly handle SRV record errors
* BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
* BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
* BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
* BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
* BUG/MINOR: sample: secure convs that accept base64 string and var name as args
* BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
* BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
* BUG/MINOR: server: Init params before parsing a new server-state line
* BUG/MINOR: sample: Always consider zero size string samples as unsafe
* BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
* BUG/MINOR: session: atomically increment the tracked sessions counter
* BUG/MINOR: server: Remove RMAINT from admin state when loading server state
* CLEANUP: channel: fix comment in ci_putblk.
* BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
* BUG/MINOR: cfgparse: do not mention 'addr:port' as supported on proxy lines
* BUG/MEDIUM: config: don't pick unset values from last defaults section
* CLEANUP: deinit: release global and per-proxy server-state variables on deinit
* BUG/MINOR: server: Fix server-state-file-name directive
* BUG/MINOR: backend: hold correctly lock when killing idle conn
* BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
* BUG/MINOR: server: re-align state file fields number
* BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
* BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty
* BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED
* BUG/MEDIUM: mux-h2: handle remaining read0 cases
* BUILD: Makefile: move REGTESTST_TYPE default setting
* BUG/MINOR: xxhash: make sure armv6 uses memcpy()
* BUG/MEDIUM: ssl: check a connection's status before computing a handshake
* BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
* DOC: management: fix 'show resolvers' alphabetical ordering
* BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
* BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
* BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
* BUG/MEDIUM: mux-h2: fix read0 handling on partial frames
* BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
* BUG/MINOR: peers: Wrong 'new_conn' value for 'show peers' CLI command.
* BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
* BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
* BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
* [RELEASE] Released version 2.0.20
* BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
* DOC: Add maintainers for the Prometheus exporter
* SCRIPTS: announce-release: fix typo in help message
* DOC: fix some spelling issues over multiple files
* MINOR: contrib/prometheus-exporter: export build_info
* BUILD: Makefile: exclude broken tests by default
* BUG/MINOR: srv: do not init address if backend is disabled
* SCRIPTS: make announce release support preparing announces before tag exists
* SCRIPTS: improve announce-release to support different tag and versions
* BUG/MINOR: cfgparse: Fail if the strdup() for `rule->` for `use_backend` fails
* MINOR: atomic: don't use ; to separate instruction on aarch64.
* BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
* BUILD: plock: remove dead code that causes a warning in gcc 11
* CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
* CONTRIB: halog: mark the has_zero* functions unused
* CONTRIB: halog: fix build issue caused by %L printf format
* BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
* BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
* BUILD: Makefile: have 'make clean' destroy .o/.a/.s in contrib subdirs as well
* REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
* CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric
* CLEANUP: lua: Remove declaration of an inexistant function
* BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
* BUG/MINOR: tools: Reject size format not starting by a digit
* BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
* DOC: email change of the DeviceAtlas maintainer
* BUG/MEDIUM: spoa/python: Fixing references to None
* BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
* BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
* BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
* DOC: spoa/python: Fixing typos in comments
* DOC: spoa/python: Rephrasing memory related error messages
* DOC: spoa/python: Fixing typo in IP related error messages
* BUG/MAJOR: spoa/python: Fixing return None
* DOC/MINOR: Fix formatting in Management Guide
* BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
* MINOR: cli: add a function to look up a CLI service description
* MINOR: actions: add a function returning a service pointer from its name
* MINOR: actions: Export actions lookup functions
* BUG/MINOR: lua: Some lua init operation are processed unsafe
* BUG/MINOR: lua: Post init register function are not executed beyond the first one
* BUG/MINOR: lua: lua-load doesn't check its parameters
* MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
* DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
* BUG/MAJOR: peers: fix partial message decoding
* BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
* BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
* BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
* BUILD: http-htx: fix build warning regarding long type in printf
* MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.
* MINOR: spoe: Don't close connection in sync mode on processing timeout
* BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
* BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
* BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
* BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
* BUG/MINOR: peers: Missing TX cache entries reset.
* BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
* BUG/MINOR: lua: set buffer size during map lookups
* BUG/MINOR: pattern: a sample marked as const could be written
* [RELEASE] Released version 2.0.19
* BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
* MINOR: http-htx: Add understandable errors for the errorfiles parsing
* BUG/MEDIUM: stick-table: limit the time spent purging old entries
* BUG/MINOR: filters: Skip disabled proxies during startup only
* BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
* MINOR: server: Copy configuration file and line for server templates
* BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup
* BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
* BUG/MINOR: cache: Inverted variables in http_calc_maxage function
* BUG/MINOR: lua: initialize sample before using it
* BUG/MINOR: server: fix down_time report for stats
* BUG/MINOR: server: fix srv downtime calcul on starting
* BUG/MINOR: log: fix memory leak on logsrv parse error
* BUG/MINOR: extcheck: add missing checks on extchk_setenv()
* BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible
* BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests
* BUG/MEDIUM: server: support changing the slowstart value from state-file
* BUG/MINOR: queue: properly report redistributed connections
* BUG/MINOR: peers: Possible unexpected peer session reset after collisions.
* BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn
* BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages
* BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
* BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once
* MINOR: fd: report an error message when failing initial allocations
* BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
* BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
* BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().
* BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
* BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
* BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
* BUG/MINOR: peers: Inconsistency when dumping peer status codes.
* MINOR: hlua: Display debug messages on stderr only in debug mode
* BUG/MINOR: stats: fix validity of the json schema
* MINOR: counters: fix a typo in comment
* BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe
* BUG/MINOR: Fix several leaks of 'log_tag' in init().
* BUILD: makefile: Fix building with closefrom() support enabled
* DOC: ssl: crt-list negative filters are only a hint
* [RELEASE] Released version 2.0.18
* REGTEST: make map_regm_with_backref require 1.7
* REGTEST: make abns_socket.vtc require 1.8
* REGTEST: fix host part in balance-uri-path-only.vtc
* REGTESTS: add a few load balancing tests
* DOC: agent-check: fix typo in 'fail' word expected reply
* DOC: spoa-server: fix false friends `actually`
* BUG/MEDIUM: listeners: do not pause foreign listeners
* BUG/MINOR: config: Fix memory leak on config parse listen
* BUG/MINOR: Fix memory leaks cfg_parse_peers
* BUG/MEDIUM: h2: report frame bits only for handled types
* BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch
* BUG/MINOR: server: report correct error message for invalid port on 'socks4'
* BUG/MINOR: ssl: verifyhost is case sensitive
* BUG/MEDIUM: ssl: does not look for all SNIs before choosing a certificate
* BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
* BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
* BUILD: threads: better workaround for late loading of libgcc_s
* BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
* BUG/MINOR: auth: report valid crypto(3) support depending on build options
* CLEANUP: Update .gitignore
* MINOR: Commit .gitattributes
* BUILD: thread: limit the libgcc_s workaround to glibc only
* BUG/MINOR: threads: work around a libgcc_s issue with chrooting
* BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
* BUG/MEDIUM: doc: Fix replace-path action description
* BUG/MINOR: startup: haproxy -s cause 100% cpu
* BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
* BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
* BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
* BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
* BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
* DOC: cache: Use '<name>' instead of '<id>' in error message
* BUG/MINOR: reload: do not fail when no socket is sent
* BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
* BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
* BUG/MINOR: snapshots: leak of snapshots on deinit()
* BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
* BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
* BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
* BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
* BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response
* SCRIPTS: git-show-backports: emit the shell command to backport a commit
* SCRIPTS: git-show-backports: make -m most only show the left branch
* [RELEASE] Released version 2.0.17
* SCRIPTS: announce-release: add the link to the wiki in the announce messages
* MINOR: stream-int: Be sure to have a mux to do sends and receives
* MINOR: connection: Preinstall the mux for non-ssl connect
* BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
* BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
* MEDIUM: lua: Add support for the Lua 5.4
* BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
* BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
* BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
* BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
* BUG/MAJOR: dns: Make the do-resolve action thread-safe
* BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete
* BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
* BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
* BUILD: thread: add parenthesis around values of locking macros
* MINOR: pools: increase MAX_BASE_POOLS to 64
* BUG/MINOR: threads: Don't forget to init each thread toremove_lock.
* REGEST: Add reg tests about error files
* BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
* [RELEASE] Released version 2.0.16
* BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
* BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
* BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
* CONTRIB: da: fix memory leak in dummy function da_atlas_open()
* BUG/MINOR: sample: Free str.area in smp_check_const_meth
* BUG/MINOR: sample: Free str.area in smp_check_const_bool
* DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
* BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode
* BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection
* MINOR: http: Add support for http 413 status
* BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
* BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
* MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
* BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
* BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
* BUG/MINOR: mux-h1: Disable splicing only if input data was processed
* BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
* BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
* BUG/MINOR: http_act: don't check capture id in backend (2)
* DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
* DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
* BUG/MINOR: proxy: always initialize the trash in show servers state
* BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
* BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
* DOC: ssl: add 'allow-0rtt' and 'ciphersuites' in crt-list
* MINOR: cli: make 'show sess' stop at the last known session
* BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
* REGTEST: ssl: add some ssl_c_* sample fetches test
* REGTEST: ssl: tests the ssl_f_* sample fetches
* MINOR: spoe: Don't systematically create new applets if processing rate is low
* BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
* BUG/MINOR: spoe: correction of setting bits for analyzer
* REGTEST: Add a simple script to tests errorfile directives in proxy sections
* BUG/MINOR: systemd: Wait for network to be online
* MEDIUM: map: make the 'clear map' operation yield
* REGTEST: http-rules: test spaces in ACLs with master CLI
* REGTEST: http-rules: test spaces in ACLs
* BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
* BUG/MINOR: mworker/cli: fix the escaping in the master CLI
* BUG/MINOR: cli: allow space escaping on the CLI
* BUG/MINOR: spoe: add missing key length check before checking key names
* BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
* BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
* MINOR: http: Add 404 to http-request deny
* MINOR: http: Add 410 to http-request deny
* [RELEASE] Released version 2.0.15
* REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used
* BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
* BUG/MEDIUM: pattern: fix thread safety of pattern matching
* BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
* BUG/MINOR: mworker: fix a memleak when execvp() failed
* BUG/MEDIUM: mworker: fix the reload with an -- option
* BUG/MINOR: init: -S can have a parameter starting with a dash
* BUG/MINOR: init: -x can have a parameter starting with a dash
* BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
* BUILD: makefile: adjust the sed expression of 'make help' for solaris
* BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version
* BUG/MEDIUM: logs: fix trailing zeros on log message.
* BUG/MINOR: logs: prevent double line returns in some events.
* BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
* BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
* BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
* BUG/MINOR: peers: fix internal/network key type mapping.
* SCRIPTS: publish-release: pass -n to gzip to remove timestamp
* Revert 'BUG/MEDIUM: connections: force connections cleanup on server changes'
* BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf
* BUG/MINOR: lua: Add missing string length for lua sticktable lookup
* BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
* BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
* BUG/MINOR: cache: Don't needlessly test 'cache' keyword in parse_cache_flt()
* BUILD: select: only declare existing local labels to appease clang
* BUG/MINOR: soft-stop: always wake up waiting threads on stopping
* BUG/MINOR: pollers: remove unneeded free in global init
* BUG/MINOR: pools: use %u not %d to report pool stats in 'show pools'
* BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
* BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
* BUG/MINOR: http-ana: fix NTLM response parsing again
* BUG/MINOR: config: Make use_backend and use-server post-parsing less obscure
* BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
* BUG/MINOR: sample: Set the correct type when a binary is converted to a string
* CLEANUP: connections: align function declaration
* BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
* BUG/MEDIUM: connections: force connections cleanup on server changes
* BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure
* BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.
* BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
* BUG/MINOR: checks: Remove a warning about http health checks
* BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
* BUG/MEDIUM: checks: Always initialize checks before starting them
* BUG/MINOR: checks/server: use_ssl member must be signed
* BUG/MEDIUM: server/checks: Init server check during config validity check
* Revert 'BUG/MINOR: connection: make sure to correctly tag local PROXY connections'
* BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection
* REGTEST: ssl: test the client certificate authentication
* MINOR: stream: report the list of active filters on stream crashes
* BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
* BUG/MEDIUM: shctx: really check the lock's value while waiting
* BUG/MINOR: debug: properly use long long instead of long for the thread ID
* MINOR: threads: export the POSIX thread ID in panic dumps
* BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
* BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream
* BUG/MEDIUM: http: the 'unique-id' sample fetch could crash without a stream
* BUG/MEDIUM: http: the 'http_first_req' sample fetch could crash without a stream
* BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
* BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
* BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
* BUG/MINOR: checks: chained expect will not properly wait for enough data
* BUG/MINOR: checks: Respect the no-check-ssl option
* MINOR: checks: Add a way to send custom headers and payload during http checks
* BUG/MINOR: check: Update server address and port to execute an external check
* DOC: option logasap does not depend on mode
* BUG/MINOR: http: make url_decode() optionally convert '+' to SP
* BUG/MINOR: tools: fix the i386 version of the div64_32 function
* BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
* BUG/MINOR: ssl: default settings for ssl server options are not used
* DOC: Improve documentation on http-request set-src
* DOC: hashing: update link to hashing functions
* BUG/MINOR: peers: Incomplete peers sections should be validated.
* BUG/MINOR: protocol_buffer: Wrong maximum shifting.

The following package changes have been done:

- glibc-2.31-150300.46.1 updated
- haproxy-2.0.31-150200.11.20.1 updated
- libcurl4-7.66.0-150200.4.52.1 updated
- libdw1-0.177-150300.11.6.1 updated
- libebl-plugins-0.177-150300.11.6.1 updated
- libelf1-0.177-150300.11.6.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libglib-2_0-0-2.62.6-150200.3.15.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.62.1 updated
- libopenssl1_1-1.1.1d-150200.11.62.1 updated
- libprocps7-3.3.15-150000.7.31.1 updated
- libsolv-tools-0.7.23-150200.15.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libxml2-2-2.9.7-150000.3.57.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.8-150200.50.1 updated
- login_defs-4.8.1-150300.4.6.1 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssl-1_1-1.1.1d-150200.11.62.1 updated
- procps-3.3.15-150000.7.31.1 updated
- rpm-ndb-4.14.3-150300.55.1 updated
- shadow-4.8.1-150300.4.6.1 updated
- systemd-presets-common-SUSE-15-150100.8.20.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- timezone-2023c-150000.75.23.1 updated
- vim-data-common-9.0.1443-150000.5.40.1 updated
- vim-9.0.1443-150000.5.40.1 updated
- xxd-9.0.1443-150000.5.40.1 added
- zypper-1.14.59-150200.42.2 updated
- container:sles15-image-15.0.0-17.20.133 updated
