SUSE-RU-2020:1184-1: moderate: Recommended update for haproxy

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue May 5 07:16:42 MDT 2020


   SUSE Recommended Update: Recommended update for haproxy
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1184-1
Rating:             moderate
References:         #1169457
Affected Products:
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for haproxy fixes the following issues:

   - Update from version 2.0.10+git0.ac198b92 to version 2.0.14. (bsc#1169457)
     * BUG/CRITICAL: hpack: never index a header into the headroom after
       wrapping
     * BUG/MAJOR: dns: add minimalist error processing on the Rx path
     * BUG/MAJOR: hashes: fix the signedness of the hash inputs
     * BUG/MAJOR: http-ana: Always abort the request when a tarpit is
       triggered
     * BUG/MAJOR: list: fix invalid element address calculation
     * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is
       empty.
     * BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
     * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreign requeuing
     * BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
     * BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response
       payload
     * BUG/MEDIUM: checks: Make sure we set the task affinity just before
       connecting.
     * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is
       ready.
     * BUG/MEDIUM: cli: _getsocks must send the peers sockets
     * BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing
       the payload
     * BUG/MEDIUM: connection: add a mux flag to indicate splice usability
     * BUG/MEDIUM: connections: Don't forget to unlock when killing a
       connection.
     * BUG/MEDIUM: connections: Hold the lock when wanting to kill a
       connection.
     * BUG/MEDIUM: debug: make the debug_handler check for the thread in
       threads_to_dump
     * BUG/MEDIUM: ebtree: don't set attribute packed without unaligned
       access support
     * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on
       the same fd
     * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is
       applied
     * BUG/MEDIUM: kqueue: Make sure we report read events even when no data.
     * BUG/MEDIUM: listener/thread: fix a race when pausing a listener
     * BUG/MEDIUM: listener/threads: fix a remaining race in the listener's
       accept()
     * BUG/MEDIUM: listener: only consider running threads when resuming
       listeners
     * BUG/MEDIUM: memory: Add a rwlock before freeing memory.
     * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
     * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
     * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
     * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
     * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything
       but "trailers"
     * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
     * BUG/MEDIUM: muxes: Use the right argument when calling the destroy
       method.
     * BUG/MEDIUM: mworker: remain in mworker mode during reload
     * BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
     * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
     * BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive.
     * BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
     * BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
     * BUG/MEDIUM: random: initialize the random pool a bit better
     * BUG/MEDIUM: session: do not report a failure when rejecting a session
     * BUG/MEDIUM: shctx: make sure to keep all blocks aligned
     * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
     * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
     * BUG/MEDIUM: ssl: Revamp the way early data are handled.
     * BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch
       functions
     * BUG/MEDIUM: stream-int: don't subscribe for recv when we're trying to
       flush data
     * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX
       stream
     * BUG/MEDIUM: tasks: Make sure we switch wait queues in
       task_set_affinity().
     * BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in
       __signal_process_queue().
     * BUG/MINOR: 51d: Fix bug when HTX is enabled
     * BUG/MINOR: cache: Fix leak of cache name in error path
     * BUG/MINOR: channel: inject output data at the end of output
     * BUG/MINOR: checks/threads: use ha_random() and not rand()
     * BUG/MINOR: checks: refine which errno values are really errors.
     * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
     * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
     * BUG/MINOR: connection: make sure to correctly tag local PROXY
       connections
     * BUG/MINOR: connections: Make sure we free the connection on failure.
     * BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy
       ones
     * BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
     * BUG/MINOR: dns: Make dns_query_id_seed unsigned
     * BUG/MINOR: dns: allow 63 char in hostname
     * BUG/MINOR: dns: allow srv record weight set to 0
     * BUG/MINOR: dns: ignore trailing dot
     * BUG/MINOR: filters: Count HTTP headers as filtered data but don't
       forward them
     * BUG/MINOR: filters: Forward everything if no data filters are called
     * BUG/MINOR: filters: Use filter offset to deduce the amount of
       forwarded data
     * BUG/MINOR: h1: Report the right error position when a header value is
       invalid
     * BUG/MINOR: haproxy/threads: close a possible race in soft-stop
       detection
     * BUG/MINOR: haproxy/threads: try to make all threads leave together
     * BUG/MINOR: haproxy: always initialize sleeping_thread_mask
     * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all
       filters
     * BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
     * BUG/MINOR: http-ana: Reset request analysers on a response side error
     * BUG/MINOR: http-ana: Reset request analysers on error when waiting for
       response
     * BUG/MINOR: http-htx: Don't make http_find_header() fail if the value
       is empty
     * BUG/MINOR: http-rules: Fix a typo in the reject action function
     * BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
     * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
     * BUG/MINOR: http: http-request replace-path duplicates the query string
     * BUG/MINOR: http_act: don't check capture id in backend
     * BUG/MINOR: http_ana: make sure redirect flags don't have overlapping
       bits
     * BUG/MINOR: init: make the automatic maxconn consider the max of
       soft/hard limits
     * BUG/MINOR: listener/mq: do not dispatch connections to remote threads
       when stopping
     * BUG/MINOR: listener/threads: always use atomic ops to clear the FD
       events
     * BUG/MINOR: listener: also clear the error flag on a paused listener
     * BUG/MINOR: listener: do not immediately resume on transient error
     * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
     * BUG/MINOR: listener: fix off-by-one in state name check
     * BUG/MINOR: log: fix minor resource leaks on logformat error path
     * BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
     * BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be
       added
     * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set
       H1C_F_CS_SHUTDOWN
     * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may
       receive data
     * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
     * BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers
     * BUG/MINOR: namespace: avoid closing fd when socket failed in
       my_socketat
     * BUG/MINOR: pattern: Do not pass len = 0 to calloc()
     * BUG/MINOR: pattern: handle errors from fgets when trying to load
       patterns
     * BUG/MINOR: peers: Use after free of "peers" section.
     * BUG/MINOR: peers: avoid an infinite loop when peers_fe is NULL
     * BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
     * BUG/MINOR: proxy: Fix input data copy when an error is captured
     * BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state
     * BUG/MINOR: rules: Increment be_counters if backend is assigned for a
       silent-drop
     * BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
     * BUG/MINOR: sample: Make sure to return stable IDs in the unique-id
       fetch
     * BUG/MINOR: sample: always check converters' arguments
     * BUG/MINOR: sample: fix the closing bracket and LF in the debug
       converter
     * BUG/MINOR: sample: fix the json converter's endian-sensitivity
     * BUG/MINOR: server: make "agent-addr" work on default-server line
     * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
     * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >=
       1.1.1
     * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
     * BUG/MINOR: ssl: we may only ignore the first 64 errors
     * BUG/MINOR: stats: Fix color of draining servers on stats page
     * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during
       parsing
     * BUG/MINOR: stktable: report the current proxy name in error messages
     * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is
       already reached
     * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still
       possible
     * BUG/MINOR: stream: don't mistake match rules for store-request rules
     * BUG/MINOR: stream: init variables when the list is empty
     * BUG/MINOR: tasks: only requeue a task if it was already in the queue
     * BUG/MINOR: tcp-rules: Fix memory releases on error path during action
       parsing
     * BUG/MINOR: tcp: avoid closing fd when socket failed in
       tcp_bind_listener
     * BUG/MINOR: tcp: don't try to set defaultmss when value is negative
     * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
     * BUG/MINOR: unix: better catch situations where the unix socket path
       length is close to the limit
     * BUG/MINOR: wdt: do not return an error when the watchdog couldn't be
       enabled
     * CONTRIB: debug: add missing flags SF_HTX and SF_MUX
     * CONTRIB: debug: add the possibility to decode the value as certain
       types only
     * CONTRIB: debug: also support reading values from stdin
     * CONTRIB: debug: support reporting multiple values at once
     * DOC: Clarify behavior of server maxconn in HTTP mode
     * DOC: Improve documentation of http-re(quest|sponse)
       replace-(header|value|uri)
     * DOC: assorted typo fixes in the documentation
     * DOC: assorted typo fixes in the documentation and Makefile
     * DOC: clarify matching strings on binary fetches
     * DOC: clarify the fact that replace-uri works on a full URI
     * DOC: configuration.txt: fix various typos
     * DOC: document the listener state transitions
     * DOC: fix incorrect indentation of http_auth_*
     * DOC: fix typo about no-tls-tickets
     * DOC: improve description of no-tls-tickets
     * DOC: internals: Fix spelling errors in filters.txt
     * DOC: listeners: add a few missing transitions
     * DOC: move the "group" keyword at the right place
     * DOC: proxies: HAProxy only supports 3 connection modes
     * DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
     * DOC: remove references to the outdated architecture.txt
     * DOC: ssl: clarify security implications of TLS tickets
     * DOC: word converter ignores delimiters at the start or end of input
       string
     * MINOR: acl: Warn when an ACL is named 'or'
     * MINOR: backend: use a single call to ha_random32() for the random LB
       algo
     * MINOR: build: add linux-glibc-legacy build TARGET
     * MINOR: compiler: add new alignment macros
     * MINOR: compiler: move CPU capabilities definition from config.h and
       complete them
     * MINOR: config: disable busy polling on old processes
     * MINOR: contrib/prometheus-exporter: Add healthcheck status/code in
       server metrics
     * MINOR: contrib/prometheus-exporter: Add the last healthcheck duration
       metric
     * MINOR: debug: report the task handler's pointer relative to main
     * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile
       attribute
     * MINOR: filters: Forward data only if the last filter forwards something
     * MINOR: haproxy: export main to ease access from debugger
     * MINOR: http-htx: Add a function to retrieve the headers size of an HTX
       message
     * MINOR: http-rules: Add a flag on redirect rules to know the rule
       direction
     * MINOR: http-rules: Handle the rule direction when a redirect is
       evaluated
     * MINOR: http: add a new "replace-path" action
     * MINOR: htx: Add a function to return a block at a specific offset
     * MINOR: ist: add an iststop() function
     * MINOR: listener: add so_name sample fetch
     * MINOR: memory: Change the flush_lock to a spinlock, and don't get it
       in alloc.
     * MINOR: memory: Only init the pool spinlock once.
     * MINOR: proxy/http-ana: Add support of extra attributes for the cookie
       directive
     * MINOR: ssl: Remove unused variable "need_out".
     * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
     * MINOR: tools: add 64-bit rotate operators
     * MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into
       types/signal.h.
     * OPTIM: startup: fast unique_id allocation for acl.
     * SCRIPTS: announce-release: allow the user to force to overwrite old
       files
     * SCRIPTS: announce-release: place the send command in the mail's header
     * SCRIPTS: announce-release: use mutt -H instead of -i to include the
       draft
     * SCRIPTS: make announce-release executable again


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1184=1



Package List:

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      haproxy-2.0.14-8.15.1
      haproxy-debuginfo-2.0.14-8.15.1
      haproxy-debugsource-2.0.14-8.15.1


References:

   https://bugzilla.suse.com/1169457


