SUSE-RU-2020:1185-1: moderate: Recommended update for haproxy
sle-updates at lists.suse.com
Tue May 5 07:31:46 MDT 2020
SUSE Recommended Update: Recommended update for haproxy
______________________________________________________________________________
Announcement ID: SUSE-RU-2020:1185-1
Rating: moderate
References: #1169457
Affected Products:
SUSE Linux Enterprise High Availability 15
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for haproxy fixes the following issues:
- Update from version 2.0.10+git0.ac198b92 to version 2.0.14. (bsc#1169457)
* BUG/CRITICAL: hpack: never index a header into the headroom after
wrapping
* BUG/MAJOR: dns: add minimalist error processing on the Rx path
* BUG/MAJOR: hashes: fix the signedness of the hash inputs
* BUG/MAJOR: http-ana: Always abort the request when a tarpit is
triggered
* BUG/MAJOR: list: fix invalid element address calculation
* BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is
empty.
* BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
* BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreign requeuing
* BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
* BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response
payload
* BUG/MEDIUM: checks: Make sure we set the task affinity just before
connecting.
* BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is
ready.
* BUG/MEDIUM: cli: _getsocks must send the peers sockets
* BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing
the payload
* BUG/MEDIUM: connection: add a mux flag to indicate splice usability
* BUG/MEDIUM: connections: Don't forget to unlock when killing a
connection.
* BUG/MEDIUM: connections: Hold the lock when wanting to kill a
connection.
* BUG/MEDIUM: debug: make the debug_handler check for the thread in
threads_to_dump
* BUG/MEDIUM: ebtree: don't set attribute packed without unaligned
access support
* BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on
the same fd
* BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is
applied
* BUG/MEDIUM: kqueue: Make sure we report read events even when no data.
* BUG/MEDIUM: listener/thread: fix a race when pausing a listener
* BUG/MEDIUM: listener/threads: fix a remaining race in the listener's
accept()
* BUG/MEDIUM: listener: only consider running threads when resuming
listeners
* BUG/MEDIUM: memory: Add a rwlock before freeing memory.
* BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
* BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
* BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
* BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
* BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything
but "trailers"
* BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
* BUG/MEDIUM: muxes: Use the right argument when calling the destroy
method.
* BUG/MEDIUM: mworker: remain in mworker mode during reload
* BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
* BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
* BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive.
* BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
* BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
* BUG/MEDIUM: random: initialize the random pool a bit better
* BUG/MEDIUM: session: do not report a failure when rejecting a session
* BUG/MEDIUM: shctx: make sure to keep all blocks aligned
* BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
* BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
* BUG/MEDIUM: ssl: Revamp the way early data are handled.
* BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch
functions
* BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to
flush data
* BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX
stream
* BUG/MEDIUM: tasks: Make sure we switch wait queues in
task_set_affinity().
* BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in
__signal_process_queue().
* BUG/MINOR: 51d: Fix bug when HTX is enabled
* BUG/MINOR: cache: Fix leak of cache name in error path
* BUG/MINOR: channel: inject output data at the end of output
* BUG/MINOR: checks/threads: use ha_random() and not rand()
* BUG/MINOR: checks: refine which errno values are really errors.
* BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
* BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
* BUG/MINOR: connection: make sure to correctly tag local PROXY
connections
* BUG/MINOR: connections: Make sure we free the connection on failure.
* BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy
ones
* BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
* BUG/MINOR: dns: Make dns_query_id_seed unsigned
* BUG/MINOR: dns: allow 63 char in hostname
* BUG/MINOR: dns: allow srv record weight set to 0
* BUG/MINOR: dns: ignore trailing dot
* BUG/MINOR: filters: Count HTTP headers as filtered data but don't
forward them
* BUG/MINOR: filters: Forward everything if no data filters are called
* BUG/MINOR: filters: Use filter offset to deduce the amount of
forwarded data
* BUG/MINOR: h1: Report the right error position when a header value is
invalid
* BUG/MINOR: haproxy/threads: close a possible race in soft-stop
detection
* BUG/MINOR: haproxy/threads: try to make all threads leave together
* BUG/MINOR: haproxy: always initialize sleeping_thread_mask
* BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all
filters
* BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
* BUG/MINOR: http-ana: Reset request analysers on a response side error
* BUG/MINOR: http-ana: Reset request analysers on error when waiting for
response
* BUG/MINOR: http-htx: Don't make http_find_header() fail if the value
is empty
* BUG/MINOR: http-rules: Fix a typo in the reject action function
* BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
* BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
* BUG/MINOR: http: http-request replace-path duplicates the query string
* BUG/MINOR: http_act: don't check capture id in backend
* BUG/MINOR: http_ana: make sure redirect flags don't have overlapping
bits
* BUG/MINOR: init: make the automatic maxconn consider the max of
soft/hard limits
* BUG/MINOR: listener/mq: do not dispatch connections to remote threads
when stopping
* BUG/MINOR: listener/threads: always use atomic ops to clear the FD
events
* BUG/MINOR: listener: also clear the error flag on a paused listener
* BUG/MINOR: listener: do not immediately resume on transient error
* BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
* BUG/MINOR: listener: fix off-by-one in state name check
* BUG/MINOR: log: fix minor resource leaks on logformat error path
* BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
* BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be
added
* BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set
H1C_F_CS_SHUTDOWN
* BUG/MINOR: mux-h1: Fix conditions to know whether or not we may
receive data
* BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
* BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers
* BUG/MINOR: namespace: avoid closing fd when socket failed in
my_socketat
* BUG/MINOR: pattern: Do not pass len = 0 to calloc()
* BUG/MINOR: pattern: handle errors from fgets when trying to load
patterns
* BUG/MINOR: peers: Use after free of "peers" section.
* BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
* BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
* BUG/MINOR: proxy: Fix input data copy when an error is captured
* BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state
* BUG/MINOR: rules: Increment be_counters if backend is assigned for a
silent-drop
* BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
* BUG/MINOR: sample: Make sure to return stable IDs in the unique-id
fetch
* BUG/MINOR: sample: always check converters' arguments
* BUG/MINOR: sample: fix the closing bracket and LF in the debug
converter
* BUG/MINOR: sample: fix the json converter's endian-sensitivity
* BUG/MINOR: server: make "agent-addr" work on default-server line
* BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
* BUG/MINOR: ssl: certificate choice can be unexpected with openssl >=
1.1.1
* BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
* BUG/MINOR: ssl: we may only ignore the first 64 errors
* BUG/MINOR: stats: Fix color of draining servers on stats page
* BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during
parsing
* BUG/MINOR: stktable: report the current proxy name in error messages
* BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is
already reached
* BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still
possible
* BUG/MINOR: stream: don't mistake match rules for store-request rules
* BUG/MINOR: stream: init variables when the list is empty
* BUG/MINOR: tasks: only requeue a task if it was already in the queue
* BUG/MINOR: tcp-rules: Fix memory releases on error path during action
parsing
* BUG/MINOR: tcp: avoid closing fd when socket failed in
tcp_bind_listener
* BUG/MINOR: tcp: don't try to set defaultmss when value is negative
* BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
* BUG/MINOR: unix: better catch situations where the unix socket path
length is close to the limit
* BUG/MINOR: wdt: do not return an error when the watchdog couldn't be
enabled
* DOC: Clarify behavior of server maxconn in HTTP mode
* DOC: Improve documentation of http-re(quest|sponse)
replace-(header|value|uri)
* DOC: assorted typo fixes in the documentation
* DOC: assorted typo fixes in the documentation and Makefile
* DOC: clarify matching strings on binary fetches
* DOC: clarify the fact that replace-uri works on a full URI
* DOC: configuration.txt: fix various typos
* DOC: document the listener state transitions
* DOC: fix incorrect indentation of http_auth_*
* DOC: fix typo about no-tls-tickets
* DOC: improve description of no-tls-tickets
* DOC: internals: Fix spelling errors in filters.txt
* DOC: listeners: add a few missing transitions
* DOC: move the "group" keyword at the right place
* DOC: proxies: HAProxy only supports 3 connection modes
* DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
* DOC: remove references to the outdated architecture.txt
* DOC: ssl: clarify security implications of TLS tickets
* DOC: word converter ignores delimiters at the start or end of input
string
* MINOR: acl: Warn when an ACL is named 'or'
* MINOR: backend: use a single call to ha_random32() for the random LB
algo
* MINOR: build: add linux-glibc-legacy build TARGET
* MINOR: compiler: add new alignment macros
* MINOR: compiler: move CPU capabilities definition from config.h and
complete them
* MINOR: config: disable busy polling on old processes
* MINOR: contrib/prometheus-exporter: Add healthcheck status/code in
server metrics
* MINOR: contrib/prometheus-exporter: Add the last healthcheck duration
metric
* MINOR: debug: report the task handler's pointer relative to main
* MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile
attribute
* MINOR: filters: Forward data only if the last filter forwards something
* MINOR: haproxy: export main to ease access from debugger
* MINOR: http-htx: Add a function to retrieve the headers size of an HTX
message
* MINOR: http-rules: Add a flag on redirect rules to know the rule
direction
* MINOR: http-rules: Handle the rule direction when a redirect is
evaluated
* MINOR: http: add a new "replace-path" action
* MINOR: htx: Add a function to return a block at a specific offset
* MINOR: ist: add an iststop() function
* MINOR: listener: add so_name sample fetch
* MINOR: memory: Change the flush_lock to a spinlock, and don't get it
in alloc.
* MINOR: memory: Only init the pool spinlock once.
* MINOR: proxy/http-ana: Add support of extra attributes for the cookie
directive
* MINOR: ssl: Remove unused variable "need_out".
* MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
* MINOR: tools: add 64-bit rotate operators
* MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into
types/signal.h.
* OPTIM: startup: fast unique_id allocation for acl.
* SCRIPTS: announce-release: allow the user to force to overwrite old
files
* SCRIPTS: announce-release: place the send command in the mail's header
* SCRIPTS: announce-release: use mutt -H instead of -i to include the
draft
* SCRIPTS: make announce-release executable again
Patch Instructions:
To install this SUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise High Availability 15:
zypper in -t patch SUSE-SLE-Product-HA-15-2020-1185=1
Package List:
- SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
haproxy-2.0.14-3.22.1
haproxy-debuginfo-2.0.14-3.22.1
haproxy-debugsource-2.0.14-3.22.1
References:
https://bugzilla.suse.com/1169457