<div class="container">
<h1>Feature update for haproxy</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-FU-2023:2117-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1207181">#1207181</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208132">#1208132</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-0056.html">CVE-2023-0056</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-25725.html">CVE-2023-25725</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-0056</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-0056</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-25725</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-25725</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise High Availability Extension 15 SP1</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP1</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP1</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP1</li>
<li class="list-group-item">SUSE Manager Proxy 4.0</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.0</li>
<li class="list-group-item">SUSE Manager Server 4.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities and contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for haproxy fixes the following issues:</p>
<p>Update to version 2.0.31 (jsc#PED-3821):</p>
<ul>
<li>BUG/CRITICAL: http: properly reject empty http header field names</li>
<li>CI: github: don't warn on deprecated openssl functions on windows</li>
<li>DOC: proxy-protocol: fix wrong byte in provided example</li>
<li>DOC: config: 'http-send-name-header' option may be used in default section</li>
<li>DOC: config: fix option spop-check proxy compatibility</li>
<li>BUG/MEDIUM: cache: use the correct time reference when comparing dates</li>
<li>BUG/MEDIUM: stick-table: do not leave entries in end of window during purge</li>
<li>BUG/MEDIUM: ssl: wrong eviction from the session cache tree</li>
<li>BUG/MINOR: http-ana: make set-status also update txn->status</li>
<li>BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state</li>
<li>BUG/MINOR: promex: Don't forget to consume the request on error</li>
<li>BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action</li>
<li>BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned</li>
<li>BUILD: makefile: sort the features list</li>
<li>BUILD: makefile: build the features list dynamically</li>
<li>BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats</li>
<li>BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set</li>
<li>LICENSE: wurfl: clarify the dummy library license.</li>
<li>BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout</li>
<li>BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers</li>
<li>BUG/MINOR: ssl: Fix potential overflow</li>
<li>BUG/MEDIUM: ssl: Verify error codes can exceed 63</li>
<li>CI: github: change "ubuntu-latest" to "ubuntu-20.04"</li>
<li>SCRIPTS: announce-release: add a link to the data plane API</li>
<li>[RELEASE] Released version 2.0.30</li>
<li>Revert "CI: determine actual LibreSSL version dynamically"</li>
<li>DOC: config: clarify the -m dir and -m dom pattern matching methods</li>
<li>DOC: config: clarify the fact that "retries" is not just for connections</li>
<li>DOC: config: explain how default matching method for ACL works</li>
<li>DOC: config: clarify the fact that SNI should not be used in HTTP scenarios</li>
<li>DOC: config: provide some configuration hints for "http-reuse"</li>
<li>BUILD: listener: fix build warning on global_listener_rwlock without threads</li>
<li>BUILD: peers: Remove unused variables</li>
<li>BUG/MEDIUM: peers: messages about unkown tables not correctly ignored</li>
<li>BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists</li>
<li>BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task</li>
<li>CI: emit the compiler's version in the build reports</li>
<li>CI: add monthly gcc cross compile jobs</li>
<li>BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task</li>
<li>BUG/MAJOR: stick-table: don't process store-response rules for applets</li>
<li>DOC: management: add forgotten "show startup-logs"</li>
<li>CI: Replace the deprecated <code>::set-output</code> command by writing to $GITHUB_OUTPUT in workflow definition</li>
<li>CI: Replace the deprecated <code>::set-output</code> command by writing to $GITHUB_OUTPUT in matrix.py</li>
<li>BUG/MAJOR: stick-tables: do not try to index a server name for applets</li>
<li>DOC: configuration: missing 'if' in tcp-request content example</li>
<li>BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os</li>
<li>BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()</li>
<li>BUG/MEDIUM: lua: handle stick table implicit arguments right.</li>
<li>BUILD: cfgparse: Fix GCC warning about a variable used after realloc</li>
<li>BUILD: fix compilation for OpenSSL-3.0.0-alpha17</li>
<li>BUG/MINOR: log: improper behavior when escaping log data</li>
<li>SCRIPTS: announce-release: update some URLs to https</li>
<li>BUG/MEDIUM: captures: free() an error capture out of the proxy lock</li>
<li>BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK</li>
<li>BUG/MINOR: signals/poller: ensure wakeup from signals</li>
<li>BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals</li>
<li>BUG/MINOR: h1: Support headers case adjustment for TCP proxies</li>
<li>REGTESTS: http_request_buffer: Add a barrier to not mix up log messages</li>
<li>BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date</li>
<li>BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress</li>
<li>BUG/MEDIUM: peers: Add connect and server timeut to peers proxy</li>
<li>BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode</li>
<li>DOC: configuration: do-resolve doesn't work with a port in the string</li>
<li>BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()</li>
<li>BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle</li>
<li>BUILD: http: silence an uninitialized warning affecting gcc-5</li>
<li>BUG/MEDIUM: proxy: Perform a custom copy for default server settings</li>
<li>REORG: server: Export srv_settings_cpy() function</li>
<li>MINOR: server: Constify source server to copy its settings</li>
<li>BUG/MINOR: peers: Use right channel flag to consider the peer as connected</li>
<li>BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload</li>
<li>MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer</li>
<li>BUG/MINOR: ssl: free the fields in srv->ssl_ctx</li>
<li>BUG/MINOR: sockpair: wrong return value for fd_send_uxst()</li>
<li>BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible</li>
<li>BUG/MINOR: peers: fix possible NULL dereferences at config parsing</li>
<li>BUG/MINOR: peers/config: always fill the bind_conf's argument</li>
<li>BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch</li>
<li>BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created</li>
<li>BUG/MINOR: server: do not enable DNS resolution on disabled proxies</li>
<li>BUILD: compiler: implement unreachable for older compilers too</li>
<li>REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients</li>
<li>REGTESTS: abortonclose: Add a barrier to not mix up log messages</li>
<li>BUG/MINOR: conn_stream: do not confirm a connection from the frontend path</li>
<li>DOC: peers: fix port number and addresses on new peers section format</li>
<li>DOC: peers: clarify when entry expiration date is renewed.</li>
<li>DOC: peers: indicate that some server settings are not usable</li>
<li>SCRIPTS: make publish-release try to launch make-releases-json</li>
<li>SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs</li>
<li>BUG/MEDIUM: sample: Fix adjusting size in word converter</li>
<li>BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section</li>
<li>BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections</li>
<li>BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols</li>
<li>BUG/MINOR: peers: fix error reporting of "bind" lines</li>
<li>REGTESTS: abortonclose: Fix some race conditions</li>
<li>BUILD: fix build warning on solaris based systems with __maybe_unused.</li>
<li>CI: determine actual LibreSSL version dynamically</li>
<li>[RELEASE] Released version 2.0.29</li>
<li>BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x</li>
<li>CLEANUP: mux-h1: Fix comments and error messages for global options</li>
<li>BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized</li>
<li>BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).</li>
<li>DOC: fix typo "ant" for "and" in INSTALL</li>
<li>BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init</li>
<li>BUG/MINOR: map/cli: protect the backref list during "show map" errors</li>
<li>BUG/MEDIUM: cli: make "show cli sockets" really yield</li>
<li>BUG/MINOR: mux-h2: mark the stream as open before processing it not after</li>
<li>SCRIPTS: announce-release: add URL of dev packages</li>
<li>CI: github actions: update LibreSSL to 3.5.2</li>
<li>BUILD: sockpair: do not set unused flag</li>
<li>BUILD: proto_uxst: do not set unused flag</li>
<li>BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()</li>
<li>REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc</li>
<li>DOC: remove my name from the config doc</li>
<li>BUG/MINOR: cache: Disable cache if applet creation fails</li>
<li>SCRIPTS: announce-release: add shortened links to pending issues</li>
<li>DOC: lua: update a few doc URLs</li>
<li>SCRIPTS: announce-release: update the doc's URL</li>
<li>BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags</li>
<li>BUG/MEDIUM: mux-h1: Don't request more room on partial trailers</li>
<li>BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive</li>
<li>BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side</li>
<li>BUG/MINOR: cache: do not display expired entries in "show cache"</li>
<li>BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent</li>
<li>CI: Update to actions/cache@v3</li>
<li>CI: Update to actions/checkout@v3</li>
<li>BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid</li>
<li>BUG/MAJOR: mux_pt: always report the connection error to the conn_stream</li>
<li>DOC: reflect H2 timeout changes</li>
<li>BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts</li>
<li>MEDIUM: mux-h2: slightly relax timeout management rules</li>
<li>BUG/MEDIUM: stream-int: do not rely on the connection error once established</li>
<li>BUG/MINOR: tools: url2sa reads too far when no port nor path</li>
<li>BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf</li>
<li>CI: github actions: switch to LibreSSL-3.5.1</li>
<li>BUILD: dns: fix backport of previous dns fix</li>
<li>BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket</li>
<li>Revert "BUG/MAJOR: mux-pt: Always destroy the backend connection on detach"</li>
<li>BUG/MINOR: tools: fix url2sa return value with IPv4</li>
<li>[RELEASE] Released version 2.0.28</li>
<li>DOC: Fix usage/examples of deprecated ACLs</li>
<li>BUG/MINOR: stream: make the call_rate only count the no-progress calls</li>
<li>DOC: use the req.ssl_sni in examples</li>
<li>DOC: ssl: req_ssl_sni needs implicit TLS</li>
<li>BUG/MAJOR: mux-pt: Always destroy the backend connection on detach</li>
<li>BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing</li>
<li>DEBUG: cache: Update underlying buffer when loading HTX message in cache applet</li>
<li>BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request</li>
<li>BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request</li>
<li>BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request</li>
<li>BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request</li>
<li>BUG/MINOR: cli: shows correct mode in "show sess"</li>
<li>BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks</li>
<li>CLEANUP: atomic: add a fetch-and-xxx variant for common operations</li>
<li>CI: github actions: use cache for SSL libs</li>
<li>CI: github actions: add the output of $CC -dM -E-</li>
<li>BUG/MEDIUM: stream: Abort processing if response buffer allocation fails</li>
<li>BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer</li>
<li>BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer</li>
<li>BUG/MINOR: tools: url2sa reads ipv4 too far</li>
<li>BUG/MINOR: mailers: negotiate SMTP, not ESMTP</li>
<li>CI: ssl: keep the old method for ancient OpenSSL versions</li>
<li>CI: ssl: do not needlessly build the OpenSSL docs</li>
<li>CI: ssl: enable parallel builds for OpenSSL on Linux</li>
<li>BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names</li>
<li>BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload</li>
<li>BUG/MEDIUM: mworker: close unused transferred FDs on load failure</li>
<li>MINOR: sock: move the unused socket cleaning code into its own function</li>
<li>BUG/MAJOR: spoe: properly detach all agents when releasing the applet</li>
<li>BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies</li>
<li>BUG/MINOR: mworker: does not erase the pidfile upon reload</li>
<li>BUG/MEDIUM: mworker: don't lose the stats socket on failed reload</li>
<li>BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them</li>
<li>BUG/MEDIUM: mcli: do not try to parse empty buffers</li>
<li>BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands</li>
<li>MINOR: channel: add new function co_getdelim() to support multiple delimiters</li>
<li>MEDIUM: cli: yield between each pipelined command</li>
<li>[RELEASE] Released version 2.0.27</li>
<li>BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer</li>
<li>BUG/MEDIUM: cli: Never wait for more data on client shutdown</li>
<li>BUILD/MINOR: fix solaris build with clang.</li>
<li>BUG/MEDIUM: mworker: don't use _getsocks in wait mode</li>
<li>BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry</li>
<li>BUG/MINOR: cli: fix _getsocks with musl libc</li>
<li>CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free</li>
<li>BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning</li>
<li>DOC: fix misspelled keyword "resolve_retries" in resolvers</li>
<li>BUILD: ssl: unbreak the build with newer libressl</li>
<li>BUILD: cli: clear a maybe-unused warning on some older compilers</li>
<li>BUG/MINOR: http: fix recent regression on authorization in legacy mode</li>
<li>Revert "BUG/MEDIUM: resolvers: always check a valid item in query_list"</li>
<li>BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose</li>
<li>BUG/MINOR: backend: do not set sni on connection reuse</li>
<li>BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode</li>
<li>DOC: config: Specify %Ta is only available in HTTP mode</li>
<li>DOC: spoe: Clarify use of the event directive in spoe-message section</li>
<li>MINOR: ssl: make tlskeys_list_get_next() take a list element</li>
<li>CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()</li>
<li>CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()</li>
<li>BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time</li>
<li>MINOR: cli: "show version" displays the current process version</li>
<li>BUILD: general: always pass unsigned chars to is* functions</li>
<li>CLEANUP: peers: Remove unused static function <code>free_dcache_tx</code></li>
<li>CLEANUP: peers: Remove unused static function <code>free_dcache</code></li>
<li>REGTESTS: mark the abns test as broken again</li>
<li>BUILD: scripts/build-ssl.sh: use "uname" instead of ${TRAVIS_OS_NAME}</li>
<li>BUILD: makefile: add entries to build common debugging tools</li>
<li>CI: Github Actions: temporarily disable BoringSSL builds</li>
<li>CI: Github Actions: switch to LibreSSL-3.3.3</li>
<li>CI: github actions: update LibreSSL to 3.2.5</li>
<li>Revert "CI: Pin VTest to a known good commit"</li>
<li>CI: github actions: switch to stable LibreSSL release</li>
<li>CI: Fix the coverity builds</li>
<li>CI: Fix DEBUG_STRICT definition for Coverity</li>
<li>CI: Pin VTest to a known good commit</li>
<li>CI: github actions: build several popular "contrib" tools</li>
<li>CI: GitHub Actions: enable daily Coverity scan</li>
<li>CI: github actions: enable 51degrees feature</li>
<li>CI: github actions: update LibreSSL to 3.3.0</li>
<li>CI: Clean up Windows CI</li>
<li>CI: Pass the github.event_name to matrix.py</li>
<li>CI: Github Action: run "apt-get update" before packages restore</li>
<li>CI: Github Actions: enable BoringSSL builds</li>
<li>CI: Github Actions: remove LibreSSL-3.0.2 builds</li>
<li>CI: Github Actions: enable prometheus exporter</li>
<li>CI: Stop hijacking the hosts file</li>
<li>CI: Expand use of GitHub Actions for CI</li>
<li>[RELEASE] Released version 2.0.26</li>
<li>BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found</li>
<li>BUG/MINOR: shctx: do not look for available blocks when the first one is enough</li>
<li>BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found</li>
<li>BUG/MEDIUM: mux-h2: always process a pending shut read</li>
<li>BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3</li>
<li>CLEANUP: ssl: Release cached SSL sessions on deinit</li>
<li>MINOR: mux-h2: perform a full cycle shutdown+drain on close</li>
<li>MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close</li>
<li>BUG/MINOR: stick-table/cli: Check for invalid ipv6 key</li>
<li>BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent</li>
<li>BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value</li>
<li>BUG/MINOR: mworker: doesn't launch the program postparser</li>
<li>BUG/MEDIUM: conn-stream: Don't reset CS flags on close</li>
<li>BUG/MINOR: http-ana: Apply stop to the current section for http-response rules</li>
<li>DOC: config: Fix typo in ssl_fc_unique_id description</li>
<li>BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value</li>
<li>BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary</li>
<li>MINOR: htx: Add a function to know if the free space wraps</li>
<li>MINOR: htx: Add an HTX flag to know when a message is fragmented</li>
<li>BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check</li>
<li>MINOR: stream: Improve dump of bogus streams</li>
<li>DOC: config: Fix alphabetical order of fc_* samples</li>
<li>BUG/MINOR: http: Authorization value can have multiple spaces after the scheme</li>
<li>BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration</li>
<li>CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT</li>
<li>CLEANUP: always initialize the answer_list</li>
<li>CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()</li>
<li>BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released</li>
<li>BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed</li>
<li>BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame</li>
<li>BUG/MEDIUM: resolvers: always check a valid item in query_list</li>
<li>BUILD: resolvers: avoid a possible warning on null-deref</li>
<li>MINOR: resolvers: merge address and target into a union "data"</li>
<li>BUG/MEDIUM: resolvers: use correct storage for the target address</li>
<li>BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix</li>
<li>MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero</li>
<li>BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records</li>
<li>BUG/MEDIUM: resolver: make sure to always use the correct hostname length</li>
<li>MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero</li>
<li>BUG/MEDIUM: sample: properly verify that variables cast to sample</li>
<li>MINOR: sample: provide a generic var-to-sample conversion function</li>
<li>CLEANUP: sample: uninline sample_conv_var2smp_str()</li>
<li>CLEANUP: sample: rename sample_conv_var2smp() to *_sint</li>
<li>BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error</li>
<li>BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames</li>
<li>BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule</li>
<li>BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release</li>
<li>BUG/MINOR: filters: Set right FLT_END analyser depending on channel</li>
<li>BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set</li>
<li>BUG/MEDIUM: http-ana: Reset channels analysers when returning an error</li>
<li>BUG/MINOR: stream: Don't release a stream if FLT_END is still registered</li>
<li>BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input</li>
<li>BUG/MAJOR: lua: use task_wakeup() to properly run a task once</li>
<li>BUG/MEDIUM: lua: fix wakeup condition from sleep()</li>
<li>DOC: peers: fix doc "enable" statement on "peers" sections</li>
<li>BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers"</li>
<li>BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM</li>
<li>BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data</li>
<li>BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer</li>
<li>BUG/MINOR: server: allow 'enable health' only if check configured</li>
<li>Revert "REGTESTS: mark http_abortonclose as broken"</li>
<li>BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached</li>
<li>MEDIUM: actions: Fix block ACL.</li>
<li>BUG/MINOR: stats: fix the POST requests processing in legacy mode</li>
<li>BUG/MEDIUM: http: check for a channel pending data before waiting</li>
<li>BUG/MINOR: cli/payload: do not search for args inside payload</li>
<li>BUG/MINOR: compat: make sure __WORDSIZE is always defined</li>
<li>BUG/MINOR: systemd: ExecStartPre must use -Ws</li>
<li>[RELEASE] Released version 2.0.25</li>
<li>REGTESTS: mark http_abortonclose as broken</li>
<li>MINOR: action: Use a generic function to check validity of an action rule list</li>
<li>Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"</li>
<li>BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer</li>
<li>CLEANUP: htx: remove comments about "must be < 256 MB"</li>
<li>BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB</li>
<li>DOC: configuration: remove wrong tcp-request examples in tcp-response</li>
<li>CLEANUP: Add missing include guard to signal.h</li>
<li>BUG/MINOR: tools: Fix loop condition in dump_text()</li>
<li>BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time</li>
<li>BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long</li>
<li>BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords</li>
<li>MINOR: compiler: implement an ONLY_ONCE() macro</li>
<li>BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}</li>
<li>REGTESTS: abortonclose: after retries, 503 is expected, not close</li>
<li>BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-</li>
<li>[RELEASE] Released version 2.0.24</li>
<li>REGTESTS: add a test to prevent h2 desync attacks</li>
<li>BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header</li>
<li>DOC/MINOR: fix typo in management document</li>
<li>MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade</li>
<li>DOC: config: Fix 'http-response send-spoe-group' documentation</li>
<li>DOC: Improve the lua documentation</li>
<li>BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued</li>
<li>BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released</li>
<li>MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure</li>
<li>BUG/MINOR: server: update last_change on maint->ready transitions too</li>
<li>BUG/MINOR: connection: Add missing error labels to conn_err_code_str</li>
<li>BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames</li>
<li>BUG/MINOR: mux-h2: Obey dontlognull option during the preface</li>
<li>BUG/MINOR: systemd: must check the configuration using -Ws</li>
<li>BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs</li>
<li>BUG/MEDIUM: mworker: do not register an exit handler if exit is expected</li>
<li>BUILD: add detection of missing important CFLAGS</li>
<li>BUG/MEDIUM: tcp-check: Do not dereference inexisting connection</li>
<li>[RELEASE] Released version 2.0.23</li>
<li>BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled</li>
<li>BUG/MINOR: server-state: load SRV resolution only if params match the config</li>
<li>CLEANUP: pools: remove now unused seq and pool_free_list</li>
<li>BUG/MAJOR: pools: fix possible race with free() in the lockless variant</li>
<li>MEDIUM: pools: use a single pool_gc() function for locked and lockless</li>
<li>MEDIUM: memory: make pool_gc() run under thread isolation</li>
<li>BUG/MEDIUM: pools: Always update free_list in pool_gc().</li>
<li>MINOR: pools: do not maintain the lock during pool_flush()</li>
<li>BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()</li>
<li>MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS</li>
<li>Revert "MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules"</li>
<li>BUG/MINOR: peers: fix data_type bit computation more than 32 data_types</li>
<li>MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()</li>
<li>BUG/MINOR: resolvers: Reset server IP when no ip is found in the response</li>
<li>DOC: config: use CREATE USER for mysql-check</li>
<li>DOC: peers: fix the protocol tag name in the doc</li>
<li>DOC: stick-table: add missing documentation about gpt0 stored type</li>
<li>BUG/MINOR: stick-table: fix several printf sign errors dumping tables</li>
<li>BUG/MINOR: cli: fix server name output in "show fd"</li>
<li>BUG/MEDIUM: sock: make sure to never miss early connection failures</li>
<li>BUG/MINOR: server/cli: Fix locking in function processing "set server" command</li>
<li>BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI</li>
<li>BUG/MINOR: resolvers: answser item list was randomly purged or errors</li>
<li>DOC: config: Add missing actions in "tcp-request session" documentation</li>
<li>MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules</li>
<li>BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check</li>
<li>BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function</li>
<li>BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken</li>
<li>MINOR: mux-h2: obey http-ignore-probes during the preface</li>
<li>BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue</li>
<li>BUG/MINOR: mworker: fix typo in chroot error message</li>
<li>BUG/MINOR: ssl: use atomic ops to update global shctx stats</li>
<li>BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE</li>
<li>BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id</li>
<li>DOC: lua: Add a warning about buffers modification in HTTP</li>
<li>BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded</li>
<li>BUG/MEDIUM: dns: reset file descriptor if send returns an error</li>
<li>BUG/MEDIUM: compression: Add a flag to know the filter is still processing data</li>
<li>BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future</li>
<li>BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree</li>
<li>BUG/MINOR: http: Missing calloc return value check in make_arg_list</li>
<li>BUG/MINOR: http: Missing calloc return value check while parsing redirect rule</li>
<li>BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list</li>
<li>BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo</li>
<li>BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule</li>
<li>BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response</li>
<li>BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy</li>
<li>BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare</li>
<li>BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture</li>
<li>BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine</li>
<li>BUG/MINOR: peers: Missing calloc return value check in peers_register_table</li>
<li>BUG/MINOR: server: Missing calloc return value check in srv_parse_source</li>
<li>BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts</li>
<li>BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response</li>
<li>BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter</li>
<li>BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'</li>
<li>BUG/MEDIUM: ebtree: Invalid read when looking for dup entry</li>
<li>REGTESTS: Add script to test abortonclose option</li>
<li>MEDIUM: mux-h1: Don't block reads when waiting for the other side</li>
<li>BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive</li>
<li>MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()</li>
<li>BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port</li>
<li>BUG/MINOR: stream: Reset stream final state and si error type on L7 retry</li>
<li>BUG/MINOR: stream: properly clear the previous error mask on L7 retries</li>
<li>BUG/MINOR: stream: Decrement server current session counter on L7 retry</li>
<li>BUG/MEDIUM: cli: prevent memory leak on write errors</li>
<li>BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers</li>
<li>MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode</li>
<li>MINOR: peers: add informative flags about resync process for debugging</li>
<li>BUG/MEDIUM: peers: reset tables stage flags stages on new conns</li>
<li>BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly</li>
<li>BUG/MEDIUM: peers: reset commitupdate value in new conns</li>
<li>BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected</li>
<li>BUG/MEDIUM: peers: stop considering ack messages teaching a full resync</li>
<li>BUG/MEDIUM: peers: register last acked value as origin receiving a resync req</li>
<li>BUG/MEDIUM: peers: initialize resync timer to get an initial full resync</li>
<li>BUG/MINOR: applet: Notify the other side if data were consumed by an applet</li>
<li>BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message</li>
<li>BUG/MEDIUM: peers: re-work refcnt on table to protect against flush</li>
<li>BUG/MEDIUM: peers: re-work connection to new process during reload.</li>
<li>BUG/MINOR: peers: remove useless table check if initial resync is finished</li>
<li>BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data</li>
<li>BUG/MINOR: mworker: don't use oldpids[] anymore for reload</li>
<li>BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases</li>
<li>BUG/MEDIUM: config: fix cpu-map notation with both process and threads</li>
<li>BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames</li>
<li>BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers</li>
<li>BUG/MINOR: server: free srv.lb_nodes in free_server</li>
<li>BUG/MINOR: mux-h1: Release idle server H1 connection if data are received</li>
<li>BUG/MINOR: logs: Report the true number of retries if there was no connection</li>
<li>BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function</li>
<li>BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded</li>
<li>BUG/MEDIUM: threads: Ignore current thread to end its harmless period</li>
<li>BUG/MEDIUM: sample: Fix adjusting size in field converter</li>
<li>DOC: clarify that compression works for HTTP/2</li>
<li>BUG/MINOR: tools: fix parsing "us" unit for timers</li>
<li>DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options</li>
<li>[RELEASE] Released version 2.0.22</li>
<li>BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks</li>
<li>MINOR: resolvers: Directly call srvrq_update_srv_state() when possible</li>
<li>MINOR: resolvers: Add function to change the srv status based on SRV resolution</li>
<li>MINOR: resolvers: Purge answer items when a SRV resolution triggers an error</li>
<li>MINOR: resolvers: Use a function to remove answers attached to a resolution</li>
<li>BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution</li>
<li>BUG/MAJOR: dns: disabled servers through SRV records never recover</li>
<li>BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status</li>
<li>BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields</li>
<li>BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS</li>
<li>BUG/MINOR: tcp: fix silent-drop workaround for IPv6</li>
<li>BUG/MINOR: stats: Apply proper styles in HTML status page.</li>
<li>BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent</li>
<li>BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters</li>
<li>MINOR: tools: make url2ipv4 return the exact number of bytes parsed</li>
<li>BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless</li>
<li>BUG/MEDIUM: time: make sure to always initialize the global tick</li>
<li>BUG/MEDIUM: lua: Always init the lua stack before referencing the context</li>
<li>BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback</li>
<li>MINOR: lua: Slightly improve function dumping the lua traceback</li>
<li>MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket</li>
<li>BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable</li>
<li>MINOR: time: also provide a global, monotonic global_now_ms timer</li>
<li>[RELEASE] Released version 2.0.21</li>
<li>BUG/MINOR: freq_ctr/threads: make use of the last updated global time</li>
<li>MINOR: time: export the global_now variable</li>
<li>BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames</li>
<li>BUG/MINOR: resolvers: Reset server address on DNS error only on status change</li>
<li>BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error</li>
<li>CLEANUP: tcp-rules: add missing actions in the tcp-request error message</li>
<li>BUG/MINOR: session: Add some forgotten tests on session's listener</li>
<li>BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters</li>
<li>BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached</li>
<li>BUG/MEDIUM: session: NULL dereference possible when accessing the listener</li>
<li>BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode</li>
<li>BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()</li>
<li>BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive</li>
<li>BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout</li>
<li>DOC: spoe: Add a note about fragmentation support in HAProxy</li>
<li>BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1</li>
<li>BUG/MINOR: connection: Use the client's dst family for adressless servers</li>
<li>BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule</li>
<li>BUG/MINOR: http-ana: Only consider dst address to process originalto option</li>
<li>BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()</li>
<li>BUG/MEDIUM: resolvers: Reset address for unresolved servers</li>
<li>BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records</li>
<li>BUG/MINOR: resolvers: new callback to properly handle SRV record errors</li>
<li>BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal</li>
<li>BUG/MEDIUM: cli/shutdown sessions: make it thread-safe</li>
<li>BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop</li>
<li>BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe</li>
<li>BUG/MINOR: sample: secure convs that accept base64 string and var name as args</li>
<li>BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok</li>
<li>BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line</li>
<li>BUG/MINOR: server: Init params before parsing a new server-state line</li>
<li>BUG/MINOR: sample: Always consider zero size string samples as unsafe</li>
<li>BUG/MINOR: checks: properly handle wrapping time in __health_adjust()</li>
<li>BUG/MINOR: session: atomically increment the tracked sessions counter</li>
<li>BUG/MINOR: server: Remove RMAINT from admin state when loading server state</li>
<li>CLEANUP: channel: fix comment in ci_putblk.</li>
<li>BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL</li>
<li>BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines</li>
<li>BUG/MEDIUM: config: don't pick unset values from last defaults section</li>
<li>CLEANUP: deinit: release global and per-proxy server-state variables on deinit</li>
<li>BUG/MINOR: server: Fix server-state-file-name directive</li>
<li>BUG/MINOR: backend: hold correctly lock when killing idle conn</li>
<li>BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()</li>
<li>BUG/MINOR: server: re-align state file fields number</li>
<li>BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state</li>
<li>BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty</li>
<li>BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED</li>
<li>BUG/MEDIUM: mux-h2: handle remaining read0 cases</li>
<li>BUILD: Makefile: move REGTESTST_TYPE default setting</li>
<li>BUG/MINOR: xxhash: make sure armv6 uses memcpy()</li>
<li>BUG/MEDIUM: ssl: check a connection's status before computing a handshake</li>
<li>BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list</li>
<li>DOC: management: fix "show resolvers" alphabetical ordering</li>
<li>BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name</li>
<li>BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown</li>
<li>BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition</li>
<li>BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX</li>
<li>BUG/MEDIUM: mux-h2: fix read0 handling on partial frames</li>
<li>BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()</li>
<li>BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command.</li>
<li>BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable</li>
<li>BUG/MINOR: sample: Memory leak of sample_expr structure in case of error</li>
<li>BUG/MINOR: sample: check alloc_trash_chunk return value in concat()</li>
<li>[RELEASE] Released version 2.0.20</li>
<li>BUG/MINOR: sample: fix concat() converter's corruption with non-string variables</li>
<li>DOC: Add maintainers for the Prometheus exporter</li>
<li>SCRIPTS: announce-release: fix typo in help message</li>
<li>DOC: fix some spelling issues over multiple files</li>
<li>MINOR: contrib/prometheus-exporter: export build_info</li>
<li>BUILD: Makefile: exclude broken tests by default</li>
<li>BUG/MINOR: srv: do not init address if backend is disabled</li>
<li>SCRIPTS: make announce release support preparing announces before tag exists</li>
<li>SCRIPTS: improve announce-release to support different tag and versions</li>
<li>BUG/MINOR: cfgparse: Fail if the strdup() for <code>rule->be.name</code> for <code>use_backend</code> fails</li>
<li>MINOR: atomic: don't use ; to separate instruction on aarch64.</li>
<li>BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h</li>
<li>BUILD: plock: remove dead code that causes a warning in gcc 11</li>
<li>CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps</li>
<li>CONTRIB: halog: mark the has_zero* functions unused</li>
<li>CONTRIB: halog: fix build issue caused by %L printf format</li>
<li>BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode</li>
<li>BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests</li>
<li>BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well</li>
<li>REGTESTS: make use of HAPROXY_ARGS and pass -dM by default</li>
<li>CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric</li>
<li>CLEANUP: lua: Remove declaration of an inexistant function</li>
<li>BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight</li>
<li>BUG/MINOR: tools: Reject size format not starting by a digit</li>
<li>BUG/MINOR: tools: make parse_time_err() more strict on the timer validity</li>
<li>DOC: email change of the DeviceAtlas maintainer</li>
<li>BUG/MEDIUM: spoa/python: Fixing references to None</li>
<li>BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments</li>
<li>BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails</li>
<li>BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations</li>
<li>DOC: spoa/python: Fixing typos in comments</li>
<li>DOC: spoa/python: Rephrasing memory related error messages</li>
<li>DOC: spoa/python: Fixing typo in IP related error messages</li>
<li>BUG/MAJOR: spoa/python: Fixing return None</li>
<li>DOC/MINOR: Fix formatting in Management Guide</li>
<li>BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times</li>
<li>MINOR: cli: add a function to look up a CLI service description</li>
<li>MINOR: actions: add a function returning a service pointer from its name</li>
<li>MINOR: actions: Export actions lookup functions</li>
<li>BUG/MINOR: lua: Some lua init operation are processed unsafe</li>
<li>BUG/MINOR: lua: Post init register function are not executed beyond the first one</li>
<li>BUG/MINOR: lua: lua-load doesn't check its parameters</li>
<li>MINOR: plock: use an ARMv8 instruction barrier for the pause instruction</li>
<li>DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section</li>
<li>BUG/MAJOR: peers: fix partial message decoding</li>
<li>BUG/MAJOR: filters: Always keep all offsets up to date during data filtering</li>
<li>BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests</li>
<li>BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering</li>
<li>BUILD: http-htx: fix build warning regarding long type in printf</li>
<li>MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.</li>
<li>MINOR: spoe: Don't close connection in sync mode on processing timeout</li>
<li>BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet</li>
<li>BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches</li>
<li>BUG/MINOR: http-fetch: Extract cookie value even when no cookie name</li>
<li>BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages</li>
<li>BUG/MINOR: peers: Missing TX cache entries reset.</li>
<li>BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.</li>
<li>BUG/MINOR: lua: set buffer size during map lookups</li>
<li>BUG/MINOR: pattern: a sample marked as const could be written</li>
<li>[RELEASE] Released version 2.0.19</li>
<li>BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L</li>
<li>MINOR: http-htx: Add understandable errors for the errorfiles parsing</li>
<li>BUG/MEDIUM: stick-table: limit the time spent purging old entries</li>
<li>BUG/MINOR: filters: Skip disabled proxies during startup only</li>
<li>BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade</li>
<li>MINOR: server: Copy configuration file and line for server templates</li>
<li>BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup</li>
<li>BUG/MEDIUM: filters: Don't try to init filters for disabled proxies</li>
<li>BUG/MINOR: cache: Inverted variables in http_calc_maxage function</li>
<li>BUG/MINOR: lua: initialize sample before using it</li>
<li>BUG/MINOR: server: fix down_time report for stats</li>
<li>BUG/MINOR: server: fix srv downtime calcul on starting</li>
<li>BUG/MINOR: log: fix memory leak on logsrv parse error</li>
<li>BUG/MINOR: extcheck: add missing checks on extchk_setenv()</li>
<li>BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible</li>
<li>BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests</li>
<li>BUG/MEDIUM: server: support changing the slowstart value from state-file</li>
<li>BUG/MINOR: queue: properly report redistributed connections</li>
<li>BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.</li>
<li>BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn</li>
<li>BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages</li>
<li>BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided</li>
<li>BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once</li>
<li>MINOR: fd: report an error message when failing initial allocations</li>
<li>BUG/MINOR: mux-h2: do not stop outgoing connections on stopping</li>
<li>BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited</li>
<li>BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().</li>
<li>BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses</li>
<li>BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams</li>
<li>BUG/MINOR: mux-h1: Always set the session on frontend h1 stream</li>
<li>BUG/MINOR: peers: Inconsistency when dumping peer status codes.</li>
<li>MINOR: hlua: Display debug messages on stderr only in debug mode</li>
<li>BUG/MINOR: stats: fix validity of the json schema</li>
<li>MINOR: counters: fix a typo in comment</li>
<li>BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe</li>
<li>BUG/MINOR: Fix several leaks of 'log_tag' in init().</li>
<li>BUILD: makefile: Fix building with closefrom() support enabled</li>
<li>DOC: ssl: crt-list negative filters are only a hint</li>
<li>[RELEASE] Released version 2.0.18</li>
<li>REGTEST: make map_regm_with_backref require 1.7</li>
<li>REGTEST: make abns_socket.vtc require 1.8</li>
<li>REGTEST: fix host part in balance-uri-path-only.vtc</li>
<li>REGTESTS: add a few load balancing tests</li>
<li>DOC: agent-check: fix typo in "fail" word expected reply</li>
<li>DOC: spoa-server: fix false friends <code>actually</code></li>
<li>BUG/MEDIUM: listeners: do not pause foreign listeners</li>
<li>BUG/MINOR: config: Fix memory leak on config parse listen</li>
<li>BUG/MINOR: Fix memory leaks cfg_parse_peers</li>
<li>BUG/MEDIUM: h2: report frame bits only for handled types</li>
<li>BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch</li>
<li>BUG/MINOR: server: report correct error message for invalid port on "socks4"</li>
<li>BUG/MINOR: ssl: verifyhost is case sensitive</li>
<li>BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate</li>
<li>BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers</li>
<li>BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned</li>
<li>BUILD: threads: better workaround for late loading of libgcc_s</li>
<li>BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections</li>
<li>BUG/MINOR: auth: report valid crypto(3) support depending on build options</li>
<li>CLEANUP: Update .gitignore</li>
<li>MINOR: Commit .gitattributes</li>
<li>BUILD: thread: limit the libgcc_s workaround to glibc only</li>
<li>BUG/MINOR: threads: work around a libgcc_s issue with chrooting</li>
<li>BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()</li>
<li>BUG/MEDIUM: doc: Fix replace-path action description</li>
<li>BUG/MINOR: startup: haproxy -s cause 100% cpu</li>
<li>BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address</li>
<li>BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure</li>
<li>BUG/MINOR: contrib/spoa-server: Do not free reference to NULL</li>
<li>BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed</li>
<li>BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak</li>
<li>DOC: cache: Use '<name>' instead of '<id>' in error message</li>
<li>BUG/MINOR: reload: do not fail when no socket is sent</li>
<li>BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction</li>
<li>BUG/MINOR: stats: use strncmp() instead of memcmp() on health states</li>
<li>BUG/MINOR: snapshots: leak of snapshots on deinit()</li>
<li>BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation</li>
<li>BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation</li>
<li>BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime</li>
<li>BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send</li>
<li>BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response</li>
<li>SCRIPTS: git-show-backports: emit the shell command to backport a commit</li>
<li>SCRIPTS: git-show-backports: make -m most only show the left branch</li>
<li>[RELEASE] Released version 2.0.17</li>
<li>SCRIPTS: announce-release: add the link to the wiki in the announce messages</li>
<li>MINOR: stream-int: Be sure to have a mux to do sends and receives</li>
<li>MINOR: connection: Preinstall the mux for non-ssl connect</li>
<li>BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields</li>
<li>BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation</li>
<li>MEDIUM: lua: Add support for the Lua 5.4</li>
<li>BUG/MINOR: debug: Don't dump the lua stack if it is not initialized</li>
<li>BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received</li>
<li>BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected</li>
<li>BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed</li>
<li>BUG/MAJOR: dns: Make the do-resolve action thread-safe</li>
<li>BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete</li>
<li>BUG/MEDIUM: resolve: fix init resolving for ring and peers section.</li>
<li>BUG/MINOR: cfgparse: don't increment linenum on incomplete lines</li>
<li>BUILD: thread: add parenthesis around values of locking macros</li>
<li>MINOR: pools: increase MAX_BASE_POOLS to 64</li>
<li>BUG/MINOR: threads: Don't forget to init each thread toremove_lock.</li>
<li>REGEST: Add reg tests about error files</li>
<li>BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()</li>
<li>[RELEASE] Released version 2.0.16</li>
<li>BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked</li>
<li>BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.</li>
<li>BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode</li>
<li>CONTRIB: da: fix memory leak in dummy function da_atlas_open()</li>
<li>BUG/MINOR: sample: Free str.area in smp_check_const_meth</li>
<li>BUG/MINOR: sample: Free str.area in smp_check_const_bool</li>
<li>DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x</li>
<li>BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode</li>
<li>BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection</li>
<li>MINOR: http: Add support for http 413 status</li>
<li>BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server</li>
<li>BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready</li>
<li>MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only</li>
<li>BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()</li>
<li>BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received</li>
<li>BUG/MINOR: mux-h1: Disable splicing only if input data was processed</li>
<li>BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive</li>
<li>BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode</li>
<li>BUG/MINOR: http_act: don't check capture id in backend (2)</li>
<li>DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio</li>
<li>DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio</li>
<li>BUG/MINOR: proxy: always initialize the trash in show servers state</li>
<li>BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash</li>
<li>BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible</li>
<li>DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list</li>
<li>MINOR: cli: make "show sess" stop at the last known session</li>
<li>BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL</li>
<li>REGTEST: ssl: add some ssl_c_* sample fetches test</li>
<li>REGTEST: ssl: tests the ssl_f_* sample fetches</li>
<li>MINOR: spoe: Don't systematically create new applets if processing rate is low</li>
<li>BUG/MINOR: http_ana: clarify connection pointer check on L7 retry</li>
<li>BUG/MINOR: spoe: correction of setting bits for analyzer</li>
<li>REGTEST: Add a simple script to tests errorfile directives in proxy sections</li>
<li>BUG/MINOR: systemd: Wait for network to be online</li>
<li>MEDIUM: map: make the "clear map" operation yield</li>
<li>REGTEST: http-rules: test spaces in ACLs with master CLI</li>
<li>REGTEST: http-rules: test spaces in ACLs</li>
<li>BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI</li>
<li>BUG/MINOR: mworker/cli: fix the escaping in the master CLI</li>
<li>BUG/MINOR: cli: allow space escaping on the CLI</li>
<li>BUG/MINOR: spoe: add missing key length check before checking key names</li>
<li>BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks</li>
<li>BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness</li>
<li>MINOR: http: Add 404 to http-request deny</li>
<li>MINOR: http: Add 410 to http-request deny</li>
<li>[RELEASE] Released version 2.0.15</li>
<li>REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used</li>
<li>BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0</li>
<li>REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation</li>
<li>REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv</li>
<li>BUG/MEDIUM: pattern: fix thread safety of pattern matching</li>
<li>BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor</li>
<li>BUG/MINOR: mworker: fix a memleak when execvp() failed</li>
<li>BUG/MEDIUM: mworker: fix the reload with an -- option</li>
<li>BUG/MINOR: init: -S can have a parameter starting with a dash</li>
<li>BUG/MINOR: init: -x can have a parameter starting with a dash</li>
<li>BUG/MEDIUM: mworker: fix the copy of options in copy_argv()</li>
<li>BUILD: makefile: adjust the sed expression of "make help" for solaris</li>
<li>BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version</li>
<li>BUG/MEDIUM: logs: fix trailing zeros on log message.</li>
<li>BUG/MINOR: logs: prevent double line returns in some events.</li>
<li>BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics</li>
<li>BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations</li>
<li>BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action</li>
<li>BUG/MINOR: peers: fix internal/network key type mapping.</li>
<li>SCRIPTS: publish-release: pass -n to gzip to remove timestamp</li>
<li>Revert "BUG/MEDIUM: connections: force connections cleanup on server changes"</li>
<li>BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf</li>
<li>BUG/MINOR: lua: Add missing string length for lua sticktable lookup</li>
<li>BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable</li>
<li>BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified</li>
<li>BUG/MINOR: cache: Don't needlessly test "cache" keyword in parse_cache_flt()</li>
<li>BUILD: select: only declare existing local labels to appease clang</li>
<li>BUG/MINOR: soft-stop: always wake up waiting threads on stopping</li>
<li>BUG/MINOR: pollers: remove uneeded free in global init</li>
<li>BUG/MINOR: pools: use %u not %d to report pool stats in "show pools"</li>
<li>BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered</li>
<li>BUG/MEDIUM: http_ana: make the detection of NTLM variants safer</li>
<li>BUG/MINOR: http-ana: fix NTLM response parsing again</li>
<li>BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur</li>
<li>BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT</li>
<li>BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()</li>
<li>BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()</li>
<li>BUG/MINOR: sample: Set the correct type when a binary is converted to a string</li>
<li>CLEANUP: connections: align function declaration</li>
<li>BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()</li>
<li>BUG/MEDIUM: connections: force connections cleanup on server changes</li>
<li>BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure</li>
<li>BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.</li>
<li>BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.</li>
<li>BUG/MINOR: checks: Remove a warning about http health checks</li>
<li>BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks</li>
<li>BUG/MEDIUM: checks: Always initialize checks before starting them</li>
<li>BUG/MINOR: checks/server: use_ssl member must be signed</li>
<li>BUG/MEDIUM: server/checks: Init server check during config validity check</li>
<li>Revert "BUG/MINOR: connection: make sure to correctly tag local PROXY connections"</li>
<li>BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection</li>
<li>REGTEST: ssl: test the client certificate authentication</li>
<li>MINOR: stream: report the list of active filters on stream crashes</li>
<li>BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock</li>
<li>BUG/MEDIUM: shctx: really check the lock's value while waiting</li>
<li>BUG/MINOR: debug: properly use long long instead of long for the thread ID</li>
<li>MINOR: threads: export the POSIX thread ID in panic dumps</li>
<li>BUG/MEDIUM: listener: mark the thread as not stuck inside the loop</li>
<li>BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream</li>
<li>BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam</li>
<li>BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam</li>
<li>BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream</li>
<li>BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream</li>
<li>BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function</li>
<li>BUG/MINOR: checks: chained expect will not properly wait for enough data</li>
<li>BUG/MINOR: checks: Respect the no-check-ssl option</li>
<li>MINOR: checks: Add a way to send custom headers and payload during http chekcs</li>
<li>BUG/MINOR: check: Update server address and port to execute an external check</li>
<li>DOC: option logasap does not depend on mode</li>
<li>BUG/MINOR: http: make url_decode() optionally convert '+' to SP</li>
<li>BUG/MINOR: tools: fix the i386 version of the div64_32 function</li>
<li>BUG/MEDIUM: http-ana: Handle NTLM messages correctly.</li>
<li>BUG/MINOR: ssl: default settings for ssl server options are not used</li>
<li>DOC: Improve documentation on http-request set-src</li>
<li>DOC: hashing: update link to hashing functions</li>
<li>BUG/MINOR: peers: Incomplete peers sections should be validated.</li>
<li>BUG/MINOR: protocol_buffer: Wrong maximum shifting.</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE Moderate update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise High Availability Extension 15 SP1
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2023-2117=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise High Availability Extension 15 SP1 (aarch64 ppc64le s390x x86_64)
<ul>
<li>haproxy-debuginfo-2.0.31-150100.8.31.1</li>
<li>haproxy-debugsource-2.0.31-150100.8.31.1</li>
<li>haproxy-2.0.31-150100.8.31.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-0056.html">https://www.suse.com/security/cve/CVE-2023-0056.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-25725.html">https://www.suse.com/security/cve/CVE-2023-25725.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1207181">https://bugzilla.suse.com/show_bug.cgi?id=1207181</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208132">https://bugzilla.suse.com/show_bug.cgi?id=1208132</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-3821">https://jira.suse.com/browse/PED-3821</a>
</li>
</ul>
</div>