Recommended update for haproxy

Announcement ID: SUSE-RU-2020:1185-1
Rating: moderate
References:
Affected Products:
  • SUSE Linux Enterprise High Availability Extension 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15

An update that has one fix can now be installed.

Description:

This update for haproxy fixes the following issues:

  • Update from version 2.0.10+git0.ac198b92 to version 2.0.14. (bsc#1169457)
  • BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
  • BUG/MAJOR: dns: add minimalist error processing on the Rx path
  • BUG/MAJOR: hashes: fix the signedness of the hash inputs
  • BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
  • BUG/MAJOR: list: fix invalid element address calculation
  • BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty.
  • BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
  • BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreign requeuing
  • BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
  • BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
  • BUG/MEDIUM: checks: Make sure we set the task affinity just before connecting.
  • BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready.
  • BUG/MEDIUM: cli: _getsocks must send the peers sockets
  • BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
  • BUG/MEDIUM: connection: add a mux flag to indicate splice usability
  • BUG/MEDIUM: connections: Don't forget to unlock when killing a connection.
  • BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
  • BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
  • BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
  • BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd
  • BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied
  • BUG/MEDIUM: kqueue: Make sure we report read events even when no data.
  • BUG/MEDIUM: listener/thread: fix a race when pausing a listener
  • BUG/MEDIUM: listener/threads: fix a remaining race in the listener's accept()
  • BUG/MEDIUM: listener: only consider running threads when resuming listeners
  • BUG/MEDIUM: memory: Add a rwlock before freeing memory.
  • BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
  • BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
  • BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
  • BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
  • BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers"
  • BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
  • BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
  • BUG/MEDIUM: mworker: remain in mworker mode during reload
  • BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
  • BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
  • BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive.
  • BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
  • BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
  • BUG/MEDIUM: random: initialize the random pool a bit better
  • BUG/MEDIUM: session: do not report a failure when rejecting a session
  • BUG/MEDIUM: shctx: make sure to keep all blocks aligned
  • BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
  • BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
  • BUG/MEDIUM: ssl: Revamp the way early data are handled.
  • BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
  • BUG/MEDIUM: stream-int: don't subscribe for recv when we're trying to flush data
  • BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream
  • BUG/MEDIUM: tasks: Make sure we switch wait queues in task_set_affinity().
  • BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
  • BUG/MINOR: 51d: Fix bug when HTX is enabled
  • BUG/MINOR: cache: Fix leak of cache name in error path
  • BUG/MINOR: channel: inject output data at the end of output
  • BUG/MINOR: checks/threads: use ha_random() and not rand()
  • BUG/MINOR: checks: refine which errno values are really errors.
  • BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
  • BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
  • BUG/MINOR: connection: make sure to correctly tag local PROXY connections
  • BUG/MINOR: connections: Make sure we free the connection on failure.
  • BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones
  • BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
  • BUG/MINOR: dns: Make dns_query_id_seed unsigned
  • BUG/MINOR: dns: allow 63 char in hostname
  • BUG/MINOR: dns: allow srv record weight set to 0
  • BUG/MINOR: dns: ignore trailing dot
  • BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
  • BUG/MINOR: filters: Forward everything if no data filters are called
  • BUG/MINOR: filters: Use filter offset to deduce the amount of forwarded data
  • BUG/MINOR: h1: Report the right error position when a header value is invalid
  • BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
  • BUG/MINOR: haproxy/threads: try to make all threads leave together
  • BUG/MINOR: haproxy: always initialize sleeping_thread_mask
  • BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters
  • BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
  • BUG/MINOR: http-ana: Reset request analysers on a response side error
  • BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
  • BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is empty
  • BUG/MINOR: http-rules: Fix a typo in the reject action function
  • BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
  • BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
  • BUG/MINOR: http: http-request replace-path duplicates the query string
  • BUG/MINOR: http_act: don't check capture id in backend
  • BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
  • BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
  • BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
  • BUG/MINOR: listener/threads: always use atomic ops to clear the FD events
  • BUG/MINOR: listener: also clear the error flag on a paused listener
  • BUG/MINOR: listener: do not immediately resume on transient error
  • BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
  • BUG/MINOR: listener: fix off-by-one in state name check
  • BUG/MINOR: log: fix minor resource leaks on logformat error path
  • BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
  • BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be added
  • BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN
  • BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data
  • BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
  • BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers
  • BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
  • BUG/MINOR: pattern: Do not pass len = 0 to calloc()
  • BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
  • BUG/MINOR: peers: Use after free of "peers" section.
  • BUG/MINOR: peers: avoid an infinite loop when peers_fe is NULL
  • BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
  • BUG/MINOR: proxy: Fix input data copy when an error is captured
  • BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state
  • BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
  • BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
  • BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
  • BUG/MINOR: sample: always check converters' arguments
  • BUG/MINOR: sample: fix the closing bracket and LF in the debug converter
  • BUG/MINOR: sample: fix the json converter's endian-sensitivity
  • BUG/MINOR: server: make "agent-addr" work on default-server line
  • BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
  • BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
  • BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
  • BUG/MINOR: ssl: we may only ignore the first 64 errors
  • BUG/MINOR: stats: Fix color of draining servers on stats page
  • BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing
  • BUG/MINOR: stktable: report the current proxy name in error messages
  • BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached
  • BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible
  • BUG/MINOR: stream: don't mistake match rules for store-request rules
  • BUG/MINOR: stream: init variables when the list is empty
  • BUG/MINOR: tasks: only requeue a task if it was already in the queue
  • BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing
  • BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener
  • BUG/MINOR: tcp: don't try to set defaultmss when value is negative
  • BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
  • BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit
  • BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
  • DOC: Clarify behavior of server maxconn in HTTP mode
  • DOC: Improve documentation of http-re(quest|sponse) replace-(header|value|uri)
  • DOC: assorted typo fixes in the documentation
  • DOC: assorted typo fixes in the documentation and Makefile
  • DOC: clarify matching strings on binary fetches
  • DOC: clarify the fact that replace-uri works on a full URI
  • DOC: configuration.txt: fix various typos
  • DOC: document the listener state transitions
  • DOC: fix incorrect indentation of http_auth_*
  • DOC: fix typo about no-tls-tickets
  • DOC: improve description of no-tls-tickets
  • DOC: internals: Fix spelling errors in filters.txt
  • DOC: listeners: add a few missing transitions
  • DOC: move the "group" keyword at the right place
  • DOC: proxies: HAProxy only supports 3 connection modes
  • DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
  • DOC: remove references to the outdated architecture.txt
  • DOC: ssl: clarify security implications of TLS tickets
  • DOC: word converter ignores delimiters at the start or end of input string
  • MINOR: acl: Warn when an ACL is named 'or'
  • MINOR: backend: use a single call to ha_random32() for the random LB algo
  • MINOR: build: add linux-glibc-legacy build TARGET
  • MINOR: compiler: add new alignment macros
  • MINOR: compiler: move CPU capabilities definition from config.h and complete them
  • MINOR: config: disable busy polling on old processes
  • MINOR: contrib/prometheus-exporter: Add healthcheck status/code in server metrics
  • MINOR: contrib/prometheus-exporter: Add the last healthcheck duration metric
  • MINOR: debug: report the task handler's pointer relative to main
  • MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute
  • MINOR: filters: Forward data only if the last filter forwards something
  • MINOR: haproxy: export main to ease access from debugger
  • MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
  • MINOR: http-rules: Add a flag on redirect rules to know the rule direction
  • MINOR: http-rules: Handle the rule direction when a redirect is evaluated
  • MINOR: http: add a new "replace-path" action
  • MINOR: htx: Add a function to return a block at a specific offset
  • MINOR: ist: add an iststop() function
  • MINOR: listener: add so_name sample fetch
  • MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
  • MINOR: memory: Only init the pool spinlock once.
  • MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive
  • MINOR: ssl: Remove unused variable "need_out".
  • MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
  • MINOR: tools: add 64-bit rotate operators
  • MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
  • OPTIM: startup: fast unique_id allocation for acl.
  • SCRIPTS: announce-release: allow the user to force to overwrite old files
  • SCRIPTS: announce-release: place the send command in the mail's header
  • SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
  • SCRIPTS: make announce-release executable again

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise High Availability Extension 15
    zypper in -t patch SUSE-SLE-Product-HA-15-2020-1185=1

Package List:

  • SUSE Linux Enterprise High Availability Extension 15 (aarch64 ppc64le s390x x86_64)
    • haproxy-2.0.14-3.22.1
    • haproxy-debugsource-2.0.14-3.22.1
    • haproxy-debuginfo-2.0.14-3.22.1
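
Verification (added example, not part of the SUSE advisory or of the haproxy project): after "zypper patch", confirm that the installed package is at least haproxy-2.0.14-3.22.1 from the Package List above, that the haproxy binary on disk reports the 2.0.14 upstream version the update moves to, and that no haproxy process is still executing the pre-update binary. The script assumes a Linux host with GNU coreutils (sort -V), rpm, and procps pidof; the "2.0.10+git0.ac198b92-3.19.1" sample used as an outdated package string is constructed for illustration (only the 2.0.10+git0.ac198b92 upstream part comes from the Description), and the "haproxy -v" banner format is an assumption based on 2.0-series output.

```shell
#!/bin/sh
# Added example: check that the haproxy update from SUSE-RU-2020:1185-1 is
# installed and actually running. Not code from SUSE or from haproxy.

FIXED_PKG="2.0.14-3.22.1"   # VERSION-RELEASE of haproxy-2.0.14-3.22.1 (Package List)
FIXED_UPSTREAM="2.0.14"      # upstream release this update moves to (Description)

# version_ge A B: success if A >= B under GNU "sort -V" ordering (assumption:
# coreutils sort). Equal strings sort together, so A == B also succeeds.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# pkg_status VERSION-RELEASE: "fixed" if at or above the patched package,
# "outdated" otherwise, "unknown" for an empty string.
pkg_status() {
    [ -n "$1" ] || { echo unknown; return; }
    if version_ge "$1" "$FIXED_PKG"; then echo fixed; else echo outdated; fi
}

# upstream_status X.Y.Z: same check against the upstream version only.
upstream_status() {
    [ -n "$1" ] || { echo unknown; return; }
    if version_ge "$1" "$FIXED_UPSTREAM"; then echo fixed; else echo outdated; fi
}

# parse_haproxy_version: read "haproxy -v" output on stdin and print the
# version token. Assumed banner: "HA-Proxy version 2.0.14 2020/04/02 - ..."
# (2.2+ prints "HAProxy version ..."; both spellings are accepted).
parse_haproxy_version() {
    sed -n 's/^HA-\{0,1\}Proxy version \([^ ]*\).*/\1/p' | head -n1
}

# stale_haproxy_pids: print PIDs of haproxy processes whose executable was
# replaced on disk after they started. Linux marks this by appending
# " (deleted)" to the /proc/PID/exe link; such processes still run the old
# code until haproxy is restarted or reloaded (master-worker re-exec).
stale_haproxy_pids() {
    command -v pidof >/dev/null 2>&1 || return 0
    for pid in $(pidof haproxy 2>/dev/null); do
        case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in
            *"(deleted)"*) echo "$pid" ;;
        esac
    done
}

# check_host: run all three checks on the local machine; never fails the
# shell, only reports, so it is safe to source on hosts without rpm/haproxy.
check_host() {
    if command -v rpm >/dev/null 2>&1 && rpm -q haproxy >/dev/null 2>&1; then
        have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' haproxy | head -n1)
        echo "package:  haproxy-$have -> $(pkg_status "$have")"
    else
        echo "package:  haproxy rpm not found (no rpm, or package not installed)"
    fi
    if command -v haproxy >/dev/null 2>&1; then
        run=$(haproxy -v 2>/dev/null | parse_haproxy_version)
        echo "binary:   haproxy -v reports '$run' -> $(upstream_status "$run")"
    else
        echo "binary:   haproxy not in PATH"
    fi
    stale=$(stale_haproxy_pids)
    if [ -n "$stale" ]; then
        echo "running:  PIDs still executing the replaced binary: $stale (restart/reload needed)"
    else
        echo "running:  no haproxy process is using a replaced binary"
    fi
    return 0
}

check_host
```

A package that reports "fixed" while the "running" line still lists PIDs means the update is installed but not effective; a reload of haproxy (or a restart of the service) is required before the fixes in this update apply to live traffic.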
