Recommended update for haproxy

SUSE Recommended Update: Recommended update for haproxy
Announcement ID: SUSE-RU-2020:1184-1
Rating: moderate
References: #1169457
Affected Products:
  • SUSE Linux Enterprise High Availability 15-SP1

An update that has one recommended fix can now be installed.

Description:

This update for haproxy fixes the following issues:

  • Update from version 2.0.10+git0.ac198b92 to version 2.0.14. (bsc#1169457)
    • BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
    • BUG/MAJOR: dns: add minimalist error processing on the Rx path
    • BUG/MAJOR: hashes: fix the signedness of the hash inputs
    • BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
    • BUG/MAJOR: list: fix invalid element address calculation
    • BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty.
    • BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
    • BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing
    • BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
    • BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
    • BUG/MEDIUM: checks: Make sure we set the task affinity just before connecting.
    • BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready.
    • BUG/MEDIUM: cli: _getsocks must send the peers sockets
    • BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
    • BUG/MEDIUM: connection: add a mux flag to indicate splice usability
    • BUG/MEDIUM: connections: Don't forget to unlock when killing a connection.
    • BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
    • BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
    • BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
    • BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd
    • BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied
    • BUG/MEDIUM: kqueue: Make sure we report read events even when no data.
    • BUG/MEDIUM: listener/thread: fix a race when pausing a listener
    • BUG/MEDIUM: listener/threads: fix a remaining race in the listener's accept()
    • BUG/MEDIUM: listener: only consider running threads when resuming listeners
    • BUG/MEDIUM: memory: Add a rwlock before freeing memory.
    • BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
    • BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
    • BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
    • BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
    • BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers"
    • BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
    • BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
    • BUG/MEDIUM: mworker: remain in mworker mode during reload
    • BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
    • BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
    • BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive.
    • BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
    • BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
    • BUG/MEDIUM: random: initialize the random pool a bit better
    • BUG/MEDIUM: session: do not report a failure when rejecting a session
    • BUG/MEDIUM: shctx: make sure to keep all blocks aligned
    • BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
    • BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
    • BUG/MEDIUM: ssl: Revamp the way early data are handled.
    • BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
    • BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data
    • BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream
    • BUG/MEDIUM: tasks: Make sure we switch wait queues in task_set_affinity().
    • BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
    • BUG/MINOR: 51d: Fix bug when HTX is enabled
    • BUG/MINOR: cache: Fix leak of cache name in error path
    • BUG/MINOR: channel: inject output data at the end of output
    • BUG/MINOR: checks/threads: use ha_random() and not rand()
    • BUG/MINOR: checks: refine which errno values are really errors.
    • BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
    • BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
    • BUG/MINOR: connection: make sure to correctly tag local PROXY connections
    • BUG/MINOR: connections: Make sure we free the connection on failure.
    • BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones
    • BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
    • BUG/MINOR: dns: Make dns_query_id_seed unsigned
    • BUG/MINOR: dns: allow 63 char in hostname
    • BUG/MINOR: dns: allow srv record weight set to 0
    • BUG/MINOR: dns: ignore trailing dot
    • BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
    • BUG/MINOR: filters: Forward everything if no data filters are called
    • BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
    • BUG/MINOR: h1: Report the right error position when a header value is invalid
    • BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
    • BUG/MINOR: haproxy/threads: try to make all threads leave together
    • BUG/MINOR: haproxy: always initialize sleeping_thread_mask
    • BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters
    • BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
    • BUG/MINOR: http-ana: Reset request analysers on a response side error
    • BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
    • BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is empty
    • BUG/MINOR: http-rules: Fix a typo in the reject action function
    • BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
    • BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
    • BUG/MINOR: http: http-request replace-path duplicates the query string
    • BUG/MINOR: http_act: don't check capture id in backend
    • BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
    • BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
    • BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
    • BUG/MINOR: listener/threads: always use atomic ops to clear the FD events
    • BUG/MINOR: listener: also clear the error flag on a paused listener
    • BUG/MINOR: listener: do not immediately resume on transient error
    • BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
    • BUG/MINOR: listener: fix off-by-one in state name check
    • BUG/MINOR: log: fix minor resource leaks on logformat error path
    • BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
    • BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be added
    • BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN
    • BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data
    • BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
    • BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers
    • BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
    • BUG/MINOR: pattern: Do not pass len = 0 to calloc()
    • BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
    • BUG/MINOR: peers: Use after free of "peers" section.
    • BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
    • BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
    • BUG/MINOR: proxy: Fix input data copy when an error is captured
    • BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state
    • BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
    • BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
    • BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
    • BUG/MINOR: sample: always check converters' arguments
    • BUG/MINOR: sample: fix the closing bracket and LF in the debug converter
    • BUG/MINOR: sample: fix the json converter's endian-sensitivity
    • BUG/MINOR: server: make "agent-addr" work on default-server line
    • BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
    • BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
    • BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
    • BUG/MINOR: ssl: we may only ignore the first 64 errors
    • BUG/MINOR: stats: Fix color of draining servers on stats page
    • BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing
    • BUG/MINOR: stktable: report the current proxy name in error messages
    • BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached
    • BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible
    • BUG/MINOR: stream: don't mistake match rules for store-request rules
    • BUG/MINOR: stream: init variables when the list is empty
    • BUG/MINOR: tasks: only requeue a task if it was already in the queue
    • BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing
    • BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener
    • BUG/MINOR: tcp: don't try to set defaultmss when value is negative
    • BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
    • BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit
    • BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
    • CONTRIB: debug: add missing flags SF_HTX and SF_MUX
    • CONTRIB: debug: add the possibility to decode the value as certain types only
    • CONTRIB: debug: also support reading values from stdin
    • CONTRIB: debug: support reporting multiple values at once
    • DOC: Clarify behavior of server maxconn in HTTP mode
    • DOC: Improve documentation of http-re(quest|sponse) replace-(header|value|uri)
    • DOC: assorted typo fixes in the documentation
    • DOC: assorted typo fixes in the documentation and Makefile
    • DOC: clarify matching strings on binary fetches
    • DOC: clarify the fact that replace-uri works on a full URI
    • DOC: configuration.txt: fix various typos
    • DOC: document the listener state transitions
    • DOC: fix incorrect indentation of http_auth_*
    • DOC: fix typo about no-tls-tickets
    • DOC: improve description of no-tls-tickets
    • DOC: internals: Fix spelling errors in filters.txt
    • DOC: listeners: add a few missing transitions
    • DOC: move the "group" keyword at the right place
    • DOC: proxies: HAProxy only supports 3 connection modes
    • DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
    • DOC: remove references to the outdated architecture.txt
    • DOC: ssl: clarify security implications of TLS tickets
    • DOC: word converter ignores delimiters at the start or end of input string
    • MINOR: acl: Warn when an ACL is named 'or'
    • MINOR: backend: use a single call to ha_random32() for the random LB algo
    • MINOR: build: add linux-glibc-legacy build TARGET
    • MINOR: compiler: add new alignment macros
    • MINOR: compiler: move CPU capabilities definition from config.h and complete them
    • MINOR: config: disable busy polling on old processes
    • MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
    • MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
    • MINOR: debug: report the task handler's pointer relative to main
    • MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute
    • MINOR: filters: Forward data only if the last filter forwards something
    • MINOR: haproxy: export main to ease access from debugger
    • MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
    • MINOR: http-rules: Add a flag on redirect rules to know the rule direction
    • MINOR: http-rules: Handle the rule direction when a redirect is evaluated
    • MINOR: http: add a new "replace-path" action
    • MINOR: htx: Add a function to return a block at a specific offset
    • MINOR: ist: add an iststop() function
    • MINOR: listener: add so_name sample fetch
    • MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
    • MINOR: memory: Only init the pool spinlock once.
    • MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive
    • MINOR: ssl: Remove unused variable "need_out".
    • MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
    • MINOR: tools: add 64-bit rotate operators
    • MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
    • OPTIM: startup: fast unique_id allocation for acl.
    • SCRIPTS: announce-release: allow the user to force to overwrite old files
    • SCRIPTS: announce-release: place the send command in the mail's header
    • SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
    • SCRIPTS: make announce-release executable again

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise High Availability 15-SP1:
    zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1184=1

Package List:

  • SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
    • haproxy-2.0.14-8.15.1
    • haproxy-debuginfo-2.0.14-8.15.1
    • haproxy-debugsource-2.0.14-8.15.1
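The following POSIX shell helper is an added example, not part of the SUSE advisory or the haproxy project; it decides whether an installed haproxy version-release string is at or above the fixed build haproxy-2.0.14-8.15.1 listed above, so a fleet audit can flag hosts that still run the pre-update 2.0.10+git0.ac198b92 build. The release numbers used for the old build in the comments and usage are constructed for illustration; only the fixed version comes from the advisory.

```shell
# Fixed version-release from the advisory's package list.
FIXED_VERSION="2.0.14-8.15.1"

# cmp_dotted A B: compare two dot-separated version strings segment by
# segment, numerically. Prints -1, 0 or 1. A segment's leading digits are
# used and any non-numeric tail (e.g. "10+git0") is dropped, which is enough
# to order the pre-update git snapshot below the 2.0.14 fix.
cmp_dotted() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ah=${_a%%.*}; _bh=${_b%%.*}
        [ "$_ah" = "$_a" ] && _a= || _a=${_a#*.}
        [ "$_bh" = "$_b" ] && _b= || _b=${_b#*.}
        _ah=$(printf '%s' "$_ah" | sed 's/[^0-9].*//'); _ah=${_ah:-0}
        _bh=$(printf '%s' "$_bh" | sed 's/[^0-9].*//'); _bh=${_bh:-0}
        if [ "$_ah" -lt "$_bh" ]; then echo -1; return; fi
        if [ "$_ah" -gt "$_bh" ]; then echo 1; return; fi
    done
    echo 0
}

# haproxy_patched VERSION-RELEASE: succeeds (exit 0) when the given package
# version-release is at or above FIXED_VERSION. Upstream version is compared
# first; only on a tie does the distribution release number decide.
haproxy_patched() {
    v=${1%%-*}
    case $1 in *-*) r=${1#*-} ;; *) r=0 ;; esac
    fv=${FIXED_VERSION%%-*}; fr=${FIXED_VERSION#*-}
    case $(cmp_dotted "$v" "$fv") in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    [ "$(cmp_dotted "$r" "$fr")" != "-1" ]
}

# Usage on a SLES host (needs the real rpm database, so not run here):
#   installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' haproxy)
#   haproxy_patched "$installed" && echo "haproxy: fixed" || echo "haproxy: update needed"
```

The helper compares only the package metadata; a host that has installed the new package but not restarted haproxy is still running the old binary, so pair the check with the process start time or `haproxy -v` from the running service.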

References: