Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)

2020-05-28 Thread Willy Tarreau
On Thu, May 28, 2020 at 12:41:44PM +0200, Tim Düsterhus wrote:
> My Postfix + Dovecot still works as evidenced by the fact that I am able
> to read your email and send a reply. My HTTP services also work.

Thanks very much, that's exactly what I needed to know!

William proposed me to handle the 2.1.5 release. I know we still have
a minor fix to do there about the log fix (or revert it if it causes
any difficulty) but we can release very soon now.

Cheers,
Willy



Debian packaging note (was: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45))

2020-05-28 Thread Tim Düsterhus
Vincent,

On 28.05.20 at 12:41, Tim Düsterhus wrote:
> Okay, I've done what I really wanted to avoid and built my own HAProxy.
> I'm now running HAProxy 2.1.5-1~~~timwolla+1 and I hope that it will
> smoothly upgrade to Vincent's build once it is released.
> 

While researching how to build a 2.1.5 .deb based off your 2.1.4 sources
I noticed that Debian QA complained that HAProxy's compiler flags were
hidden [1]. You should be able to fix that by adjusting MAKEARGS in
debian/rules to include 'V=1':

> MAKEARGS=V=1 \
>          DESTDIR=debian/haproxy \
>          PREFIX=/usr \
>          IGNOREGIT=true \
>          MANDIR=/usr/share/man \
>          DOCDIR=/usr/share/doc/haproxy \
>          USE_PCRE2=1 \
>          USE_PCRE2_JIT=1 \
>          USE_OPENSSL=1 \
>          USE_ZLIB=1 \
>          USE_LUA=1 \
>          LUA_INC=/usr/include/lua5.3 \
>          EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"

Best regards
Tim Düsterhus

[1] https://qa.debian.org/bls/packages/h/haproxy.html
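
As an added illustration of the packaging note above (not code from the thread or from the Debian packaging): a hardening audit of a build log can only inspect compiler commands that the log actually shows. The terse `CC <target>` line format, the sample logs and the `audit_build_log` helper are assumptions constructed for this example; the required flags are taken from the CFLAGS line of the `haproxy -vv` output quoted in this thread.

```python
import re
import shlex

# Hardening flags to require; taken from the CFLAGS line of the
# `haproxy -vv` output quoted in this thread.
REQUIRED = ("-fstack-protector-strong", "-D_FORTIFY_SOURCE=2",
            "-Werror=format-security")

# Assumed terse form of a non-verbose build line: a tool tag and a target.
TERSE = re.compile(r"^\s*(CC|LD)\s+(\S+)\s*$")
COMPILER = re.compile(r"(^|-)(gcc|cc|clang)(-[\d.]+)?$")

# Constructed sample logs (not real build output).
QUIET_LOG = """\
  CC      src/haproxy.o
  CC      src/http_ana.o
  LD      haproxy
"""
VERBOSE_LOG = """\
gcc -Iinclude -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c -o src/haproxy.o src/haproxy.c
gcc -Iinclude -O2 -g -c -o src/http_ana.o src/http_ana.c
gcc -o haproxy src/haproxy.o src/http_ana.o -lcrypt
"""

def audit_build_log(text):
    """Return (hidden, missing).

    hidden  -- targets built by terse lines, whose flags cannot be audited
    missing -- {object file: [required flags absent]} for visible compiles
    """
    hidden, missing = [], {}
    for line in text.splitlines():
        terse = TERSE.match(line)
        if terse:
            hidden.append(terse.group(2))
            continue
        try:
            argv = shlex.split(line)
        except ValueError:      # unbalanced quotes: not a command line
            continue
        name = argv[0].rsplit("/", 1)[-1] if argv else ""
        if not COMPILER.search(name) or "-c" not in argv:
            continue            # not a compile step (e.g. the link line)
        target = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else line
        absent = [flag for flag in REQUIRED if flag not in argv]
        if absent:
            missing[target] = absent
    return hidden, missing
```

On the quiet log every target lands in `hidden` and nothing can be verified; on the verbose log the object compiled without the hardening flags is reported by name.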



Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)

2020-05-28 Thread Tim Düsterhus
Willy,

On 28.05.20 at 09:23, Willy Tarreau wrote:
> Please do me a favor, just check that this pre-release is OK for you:
> 
>    http://git.haproxy.org/?p=haproxy-2.1.git;a=snapshot;h=HEAD;sf=tgz
> 
> I'd really hate having to release it just to have to emit yet another
> one to fix the same issue again :-/
> 

Okay, I've done what I really wanted to avoid and built my own HAProxy.
I'm now running HAProxy 2.1.5-1~~~timwolla+1 and I hope that it will
smoothly upgrade to Vincent's build once it is released.

> [root@~]haproxy -vv
> HA-Proxy version 2.1.5-1~~~timwolla+1 2020/05/28 - https://haproxy.org/
> Status: stable branch - will stop receiving fixes around Q1 2021.
> Known bugs: http://www.haproxy.org/bugs/bugs-2.1.5.html
> Running on: Linux 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
> Build options :
>   TARGET  = linux-glibc
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/pwd/haproxy-2.1.5=. 
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
> -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement 
> -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter 
> -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered 
> -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value 
> -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
>   OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 
> USE_ZLIB=1 USE_SYSTEMD=1
> 
> Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT 
> +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM 
> -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT 
> +CRYPT_H -VSYSCALL +BACKTRACE +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 
> -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES 
> -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
> 
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Built with multi-threading support (MAX_THREADS=64, default=8).
> Built with OpenSSL version : OpenSSL 1.1.0l  10 Sep 2019
> Running on OpenSSL version : OpenSSL 1.1.0l  10 Sep 2019
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
> Built with Lua version : Lua 5.3.3
> Built with network namespace support.
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
> IP_FREEBIND
> Built with PCRE2 version : 10.22 2016-07-29
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Running on zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"), 
> raw-deflate("deflate"), gzip("gzip")
> Built with the Prometheus exporter as a service
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>               h2 : mode=HTTP       side=FE|BE     mux=H2
>             fcgi : mode=HTTP       side=BE        mux=FCGI
>        <default> : mode=HTTP       side=FE|BE     mux=H1
>        <default> : mode=TCP        side=FE|BE     mux=PASS
> 
> Available services :
>   prometheus-exporter
> 
> Available filters :
>   [SPOE] spoe
>   [CACHE] cache
>   [FCGI] fcgi-app
>   [TRACE] trace
>   [COMP] compression

My Postfix + Dovecot still works as evidenced by the fact that I am able
to read your email and send a reply. My HTTP services also work.

Best regards
Tim Düsterhus



Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)

2020-05-28 Thread Willy Tarreau
Hi again Tim,

On Thu, May 28, 2020 at 06:15:04AM +0200, Willy Tarreau wrote:
> Hi Tim,
> 
> On Wed, May 27, 2020 at 04:33:47PM +0200, Tim Düsterhus wrote:
> > I already asked 2 weeks ago [1], but I'll ask again:
> > 
> > > Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
> > > machine, because I use Dovecot.
> > 
> > And I only just realize that 2.1.3 is affected by CVE-2020-11100 which
> > makes the current situation especially ugly. Either I run a version with
> > a critical bug without workaround, I break Dovecot or I compile my own
> > HAProxy.
> 
> Thanks for the ping. I'm trying :-/  I've been stuck doing only janitor
> work for the last 3 months with zero development at all and am still
> having a number of things to do before the release. I'll try to emit a
> new one today or tomorrow.

Please do me a favor, just check that this pre-release is OK for you:

   http://git.haproxy.org/?p=haproxy-2.1.git;a=snapshot;h=HEAD;sf=tgz

I'd really hate having to release it just to have to emit yet another
one to fix the same issue again :-/

Thanks!
Willy



Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)

2020-05-27 Thread Willy Tarreau
Hi Tim,

On Wed, May 27, 2020 at 04:33:47PM +0200, Tim Düsterhus wrote:
> I already asked 2 weeks ago [1], but I'll ask again:
> 
> > Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
> > machine, because I use Dovecot.
> 
> And I only just realize that 2.1.3 is affected by CVE-2020-11100 which
> makes the current situation especially ugly. Either I run a version with
> a critical bug without workaround, I break Dovecot or I compile my own
> HAProxy.

Thanks for the ping. I'm trying :-/  I've been stuck doing only janitor
work for the last 3 months with zero development at all and am still
having a number of things to do before the release. I'll try to emit a
new one today or tomorrow.

Willy



Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)

2020-05-27 Thread Tim Düsterhus
Hi List,
Willy,

On 27.05.20 at 02:00, stable-...@haproxy.com wrote:
> Last release 2.1.4 was issued on 2020-04-02.  There are currently 52 patches 
> in the queue cut down this way:
> - 1 MAJOR, first one merged on 2020-05-20
> - 20 MEDIUM, first one merged on 2020-05-01
> - 31 MINOR, first one merged on 2020-04-02
> 
> Thus the computed ideal release date for 2.1.5 would be 2020-04-30, which was 
> four weeks ago.
> 
> Last release 2.0.14 was issued on 2020-04-02.  There are currently 45 patches 
> in the queue cut down this way:
> - 1 MAJOR, first one merged on 2020-05-22
> - 18 MEDIUM, first one merged on 2020-05-07
> - 26 MINOR, first one merged on 2020-04-02
> 
> Thus the computed ideal release date for 2.0.15 would be 2020-04-30, which 
> was four weeks ago.

I already asked 2 weeks ago [1], but I'll ask again:

> Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
> machine, because I use Dovecot.

And I only just realize that 2.1.3 is affected by CVE-2020-11100 which
makes the current situation especially ugly. Either I run a version with
a critical bug without workaround, I break Dovecot or I compile my own
HAProxy.

Best regards
Tim Düsterhus

[1] https://www.mail-archive.com/haproxy@formilux.org/msg37344.html



stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)

2020-05-26 Thread stable-bot
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.


Last release 2.1.4 was issued on 2020-04-02.  There are currently 52 patches in 
the queue cut down this way:
- 1 MAJOR, first one merged on 2020-05-20
- 20 MEDIUM, first one merged on 2020-05-01
- 31 MINOR, first one merged on 2020-04-02

Thus the computed ideal release date for 2.1.5 would be 2020-04-30, which was 
four weeks ago.

Last release 2.0.14 was issued on 2020-04-02.  There are currently 45 patches 
in the queue cut down this way:
- 1 MAJOR, first one merged on 2020-05-22
- 18 MEDIUM, first one merged on 2020-05-07
- 26 MINOR, first one merged on 2020-04-02

Thus the computed ideal release date for 2.0.15 would be 2020-04-30, which was 
four weeks ago.

The current list of patches in the queue is:
 - 2.0       - MAJOR   : stream-int: always detach a faulty endpoint on connect failure
 - 2.1       - MAJOR   : mux-fcgi: Stop sending loop if FCGI stream is blocked for any reason
 - 2.0, 2.1  - MEDIUM  : lua: Fix dumping of stick table entries for STD_T_DICT
 - 2.0, 2.1  - MEDIUM  : shctx: bound the number of loops that can happen around the lock
 - 2.1       - MEDIUM  : h1: Don't compare host and authority if only h1 headers are parsed
 - 2.0, 2.1  - MEDIUM  : streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
 - 2.0, 2.1  - MEDIUM  : http: the "unique-id" sample fetch could crash without a steeam
 - 2.0       - MEDIUM  : backend: don't access a non-existing mux from a previous connection
 - 2.0, 2.1  - MEDIUM  : http_ana: make the detection of NTLM variants safer
 - 2.0, 2.1  - MEDIUM  : http: the "http_first_req" sample fetch could crash without a steeam
 - 2.0, 2.1  - MEDIUM  : http-ana: Handle NTLM messages correctly.
 - 2.0, 2.1  - MEDIUM  : shctx: really check the lock's value while waiting
 - 2.0, 2.1  - MEDIUM  : capture: capture-req/capture-res converters crash without a stream
 - 2.0, 2.1  - MEDIUM  : capture: capture.{req,res}.* crash without a stream
 - 2.0       - MEDIUM  : checks: Always initialize checks before starting them
 - 2.0, 2.1  - MEDIUM  : server/checks: Init server check during config validity check
 - 2.1       - MEDIUM  : mux-fcgi: Fix wrong test on FCGI_CF_KEEP_CONN in fcgi_detach()
 - 2.1       - MEDIUM  : ring: write-lock the ring while attaching/detaching
 - 2.0, 2.1  - MEDIUM  : sample: make the CPU and latency sample fetches check for a stream
 - 2.1       - MEDIUM  : mux_fcgi: Free the FCGI connection at the end of fcgi_release()
 - 2.0, 2.1  - MEDIUM  : connections: force connections cleanup on server changes
 - 2.0, 2.1  - MEDIUM  : listener: mark the thread as not stuck inside the loop
 - 2.0, 2.1  - MEDIUM  : ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
 - 2.0, 2.1  - MEDIUM  : stream: Only allow L7 retries when using HTTP.
 - 2.0, 2.1  - MINOR   : checks: Respect check-ssl param when a port or an addr is specified
 - 2.0, 2.1  - MINOR   : checks: Remove a warning about http health checks
 - 2.0, 2.1  - MINOR   : obj_type: Handle stream object in obj_base_ptr() function
 - 2.0, 2.1  - MINOR   : checks/server: use_ssl member must be signed
 - 2.0, 2.1  - MINOR   : connection: make sure to correctly tag local PROXY connections"
 - 2.0, 2.1  - MINOR   : checks: Respect the no-check-ssl option
 - 2.0, 2.1  - MINOR   : pollers: remove uneeded free in global init
 - 2.0, 2.1  - MINOR   : checks: Compute the right HTTP request length for HTTP health checks
 - 2.0, 2.1  - MINOR   : soft-stop: always wake up waiting threads on stopping
 - 2.0, 2.1  - MINOR   : ssl: default settings for ssl server options are not used
 - 2.0, 2.1  - MINOR   : sample: Set the correct type when a binary is converted to a string
 - 2.0, 2.1  - MINOR   : tools: fix the i386 version of the div64_32 function
 - 2.0, 2.1  - MINOR   : cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
 - 2.0, 2.1  - MINOR   : threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
 - 2.1   - MINOR   : ssl: