Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)
On Thu, May 28, 2020 at 12:41:44PM +0200, Tim Düsterhus wrote:
> My Postfix + Dovecot still works as evidenced by the fact that I am able
> to read your email and send a reply. My HTTP services also work.

Thanks very much, that's exactly what I needed to know! William proposed that I handle the 2.1.5 release. I know we still have a minor fix to do there about the log fix (or revert it if it causes any difficulty) but we can release very soon now.

Cheers,
Willy
Debian packaging note (was: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45))
Vincent,

Am 28.05.20 um 12:41 schrieb Tim Düsterhus:
> Okay, I've done what I really wanted to avoid and built my own HAProxy.
> I'm now running HAProxy 2.1.5-1~~~timwolla+1 and I hope that it will
> smoothly upgrade to Vincent's build once it is released.
>

While researching how to build a 2.1.5 .deb based off your 2.1.4 sources I noticed that Debian QA complained that HAProxy's compiler flags were hidden [1]. You should be able to fix that by adjusting MAKEARGS in debian/rules to include 'V=1':

> MAKEARGS=V=1 \
>   DESTDIR=debian/haproxy \
>   PREFIX=/usr \
>   IGNOREGIT=true \
>   MANDIR=/usr/share/man \
>   DOCDIR=/usr/share/doc/haproxy \
>   USE_PCRE2=1 \
>   USE_PCRE2_JIT=1 \
>   USE_OPENSSL=1 \
>   USE_ZLIB=1 \
>   USE_LUA=1 \
>   LUA_INC=/usr/include/lua5.3 \
>   EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"

Best regards
Tim Düsterhus

[1] https://qa.debian.org/bls/packages/h/haproxy.html
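The reason hidden compiler flags matter for a packaged build, as an added example that is not part of the original thread or of any Debian tooling: a quiet build log cannot be audited for hardening flags, while a verbose one (as produced with `V=1`) can. The required flag set is taken from the CFLAGS shown in the `haproxy -vv` output in this thread; the abbreviated `CC <object>` line format and both sample logs are assumptions constructed for the example.

```python
import re

# Hardening flags visible in the CFLAGS of the `haproxy -vv` output in this
# thread; treating them as the required set is an assumption of this example.
REQUIRED = ("-fstack-protector-strong", "-Wformat",
            "-Werror=format-security", "-D_FORTIFY_SOURCE=2")

# Abbreviated line printed by a quiet build, e.g. "  CC      src/cfgparse.o"
# (assumed format).
QUIET = re.compile(r"^\s*(CC|LD|AR)\s+\S+\s*$")
# Full compiler invocation that compiles one object file.
VERBOSE = re.compile(r"^\s*(?:\S*-)?(?:gcc|cc|clang)(?:-[\d.]+)?\s.*\s-c\s")


def audit_build_log(text):
    """Return (hidden, missing): objects compiled on quiet lines whose flags
    cannot be audited, and {object: [absent flags]} for verbose lines."""
    hidden, missing = [], {}
    for line in text.splitlines():
        quiet = QUIET.match(line)
        if quiet:
            if quiet.group(1) == "CC":
                hidden.append(line.split()[1])
            continue
        if not VERBOSE.match(line):
            continue
        args = line.split()
        target = args[args.index("-o") + 1] if "-o" in args[:-1] else "?"
        absent = [flag for flag in REQUIRED if flag not in args]
        if absent:
            missing[target] = absent
    return hidden, missing


# Constructed sample logs (not taken from a real HAProxy build).
QUIET_LOG = "  CC      src/cfgparse.o\n  CC      src/checks.o\n  LD      haproxy\n"
VERBOSE_LOG = (
    "gcc -Iinclude -O2 -g -fstack-protector-strong -Wformat "
    "-Werror=format-security -D_FORTIFY_SOURCE=2 -c -o src/cfgparse.o src/cfgparse.c\n"
    "gcc -Iinclude -O2 -g -Wformat -c -o src/checks.o src/checks.c\n"
)

if __name__ == "__main__":
    print(audit_build_log(QUIET_LOG))    # every object is unauditable
    print(audit_build_log(VERBOSE_LOG))  # one object lacks hardening flags
```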
Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)
Willy,

Am 28.05.20 um 09:23 schrieb Willy Tarreau:
> Please do me a favor, just check that this pre-release is OK for you:
>
>   http://git.haproxy.org/?p=haproxy-2.1.git;a=snapshot;h=HEAD;sf=tgz
>
> I'd really hate having to release it just to have to emit yet another
> one to fix the same issue again :-/
>

Okay, I've done what I really wanted to avoid and built my own HAProxy. I'm now running HAProxy 2.1.5-1~~~timwolla+1 and I hope that it will smoothly upgrade to Vincent's build once it is released.

> [root@~]haproxy -vv
> HA-Proxy version 2.1.5-1~~~timwolla+1 2020/05/28 - https://haproxy.org/
> Status: stable branch - will stop receiving fixes around Q1 2021.
> Known bugs: http://www.haproxy.org/bugs/bugs-2.1.5.html
> Running on: Linux 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
> Build options :
>   TARGET  = linux-glibc
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/pwd/haproxy-2.1.5=.
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement
> -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
> -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
> -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value
> -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
>   OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1
> USE_ZLIB=1 USE_SYSTEMD=1
>
> Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT
> +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM
> -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT
> +CRYPT_H -VSYSCALL +BACKTRACE +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4
> -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES
> -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
>
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with multi-threading support (MAX_THREADS=64, default=8).
> Built with OpenSSL version : OpenSSL 1.1.0l 10 Sep 2019
> Running on OpenSSL version : OpenSSL 1.1.0l 10 Sep 2019
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
> Built with Lua version : Lua 5.3.3
> Built with network namespace support.
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
> IP_FREEBIND
> Built with PCRE2 version : 10.22 2016-07-29
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Running on zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"),
> raw-deflate("deflate"), gzip("gzip")
> Built with the Prometheus exporter as a service
>
> Available polling systems :
>   epoll : pref=300, test result OK
>   poll : pref=200, test result OK
>   select : pref=150, test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>   h2 : mode=HTTP side=FE|BE mux=H2
>   fcgi : mode=HTTP side=BE mux=FCGI
>   <default> : mode=HTTP side=FE|BE mux=H1
>   <default> : mode=TCP side=FE|BE mux=PASS
>
> Available services :
>   prometheus-exporter
>
> Available filters :
>   [SPOE] spoe
>   [CACHE] cache
>   [FCGI] fcgi-app
>   [TRACE] trace
>   [COMP] compression

My Postfix + Dovecot still works as evidenced by the fact that I am able to read your email and send a reply. My HTTP services also work.

Best regards
Tim Düsterhus
Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)
Hi again Tim,

On Thu, May 28, 2020 at 06:15:04AM +0200, Willy Tarreau wrote:
> Hi Tim,
>
> On Wed, May 27, 2020 at 04:33:47PM +0200, Tim Düsterhus wrote:
> > I already asked 2 weeks ago [1], but I'll ask again:
> >
> > > Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
> > > machine, because I use Dovecot.
> >
> > And I only just realize that 2.1.3 is affected by CVE-2020-11100 which
> > makes the current situation especially ugly. Either I run a version with
> > a critical bug without workaround, I break Dovecot or I compile my own
> > HAProxy.
>
> Thanks for the ping. I'm trying :-/ I've been stuck doing only janitor
> work for the last 3 months with zero development at all and am still
> having a number of things to do before the release. I'll try to emit a
> new one today or tomorrow.

Please do me a favor, just check that this pre-release is OK for you:

  http://git.haproxy.org/?p=haproxy-2.1.git;a=snapshot;h=HEAD;sf=tgz

I'd really hate having to release it just to have to emit yet another one to fix the same issue again :-/

Thanks!
Willy
Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)
Hi Tim,

On Wed, May 27, 2020 at 04:33:47PM +0200, Tim Düsterhus wrote:
> I already asked 2 weeks ago [1], but I'll ask again:
>
> > Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
> > machine, because I use Dovecot.
>
> And I only just realize that 2.1.3 is affected by CVE-2020-11100 which
> makes the current situation especially ugly. Either I run a version with
> a critical bug without workaround, I break Dovecot or I compile my own
> HAProxy.

Thanks for the ping. I'm trying :-/ I've been stuck doing only janitor work for the last 3 months with zero development at all and am still having a number of things to do before the release. I'll try to emit a new one today or tomorrow.

Willy
Re: stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)
Hi List, Willy,

Am 27.05.20 um 02:00 schrieb stable-...@haproxy.com:
> Last release 2.1.4 was issued on 2020-04-02. There are currently 52 patches
> in the queue cut down this way:
> - 1 MAJOR, first one merged on 2020-05-20
> - 20 MEDIUM, first one merged on 2020-05-01
> - 31 MINOR, first one merged on 2020-04-02
>
> Thus the computed ideal release date for 2.1.5 would be 2020-04-30, which was
> four weeks ago.
>
> Last release 2.0.14 was issued on 2020-04-02. There are currently 45 patches
> in the queue cut down this way:
> - 1 MAJOR, first one merged on 2020-05-22
> - 18 MEDIUM, first one merged on 2020-05-07
> - 26 MINOR, first one merged on 2020-04-02
>
> Thus the computed ideal release date for 2.0.15 would be 2020-04-30, which
> was four weeks ago.

I already asked 2 weeks ago [1], but I'll ask again:

> Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
> machine, because I use Dovecot.

And I only just realize that 2.1.3 is affected by CVE-2020-11100 which makes the current situation especially ugly. Either I run a version with a critical bug without workaround, I break Dovecot or I compile my own HAProxy.

Best regards
Tim Düsterhus

[1] https://www.mail-archive.com/haproxy@formilux.org/msg37344.html
stable-bot: Bugfixes waiting for a release 2.1 (52), 2.0 (45)
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable release! One such e-mail is sent periodically once patches are waiting in the last maintenance branch, and an ideal release date is computed based on the severity of these fixes and their merge date. Responses to this mail must be sent to the mailing list.

Last release 2.1.4 was issued on 2020-04-02. There are currently 52 patches in the queue cut down this way:
- 1 MAJOR, first one merged on 2020-05-20
- 20 MEDIUM, first one merged on 2020-05-01
- 31 MINOR, first one merged on 2020-04-02

Thus the computed ideal release date for 2.1.5 would be 2020-04-30, which was four weeks ago.

Last release 2.0.14 was issued on 2020-04-02. There are currently 45 patches in the queue cut down this way:
- 1 MAJOR, first one merged on 2020-05-22
- 18 MEDIUM, first one merged on 2020-05-07
- 26 MINOR, first one merged on 2020-04-02

Thus the computed ideal release date for 2.0.15 would be 2020-04-30, which was four weeks ago.

The current list of patches in the queue is:
- 2.0 - MAJOR : stream-int: always detach a faulty endpoint on connect failure
- 2.1 - MAJOR : mux-fcgi: Stop sending loop if FCGI stream is blocked for any reason
- 2.0, 2.1 - MEDIUM : lua: Fix dumping of stick table entries for STD_T_DICT
- 2.0, 2.1 - MEDIUM : shctx: bound the number of loops that can happen around the lock
- 2.1 - MEDIUM : h1: Don't compare host and authority if only h1 headers are parsed
- 2.0, 2.1 - MEDIUM : streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
- 2.0, 2.1 - MEDIUM : http: the "unique-id" sample fetch could crash without a steeam
- 2.0 - MEDIUM : backend: don't access a non-existing mux from a previous connection
- 2.0, 2.1 - MEDIUM : http_ana: make the detection of NTLM variants safer
- 2.0, 2.1 - MEDIUM : http: the "http_first_req" sample fetch could crash without a steeam
- 2.0, 2.1 - MEDIUM : http-ana: Handle NTLM messages correctly.
- 2.0, 2.1 - MEDIUM : shctx: really check the lock's value while waiting
- 2.0, 2.1 - MEDIUM : capture: capture-req/capture-res converters crash without a stream
- 2.0, 2.1 - MEDIUM : capture: capture.{req,res}.* crash without a stream
- 2.0 - MEDIUM : checks: Always initialize checks before starting them
- 2.0, 2.1 - MEDIUM : server/checks: Init server check during config validity check
- 2.1 - MEDIUM : mux-fcgi: Fix wrong test on FCGI_CF_KEEP_CONN in fcgi_detach()
- 2.1 - MEDIUM : ring: write-lock the ring while attaching/detaching
- 2.0, 2.1 - MEDIUM : sample: make the CPU and latency sample fetches check for a stream
- 2.1 - MEDIUM : mux_fcgi: Free the FCGI connection at the end of fcgi_release()
- 2.0, 2.1 - MEDIUM : connections: force connections cleanup on server changes
- 2.0, 2.1 - MEDIUM : listener: mark the thread as not stuck inside the loop
- 2.0, 2.1 - MEDIUM : ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
- 2.0, 2.1 - MEDIUM : stream: Only allow L7 retries when using HTTP.
- 2.0, 2.1 - MINOR : checks: Respect check-ssl param when a port or an addr is specified
- 2.0, 2.1 - MINOR : checks: Remove a warning about http health checks
- 2.0, 2.1 - MINOR : obj_type: Handle stream object in obj_base_ptr() function
- 2.0, 2.1 - MINOR : checks/server: use_ssl member must be signed
- 2.0, 2.1 - MINOR : connection: make sure to correctly tag local PROXY connections"
- 2.0, 2.1 - MINOR : checks: Respect the no-check-ssl option
- 2.0, 2.1 - MINOR : pollers: remove uneeded free in global init
- 2.0, 2.1 - MINOR : checks: Compute the right HTTP request length for HTTP health checks
- 2.0, 2.1 - MINOR : soft-stop: always wake up waiting threads on stopping
- 2.0, 2.1 - MINOR : ssl: default settings for ssl server options are not used
- 2.0, 2.1 - MINOR : sample: Set the correct type when a binary is converted to a string
- 2.0, 2.1 - MINOR : tools: fix the i386 version of the div64_32 function
- 2.0, 2.1 - MINOR : cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
- 2.0, 2.1 - MINOR : threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
- 2.1 - MINOR : ssl: memlea