Re: [*EXT*] Important HAProxy releases to come next week
On 2023-02-13 19:34, Vincent Bernat wrote: That's a pretty sneaky way to ruin one's Valentine dinner. :-D Sure, but we have to compose between disclosing too early, ruining the west coast's morning and too late, ruining eastern dinners :-) Maybe this one will be remembered as the Valentine's bug. I think we're mostly good as it is now, but I'm still having some backports to finish for now. Do you know if Vincent Bernat will be publishing his PPA quickly afterwards ? Yes, I'll be ready. For the Ubuntu PPA, there will be a small delay until the packages are built (I'll push the source at the disclosure time, but Launchpad will take a few minutes to build them). So, you should expect them a bit later.
Re: [*EXT*] Important HAProxy releases to come next week
On 2023-02-13 14:08, Thomas Pedoussaut wrote: That's a pretty sneaky way to ruin one's Valentine dinner. :-D Sure, but we have to compose between disclosing too early, ruining the west coast's morning and too late, ruining eastern dinners :-) Maybe this one will be remembered as the Valentine's bug. I think we're mostly good as it is now, but I'm still having some backports to finish for now. Do you know if Vincent Bernat will be publishing his PPA quickly afterwards ? Yes, I'll be ready.
Re: [*EXT*] Important HAProxy releases to come next week
On Mon, Feb 13, 2023 at 02:08:46PM +0100, Thomas Pedoussaut wrote: > On 13/02/2023 13:53, Willy Tarreau wrote: > > On Mon, Feb 13, 2023 at 12:45:36PM +0100, Ionel GARDAIS wrote: > > > That's a pretty sneaky way to ruin one's Valentine dinner. :-D > > Sure, but we have to compose between disclosing too early, ruining > > the west coast's morning and too late, ruining eastern dinners :-) > > Maybe this one will be remembered as the Valentine's bug. > > > > I think we're mostly good as it is now, but I'm still having some > > backports to finish for now. > > Do you know if Vincent Bernat will be publishing his PPA quickly afterwards > ? Usually Vincent is pretty fast, but here it might request a bit of time due to the number of builds involved. Regardless, do not stress too much, the situation is not good but your systems won't crash in the hour after the release. And in the worst case you'll just have to temporarily copy- paste a workaround rule in your public frontends and wait for the next day to look at this calmly. My goal with the upfront announce is to make most users see it so that they still have time to reserve an update slot if needed, it was not to trigger an unjustified panic wave. Thanks, Willy
Re: [*EXT*] Important HAProxy releases to come next week
On 13/02/2023 13:53, Willy Tarreau wrote: On Mon, Feb 13, 2023 at 12:45:36PM +0100, Ionel GARDAIS wrote: That's a pretty sneaky way to ruin one's Valentine dinner. :-D Sure, but we have to compose between disclosing too early, ruining the west coast's morning and too late, ruining eastern dinners :-) Maybe this one will be remembered as the Valentine's bug. I think we're mostly good as it is now, but I'm still having some backports to finish for now. Do you know if Vincent Bernat will be publishing his PPA quickly afterwards ? -- Thomas
Re: [*EXT*] Important HAProxy releases to come next week
On Mon, Feb 13, 2023 at 12:45:36PM +0100, Ionel GARDAIS wrote: > That's a pretty sneaky way to ruin one's Valentine dinner. :-D Sure, but we have to compose between disclosing too early, ruining the west coast's morning and too late, ruining eastern dinners :-) Maybe this one will be remembered as the Valentine's bug. I think we're mostly good as it is now, but I'm still having some backports to finish for now. Willy
Re: [*EXT*] Important HAProxy releases to come next week
That's a pretty sneaky way to ruin one's Valentine dinner. :-D - Mail original - De: "Willy Tarreau" À: "haproxy" Envoyé: Vendredi 10 Février 2023 17:28:27 Objet: [*EXT*] Important HAProxy releases to come next week Hello, we've been notified of a vulnerability in haproxy that will deserve a new series of releases for all branches. As such I'm not going to issue 2.7.3 today and will postpone it a bit to avoid confusion. The releases for 2.7, 2.6, 2.5, 2.4, 2.2, and 2.0 are planned for Tuesday 14th around 5pm CET. We do have a config workaround for the vulnerability that works with all versions, though it's not pretty (as any workaround). I'll share it with the announce on Tuesday, but as always it's better to update rather than start to accumulate config hacks. I wanted to mention this to raise awareness and help to speed up deployment once the issue is fully disclosed. Thanks for your understanding, and have a nice week-end. Willy PS: don't worry, your process will not crash over the week-end :-) -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
