** Description changed:

This bug tracks an update for the HAProxy package in the following Ubuntu releases to the versions below:

* questing (25.10): HAProxy 3.0.12 (See entries from 3.0.11 to 3.0.12).
* plucky (25.04): HAProxy 3.0.12 (See entries from 3.0.11 to 3.0.12).
* noble (24.04): HAProxy 2.8.16.
* jammy (22.04): HAProxy 2.4.30.

These updates include bugfixes only following the SRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception-HAProxy-Updates

[Upstream changes]

HAProxy 3.0.12: https://www.haproxy.org/download/3.0/src/CHANGELOG
HAProxy 2.8.16: https://www.haproxy.org/download/2.8/src/CHANGELOG
HAProxy 2.4.30: https://www.haproxy.org/download/2.4/src/CHANGELOG

Important bug fixes include:

* questing (25.10) and plucky (25.04) - HAProxy 3.0.12:
  - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
  - BUG/MAJOR: mux-quic: fix crash on reload during emission
  - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
  - BUG/MAJOR: stream: Force channel analysis on successful synchronous send
  - BUG/MAJOR: listeners: transfer connection accounting when switching listeners
  - BUG/MAJOR: cache: Crash because of wrong cache entry deleted
* noble (24.04) - HAProxy 2.8.16:
  - BUG/MAJOR: listeners: transfer connection accounting when switching

Also, all the new releases being introduced here include a CVE fix:

  - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers already inapplied by security

However, this CVE was already introduced in the security pocket by the security team, so we will be just dropping the Ubuntu patch there.

[Test Plan]

Since the upstream CI pipelines do not run (publicly) for HAProxy 2.4, 2.8, and 3.0, we triggered those using the upstream project GitHub workflows:

HAProxy 2.4.30 (jammy): https://github.com/athos-ribeiro/haproxy-2.4/actions
HAProxy 2.8.16 (noble): https://github.com/athos-ribeiro/haproxy-2.8/actions
HAProxy 3.0.12 (plucky/questing): https://github.com/athos-ribeiro/haproxy-3.0/actions

TBD: Result analysis

A test build set is available at https://launchpad.net/~athos/+archive/ubuntu/haproxy/+packages. We ran the haproxy DEP8 test suite for the packages built in that PPA. Here are the results:

* Results:
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [amd64]
    + ✅ haproxy on jammy for amd64 @ 04.12.25 10:33:02
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [arm64]
    + ✅ haproxy on jammy for arm64 @ 04.12.25 10:33:56
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [armhf]
    + ✅ haproxy on jammy for armhf @ 04.12.25 10:36:41
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [ppc64el]
    + ✅ haproxy on jammy for ppc64el @ 04.12.25 10:51:14
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [s390x]
    + ✅ haproxy on jammy for s390x @ 04.12.25 11:19:32
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [amd64]
    + ✅ haproxy on noble for amd64 @ 04.12.25 10:35:07
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [arm64]
    + ✅ haproxy on noble for arm64 @ 04.12.25 10:44:40
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [armhf]
    + ✅ haproxy on noble for armhf @ 04.12.25 10:36:22
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [ppc64el]
    + ✅ haproxy on noble for ppc64el @ 04.12.25 10:35:49
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [s390x]
    + ✅ haproxy on noble for s390x @ 04.12.25 10:32:47
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [amd64]
    + ✅ haproxy on plucky for amd64 @ 04.12.25 10:34:25
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [arm64]
    + ✅ haproxy on plucky for arm64 @ 04.12.25 10:33:38
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [armhf]
    + ✅ haproxy on plucky for armhf @ 04.12.25 10:35:54
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [ppc64el]
    + ✅ haproxy on plucky for ppc64el @ 04.12.25 10:34:12
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [s390x]
    + ✅ haproxy on plucky for s390x @ 04.12.25 10:33:14
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [amd64]
    + ✅ haproxy on questing for amd64 @ 04.12.25 10:43:49
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [arm64]
    + ✅ haproxy on questing for arm64 @ 04.12.25 10:54:32
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [armhf]
    + ✅ haproxy on questing for armhf @ 04.12.25 10:35:43
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [ppc64el]
    + ✅ haproxy on questing for ppc64el @ 04.12.25 10:35:28
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [s390x]
    + ✅ haproxy on questing for s390x @ 04.12.25 10:53:24

[Regression Potential]

HAProxy itself does not have many reverse dependencies, however, any upgrade is a risk to introduce some breakage to other packages.

Whenever a test failure is detected, we will be on top of it and make sure it doesn't affect existing users.

[Regression Potential - Changes Analysis (CA)]

- TBD + There are some low regression risk (as per upstream classification) + functional changes. + + Moreover, some (fewer) bug fixes have a possible medium regression risk + (again, as per upstream classification). + + The functional changes mentioned above were included because they are, + in majority, needed by other entries which are bug fixes, i.e., these + are functional changes needed to fix specific bugs.

[Regression Potential - CA - Upstream changes classification criteria]

https://github.com/haproxy/haproxy/blob/master/CONTRIBUTING#L632 describes the upstream guidelines for tagging the entries in the upstream changelog based on their purpose, importance, severity, etc. Below, I summarize the relevant bits of such guidelines.

Patches "fixing a bug must have the 'BUG' tag", e.g., "BUG/MAJOR: description"

"When the patch cannot be categorized, [...] only use a risk or complexity information [...]. This is commonly the case for new features". For instance, "MINOR: description"

For MINOR tags, the patch "is safe enough to be backported to stable branches".

Patches tagged MEDIUM "may cause unexpected regressions of low importance [...], the patch is safe but touches working areas".

Patches tagged MAJOR carry a "major risk of hidden regression". No changes are tagged MAJOR without a bug classifier, i.e., all of the patches classified as MAJOR are BUG/MAJOR and will be discussed below.

There is also a CRITICAL tag but no changes are tagged with it in the new candidate versions other than the CVE patch which was already available in the security pocket.

[Regression Potential - CA - Impact]

- TBD + For the next Jammy update, we would upgrade HAPRoxy from 2.4.29 to + 2.4.30. Since the CVE fix introduced in this new upstream version is + already applied in jammy, this new version is only introducing a couple + minor bug fixes which should have very little regression impact. + + For the next Noble update, we would upgrade HAPRoxy from 2.8.15 to + 2.8.16. Among the changes, there is 1 bug fix tagged as BUG/MAJOR and 8 + uncategorized changes (potentially functional), where 7 are tagged as + MINOR and 1 is tagged as MEDIUM. + + For the next Plucky and Questing updates, we would upgrade HAPRoxy from + 3.0.10 to 3.0.12.
Among the changes, there are 6 bug fixes tagged as + BUG/MAJOR and 17 uncategorized changes (potentially functional), where + 15 are tagged as MINOR and 2 are tagged as MEDIUM.

[Regression Potential - CA - Assessment]

TBD

[Previous updates]

- LP: #2012557
- LP: #2028418
- LP: #2112526

--
https://bugs.launchpad.net/bugs/2127664

Title:
  New HAProxy upstream microreleases 2.4.30, 2.8.16, and 3.0.12
