** Description changed:

This bug tracks an update for the HAProxy package in the following Ubuntu releases to the versions below:

* questing (25.10): HAProxy 3.0.12 (see entries from 3.0.11 to 3.0.12).
* plucky (25.04): HAProxy 3.0.12 (see entries from 3.0.11 to 3.0.12).
* noble (24.04): HAProxy 2.8.16.
* jammy (22.04): HAProxy 2.4.30.

These updates include bugfixes only, following the SRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception-HAProxy-Updates

[Upstream changes]

HAProxy 3.0.12: https://www.haproxy.org/download/3.0/src/CHANGELOG
HAProxy 2.8.16: https://www.haproxy.org/download/2.8/src/CHANGELOG
HAProxy 2.4.30: https://www.haproxy.org/download/2.4/src/CHANGELOG

Important bug fixes include:

* questing (25.10) and plucky (25.04) - HAProxy 3.0.12:
  - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
  - BUG/MAJOR: mux-quic: fix crash on reload during emission
  - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
  - BUG/MAJOR: stream: Force channel analysis on successful synchronous send
  - BUG/MAJOR: listeners: transfer connection accounting when switching listeners
  - BUG/MAJOR: cache: Crash because of wrong cache entry deleted

* noble (24.04) - HAProxy 2.8.16:
  - BUG/MAJOR: listeners: transfer connection accounting when switching listeners

Also, all the new releases being introduced here include a CVE fix:

  - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers (already applied by security)

However, this CVE fix was already introduced in the security pocket by the security team, so we will just be dropping the Ubuntu patch there.
[Test Plan]

Since the upstream CI pipelines do not run (publicly) for HAProxy 2.4, 2.8, and 3.0, we triggered those using the upstream project GitHub workflows:

HAProxy 2.4.30 (jammy): https://github.com/athos-ribeiro/haproxy-2.4/actions
HAProxy 2.8.16 (noble): https://github.com/athos-ribeiro/haproxy-2.8/actions
HAProxy 3.0.12 (plucky/questing): https://github.com/athos-ribeiro/haproxy-3.0/actions

TBD: Result analysis

A test build set is available at https://launchpad.net/~athos/+archive/ubuntu/haproxy/+packages. We ran the haproxy DEP8 test suite for the packages built in that PPA. Here are the results:

* Results:
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [amd64]
    + ✅ haproxy on jammy for amd64 @ 04.12.25 10:33:02
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [arm64]
    + ✅ haproxy on jammy for arm64 @ 04.12.25 10:33:56
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [armhf]
    + ✅ haproxy on jammy for armhf @ 04.12.25 10:36:41
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [ppc64el]
    + ✅ haproxy on jammy for ppc64el @ 04.12.25 10:51:14
  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [s390x]
    + ✅ haproxy on jammy for s390x @ 04.12.25 11:19:32
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [amd64]
    + ✅ haproxy on noble for amd64 @ 04.12.25 10:35:07
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [arm64]
    + ✅ haproxy on noble for arm64 @ 04.12.25 10:44:40
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [armhf]
    + ✅ haproxy on noble for armhf @ 04.12.25 10:36:22
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [ppc64el]
    + ✅ haproxy on noble for ppc64el @ 04.12.25 10:35:49
  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [s390x]
    + ✅ haproxy on noble for s390x @ 04.12.25 10:32:47
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [amd64]
    + ✅ haproxy on plucky for amd64 @ 04.12.25 10:34:25
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [arm64]
    + ✅ haproxy on plucky for arm64 @ 04.12.25 10:33:38
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [armhf]
    + ✅ haproxy on plucky for armhf @ 04.12.25 10:35:54
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [ppc64el]
    + ✅ haproxy on plucky for ppc64el @ 04.12.25 10:34:12
  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [s390x]
    + ✅ haproxy on plucky for s390x @ 04.12.25 10:33:14
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [amd64]
    + ✅ haproxy on questing for amd64 @ 04.12.25 10:43:49
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [arm64]
    + ✅ haproxy on questing for arm64 @ 04.12.25 10:54:32
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [armhf]
    + ✅ haproxy on questing for armhf @ 04.12.25 10:35:43
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [ppc64el]
    + ✅ haproxy on questing for ppc64el @ 04.12.25 10:35:28
  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [s390x]
    + ✅ haproxy on questing for s390x @ 04.12.25 10:53:24

[Regression Potential]

HAProxy itself does not have many reverse dependencies; however, any upgrade risks introducing some breakage to other packages. Whenever a test failure is detected, we will be on top of it and make sure it doesn't affect existing users.

[Regression Potential - Changes Analysis (CA)]

There are some low regression risk (as per upstream classification) functional changes. Moreover, some (fewer) bug fixes have a possible medium regression risk (again, as per upstream classification). The functional changes mentioned above were included because they are, in the majority, needed by other entries which are bug fixes, i.e., these are functional changes needed to fix specific bugs.
[Regression Potential - CA - Upstream changes classification criteria]

https://github.com/haproxy/haproxy/blob/master/CONTRIBUTING#L632 describes the upstream guidelines for tagging the entries in the upstream changelog based on their purpose, importance, severity, etc. Below, I summarize the relevant bits of such guidelines.

Patches "fixing a bug must have the 'BUG' tag", e.g., "BUG/MAJOR: description".

"When the patch cannot be categorized, [...] only use a risk or complexity information [...]. This is commonly the case for new features". For instance, "MINOR: description".

For MINOR tags, the patch "is safe enough to be backported to stable branches".

Patches tagged MEDIUM "may cause unexpected regressions of low importance [...], the patch is safe but touches working areas".

Patches tagged MAJOR carry a "major risk of hidden regression". No changes are tagged MAJOR without a bug classifier, i.e., all of the patches classified as MAJOR are BUG/MAJOR and will be discussed below.

There is also a CRITICAL tag, but no changes are tagged with it in the new candidate versions other than the CVE patch, which was already available in the security pocket.

[Regression Potential - CA - Impact]

For the next Jammy update, we would upgrade HAProxy from 2.4.29 to 2.4.30. Since the CVE fix introduced in this new upstream version is already applied in jammy, this new version is only introducing a couple of minor bug fixes, which should have very little regression impact.

For the next Noble update, we would upgrade HAProxy from 2.8.15 to 2.8.16. Among the changes, there is 1 bug fix tagged as BUG/MAJOR and 8 uncategorized changes (potentially functional), where 7 are tagged as MINOR and 1 is tagged as MEDIUM.

For the next Plucky and Questing updates, we would upgrade HAProxy from 3.0.10 to 3.0.12. Among the changes, there are 6 bug fixes tagged as BUG/MAJOR and 17 uncategorized changes (potentially functional), where 15 are tagged as MINOR and 2 are tagged as MEDIUM.
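As an added example (not code from this bug report or from the HAProxy project), the following script applies the tag scheme summarized above to CHANGELOG text in the upstream layout and produces the per-release counts of BUG/<severity> fixes versus uncategorized MINOR/MEDIUM changes that the impact section reports, plus the short list of entries the assessment singles out for review. The sample CHANGELOG is constructed: its entry titles come from this bug, the dates and the DOC/MINOR helper lines are made up.

```python
import re
from collections import Counter, defaultdict

# HAProxy CHANGELOG layout: a release header "YYYY/MM/DD : X.Y.Z" followed by
# indented "    - TAG: subsystem: description" lines. Entries without a risk
# tag (DOC, BUILD, CLEANUP, ...) are skipped by ENTRY_RE.
RELEASE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) : (\S+)$")
ENTRY_RE = re.compile(r"^\s+- (?:(BUG)/)?(MINOR|MEDIUM|MAJOR|CRITICAL): (.*)$")

# Constructed sample: titles come from the bug description, dates are made up.
SAMPLE_CHANGELOG = """\
2025/01/01 : 3.0.12
    - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
    - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
    - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
    - MINOR: hlua: Add function to change the body length of an HTTP Message
    - DOC: config: clarify an option (constructed, carries no risk tag)
2025/01/01 : 3.0.11
    - BUG/MAJOR: cache: Crash because of wrong cache entry deleted
    - MINOR: quic: internal helper used by a later fix (constructed)
"""

def parse_changelog(text):
    """Yield (version, is_bug, severity, title) for each risk-tagged entry."""
    version = None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            version = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and version is not None:
            is_bug, severity, title = m.groups()
            yield version, is_bug is not None, severity, title

def classify_changelog(text):
    """Count entries per version, split into bug fixes and uncategorized changes."""
    summary = defaultdict(lambda: {"bug": Counter(), "uncategorized": Counter()})
    for version, is_bug, severity, _ in parse_changelog(text):
        summary[version]["bug" if is_bug else "uncategorized"][severity] += 1
    return dict(summary)

def entries_needing_review(text):
    """Entries the assessment discusses: BUG/MAJOR, BUG/CRITICAL and uncategorized MEDIUM."""
    return [(v, ("BUG/" if b else "") + s, t) for v, b, s, t in parse_changelog(text)
            if (b and s in ("MAJOR", "CRITICAL")) or (not b and s == "MEDIUM")]
```

Run `classify_changelog(open("CHANGELOG").read())` against a downloaded upstream CHANGELOG to reproduce the counts for a real version range; the result only covers the releases present in the file.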
[Regression Potential - CA - Assessment]

- TBD
+ Below we discuss the changes with the greater regression potential (and
+ the most relevant uncategorized ones, which may contain functional
+ changes).
+
+ All uncategorized MINOR changes are either adding new internal functions
+ used by other bug fixes, or other internal changes where regressions are
+ not expected. Hence, they will not be discussed.
+
+ Unless they are discussed below, changes tagged BUG/MAJOR had the MAJOR
+ tag chosen due to the severity of the bugs and not due to the regression
+ potential (and that is why they are not being discussed).
+
+ Plucky (25.04) and Questing (25.10): HAProxy 3.0.12:
+
+ - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
+
+ Since the name stored in a certificate tree can be an alias and not a path,
+ requiring full paths in the certificate name when adding it through the CLI
+ was a bug. This is now fixed. It also means that the tool or user inserting the
+ certificate must now check itself that the certificate was placed at the right
+ spot on the filesystem.
+
+ - BUG/MAJOR: stream: Remove READ/WRITE events on channels after
+ analysers eval
+
+ A couple of flags are being removed after evaluation. Although this is supposed
+ to be a safe/internal-only change, it is tagged MAJOR because this area is
+ really sensitive to any changes. FWIW, this change caused a regression during
+ development and was reverted in this same released version.
+
+ - BUG/MAJOR: stream: Force channel analysis on successful synchronous
+ send
+
+ This reverts the change above due to a regression and fixes the underlying
+ issue by adding a different flag instead of removing flags. This is set as
+ MAJOR due to the fixed regression.
+
+ - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
+
+ This was already applied by the security team.
+
+ - MEDIUM: hlua: Add function to change the body length of an HTTP
+ Message
+
+ This adds a new function for a Lua filter to change the body length of
+ an HTTP message.
+
+ Noble (24.04): HAProxy 2.8.16:
+
+ Both entries here were already discussed above for Plucky/Questing:
+
+ - MEDIUM: hlua: Add function to change the body length of an HTTP Message
+ - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
+
+ Jammy (22.04): HAProxy 2.4.30:
+
+ The only entry here was already discussed above for Plucky/Questing:
+
+ - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers

[Previous updates]

- LP: #2012557
- LP: #2028418
- LP: #2112526
https://bugs.launchpad.net/bugs/2127664
Title: New HAProxy upstream microreleases 2.4.30, 2.8.16, and 3.0.12
