Bug 947987 - haproxy: Rebase to upstream version 1.4.24
Summary: haproxy: Rebase to upstream version 1.4.24
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: haproxy
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Ryan O'Hara
QA Contact: Brandon Perkins
Keywords: Rebase, TechPreview
Depends On:
Blocks: 903303 947701 974263
Reported: 2013-04-03 17:25 UTC by Ryan O'Hara
Modified: 2013-11-21 11:27 UTC

Clone Of:
Last Closed: 2013-11-21 11:27:44 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1619 normal SHIPPED_LIVE haproxy bug fix and enhancement update 2013-11-20 21:38:43 UTC

Description Ryan O'Hara 2013-04-03 17:25:13 UTC
A new upstream release of haproxy has been released that contains several bug fixes, including fixes for rhbz#947701 (CVE-2013-1912) and rhbz#903303. Recommend that we rebase haproxy in rhel-6.5 to upstream release 1.4.23.

Comment 1 Ryan O'Hara 2013-04-03 17:26:20 UTC
Changelog for haproxy 1.4.23:

2013/04/03 : 1.4.23
    - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
    - BUG: fix garbage data when http-send-name-header replaces an existing header
    - BUG/MEDIUM: remove supplementary groups when changing gid
    - BUG/MINOR: Correct logic in cut_crlf()
    - BUG/MINOR: config: use a copy of the file name in proxy configurations
    - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
    - MINOR: halog: sort output by cookie code
    - BUG/MINOR: halog: -ad/-ac report the correct number of output lines
    - BUG/MINOR: halog: fix help message for -ut/-uto
    - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode
    - BUG/MEDIUM: command-line option -D must have precedence over "debug"
    - OPTIM: halog: keep a fast path for the lines-count only
    - MINOR: halog: add a parameter to limit output line count
    - BUG: halog: fix broken output limitation
    - MEDIUM: checks: avoid accumulating TIME_WAITs during checks
    - MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts
    - BUG/MAJOR: cli: show sess <id> may randomly corrupt the back-ref list
    - BUG/MINOR: http: don't report client aborts as server errors
    - BUG/MINOR: http: don't log a 503 on client errors while waiting for requests
    - BUG/MEDIUM: tcp: process could theorically crash on lack of source ports
    - BUG/MINOR: http: don't abort client connection on premature responses
    - BUILD: no need to clean up when making git-tar
    - MINOR: http: always report PR-- flags for redirect rules
    - BUG/MINOR: time: frequency counters are not totally accurate
    - BUG/MINOR: http: don't process abortonclose when request was sent
    - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait()
    - BUG/MINOR: config: fix improper check for failed memory alloc in ACL parser
    - BUG/MEDIUM: checks: ensure the health_status is always within bounds
    - CLEANUP: http: remove a useless null check
    - BUG/MEDIUM: signal: signal handler does not properly check for signal bounds
    - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage
    - CLEANUP: config: slowstart is never negative
    - BUILD: improve the makefile's support for libpcre
    - BUG/MINOR: checks: fix an warning introduced by commit 2f61455a
    - MEDIUM: halog: add support for counting per source address (-ic)
    - DOC: mention the new HTTP 307 and 308 redirect statues     (cherry picked from commit b67fdc4cd8bde202f2805d98683ddab929469a05)
    - MEDIUM: poll: do not use FD_* macros anymore
    - BUG/MAJOR: ev_select: disable the select() poller if maxsock > FD_SETSIZE
    - BUILD: enable poll() by default in the makefile
    - BUILD: add explicit support for Mac OS/X
    - BUG/CRITICAL: using HTTP information in tcp-request content may crash the process
    - MEDIUM: http: implement redirect 307 and 308
    - MINOR: http: status 301 should not be marked non-cacheable

Comment 2 Ryan O'Hara 2013-04-03 17:27:36 UTC
Also note that haproxy is considered "Tech Preview" in rhel-6.4.

Comment 5 Ryan O'Hara 2013-06-17 19:02:22 UTC
(In reply to Ryan O'Hara from comment #0)
> A new upstream release of haproxy has been released that contains several bug
> fixes, including fixes for rhbz#947701 (CVE-2013-1912) and rhbz#903303.
> Recommend that we rebase haproxy in rhel-6.5 to upstream release 1.4.23.

Changing to target rebase of upstream release 1.4.24, which contains fix for rhbz#974263 (CVE-2013-2175).

Changelog for haproxy 1.4.24:

2013/06/17 : 1.4.24
    - BUG/MAJOR: backend: consistent hash can loop forever in certain circumstances
    - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used
    - MEDIUM: protocol: implement a "drain" function in protocol layers
    - BUG/CRITICAL: fix a possible crash when using negative header occurrences

Comment 10 michal novacek 2013-09-02 15:36:02 UTC
I have verified that haproxy version is 1.4.24.

# yum install haproxy
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package haproxy.x86_64 0:1.4.24-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package    Arch                  Version                     Repository                          Size
 haproxy                x86_64                1.4.24-2.el6                beaker-LoadBalancer                456 k

Transaction Summary
Install       1 Package(s)

Total download size: 456 k
Installed size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
haproxy-1.4.24-2.el6.x86_64.rpm                                                             | 456 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : haproxy-1.4.24-2.el6.x86_64                         1/1 
  Verifying  : haproxy-1.4.24-2.el6.x86_64                         1/1 

  haproxy.x86_64 0:1.4.24-2.el6                                             


# rpm -ql haproxy | grep bin

# /usr/sbin/haproxy -v
HA-Proxy version 1.4.24 2013/06/17
Copyright 2000-2013 Willy Tarreau <w@1wt.eu>

# service haproxy start
Starting haproxy: [  OK  ]

# ps axf | grep haproxy
 5712 pts/0    S+     0:00          \_ grep haproxy
 5696 ?        Ss     0:00 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg \
-p /var/run/haproxy.pid

Comment 11 errata-xmlrpc 2013-11-21 11:27:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
