diff -Nru haproxy-1.5.4/CHANGELOG haproxy-1.5.14/CHANGELOG
--- haproxy-1.5.4/CHANGELOG 2014-09-02 11:54:16.000000000 +0000
+++ haproxy-1.5.14/CHANGELOG 2015-07-03 15:35:11.000000000 +0000
@@ -1,6 +1,174 @@
ChangeLog :
===========
+2015/07/03 : 1.5.14
+ - BUILD/MINOR: tools: rename popcount to my_popcountl
+ - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
+
+2015/06/26 : 1.5.13
+ - BUG/MINOR: check: fix tcpcheck error message
+ - CLEANUP: deinit: remove codes for cleaning p->block_rules
+ - DOC: Update doc about weight, act and bck fields in the statistics
+ - MINOR: ssl: add a destructor to free allocated SSL ressources
+ - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
+ - MEDIUM: ssl: replace standards DH groups with custom ones
+ - BUG/MINOR: debug: display (null) in place of "meth"
+ - BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
+ - BUG/MEDIUM: cfgparse: segfault when userlist is misused
+ - BUG/MEDIUM: stats: properly initialize the scope before dumping stats
+ - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels
+ - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks
+ - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
+ - CLEANUP: checks: simplify the loop processing of tcp-checks
+ - BUG/MAJOR: checks: always check for end of list before proceeding
+ - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
+ - BUG/MEDIUM: peers: apply a random reconnection timeout
+ - BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
+ - MEDIUM: init: don't stop proxies in parent process when exiting
+ - MINOR: peers: store the pointer to the signal handler
+ - MEDIUM: peers: unregister peers that were never started
+ - MEDIUM: config: propagate the table's process list to the peers sections
+ - MEDIUM: init: stop any peers section not bound to the correct process
+ - MEDIUM: config: validate that peers sections are bound to exactly one process
+ - MAJOR: peers: allow peers section to be used with nbproc > 1
+ - DOC: relax the peers restriction to single-process
+ - CLEANUP: config: fix misleading information in error message.
+ - MINOR: config: report the number of processes using a peers section in the error case
+ - BUG/MEDIUM: config: properly compute the default number of processes for a proxy
+
+2015/05/02 : 1.5.12
+ - BUG/MINOR: ssl: Display correct filename in error message
+ - DOC: Fix L4TOUT typo in documentation
+ - BUG/MEDIUM: Do not consider an agent check as failed on L7 error
+ - BUG/MINOR: pattern: error message missing
+ - BUG/MEDIUM: pattern: some entries are not deleted with case insensitive match
+ - BUG/MEDIUM: buffer: one byte miss in buffer free space check
+ - BUG/MAJOR: http: don't read past buffer's end in http_replace_value
+ - BUG/MEDIUM: http: the function "(req|res)-replace-value" doesn't respect the HTTP syntax
+ - BUG/MEDIUM: peers: correctly configure the client timeout
+ - BUG/MINOR: compression: consider the expansion factor in init
+ - BUG/MEDIUM: http: hdr_cnt would not count any header when called without name
+ - BUG/MEDIUM: listener: don't report an error when resuming unbound listeners
+ - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only
+ - BUG/MEDIUM: stream-int: always reset si->ops when si->end is nullified
+ - BUG/MEDIUM: http: remove content-length from chunked messages
+ - DOC: http: update the comments about the rules for determining transfer-length
+ - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to HTTP/1.1
+ - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad request
+ - BUG/MEDIUM: http: remove content-length form responses with bad transfer-encoding
+ - MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230
+ - MEDIUM: http: add option-ignore-probes to get rid of the floods of 408
+ - BUG/MINOR: config: clear proxy->table.peers.p for disabled proxies
+ - MINOR: stick-table: don't attach to peers in stopped state
+ - MEDIUM: config: initialize stick-tables after peers, not before
+ - MEDIUM: peers: add the ability to disable a peers section
+ - DOC: document option http-ignore-probes
+ - DOC: fix the comments about the meaning of msg->sol in HTTP
+ - BUG/MEDIUM: http: wait for the exact amount of body bytes in wait_for_request_body
+ - BUG/MAJOR: http: prevent risk of reading past end with balance url_param
+ - DOC: update the doc on the proxy protocol
+
+2015/02/01 : 1.5.11
+ - BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used
+ - MINOR: ssl: load certificates in alphabetical order
+ - BUG/MINOR: checks: prevent http keep-alive with http-check expect
+ - BUG/MEDIUM: Do not set agent health to zero if server is disabled in config
+ - MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent health is zero
+ - BUG/MINOR: stats:Fix incorrect printf type.
+ - DOC: add missing entry for log-format and clarify the text
+ - BUG/MEDIUM: http: fix header removal when previous header ends with pure LF
+ - BUG/MEDIUM: channel: fix possible integer overflow on reserved size computation
+ - BUG/MINOR: channel: compare to_forward with buf->i, not buf->size
+ - MINOR: channel: add channel_in_transit()
+ - MEDIUM: channel: make buffer_reserved() use channel_in_transit()
+ - MEDIUM: channel: make bi_avail() use channel_in_transit()
+ - BUG/MEDIUM: channel: don't schedule data in transit for leaving until connected
+ - BUG/MAJOR: log: don't try to emit a log if no logger is set
+ - BUG/MINOR: args: add missing entry for ARGT_MAP in arg_type_names
+ - BUG/MEDIUM: http: make http-request set-header compute the string before removal
+ - BUG/MINOR: http: fix incorrect header value offset in replace-hdr/replace-value
+ - BUG/MINOR: http: abort request processing on filter failure
+
+2014/12/31 : 1.5.10
+ - DOC: fix a few typos
+ - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized"
+ - BUG/MINOR: parse: refer curproxy instead of proxy
+ - DOC: httplog does not support 'no'
+ - MINOR: map/acl/dumpstats: remove the "Done." message
+ - BUG/MEDIUM: sample: fix random number upper-bound
+ - BUG/MEDIUM: patterns: previous fix was incomplete
+ - BUG/MEDIUM: payload: ensure that a request channel is available
+ - BUG/MINOR: tcp-check: don't condition data polling on check type
+ - BUG/MEDIUM: tcp-check: don't rely on random memory contents
+ - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect
+ - BUG/MINOR: config: fix typo in condition when propagating process binding
+ - BUG/MEDIUM: config: do not propagate processes between stopped processes
+ - BUG/MAJOR: stream-int: properly check the memory allocation return
+ - BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
+ - BUG/MEDIUM: compression: correctly report zlib_mem
+
+2014/11/26 : 1.5.9
+ - BUILD: fix "make install" to support spaces in the install dirs
+ - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
+ - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.
+ - BUG/MINOR: samples: fix unnecessary memcopy converting binary to string.
+ - BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information
+ - BUG/MEDIUM: pattern: don't load more than once a pattern list.
+ - BUG/MEDIUM: ssl: force a full GC in case of memory shortage
+ - BUG/MINOR: config: don't inherit the default balance algorithm in frontends
+ - BUG/MAJOR: frontend: initialize capture pointers earlier
+ - BUG/MINOR: stats: correctly set the request/response analysers
+ - DOC: fix typo in the body parser documentation for msg.sov
+ - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not trash.size
+ - MINOR: sample: add a few basic internal fetches (nbproc, proc, stopping)
+ - BUG/MAJOR: sessions: unlink session from list on out of memory
+
+2014/10/31 : 1.5.8
+ - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped
+ - BUG/BUILD: revert accidental change in the makefile from latest SSL fix
+
+2014/10/30 : 1.5.7
+ - BUG/MEDIUM: regex: fix pcre_study error handling
+ - BUG/MINOR: log: fix request flags when keep-alive is enabled
+ - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs
+ - MINOR: ssl: add statement to force some ssl options in global.
+ - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
+ - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+ - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+ - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+ - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
+
+2014/10/18 : 1.5.6
+ - BUG/MEDIUM: systemd: set KillMode to 'mixed'
+ - MINOR: systemd: Check configuration before start
+ - BUG/MEDIUM: config: avoid skipping disabled proxies
+ - BUG/MINOR: config: do not accept more track-sc than configured
+ - BUG/MEDIUM: backend: fix URI hash when a query string is present
+
+2014/10/08 : 1.5.5
+ - DOC: Address issue where documentation is excluded due to a gitignore rule.
+ - MEDIUM: Improve signal handling in systemd wrapper.
+ - BUG/MINOR: config: don't propagate process binding for dynamic use_backend
+ - MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper
+ - DOC: clearly state that the "show sess" output format is not fixed
+ - MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer()
+ - DOC: indicate in the doc that track-sc* can wait if data are missing
+ - MEDIUM: http: enable header manipulation for 101 responses
+ - BUG/MEDIUM: config: propagate frontend to backend process binding again.
+ - MEDIUM: config: properly propagate process binding between proxies
+ - MEDIUM: config: make the frontends automatically bind to the listeners' processes
+ - MEDIUM: config: compute the exact bind-process before listener's maxaccept
+ - MEDIUM: config: only warn if stats are attached to multi-process bind directives
+ - MEDIUM: config: report it when tcp-request rules are misplaced
+ - MINOR: config: detect the case where a tcp-request content rule has no inspect-delay
+ - MEDIUM: systemd-wrapper: support multiple executable versions and names
+ - BUG/MEDIUM: remove debugging code from systemd-wrapper
+ - BUG/MEDIUM: http: adjust close mode when switching to backend
+ - BUG/MINOR: config: don't propagate process binding on fatal errors.
+ - BUG/MEDIUM: check: rule-less tcp-check must detect connect failures
+ - BUG/MINOR: tcp-check: report the correct failed step in the status
+ - DOC: indicate that weight zero is reported as DRAIN
+
2014/09/02 : 1.5.4
- BUG: config: error in http-response replace-header number of arguments
- BUG/MINOR: Fix search for -p argument in systemd wrapper.
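Review bot: the package changelog later in this diff ties only the 1.5.14 entry ('buffers: make the buffer_slow_realign() function respect output data', CVE-2015-3281) to a security fix, but this range carries several other memory-safety fixes that a triage of the backport should record rather than treat as routine: in 1.5.12, 'http: don't read past buffer's end in http_replace_value', 'http: prevent risk of reading past end with balance url_param' and 'buffer: one byte miss in buffer free space check'; in 1.5.9, 'connection: sanitize PPv2 header length before parsing address information'; in 1.5.8, 'buffer: check the space left is enough or not when input data in a buffer is wrapped'; and in 1.5.13, 'checks: always check for end of list before proceeding' together with the two tcp-check dereference fixes. The 1.5.12 HTTP message-framing changes (content-length removed from chunked messages, an incorrect transfer-coding in the request rejected as a bad request, transfer-encoding parsed regardless of the HTTP/1.1 version token, and the new option http-ignore-probes) also change observable behaviour for clients and deserve a line in the package changelog so operators know why request handling differs after the upgrade.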
diff -Nru haproxy-1.5.4/contrib/systemd/haproxy.service.in haproxy-1.5.14/contrib/systemd/haproxy.service.in
--- haproxy-1.5.4/contrib/systemd/haproxy.service.in 2014-09-02 11:54:16.000000000 +0000
+++ haproxy-1.5.14/contrib/systemd/haproxy.service.in 2015-07-03 15:35:11.000000000 +0000
@@ -3,8 +3,10 @@
After=network.target
[Service]
+ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=mixed
Restart=always
[Install]
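Review bot: the ExecStartPre line validates the configuration (`-c -q`) before the wrapper launches, so a broken haproxy.cfg now fails the unit at start rather than after the wrapper is already running, but the reload path still just sends `kill -USR2 $MAINPID` with no validation at all; consider running the same `@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q` as a first ExecReload command before the kill, so that `systemctl reload haproxy` reports a clear failure on a bad config instead of requiring the operator to dig through the wrapper's log. `KillMode=mixed` is the right pairing for a wrapper that now catches SIGTERM itself (see the 1.5.5 entry 'Also accept SIGHUP/SIGTERM in systemd-wrapper' in the CHANGELOG hunk): systemd delivers SIGTERM to the wrapper only, letting it shut its children down in order, and only on timeout SIGKILLs the whole control group, which is what stops orphaned worker processes from keeping the listening sockets open across a restart.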
diff -Nru haproxy-1.5.4/debian/changelog haproxy-1.5.14/debian/changelog
--- haproxy-1.5.4/debian/changelog 2015-08-23 18:45:27.000000000 +0000
+++ haproxy-1.5.14/debian/changelog 2016-02-08 15:09:20.000000000 +0000
@@ -1,31 +1,251 @@
-haproxy (1.5.4-1ubuntu2.1~ubuntu14.04.1) trusty-backports; urgency=medium
+haproxy (1.5.14-1ubuntu0.15.10.1~ubuntu14.04.1) trusty-backports; urgency=medium
- * No-change backport to trusty (LP: #1473162)
+ * No-change backport to trusty (LP: #1494141)
- -- Micah Gersten Sun, 23 Aug 2015 13:45:27 -0500
+ -- Iain Lane Mon, 08 Feb 2016 15:09:20 +0000
-haproxy (1.5.4-1ubuntu2.1) utopic-security; urgency=medium
+haproxy (1.5.14-1ubuntu0.15.10.1) wily; urgency=medium
- * SECURITY UPDATE: information disclosure via uninitialized memory
- - debian/patches/CVE-2015-3281.patch: respect output data in
- src/buffer.c.
- - CVE-2015-3281
+ * Ensure that haproxy processes are terminated correctly when executing
+ stop/restart operations, easing backports to pre-systemd versions of
+ Ubuntu (LP: #1477198, #1481737).
+
+ -- James Page Mon, 09 Nov 2015 16:51:46 +0000
+
+haproxy (1.5.14-1) unstable; urgency=high
+
+ * New upstream version. Fix an information leak (CVE-2015-3281):
+ - BUG/MAJOR: buffers: make the buffer_slow_realign() function
+ respect output data.
+ * Add $named as a dependency for init script. Closes: #790638.
+
+ -- Vincent Bernat Fri, 03 Jul 2015 19:49:02 +0200
+
+haproxy (1.5.13-1) unstable; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - MAJOR: peers: allow peers section to be used with nbproc > 1
+ - BUG/MAJOR: checks: always check for end of list before proceeding
+ - MEDIUM: ssl: replace standards DH groups with custom ones
+ - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
+ - BUG/MEDIUM: cfgparse: segfault when userlist is misused
+ - BUG/MEDIUM: stats: properly initialize the scope before dumping stats
+ - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER
+ except for tunnels
+ - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
+ - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
+ - BUG/MEDIUM: peers: apply a random reconnection timeout
+ - BUG/MEDIUM: config: properly compute the default number of processes
+ for a proxy
+
+ -- Vincent Bernat Sat, 27 Jun 2015 20:52:07 +0200
+
+haproxy (1.5.12-1) unstable; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - BUG/MAJOR: http: don't read past buffer's end in http_replace_value
+ - BUG/MAJOR: http: prevent risk of reading past end with balance
+ url_param
+ - BUG/MEDIUM: Do not consider an agent check as failed on L7 error
+ - BUG/MEDIUM: patern: some entries are not deleted with case
+ insensitive match
+ - BUG/MEDIUM: buffer: one byte miss in buffer free space check
+ - BUG/MEDIUM: http: thefunction "(req|res)-replace-value" doesn't
+ respect the HTTP syntax
+ - BUG/MEDIUM: peers: correctly configure the client timeout
+ - BUG/MEDIUM: http: hdr_cnt would not count any header when called
+ without name
+ - BUG/MEDIUM: listener: don't report an error when resuming unbound
+ listeners
+ - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only
+ - BUG/MEDIUM: stream-int: always reset si->ops when si->end is
+ nullified
+ - BUG/MEDIUM: http: remove content-length from chunked messages
+ - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to
+ HTTP/1.1
+ - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad
+ request
+ - BUG/MEDIUM: http: remove content-length form responses with bad
+ transfer-encoding
+ - BUG/MEDIUM: http: wait for the exact amount of body bytes in
+ wait_for_request_body
+
+ -- Vincent Bernat Sat, 02 May 2015 16:38:28 +0200
+
+haproxy (1.5.11-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Vincent Bernat Sun, 26 Apr 2015 17:46:58 +0200
+
+haproxy (1.5.11-1) experimental; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - BUG/MAJOR: log: don't try to emit a log if no logger is set
+ - BUG/MEDIUM: backend: correctly detect the domain when
+ use_domain_only is used
+ - BUG/MEDIUM: Do not set agent health to zero if server is disabled
+ in config
+ - BUG/MEDIUM: Only explicitly report "DOWN (agent)" if the agent health
+ is zero
+ - BUG/MEDIUM: http: fix header removal when previous header ends with
+ pure LF
+ - BUG/MEDIUM: channel: fix possible integer overflow on reserved size
+ computation
+ - BUG/MEDIUM: channel: don't schedule data in transit for leaving until
+ connected
+ - BUG/MEDIUM: http: make http-request set-header compute the string
+ before removal
+ * Upload to experimental.
+
+ -- Vincent Bernat Sun, 01 Feb 2015 09:22:27 +0100
+
+haproxy (1.5.10-1) experimental; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - BUG/MAJOR: stream-int: properly check the memory allocation return
+ - BUG/MEDIUM: sample: fix random number upper-bound
+ - BUG/MEDIUM: patterns: previous fix was incomplete
+ - BUG/MEDIUM: payload: ensure that a request channel is available
+ - BUG/MEDIUM: tcp-check: don't rely on random memory contents
+ - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect
+ - BUG/MEDIUM: config: do not propagate processes between stopped
+ processes
+ - BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
+ - BUG/MEDIUM: compression: correctly report zlib_mem
+ * Upload to experimental.
+
+ -- Vincent Bernat Sun, 04 Jan 2015 13:17:56 +0100
+
+haproxy (1.5.9-1) experimental; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - BUG/MAJOR: sessions: unlink session from list on out
+ of memory
+ - BUG/MEDIUM: pattern: don't load more than once a pattern
+ list.
+ - BUG/MEDIUM: connection: sanitize PPv2 header length before
+ parsing address information
+ - BUG/MAJOR: frontend: initialize capture pointers earlier
+ - BUG/MEDIUM: checks: fix conflicts between agent checks and
+ ssl healthchecks
+ - BUG/MEDIUM: ssl: force a full GC in case of memory shortage
+ - BUG/MEDIUM: ssl: fix bad ssl context init can cause
+ segfault in case of OOM.
+ * Upload to experimental.
+
+ -- Vincent Bernat Sun, 07 Dec 2014 16:37:36 +0100
+
+haproxy (1.5.8-3) unstable; urgency=medium
+
+ * Remove RC4 from the default cipher string shipped in configuration.
+
+ -- Vincent Bernat Fri, 27 Feb 2015 11:29:23 +0100
+
+haproxy (1.5.8-2) unstable; urgency=medium
+
+ * Cherry-pick the following patches from 1.5.9 release:
+ - 8a0b93bde77e BUG/MAJOR: sessions: unlink session from list on out
+ of memory
+ - bae03eaad40a BUG/MEDIUM: pattern: don't load more than once a pattern
+ list.
+ - 93637b6e8503 BUG/MEDIUM: connection: sanitize PPv2 header length before
+ parsing address information
+ - 8ba50128832b BUG/MAJOR: frontend: initialize capture pointers earlier
+ - 1f96a87c4e14 BUG/MEDIUM: checks: fix conflicts between agent checks and
+ ssl healthchecks
+ - 9bcc01ae2598 BUG/MEDIUM: ssl: force a full GC in case of memory shortage
+ - 909514970089 BUG/MEDIUM: ssl: fix bad ssl context init can cause
+ segfault in case of OOM.
+ * Cherry-pick the following patches from future 1.5.10 release:
+ - 1e89acb6be9b BUG/MEDIUM: payload: ensure that a request channel is
+ available
+ - bad3c6f1b6d7 BUG/MEDIUM: patterns: previous fix was incomplete
+
+ -- Vincent Bernat Sun, 07 Dec 2014 11:11:21 +0100
+
+haproxy (1.5.8-1) unstable; urgency=medium
+
+ * New upstream stable release including the following fixes:
+
+ + BUG/MAJOR: buffer: check the space left is enough or not when input
+ data in a buffer is wrapped
+ + BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
+ + BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
+ + BUG/MEDIUM: regex: fix pcre_study error handling
+ + BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+ + BUG/MINOR: log: fix request flags when keep-alive is enabled
+ + BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+ + BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+ * Also includes the following new features:
+ + MINOR: ssl: add statement to force some ssl options in global.
+ + MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER
+ formatted certs
+ * Disable SSLv3 in the default configuration file.
+
+ -- Vincent Bernat Fri, 31 Oct 2014 13:48:19 +0100
+
+haproxy (1.5.6-1) unstable; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ + BUG/MEDIUM: systemd: set KillMode to 'mixed'
+ + MINOR: systemd: Check configuration before start
+ + BUG/MEDIUM: config: avoid skipping disabled proxies
+ + BUG/MINOR: config: do not accept more track-sc than configured
+ + BUG/MEDIUM: backend: fix URI hash when a query string is present
+ * Drop systemd patches:
+ + haproxy.service-also-check-on-start.patch
+ + haproxy.service-set-killmode-to-mixed.patch
+ * Refresh other patches.
+
+ -- Vincent Bernat Mon, 20 Oct 2014 18:10:21 +0200
+
+haproxy (1.5.5-1) unstable; urgency=medium
+
+ [ Vincent Bernat ]
+ * initscript: use start-stop-daemon to reliably terminate all haproxy
+ processes. Also treat stopping a non-running haproxy as success.
+ (Closes: #762608, LP: #1038139)
+
+ [ Apollon Oikonomopoulos ]
+ * New upstream stable release including the following fixes:
+ + DOC: Address issue where documentation is excluded due to a gitignore
+ rule.
+ + MEDIUM: Improve signal handling in systemd wrapper.
+ + BUG/MINOR: config: don't propagate process binding for dynamic
+ use_backend
+ + MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper
+ + DOC: clearly state that the "show sess" output format is not fixed
+ + MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer()
+ + DOC: indicate in the doc that track-sc* can wait if data are missing
+ + MEDIUM: http: enable header manipulation for 101 responses
+ + BUG/MEDIUM: config: propagate frontend to backend process binding again.
+ + MEDIUM: config: properly propagate process binding between proxies
+ + MEDIUM: config: make the frontends automatically bind to the listeners'
+ processes
+ + MEDIUM: config: compute the exact bind-process before listener's
+ maxaccept
+ + MEDIUM: config: only warn if stats are attached to multi-process bind
+ directives
+ + MEDIUM: config: report it when tcp-request rules are misplaced
+ + MINOR: config: detect the case where a tcp-request content rule has no
+ inspect-delay
+ + MEDIUM: systemd-wrapper: support multiple executable versions and names
+ + BUG/MEDIUM: remove debugging code from systemd-wrapper
+ + BUG/MEDIUM: http: adjust close mode when switching to backend
+ + BUG/MINOR: config: don't propagate process binding on fatal errors.
+ + BUG/MEDIUM: check: rule-less tcp-check must detect connect failures
+ + BUG/MINOR: tcp-check: report the correct failed step in the status
+ + DOC: indicate that weight zero is reported as DRAIN
+ * Add a new patch (haproxy.service-set-killmode-to-mixed.patch) to fix the
+ systemctl stop action conflicting with the systemd wrapper now catching
+ SIGTERM.
+ * Bump standards to 3.9.6; no changes needed.
+ * haproxy-doc: link to tracker.debian.org instead of packages.qa.debian.org.
+ * d/copyright: move debian/dconv/* paragraph after debian/*, so that it
+ actually matches the files it is supposed to.
- -- Marc Deslauriers Mon, 06 Jul 2015 16:24:11 -0400
-
-haproxy (1.5.4-1ubuntu2) utopic; urgency=medium
-
- * debian/haproxy.init: Backport of vivid stop routine,
- uses start-stop-daemon to reliable terminate all haproxy processes
- and return the proper exit code. (LP: #1462495)
-
- -- Jorge Niedbalski Mon, 08 Jun 2015 15:52:13 -0500
-
-haproxy (1.5.4-1ubuntu1) utopic; urgency=medium
-
- * haproxy.init: return 0 on stop if haproxy was not running. (LP: #1038139)
-
- -- Serge Hallyn Tue, 23 Sep 2014 12:06:17 -0500
+ -- Apollon Oikonomopoulos Wed, 08 Oct 2014 12:34:53 +0300
haproxy (1.5.4-1) unstable; urgency=high
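Review bot: two typos in the 1.5.12-1 entry, 'patern' for 'pattern' and 'thefunction' for 'the function'; these quote upstream subjects, so match them to the CHANGELOG hunk at the top of this diff. More substantively, the three Ubuntu entries being removed (1.5.4-1ubuntu1, 1.5.4-1ubuntu2 and the 1.5.4-1ubuntu2.1 utopic-security upload) are the only record on this branch that CVE-2015-3281 shipped as a dedicated security update and that the init-script stop fix was tracked as LP: #1462495. The 1.5.14-1 entry does name the CVE, so the fix itself stays traceable, but the new top entry should state that it supersedes the 1.5.4-1ubuntu2.1 security update so that anyone auditing the trusty-backports history does not read the removed CVE patch as a regression.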
diff -Nru haproxy-1.5.4/debian/control haproxy-1.5.14/debian/control
--- haproxy-1.5.4/debian/control 2014-09-23 17:06:51.000000000 +0000
+++ haproxy-1.5.14/debian/control 2015-11-09 15:57:24.000000000 +0000
@@ -6,7 +6,7 @@
Uploaders: Apollon Oikonomopoulos ,
Prach Pongpanich ,
Vincent Bernat
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
Build-Depends: debhelper (>= 9), libpcre3-dev, libssl-dev,
dh-systemd (>= 1.5)
Build-Depends-Indep: python, python-mako
diff -Nru haproxy-1.5.4/debian/copyright haproxy-1.5.14/debian/copyright
--- haproxy-1.5.4/debian/copyright 2014-09-02 17:26:00.000000000 +0000
+++ haproxy-1.5.14/debian/copyright 2015-07-03 17:49:12.000000000 +0000
@@ -130,10 +130,6 @@
Copyright: Copyright 2007 Aleksandar Lazic
License: GPL-2+
-Files: debian/dconv/*
-Copyright: Copyright (C) 2012 Cyril Bonté
-License: Apache-2.0
-
Files: debian/*
Copyright: Copyright (C) 2007-2011, Arnaud Cornet
Copyright (C) 2011, Christo Buschek
@@ -141,6 +137,10 @@
Copyright (C) 2013-2014, Apollon Oikonomopoulos
Copyright (C) 2013, Vincent Bernat
License: GPL-2
+
+Files: debian/dconv/*
+Copyright: Copyright (C) 2012 Cyril Bonté
+License: Apache-2.0
License: GPL-2+
This program is free software; you can redistribute it
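Review bot: moving the `Files: debian/dconv/*` paragraph after `Files: debian/*` is a correctness fix, not a cosmetic one: in the machine-readable copyright format a later Files paragraph takes precedence for any file matched by more than one pattern, so in the old order the GPL-2 paragraph for `debian/*` silently overrode the Apache-2.0 attribution for the dconv files, which is exactly what the 1.5.5-1 changelog entry ('so that it actually matches the files it is supposed to') describes. Confirm that a blank line separates the added Apache-2.0 paragraph from the stand-alone `License: GPL-2+` paragraph that follows it; the context lines as displayed here do not show one, and without it the two would be parsed as a single paragraph.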
diff -Nru haproxy-1.5.4/debian/haproxy.cfg haproxy-1.5.14/debian/haproxy.cfg
--- haproxy-1.5.4/debian/haproxy.cfg 2014-09-02 17:26:00.000000000 +0000
+++ haproxy-1.5.14/debian/haproxy.cfg 2015-07-03 17:49:12.000000000 +0000
@@ -13,8 +13,10 @@
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL).
- ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
defaults
log global
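Review bot: the new cipher list drops RC4-SHA and the kRSA-first ordering in favour of ECDHE/DHE with AES-GCM, and `ssl-default-bind-options no-sslv3` closes the protocol fallback the old file left open; both are real hardening. Two follow-ups. First, the `DH+` suites only deliver meaningful forward secrecy when the DH parameters are large enough, and this file does not set `tune.ssl.default-dh-param` in the global section, so the effective DHE strength depends on HAProxy's built-in default; the 1.5.13 entries in this same diff ('fix tune.ssl.default-dh-param value being overwritten' and 'replace standards DH groups with custom ones') touch exactly that code path, which is a good reason to set the value explicitly. Second, the list still admits `ECDH+3DES`, `DH+3DES`, `RSA+3DES` and the non-forward-secret `RSA+AES` families as trailing fallbacks, and the options line does not add `no-tlsv10`; that is a defensible compatibility choice for a distribution default, but the comment above the directive should say the fallbacks are deliberate, so operators know what to remove once their client base allows it.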
diff -Nru haproxy-1.5.4/debian/haproxy.init haproxy-1.5.14/debian/haproxy.init
--- haproxy-1.5.4/debian/haproxy.init 2015-06-08 20:52:11.000000000 +0000
+++ haproxy-1.5.14/debian/haproxy.init 2015-11-09 15:50:02.000000000 +0000
@@ -1,8 +1,8 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: haproxy
-# Required-Start: $local_fs $network $remote_fs $syslog
-# Required-Stop: $local_fs $remote_fs $syslog
+# Required-Start: $local_fs $network $remote_fs $syslog $named
+# Required-Stop: $local_fs $remote_fs $syslog $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: fast and reliable load balancing reverse proxy
@@ -29,6 +29,13 @@
[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/lsb/init-functions
+tmp_pidfile=$(tempfile -s .haproxy.init)
+
+clean()
+{
+ rm -f $tmp_pidfile
+}
+trap clean EXIT
check_haproxy_config()
{
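Review bot: nothing checks that `tempfile` succeeded. `tmp_pidfile=$(tempfile -s .haproxy.init)` runs unconditionally when the script is sourced, so every action (`status`, `reload`, a usage error) creates and removes a temp file, which is harmless, but if `tempfile` fails (full or read-only /tmp) `$tmp_pidfile` is empty, `clean()` degrades to a bare `rm -f`, and the `echo $pid > $tmp_pidfile` in the stop loop below becomes a redirection to an empty name that fails with a shell error instead of a clear message. Suggest `tmp_pidfile=$(tempfile -s .haproxy.init) || exit 1` and quoting `"$tmp_pidfile"` in `clean()`. On the positive side, `tempfile` creates the file with mode 0600 under an unpredictable name, so the pid handoff to start-stop-daemon is not exposed to a pre-creation or symlink race in /tmp, and the EXIT trap ensures it is removed on every exit path.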
@@ -62,8 +69,9 @@
ret=0
for pid in $(cat $PIDFILE); do
- start-stop-daemon --quiet --oknodo --stop \
- --retry 5 --pid $pid --exec $HAPROXY || ret=$?
+ echo $pid > $tmp_pidfile
+ start-stop-daemon --quiet --oknodo --stop \
+ --retry 5 --pidfile $tmp_pidfile --exec $HAPROXY || ret=$?
done
[ $ret -eq 0 ] && rm -f $PIDFILE
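Review bot: the switch from `--pid $pid` to writing each pid into `$tmp_pidfile` and passing `--pidfile` is the portability change the top changelog entry describes ('easing backports to pre-systemd versions of Ubuntu', LP: #1477198, #1481737), since `--pid` is not understood by older start-stop-daemon releases. Keeping `--exec $HAPROXY` on the call is what matters for safety: it restricts the signal to a process whose executable is the haproxy binary, so a stale `$PIDFILE` whose pid has since been reused by an unrelated process is a no-op (with `--oknodo` also a success), rather than a signal to the wrong process. Quote `"$tmp_pidfile"` in both the redirection and the `--pidfile` argument for consistency with the rest of the script. Note that when any iteration fails, `ret` is non-zero and `$PIDFILE` is deliberately kept, so a partially failed stop leaves the pid file for the next attempt; that is the intended behaviour but worth a comment.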
diff -Nru haproxy-1.5.4/debian/patches/CVE-2015-3281.patch haproxy-1.5.14/debian/patches/CVE-2015-3281.patch
--- haproxy-1.5.4/debian/patches/CVE-2015-3281.patch 2015-07-06 20:24:08.000000000 +0000
+++ haproxy-1.5.14/debian/patches/CVE-2015-3281.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,138 +0,0 @@
-From: Willy Tarreau
-Date: Thu, 2 Jul 2015 10:50:23 +0000 (+0200)
-Subject: BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
-X-Git-Tag: v1.5.14~1
-X-Git-Url: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff_plain;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4;hp=6de4c2fbaf8b8dc72959a1fd6c51bd0f3aa8204d
-
-BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
-
-The function buffer_slow_realign() was initially designed for requests
-only and did not consider pending outgoing data. This causes a problem
-when called on responses where data remain in the buffer, which may
-happen with pipelined requests when the client is slow to read data.
-
-The user-visible effect is that if less than bytes are
-present in the buffer from a previous response and these bytes cross
-the boundary close to the end of the buffer, then a new
-response will cause a realign and will destroy these pending data and
-move the pointer to what's believed to contain pending output data.
-Thus the client receives the crap that lies in the buffer instead of
-the original output bytes.
-
-This new implementation now properly realigns everything including the
-outgoing data which are moved to the end of the buffer while the input
-data are moved to the beginning.
-
-This implementation still uses a buffer-to-buffer copy which is not
-optimal in terms of performance and which should be replaced by a
-buffer switch later.
-
-Prior to this patch, the following script would return different hashes
-on each round when run from a 100 Mbps-connected machine :
-
- i=0
- while usleep 100000; do
- echo round $((i++))
- set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum)
- if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi
- done
-
-The file contains 1000 times this request with "Connection: close" on the
-last one :
-
- GET /?s=5k&R=1 HTTP/1.1
-
-The config is very simple :
-
- global
- tune.bufsize 16384
- tune.maxrewrite 8192
-
- defaults
- mode http
- timeout client 10s
- timeout server 5s
- timeout connect 3s
-
- listen px
- bind :8001
- option http-server-close
- server s1 127.0.0.1:8000
-
-And httpterm-1.7.2 is used as the server on port 8000.
-
-After the fix, 1 million requests were sent and all returned the same
-contents.
-
-Many thanks to Charlie Smurthwaite of atechmedia.com for his precious
-help on this issue, which would not have been diagnosed without his
-very detailed traces and numerous tests.
-
-The patch must be backported to 1.5 which is where the bug was introduced.
-(cherry picked from commit 27187ab56a2f1104818c2f21c5139c1edd8b838f)
----
-
-Index: haproxy-1.5.4/src/buffer.c
-===================================================================
---- haproxy-1.5.4.orig/src/buffer.c 2015-07-06 16:24:06.218642978 -0400
-+++ haproxy-1.5.4/src/buffer.c 2015-07-06 16:24:06.218642978 -0400
-@@ -102,30 +102,39 @@
- return delta;
- }
-
--/* This function realigns input data in a possibly wrapping buffer so that it
-- * becomes contiguous and starts at the beginning of the buffer area. The
-- * function may only be used when the buffer's output is empty.
-+/* This function realigns a possibly wrapping buffer so that the input part is
-+ * contiguous and starts at the beginning of the buffer and the output part
-+ * ends at the end of the buffer. This provides the best conditions since it
-+ * allows the largest inputs to be processed at once and ensures that once the
-+ * output data leaves, the whole buffer is available at once.
- */
- void buffer_slow_realign(struct buffer *buf)
- {
-- /* two possible cases :
-- * - the buffer is in one contiguous block, we move it in-place
-- * - the buffer is in two blocks, we move it via the swap_buffer
-- */
-- if (buf->i) {
-- int block1 = buf->i;
-- int block2 = 0;
-- if (buf->p + buf->i > buf->data + buf->size) {
-- /* non-contiguous block */
-- block1 = buf->data + buf->size - buf->p;
-- block2 = buf->p + buf->i - (buf->data + buf->size);
-- }
-- if (block2)
-- memcpy(swap_buffer, buf->data, block2);
-- memmove(buf->data, buf->p, block1);
-- if (block2)
-- memcpy(buf->data + block1, swap_buffer, block2);
-+ int block1 = buf->o;
-+ int block2 = 0;
-+
-+ /* process output data in two steps to cover wrapping */
-+ if (block1 > buf->p - buf->data) {
-+ block2 = buf->p - buf->data;
-+ block1 -= block2;
- }
-+ memcpy(swap_buffer + buf->size - buf->o, bo_ptr(buf), block1);
-+ memcpy(swap_buffer + buf->size - block2, buf->data, block2);
-+
-+ /* process input data in two steps to cover wrapping */
-+ block1 = buf->i;
-+ block2 = 0;
-+
-+ if (block1 > buf->data + buf->size - buf->p) {
-+ block1 = buf->data + buf->size - buf->p;
-+ block2 = buf->i - block1;
-+ }
-+ memcpy(swap_buffer, bi_ptr(buf), block1);
-+ memcpy(swap_buffer + block1, buf->data, block2);
-+
-+ /* reinject changes into the buffer */
-+ memcpy(buf->data, swap_buffer, buf->i);
-+ memcpy(buf->data + buf->size - buf->o, swap_buffer + buf->size - buf->o, buf->o);
-
- buf->p = buf->data;
- }
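Review bot: dropping debian/patches/CVE-2015-3281.patch is correct, because the same upstream commit ('BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data', X-Git-Tag v1.5.14~1) is listed under 1.5.14 in the CHANGELOG hunk at the top of this diff and keeping the patch would make it fail to apply; confirm that the matching line was also removed from debian/patches/series, which this excerpt does not show. For anyone triaging the CVE from the package side, the removed patch text is the clearest description available: the old buffer_slow_realign() moved only the input part (`buf->i`) to the start of the buffer and assumed there was no pending output (`buf->o`), so when it ran on a response buffer that still held unsent output, that output was overwritten and, in the commit's words, the client received what lay in the buffer instead of the original bytes, which is the information leak. The replacement copies the output to the tail of swap_buffer (`swap_buffer + buf->size - buf->o`) and the input to its head, each in two memcpy steps to handle wrapping, then reinjects both, so after `buf->p = buf->data` the `buf->o` output bytes sit validly at the end of the buffer. The commit message itself flags the residual cost: this is still a full buffer-to-buffer copy rather than a buffer swap, so frequent realigns with a large tune.bufsize are a CPU cost to keep in mind when tuning.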
diff -Nru haproxy-1.5.4/debian/patches/debianize-dconv.patch haproxy-1.5.14/debian/patches/debianize-dconv.patch
--- haproxy-1.5.4/debian/patches/debianize-dconv.patch 2014-09-02 17:26:00.000000000 +0000
+++ haproxy-1.5.14/debian/patches/debianize-dconv.patch 2015-07-03 17:49:12.000000000 +0000
@@ -1,12 +1,19 @@
-Author: Apollon Oikonomopoulos
-Date: Sun Apr 27 11:56:44 2014 +0300
+From 90b0c858804a61a34e2c2ff82eaeea89561792e3 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos
+Date: Wed, 29 Apr 2015 13:51:49 +0300
+Subject: [PATCH] dconv: debianize
- dconv: debianize
-
- - Use Debian bootstrap and jquery packages
- - Add Debian-related resources to the template
- - Use the package's version instead of HAProxy's git version
- - Move all assets under static/
+ - Use Debian bootstrap and jquery packages
+ - Add Debian-related resources to the template
+ - Use the package's version instead of HAProxy's git version
+ - Move all assets under static/
+ - Strip the conversion date from the output to ensure reproducible
+ build.
+---
+ debian/dconv/haproxy-dconv.py | 20 +++++++------
+ debian/dconv/templates/parser/table/row.tpl | 6 ++--
+ debian/dconv/templates/template.html | 44 +++++++++--------------------
+ 3 files changed, 27 insertions(+), 43 deletions(-)
diff --git a/debian/dconv/haproxy-dconv.py b/debian/dconv/haproxy-dconv.py
index a43907c..3185b94 100755
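Review bot: the new bullet 'Strip the conversion date from the output to ensure reproducible build' is the substantive change in this header rewrite and corresponds to the `Converted with haproxy-dconv` hunk further down, which drops `${date}` (and, earlier, `v${version}`) from the generated HTML; embedding the build time is a classic reproducible-builds blocker, so the fix is right, but the subject still reads 'dconv: debianize' while the patch now also changes generated output, and a separate 'dconv: reproducible output' entry would make its purpose clearer in the series. The diffstat lines (`3 files changed, 27 insertions(+), 43 deletions(-)`) come from git format-patch; quilt ignores them, but they go stale on every refresh, so either keep them accurate or drop them.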
@@ -93,7 +100,7 @@
style = "class=\"pagination-centered\""
data = ' '
diff --git a/debian/dconv/templates/template.html b/debian/dconv/templates/template.html
-index 21e6ff2..abf5488 100644
+index 21e6ff2..9372808 100644
--- a/debian/dconv/templates/template.html
+++ b/debian/dconv/templates/template.html
@@ -3,44 +3,27 @@
@@ -144,7 +151,7 @@
-
+ Bug Tracking System
+ Package page
-+ Package Tracking System
++ Package Tracking System
+
+ Package Git Repository
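Review bot: the `Package Tracking System` lines look identical here because the link attributes were lost in extraction; per the 1.5.5-1 changelog entry ('haproxy-doc: link to tracker.debian.org instead of packages.qa.debian.org') the only change is the target href, which is the correct replacement since packages.qa.debian.org was retired in favour of tracker.debian.org.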
@@ -155,7 +162,7 @@
- Converted with haproxy-dconv v${version} on ${date}
-+ Converted with haproxy-dconv on ${date}
++ Converted with haproxy-dconv
@@ -181,3 +188,6 @@