diff -Nru haproxy-1.5.4/CHANGELOG haproxy-1.5.14/CHANGELOG --- haproxy-1.5.4/CHANGELOG 2014-09-02 11:54:16.000000000 +0000 +++ haproxy-1.5.14/CHANGELOG 2015-07-03 15:35:11.000000000 +0000 
@@ -1,6 +1,174 @@ ChangeLog : =========== +2015/07/03 : 1.5.14 + - BUILD/MINOR: tools: rename popcount to my_popcountl + - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data + +2015/06/26 : 1.5.13 + - BUG/MINOR: check: fix tcpcheck error message + - CLEANUP: deinit: remove codes for cleaning p->block_rules + - DOC: Update doc about weight, act and bck fields in the statistics + - MINOR: ssl: add a destructor to free allocated SSL ressources + - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten + - MEDIUM: ssl: replace standards DH groups with custom ones + - BUG/MINOR: debug: display (null) in place of "meth" + - BUG/MINOR: cfgparse: fix typo in 'option httplog' error message + - BUG/MEDIUM: cfgparse: segfault when userlist is misused + - BUG/MEDIUM: stats: properly initialize the scope before dumping stats + - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels + - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks + - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end + - CLEANUP: checks: simplify the loop processing of tcp-checks + - BUG/MAJOR: checks: always check for end of list before proceeding + - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct + - BUG/MEDIUM: peers: apply a random reconnection timeout + - BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id + - MEDIUM: init: don't stop proxies in parent process when exiting + - MINOR: peers: store the pointer to the signal handler + - MEDIUM: peers: unregister peers that were never started + - MEDIUM: config: propagate the table's process list to the peers sections + - MEDIUM: init: stop any peers section not bound to the correct process + - MEDIUM: config: validate that peers sections are bound to exactly one process + - MAJOR: peers: allow peers section to be used with nbproc > 1 + - DOC: relax the peers restriction to single-process + - CLEANUP: config: fix misleading 
information in error message. + - MINOR: config: report the number of processes using a peers section in the error case + - BUG/MEDIUM: config: properly compute the default number of processes for a proxy + +2015/05/02 : 1.5.12 + - BUG/MINOR: ssl: Display correct filename in error message + - DOC: Fix L4TOUT typo in documentation + - BUG/MEDIUM: Do not consider an agent check as failed on L7 error + - BUG/MINOR: pattern: error message missing + - BUG/MEDIUM: pattern: some entries are not deleted with case insensitive match + - BUG/MEDIUM: buffer: one byte miss in buffer free space check + - BUG/MAJOR: http: don't read past buffer's end in http_replace_value + - BUG/MEDIUM: http: the function "(req|res)-replace-value" doesn't respect the HTTP syntax + - BUG/MEDIUM: peers: correctly configure the client timeout + - BUG/MINOR: compression: consider the expansion factor in init + - BUG/MEDIUM: http: hdr_cnt would not count any header when called without name + - BUG/MEDIUM: listener: don't report an error when resuming unbound listeners + - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only + - BUG/MEDIUM: stream-int: always reset si->ops when si->end is nullified + - BUG/MEDIUM: http: remove content-length from chunked messages + - DOC: http: update the comments about the rules for determining transfer-length + - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to HTTP/1.1 + - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad request + - BUG/MEDIUM: http: remove content-length form responses with bad transfer-encoding + - MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230 + - MEDIUM: http: add option-ignore-probes to get rid of the floods of 408 + - BUG/MINOR: config: clear proxy->table.peers.p for disabled proxies + - MINOR: stick-table: don't attach to peers in stopped state + - MEDIUM: config: initialize stick-tables after peers, not before + - MEDIUM: peers: add the ability to disable a peers 
section + - DOC: document option http-ignore-probes + - DOC: fix the comments about the meaning of msg->sol in HTTP + - BUG/MEDIUM: http: wait for the exact amount of body bytes in wait_for_request_body + - BUG/MAJOR: http: prevent risk of reading past end with balance url_param + - DOC: update the doc on the proxy protocol + +2015/02/01 : 1.5.11 + - BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used + - MINOR: ssl: load certificates in alphabetical order + - BUG/MINOR: checks: prevent http keep-alive with http-check expect + - BUG/MEDIUM: Do not set agent health to zero if server is disabled in config + - MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent health is zero + - BUG/MINOR: stats:Fix incorrect printf type. + - DOC: add missing entry for log-format and clarify the text + - BUG/MEDIUM: http: fix header removal when previous header ends with pure LF + - BUG/MEDIUM: channel: fix possible integer overflow on reserved size computation + - BUG/MINOR: channel: compare to_forward with buf->i, not buf->size + - MINOR: channel: add channel_in_transit() + - MEDIUM: channel: make buffer_reserved() use channel_in_transit() + - MEDIUM: channel: make bi_avail() use channel_in_transit() + - BUG/MEDIUM: channel: don't schedule data in transit for leaving until connected + - BUG/MAJOR: log: don't try to emit a log if no logger is set + - BUG/MINOR: args: add missing entry for ARGT_MAP in arg_type_names + - BUG/MEDIUM: http: make http-request set-header compute the string before removal + - BUG/MINOR: http: fix incorrect header value offset in replace-hdr/replace-value + - BUG/MINOR: http: abort request processing on filter failure + +2014/12/31 : 1.5.10 + - DOC: fix a few typos + - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized" + - BUG/MINOR: parse: refer curproxy instead of proxy + - DOC: httplog does not support 'no' + - MINOR: map/acl/dumpstats: remove the "Done." 
message + - BUG/MEDIUM: sample: fix random number upper-bound + - BUG/MEDIUM: patterns: previous fix was incomplete + - BUG/MEDIUM: payload: ensure that a request channel is available + - BUG/MINOR: tcp-check: don't condition data polling on check type + - BUG/MEDIUM: tcp-check: don't rely on random memory contents + - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect + - BUG/MINOR: config: fix typo in condition when propagating process binding + - BUG/MEDIUM: config: do not propagate processes between stopped processes + - BUG/MAJOR: stream-int: properly check the memory allocation return + - BUG/MEDIUM: memory: fix freeing logic in pool_gc2() + - BUG/MEDIUM: compression: correctly report zlib_mem + +2014/11/26 : 1.5.9 + - BUILD: fix "make install" to support spaces in the install dirs + - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks + - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. + - BUG/MINOR: samples: fix unnecessary memcopy converting binary to string. + - BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information + - BUG/MEDIUM: pattern: don't load more than once a pattern list. 
+ - BUG/MEDIUM: ssl: force a full GC in case of memory shortage + - BUG/MINOR: config: don't inherit the default balance algorithm in frontends + - BUG/MAJOR: frontend: initialize capture pointers earlier + - BUG/MINOR: stats: correctly set the request/response analysers + - DOC: fix typo in the body parser documentation for msg.sov + - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not trash.size + - MINOR: sample: add a few basic internal fetches (nbproc, proc, stopping) + - BUG/MAJOR: sessions: unlink session from list on out of memory + +2014/10/31 : 1.5.8 + - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped + - BUG/BUILD: revert accidental change in the makefile from latest SSL fix + +2014/10/30 : 1.5.7 + - BUG/MEDIUM: regex: fix pcre_study error handling + - BUG/MINOR: log: fix request flags when keep-alive is enabled + - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs + - MINOR: ssl: add statement to force some ssl options in global. + - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates + - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR + - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error + - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol + - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets + +2014/10/18 : 1.5.6 + - BUG/MEDIUM: systemd: set KillMode to 'mixed' + - MINOR: systemd: Check configuration before start + - BUG/MEDIUM: config: avoid skipping disabled proxies + - BUG/MINOR: config: do not accept more track-sc than configured + - BUG/MEDIUM: backend: fix URI hash when a query string is present + +2014/10/08 : 1.5.5 + - DOC: Address issue where documentation is excluded due to a gitignore rule. + - MEDIUM: Improve signal handling in systemd wrapper. 
+ - BUG/MINOR: config: don't propagate process binding for dynamic use_backend + - MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper + - DOC: clearly state that the "show sess" output format is not fixed + - MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer() + - DOC: indicate in the doc that track-sc* can wait if data are missing + - MEDIUM: http: enable header manipulation for 101 responses + - BUG/MEDIUM: config: propagate frontend to backend process binding again. + - MEDIUM: config: properly propagate process binding between proxies + - MEDIUM: config: make the frontends automatically bind to the listeners' processes + - MEDIUM: config: compute the exact bind-process before listener's maxaccept + - MEDIUM: config: only warn if stats are attached to multi-process bind directives + - MEDIUM: config: report it when tcp-request rules are misplaced + - MINOR: config: detect the case where a tcp-request content rule has no inspect-delay + - MEDIUM: systemd-wrapper: support multiple executable versions and names + - BUG/MEDIUM: remove debugging code from systemd-wrapper + - BUG/MEDIUM: http: adjust close mode when switching to backend + - BUG/MINOR: config: don't propagate process binding on fatal errors. + - BUG/MEDIUM: check: rule-less tcp-check must detect connect failures + - BUG/MINOR: tcp-check: report the correct failed step in the status + - DOC: indicate that weight zero is reported as DRAIN + 2014/09/02 : 1.5.4 - BUG: config: error in http-response replace-header number of arguments - BUG/MINOR: Fix search for -p argument in systemd wrapper. diff -Nru haproxy-1.5.4/contrib/systemd/haproxy.service.in haproxy-1.5.14/contrib/systemd/haproxy.service.in --- haproxy-1.5.4/contrib/systemd/haproxy.service.in 2014-09-02 11:54:16.000000000 +0000 +++ haproxy-1.5.14/contrib/systemd/haproxy.service.in 2015-07-03 15:35:11.000000000 +0000 
@@ -3,8 +3,10 @@ After=network.target [Service] +ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid ExecReload=/bin/kill -USR2 $MAINPID +KillMode=mixed Restart=always [Install] diff -Nru haproxy-1.5.4/debian/changelog haproxy-1.5.14/debian/changelog --- haproxy-1.5.4/debian/changelog 2015-08-23 18:45:27.000000000 +0000 +++ haproxy-1.5.14/debian/changelog 2016-02-08 15:09:20.000000000 +0000 
@@ -1,31 +1,251 @@ -haproxy (1.5.4-1ubuntu2.1~ubuntu14.04.1) trusty-backports; urgency=medium +haproxy (1.5.14-1ubuntu0.15.10.1~ubuntu14.04.1) trusty-backports; urgency=medium - * No-change backport to trusty (LP: #1473162) + * No-change backport to trusty (LP: #1494141) - -- Micah Gersten Sun, 23 Aug 2015 13:45:27 -0500 + -- Iain Lane Mon, 08 Feb 2016 15:09:20 +0000 -haproxy (1.5.4-1ubuntu2.1) utopic-security; urgency=medium +haproxy (1.5.14-1ubuntu0.15.10.1) wily; urgency=medium - * SECURITY UPDATE: information disclosure via uninitialized memory - - debian/patches/CVE-2015-3281.patch: respect output data in - src/buffer.c. - - CVE-2015-3281 + * Ensure that haproxy processes are terminated correctly when executing + stop/restart operations, easing backports to pre-systemd versions of + Ubuntu (LP: #1477198, #1481737). + + -- James Page Mon, 09 Nov 2015 16:51:46 +0000 + +haproxy (1.5.14-1) unstable; urgency=high + + * New upstream version. Fix an information leak (CVE-2015-3281): + - BUG/MAJOR: buffers: make the buffer_slow_realign() function + respect output data. + * Add $named as a dependency for init script. Closes: #790638. 
+ + -- Vincent Bernat Fri, 03 Jul 2015 19:49:02 +0200 + +haproxy (1.5.13-1) unstable; urgency=medium + + * New upstream stable release including the following fixes: + - MAJOR: peers: allow peers section to be used with nbproc > 1 + - BUG/MAJOR: checks: always check for end of list before proceeding + - MEDIUM: ssl: replace standards DH groups with custom ones + - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten + - BUG/MEDIUM: cfgparse: segfault when userlist is misused + - BUG/MEDIUM: stats: properly initialize the scope before dumping stats + - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER + except for tunnels + - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end + - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct + - BUG/MEDIUM: peers: apply a random reconnection timeout + - BUG/MEDIUM: config: properly compute the default number of processes + for a proxy + + -- Vincent Bernat Sat, 27 Jun 2015 20:52:07 +0200 + +haproxy (1.5.12-1) unstable; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: http: don't read past buffer's end in http_replace_value + - BUG/MAJOR: http: prevent risk of reading past end with balance + url_param + - BUG/MEDIUM: Do not consider an agent check as failed on L7 error + - BUG/MEDIUM: patern: some entries are not deleted with case + insensitive match + - BUG/MEDIUM: buffer: one byte miss in buffer free space check + - BUG/MEDIUM: http: thefunction "(req|res)-replace-value" doesn't + respect the HTTP syntax + - BUG/MEDIUM: peers: correctly configure the client timeout + - BUG/MEDIUM: http: hdr_cnt would not count any header when called + without name + - BUG/MEDIUM: listener: don't report an error when resuming unbound + listeners + - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only + - BUG/MEDIUM: stream-int: always reset si->ops when si->end is + nullified + - BUG/MEDIUM: http: remove 
content-length from chunked messages + - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to + HTTP/1.1 + - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad + request + - BUG/MEDIUM: http: remove content-length form responses with bad + transfer-encoding + - BUG/MEDIUM: http: wait for the exact amount of body bytes in + wait_for_request_body + + -- Vincent Bernat Sat, 02 May 2015 16:38:28 +0200 + +haproxy (1.5.11-2) unstable; urgency=medium + + * Upload to unstable. + + -- Vincent Bernat Sun, 26 Apr 2015 17:46:58 +0200 + +haproxy (1.5.11-1) experimental; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: log: don't try to emit a log if no logger is set + - BUG/MEDIUM: backend: correctly detect the domain when + use_domain_only is used + - BUG/MEDIUM: Do not set agent health to zero if server is disabled + in config + - BUG/MEDIUM: Only explicitly report "DOWN (agent)" if the agent health + is zero + - BUG/MEDIUM: http: fix header removal when previous header ends with + pure LF + - BUG/MEDIUM: channel: fix possible integer overflow on reserved size + computation + - BUG/MEDIUM: channel: don't schedule data in transit for leaving until + connected + - BUG/MEDIUM: http: make http-request set-header compute the string + before removal + * Upload to experimental. 
+ + -- Vincent Bernat Sun, 01 Feb 2015 09:22:27 +0100 + +haproxy (1.5.10-1) experimental; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: stream-int: properly check the memory allocation return + - BUG/MEDIUM: sample: fix random number upper-bound + - BUG/MEDIUM: patterns: previous fix was incomplete + - BUG/MEDIUM: payload: ensure that a request channel is available + - BUG/MEDIUM: tcp-check: don't rely on random memory contents + - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect + - BUG/MEDIUM: config: do not propagate processes between stopped + processes + - BUG/MEDIUM: memory: fix freeing logic in pool_gc2() + - BUG/MEDIUM: compression: correctly report zlib_mem + * Upload to experimental. + + -- Vincent Bernat Sun, 04 Jan 2015 13:17:56 +0100 + +haproxy (1.5.9-1) experimental; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: sessions: unlink session from list on out + of memory + - BUG/MEDIUM: pattern: don't load more than once a pattern + list. + - BUG/MEDIUM: connection: sanitize PPv2 header length before + parsing address information + - BUG/MAJOR: frontend: initialize capture pointers earlier + - BUG/MEDIUM: checks: fix conflicts between agent checks and + ssl healthchecks + - BUG/MEDIUM: ssl: force a full GC in case of memory shortage + - BUG/MEDIUM: ssl: fix bad ssl context init can cause + segfault in case of OOM. + * Upload to experimental. + + -- Vincent Bernat Sun, 07 Dec 2014 16:37:36 +0100 + +haproxy (1.5.8-3) unstable; urgency=medium + + * Remove RC4 from the default cipher string shipped in configuration. + + -- Vincent Bernat Fri, 27 Feb 2015 11:29:23 +0100 + +haproxy (1.5.8-2) unstable; urgency=medium + + * Cherry-pick the following patches from 1.5.9 release: + - 8a0b93bde77e BUG/MAJOR: sessions: unlink session from list on out + of memory + - bae03eaad40a BUG/MEDIUM: pattern: don't load more than once a pattern + list. 
+ - 93637b6e8503 BUG/MEDIUM: connection: sanitize PPv2 header length before + parsing address information + - 8ba50128832b BUG/MAJOR: frontend: initialize capture pointers earlier + - 1f96a87c4e14 BUG/MEDIUM: checks: fix conflicts between agent checks and + ssl healthchecks + - 9bcc01ae2598 BUG/MEDIUM: ssl: force a full GC in case of memory shortage + - 909514970089 BUG/MEDIUM: ssl: fix bad ssl context init can cause + segfault in case of OOM. + * Cherry-pick the following patches from future 1.5.10 release: + - 1e89acb6be9b BUG/MEDIUM: payload: ensure that a request channel is + available + - bad3c6f1b6d7 BUG/MEDIUM: patterns: previous fix was incomplete + + -- Vincent Bernat Sun, 07 Dec 2014 11:11:21 +0100 + +haproxy (1.5.8-1) unstable; urgency=medium + + * New upstream stable release including the following fixes: + + + BUG/MAJOR: buffer: check the space left is enough or not when input + data in a buffer is wrapped + + BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates + + BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets + + BUG/MEDIUM: regex: fix pcre_study error handling + + BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol + + BUG/MINOR: log: fix request flags when keep-alive is enabled + + BUG/MAJOR: cli: explicitly call cli_release_handler() upon error + + BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR + * Also includes the following new features: + + MINOR: ssl: add statement to force some ssl options in global. + + MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER + formatted certs + * Disable SSLv3 in the default configuration file. 
+ + -- Vincent Bernat Fri, 31 Oct 2014 13:48:19 +0100 + +haproxy (1.5.6-1) unstable; urgency=medium + + * New upstream stable release including the following fixes: + + BUG/MEDIUM: systemd: set KillMode to 'mixed' + + MINOR: systemd: Check configuration before start + + BUG/MEDIUM: config: avoid skipping disabled proxies + + BUG/MINOR: config: do not accept more track-sc than configured + + BUG/MEDIUM: backend: fix URI hash when a query string is present + * Drop systemd patches: + + haproxy.service-also-check-on-start.patch + + haproxy.service-set-killmode-to-mixed.patch + * Refresh other patches. + + -- Vincent Bernat Mon, 20 Oct 2014 18:10:21 +0200 + +haproxy (1.5.5-1) unstable; urgency=medium + + [ Vincent Bernat ] + * initscript: use start-stop-daemon to reliably terminate all haproxy + processes. Also treat stopping a non-running haproxy as success. + (Closes: #762608, LP: #1038139) + + [ Apollon Oikonomopoulos ] + * New upstream stable release including the following fixes: + + DOC: Address issue where documentation is excluded due to a gitignore + rule. + + MEDIUM: Improve signal handling in systemd wrapper. + + BUG/MINOR: config: don't propagate process binding for dynamic + use_backend + + MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper + + DOC: clearly state that the "show sess" output format is not fixed + + MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer() + + DOC: indicate in the doc that track-sc* can wait if data are missing + + MEDIUM: http: enable header manipulation for 101 responses + + BUG/MEDIUM: config: propagate frontend to backend process binding again. 
+ + MEDIUM: config: properly propagate process binding between proxies + + MEDIUM: config: make the frontends automatically bind to the listeners' + processes + + MEDIUM: config: compute the exact bind-process before listener's + maxaccept + + MEDIUM: config: only warn if stats are attached to multi-process bind + directives + + MEDIUM: config: report it when tcp-request rules are misplaced + + MINOR: config: detect the case where a tcp-request content rule has no + inspect-delay + + MEDIUM: systemd-wrapper: support multiple executable versions and names + + BUG/MEDIUM: remove debugging code from systemd-wrapper + + BUG/MEDIUM: http: adjust close mode when switching to backend + + BUG/MINOR: config: don't propagate process binding on fatal errors. + + BUG/MEDIUM: check: rule-less tcp-check must detect connect failures + + BUG/MINOR: tcp-check: report the correct failed step in the status + + DOC: indicate that weight zero is reported as DRAIN + * Add a new patch (haproxy.service-set-killmode-to-mixed.patch) to fix the + systemctl stop action conflicting with the systemd wrapper now catching + SIGTERM. + * Bump standards to 3.9.6; no changes needed. + * haproxy-doc: link to tracker.debian.org instead of packages.qa.debian.org. + * d/copyright: move debian/dconv/* paragraph after debian/*, so that it + actually matches the files it is supposed to. - -- Marc Deslauriers Mon, 06 Jul 2015 16:24:11 -0400 - -haproxy (1.5.4-1ubuntu2) utopic; urgency=medium - - * debian/haproxy.init: Backport of vivid stop routine, - uses start-stop-daemon to reliable terminate all haproxy processes - and return the proper exit code. (LP: #1462495) - - -- Jorge Niedbalski Mon, 08 Jun 2015 15:52:13 -0500 - -haproxy (1.5.4-1ubuntu1) utopic; urgency=medium - - * haproxy.init: return 0 on stop if haproxy was not running. 
(LP: #1038139) - - -- Serge Hallyn Tue, 23 Sep 2014 12:06:17 -0500 + -- Apollon Oikonomopoulos Wed, 08 Oct 2014 12:34:53 +0300 haproxy (1.5.4-1) unstable; urgency=high diff -Nru haproxy-1.5.4/debian/control haproxy-1.5.14/debian/control --- haproxy-1.5.4/debian/control 2014-09-23 17:06:51.000000000 +0000 +++ haproxy-1.5.14/debian/control 2015-11-09 15:57:24.000000000 +0000 @@ -6,7 +6,7 @@ Uploaders: Apollon Oikonomopoulos , Prach Pongpanich , Vincent Bernat -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Build-Depends: debhelper (>= 9), libpcre3-dev, libssl-dev, dh-systemd (>= 1.5) Build-Depends-Indep: python, python-mako diff -Nru haproxy-1.5.4/debian/copyright haproxy-1.5.14/debian/copyright --- haproxy-1.5.4/debian/copyright 2014-09-02 17:26:00.000000000 +0000 +++ haproxy-1.5.14/debian/copyright 2015-07-03 17:49:12.000000000 +0000 @@ -130,10 +130,6 @@ Copyright: Copyright 2007 Aleksandar Lazic License: GPL-2+ -Files: debian/dconv/* -Copyright: Copyright (C) 2012 Cyril Bonté -License: Apache-2.0 - Files: debian/* Copyright: Copyright (C) 2007-2011, Arnaud Cornet Copyright (C) 2011, Christo Buschek @@ -141,6 +137,10 @@ Copyright (C) 2013-2014, Apollon Oikonomopoulos Copyright (C) 2013, Vincent Bernat License: GPL-2 + +Files: debian/dconv/* +Copyright: Copyright (C) 2012 Cyril Bonté +License: Apache-2.0 License: GPL-2+ This program is free software; you can redistribute it diff -Nru haproxy-1.5.4/debian/haproxy.cfg haproxy-1.5.14/debian/haproxy.cfg --- haproxy-1.5.4/debian/haproxy.cfg 2014-09-02 17:26:00.000000000 +0000 +++ haproxy-1.5.14/debian/haproxy.cfg 2015-07-03 17:49:12.000000000 +0000 
@@ -13,8 +13,10 @@ crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. - # For more information, see ciphers(1SSL). - ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 defaults log global diff -Nru haproxy-1.5.4/debian/haproxy.init haproxy-1.5.14/debian/haproxy.init --- haproxy-1.5.4/debian/haproxy.init 2015-06-08 20:52:11.000000000 +0000 +++ haproxy-1.5.14/debian/haproxy.init 2015-11-09 15:50:02.000000000 +0000 @@ -1,8 +1,8 @@ #!/bin/sh ### BEGIN INIT INFO # Provides: haproxy -# Required-Start: $local_fs $network $remote_fs $syslog -# Required-Stop: $local_fs $remote_fs $syslog +# Required-Start: $local_fs $network $remote_fs $syslog $named +# Required-Stop: $local_fs $remote_fs $syslog $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: fast and reliable load balancing reverse proxy @@ -29,6 +29,13 @@ [ -f /etc/default/rcS ] && . /etc/default/rcS . /lib/lsb/init-functions +tmp_pidfile=$(tempfile -s .haproxy.init) + +clean() +{ + rm -f $tmp_pidfile +} +trap clean EXIT check_haproxy_config() { 
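Review bot: the new ssl-default-bind-ciphers list in debian/haproxy.cfg enables the DH+AESGCM and DH+AES256 suites that the old list excluded with !kEDH, but the global section still sets no tune.ssl.default-dh-param, so 1.5.x falls back to its 1024-bit default for ephemeral DH (and warns about it at startup); add `tune.ssl.default-dh-param 2048` next to `ssl-default-bind-options no-sslv3`. `no-sslv3` as written applies only to bind lines; backends that speak SSL to their servers need a matching `ssl-default-server-options no-sslv3`. The three 3DES entries (ECDH+3DES, DH+3DES, RSA+3DES) are the weakest suites left in the list and exist only for legacy clients; a deployment that does not need them should drop them.

Review bot: in the haproxy.init hunk at -29, `tmp_pidfile=$(tempfile -s .haproxy.init)` runs at script load, so every action (start, status, reload, check) creates and then removes a temp file it never uses; creating it inside the stop path keeps the side effect where it is needed, and also means a failing `tempfile` (which would leave `$tmp_pidfile` empty and make the later `echo $pid > $tmp_pidfile` fail) cannot break unrelated actions. `tempfile` comes from debianutils, which is acceptable for a Debian/Ubuntu init script. Quote the variable in `clean()` (`rm -f "$tmp_pidfile"`).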
@@ -62,8 +69,9 @@ ret=0 for pid in $(cat $PIDFILE); do - start-stop-daemon --quiet --oknodo --stop \ - --retry 5 --pid $pid --exec $HAPROXY || ret=$? + echo $pid > $tmp_pidfile + start-stop-daemon --quiet --oknodo --stop \ + --retry 5 --pidfile $tmp_pidfile --exec $HAPROXY || ret=$? done [ $ret -eq 0 ] && rm -f $PIDFILE diff -Nru haproxy-1.5.4/debian/patches/CVE-2015-3281.patch haproxy-1.5.14/debian/patches/CVE-2015-3281.patch --- haproxy-1.5.4/debian/patches/CVE-2015-3281.patch 2015-07-06 20:24:08.000000000 +0000 +++ haproxy-1.5.14/debian/patches/CVE-2015-3281.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,138 +0,0 @@ -From: Willy Tarreau -Date: Thu, 2 Jul 2015 10:50:23 +0000 (+0200) -Subject: BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data -X-Git-Tag: v1.5.14~1 -X-Git-Url: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff_plain;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4;hp=6de4c2fbaf8b8dc72959a1fd6c51bd0f3aa8204d - -BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data - -The function buffer_slow_realign() was initially designed for requests -only and did not consider pending outgoing data. This causes a problem -when called on responses where data remain in the buffer, which may -happen with pipelined requests when the client is slow to read data. - -The user-visible effect is that if less than bytes are -present in the buffer from a previous response and these bytes cross -the boundary close to the end of the buffer, then a new -response will cause a realign and will destroy these pending data and -move the pointer to what's believed to contain pending output data. -Thus the client receives the crap that lies in the buffer instead of -the original output bytes. - -This new implementation now properly realigns everything including the -outgoing data which are moved to the end of the buffer while the input -data are moved to the beginning. - -This implementation still uses a buffer-to-buffer copy which is not -optimal in terms of performance and which should be replaced by a -buffer switch later. 
- -Prior to this patch, the following script would return different hashes -on each round when run from a 100 Mbps-connected machine : - - i=0 - while usleep 100000; do - echo round $((i++)) - set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum) - if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi - done - -The file contains 1000 times this request with "Connection: close" on the -last one : - - GET /?s=5k&R=1 HTTP/1.1 - -The config is very simple : - - global - tune.bufsize 16384 - tune.maxrewrite 8192 - - defaults - mode http - timeout client 10s - timeout server 5s - timeout connect 3s - - listen px - bind :8001 - option http-server-close - server s1 127.0.0.1:8000 - -And httpterm-1.7.2 is used as the server on port 8000. - -After the fix, 1 million requests were sent and all returned the same -contents. - -Many thanks to Charlie Smurthwaite of atechmedia.com for his precious -help on this issue, which would not have been diagnosed without his -very detailed traces and numerous tests. - -The patch must be backported to 1.5 which is where the bug was introduced. -(cherry picked from commit 27187ab56a2f1104818c2f21c5139c1edd8b838f) ---- - -Index: haproxy-1.5.4/src/buffer.c -=================================================================== ---- haproxy-1.5.4.orig/src/buffer.c 2015-07-06 16:24:06.218642978 -0400 -+++ haproxy-1.5.4/src/buffer.c 2015-07-06 16:24:06.218642978 -0400 -@@ -102,30 +102,39 @@ - return delta; - } - --/* This function realigns input data in a possibly wrapping buffer so that it -- * becomes contiguous and starts at the beginning of the buffer area. The -- * function may only be used when the buffer's output is empty. -+/* This function realigns a possibly wrapping buffer so that the input part is -+ * contiguous and starts at the beginning of the buffer and the output part -+ * ends at the end of the buffer. 
This provides the best conditions since it -+ * allows the largest inputs to be processed at once and ensures that once the -+ * output data leaves, the whole buffer is available at once. - */ - void buffer_slow_realign(struct buffer *buf) - { -- /* two possible cases : -- * - the buffer is in one contiguous block, we move it in-place -- * - the buffer is in two blocks, we move it via the swap_buffer -- */ -- if (buf->i) { -- int block1 = buf->i; -- int block2 = 0; -- if (buf->p + buf->i > buf->data + buf->size) { -- /* non-contiguous block */ -- block1 = buf->data + buf->size - buf->p; -- block2 = buf->p + buf->i - (buf->data + buf->size); -- } -- if (block2) -- memcpy(swap_buffer, buf->data, block2); -- memmove(buf->data, buf->p, block1); -- if (block2) -- memcpy(buf->data + block1, swap_buffer, block2); -+ int block1 = buf->o; -+ int block2 = 0; -+ -+ /* process output data in two steps to cover wrapping */ -+ if (block1 > buf->p - buf->data) { -+ block2 = buf->p - buf->data; -+ block1 -= block2; - } -+ memcpy(swap_buffer + buf->size - buf->o, bo_ptr(buf), block1); -+ memcpy(swap_buffer + buf->size - block2, buf->data, block2); -+ -+ /* process input data in two steps to cover wrapping */ -+ block1 = buf->i; -+ block2 = 0; -+ -+ if (block1 > buf->data + buf->size - buf->p) { -+ block1 = buf->data + buf->size - buf->p; -+ block2 = buf->i - block1; -+ } -+ memcpy(swap_buffer, bi_ptr(buf), block1); -+ memcpy(swap_buffer + block1, buf->data, block2); -+ -+ /* reinject changes into the buffer */ -+ memcpy(buf->data, swap_buffer, buf->i); -+ memcpy(buf->data + buf->size - buf->o, swap_buffer + buf->size - buf->o, buf->o); - - buf->p = buf->data; - } diff -Nru haproxy-1.5.4/debian/patches/debianize-dconv.patch haproxy-1.5.14/debian/patches/debianize-dconv.patch --- haproxy-1.5.4/debian/patches/debianize-dconv.patch 2014-09-02 17:26:00.000000000 +0000 +++ haproxy-1.5.14/debian/patches/debianize-dconv.patch 2015-07-03 17:49:12.000000000 +0000 
@@ -1,12 +1,19 @@ -Author: Apollon Oikonomopoulos -Date: Sun Apr 27 11:56:44 2014 +0300 +From 90b0c858804a61a34e2c2ff82eaeea89561792e3 Mon Sep 17 00:00:00 2001 +From: Apollon Oikonomopoulos +Date: Wed, 29 Apr 2015 13:51:49 +0300 +Subject: [PATCH] dconv: debianize - dconv: debianize - - - Use Debian bootstrap and jquery packages - - Add Debian-related resources to the template - - Use the package's version instead of HAProxy's git version - - Move all assets under static/ + - Use Debian bootstrap and jquery packages + - Add Debian-related resources to the template + - Use the package's version instead of HAProxy's git version + - Move all assets under static/ + - Strip the conversion date from the output to ensure reproducible + build. +--- + debian/dconv/haproxy-dconv.py | 20 +++++++------ + debian/dconv/templates/parser/table/row.tpl | 6 ++-- + debian/dconv/templates/template.html | 44 +++++++++-------------------- + 3 files changed, 27 insertions(+), 43 deletions(-) diff --git a/debian/dconv/haproxy-dconv.py b/debian/dconv/haproxy-dconv.py index a43907c..3185b94 100755 @@ -93,7 +100,7 @@ style = "class=\"pagination-centered\"" data = ' ' diff --git a/debian/dconv/templates/template.html b/debian/dconv/templates/template.html -index 21e6ff2..abf5488 100644 +index 21e6ff2..9372808 100644 --- a/debian/dconv/templates/template.html +++ b/debian/dconv/templates/template.html @@ -3,44 +3,27 @@ @@ -144,7 +151,7 @@ - +
  • Bug Tracking System
  • +
  • Package page
  • -+
  • Package Tracking System
  • ++
  • Package Tracking System
  • +
  • +
  • Package Git Repository
  • @@ -155,7 +162,7 @@

    - Converted with haproxy-dconv v${version} on ${date} -+ Converted with haproxy-dconv on ${date} ++ Converted with haproxy-dconv

    @@ -181,3 +188,6 @@
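Review bot: beyond CVE-2015-3281 in 1.5.14, the CHANGELOG span carries several fixes that a security reviewer should weigh when deciding to take the whole bump rather than cherry-pick: the 1.5.12 out-of-bounds reads ("don't read past buffer's end in http_replace_value", "prevent risk of reading past end with balance url_param") and the transfer-encoding hardening ("incorrect transfer-coding in the request is a bad request", "remove content-length from chunked messages", "do not restrict parsing of transfer-encoding to HTTP/1.1") that reduces request-smuggling style disagreement between haproxy and its backends, the 1.5.9 "sanitize PPv2 header length before parsing address information" for proxy-protocol input, and the 1.5.8 wrapped-buffer space check. None of these carries a CVE identifier in the changelog, so a CVE-only audit of the old 1.5.4 package will not surface them.

Review bot: in contrib/systemd/haproxy.service.in, `ExecStartPre=... -c -q` makes a broken configuration fail the start with nothing but a nonzero exit status in the journal; dropping `-q` lets the parse error reach the journal, which is what the operator needs. The config path is now hard-coded twice (ExecStartPre and ExecStart), so a drop-in that overrides ExecStart alone validates the wrong file; an `Environment=CONFIG=/etc/haproxy/haproxy.cfg` used as `$CONFIG` in both lines keeps them in sync. `KillMode=mixed` is the right companion to the wrapper now handling SIGTERM (1.5.5 "Also accept SIGHUP/SIGTERM in systemd-wrapper"): SIGTERM goes to the wrapper only, which forwards it to the haproxy children, and the cgroup-wide SIGKILL is reserved for whatever is still alive at TimeoutStopSec.

Review bot: the trusty-backports entry in debian/changelog replaces 1.5.4-1ubuntu2.1, whose only change was the CVE-2015-3281 patch; the fix survives only because 1.5.14-1 carries the same upstream commit ("BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data"). The backport entry itself cites just LP: #1494141; for a supersession of a security update it is worth stating there that CVE-2015-3281 remains fixed, since that identifier is what anyone auditing trusty will grep for.

Review bot: in the haproxy.init hunk at -62, writing each PID to the temporary pidfile and passing `--pidfile` instead of `--pid` works around start-stop-daemon versions that lack `--pid` (the backport motivation given in the 1.5.14-1ubuntu0.15.10.1 entry); keeping `--exec $HAPROXY` is what stops a stale PID recycled by an unrelated process from being killed, so it must stay if this loop is simplified later. `--oknodo` already makes a PID that is no longer running count as success, so `$ret` is nonzero only when a live haproxy refused to die within the `--retry 5` window, which is the right condition for leaving `$PIDFILE` in place.

Review bot: dropping debian/patches/CVE-2015-3281.patch is correct only because 1.5.14 ships the same commit (X-Git-Tag v1.5.14~1 in the deleted header); the matching removal from debian/patches/series is not in this excerpt, so confirm it was made, otherwise quilt will stop on the missing patch. As an aside on the deleted body: the new buffer_slow_realign() writes output data at `swap_buffer + buf->size - buf->o` and input at `swap_buffer`, i.e. it assumes swap_buffer is at least buf->size bytes; that holds in the tree as shipped, but it is the invariant to re-check if tune.bufsize handling ever changes.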