diff --git a/backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch b/backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch
deleted file mode 100644
index 0febdc8c05b32acb0d659e1dbb60e488ae9967e3..0000000000000000000000000000000000000000
--- a/backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 365378bfdf283650ce1ac152348ca59b6d4c32c1 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard
-Date: Mon, 23 Dec 2024 14:17:25 +0000
-Subject: [PATCH] BUG/MEDIUM: queue: Make process_srv_queue return the number
- of streams
-
-Make process_srv_queue() return the number of streams unqueued, as
-pendconn_grab_from_px() did, as that number is used by
-srv_update_status() to generate logs.
-
-This should be backported up to 2.6 with
-111ea83ed4e13ac3ab028ed5e95201a1b4aa82b8
-
-(cherry picked from commit 5b8899b6ccc7dab3a54a51dcb8ba1512bd0c886c)
-Signed-off-by: Christopher Faulet
-(cherry picked from commit 70588a16903002709cf3c84255ad8ded73f8e584)
-Signed-off-by: Christopher Faulet
-
-Conflict:NA
-Reference:https://git.haproxy.org/?p=haproxy-3.0.git;a=patch;h=365378bfdf283650ce1ac152348ca59b6d4c32c1
----
- include/haproxy/queue.h | 2 +-
- src/queue.c | 3 ++-
- src/server.c | 4 ++--
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/include/haproxy/queue.h b/include/haproxy/queue.h
-index e4201fb..4896f71 100644
---- a/include/haproxy/queue.h
-+++ b/include/haproxy/queue.h
-@@ -34,7 +34,7 @@ extern struct pool_head *pool_head_pendconn;
- 
- struct pendconn *pendconn_add(struct stream *strm);
- int pendconn_dequeue(struct stream *strm);
--void process_srv_queue(struct server *s);
-+int process_srv_queue(struct server *s);
- unsigned int srv_dynamic_maxconn(const struct server *s);
- int pendconn_redistribute(struct server *s);
- int pendconn_grab_from_px(struct server *s);
-diff --git a/src/queue.c b/src/queue.c
-index a5537fc..892c942 100644
---- a/src/queue.c
-+++ b/src/queue.c
-@@ -354,7 +354,7 @@ static int pendconn_process_next_strm(struct server *srv, struct proxy *px, int
- /* Manages a server's connection queue. This function will try to dequeue as
- * many pending streams as possible, and wake them up.
- */
--void process_srv_queue(struct server *s)
-+int process_srv_queue(struct server *s)
- {
- struct server *ref = s->track ? s->track : s;
- struct proxy *p = s->proxy;
-@@ -413,6 +413,7 @@ void process_srv_queue(struct server *s)
- if (p->lbprm.server_take_conn)
- p->lbprm.server_take_conn(s);
- }
-+ return done;
- }
- 
- /* Adds the stream to the pending connection queue of server ->srv
-diff --git a/src/server.c b/src/server.c
-index 95a8b67..281db13 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -6396,7 +6396,7 @@ static int _srv_update_status_op(struct server *s, enum srv_op_st_chg_cause caus
- /* check if we can handle some connections queued.
- * We will take as many as we can handle.
- */
-- process_srv_queue(s);
-+ xferred = process_srv_queue(s);
- 
- tmptrash = alloc_trash_chunk();
- if (tmptrash) {
-@@ -6582,7 +6582,7 @@ static int _srv_update_status_adm(struct server *s, enum srv_adm_st_chg_cause ca
- /* check if we can handle some connections queued.
- * We will take as many as we can handle.
- */
-- process_srv_queue(s);
-+ xferred = process_srv_queue(s);
- }
- else if (s->next_admin & SRV_ADMF_MAINT) {
- /* remaining in maintenance mode, let's inform precisely about the
---
-1.7.10.4
-
diff --git a/backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch b/backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch
deleted file mode 100644
index 81ba2d8a874a838288bfb25e98eeeab311ebf87a..0000000000000000000000000000000000000000
--- a/backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From b495692898072d6a843d36d4e66aae42e88a7c95 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard
-Date: Tue, 17 Dec 2024 15:39:21 +0100
-Subject: [PATCH] BUG/MEDIUM: queues: Do not use pendconn_grab_from_px().
-
-pendconn_grab_from_px() was called when a server was brought back up, to
-get some streams waiting in the proxy's queue and get them to run on the
-newly available server. It is very similar to process_srv_queue(),
-except it only goes through the proxy's queue, which can be a problem,
-because there is a small race condition that could lead us to add more
-streams to the server queue just as it's going down. If that happens,
-the server would just be ignored when back up by new streams, as its
-queue is not empty, and it would never try to process its queue.
-The other problem with pendconn_grab_from_px() is that it is very
-liberal with how it dequeues streams, and it is not very good at
-enforcing maxconn, it could lead to having 3*maxconn connections.
-For both those reasons, just get rid of pendconn_grab_from_px(), and
-just use process_srv_queue().
-Both problems are easy to reproduce, especially on a 64 threads machine,
-set a maxconn to 100, inject in H2 with 1000 concurrent connections
-containing up to 100 streams each, and after a few seconds/minutes the
-max number of concurrent output streams will be much higher than
-maxconn, and eventually the server will stop processing connections.
-
-It may be related to github issue #2744. Note that it doesn't totally
-fix the problem, we can occasionally see a few more connections than
-maxconn, but the max that have been observed is 4 more connections, we
-no longer get multiple times maxconn.
-
-have more outgoing connections than maxconn,
-This should be backported up to 2.6.
-
-(cherry picked from commit 111ea83ed4e13ac3ab028ed5e95201a1b4aa82b8)
-Signed-off-by: Christopher Faulet
-(cherry picked from commit ab4ff1b7a6c7685f28fbdea01b38caf7e816fddf)
-Signed-off-by: Christopher Faulet
-
-Conflict:NA
-Reference:https://git.haproxy.org/?p=haproxy-3.0.git;a=patch;h=b495692898072d6a843d36d4e66aae42e88a7c95
----
- src/server.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/server.c b/src/server.c
-index 5b0f9f3..95a8b67 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -5587,7 +5587,7 @@ static struct task *server_warmup(struct task *t, void *context, unsigned int st
- server_recalc_eweight(s, 1);
- 
- /* probably that we can refill this server with a bit more connections */
-- pendconn_grab_from_px(s);
-+ process_srv_queue(s);
- 
- HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock);
- 
-@@ -6393,10 +6393,10 @@ static int _srv_update_status_op(struct server *s, enum srv_op_st_chg_cause caus
- !(s->flags & SRV_F_BACKUP) && s->next_eweight)
- srv_shutdown_backup_streams(s->proxy, SF_ERR_UP);
- 
-- /* check if we can handle some connections queued at the proxy. We
-- * will take as many as we can handle.
-+ /* check if we can handle some connections queued.
-+ * We will take as many as we can handle.
- */
-- xferred = pendconn_grab_from_px(s);
-+ process_srv_queue(s);
- 
- tmptrash = alloc_trash_chunk();
- if (tmptrash) {
-@@ -6579,10 +6579,10 @@ static int _srv_update_status_adm(struct server *s, enum srv_adm_st_chg_cause ca
- !(s->flags & SRV_F_BACKUP) && s->next_eweight)
- srv_shutdown_backup_streams(s->proxy, SF_ERR_UP);
- 
-- /* check if we can handle some connections queued at the proxy. We
-- * will take as many as we can handle.
-+ /* check if we can handle some connections queued.
-+ * We will take as many as we can handle.
- */
-- xferred = pendconn_grab_from_px(s);
-+ process_srv_queue(s);
- }
- else if (s->next_admin & SRV_ADMF_MAINT) {
- /* remaining in maintenance mode, let's inform precisely about the
---
-1.7.10.4
-
diff --git a/backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch b/backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch
deleted file mode 100644
index 1ef1b5c406888990486f81e291a32ef9b88945fb..0000000000000000000000000000000000000000
--- a/backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 2de073ef00ee7d87aa82064dd2977645ec694730 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard
-Date: Fri, 13 Dec 2024 17:11:05 +0000
-Subject: [PATCH] BUG/MEDIUM: queues: Make sure we call process_srv_queue()
- when leaving
-
-In stream_free(), make sure we call process_srv_queue() each time we
-call sess_change_server(), otherwise a server may end up not dequeuing
-any stream when it could do so. In some extreme cases it could lead to
-an infinite loop, as the server would appear to be available, as its
-"served" parameter would be < maxconn, but would end up not being used,
-as there are elements still in its queue.
-
-This should be backported up to 2.6.
-
-(cherry picked from commit dc9ce9c26469e00ab71fe6387dbd13010d4930f0)
-Signed-off-by: Christopher Faulet
-(cherry picked from commit 1385e4ca16b3797b0091a959b626935cd7f29b38)
-Signed-off-by: Christopher Faulet
-
-Conflict:NA
-Reference:https://git.haproxy.org/?p=haproxy-3.0.git;a=patch;h=2de073ef00ee7d87aa82064dd2977645ec694730
----
- src/stream.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/stream.c b/src/stream.c
-index 72d0f37..1a801b2 100644
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -624,11 +624,14 @@ void stream_free(struct stream *s)
- }
- 
- if (unlikely(s->srv_conn)) {
-+ struct server *oldsrv = s->srv_conn;
- /* the stream still has a reserved slot on a server, but
- * it should normally be only the same as the one above,
- * so this should not happen in fact.
- */
- sess_change_server(s, NULL);
-+ if (may_dequeue_tasks(oldsrv, s->be))
-+ process_srv_queue(oldsrv);
- }
- 
- /* We may still be present in the buffer wait queue */
---
-1.7.10.4
-
diff --git a/backport-CVE-2025-32464.patch b/backport-CVE-2025-32464.patch
deleted file mode 100644
index 5fc678ca2d91280ecf9cde51ac26a97de7bf6992..0000000000000000000000000000000000000000
--- a/backport-CVE-2025-32464.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From ee1a64c2a04cc2cb38efb7e44f7ea7386d627bf6 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Mon, 7 Apr 2025 15:30:43 +0200
-Subject: [PATCH] BUG/MEDIUM: sample: fix risk of overflow when replacing
- multiple regex back-refs
-
-Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
-reported a bug in sample_conv_regsub(), which can cause replacements
-of multiple back-references to overflow the temporary trash buffer.
-
-The problem happens when doing "regsub(match,replacement,g)": we're
-replacing every occurrence of "match" with "replacement" in the input
-sample, which requires a length check. For this, a max is applied, so
-that a replacement may not use more than the remaining length in the
-buffer. However, the length check is made on the replaced pattern and
-not on the temporary buffer used to carry the new string. This results
-in the remaining size to be usable for each input match, which can go
-beyond the temporary buffer size if more than one occurrence has to be
-replaced with something that's larger than the remaining room.
-
-The fix proposed by Aleandro and Edoardo is the correct one (check on
-"trash" not "output"), and is the one implemented in this patch.
-
-While it is very unlikely that a config will replace multiple short
-patterns each with a larger one in a request, this possibility cannot
-be entirely ruled out (e.g. mask a known, short IP address using
-"XXX.XXX.XXX.XXX"). However when this happens, the replacement pattern
-will be static, and not be user-controlled, which is why this patch is
-marked as medium.
-
-The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
-regsub now supports backreferences"), so it must be backported to all
-versions.
-
-Special thanks go to Aleandro and Edoardo for reporting this bug with
-a simple reproducer and a fix.
-
-(cherry picked from commit 3e3b9eebf871510aee36c3a3336faac2f38c9559)
-Signed-off-by: Aurelien DARRAGON
-(cherry picked from commit db87c8d9fe621539531f6f915ba9e1755a2a26cb)
-Signed-off-by: Aurelien DARRAGON
-
-Conflict: NA
-Reference: https://github.com/haproxy/haproxy/commit/ee1a64c2a04cc2cb38efb7e44f7ea7386d627bf6
----
- src/sample.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/sample.c b/src/sample.c
-index 7f0ce353f21f1..811d81ee4b09c 100644
---- a/src/sample.c
-+++ b/src/sample.c
-@@ -3163,7 +3163,7 @@ static int sample_conv_regsub(const struct arg *arg_p, struct sample *smp, void
- output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
- 
- /* replace the matching part */
-- max = output->size - output->data;
-+ max = trash->size - trash->data;
- if (max) {
- if (max > output->data)
- max = output->data;
diff --git a/haproxy-3.0.7.tar.gz b/haproxy-3.0.11.tar.gz
similarity index 39%
rename from haproxy-3.0.7.tar.gz
rename to haproxy-3.0.11.tar.gz
index ab70bba664e958103ad616971381cbcbfc715efe..d7cccd8a68d0151e28b58e145cbb32889a905059 100644
Binary files a/haproxy-3.0.7.tar.gz and b/haproxy-3.0.11.tar.gz differ
diff --git a/haproxy.spec b/haproxy.spec
index ec68fd16b6af56793265269209e21d9e10bdcbbd..cee6dd8a0264be4c61951f5b49d3026d1641da87 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -4,8 +4,8 @@ %global _hardened_build 1
 Name: haproxy
-Version: 3.0.7
-Release: 3
+Version: 3.0.11
+Release: 1
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPL-2.0-or-later
@@ -16,12 +16,8 @@ Source2: %{name}.cfg
 Source3: %{name}.logrotate
 Source4: %{name}.sysconfig
-Patch1: backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch
-Patch2: backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch
-Patch3: backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch
-Patch4: backport-CVE-2025-32464.patch
-BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
+BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic libxcrypt-devel
 Requires(pre): shadow-utils
 %{?systemd_requires}
@@ -119,6 +115,12 @@ exit 0
 %{_mandir}/man1/*
 %changelog
+* Fri Aug 01 2025 xinghe - 3.0.11-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:Update to 3.0.11
+
 * Tue Apr 29 2025 xinghe - 3.0.7-3
 - Type:cves
 - CVE:CVE-2025-32464
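Review bot: Dropping Patch1 through Patch4 in the `@@ -16,12 +16,8 @@` hunk leaves no record in the spec that the four backported fixes, including the CVE-2025-32464 regsub overflow fix, are now expected to come from the upstream 3.0.11 tarball; the %changelog entry in the following hunk only says `- DESC:Update to 3.0.11`. Extending it to `- DESC:Update to 3.0.11, which includes the previously backported queue fixes and the CVE-2025-32464 fix` keeps the CVE trail auditable, assuming the upstream release notes confirm those commits landed by 3.0.11. The %prep section is outside this diff, so it is worth confirming it does not still apply these patches by number. The new `libxcrypt-devel` build dependency is added on the same BuildRequires line with no stated reason; a short changelog line naming what in 3.0.11 needs it would help the next maintainer.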