Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2025-07-09 17:29:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new.7373 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Wed Jul 9 17:29:29 2025 rev:163 rq:1291449 version:3.2.3+git0.1844da7c6 Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2025-07-02 17:30:58.111397575 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new.7373/haproxy.changes 2025-07-09 17:30:06.919822613 +0200 @@ -1,0 +2,17 @@ +Wed Jul 09 09:19:41 UTC 2025 - Marcus Rueckert <mrueck...@suse.de> + +- Update to version 3.2.3+git0.1844da7c6: + * [RELEASE] Released version 3.2.3 + * BUILD/MEDIUM: deviceatlas: fix when installed in custom locations. + * BUG/MINOR: http-act: Fix parsing of the expression argument for pause action + * BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections + * BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init() + * BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API) + * CI: github: update to OpenSSL 3.5.1 + * BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5 + * BUILD: quic: QUIC build against OpenSSL 3.5 broken + * CI: github: update the stable CI to ubuntu-24.04 + * CI: github: add an OpenSSL 3.5.0 job + * CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0 + +------------------------------------------------------------------- Old: ---- haproxy-3.2.2+git0.a55102f09.tar.gz New: ---- haproxy-3.2.3+git0.1844da7c6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.NEdB2O/_old 2025-07-09 17:30:10.651978336 +0200 +++ /var/tmp/diff_new_pack.NEdB2O/_new 2025-07-09 17:30:10.667979004 +0200 @@ -72,7 +72,7 @@ %endif Name: haproxy -Version: 3.2.2+git0.a55102f09 +Version: 3.2.3+git0.1844da7c6 Release: 0 # Summary: The Reliable, High Performance TCP/HTTP Load Balancer ++++++ _service ++++++ --- /var/tmp/diff_new_pack.NEdB2O/_old 2025-07-09 17:30:11.135998532 +0200 +++ /var/tmp/diff_new_pack.NEdB2O/_new 2025-07-09 17:30:11.159999533 +0200 
@@ -6,7 +6,7 @@ <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> - <param name="revision">v3.2.2</param> + <param name="revision">v3.2.3</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.NEdB2O/_old 2025-07-09 17:30:11.280004540 +0200 +++ /var/tmp/diff_new_pack.NEdB2O/_new 2025-07-09 17:30:11.320006209 +0200 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">http://git.haproxy.org/git/haproxy-3.2.git/</param> - <param name="changesrevision">a55102f095b9fa9cc02e29207740d9ca7ac72af0</param> + <param name="changesrevision">1844da7c65c5655d93c79925ed2244ca8cda9822</param> </service> </servicedata> (No newline at EOF) ++++++ haproxy-3.2.2+git0.a55102f09.tar.gz -> haproxy-3.2.3+git0.1844da7c6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/.github/matrix.py new/haproxy-3.2.3+git0.1844da7c6/.github/matrix.py --- old/haproxy-3.2.2+git0.a55102f09/.github/matrix.py 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/.github/matrix.py 2025-07-09 10:25:50.000000000 +0200 @@ -125,7 +125,7 @@ # Ubuntu if "haproxy-" in ref_name: - os = "ubuntu-22.04" # stable branch + os = "ubuntu-24.04" # stable branch else: os = "ubuntu-24.04" # development branch @@ -218,6 +218,7 @@ "stock", "OPENSSL_VERSION=1.0.2u", "OPENSSL_VERSION=1.1.1s", + "OPENSSL_VERSION=3.5.1", "QUICTLS=yes", "WOLFSSL_VERSION=5.7.0", "AWS_LC_VERSION=1.39.0", @@ -232,8 +233,6 @@ for ssl in ssl_versions: flags = ["USE_OPENSSL=1"] - if ssl == "BORINGSSL=yes" or ssl == "QUICTLS=yes" or "LIBRESSL" in ssl or "WOLFSSL" in ssl or "AWS_LC" in ssl: - flags.append("USE_QUIC=1") if "WOLFSSL" in ssl: flags.append("USE_OPENSSL_WOLFSSL=1") if "AWS_LC" in ssl: 
@@ -246,6 +245,15 @@ if "OPENSSL" in ssl and "latest" in ssl: ssl = determine_latest_openssl(ssl) + openssl_supports_quic = False + try: + openssl_supports_quic = version.Version(ssl.split("OPENSSL_VERSION=",1)[1]) >= version.Version("3.5.0") + except: + pass + + if ssl == "BORINGSSL=yes" or ssl == "QUICTLS=yes" or "LIBRESSL" in ssl or "WOLFSSL" in ssl or "AWS_LC" in ssl or openssl_supports_quic: + flags.append("USE_QUIC=1") + matrix.append( { "name": "{}, {}, ssl={}".format(os, CC, clean_ssl(ssl)), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/CHANGELOG new/haproxy-3.2.3+git0.1844da7c6/CHANGELOG --- old/haproxy-3.2.2+git0.a55102f09/CHANGELOG 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/CHANGELOG 2025-07-09 10:25:50.000000000 +0200 
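Review bot: The bare `except: pass` around the new version comparison swallows every exception, including KeyboardInterrupt, and would also hide a genuine bug in the parsing expression rather than just the expected "not an OpenSSL entry" case. Only two failures are expected here — `split("OPENSSL_VERSION=",1)[1]` raising IndexError for entries such as `QUICTLS=yes`, and an unparsable version string — so narrow it to `except (IndexError, ValueError):` (if `version` is `packaging.version`, its `InvalidVersion` is a ValueError subclass; confirm against the import at the top of the file, which is outside the hunk). The enclosing `for ssl in ssl_versions:` loop starts in the previous hunk.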
@@ -1,6 +1,19 @@ ChangeLog : =========== +2025/07/09 : 3.2.3 + - CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0 + - CI: github: add an OpenSSL 3.5.0 job + - CI: github: update the stable CI to ubuntu-24.04 + - BUILD: quic: QUIC build against OpenSSL 3.5 broken + - BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5 + - CI: github: update to OpenSSL 3.5.1 + - BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API) + - BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init() + - BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections + - BUG/MINOR: http-act: Fix parsing of the expression argument for pause action + - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations. + 2025/07/02 : 3.2.2 - BUG/MINOR: config/server: reject QUIC addresses - BUG/MINOR: http-ana: Properly handle keep-query redirect option if no QS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/VERDATE new/haproxy-3.2.3+git0.1844da7c6/VERDATE --- old/haproxy-3.2.2+git0.a55102f09/VERDATE 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/VERDATE 2025-07-09 10:25:50.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2025/07/02 +2025/07/09 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/VERSION new/haproxy-3.2.3+git0.1844da7c6/VERSION --- old/haproxy-3.2.2+git0.a55102f09/VERSION 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/VERSION 2025-07-09 10:25:50.000000000 +0200 
@@ -1 +1 @@ -3.2.2 +3.2.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/addons/deviceatlas/Makefile.inc new/haproxy-3.2.3+git0.1844da7c6/addons/deviceatlas/Makefile.inc --- old/haproxy-3.2.2+git0.a55102f09/addons/deviceatlas/Makefile.inc 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/addons/deviceatlas/Makefile.inc 2025-07-09 10:25:50.000000000 +0200 @@ -5,7 +5,8 @@ CXXLIB := -lstdc++ ifeq ($(DEVICEATLAS_SRC),) -OPTIONS_LDFLAGS += -lda +OPTIONS_CFLAGS += -I$(DEVICEATLAS_INC) +OPTIONS_LDFLAGS += -Wl,-rpath,$(DEVICEATLAS_LIB) -L$(DEVICEATLAS_LIB) -lda else DEVICEATLAS_INC = $(DEVICEATLAS_SRC) DEVICEATLAS_LIB = $(DEVICEATLAS_SRC) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/doc/configuration.txt new/haproxy-3.2.3+git0.1844da7c6/doc/configuration.txt --- old/haproxy-3.2.2+git0.a55102f09/doc/configuration.txt 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/doc/configuration.txt 2025-07-09 10:25:50.000000000 +0200 @@ -3,7 +3,7 @@ Configuration Manual ---------------------- version 3.2 - 2025/07/02 + 2025/07/09 This document covers the configuration language as implemented in the version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/include/haproxy/openssl-compat.h new/haproxy-3.2.3+git0.1844da7c6/include/haproxy/openssl-compat.h --- old/haproxy-3.2.2+git0.a55102f09/include/haproxy/openssl-compat.h 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/include/haproxy/openssl-compat.h 2025-07-09 10:25:50.000000000 +0200 
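Review bot: The new `OPTIONS_LDFLAGS` line in the `DEVICEATLAS_SRC`-empty branch assumes `DEVICEATLAS_LIB` (and `DEVICEATLAS_INC`) is set by the caller; when neither is given, the expansion would likely become `-Wl,-rpath, -L -lda`, where `-L` takes `-lda` as its directory argument and an empty rpath element is passed to the linker, so the previous bare `-lda` behaviour is lost. Guard the two additions with `ifneq ($(DEVICEATLAS_LIB),)` / `ifneq ($(DEVICEATLAS_INC),)` and keep `OPTIONS_LDFLAGS += -lda` unconditional. Because `-Wl,-rpath` embeds a load-time library search path in the executable, a comment stating that `DEVICEATLAS_LIB` must be an absolute path to a directory not writable by unprivileged users would also help packagers.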
@@ -63,6 +63,9 @@ ssl_encryption_application }; +#else +/* QUIC TLS API */ +#define HAVE_OPENSSL_QUICTLS #endif #endif /* USE_QUIC_OPENSSL_COMPAT */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/src/http_act.c new/haproxy-3.2.3+git0.1844da7c6/src/http_act.c --- old/haproxy-3.2.2+git0.a55102f09/src/http_act.c 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/src/http_act.c 2025-07-09 10:25:50.000000000 +0200 @@ -1822,8 +1822,12 @@ memprintf(err, "null value is not valid for a 'pause' rule"); return ACT_RET_PRS_ERR; } + else { + /* a time volue was successfully parsed */ + cur_arg++; + } - *orig_arg = cur_arg + 1; + *orig_arg = cur_arg; return ACT_RET_PRS_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/src/quic_ssl.c new/haproxy-3.2.3+git0.1844da7c6/src/quic_ssl.c --- old/haproxy-3.2.2+git0.a55102f09/src/quic_ssl.c 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/src/quic_ssl.c 2025-07-09 10:25:50.000000000 +0200 @@ -11,6 +11,14 @@ #include <haproxy/trace.h> DECLARE_POOL(pool_head_quic_ssl_sock_ctx, "quic_ssl_sock_ctx", sizeof(struct ssl_sock_ctx)); +const char *quic_ciphers = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384" + ":TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256"; +#ifdef HAVE_OPENSSL_QUIC +const char *quic_groups = "X25519:P-256:P-384:P-521:X25519MLKEM768"; +#else +const char *quic_groups = "X25519:P-256:P-384:P-521"; +#endif + /* Set the encoded version of the transport parameter into the TLS * stack depending on <ver> QUIC version and <server> boolean which must @@ -558,7 +566,6 @@ { int ret = 0; struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index); - struct listener *l = objt_listener(qc->target); TRACE_ENTER(QUIC_EV_TRANSP_PARAMS, qc); 
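Review bot: The new comment in the `else` branch reads `/* a time volue was successfully parsed */`; `volue` should be `value`. Since the `cur_arg++` in that branch is now what drives `*orig_arg`, saying so makes the fix self-explanatory: `/* a time value was successfully parsed: consume the argument */`. The enclosing parse function starts outside the hunk.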
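Review bot: `quic_ciphers` and `quic_groups` are defined as mutable pointers with external linkage, so any translation unit could rebind the policy strings at runtime; unless a header declares them for use elsewhere (not visible here), `static const char *const quic_ciphers = ...` and the same for `quic_groups` makes them immutable and file-local. A short comment above them saying these are the defaults applied to every QUIC bind (they are handed to `SSL_CTX_set_ciphersuites()` / `SSL_CTX_set1_groups_list()` in a later hunk) would also help, and the `#ifdef HAVE_OPENSSL_QUIC` branch could state why `X25519MLKEM768` is only listed there (presumably library support; confirm).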
@@ -567,7 +574,7 @@ QUIC_EV_TRANSP_PARAMS, qc); ret = 1; } - else if (!quic_transport_params_store(qc, !l, params, params + params_len)) { + else if (!quic_transport_params_store(qc, 0, params, params + params_len)) { goto err; } @@ -718,6 +725,26 @@ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); + if (SSL_CTX_set_ciphersuites(ctx, quic_ciphers) != 1) { + ha_warning("Binding [%s:%d] for %s %s: default QUIC cipher" + " suites setting failed.\n", + bind_conf->file, bind_conf->line, + proxy_type_str(bind_conf->frontend), + bind_conf->frontend->id); + cfgerr++; + } + +#ifndef HAVE_OPENSSL_QUICTLS + /* TODO: this should also work with QUICTLS */ + if (SSL_CTX_set1_groups_list(ctx, quic_groups) != 1) { + ha_warning("Binding [%s:%d] for %s %s: default QUIC cipher" + " groups setting failed.\n", + bind_conf->file, bind_conf->line, + proxy_type_str(bind_conf->frontend), + bind_conf->frontend->id); + cfgerr++; + } +#endif if (bind_conf->ssl_conf.early_data) { #if !defined(HAVE_SSL_0RTT_QUIC) @@ -1023,6 +1050,12 @@ /* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */ int quic_ssl_set_tls_cbs(SSL *ssl) { + struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index); + + /* Ignore the TCP connections */ + if (!qc) + return 1; + #ifdef HAVE_OPENSSL_QUIC return SSL_set_quic_tls_cbs(ssl, ha_quic_dispatch, NULL); #else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/src/ssl_ocsp.c new/haproxy-3.2.3+git0.1844da7c6/src/ssl_ocsp.c --- old/haproxy-3.2.2+git0.a55102f09/src/ssl_ocsp.c 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/src/ssl_ocsp.c 2025-07-09 10:25:50.000000000 +0200 
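Review bot: The warning in the new `SSL_CTX_set1_groups_list()` block says `default QUIC cipher groups setting failed`, but what is being set is the list of key exchange groups, not cipher groups; `"default QUIC key exchange groups setting failed.\n"` avoids confusing an operator reading the log. The `/* TODO: this should also work with QUICTLS */` comment would be more useful if it recorded why the call is skipped for QUICTLS today (presumably a failure observed with this group list; confirm), otherwise the next maintainer cannot tell whether the `#ifndef HAVE_OPENSSL_QUICTLS` is still needed. The enclosing function starts outside the hunk.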
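Review bot: `quic_ssl_set_tls_cbs()` now has a second success path — returning 1 when `ssl` carries no `quic_conn` — but the header comment above it still only says it installs the QUIC callbacks. Extend it to state the contract, e.g. `/* Install the OpenSSL/quictls QUIC API callbacks on <ssl>. Returns 1 when <ssl> is not bound to a QUIC connection (plain TLS over TCP), otherwise the result of the library call. */`, and fix the `specifig` typo while touching it. The function body continues outside the hunk.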
@@ -2070,7 +2070,7 @@ return 0; } -int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, char **err) +int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, char *filename, int linenum, char **err) { int ocsp_update_mode = *(int *)value; int ret = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.2.2+git0.a55102f09/src/ssl_sock.c new/haproxy-3.2.3+git0.1844da7c6/src/ssl_sock.c --- old/haproxy-3.2.2+git0.a55102f09/src/ssl_sock.c 2025-07-02 11:58:27.000000000 +0200 +++ new/haproxy-3.2.3+git0.1844da7c6/src/ssl_sock.c 2025-07-09 10:25:50.000000000 +0200 @@ -5759,13 +5759,11 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state) { struct tasklet *tl = (struct tasklet *)t; - struct ssl_sock_ctx *ctx = context; + struct ssl_sock_ctx *ctx; struct connection *conn; int conn_in_list; int ret = 0; - TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn); - if (state & TASK_F_USR1) { /* the tasklet was idling on an idle connection, it might have * been stolen, let's be careful! @@ -5776,16 +5774,20 @@ tasklet_free(tl); return NULL; } + ctx = context; conn = ctx->conn; conn_in_list = conn->flags & CO_FL_LIST_MASK; if (conn_in_list) conn_delete_from_tree(conn); HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock); } else { + ctx = context; conn = ctx->conn; conn_in_list = 0; } + TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn); + /* First if we're doing an handshake, try that */ if (ctx->conn->flags & CO_FL_SSL_WAIT_HS) { ssl_sock_handshake(ctx->conn, CO_FL_SSL_WAIT_HS);
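Review bot: `ctx = context;` is now written twice, once in each branch, although the assignment itself dereferences nothing — only `TRACE_ENTER()` did, which the hunk correctly moves below the stolen-connection check. Keeping `struct ssl_sock_ctx *ctx = context;` at the declaration and moving only the trace would be equivalent and shorter; if the split is deliberate, a why-comment at the relocated `TRACE_ENTER()` such as `/* <ctx> may no longer be ours if the idle connection was stolen: only trace once the TASK_F_USR1 path has validated it */` records why the trace must not run earlier. The function continues outside the hunk.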