Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-08-01 Thread Salvatore Bonaccorso
Hi Vincent,

On Sat, Aug 01, 2020 at 03:11:22PM +0200, Vincent Bernat wrote:
>  ❦ 31 July 2020 10:14 +02, Salvatore Bonaccorso:
> 
> >> > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> >> > > > as
> >> > > > DSA 4577-1 AFAICT.
> >> > > 
> >> > > Oh, sorry. Here is the updated patch.
> >> > 
> >> > Please go ahead.
> >> 
> >> Too late for buster 10.4 but actually this would need to be rebased to
> >> the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
> >> including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
> >> now.
> >> 
> >> If there is another haproxy update before the next point release, this
> >> fix for the CVE can be included as well, IMHO.
> >
> > Did you see the acknowledgement from Adam? Could you upload to
> > buster-proposed-updates?
> 
> Hello Salvatore,
> 
> I've just uploaded it.

Thank you!

Regards,
Salvatore



Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-08-01 Thread Vincent Bernat
 ❦ 31 July 2020 10:14 +02, Salvatore Bonaccorso:

>> > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
>> > > > as
>> > > > DSA 4577-1 AFAICT.
>> > > 
>> > > Oh, sorry. Here is the updated patch.
>> > 
>> > Please go ahead.
>> 
>> Too late for buster 10.4 but actually this would need to be rebased to
>> the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
>> including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
>> now.
>> 
>> If there is another haproxy update before the next point release, this
>> fix for the CVE can be included as well, IMHO.
>
> Did you see the acknowledgement from Adam? Could you upload to
> buster-proposed-updates?

Hello Salvatore,

I've just uploaded it.
-- 
Each module should do one thing well.
- The Elements of Programming Style (Kernighan & Plauger)




Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-07-31 Thread Salvatore Bonaccorso
Hi Vincent,

On Fri, May 08, 2020 at 02:03:41PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Apr 12, 2020 at 10:34:27PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote:
> > >  ❦  8 February 2020 08:43 +01, Salvatore Bonaccorso:
> > > 
> > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> > > > as
> > > > DSA 4577-1 AFAICT.
> > > 
> > > Oh, sorry. Here is the updated patch.
> > 
> > Please go ahead.
> 
> Too late for buster 10.4 but actually this would need to be rebased to
> the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
> including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
> now.
> 
> If there is another haproxy update before the next point release, this
> fix for the CVE can be included as well, IMHO.

Did you see the acknowledgement from Adam? Could you upload to
buster-proposed-updates?

Regards,
Salvatore



Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-05-08 Thread Salvatore Bonaccorso
Hi,

On Sun, Apr 12, 2020 at 10:34:27PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote:
> >  ❦  8 February 2020 08:43 +01, Salvatore Bonaccorso:
> > 
> > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> > > as
> > > DSA 4577-1 AFAICT.
> > 
> > Oh, sorry. Here is the updated patch.
> 
> Please go ahead.

Too late for buster 10.4 but actually this would need to be rebased to
the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
now.

If there is another haproxy update before the next point release, this
fix for the CVE can be included as well, IMHO.

Regards,
Salvatore



Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-04-12 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote:
>  ❦  8 February 2020 08:43 +01, Salvatore Bonaccorso:
> 
> > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> > as
> > DSA 4577-1 AFAICT.
> 
> Oh, sorry. Here is the updated patch.

Please go ahead.

Regards,

Adam



Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-02-08 Thread Vincent Bernat
 ❦  8 February 2020 08:43 +01, Salvatore Bonaccorso:

> This needs to be rebased to the 1.8.19-1+deb10u1 which was released as
> DSA 4577-1 AFAICT.

Oh, sorry. Here is the updated patch.

diff --git a/debian/changelog b/debian/changelog
index a3182ea0fdb9..6719f450553f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+haproxy (1.8.19-1+deb10u2) buster; urgency=medium
+
+  * d/logrotate.conf: use rsyslog helper instead of SysV init script.
+Closes: #946973.
+  * d/patches: reject messages where "chunked" is missing from
+transfer-encoding. CVE-2019-18277.
+
+ -- Vincent Bernat   Sun, 26 Jan 2020 12:54:30 +0100
+
 haproxy (1.8.19-1+deb10u1) buster-security; urgency=high
 
   * Apply two patches around HTTP/2 header validation allowing an attacker
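Review bot: the trailer of the new 1.8.19-1+deb10u2 entry carries the date Sun, 26 Jan 2020 12:54:30 +0100, which was not refreshed when the entry was renumbered for this rebase; regenerate the trailer at upload time so the entry's date follows the 1.8.19-1+deb10u1 entry it now sits on top of. Also check in the real file that the continuation lines ("Closes: #946973." and "transfer-encoding. CVE-2019-18277.") are indented under their bullets; as shown here they start in column 0.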
diff --git a/debian/logrotate.conf b/debian/logrotate.conf
index 442dc4e01e79..ad2031f198e6 100644
--- a/debian/logrotate.conf
+++ b/debian/logrotate.conf
@@ -6,6 +6,6 @@
 compress
 delaycompress
 postrotate
-invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
+/usr/lib/rsyslog/rsyslog-rotate
 endscript
 }
diff --git a/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
new file mode 100644
index ..a623dc9f373a
--- /dev/null
+++ b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
@@ -0,0 +1,66 @@
+From 3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau 
+Date: Thu, 12 Sep 2019 14:01:40 +0200
+Subject: [PATCH] BUG/MEDIUM: http: also reject messages where "chunked" is
+ missing from transfer-enoding
+
+Nathan Davison (@ndavison) reported that in legacy mode we don't
+correctly reject requests or responses featuring a transfer-encoding
+header missing the "chunked" value. As mandated in the protocol spec,
+the test verifies that "chunked" is the last one, but only does so when
+it is present. As such, "transfer-encoding: foobar" is not rejected,
+only "transfer-encoding: chunked, foobar" will be.
+
+The impact is limited, but if combined with "http-reuse always", it
+could be used as a help to construct a content smuggling attack against
+a vulnerable component employing a lenient parser which would ignore
+the content-length header as soon as it sees a transfer-encoding one,
+without even parsing it. In this case haproxy would fail to protect it.
+
+The fix consists in completing the existing checks to verify that
+"chunked" was present if any "transfer-encoding" header was met,
+otherwise either reject the request message or make the response
+end on a close.
+
+This fix is only for 2.0 and older versions as legacy mode was
+removed from 2.1. It should be backported to all maintained versions.
+
+(cherry picked from commit 196a7df44d8129d1adc795da020b722614d6a581)
+Signed-off-by: Christopher Faulet 
+(cherry picked from commit 5513fcaa601dd344be548430fc1760dbedebf4f2)
+Signed-off-by: Willy Tarreau 
+---
+ src/proto_http.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 411eb69899df..3c65606325e2 100644
+--- a/src/proto_http.c
 b/src/proto_http.c
+@@ -2110,6 +2110,10 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit)
+ 		}
+ 	}
+ 
++	/* "chunked" mandatory if transfer-encoding is used */
++	if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK))
++		goto return_bad_req;
++
+ 	/* Chunked requests must have their content-length removed */
+ 	ctx.idx = 0;
+ 	if (msg->flags & HTTP_MSGF_TE_CHNK) {
+@@ -5568,6 +5572,12 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
+ 		}
+ 	}
+ 
++	/* "chunked" mandatory if transfer-encoding is used */
++	if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) {
++		use_close_only = 1;
++		msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN);
++	}
++
+ 	/* Chunked responses must have their content-length removed */
+ 	ctx.idx = 0;
+ 	if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK)) {
+-- 
+2.25.0
+
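Review bot: both added tests in src/proto_http.c use ctx.idx as the signal that a transfer-encoding header was seen, which only holds if the header lookup loop just above leaves ctx.idx non-zero when it ends, and that loop is outside the context lines of both hunks. Since this is a cherry-pick of a cherry-pick applied on top of 1.8.19, please confirm against the 1.8.19 source that each check lands directly after that loop and before the "ctx.idx = 0;" reset visible in the context, and exercise the built package with a request carrying "transfer-encoding: foobar", the case the commit message says was not rejected.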
diff --git a/debian/patches/series b/debian/patches/series
index 4b5471161f57..504fb00c3dab 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
 0002-Use-dpkg-buildflags-to-build-halog.patch
 haproxy.service-start-after-syslog.patch
 haproxy.service-add-documentation.patch
-- 
Always do right.  This will gratify some people and astonish the rest.
-- Mark Twain




Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-02-07 Thread Salvatore Bonaccorso
Hi,

On Sun, Jan 26, 2020 at 01:00:31PM +0100, Vincent Bernat wrote:
>  ❦ 26 January 2020 05:50 +01, Moritz Mühlenhoff:
> 
> >> The logrotate configuration file for HAProxy doesn't signal rsyslog
> >> correctly. Therefore, logs are not really rotated and on a moderately
> >> busy site, this can fill up a log partition. When running with
> >> systemd, rsyslog doesn't write a PID file and therefore, the SysV
> >> init script invoked to rotate logs does not work. Instead, rsyslog
> >> package provides a helper for this purpose.
> >> 
> >> The change has been applied to 2.0.12-1 currently in unstable and
> >> testing. I would like to push it for the next point release next week.
> >
> > If we're doing a Buster update anyway, could we also piggyback the fix
> > for https://nathandavison.com/blog/haproxy-http-request-smuggling 
> > (CVE-2019-18277),
> > https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
> > ?
> 
> Ack! I have pulled the patch from the 1.8 branch. Here is the updated
> debdiff. It compiles and simple tests pass too. I'll be checking with
> upstream if they have an opinion around this.
> 

> diff --git a/debian/changelog b/debian/changelog
> index 978702081baa..7139318a49cf 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +haproxy (1.8.19-1+deb10u1) buster; urgency=medium
> +
> +  * d/logrotate.conf: use rsyslog helper instead of SysV init script.
> +Closes: #946973.
> +  * d/patches: reject messages where "chunked" is missing from
> +transfer-encoding. CVE-2019-18277.
> +
> + -- Vincent Bernat   Sun, 26 Jan 2020 12:54:30 +0100

This needs to be rebased to the 1.8.19-1+deb10u1 which was released as
DSA 4577-1 AFAICT.

Regards,
Salvatore



Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-01-26 Thread Vincent Bernat
 ❦ 26 January 2020 13:00 +01, Vincent Bernat:

>>> The logrotate configuration file for HAProxy doesn't signal rsyslog
>>> correctly. Therefore, logs are not really rotated and on a moderately
>>> busy site, this can fill up a log partition. When running with
>>> systemd, rsyslog doesn't write a PID file and therefore, the SysV
>>> init script invoked to rotate logs does not work. Instead, rsyslog
>>> package provides a helper for this purpose.
>>> 
>>> The change has been applied to 2.0.12-1 currently in unstable and
>>> testing. I would like to push it for the next point release next week.
>>
>> If we're doing a Buster update anyway, could we also piggyback the fix
>> for https://nathandavison.com/blog/haproxy-http-request-smuggling 
>> (CVE-2019-18277),
>> https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
>> ?
>
> Ack! I have pulled the patch from the 1.8 branch. Here is the updated
> debdiff. It compiles and simple tests pass too. I'll be checking with
> upstream if they have an opinion around this.

Upstream is OK to apply the patch on top of 1.8.19.
-- 
Don't use conditional branches as a substitute for a logical expression.
- The Elements of Programming Style (Kernighan & Plauger)




Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-01-26 Thread Vincent Bernat
 ❦ 26 January 2020 05:50 +01, Moritz Mühlenhoff:

>> The logrotate configuration file for HAProxy doesn't signal rsyslog
>> correctly. Therefore, logs are not really rotated and on a moderately
>> busy site, this can fill up a log partition. When running with
>> systemd, rsyslog doesn't write a PID file and therefore, the SysV
>> init script invoked to rotate logs does not work. Instead, rsyslog
>> package provides a helper for this purpose.
>> 
>> The change has been applied to 2.0.12-1 currently in unstable and
>> testing. I would like to push it for the next point release next week.
>
> If we're doing a Buster update anyway, could we also piggyback the fix
> for https://nathandavison.com/blog/haproxy-http-request-smuggling 
> (CVE-2019-18277),
> https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
> ?

Ack! I have pulled the patch from the 1.8 branch. Here is the updated
debdiff. It compiles and simple tests pass too. I'll be checking with
upstream if they have an opinion around this.

diff --git a/debian/changelog b/debian/changelog
index 978702081baa..7139318a49cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+haproxy (1.8.19-1+deb10u1) buster; urgency=medium
+
+  * d/logrotate.conf: use rsyslog helper instead of SysV init script.
+Closes: #946973.
+  * d/patches: reject messages where "chunked" is missing from
+transfer-encoding. CVE-2019-18277.
+
+ -- Vincent Bernat   Sun, 26 Jan 2020 12:54:30 +0100
+
 haproxy (1.8.19-1) unstable; urgency=medium
 
   * New upstream version 1.8.19
diff --git a/debian/logrotate.conf b/debian/logrotate.conf
index 442dc4e01e79..ad2031f198e6 100644
--- a/debian/logrotate.conf
+++ b/debian/logrotate.conf
@@ -6,6 +6,6 @@
 compress
 delaycompress
 postrotate
-invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
+/usr/lib/rsyslog/rsyslog-rotate
 endscript
 }
diff --git a/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
new file mode 100644
index ..a623dc9f373a
--- /dev/null
+++ b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
@@ -0,0 +1,66 @@
+From 3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau 
+Date: Thu, 12 Sep 2019 14:01:40 +0200
+Subject: [PATCH] BUG/MEDIUM: http: also reject messages where "chunked" is
+ missing from transfer-enoding
+
+Nathan Davison (@ndavison) reported that in legacy mode we don't
+correctly reject requests or responses featuring a transfer-encoding
+header missing the "chunked" value. As mandated in the protocol spec,
+the test verifies that "chunked" is the last one, but only does so when
+it is present. As such, "transfer-encoding: foobar" is not rejected,
+only "transfer-encoding: chunked, foobar" will be.
+
+The impact is limited, but if combined with "http-reuse always", it
+could be used as a help to construct a content smuggling attack against
+a vulnerable component employing a lenient parser which would ignore
+the content-length header as soon as it sees a transfer-encoding one,
+without even parsing it. In this case haproxy would fail to protect it.
+
+The fix consists in completing the existing checks to verify that
+"chunked" was present if any "transfer-encoding" header was met,
+otherwise either reject the request message or make the response
+end on a close.
+
+This fix is only for 2.0 and older versions as legacy mode was
+removed from 2.1. It should be backported to all maintained versions.
+
+(cherry picked from commit 196a7df44d8129d1adc795da020b722614d6a581)
+Signed-off-by: Christopher Faulet 
+(cherry picked from commit 5513fcaa601dd344be548430fc1760dbedebf4f2)
+Signed-off-by: Willy Tarreau 
+---
+ src/proto_http.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 411eb69899df..3c65606325e2 100644
+--- a/src/proto_http.c
 b/src/proto_http.c
+@@ -2110,6 +2110,10 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit)
+ 		}
+ 	}
+ 
++	/* "chunked" mandatory if transfer-encoding is used */
++	if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK))
++		goto return_bad_req;
++
+ 	/* Chunked requests must have their content-length removed */
+ 	ctx.idx = 0;
+ 	if (msg->flags & HTTP_MSGF_TE_CHNK) {
+@@ -5568,6 +5572,12 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
+ 		}
+ 	}
+ 
++	/* "chunked" mandatory if transfer-encoding is used */
++	if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) {
++		use_close_only = 1;
++		msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN);
++	}
++
+ 	/* Chunked responses must have their content-length removed */
+ 	ctx.idx = 0;
+ 	if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK)) {
+-- 
+2.25.0
+
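Review bot: in the http_wait_for_response hunk, the mask in "msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN);" clears HTTP_MSGF_TE_CHNK inside a branch whose condition already requires that flag to be unset, so only the HTTP_MSGF_XFER_LEN part has any effect; either drop the redundant bit or say in the comment that it is defensive. The request and response paths also differ on purpose (requests go to return_bad_req, responses are switched to use_close_only), yet both carry the same one-line comment; the response-side comment should state that the message is ended on a close rather than rejected, as the commit message describes.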
diff --git a/debian/patches/series b/debian/patches/series
index 

Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-01-25 Thread Moritz Mühlenhoff
On Sat, Jan 25, 2020 at 02:39:04PM +0100, Vincent Bernat wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hey!
> 
> The logrotate configuration file for HAProxy doesn't signal rsyslog
> correctly. Therefore, logs are not really rotated and on a moderately
> busy site, this can fill up a log partition. When running with
> systemd, rsyslog doesn't write a PID file and therefore, the SysV
> init script invoked to rotate logs does not work. Instead, rsyslog
> package provides a helper for this purpose.
> 
> The change has been applied to 2.0.12-1 currently in unstable and
> testing. I would like to push it for the next point release next week.

If we're doing a Buster update anyway, could we also piggyback the fix
for https://nathandavison.com/blog/haproxy-http-request-smuggling 
(CVE-2019-18277),
https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
 ?

Cheers,
Moritz



Bug#949826: buster-pu: package haproxy/1.8.19-1

2020-01-25 Thread Vincent Bernat
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hey!

The logrotate configuration file for HAProxy doesn't signal rsyslog
correctly. Therefore, logs are not really rotated and on a moderately
busy site, this can fill up a log partition. When running with
systemd, rsyslog doesn't write a PID file and therefore, the SysV
init script invoked to rotate logs does not work. Instead, rsyslog
package provides a helper for this purpose.

The change has been applied to 2.0.12-1 currently in unstable and
testing. I would like to push it for the next point release next week.

Thanks.


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

From bcf26bb2d684d793792742e30fd66c5b4018b53f Mon Sep 17 00:00:00 2001
From: Vincent Bernat 
Date: Fri, 20 Dec 2019 08:20:40 +0100
Subject: [PATCH] d/logrotate.conf: use rsyslog helper instead of SysV init
 script

---
 debian/changelog  | 7 +++
 debian/logrotate.conf | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 978702081baa..b996863ea351 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+haproxy (1.8.19-1+deb10u1) buster; urgency=medium
+
+  * d/logrotate.conf: use rsyslog helper instead of SysV init script.
+Closes: #946973.
+
+ -- Vincent Bernat   Sat, 25 Jan 2020 14:33:51 +0100
+
 haproxy (1.8.19-1) unstable; urgency=medium
 
   * New upstream version 1.8.19
diff --git a/debian/logrotate.conf b/debian/logrotate.conf
index 442dc4e01e79..ad2031f198e6 100644
--- a/debian/logrotate.conf
+++ b/debian/logrotate.conf
@@ -6,6 +6,6 @@
 compress
 delaycompress
 postrotate
-invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
+/usr/lib/rsyslog/rsyslog-rotate
 endscript
 }
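Review bot: the new postrotate line "/usr/lib/rsyslog/rsyslog-rotate" runs unguarded, whereas the line it replaces ended in ">/dev/null 2>&1 || true", so a missing or failing helper now makes the postrotate script fail and logrotate report an error for the haproxy log. The diffstat touches only debian/changelog and debian/logrotate.conf, so nothing in this patch ties haproxy to an rsyslog that ships the helper; consider guarding the call with an executable test, for example "[ ! -x /usr/lib/rsyslog/rsyslog-rotate ] || /usr/lib/rsyslog/rsyslog-rotate", so hosts using another syslog daemon are unaffected.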
-- 
2.25.0