Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-11-04 17:28:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-10-25 11:11:35.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-11-04 17:28:57.000000000 +0100
@@ -1,0 +2,42 @@
+Fri Oct 31 22:24:27 UTC 2014 - mrueckert@suse.de
+
+- update to 1.5.8
+ - BUG/MAJOR: buffer: check the space left is enough or not when
+ input data in a buffer is wrapped
+ - BUG/BUILD: revert accidental change in the makefile from latest
+ SSL fix
+- changes in 1.5.7
+ - BUG/MEDIUM: regex: fix pcre_study error handling
+ - BUG/MINOR: log: fix request flags when keep-alive is enabled
+ - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return
+ DER formatted certs
+ - MINOR: ssl: add statement to force some ssl options in global.
+ - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid
+ certificates
+ - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+ - BUG/MAJOR: cli: explicitly call cli_release_handler() upon
+ error
+ - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+ - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET
+ sockets
+- Dropped patches:
+ - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch
+ - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch
+ - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch
+ - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch
+
+-------------------------------------------------------------------
+Wed Oct 29 08:07:07 UTC 2014 - kgronlund@suse.com
+
+- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+- BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+- BUG/MINOR: log: fix request flags when keep-alive is enabled
+- BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+
+- Added patches:
+ - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch
+ - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch
+ - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch
+ - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch
+
+-------------------------------------------------------------------
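Review bot: the 1.5.8 entry carries "BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped" without any tracker reference, so a reader of haproxy.changes cannot tell whether this update has to be handled as a security fix. If a bug or CVE entry exists for it, cite it on that line. The four patches added in the Oct 29 entry and dropped in the Oct 31 entry match titles listed under "changes in 1.5.7", so the drop itself looks right.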
Old:
----
haproxy-1.5.6.tar.gz
New:
----
haproxy-1.5.8.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.MrHlD8/_old 2014-11-04 17:28:58.000000000 +0100
+++ /var/tmp/diff_new_pack.MrHlD8/_new 2014-11-04 17:28:58.000000000 +0100
@@ -33,7 +33,7 @@
%bcond_without apparmor
Name: haproxy
-Version: 1.5.6
+Version: 1.5.8
Release: 0
#
#
@@ -60,6 +60,7 @@
Patch1: haproxy-1.2.16_config_haproxy_user.patch
Patch2: haproxy-makefile_lib.patch
Patch3: sec-options.patch
+
Source99: haproxy-rpmlintrc
#
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
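Review bot: the only change in this hunk is an empty line added after "Patch3: sec-options.patch", which has nothing to do with the version bump; drop it so the spec diff stays limited to the "Version:" line. haproxy.changes lists four dropped patches, yet no Patch or %patch lines are removed here, so please confirm the spec carries no leftover reference to them.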
++++++ haproxy-1.5.6.tar.gz -> haproxy-1.5.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.6/CHANGELOG new/haproxy-1.5.8/CHANGELOG
--- old/haproxy-1.5.6/CHANGELOG 2014-10-18 17:48:02.000000000 +0200
+++ new/haproxy-1.5.8/CHANGELOG 2014-10-31 10:06:53.000000000 +0100
@@ -1,6 +1,21 @@
ChangeLog :
===========
+2014/10/31 : 1.5.8
+ - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped
+ - BUG/BUILD: revert accidental change in the makefile from latest SSL fix
+
+2014/10/30 : 1.5.7
+ - BUG/MEDIUM: regex: fix pcre_study error handling
+ - BUG/MINOR: log: fix request flags when keep-alive is enabled
+ - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs
+ - MINOR: ssl: add statement to force some ssl options in global.
+ - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
+ - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+ - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+ - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+ - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
+
2014/10/18 : 1.5.6
- BUG/MEDIUM: systemd: set KillMode to 'mixed'
- MINOR: systemd: Check configuration before start
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.6/README new/haproxy-1.5.8/README
--- old/haproxy-1.5.6/README 2014-10-18 17:48:02.000000000 +0200
+++ new/haproxy-1.5.8/README 2014-10-31 10:06:53.000000000 +0100
@@ -1,9 +1,9 @@
----------------------
HAProxy how-to
----------------------
- version 1.5.6
+ version 1.5.8
willy tarreau
- 2014/10/18
+ 2014/10/31
1) How to build it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.6/VERDATE new/haproxy-1.5.8/VERDATE
--- old/haproxy-1.5.6/VERDATE 2014-10-18 17:48:02.000000000 +0200
+++ new/haproxy-1.5.8/VERDATE 2014-10-31 10:06:53.000000000 +0100
@@ -1,2 +1,2 @@
$Format:%ci$
-2014/10/18
+2014/10/31
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.6/VERSION new/haproxy-1.5.8/VERSION
--- old/haproxy-1.5.6/VERSION 2014-10-18 17:48:02.000000000 +0200
+++ new/haproxy-1.5.8/VERSION 2014-10-31 10:06:53.000000000 +0100
@@ -1 +1 @@
-1.5.6
+1.5.8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.6/doc/configuration.txt new/haproxy-1.5.8/doc/configuration.txt
--- old/haproxy-1.5.6/doc/configuration.txt 2014-10-18 17:48:02.000000000 +0200
+++ new/haproxy-1.5.8/doc/configuration.txt 2014-10-31 10:06:53.000000000 +0100
@@ -2,9 +2,9 @@
HAProxy
Configuration Manual
----------------------
- version 1.5.6
+ version 1.5.8
willy tarreau
- 2014/10/18
+ 2014/10/31
This document covers the configuration language as implemented in the version
@@ -657,6 +657,15 @@
as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
"bind" keyword for more information.
+ssl-default-bind-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+ default ssl-options to force on all "bind" lines. Please check the "bind"
+ keyword to see available options.
+
+ Example:
+ global
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+
ssl-default-server-ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It
sets the default string describing the list of cipher algorithms that are
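Review bot: the added description of "ssl-default-bind-options" says it "sets default ssl-options to force on all "bind" lines", which mixes "default" and "force" and leaves open whether a "bind" line can undo a global option. That matters for the example given: an operator who sets "no-sslv3" globally needs to know whether a single listener can still end up with SSLv3 enabled. State explicitly that the options are added to every "bind" line and whether a per-line setting can override them.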
@@ -665,6 +674,11 @@
defined in "man 1 ciphers". Please check the "server" keyword for more
information.
+ssl-default-server-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+ default ssl-options to force on all "server" lines. Please check the "server"
+ keyword to see available options.
+
ssl-server-verify [none|required]
The default behavior for SSL verify on servers side. If specified to 'none',
servers certificates are not verified. The default is 'required' except if
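Review bot: "ssl-default-server-options" is documented without an "Example:" block, unlike "ssl-default-bind-options" in the previous hunk. Add a matching example under "global" and, as for the bind variant, say whether a "server" line can override what is forced here.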
@@ -8379,19 +8393,23 @@
force-sslv3
This option enforces use of SSLv3 only on SSL connections instantiated from
this listener. SSLv3 is generally less expensive than the TLS counterparts
- for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+ for high connection rates. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv10
This option enforces use of TLSv1.0 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv11
This option enforces use of TLSv1.1 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
force-tlsv12
This option enforces use of TLSv1.2 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
gid <gid>
Sets the group of the UNIX sockets to the designated system gid. It can also
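Review bot: in the "force-sslv3" entry, the new sentence points to the global "ssl-default-bind-options" directly after text that recommends SSLv3 on cost grounds, while the example added for that keyword in this same patch disables it with "no-sslv3". A short caution that forcing SSLv3 globally applies to every listener would keep the two from reading as contradictory advice. The rewritten "See also" lists are also inconsistent: "force-sslv3" and "force-tlsv10" use '"no-tlsv*" and "no-sslv3"', while "force-tlsv11" and "force-tlsv12" use '"no-tlsv*", and "no-sslv3"'; pick one form.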
@@ -8484,35 +8502,40 @@
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option. See also "force-tls*",
+ be enabled using any configuration option. This option is also available on
+ global statement "ssl-default-bind-options". See also "force-tls*",
and "force-sslv3".
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
- session resumption is more expensive in CPU usage.
+ session resumption is more expensive in CPU usage. This option is also
+ available on global statement "ssl-default-bind-options".
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.0 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
no-tlsv11
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.1 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
no-tlsv12
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.2 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
npn <protocols>
This enables the NPN TLS extension and advertises the specified protocol list
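Review bot: the "See also" wildcard is inconsistent across this hunk. The "no-sslv3" entry keeps "force-tls*", while "no-tlsv10", "no-tlsv11" and "no-tlsv12" are changed to "force-tlsv*". Use "force-tlsv*" in all four so the cross-references match the actual keyword names.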
@@ -8845,25 +8868,29 @@
force-sslv3
This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for
- high connection rates. See also "no-tlsv*", "no-sslv3".
+ high connection rates. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
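Review bot: each "force-*" entry now says the option is available on the global "ssl-default-server-options" and is immediately followed by "Supported in default-server: No". A reader can easily take these as conflicting. Add one sentence explaining that the global statement is the only way to apply the option to all servers and that "default-server" still does not accept it.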
@@ -8951,7 +8978,8 @@
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
- session resumption is more expensive in CPU usage for servers.
+ session resumption is more expensive in CPU usage for servers. This option
+ is also available on global statement "ssl-default-server-options".
Supported in default-server: No
@@ -8959,8 +8987,9 @@
This option disables support for TLSv1.0 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -8968,8 +8997,9 @@
This option disables support for TLSv1.1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -8977,8 +9007,9 @@
This option disables support for TLSv1.2 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
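Review bot: this entry is for disabling TLSv1.2, but the paragraph being edited still justifies it with "TLSv1 is more expensive than SSLv3 so it often makes sense to disable it when communicating with local servers", copied from the TLSv1.0 entry. Since the paragraph is being touched anyway, correct the rationale for the TLSv1.1 and TLSv1.2 entries, or remove it; with the option now reachable from "ssl-default-server-options", that sentence reads as advice to turn off TLSv1.2 for every server.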
@@ -10681,6 +10712,11 @@
verification of the client certificate. If no error is encountered, 0 is
returned.
+ssl_c_der : binary
+ Returns the DER formatted certificate presented by the client when the
+ incoming connection was made over an SSL/TLS transport layer. When used for
+ an ACL, the value(s) to match against can be passed in hexadecimal form.
+
ssl_c_err : integer
When the incoming connection was made over an SSL/TLS transport layer,
returns the ID of the first error detected during verification at depth 0, or
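Review bot: the "ssl_c_der" text says the values "can be passed in hexadecimal form" when used in an ACL, but gives neither the match method to use for a binary sample nor an example. Add a one-line ACL example, and note that the comparison is against the whole DER encoding, so a reissued certificate with the same subject will not match. The same applies to "ssl_f_der" in the next hunk.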
@@ -10756,6 +10792,11 @@
Returns the version of the certificate presented by the client when the
incoming connection was made over an SSL/TLS transport layer.
+ssl_f_der : binary
+ Returns the DER formatted certificate presented by the frontend when the
+ incoming connection was made over an SSL/TLS transport layer. When used for
+ an ACL, the value(s) to match against can be passed in hexadecimal form.
+
ssl_f_i_dn([<entry>[,<occ>]]) : string
When the incoming connection was made over an SSL/TLS transport layer,
returns the full distinguished name of the issuer of the certificate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.6/examples/haproxy.spec new/haproxy-1.5.8/examples/haproxy.spec
--- old/haproxy-1.5.6/examples/haproxy.spec 2014-10-18 17:48:02.000000000 +0200
+++ new/haproxy-1.5.8/examples/haproxy.spec 2014-10-31 10:06:53.000000000 +0100
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.5.6
+Version: 1.5.8
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -76,6 +76,12 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Fri Oct 31 2014 Willy Tarreau