File haproxy.changes of Package haproxy.748

-------------------------------------------------------------------
Tue Jul  7 09:13:04 UTC 2015 - kgronlund@suse.com

- Backport security fixes and related patches (bsc#937202) (bsc#937042) (CVE-2015-3281)
  + BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
  + BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
  + MEDIUM: ssl: replace standards DH groups with custom ones
  + BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
  + MINOR: ssl: add a destructor to free allocated SSL ressources
  + BUG/MINOR: ssl: Display correct filename in error message
  + MINOR: ssl: load certificates in alphabetical order
  + BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
  + BUG/MEDIUM: ssl: force a full GC in case of memory shortage
  + BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.
  + BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
  + MINOR: ssl: add statement to force some ssl options in global.
  + MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs
- Added patches:
  + 0001-MINOR-ssl-add-fetchs-ssl_c_der-and-ssl_f_der-to-retu.patch
  + 0002-MINOR-ssl-add-statement-to-force-some-ssl-options-in.patch
  + 0003-BUG-MINOR-ssl-correctly-initialize-ssl-ctx-for-inval.patch
  + 0004-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
  + 0005-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
  + 0006-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
  + 0007-MINOR-ssl-load-certificates-in-alphabetical-order.patch
  + 0008-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch
  + 0009-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
  + 0010-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
  + 0011-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
  + 0012-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
  + 0013-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch

-------------------------------------------------------------------
Wed Sep  3 07:35:14 UTC 2014 - kgronlund@suse.com

- update to 1.5.4 (bnc#895849 CVE-2014-6269)
  - BUG: config: error in http-response replace-header number of arguments
  - BUG/MINOR: Fix search for -p argument in systemd wrapper.
  - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
  - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
  - MEDIUM: connection: add new bit in Proxy Protocol V2
  - BUG/MINOR: server: move the directive #endif to the end of file
  - BUG/MEDIUM: http: tarpit timeout is reset
  - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc*
  - BUG/MEDIUM: http: fix inverted condition in pat_match_meth()
  - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs
  - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg()
  - BUG/MEDIUM: acl: correctly compute the output type when a converter is used
  - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix
  - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer

- Dropped patches:
  - 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
  - 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
  - 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
  - 0004-BUG-config-error-in-http-response-replace-header-num.patch
  - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch

-------------------------------------------------------------------
Fri Aug 22 14:38:59 UTC 2014 - mrueckert@suse.de

- pull 2 more fixes from git:
  - 0004-BUG-config-error-in-http-response-replace-header-num.patch
    A couple of typo fixed in 'http-response replace-header':
    - an error when counting the number of arguments
    - a typo in the alert message
  - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
    Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
    (1.5-dev24-8), the tarpit section set timeout and return, after
    this commit, the tarpit section set the timeout, and go to the
    "done" label which reset the timeout.

-------------------------------------------------------------------
Wed Jul 30 09:47:38 UTC 2014 - mrueckert@suse.de

- pull important fixes from git:
  0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
  0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
  0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
  Especially the last patch is important:
  As a consequence of various recent changes on the sample
  conversion, a corner case has emerged where it is possible to
  wait forever for a sample in track-sc*.

-------------------------------------------------------------------
Mon Jul 28 11:33:14 UTC 2014 - kgronlund@suse.com

- update to 1.5.3
  - DOC: fix typo in Unix Socket commands
  - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
  - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
  - DOC: mention that Squid correctly responds 400 to PPv2 header
  - BUG/MINOR: http: base32+src should use the big endian version of base32
  - BUG/MEDIUM: connection: fix proxy v2 header again!
- Removed backported patches:
  - 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
  - 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
  - 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
  - 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
  - 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
  - 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch

-------------------------------------------------------------------
Mon Jul 21 13:45:40 UTC 2014 - mrueckert@suse.de

- added 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch:
  Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory
  corruption when building a proxy v2 header") was wrong, using
  &cn_trash instead of cn_trash resulting in a warning and the
  client's SSL cert CN not being stored at the proper location.

-------------------------------------------------------------------
Fri Jul 18 15:01:53 UTC 2014 - mrueckert@suse.de

- added
  0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch:
  BUG/MEDIUM: connection: fix memory corruption when building a
  proxy v2 header

-------------------------------------------------------------------
Thu Jul 17 10:45:28 UTC 2014 - mrueckert@suse.de

- pulled a few fixes from the 1.5 branch: most notable the DHE
  memleak fix. Adds the following patches:
  0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
  0002-DOC-fix-typo-in-Unix-Socket-commands.patch
  0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
  0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch

-------------------------------------------------------------------
Sat Jul 12 16:56:27 UTC 2014 - mrueckert@suse.de

- update to 1.5.2
  - BUG/MEDIUM: backend: Update hash to use unsigned int throughout
  - BUG/MINOR: ssl: Fix external function in order not to return a
    pointer on an internal trash buffer.
  - DOC: expand the docs for the provided stats.
  - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets
    upon failure.
  - MINOR: stats: fix minor typo in HTML page
  - BUG/MEDIUM: http: fetch "base" is not compatible with
    set-header
  - BUG/MINOR: counters: do not untrack counters before logging
  - BUG/MAJOR: sample: correctly reinitialize sample fetch context
    before calling sample_process()
  - MINOR: stick-table: make stktable_fetch_key() indicate why it
    failed
  - BUG/MEDIUM: counters: fix track-sc* to wait on unstable
    contents
  - BUILD: remove TODO from the spec file and add README
  - MINOR: log: make MAX_SYSLOG_LEN overridable at build time
  - MEDIUM: log: support a user-configurable max log line length
  - DOC: provide an example of how to use ssl_c_sha1
  - BUILD: http: fix isdigit & isspace warnings on Solaris
  - BUG/MINOR: listener: set the listener's fd to -1 after deletion
  - BUG/MEDIUM: unix: failed abstract socket binding is retryable
  - MEDIUM: listener: implement a per-protocol pause() function
  - MEDIUM: listener: support rebinding during resume()
  - BUG/MEDIUM: unix: completely unbind abstract sockets during a
    pause()
  - DOC: explicitly mention the limits of abstract namespace
    sockets
  - DOC: minor fix on {sc,src}_kbytes_{in,out}
  - DOC: fix alphabetical sort of converters
  - BUG/MAJOR: http: correctly rewind the request body after start
    of forwarding
  - DOC: remove references to CPU=native in the README
  - DOC: mention that "compression offload" is ignored in defaults
    section
- drop patches including in version upgrade.
  - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
  - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
  - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
  - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
  - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
  - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch
- use www.haproxy.org now instead of the old domain which is just
  redirecting to haproxy.org now.

-------------------------------------------------------------------
Tue Jul  1 12:13:33 UTC 2014 - kgronlund@suse.com

- BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents
- MINOR: stick-table: make stktable_fetch_key() indicate why it failed
- BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process()
- BUG/MINOR: counters: do not untrack counters before logging
- BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
- BUG/MEDIUM: http: fetch "base" is not compatible with set-header

- Add patches:
  - 0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch
  - 0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch
  - 0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch
  - 0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch
  - 0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch
  - 0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch

-------------------------------------------------------------------
Tue Jun 24 15:55:48 UTC 2014 - mrueckert@suse.de

- install the vim file into the versioned directory and dont cover
  the current symlink with a directory

-------------------------------------------------------------------
Tue Jun 24 13:00:39 UTC 2014 - mrueckert@suse.de

- add Requires to vim to make the ownership of the vim directory
  clear and not break any symlink handling the vim package might
  use.

-------------------------------------------------------------------
Tue Jun 24 12:23:55 UTC 2014 - mrueckert@suse.de

- update to 1.5.1
  - BUG/MINOR: config: http-request replace-header arg typo
  - BUG/MINOR: ssl: rejects OCSP response without nextupdate.
  - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
  - BUG/MINOR: ssl: Fix OCSP resp update fails with the same
    certificate configured twice.     (cherry picked from commit
    1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f)
  - BUG/MEDIUM: Consistently use 'check' in process_chk
  - BUG/MAJOR: session: revert all the crappy client-side timeout
    changes
  - BUG/MINOR: logs: properly initialize and count log sockets
- drop haproxy-1.5.0_consistently_use_check.patch:
  included upstream

-------------------------------------------------------------------
Tue Jun 24 09:51:25 UTC 2014 - kgronlund@suse.com

- Install vim file to a more appropriate location 

-------------------------------------------------------------------
Mon Jun 23 09:19:04 UTC 2014 - kgronlund@suse.com

- added pre macro for systemd service file 

-------------------------------------------------------------------
Mon Jun 23 08:28:06 UTC 2014 - kgronlund@suse.com

- Use better systemd detection consistently

-------------------------------------------------------------------
Sun Jun 22 19:48:11 UTC 2014 - mrueckert@suse.de

- pull commit 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6:
  Consistently use 'check' in process_chk
  I am not entirely sure that this is a bug, but it seems
  to me that it may cause a problem if there agent-check is
  configured and there is some kind of error making a connection
  for it.
  adds patch haproxy-1.5.0_consistently_use_check.patch

-------------------------------------------------------------------
Fri Jun 20 14:37:21 UTC 2014 - mrueckert@suse.de

- update to 1.5.0
  For people who don't follow the development versions, 1.5 expands
  1.4 with many new features and performance improvements,
  including native SSL support on both sides with SNI/NPN/ALPN and
  OCSP stapling, IPv6 and UNIX sockets are supported everywhere,
  full HTTP keep-alive for better support of NTLM and improved
  efficiency in static farms, HTTP/1.1 compression (deflate, gzip)
  to save bandwidth, PROXY protocol versions 1 and 2 on both sides,
  data sampling on everything in request or response, including
  payload, ACLs can use any matching method with any input sample
  maps and dynamic ACLs updatable from the CLI stick-tables support
  counters to track activity on any input sample custom format for
  logs, unique-id, header rewriting, and redirects, improved health
  checks (SSL, scripted TCP, check agent, ...), much more scalable
  configuration supports hundreds of thousands of backends and
  certificates without sweating.

  For all the details see /usr/share/doc/packages/haproxy/CHANGELOG

- enable tcp fast open if the kernel is recent enough
- enable PCRE JIT if PCRE is recent enough
- enable openssl support!
  - haproxy can finally terminate ssl itself and also talk SSL to
    the backend servers.
  - including SNI/NPN/ALPN support.
  new buildrequires openssl and pkgconfig
- enable deflate support
  new buildrequires zlib-devel
- enable transparent proxy support
- enable usage of accept4. reduces the syscall amount.
- enable building and installing of halog
- install vim file into the correct place
- dropped patches:
  0001-MEDIUM-add-systemd-service.patch
  0002-MEDIUM-add-haproxy-systemd-wrapper.patch
  0003-MEDIUM-New-cli-option-Ds-for-systemd-compatibility.patch
  0004-BUG-MEDIUM-systemd-wrapper-don-t-leak-zombie-process.patch
  0005-BUILD-stdbool-is-not-portable-again.patch
  0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
  0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
  0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
  0009-openSUSE-Configure-haproxy-user.patch
  0010-openSUSE-Fix-path-to-PCRE-library.patch
  0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
  0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
  0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
  0014-MINOR-systemd-wrapper-improve-logging.patch
  0015-MINOR-systemd-wrapper-propagate-exit-status.patch
- added haproxy-1.2.16_config_haproxy_user.patch:
  (replaces 0009-openSUSE-Configure-haproxy-user.patch)
- added haproxy-1.5_check_config_before_start.patch:
  systemd allows us to run other things before we start the final
  daemon. use this to check the configuration before launching.
- added haproxy-makefile_lib.patch
  (replaces 0010-openSUSE-Fix-path-to-PCRE-library.patch)
- added sec-options.patch:
  allow it more easily to build haproxy with PIE, stackprotector
  and relro. all those options are enabled on our build.
- added apparmor profile
  usr.sbin.haproxy.apparmor
  local.usr.sbin.haproxy.apparmor
- change the conditionals for systemd to use bcond_with to make it
  more obvious what we are guarding.

-------------------------------------------------------------------
Wed May 21 10:50:21 UTC 2014 - jsegitz@novell.com

- added necessary macros for systemd files

-------------------------------------------------------------------
Tue May  6 06:12:08 UTC 2014 - kgronlund@suse.com

- update to 1.4.25 (bnc#876438)
   - DOC: typo: nosepoll self reference in config guide
   - BUG/MINOR: deinit: free fdinfo while doing cleanup
   - BUG/MEDIUM: server: set the macro for server's max weight SRV_UWGHT_MAX to SRV_UWGHT_RANGE
   - BUG/MINOR: use the same check condition for server as other algorithms
   - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN for recv()
   - BUG/MINOR: fix forcing fastinter in "on-error"
   - BUG/MEDIUM: http/auth: Sometimes the authentication credentials can be mix between two requests
   - BUG/MAJOR: http: don't emit the send-name-header when no server is available
   - BUG/MEDIUM: http: "option checkcache" fails with the no-cache header
   - MEDIUM: session: disable lingering on the server when the client aborts
   - MINOR: config: warn when a server with no specific port uses rdp-cookie
   - MEDIUM: increase chunk-size limit to 2GB-1
   - DOC: add a mention about the limited chunk size
   - MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
   - BUILD: proto_tcp: remove a harmless warning
   - BUG/MINOR: acl: remove patterns from the tree before freeing them
   - BUG/MEDIUM: checks: fix slow start regression after fix attempt
   - BUG/MAJOR: server: weight calculation fails for map-based algorithms
   - BUG/MINOR: backend: fix target address retrieval in transparent mode
   - BUG/MEDIUM: stick: completely remove the unused flag from the store entries
   - BUG/MEDIUM: stick-tables: complete the latest fix about store-responses
   - BUG/MEDIUM: checks: tracking servers must not inherit the MAINT flag
   - BUG/MINOR: stats: report correct throttling percentage for servers in slowstart
   - BUG/MINOR: stats: correctly report throttle rate of low weight servers
   - BUG/MINOR: checks: successful check completion must not re-enable MAINT servers
   - BUG/MEDIUM: stats: the web interface must check the tracked servers before enabling
   - BUG/MINOR: channel: initialize xfer_small/xfer_large on new buffers
   - BUG/MINOR: stream-int: also consider ENOTCONN in addition to EAGAIN
   - BUG/MEDIUM: http: don't start to forward request data before the connect
   - DOC: fix misleading information about SIGQUIT
   - BUILD: simplify the date and version retrieval in the makefile
   - BUILD: prepare the makefile to skip format lines in SUBVERS and VERDATE
   - BUILD: use format tags in VERDATE and SUBVERS files

- Reorganized patches and backported fixes for systemd wrapper:
   - Renamed 0006-haproxy-1.2.16_config_haproxy_user.patch to 0009-openSUSE-Configure-haproxy-user.patch
   - Renamed 0007-haproxy-makefile_lib.patch to 0010-openSUSE-Fix-path-to-PCRE-library.patch
   - Removed 0008-MEDIUM-haproxy-systemd-wrapper-Revised-implementatio.patch
   - Added 0006-MEDIUM-haproxy-systemd-wrapper-Use-haproxy-in-same-d.patch
   - Added 0007-MEDIUM-systemd-wrapper-Kill-child-processes-when-int.patch
   - Added 0008-LOW-systemd-wrapper-Write-debug-information-to-stdou.patch
   - Added 0011-BUILD-MINOR-systemd-fix-compiler-warning-about-unuse.patch
   - Added 0012-BUG-MEDIUM-systemd-wrapper-fix-locating-of-haproxy-b.patch
   - Added 0013-MINOR-systemd-wrapper-re-execute-on-SIGUSR2.patch
   - Added 0014-MINOR-systemd-wrapper-improve-logging.patch
   - Added 0015-MINOR-systemd-wrapper-propagate-exit-status.patch

-------------------------------------------------------------------
Fri Nov 22 09:54:48 UTC 2013 - kgronlund@suse.com

- Backport haproxy-systemd-wrapper from upstream
- Patch haproxy-systemd-wrapper to work on openSUSE

-------------------------------------------------------------------
Thu Oct 31 12:46:04 UTC 2013 - kgronlund@suse.com

- Remove duplicate Requires: from .spec file.

-------------------------------------------------------------------
Thu Oct 31 12:41:12 UTC 2013 - kgronlund@suse.com

- Re-enable sysvinit support for older versions
  (server:http still builds for older versions)

-------------------------------------------------------------------
Mon Oct 28 14:32:00 UTC 2013 - p.drouand@gmail.com

- Add systemd support
  Target distributions all support systemd; keep alive sysvinit support
  is useless

-------------------------------------------------------------------
Thu Oct 10 15:16:32 UTC 2013 - cdenicolo@suse.com

- license update:  GPL-2.0+ and  LGPL-2.1+
  only header files are LGPL, the rest is still GPL

-------------------------------------------------------------------
Tue Jun 18 09:14:13 UTC 2013 - mrueckert@suse.de

- update to 1.4.24 (bnc#825412)
  - BUG/MAJOR: backend: consistent hash can loop forever in certain
    circumstances
  - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks
    are used
  - MEDIUM: protocol: implement a "drain" function in protocol
    layers
  - BUG/CRITICAL: fix a possible crash when using negative header
    occurrences CVE-2013-2175

-------------------------------------------------------------------
Wed Apr  3 14:47:43 UTC 2013 - mrueckert@suse.de

- update to 1.4.23 CVE-2013-1912
  - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
  - BUG: fix garbage data when http-send-name-header replaces an
    existing header
  - BUG/MEDIUM: remove supplementary groups when changing gid
  - BUG/MINOR: Correct logic in cut_crlf()
  - BUG/MINOR: config: use a copy of the file name in proxy
    configurations
  - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
  - MINOR: halog: sort output by cookie code
  - BUG/MINOR: halog: -ad/-ac report the correct number of output
    lines
  - BUG/MINOR: halog: fix help message for -ut/-uto
  - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel
    mode
  - BUG/MEDIUM: command-line option -D must have precedence over
    "debug"
  - OPTIM: halog: keep a fast path for the lines-count only
  - MINOR: halog: add a parameter to limit output line count
  - BUG: halog: fix broken output limitation
  - MEDIUM: checks: avoid accumulating TIME_WAITs during checks
  - MEDIUM: checks: prevent TIME_WAITs from appearing also on
    timeouts
  - BUG/MAJOR: cli: show sess <id> may randomly corrupt the
    back-ref list
  - BUG/MINOR: http: don't report client aborts as server errors
  - BUG/MINOR: http: don't log a 503 on client errors while waiting
    for requests
  - BUG/MEDIUM: tcp: process could theorically crash on lack of
    source ports
  - BUG/MINOR: http: don't abort client connection on premature
    responses
  - BUILD: no need to clean up when making git-tar
  - MINOR: http: always report PR-- flags for redirect rules
  - BUG/MINOR: time: frequency counters are not totally accurate
  - BUG/MINOR: http: don't process abortonclose when request was
    sent
  - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait()
  - BUG/MINOR: config: fix improper check for failed memory alloc
    in ACL parser
  - BUG/MEDIUM: checks: ensure the health_status is always within
    bounds
  - CLEANUP: http: remove a useless null check
  - BUG/MEDIUM: signal: signal handler does not properly check for
    signal bounds
  - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on
    memory shortage
  - CLEANUP: config: slowstart is never negative
  - BUILD: improve the makefile's support for libpcre
  - BUG/MINOR: checks: fix an warning introduced by commit 2f61455a
  - MEDIUM: halog: add support for counting per source address
    (-ic)
  - DOC: mention the new HTTP 307 and 308 redirect statues
    (cherry picked from commit
    b67fdc4cd8bde202f2805d98683ddab929469a05)
  - MEDIUM: poll: do not use FD_* macros anymore
  - BUG/MAJOR: ev_select: disable the select() poller if maxsock >
    FD_SETSIZE
  - BUILD: enable poll() by default in the makefile
  - BUILD: add explicit support for Mac OS/X
  - BUG/CRITICAL: using HTTP information in tcp-request content may
    crash the process CVE-2013-1912
  - MEDIUM: http: implement redirect 307 and 308
  - MINOR: http: status 301 should not be marked non-cacheable
- adapt haproxy-makefile_lib.patch to the rewritten Makefile

-------------------------------------------------------------------
Mon Nov 12 14:10:33 UTC 2012 - mrueckert@suse.de

- switch license tag to spdx format.

-------------------------------------------------------------------
Mon Nov 12 13:50:46 UTC 2012 - mrueckert@suse.de

- update to 1.4.22
  - BUG/MEDIUM: option forwardfor if-none doesn't work with some
    configurations
  - MINOR: balance uri: added 'whole' parameter to include query
    string in hash calculation
  - DOC: specify the default value for maxconn in the context of a
    proxy
  - BUG/MINOR: checks: expire on timeout.check if smaller than
    timeout.connect
  - REORG/MINOR: use dedicated proxy flags for the cookie handling
  - BUG/MINOR: config: do not report twice the incompatibility
    between cookie and non-http
  - MINOR: http: add support for "httponly" and "secure" cookie
    attributes
  - MEDIUM: stats: add support for soft stop/soft start in the
    admin interface
  - BUILD: add support for linux kernels >= 2.6.28
  - MINOR: contrib/iprange: add a network IP range to mask
    converter
  - BUILD: add an AIX 5.2 (and later) target.
  - MINOR: halog: use the more recent dual-mode fgets2
    implementation
  - BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on
    full-length matches
  - CLEANUP: halog: make clean should also remove .o files
    (cherry picked from commit
    8ad4193100aafa19f04929670371bf823dbe11d0)
  - OPTIM: halog: make use of memchr() on platforms which provide a
    fast one
  - OPTIM: halog: improve cold-cache behaviour when loading a file
  - [MINOR] config: make it possible to specify a cookie even
    without a server
  - MINOR: config: tolerate server "cookie" setting in non-HTTP
    mode
  - BUG/MINOR: tarpit: fix condition to return the HTTP 500 message

-------------------------------------------------------------------
Tue Oct 30 16:02:03 UTC 2012 - mrueckert@suse.de

- fix description in the init script

-------------------------------------------------------------------
Tue May 22 16:47:45 UTC 2012 - pascal.bleser@opensuse.org

- update to 1.4.21 (bnc#763833) CVE-2012-2391
  - MINOR: patch for minor typo (ressources/resources)
  - CLEANUP: fix typo in findserver() log message
  - DOC: cleanup indentation, alignment, columns and chapters
  - DOC: fix some keywords arguments documentation
  - MINOR: stats admin: allow unordered parameters in POST requests
  - MINOR: stats admin: use the backend id instead of its name in
    the form
  - BUG/MAJOR: trash must always be the size of a buffer
  - DOC: fix minor regex example issue and improve doc on stats
  - BUG/MAJOR: possible crash when using capture headers on TCP
    frontends
  - MINOR: config: disable header captures in TCP mode and complain
  - BUG/MEDIUM: balance source did not properly hash IPv6 addresses
  - CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
  - CLEANUP: remove a few warning about unchecked return values in
    debug code
  - CLEANUP: http: remove unused http_msg->col
  - BUG/MINOR: http: error snapshots are wrong if buffer wraps
  - BUG/MAJOR: checks: don't call set_server_status_* when no LB
    algo is set
  - MINOR: proxy: make findproxy() return proxies from numeric IDs
    too
  - BUILD: http: stop gcc-4.1.2 from complaining about possibly
    uninitialized values
  - BUG/MINOR: stop connect timeout when connect succeeds

-------------------------------------------------------------------
Sun Mar 11 19:16:20 UTC 2012 - pascal.bleser@opensuse.org

- update to 1.4.20:
  - BUG/MINOR: fix typo in processing of http-send-name-header
  - BUG/MEDIUM: correctly disable servers tracking another disabled servers.
  - BUG/MEDIUM: zero-weight servers must not dequeue requests from the backend
  - MINOR: halog: add some help on the command line     (cherry picked from
    commit 615674cdec067066a42f53f5d55628ab7b207e6c)
  - BUG: queue: fix dequeueing sequence on HTTP keep-alive sessions
  - BUG: http: disable TCP delayed ACKs when forwarding content-length data
  - BUG: checks: fix server maintenance exit sequence
  - BUG/MINOR: stream_sock: don't remove BF_EXPECT_MORE and BF_SEND_DONTWAIT on
    partial writes
  - DOC: enumerate valid status codes for "observe layer7"

-------------------------------------------------------------------
Wed Feb  8 15:30:58 UTC 2012 - mrueckert@suse.de

- update to 1.4.19
  - MEDIUM: http: add support for sending the server's name in the
    outgoing request
  - BUG/MINOR: fix options forwardfor if-none when an alternative
    header name is specified
  - MINOR: task: new function task_schedule() to schedule a wake up
  - BUG/MEDIUM: checks: fix slowstart behaviour when server
    tracking is in use
  - BUG: tcp: option nolinger does not work on backends
  - BUG: ebtree: ebst_lookup() could return the wrong entry
  - BUG: http: re-enable TCP quick-ack upon incomplete HTTP
    requests
  - CLEANUP: ebtree: remove a few annoying signedness warnings
  - CLEANUP: ebtree: remove 4-year old harmless typo in duplicates
    insertion code
  - CLEANUP: ebtree: remove another typo, a wrong initialization in
    insertion code
  - BUG: proto_tcp: set AF_INET on tproxy for use with recent
    kernels
  - MINOR: halog: add support for matching queued requests
  - BUG: http: tighten the list of allowed characters in a URI

-------------------------------------------------------------------
Wed Nov  9 12:09:33 UTC 2011 - mrueckert@suse.de

- update to 1.4.18
  - [MINOR] http: *_dom matching header functions now also split on
    ":"
  - [MINOR] halog: support backslash-escaped quotes
  - BUILD/MINOR: fix the source URL in the spec file
  - DOC: acl is http_first_req, not http_req_first
  - BUG/MEDIUM: don't trim last spaces from headers consisting only
    of spaces
  - MINOR: acl: add new matches for header/path/url length
  - [MINOR] halog: do not consider byte 0x8A as end of line
  - [OPTIM] halog: make fgets parse more bytes by blocks
  - [OPTIM] halog: add assembly version of the field lookup code
  - [CLEANUP] startup: report only the basename in the usage
    message
  - [DOC] update the README file to reflect new naming rules for
    patches

-------------------------------------------------------------------
Mon Sep 05 22:26:59 UTC 2011 - pascal.bleser@opensuse.org

- update to 1.4.17:
  - [MINOR] halog: add support for termination code matching (-tcn/-TCN)
  - [MINOR] halog: make SKIP_CHAR stop on field delimiters
  - [MINOR] halog: add support for HTTP log matching (-H)
  - [MINOR] halog: gain back performance before SKIP_CHAR fix
  - [OPTIM] halog: cache some common fields positions
  - [OPTIM] halog: check once for correct line format and reuse the pointer
  - [OPTIM] halog: remove many 'if' by using a function pointer for the filters
  - [OPTIM] halog: remove support for tab delimiters in input data
  - [MINOR] halog: add -hs/-HS to filter by HTTP status code range
  - [CLEANUP] update the year in the copyright banner
  - [BUG] check: http-check expect + regex would crash in defaults section
  - [MEDIUM] http: make x-forwarded-for addition conditional
  - [DOC] fixed a few "sensible" -> "sensitive" errors
  - [MINOR] stats: display "<NONE>" instead of the frontend name when unknown
  - [BUG] http: trailing white spaces must also be trimmed after headers
  - [MINOR] http: take a capture of too large requests and responses
  - [MINOR] http: take a capture of truncated responses
  - [MINOR] http: take a capture of bad content-lengths.

-------------------------------------------------------------------
Sat Aug 13 22:49:36 UTC 2011 - mrueckert@suse.de

- update to version 1.4.16
  - [BUG] checks: fix support of Mysqld >= 5.5 for mysql-check
  - [DOC] Minor spelling fixes and grammatical enhancements
  - [CLEANUP] Remove assigned but unused variables
  - [BUG] checks: http-check expect could fail a check on
    multi-packet responses
  - [DOC] fix minor typo in the "dispatch" doc
  - [MINOR] http: make the "HTTP 200" status code configurable.
  - [MINOR] http: partially revert the chunking optimization for
    now
  - [MINOR] stream_sock: always clear BF_EXPECT_MORE upon complete
    transfer
  - [CLEANUP] stream_sock: remove unneeded FL_TCP and factor out
    test
  - [MEDIUM] http: add support for "http-no-delay"
  - [OPTIM] http: optimize chunking again in non-interactive mode
  - [OPTIM] stream_sock: avoid fast-forwarding of partial data
  - [OPTIM] stream_sock: don't use splice on too small payloads
  - [BUG] stats: support url-encoded forms
  - [BUG] halog: correctly handle truncated last line
  - [DOC] fix typos, "#" is a sharp, not a dash

-------------------------------------------------------------------
Fri Apr 15 22:14:24 UTC 2011 - pascal.bleser@opensuse.org

- revert splitting out the documentation

-------------------------------------------------------------------
Thu Apr 14 19:18:45 UTC 2011 - pascal.bleser@opensuse.org

- split out documentation and examples into haproxy-doc
- add rpmlintrc to suppress false positive warnings about
  script examples in documentation files (without exec flag)
- fix license

-------------------------------------------------------------------
Tue Apr 12 15:31:38 UTC 2011 - mrueckert@suse.de

- update to version 1.4.15
  - [CRITICAL] fix risk of crash when dealing with space in
    response cookies
- additional changes from 1.4.14
  - [MINOR] config: fix endianness of server check port
  - [BUG] http: fix possible incorrect forwarded wrapping chunk
    size (take 2)
  - [MINOR] tools: add two macros MID_RANGE and MAX_RANGE
  - [BUG] http: fix content-length handling on 32-bit platforms
  - [OPTIM] buffers: uninline buffer_forward()

-------------------------------------------------------------------
Wed Mar  9 12:00:23 UTC 2011 - mrueckert@suse.de

- update to 1.4.13
  - config: don't crash on empty pattern files.
- additional changes from 1.4.12
  - stats: add support for several packets in stats admin
  - stats: admin commands must check the proxy state
  - stats: admin web interface must check the proxy state
  - http: update the header list's tail when removing the last
    header
  - fix typos (http-request instead of http-check)     (cherry
    picked from commit 8f2a1e72bebea700f37add40997b716fdfd86b9c)
  - http: use correct ACL pointer when evaluating authentication
  - cfgparse: correctly count one socket per port in ranges
  - startup: set the rlimits before binding ports, not after.
  - acl: srv_id must return no match when the server is NULL
  - acl: fd leak when reading patterns from file
  - fix minor typo in "usesrc"
  - http: fix possible incorrect forwarded wrapping chunk size
  - http: fix computation of message body length after forwarding
    has started
  - http: balance url_param did not work with first parameters on
    POST
  - update the url_param regression test to test check_post too

-------------------------------------------------------------------
>>>>>>> ./haproxy.changes.r40
Tue Feb 15 14:30:53 UTC 2011 - mrueckert@suse.de

- update to 1.4.11
  - cfgparse: Check whether the path given for the stats socket
    actually fits into the sockaddr_un structure to avoid
    truncation.
  - fix a minor typo
  - fix ignore-persist documentation
  - http: fix http-pretend-keepalive and httpclose/tunnel mode
  - add warnings on features not compatible with multi-process mode
  - acl: add be_id/srv_id to match backend's and server's id
  - log: add support for passing the forwarded hostname
  - log: ability to override the syslog tag
  - fix minor typos in the doc
  - fix another typo in the doc
  - http chunking: don't report a parsing error on connection
    errors
  - stream_interface: truncate buffers when sending error messages
  - http: fix incorrect error reporting during data transfers
  - session: correctly leave turn-around and queue states on abort
  - session: release slot before processing pending connections
  - stats: report HTTP message state and buffer flags in error
    dumps
  - http: support wrapping messages in error captures
  - http: capture incorrectly chunked message bodies
  - stats: add global event ID and count
  - http: don't send each chunk in a separate packet
  - acl: fix handling of empty lines in pattern files
  - ebtree: fix ebmb_lookup() with len smaller than the tree's keys
  - ebtree: ebmb_lookup: reduce stack usage by moving the return
    code out of the loop

-------------------------------------------------------------------
Mon Nov 29 13:57:37 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.10:
  * a possible crash when using Cookie-based persistence with
    appsessions was fixed
  * header processing could become wrong after a single reqidel
    rule removed exactly two headers
  * some out-of-memory conditions were not correctly handled in
    appsession or cookie captures
  * users of appsessions are strongly encouraged to upgrade

-------------------------------------------------------------------
Tue Nov  2 13:11:15 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.9:
  * the Web interface now allows you to enable or disable servers
  * the ECV and LDAPv3 checks were merged
  * the MySQL check was improved to support a real login sequence
  * persistence cookies can now be timestamped to support a maximum
    idle time and a maximum life time, and can be removed by the
    server if needed (e.g. logout)
  * the SNMP plugin was improved to report socket stats
  * some Cacti templates were merged
  * the halog tool can now instantly report per-URL response times

-------------------------------------------------------------------
Tue Aug 17 15:46:13 UTC 2010 - mrueckert@suse.de

- implement graceful restart in the init script

-------------------------------------------------------------------
Tue Jun 22 14:49:12 UTC 2010 - mrueckert@suse.de

- update to 1.4.8:
  * mention 'option http-server-close' effect in Tq section
  * summarize and highlight persistent connections behaviour
  * add configuration samples
  * stick_table: the fix for the memory leak caused a regression
  * client: don't add a new session to the list too early

-------------------------------------------------------------------
Thu Jun 10 09:03:34 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.7:
  * fixes problems where consistent hashing was broken when no
    server ID was specified in the configuration
  * some errors were incorrectly reported as failed instead of
    denied in the statistics
  * the dispatch and http_proxy modes were fixed
  * a few termination flags in the logs used for troubleshooting
    were corrected
  * a few other minor issues were fixed
  * upgrading is recommended

-------------------------------------------------------------------
Mon May 17 20:29:02 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.6:
  * a minor precision about RDP cookies was added to the
    documentation
  * a new ACL keyword was added
  * those who had no problem building and running 1.4.5 don't need
    to upgrade

- drop haproxy-fix_dprintf.patch, merged upstream

-------------------------------------------------------------------
Fri May 14 07:18:03 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.5:
  * Haproxy can now read huge ACL pattern lists from files and
    match inputs against them without any noticeable performance
    impact, making geolocation possible
  * adds a new "ignore-persist" directive, allowing it to ignore
    the persistence cookie if an ACL-based condition is matched
    (which is useful for static objects in stateful farms)
  * a few other minor improvements
  * a nice performance boost of the log analyzer, which can now
    process more than 1 GB of logs per second and report request
    counts by status codes

-------------------------------------------------------------------
Thu Apr  8 09:41:51 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.4:
  * brings a new option to work around optimization issues with
    Tomcat and Jetty in server close mode, and for a bug in Jetty's
    handling of Expect: 100-continue
  * a very old appsession unexpected match of shorter cookie names
    was also fixed
  * a new feature to make it possible to connect to a server from
    an IP found in a header was merged: it allows you to run
    stunnel+haproxy in transparent mode together

-------------------------------------------------------------------
Fri Apr  2 23:42:44 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.3:
  * fxes a regression introduced in 1.4.2 which could cause a
    connection to still be attempted on the server side in case of
    an error on the client side; this issue could even lead to a
    crash if a Layer7 hash algorithm was used, so this code was
    strengthened
  * the configuration parser now detects many more inappropriate
    options in TCP mode and emits related warnings
  * it is now possible to indicate in the configuration that a
    server will start in the "disabled" state
  * other very minor issues were fixed

-------------------------------------------------------------------
Thu Mar 18 12:00:49 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.2:
  * fixes a very rare case of stuck client sessions when using
    keep-alive
  * fixes a url_param hash bug which could result in a dead server
    in very rare situations
  * fixes status codes 501 and 505 which could cause a server to be
    marked down if on-error was used
  * fixes a risk of getting truncated HTTP responses when
    chunk-encoding was used
  * fixes an issue with anonymous ACLs
  * improvements on health checks

-------------------------------------------------------------------
Fri Mar  5 00:45:12 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.1:
  * some errors were incorrectly reported as 502 with the flags
   "SL" in the logs; this is now fixed
  * other minor issues were fixed
  * documentation was updated

-------------------------------------------------------------------
Fri Feb 26 20:44:34 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.0:
  * new features:
    + keep-alive
    + IP-based stickiness
    + consistent hashing
    + support for the RDP protocol
    + a much nicer stats interface
    + a much-improved performance level
  * add -fno-strict-aliasing

- changes from 1.4rc1:
  * new features:
    + server maintenance mode
    + HTTP authentication (server and proxy)
    + secure passwords
    + conditional request/response header rewriting using ACLs
    + anonymous ACLs that can be declared inline
    + support for HTTP/1.1 101+Upgrade status code to support non-
      HTTP protocols such as WebSocket

-------------------------------------------------------------------
Thu Feb 11 15:20:01 UTC 2010 - mrueckert@suse.de

- update to 1.3.23

-------------------------------------------------------------------
Tue Sep 15 14:09:34 CEST 2009 - mrueckert@suse.de

- update to 1.3.20

-------------------------------------------------------------------
Fri Apr  3 13:54:40 CEST 2009 - mrueckert@suse.de

- update to 1.3.17

-------------------------------------------------------------------
Mon Mar  9 16:40:38 CET 2009 - mrueckert@suse.de

- update to 1.3.15.8

-------------------------------------------------------------------
Wed Feb  4 15:13:15 CET 2009 - mrueckert@suse.de

- update to 1.3.15.7

-------------------------------------------------------------------
Mon Sep 15 15:52:45 CEST 2008 - mrueckert@suse.de

- update to 1.3.15.4

-------------------------------------------------------------------
Sun Nov  4 21:21:35 CET 2007 - mrueckert@suse.de

- update to 1.3.13.1:
  too many changes see changelog file

-------------------------------------------------------------------
Mon Apr  2 00:53:38 CEST 2007 - mrueckert@suse.de

- prepared spec for easy split out of -snapshot packages.
- added vim syntax file

-------------------------------------------------------------------
Mon Mar 19 17:50:33 CET 2007 - mrueckert@suse.de

- update to 1.2.17:
  - replaced the linked-list with a faster rbtree in the scheduler
  - add user/group support (Marcus Rueckert)
  - add the "except" keyword to the "forwardfor" option (Bryan
    Germann)
  - re-implemented support for multi-line headers (was
    incidently reverted)
  - fixed possible crash when no cookie was set on a server
  - fixed various length checks in appsession
  - fixed unlikely memory leak in appsession in case of memory
    shortage
  - updates to the architecture guide
- remove haproxy-1.2.16_username_groupname_support.patch:
  patch included upstream

-------------------------------------------------------------------
Mon Jan  8 00:27:17 CET 2007 - mrueckert@suse.de

- initial package of 1.2.16
- added 2 patches:
  haproxy-1.2.16_config_haproxy_user.patch
  haproxy-1.2.16_username_groupname_support.patch
  the patches allow to specify username and groupname instead of
  uid/gid. The patches are needed as we do not have a static
  uid/gid for the haproxy user/group.
openSUSE Build Service is sponsored by