Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2026-04-25 21:36:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Sat Apr 25 21:36:20 2026 rev:181 rq:1349028 version:3.3.7+git0.a32bce2da Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2026-04-20 16:14:06.144134272 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new.11940/haproxy.changes 2026-04-25 21:36:49.736444763 +0200 @@ -1,0 +2,43 @@ +Thu Apr 23 20:14:13 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to version 3.3.7+git0.a32bce2da: + * [RELEASE] Released version 3.3.7 + * BUG/MEDIUM: mux-h1: Force close mode for bodyless message announcing a C-L + * BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well + * BUG/MINOR: server: fix a possible leak of an error message in dynamic servers + * BUG/MINOR: debug: properly mark the entire libs archive read-only + * BUG/MINOR: compression: properly disable request when setting response + * CI: github: only enable OS X on development branches + * CI: VTest build with git clone + cache + * SCRIPTS: build-vtest: allow to set a TMPDIR and a DESTDIR + +------------------------------------------------------------------- +Thu Apr 23 09:48:25 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to version 3.3.6+git110.27ea9dccd: + * REGTESTS: ssl: mark ssl_dh.vtc as broken + * REGTESTS: Never reuse server connection in server/cli_delete_dynamic_server.vtc + * REGTESTS: Never reuse server connection in jwt/jws_verify.vtc + * DOC: config: Fix a typo for "external-check" directive + * BUG/MINOR: mux-h1: Fix test to skip trailers from chunked messages + * BUG/MINOR: mux-h1: Fix condition to send null-chunk for bodyless message + * BUG/MINOR: log: also wait for the response when logging response headers + * BUG/MINOR: H2: Don't forget to free shared_rx_bufs on failure + * BUG/MINOR: h2: Don't look at the exclusive bit for PRIORITY frame + * BUG/MINOR: h2: make tune.h2.log-errors actually work + * BUG/MEDIUM: tasks: Make sure we don't schedule a task already running + * BUG/MINOR: mux-h2: count a proto error when rejecting a stream on parsing error + * BUG/MINOR: mux-h2: count a protocol error when failing to parse a trailer + * reg-tests/ssl/ssl_dh.vtc: fix syntax error + * BUG/MAJOR: sched: protect task->expire on 32-bit platforms + +------------------------------------------------------------------- +Tue Apr 21 09:35:30 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to version 3.3.6+git95.410f6cbff: + * BUG/MINOR: sample: adjust dependencies for channel output bytes counters + * MINOR: sample: make RQ/RS stats available everywhere + * BUG/MINOR: log: consider format expression dependencies to decide when to log + * BUG/MINOR: mux_quic: limit avail_streams() to 2^62 + +------------------------------------------------------------------- Old: ---- haproxy-3.3.6+git91.af5637e93.tar.gz New: ---- haproxy-3.3.7+git0.a32bce2da.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.x2ZJtf/_old 2026-04-25 21:36:52.736566199 +0200 +++ /var/tmp/diff_new_pack.x2ZJtf/_new 2026-04-25 21:36:52.744566522 +0200 @@ -35,7 +35,7 @@ %bcond_with ech Name: haproxy -Version: 3.3.6+git91.af5637e93 +Version: 3.3.7+git0.a32bce2da Release: 0 # Summary: The Reliable, High Performance TCP/HTTP Load Balancer ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.x2ZJtf/_old 2026-04-25 21:36:53.288588543 +0200 +++ /var/tmp/diff_new_pack.x2ZJtf/_new 2026-04-25 21:36:53.324590000 +0200 @@ -5,7 +5,7 @@ </service> <service name="tar_scm"> <param name="url">http://git.haproxy.org/git/haproxy-3.3.git/</param> - <param name="changesrevision">af5637e93f7aeab7718b4f45c7bf7377d31f576b</param> + <param name="changesrevision">a32bce2da931b0e5b0ef5c630a3a53f37c32733b</param> </service> </servicedata> (No newline at EOF) ++++++ haproxy-3.3.6+git91.af5637e93.tar.gz -> haproxy-3.3.7+git0.a32bce2da.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/.github/actions/setup-vtest/action.yml new/haproxy-3.3.7+git0.a32bce2da/.github/actions/setup-vtest/action.yml --- old/haproxy-3.3.6+git91.af5637e93/.github/actions/setup-vtest/action.yml 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/.github/actions/setup-vtest/action.yml 2026-04-23 21:32:22.000000000 +0200 @@ -20,7 +20,21 @@ ulimit -n 65536 ulimit -c unlimited + - name: Get VTest latest commit SHA + id: vtest-sha + shell: bash + run: | + echo "sha=$(git ls-remote https://code.vinyl-cache.org/vtest/VTest2 HEAD | cut -f1)" >> $GITHUB_OUTPUT + + - name: Cache VTest + id: cache-vtest + uses: actions/cache@v4 + with: + path: ${{ github.workspace }}/../vtest + key: vtest-${{ runner.os }}-${{ steps.vtest-sha.outputs.sha }} + - name: Install VTest + if: steps.cache-vtest.outputs.cache-hit != 'true' shell: bash run: | scripts/build-vtest.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/.github/matrix.py new/haproxy-3.3.7+git0.a32bce2da/.github/matrix.py --- old/haproxy-3.3.6+git91.af5637e93/.github/matrix.py 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/.github/matrix.py 2026-04-23 21:32:22.000000000 +0200 @@ -293,24 +293,21 @@ } ) - # macOS - - if is_stable: - os = "macos-13" # stable branch - else: + # macOS on dev branches + if "haproxy-" not in ref_name: os = "macos-26" # development branch - TARGET = "osx" - for CC in ["clang"]: - matrix.append( - { - "name": "{}, {}, no features".format(os, CC), - "os": os, - "TARGET": TARGET, - "CC": CC, - "FLAGS": [], - } - ) + TARGET = "osx" + for CC in ["clang"]: + matrix.append( + { + "name": "{}, {}, no features".format(os, CC), + "os": os, + "TARGET": TARGET, + "CC": CC, + "FLAGS": [], + } + ) # Print matrix diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/CHANGELOG new/haproxy-3.3.7+git0.a32bce2da/CHANGELOG --- old/haproxy-3.3.6+git91.af5637e93/CHANGELOG 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/CHANGELOG 2026-04-23 21:32:22.000000000 +0200 @@ -1,6 +1,126 @@ ChangeLog : =========== +2026/04/23 : 3.3.7 + - BUG/MINOR: mworker: fix sort order of mworker_proc in 'show proc' + - BUG/MINOR: sock: adjust accept() error messages for ENFILE and ENOMEM + - BUG/MINOR: qpack: fix 62-bit overflow and 1-byte OOB reads in decoding + - MEDIUM: sched: do not run a same task multiple times in series + - MINOR: sched: do not requeue a tasklet into the current queue + - MINOR: sched: do not punish self-waking tasklets anymore + - MEDIUM: sched: do not punish self-waking tasklets if TASK_WOKEN_ANY + - MEDIUM: sched: change scheduler budgets to lower TL_BULK + - MINOR: mux-h2: assign a limited frames processing budget + - BUILD: sched: fix leftover of debugging test in single-run changes + - BUG/MEDIUM: acme: fix multiple resource leaks in acme_x509_req() + - BUG/MINOR: acme: leak of ext_san upon insertion error + - BUG/MINOR: acme: wrong error when checking for duplicate section + - BUG/MINOR: acme/cli: wrong argument check in 'acme renew' + - Revert "BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream" + - DOC: config: Fix alphabetical ordering of proxy options + - DOC: config: Fix alphabetical ordering of external-check directives + - DOC: config: Add missing 'status-code' param for 'http-check expect' directive + - DOC: config: Reorder params for 'tcp-check expect' directive + - BUG/MINOR: stats-file: manipulate shm-stats-file heartbeat using unsigned int + - BUG/MEDIUM: stats-file: detect and fix inconsistent shared clock when resuming from shm-stats-file + - BUG/MINOR: proxy: detect strdup error on server auto SNI + - BUG/MINOR: server: set auto SNI for dynamic servers + - BUG/MINOR: server: enable no-check-sni-auto for dynamic servers + - BUG/MINOR: quic: fix counters used on BE side + - BUG/MINOR: quic/h3: display QUIC/H3 backend module on HTML stats + - BUG/MINOR: acme: acme_ctx_destroy() leaks auth->dns + - BUG/MINOR: acme: wrong labels logic always memprintf errmsg + - BUG/MINOR: acme: fix incorrect number of arguments allowed in config + - BUG/MEDIUM: spoe: Acquire context buffer in applet before consuming a frame + - MINOR: ncbmbuf: improve itbmap_next() code + - BUG/MINOR: quic: missing app ops init during backend 0-RTT sessions + - BUG/MINOR: acme: free() DER buffer on a2base64url error path + - BUG/MINOR: acme: replace atol with len-bounded __strl2uic() for retry-after + - BUG/MINOR: acme/cli: fix argument check and error in 'acme challenge_ready' + - BUILD: tools: potential null pointer dereference in dl_collect_libs_cb + - BUG/MINOR: ech: permission checks on the CLI + - BUG/MINOR: acme: permission checks on the CLI + - BUG/MINOR: config: Properly test warnif_misplaced_* return values + - BUG/MINOR: http-ana: Only consider client abort for abortonclose + - BUG/MEDIUM: acme: skip doing challenge if it is already valid + - BUG/MINOR: acme: fix task allocation leaked upon error + - CI: github: fix tag listing by implementing proper API pagination + - BUG/MINOR: quic: close conn on packet reception with incompatible frame + - BUG/MINOR: stconn: Always declare the SC created from healthchecks as a back SC + - MINOR: stconn: flag the stream endpoint descriptor when the app has started + - MINOR: mux-h2: report glitches on early RST_STREAM + - SCRIPTS: git-show-backports: list new commits and how to review them with -L + - BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level + - BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level + - BUG/MEDIUM: map/cli: map/acl commands warn when accessed without admin level + - BUG/MEDIUM: ssl/cli: tls-keys commands are missing permission checks + - BUG/MEDIUM: ssl/ocsp: ocsp commands are missing permission checks + - BUG/MEDIUM: map/cli: CLI commands lack admin permission checks + - DOC: configuration: mention QUIC server support + - BUG/MEDIUM: mux-h1: Don't set MSG_MORE on bodyless responses forwarded to client + - BUG/MINOR: tcpcheck: Remove unexpected flag on tcpcheck rules for httchck option + - BUG/MINOR: tcpcheck: Don't enable http_needed when parsing HTTP samples + - BUG/MINOR: tcpcheck: Use tcpcheck context for expressions parsing + - BUG/MINOR: quic: fix documentation for transport params decoding + - BUG/MINOR: cfgcond: properly set the error pointer on evaluation error + - BUG/MINOR: cfgcond: always set the error string on openssl_version checks + - BUG/MINOR: cfgcond: always set the error string on awslc_api checks + - BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature" + - DOC: config: fix ambiguous info in log-steps directive description + - BUG/MEDIUM: mux-h1: Disable 0-copy forwarding when draining the request + - BUG/MINOR: http-act: fix a typo in the "pause" action error message + - BUG/MINOR: counters: fix unexpected 127 char GUID truncation for shm-stats-file objects + - BUG/MEDIUM: payload: validate SNI name_len in req.ssl_sni + - BUG/MEDIUM: jwt: fix heap overflow in ECDSA signature DER conversion + - BUG: hlua: fix stack overflow in httpclient headers conversion + - BUG/MINOR: hlua: fix stack overflow in httpclient headers conversion + - BUG/MINOR: hlua: fix format-string vulnerability in Patref error path + - BUG/MINOR: peers: fix OOB heap write in dictionary cache update + - BUG/MAJOR: slz: always make sure to limit fixed output to less than worst case literals + - BUG/MINOR: resolvers: fix memory leak on AAAA additional records + - BUG/MINOR: spoe: fix pointer arithmetic overflow in spoe_decode_buffer() + - BUG/MEDIUM: samples: Fix handling of SMP_T_METH samples + - BUG/MINOR: sample: fix info leak in regsub when exp_replace fails + - BUG/MEDIUM: mux-fcgi: prevent record-length truncation with large bufsize + - BUG/MINOR: hlua: fix use-after-free of HTTP reason string + - BUG/MINOR: ot: fixed wrong NULL check in flt_ot_parse_cfg_group() + - BUG/MINOR: log: Fix error message when using unavailable fetch in logfmt + - BUG/MEDIUM: cli: Properly handle too big payload on a command line + - BUG/MEDIUM: htx: Fix function used to change part of a block value when defrag + - BUG/MEDIUM: htx: Don't count delta twice when block value is replaced + - BUG/MINOR: acme: don't pass NULL into format string + - BUG/MEDIUM: peers: trash of expired entries delayed after fullresync + - BUG/MINOR: threads: properly set the number of tgroups when non using policy + - BUG/MEDIUM: mux-h2: ignore conn->owner when deciding if a connection is dead + - BUG/MINOR: task: fix uninitialised read in run_tasks_from_lists() + - BUG/MINOR: mux_quic: limit avail_streams() to 2^62 + - BUG/MINOR: log: consider format expression dependencies to decide when to log + - MINOR: sample: make RQ/RS stats available everywhere + - BUG/MINOR: sample: adjust dependencies for channel output bytes counters + - BUG/MAJOR: sched: protect task->expire on 32-bit platforms + - reg-tests/ssl/ssl_dh.vtc: fix syntax error + - BUG/MINOR: mux-h2: count a protocol error when failing to parse a trailer + - BUG/MINOR: mux-h2: count a proto error when rejecting a stream on parsing error + - BUG/MEDIUM: tasks: Make sure we don't schedule a task already running + - BUG/MINOR: h2: make tune.h2.log-errors actually work + - BUG/MINOR: h2: Don't look at the exclusive bit for PRIORITY frame + - BUG/MINOR: H2: Don't forget to free shared_rx_bufs on failure + - BUG/MINOR: log: also wait for the response when logging response headers + - BUG/MINOR: mux-h1: Fix condition to send null-chunk for bodyless message + - BUG/MINOR: mux-h1: Fix test to skip trailers from chunked messages + - DOC: config: Fix a typo for "external-check" directive + - REGTESTS: Never reuse server connection in jwt/jws_verify.vtc + - REGTESTS: Never reuse server connection in server/cli_delete_dynamic_server.vtc + - REGTESTS: ssl: mark ssl_dh.vtc as broken + - SCRIPTS: build-vtest: allow to set a TMPDIR and a DESTDIR + - CI: VTest build with git clone + cache + - CI: github: only enable OS X on development branches + - BUG/MINOR: compression: properly disable request when setting response + - BUG/MINOR: debug: properly mark the entire libs archive read-only + - BUG/MINOR: server: fix a possible leak of an error message in dynamic servers + - BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well + - BUG/MEDIUM: mux-h1: Force close mode for bodyless message announcing a C-L + 2026/03/19 : 3.3.6 - BUG/MEDIUM: shctx: Use the next block when data exactly filled a block - BUG/MINOR: mworker: don't set the PROC_O_LEAVING flag on master process diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/VERDATE new/haproxy-3.3.7+git0.a32bce2da/VERDATE --- old/haproxy-3.3.6+git91.af5637e93/VERDATE 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/VERDATE 2026-04-23 21:32:22.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2026/03/19 +2026/04/23 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/VERSION new/haproxy-3.3.7+git0.a32bce2da/VERSION --- old/haproxy-3.3.6+git91.af5637e93/VERSION 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/VERSION 2026-04-23 21:32:22.000000000 +0200 @@ -1 +1 @@ -3.3.6 +3.3.7 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/doc/configuration.txt new/haproxy-3.3.7+git0.a32bce2da/doc/configuration.txt --- old/haproxy-3.3.6+git91.af5637e93/doc/configuration.txt 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/doc/configuration.txt 2026-04-23 21:32:22.000000000 +0200 @@ -3,7 +3,7 @@ Configuration Manual ---------------------- version 3.3 - 2026/03/19 + 2026/04/23 This document covers the configuration language as implemented in the version @@ -7580,7 +7580,7 @@ Arguments : <command> is the external command to run - The arguments passed to the to the command are: + The arguments passed to the command are: <proxy_address> <proxy_port> <server_address> <server_port> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/include/haproxy/mux_quic.h new/haproxy-3.3.7+git0.a32bce2da/include/haproxy/mux_quic.h --- old/haproxy-3.3.6+git91.af5637e93/include/haproxy/mux_quic.h 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/include/haproxy/mux_quic.h 2026-04-23 21:32:22.000000000 +0200 @@ -59,6 +59,9 @@ /* This bit is set for unidirectional streams */ #define QCS_ID_DIR_BIT 0x2 +/* Maximum bidirectional stream ID that a client can opened. */ +#define QCS_ID_MAX_STRM_CL_BIDI (QUIC_VARINT_8_BYTE_MAX - 3) + static inline enum qcs_type qcs_id_type(uint64_t id) { return id & QCS_ID_TYPE_MASK; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/include/haproxy/task-t.h new/haproxy-3.3.7+git0.a32bce2da/include/haproxy/task-t.h --- old/haproxy-3.3.6+git91.af5637e93/include/haproxy/task-t.h 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/include/haproxy/task-t.h 2026-04-23 21:32:22.000000000 +0200 @@ -128,6 +128,12 @@ * pointer if the task/tasklet remains valid, and return NULL if it has been * deleted. The scheduler relies on this to know if it should update its state * on return. + * + * Keep in mind that tasks can be cast to tasklets while in the final tasklet + * queues, and will be listed via the tasklet's <list> instead of the task's + * <rq>. However other fields (wq, common) must remain totally valid for the + * task during this time. This explains why certain elements are present in + * the common part even though pure tasklets do not need them. */ #define TASK_COMMON \ unsigned int state; /* task state : bitfield of TASK_ */ \ @@ -138,14 +144,14 @@ uint32_t wake_date; /* date of the last task wakeup */ \ unsigned int calls; /* number of times process was called */ \ TASK_DEBUG_STORAGE; \ - short last_run; /* 16-bit now_ms of last run */ - /* a 16- or 48-bit hole remains here and is used by task */ + short last_run; /* 16-bit now_ms of last run */ \ + short nice; /* task prio from -1024 to +1024 */ \ + int expire; /* next expiration date for this task, in ticks */ + /* total: 36 or 48 bytes on 32/64 bit platforms */ /* The base for all tasks */ struct task { TASK_COMMON; /* must be at the beginning! */ - short nice; /* task prio from -1024 to +1024 */ - int expire; /* next expiration date for this task, in ticks */ struct eb32_node rq; /* ebtree node used to hold the task in the run queue */ /* WARNING: the struct task is often aliased as a struct tasklet when * it is NOT in the run queue. The tasklet has its struct list here @@ -158,7 +164,6 @@ /* lightweight tasks, without priority, mainly used for I/Os */ struct tasklet { TASK_COMMON; /* must be at the beginning! */ - /* 48-bit hole here */ struct list list; /* WARNING: the struct task is often aliased as a struct tasklet when * it is not in the run queue. The task has its struct rq here where diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/include/haproxy/task.h new/haproxy-3.3.7+git0.a32bce2da/include/haproxy/task.h --- old/haproxy-3.3.6+git91.af5637e93/include/haproxy/task.h 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/include/haproxy/task.h 2026-04-23 21:32:22.000000000 +0200 @@ -713,12 +713,27 @@ #ifdef USE_THREAD if (task->tid < 0) { + int was_running; + /* + * Make sure the task is not already running before changing + * its expire, otherwise it could overwrite our modification + */ + if (task == th_ctx->current) + was_running = 1; + else { + was_running = 0; + while (HA_ATOMIC_FETCH_OR(&task->state, TASK_RUNNING) & TASK_RUNNING) + __ha_cpu_relax(); + } + /* FIXME: is it really needed to lock the WQ during the check ? */ HA_RWLOCK_WRLOCK(TASK_WQ_LOCK, &wq_lock); if (task_in_wq(task)) when = tick_first(when, task->expire); task->expire = when; + if (!was_running) + task_drop_running(task, 0); if (!task_in_wq(task) || tick_is_lt(task->expire, task->wq.key)) { if (likely(caller)) { caller = HA_ATOMIC_XCHG(&task->caller, caller); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/reg-tests/jwt/jws_verify.vtc new/haproxy-3.3.7+git0.a32bce2da/reg-tests/jwt/jws_verify.vtc --- old/haproxy-3.3.6+git91.af5637e93/reg-tests/jwt/jws_verify.vtc 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/reg-tests/jwt/jws_verify.vtc 2026-04-23 21:32:22.000000000 +0200 @@ -18,7 +18,7 @@ server s1 -repeat 27 { rxreq - txresp + txresp -hdr "Connection: close" } -start haproxy h1 -conf { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/reg-tests/server/cli_delete_dynamic_server.vtc new/haproxy-3.3.7+git0.a32bce2da/reg-tests/server/cli_delete_dynamic_server.vtc --- old/haproxy-3.3.6+git91.af5637e93/reg-tests/server/cli_delete_dynamic_server.vtc 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/reg-tests/server/cli_delete_dynamic_server.vtc 2026-04-23 21:32:22.000000000 +0200 @@ -8,14 +8,14 @@ # static server server s1 -repeat 3 { rxreq - txresp \ + txresp -hdr "Connection: close" \ -body "resp from s1" } -start # use as a dynamic server, added then deleted via CLI server s2 -repeat 3 { rxreq - txresp \ + txresp -hdr "Connection: close" \ -body "resp from s2" } -start diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/reg-tests/ssl/ssl_dh.vtc new/haproxy-3.3.7+git0.a32bce2da/reg-tests/ssl/ssl_dh.vtc --- old/haproxy-3.3.6+git91.af5637e93/reg-tests/ssl/ssl_dh.vtc 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/reg-tests/ssl/ssl_dh.vtc 2026-04-23 21:32:22.000000000 +0200 @@ -1,4 +1,6 @@ -#REGTEST_TYPE=devel +#REGTEST_TYPE=broken + +# test seems broken since it was fixed in 3610a767 # This reg-tests checks that the DH-related mechanisms works properly. # When no DH is specified, either directly in the server's PEM or through a @@ -19,7 +21,7 @@ varnishtest "Test the DH related SSL options" # AWS-LC does not support any FFDH ciphersuites -feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(AWS-LC)' && !ssllib_name_startswith(wolfSSL)'" +feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(AWS-LC) && !ssllib_name_startswith(wolfSSL)'" feature cmd "command -v openssl && command -v grep && command -v socat" feature ignore_unknown_macro diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/scripts/build-vtest.sh new/haproxy-3.3.7+git0.a32bce2da/scripts/build-vtest.sh --- old/haproxy-3.3.6+git91.af5637e93/scripts/build-vtest.sh 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/scripts/build-vtest.sh 2026-04-23 21:32:22.000000000 +0200 @@ -1,10 +1,10 @@ #!/bin/sh +DESTDIR=${DESTDIR:-${PWD}/../vtest/} +TMPDIR=${TMPDIR:-$(mktemp -d)} set -eux -curl -fsSL "https://code.vinyl-cache.org/vtest/VTest2/archive/main.tar.gz"; -o VTest.tar.gz -mkdir ../vtest -tar xvf VTest.tar.gz -C ../vtest --strip-components=1 +git clone https://code.vinyl-cache.org/vtest/VTest2 "${TMPDIR}/vtest" # Special flags due to: https://github.com/vtest/VTest/issues/12 # Note: do not use "make -C ../vtest", otherwise MAKEFLAGS contains "w" @@ -13,7 +13,7 @@ # MFLAGS works on BSD but misses variable definitions on GNU Make. # Better just avoid the -C and do the cd ourselves then. -cd ../vtest +cd "${TMPDIR}/vtest" set +e CPUS=${CPUS:-$(nproc 2>/dev/null)} @@ -28,3 +28,6 @@ else make -j${CPUS} FLAGS="-O2 -s -Wall" fi + +mkdir -p "${DESTDIR}" +cp "${TMPDIR}/vtest/vtest" "${DESTDIR}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/flt_http_comp.c new/haproxy-3.3.7+git0.a32bce2da/src/flt_http_comp.c --- old/haproxy-3.3.6+git91.af5637e93/src/flt_http_comp.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/flt_http_comp.c 2026-04-23 21:32:22.000000000 +0200 @@ -940,7 +940,7 @@ comp->flags &= ~COMP_FL_DIR_RES; comp->flags |= COMP_FL_DIR_REQ; } else if (strcmp(args[2], "response") == 0) { - comp->flags &= COMP_FL_DIR_REQ; + comp->flags &= ~COMP_FL_DIR_REQ; comp->flags |= COMP_FL_DIR_RES; } else if (strcmp(args[2], "both") == 0) comp->flags |= COMP_FL_DIR_REQ | COMP_FL_DIR_RES; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/log.c new/haproxy-3.3.7+git0.a32bce2da/src/log.c --- old/haproxy-3.3.6+git91.af5637e93/src/log.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/log.c 2026-04-23 21:32:22.000000000 +0200 @@ -1091,6 +1091,14 @@ px->to_log |= LW_XPRT; if (px->http_needed) px->to_log |= LW_REQ; + + /* anything involving the response needs to happen at response time */ + if (expr->fetch->use & (SMP_USE_HRSHP|SMP_USE_HRSHV|SMP_USE_HRSBO)) + px->to_log |= LW_RESP; + + /* anything involving the end of the response needs to happen after final bytes */ + if (expr->fetch->use & (SMP_USE_HRSBO|SMP_USE_RQFIN|SMP_USE_RSFIN|SMP_USE_TXFIN|SMP_USE_SSFIN)) + px->to_log |= LW_BYTES; } else if (lf->type == LOG_FMT_ALIAS) { if (!default_px && !http_mode && diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/mux_h1.c new/haproxy-3.3.7+git0.a32bce2da/src/mux_h1.c --- old/haproxy-3.3.6+git91.af5637e93/src/mux_h1.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/mux_h1.c 2026-04-23 21:32:22.000000000 +0200 @@ -2811,6 +2811,13 @@ h1s->flags = (h1s->flags & ~H1S_F_WANT_MSK) | H1S_F_WANT_CLO; TRACE_STATE("force close mode (T-E + HTTP/1.0)", H1_EV_TX_DATA|H1_EV_TX_HDRS, h1s->h1c->conn, h1s); } + else if ((h1m->flags & H1_MF_CLEN) && h1m->body_len != 0 && + htx_is_unique_blk(htx, blk) && (htx->flags & HTX_FL_EOM) && + (!(h1m->flags & H1_MF_RESP) || !(h1s->flags & H1S_F_BODYLESS_RESP))) { + /* C-L but no data for non-bodyless response or for a request: force close */ + h1s->flags = (h1s->flags & ~H1S_F_WANT_MSK) | H1S_F_WANT_CLO; + TRACE_STATE("force close mode (C-L without data)", H1_EV_TX_DATA|H1_EV_TX_HDRS, h1s->h1c->conn, h1s); + } /* the conn_mode must be processed. So do it */ n = ist("connection"); @@ -2935,7 +2942,8 @@ * payload. If cannot be removed now. We must emit the end of * the message first to be sure the output buffer is not full */ - if ((h1m->flags & H1_MF_CHNK) && !(h1s->flags & H1S_F_BODYLESS_RESP)) { + if ((h1m->flags & H1_MF_CHNK) && (!(h1m->flags & H1_MF_RESP) || !(h1s->flags & H1S_F_BODYLESS_RESP))) { + /* Send null-chunk except for bodyless reasponses */ if (!chunk_memcat(&outbuf, "\r\n0\r\n\r\n", 7)) goto full; } @@ -3415,8 +3423,8 @@ goto nextblk; /* Skip the trailers because the corresponding conf option was set */ - if ((!(h1m->flags & H1_MF_RESP) && (h1c->px->options & PR_O_HTTP_DROP_RES_TRLS)) || - ((h1m->flags & H1_MF_RESP) && (h1c->px->options & PR_O_HTTP_DROP_REQ_TRLS))) + if ((!(h1m->flags & H1_MF_RESP) && (h1c->px->options & PR_O_HTTP_DROP_REQ_TRLS)) || + ((h1m->flags & H1_MF_RESP) && (h1c->px->options & PR_O_HTTP_DROP_RES_TRLS))) goto nextblk; n = htx_get_blk_name(htx, blk); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/mux_h2.c new/haproxy-3.3.7+git0.a32bce2da/src/mux_h2.c --- old/haproxy-3.3.6+git91.af5637e93/src/mux_h2.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/mux_h2.c 2026-04-23 21:32:22.000000000 +0200 @@ -1492,6 +1492,7 @@ fail: task_destroy(t); tasklet_free(h2c->wait_event.tasklet); + pool_free(pool_head_h2_rx_bufs, h2c->shared_rx_bufs); pool_free(pool_head_h2c, h2c); fail_no_h2c: if (!conn_is_back(conn)) @@ -3403,7 +3404,11 @@ return 0; } - if (h2_get_n32(&h2c->dbuf, 0) == h2c->dsi) { + /* + * Bit 31 is the "exclusive" bit, it is not part of the stream id, + * so ignore it when checking if the stream id is ours. + */ + if ((h2_get_n32(&h2c->dbuf, 0) & 0x7fffffff) == h2c->dsi) { /* 7540#5.3 : can't depend on itself */ h2c_report_glitch(h2c, 1, "PRIORITY depends on itself"); TRACE_ERROR("PRIORITY depends on itself", H2_EV_RX_FRAME|H2_EV_RX_WU, h2c->conn); @@ -3532,8 +3537,10 @@ /* Failed to decode this frame (e.g. too large request) * but the HPACK decompressor is still synchronized. */ + session_inc_http_err_ctr(h2c->conn->owner); + HA_ATOMIC_INC(&h2c->px_counters->strm_proto_err); h2_sess_log_strm(h2c->conn->owner); - h2s_error(h2s, H2_ERR_INTERNAL_ERROR); + h2s_error(h2s, H2_ERR_PROTOCOL_ERROR); TRACE_USER("Stream error decoding H2 trailers", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_STRM_NEW|H2_EV_STRM_END, h2c->conn, 0, h2s_rxbuf_tail(h2s)); h2c->st0 = H2_CS_FRAME_E; goto out; @@ -3617,6 +3624,7 @@ } /* recoverable stream error (e.g. too large request) */ + HA_ATOMIC_INC(&h2c->px_counters->strm_proto_err); h2_sess_log_strm(h2c->conn->owner); TRACE_USER("rcvd unparsable H2 request", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_STRM_NEW|H2_EV_STRM_END, h2c->conn, h2s, &rxbuf); goto strm_err; @@ -6314,6 +6322,15 @@ TRACE_STATE("invalid interim response with ES flag", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn); goto fail; } + /* Note that bodyless only applies to responses, even when + * reported on the request (e.g. HEAD). + */ + if ((msgf & H2_MSGF_BODY_CL) && *body_len > 0 && + (!(h2c->flags & H2_CF_IS_BACK) || !(*flags & H2_SF_BODYLESS_RESP))) { + h2c_report_glitch(h2c, 1, "ES on HEADERS before end of content-length"); + TRACE_STATE("ES on HEADERS before end of content-length", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn); + goto fail; + } /* no more data are expected for this message */ htx->flags |= HTX_FL_EOM; *flags |= H2_SF_ES_RCVD; @@ -8727,11 +8744,11 @@ /* backend/frontend/default */ vptr = &h2_settings_log_errors; - if (strcmp(args[1], "none")) + if (strcmp(args[1], "none") == 0) *vptr = H2_ERR_LOG_ERR_NONE; - else if (strcmp(args[1], "connection")) + else if (strcmp(args[1], "connection") == 0) *vptr = H2_ERR_LOG_ERR_CONN; - else if (strcmp(args[1], "stream")) + else if (strcmp(args[1], "stream") == 0) *vptr = H2_ERR_LOG_ERR_STRM; else { memprintf(err, "'%s' expects 'none', 'connection', or 'stream'", args[0]); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/mux_quic.c new/haproxy-3.3.7+git0.a32bce2da/src/mux_quic.c --- old/haproxy-3.3.6+git91.af5637e93/src/mux_quic.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/mux_quic.c 2026-04-23 21:32:22.000000000 +0200 @@ -3145,18 +3145,21 @@ { struct server *srv = __objt_server(conn->target); struct qcc *qcc = conn->ctx; - int max_fctl, max_reuse = 0; + int ret, max_reuse = 0; - max_fctl = qcc_fctl_avail_streams(qcc, 1); + ret = qcc_fctl_avail_streams(qcc, 1); if (srv->max_reuse >= 0) { max_reuse = qcc->tot_sc <= srv->max_reuse ? srv->max_reuse - qcc->tot_sc + 1: 0; - return MIN(max_fctl, max_reuse); - } - else { - return max_fctl; + ret = MIN(ret, max_reuse); } + + /* Ensure we do not exceed the maximum usable stream ID. */ + if (unlikely(ret > QCS_ID_MAX_STRM_CL_BIDI - qcc->next_bidi_l)) + ret = QCS_ID_MAX_STRM_CL_BIDI - qcc->next_bidi_l; + + return ret; } /* Returns the number of streams currently attached into <conn> connection. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/sample.c new/haproxy-3.3.7+git0.a32bce2da/src/sample.c --- old/haproxy-3.3.6+git91.af5637e93/src/sample.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/sample.c 2026-04-23 21:32:22.000000000 +0200 @@ -266,39 +266,39 @@ SMP_VAL___________ | SMP_VAL_BE_CHK_RUL | SMP_VAL___________ | SMP_VAL___________ ), - [SMP_SRC_RQFIN] = (SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | + [SMP_SRC_RQFIN] = (SMP_VAL___________ | SMP_VAL___________ | SMP_VAL_FE_REQ_CNT | + SMP_VAL_FE_HRQ_HDR | SMP_VAL_FE_HRQ_BDY | SMP_VAL_FE_SET_BCK | + SMP_VAL_BE_REQ_CNT | SMP_VAL_BE_HRQ_HDR | SMP_VAL_BE_HRQ_BDY | + SMP_VAL_BE_SET_SRV | SMP_VAL_BE_SRV_CON | SMP_VAL_BE_RES_CNT | + SMP_VAL_BE_HRS_HDR | SMP_VAL_BE_HRS_BDY | SMP_VAL_BE_STO_RUL | + SMP_VAL_FE_RES_CNT | SMP_VAL_FE_HRS_HDR | SMP_VAL_FE_HRS_BDY | SMP_VAL_FE_LOG_END | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ ), [SMP_SRC_RSFIN] = (SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | + SMP_VAL_BE_SET_SRV | SMP_VAL_BE_SRV_CON | SMP_VAL_BE_RES_CNT | + SMP_VAL_BE_HRS_HDR | SMP_VAL_BE_HRS_BDY | SMP_VAL_BE_STO_RUL | + SMP_VAL_FE_RES_CNT | SMP_VAL_FE_HRS_HDR | SMP_VAL_FE_HRS_BDY | SMP_VAL_FE_LOG_END | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ ), - [SMP_SRC_TXFIN] = (SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | + [SMP_SRC_TXFIN] = (SMP_VAL___________ | SMP_VAL___________ | SMP_VAL_FE_REQ_CNT | + SMP_VAL_FE_HRQ_HDR | SMP_VAL_FE_HRQ_BDY | SMP_VAL_FE_SET_BCK | + SMP_VAL_BE_REQ_CNT | SMP_VAL_BE_HRQ_HDR | SMP_VAL_BE_HRQ_BDY | + SMP_VAL_BE_SET_SRV | SMP_VAL_BE_SRV_CON | SMP_VAL_BE_RES_CNT | + SMP_VAL_BE_HRS_HDR | SMP_VAL_BE_HRS_BDY | SMP_VAL_BE_STO_RUL | + SMP_VAL_FE_RES_CNT | SMP_VAL_FE_HRS_HDR | SMP_VAL_FE_HRS_BDY | SMP_VAL_FE_LOG_END | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ ), - [SMP_SRC_SSFIN] = (SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | - SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ | + [SMP_SRC_SSFIN] = (SMP_VAL_FE_CON_ACC | SMP_VAL_FE_SES_ACC | SMP_VAL_FE_REQ_CNT | + SMP_VAL_FE_HRQ_HDR | SMP_VAL_FE_HRQ_BDY | SMP_VAL_FE_SET_BCK | + SMP_VAL_BE_REQ_CNT | SMP_VAL_BE_HRQ_HDR | SMP_VAL_BE_HRQ_BDY | + SMP_VAL_BE_SET_SRV | SMP_VAL_BE_SRV_CON | SMP_VAL_BE_RES_CNT | + SMP_VAL_BE_HRS_HDR | SMP_VAL_BE_HRS_BDY | SMP_VAL_BE_STO_RUL | + SMP_VAL_FE_RES_CNT | SMP_VAL_FE_HRS_HDR | SMP_VAL_FE_HRS_BDY | SMP_VAL_FE_LOG_END | SMP_VAL___________ | SMP_VAL___________ | SMP_VAL___________ ), }; @@ -5516,8 +5516,8 @@ } static struct sample_fetch_kw_list smp_logs_kws = {ILH, { - { "bytes_in", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_INTRN }, - { "bytes_out", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_INTRN }, + { "bytes_in", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_RQFIN }, + { "bytes_out", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_RSFIN }, { "txn.timer.total", smp_fetch_txn_timers, 0, NULL, SMP_T_SINT, SMP_USE_TXFIN }, /* "Ta" */ { "txn.timer.user", smp_fetch_txn_timers, 0, NULL, SMP_T_SINT, SMP_USE_TXFIN }, /* "Tu" */ @@ -5529,14 +5529,14 @@ { "fc.timer.handshake", smp_fetch_conn_timers, 0, NULL, SMP_T_SINT, SMP_USE_L4CLI }, /* "Th" */ { "fc.timer.total", smp_fetch_conn_timers, 0, NULL, SMP_T_SINT, SMP_USE_SSFIN }, /* "Tt" */ - { "req.bytes_in", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_INTRN }, - { "req.bytes_out", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_INTRN }, + { "req.bytes_in", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_RQFIN }, + { "req.bytes_out", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_RQFIN }, { "req.timer.idle", smp_fetch_reX_timers, 0, NULL, SMP_T_SINT, SMP_USE_HRQHV }, /* "Ti" */ { "req.timer.tq", smp_fetch_reX_timers, 0, NULL, SMP_T_SINT, SMP_USE_HRQHV }, /* "Tq" */ { "req.timer.hdr", smp_fetch_reX_timers, 0, NULL, SMP_T_SINT, SMP_USE_HRQHV }, /* "TR" */ { "req.timer.queue", smp_fetch_reX_timers, 0, NULL, SMP_T_SINT, SMP_USE_L4SRV }, /* "Tw" */ - { "res.bytes_in", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_INTRN }, - { "res.bytes_out", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_INTRN }, + { "res.bytes_in", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_RSFIN }, + { "res.bytes_out", smp_fetch_bytes, 0, NULL, SMP_T_SINT, SMP_USE_RSFIN }, { "res.timer.data", smp_fetch_reX_timers, 0, NULL, SMP_T_SINT, SMP_USE_RSFIN }, /* "Td" */ { "res.timer.hdr", smp_fetch_reX_timers, 0, NULL, SMP_T_SINT, SMP_USE_HRSHV }, /* "Tr" */ { /* END */ }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/server.c new/haproxy-3.3.7+git0.a32bce2da/src/server.c --- old/haproxy-3.3.6+git91.af5637e93/src/server.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/server.c 2026-04-23 21:32:22.000000000 +0200 @@ -6265,6 +6265,7 @@ !srv->sni_expr && !(srv->ssl_ctx.options & SRV_SSL_O_NO_AUTO_SNI)) { if (srv_configure_auto_sni(srv, &errcode, &errmsg)) { ha_alert("%s.\n", errmsg); + ha_free(&errmsg); goto out; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-3.3.6+git91.af5637e93/src/tools.c new/haproxy-3.3.7+git0.a32bce2da/src/tools.c --- old/haproxy-3.3.6+git91.af5637e93/src/tools.c 2026-04-17 10:06:23.000000000 +0200 +++ new/haproxy-3.3.7+git0.a32bce2da/src/tools.c 2026-04-23 21:32:22.000000000 +0200 @@ -6085,7 +6085,7 @@ page += pagesize; /* copy and make read-only */ memcpy(page, ctx.storage, ctx.size); - mprotect(page, lib_size, PROT_READ); + mprotect(page, new_size, PROT_READ); vma_set_name(page, new_size, "archive", "boot-libs"); lib_storage = page;
