Hi,

HAProxy 2.4.26 was released on 2024/04/05. It added 53 new commits
after version 2.4.25.

This maintenance version addresses a few issues discovered after the
previous release:

  - an API issue with OpenSSL. The SSL_do_handshake() function returns
    SSL_ERROR_WANT_READ when it needs more data, but in certain obscure
    circumstances related to internal error handling, it was found that
    it may stop trying to read available data and continue to return
    that status! This results in wakeup loops that prevent the process
    from sleeping, hence it consumes 100% of the CPU (but it's still
    working fine). The code does what the doc suggests (but the doc is
    basically a one-liner), and neither aws-lc nor wolfSSL exhibit this
    problem.

  - "option redispatch 0" is documented as disabling redispatch on
    server connection failure except that it caused it to redispatch at
    every retry. This was fixed. Note that "no option redispatch" would
    properly work though.

  - lua: with Lua sockets, if the Lua script does not consume data that
    arrives on a socket because it's busy doing something else, this
    could waste CPU cycles in endless wakeups until the data is
    consumed.

    A subtle locking issue was addressed around exception handling,
    where the exception code is called with locks released so that code
    should not try to access stack information. And similarly some code
    locations were called without the lock when resuming using
    hlua_ctx_resume(), possibly accessing the stack without any
    protection. These locking issues could cause crashes as shown in
    GitHub issue #2467.

    A previous attempt at addressing mixed usage of "lua-load" and
    "lua-load-per-thread" from the same stream was not fully fixed. A
    different approach was taken this time and this fix was revisited.

  - dynamic servers: The use of the "enabled" keyword when adding a
    server is currently forbidden but was silently ignored.

  - server: the "interface" keyword was ignored from "default-server"
    directives since "source" was taken from there.

  - fcgi: empty chunked messages on the request path were not properly
    handled, the stdin record was missing while an empty one ought to
    have been sent. This may happen when sending POST requests with no
    payload.

  - h1: the HTTP/1 chunk and header parsers were strengthened a bit.
    Indeed, Ben Kallus kindly reminded us that we would still accept the
    NUL byte in header values and plain LF in chunks, while we were
    (wrongly) quite certain that these had long been rejected. Ben is
    currently not aware of situations where this could help convey an
    attack to any existing component, but given the surprises he
    certainly faces in his reviews, it's probably only a matter of time
    before one implementation shows to be too weak and we fail to
    properly protect it. So it was better to address both at once. In
    the extremely unlikely case that anyone would discover such an
    invalid byte on their network with an application that heavily
    relies on it, *option accept-invalid-http* will work as usual to
    bypass the check. We'll backport that to older versions as well, and
    I think it would be prudent for distros to take that as well.

  - spoe: in some cases, the expiration date could be reset, leading to
    a non-expirable stream. There could also be a wakeup loop when
    receiving too small a frame because it was ignored but not consumed
    instead of raising an error. Also, upon reload, applets that were
    waiting for a response would stick to idle mode and postpone the
    release of the old process. Now it's tested again, as well as on any
    subsequent attempt to use the idle connection.

  - listener: in some cases it would be possible to refrain from waking
    up a listener that was previously subject to a rate limit condition,
    and if that was the last session on the listener, nothing would
    later wake it up again, leaving a listener in a state where it no
    longer accepts any traffic, as reported in GitHub issue 2476.

  - idle conns: a private backend connection could crash in H2 if a new
    list head cannot be allocated during session_add_conn() because that
    would leave a NULL owner that is used later on. In practice it
    should only be reproducible under extremely low memory condition.

  - random algo: when "balance random" is used, each thread uses its own
    pseudo-random generator. But for historical (read: stupid) reasons,
    that PRNG used to be seeded only by the thread number. Given that at
    low loads, incoming connections are assigned to threads in round
    robin mode, it resulted in the first server of the farm always being
    used first after a reload. Usually that's not an issue, until users
    restart every second or so while running at low loads. The seeding
    was fixed so as to properly support this condition as well.

  - a rare deadlock was found on the pools code, it can be triggered at
    stopping time and crash the old process. It's been there since 2.5,
    and is difficult to trigger, but a user faced it and that's how we
    learned about it (GH issue #2427, thanks to user @JB0925).

  - there was a memory leak when a proxy was freed if a use_backend rule
    was based on an expression.

  - the status of agent checks is returned as-is in the stats CSV
    output, resulting in mangling the CLI's output if it contains line
    feeds. It has been there since 2.0.

  - the previously backported aes_gcm_enc() converter could be subject
    to a small memory leak.

  - when deleting a crt-list line from the CLI, a dangling pointer
    reference could be left, with the possible effect of causing a
    crash. Apparently it has been the case since 2.4 so it seems that
    not that many people use "del ssl crt-list" or that the occurrence
    is quite rare.

  - Abhijeet Rastogi found that we still didn't recommend PCRE2 over
    PCRE, which is no longer maintained. It was just an oversight and
    the doc was updated.

  - and other lower importance fixes at various places, such as
    incorrect line location in certain error messages, etc.

  - doc updates, namely about the ciphersuite usage, and the CI updates
    (support for cache API v4, thanks to Tim).

And that's about all.

############################################################################

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Abhijeet Rastogi (1):
      DOC: install: recommend pcre2

Amaury Denoyelle (3):
      BUG/MINOR: ist: allocate nul byte on istdup
      BUG/MINOR: session: ensure conn owner is set after insert into session
      BUG/MINOR: server: ignore 'enabled' for dynamic servers

Aurelien DARRAGON (11):
      DEV: makefile: fix POSIX compatibility for "range" target
      BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
      BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
      BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
      BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
      BUG/MINOR: cfgparse: report proper location for log-format-sd errors
      BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
      DEBUG: lua: precisely identify if stream is stuck inside lua or not
      MINOR: hlua: use accessors for stream hlua ctx
      BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
      BUG/MINOR: proxy: fix logformat expression leak in use_backend rules

Christopher Faulet (15):
      BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
      DOC: config: Update documentation about local haproxy response
      BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
      BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
      BUG/MINOR: h1: Don't support LF only at the end of chunks
      BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
      BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
      BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
      MINOR: hlua: Be able to disable logging from lua
      BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
      BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
      BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
      BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
      BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
      BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block

Dragan Dosen (1):
      BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()

Emeric Brun (1):
      BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI

Ilia Shipitsin (1):
      CI: temporarily adjust kernel entropy to work with ASAN/clang

Olivier Houchard (1):
      BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions

Remi Tricot-Le Breton (1):
      BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line

Thayne McCombs (1):
      DOC: configuration: clarify http-request wait-for-body

Tim Duesterhus (1):
      CI: Update to actions/cache@v4

William Lallemand (4):
      DOC: configuration: typo req.ssl_hello_type
      BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
      DOC: configuration: clarify ciphersuites usage
      DOC: configuration: clarify ciphersuites usage (V2)

Willy Tarreau (12):
      BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
      BUG/MEDIUM: connection: report connection errors even when no mux is installed
      BUG/MINOR: vars/cli: fix missing LF after "get var" output
      BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
      BUG/MINOR: h1-htx: properly initialize the err_pos field
      BUG/MEDIUM: h1: always reject the NUL character in header values
      BUILD: address a few remaining calloc(size, n) cases
      DOC: internal: update missing data types in peers-v2.0.txt
      DEV: makefile: add a new "range" target to iteratively build all commits
      BUG/MINOR: tools: seed the statistical PRNG slightly better
      BUG/MINOR: backend: properly handle redispatch 0
      BUG/MINOR: ist: only store NUL byte on succeeded alloc

--
Christopher Faulet
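
The h1 item above says the chunk and header parsers now reject the NUL byte in header values and a plain LF in chunks. The C code below is an added example of those two checks, not HAProxy's own parser; the function names and return codes are assumptions of this example, and chunk extensions and trailers are left out.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not HAProxy code; names and return codes are this example's own. */
enum { H1_OK = 0, H1_INCOMPLETE = -1, H1_INVALID = -2 };

/* Header values: any NUL byte makes the value invalid. */
int hdr_value_ok(const char *v, size_t len) { return memchr(v, '\0', len) == NULL; }

/* Consume exactly CRLF at in[*i]; a plain LF (or any other byte) is invalid. */
static int eat_crlf(const char *in, size_t len, size_t *i)
{
    if (*i >= len) return H1_INCOMPLETE;
    if (in[*i] != '\r') return H1_INVALID;
    if (*i + 1 >= len) return H1_INCOMPLETE;
    if (in[*i + 1] != '\n') return H1_INVALID;
    *i += 2;
    return H1_OK;
}

/* Decode a chunked body into out. Simplification: no chunk extensions, no trailers. */
int decode_chunked(const char *in, size_t len, char *out, size_t cap, size_t *outlen)
{
    size_t i = 0, o = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        int rc;
        for (; i < len; i++, digits++) {
            char c = in[i];
            int d = (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 :
                    (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
            if (d < 0) break;
            if (digits >= 7) return H1_INVALID;       /* bound the size, no overflow */
            size = size * 16 + (size_t)d;
        }
        if (i == len) return H1_INCOMPLETE;           /* size line not terminated yet */
        if (!digits) return H1_INVALID;
        if ((rc = eat_crlf(in, len, &i)) != H1_OK) return rc;   /* after chunk size */
        if (size == 0) {                              /* last chunk: final CRLF ends the body */
            *outlen = o;
            return eat_crlf(in, len, &i);
        }
        if (len - i < size) return H1_INCOMPLETE;
        if (cap - o < size) return H1_INVALID;
        memcpy(out + o, in + i, size);
        o += size; i += size;
        if ((rc = eat_crlf(in, len, &i)) != H1_OK) return rc;   /* after chunk data */
    }
}
```

A body such as "5\nhello\r\n0\r\n\r\n" (LF only after the chunk size) or "5\r\nhello\n0\r\n\r\n" (LF only after the chunk data) returns H1_INVALID instead of being decoded.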