Hi,

HAProxy 2.4.18 was released on 2022/07/27. It added 77 new commits after version 2.4.17.
Here is the unsorted list of main issues fixed in this release, cut-pasted from the 2.5.8 announce:

  * On HTTP/2, the maintainer of the Lighttpd web server reported a nasty case that he observed between curl and lighttpd which is very similar to the so called "Silly Window Syndrome" in TCP, where a difference of one byte between a buffer size and a window size may progressively make the transfer degenerate until almost all frames are 1-byte in size. It's not a bug in any product, just a consequence of making certain standard-compliant stacks interoperate. Some workarounds were placed in various components that allowed the issue to appear. We did careful testing on HAProxy and couldn't produce it there, in part due to our buffer management that makes it difficult to read exactly the sizes that produce the issue. But there's nothing either that can strictly prevent it from happening (e.g. with a sender using smaller frames maybe). So we implemented the workaround as well, which will also result in sending slightly fewer frames during uploads.

  * The protocol matching for HTTP/1.x is now strict. Non-HTTP/1.x protocols are now rejected by default. This can be relaxed by adding the "accept-invalid-http-request" option.

  * The set of CLI commands used to manage SSL certificates has been improved. Message/error reporting for "commit ssl" commands could be lost if HAProxy's internal output buffer was full. Also, "show ssl" commands might have produced a loop when issued in parallel with a running certificate transaction. Finally, a crash was reproduced on "add ssl crt-list", but this was encountered only in the dubious case where it referenced a certificate used both by a bind and a server instance.

  * HAProxy might rewrite some parts of an HTTP request outside of http-rules, for example to add an X-Forwarded-For header when "option forwardfor" is set. Previously, failures on these rewrite operations were reported as internal errors in logs. Now, they appear as rewrite failures, which is consistent with http-rules error reporting.

  * A new option, "http-restrict-req-hdr-names", was added at the proxy level. It can be used to inspect HTTP header names and decide what to do with those containing any character other than alphanumerics or dash ("-"): either delete the header or reject the request. The purpose is to help protect application servers that map dash to underscore due to CGI inheritance, or worse, which crash when passed such characters. The option is automatically set to the delete mode in backends having FastCGI configured.

  * Tunneled H1 sessions could be blocked when raw data were received before the end of the request analysis, because of a wrong assumption about the request buffer's emptiness.

  * A bug in the "method" sample fetch could lead to a crash if it was used in logs for errors triggered at the mux level. This sample requires a stream, which does not yet exist when an early error is reported by a mux. Now, a non-matching value is returned in this case.

  * Invalid 103-early-hints messages could be generated when some "early-hint" rules were conditioned by ACLs.

  * Some sessions could leak because connection errors were ignored by the H1 multiplexer during a synchronous send. It is only a transient leak, but it could be quite long, depending on the client or server timeout values.

  * Unexpected FD close using the SSL async engine could be experienced because the engine and HAProxy both closed it. To fix the issue, a flag is now used to instruct HAProxy not to close the FD when it is removed from the fdtab array.

  * Crashes could be experienced during hot-upgrade from 2.4 to 2.6 because the old worker was still identified as a running worker.

  * An internal error was reported when load balancing on source IP address was impossible. It could happen with SPOE applets or with clients connected to HAProxy via a unix socket. Now, when this happens, a fallback to round-robin is performed.

  * The HTTP scheme-based normalization did not properly handle URIs with userinfo. The userinfo was not preserved after the normalization process.

  * Duplicate certificates in ca-file directories were not properly handled because of an OpenSSL error. The error is now ignored.

  * The lookup for a private key in extra files was not skipped when the key had already been found in the pem file, while it should have been.

  * HAProxy could crash on old Glibc on a dlsym() function call if it was statically built. Now, we avoid calling it in static builds.

  * Depending on the declaration order of "http-check send" and "option httpchk" directives, the configured headers could be ignored. Now a previous list of headers is replaced by a new one only if the new one is not empty.

  * It was possible to crash HAProxy by defining multiple bind lines in a peers section. An error is now reported during configuration parsing.

  * A warning is now reported when some unsupported keywords are used in a peers section instead of silently ignoring them. init_addr, resolvers, check and agent-check are concerned.

  * DNS resolution is now ignored for disabled proxies, preventing some crashes.

Thanks everyone for your help and your contributions!
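The "Silly Window Syndrome" item above is easier to see with a small flow-control model. The following is an added example written for this page, not HAProxy code and not a reproduction of the curl/lighttpd case: it models one HTTP/2 stream with no frame headers and no connection-level window, an eager sender that emits a DATA frame as soon as it has credit, and a receiver whose application drains the buffer at a constant pace. The `coalesce_threshold` knob is the example's own stand-in for the idea behind the WINDOW_UPDATE coalescing in this release: credit is advertised back only once enough has accumulated. All sizes and the 200 000-byte upload are constructed.

```python
"""Toy model of HTTP/2 stream flow control (added illustration, not HAProxy
code). It shows how a receiver that advertises every consumed byte at once
lets the transfer degenerate into 1-byte DATA frames, and how holding back
WINDOW_UPDATEs until a threshold is reached keeps frames large.
"""
from dataclasses import dataclass


@dataclass
class Trace:
    frames: list   # sizes of the DATA frames the sender emitted, in order
    updates: list  # increments carried by the WINDOW_UPDATE frames sent back


def simulate(total, *, initial_window=65535, max_frame=16384,
             app_read=1, coalesce_threshold=0):
    """Deliver `total` bytes and return the trace of frames and updates.

    Each tick the sender emits one DATA frame as large as its window, the
    max frame size and the remaining payload allow (a compliant sender may
    do exactly that), then the receiving application consumes up to
    `app_read` bytes. Consumed bytes become credit that is returned as a
    WINDOW_UPDATE as soon as the pending credit reaches `coalesce_threshold`
    (0 means "advertise every consumed byte immediately").
    """
    window = initial_window  # credit the sender currently holds
    remaining = total        # payload still to send
    buffered = 0             # received by the peer, not yet consumed
    pending = 0              # consumed, not yet advertised back
    frames, updates = [], []
    while remaining > 0 or buffered > 0:
        size = min(window, max_frame, remaining)
        if size > 0:
            frames.append(size)
            window -= size
            remaining -= size
            buffered += size
        consumed = min(app_read, buffered)
        buffered -= consumed
        pending += consumed
        if pending > 0 and pending >= coalesce_threshold:
            updates.append(pending)
            window += pending
            pending = 0
    return Trace(frames, updates)


def summarize(trace):
    """Return (DATA frame count, share of 1-byte frames, WINDOW_UPDATE count)."""
    n = len(trace.frames)
    tiny = sum(1 for f in trace.frames if f == 1) / n if n else 0.0
    return n, tiny, len(trace.updates)


if __name__ == "__main__":
    total = 200_000  # constructed upload size
    naive = simulate(total)                                 # advertise every byte
    coalesced = simulate(total, coalesce_threshold=16384)   # one max frame at a time
    for label, trace in (("naive", naive), ("coalesced", coalesced)):
        n, tiny, ups = summarize(trace)
        print(f"{label:9s}: {n} DATA frames, {tiny:.1%} of them 1 byte, "
              f"{ups} WINDOW_UPDATE frames")
```

With the naive receiver the sender burns its 65535-byte initial window in four frames and from then on can only send as much as the last one-byte update allowed, so almost every remaining frame is 1 byte; with the threshold set to one maximum frame the same upload completes in 13 DATA frames. The model is deliberately crude (real stacks also have frame headers, a connection window and socket buffering), which is also why the announce notes that a one-byte mismatch between a buffer and a window is enough to trigger the real thing.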
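The "http-restrict-req-hdr-names" item above is best understood from the CGI side. The following is an added example written for this page, not HAProxy's implementation: it applies the same name rule (alphanumerics and dash only) to a constructed header list in the three modes the configuration manual lists for `option http-restrict-req-hdr-names { preserve | delete | reject }`, and shows why the rule matters. RFC 3875 builds the CGI meta-variable by upper-casing the header name and replacing "-" with "_", so a header spelled with underscores lands on the same variable as its dashed twin. The header names and values below are constructed; `restrict_header_names`, `cgi_env_name` and `collisions` are this example's own functions.

```python
"""Header-name policy in the spirit of "option http-restrict-req-hdr-names"
(added illustration for this page, not HAProxy code), plus the CGI mapping
that explains the option: two distinct header names can collapse onto one
HTTP_* environment variable on the application server.
"""
import re

# The rule from the announce: header names may contain only alphanumerics
# and dash. Anything else (underscore, space, control chars) is "offending".
ALLOWED = re.compile(r"[A-Za-z0-9-]+")


def cgi_env_name(header_name):
    """Map a request header name to its CGI meta-variable name (RFC 3875)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def restrict_header_names(headers, mode="preserve"):
    """Apply the policy to a list of (name, value) pairs.

    mode: "preserve" keeps every header, "delete" drops offending headers,
    "reject" returns None to signal that the whole request must be refused.
    """
    if mode not in ("preserve", "delete", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    kept = []
    for name, value in headers:
        if ALLOWED.fullmatch(name):
            kept.append((name, value))
        elif mode == "reject":
            return None
        elif mode == "preserve":
            kept.append((name, value))
        # mode == "delete": the offending header is silently dropped
    return kept


def collisions(headers):
    """Return {cgi_variable: [header names]} for variables fed by >1 header."""
    seen = {}
    for name, _ in headers:
        seen.setdefault(cgi_env_name(name), []).append(name)
    return {env: names for env, names in seen.items() if len(names) > 1}


# Constructed request headers: the third one is an underscore lookalike of
# the second and would reach a CGI/FastCGI application under the same name.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X_Forwarded_For", "10.0.0.1"),
    ("Content-Type", "application/x-www-form-urlencoded"),
]


if __name__ == "__main__":
    print("collisions before filtering:", collisions(SAMPLE_HEADERS))
    for mode in ("preserve", "delete", "reject"):
        print(f"{mode:8s} ->", restrict_header_names(SAMPLE_HEADERS, mode))
```

In "delete" mode only the dashed header survives, so the application sees one HTTP_X_FORWARDED_FOR value, which is the behaviour the announce says is applied automatically to backends with FastCGI configured; "reject" refuses the request outright, which is the stricter choice when the origin is known to choke on such names.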
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

---
Complete changelog :
Brad Smith (1):
      BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX

Christian Ruppert (1):
      BUILD: Makefile: Add Lua 5.4 autodetect

Christopher Faulet (35):
      MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
      REGTESTS: abortonclose: Fix some race conditions
      BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
      BUG/MINOR: check: Reinit the buffer wait list at the end of a check
      BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
      BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
      BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
      MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
      REGTESTS: abortonclose: Add a barrier to not mix up log messages
      REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
      BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
      REGTESTS: http_abortonclose: Extend supported versions
      REGTESTS: restrict_req_hdr_names: Extend supported versions
      BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
      BUG/MINOR: trace: Test server existence for health-checks to get proxy
      BUG/MINOR: checks: Properly handle email alerts in trace messages
      REGTESTS: healthcheckmail: Update the test to be functionnal again
      REGTESTS: healthcheckmail: Relax health-check failure condition
      BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
      BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
      BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
      BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
      BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
      BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
      BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
      REGTEESTS: filters: Fix CONNECT request in random-forwarding script
      BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
      BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
      BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
      REGTESTS: Fix some scripts to be compatible with 2.4 and prior
      BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible

David CARLIER (1):
      BUILD/MINOR: cpuset fix build for FreeBSD 13.1

David Carlier (2):
      BUILD: fix build warning on solaris based systems with __maybe_unused.
      MINOR: tools: add get_exec_path implementation for solaris based systems.

Emeric Brun (7):
      BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
      BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
      DOC: peers: clarify when entry expiration date is renewed.
      DOC: peers: fix port number and addresses on new peers section format
      MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
      BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
      MINOR: fd: Add BUG_ON checks on fd_insert()

Ilya Shipitsin (3):
      CI: determine actual LibreSSL version dynamically
      CI: determine actual OpenSSL version dynamically
      CI: re-enable gcc asan builds

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Fix crash when no private key is found in pem
      BUG/MINOR: ssl: Do not look for key in extra files if already in pem

Thayne McCombs (1):
      BUG/MEDIUM: sample: Fix adjusting size in word converter

Tim Duesterhus (3):
      BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str
      BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
      REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)

William Lallemand (5):
      BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
      BUG/MINOR: peers: fix possible NULL dereferences at config parsing
      MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
      BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
      BUG/MINOR: sockpair: wrong return value for fd_send_uxst()

Willy Tarreau (16):
      BUG/MINOR: cfgparse: abort earlier in case of allocation error
      BUG/MINOR: peers: fix error reporting of "bind" lines
      SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
      SCRIPTS: make publish-release try to launch make-releases-json
      DOC: peers: indicate that some server settings are not usable
      DOC: intro: adjust the numbering of paragrams to keep the output ordered
      BUILD: compiler: implement unreachable for older compilers too
      BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
      BUG/MINOR: server: do not enable DNS resolution on disabled proxies
      BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
      MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
      BUG/MINOR: peers/config: always fill the bind_conf's argument
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
      BUG/MINOR: tools: fix statistical_prng_range()'s output range
      BUILD: add detection for unsupported compiler models

-- 
Christopher Faulet