Hi,

HAProxy 1.8.18 was released on 2019/02/06. It added 39 new commits after version 1.8.17.

The changes here are fairly limited but worth a release, in an effort to clean the net from previous versions which were affected by the TLS 1.3 KeyUpdate bug that currently prevents browsers from using these. Other mostly relevant fixes include :
  - a stability issue for the cache when a key used to hash to zero ;
  - validation of the process chain for track-sc/stick tables and SPOE
  - a number of small H2 problems which used to abusively result in some connection aborts (please note that 1.8 will never be as good as 1.9 regarding H2, so if you heavily depend on it, you may want to give 1.9 a try).
  - 0-RTT was fixed again; some defaults regarding the anti-replay protection changed when openssl 1.1.1 was released, breaking 0-RTT.
  - unique-id memory leak on TCP proxies due to defaults sections.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (1):
      BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()

Dirkjan Bussink (1):
      BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages

Emeric Brun (1):
      BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file

Jarno Huuskonen (1):
      DOC: http-request cache-use / http-response cache-store expects cache name

Jérôme Magnin (1):
      BUG/MINOR: server: don't always trust srv_check_health when loading a server state

Kevin Zhu (1):
      BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit

Miroslav Zagorac (1):
      BUG/MINOR: spoe: corrected fragmentation string size

Olivier Houchard (4):
      BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
      DOC: Be a bit more explicit about allow-0rtt security implications.
      MINOR: xref: Add missing barriers.
      BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().

Tim Duesterhus (1):
      BUG/MINOR: stick_table: Prevent conn_cur from underflowing

Willy Tarreau (27):
      BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
      BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
      BUG/MINOR: backend: balance uri specific options were lost across defaults
      BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
      DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
      MINOR: h2: add a bit-based frame type representation
      MINOR: h2: declare new sets of frame types
      BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
      BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error
      BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream
      BUG/MINOR: hpack: return a compression error on invalid table size updates
      DOC: nbthread is no longer experimental.
      SCRIPTS: add the slack channel URL to the announce script
      SCRIPTS: add the issue tracker URL to the announce script
      BUG/MINOR: stream: don't close the front connection when facing a backend error
      BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update
      BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
      BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
      BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection
      MINOR: stream-int: expand the flags to 32-bit
      MINOR: stream-int: add a new flag to mention that we want the connection to be killed
      MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
      BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
      BUG/MINOR: config: fix bind line thread mask validation
      BUG/MAJOR: config: verify that targets of track-sc and stick rules are present
      BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes
      BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules

---