Hi,

HAProxy 2.0.6 was released on 2019/09/13. It added 36 new commits after version 2.0.5.
A major issue was fixed in the SSL part. When an SSL socket was created, its context was not fully initialized. Because this context is allocated from a memory pool, it was possible to inherit some information from a previous session. Thus, some fetches, related to the presence of the client's certificate or its verify status and errors, were returning erroneous values. So SSL connections without a client certificate could be accepted by HAProxy once a previous one had already been accepted with a valid client certificate. This issue was reported on GitHub (#248).

An AB/BA locking issue was fixed in the listeners. The functions protocol_enable_all() and delete_listener() were taking the same locks in reverse order. The former being used during startup and the latter during stop, it was possible to hit a deadlock during reload floods. Note though that it is pretty hard to hit this issue in 2.0 and above.

Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly reject messages featuring a transfer-encoding header missing the "chunked" value. The impact was limited, but if combined with "http-reuse always", it could be used as a help to construct a content smuggling attack against a vulnerable component employing a lenient parser which would ignore the content-length header as soon as it sees a transfer-encoding one, without even parsing it.

An improvement was made on the idle connections management. Now, we don't keep more idle connections than we've ever had outstanding requests on a server. This way the total number of idle connections will never exceed the sum of the maximum connections. Thus highly loaded servers will be able to get many connections and slightly loaded servers will keep fewer. This addresses performance issues with the option "http-reuse safe" (the default) caused by too many idle connections being kept open and never reused.

An old bug in the legacy HTTP analyzers was fixed. When HAProxy was waiting for a request or a response, the parsing was delayed if the buffer appeared not rewritable (reserve not fully free), without any other criteria. It might block the message analysis for a while, sometimes infinitely depending on circumstances. For instance, it was happening when the cache applet used the reserve to add the "Age" header on cached responses. This test was based on an old implicit assumption that if a buffer was not rewritable, some outgoing data were pending to be sent. On recent versions, this is not true anymore because all outgoing data are sent before starting the analysis of the next transaction.

Several bugs were fixed in the H1 multiplexer. The trailers of chunked messages were sometimes truncated on a buffer boundary because the parser systematically reported an error when the buffer was full during trailers parsing. Now, an error is only reported if the buffer is full because the trailers are too huge. In the same spirit, errors might be reported on transfers ending when the buffer was full because there was no more space left to add the EOM block. The SD termination state was erroneously reported in HAProxy logs for successful transfers.

Two bugs were fixed in the cache. Both concerned the way messages with a huge header part were handled by the cache. First, messages with a header part impinging upon the buffer's reserve were stored in the cache. Now these messages are not cached anymore. The reserve must remain available to handle the response processing when a cached object is served, just like any other response. Then, in the cache, messages with a header part stored on several shctx blocks (> 1024 bytes) were not correctly served.

Finally, the usual bunch of bug fixes here and there. Some improvements were made on checks to adapt them to recent changes in the connections layer. The sample fetch url32 was fixed to really take the path part into account.
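The transfer-encoding rule behind the fix reported by Nathan Davison, shown as an added example that is not HAProxy code: a small framing check that rejects a request whose Transfer-Encoding does not end with "chunked" (RFC 7230 section 3.3.3) and, as this example's own stricter policy, also rejects a message carrying both Transfer-Encoding and Content-Length rather than letting a downstream parser pick one. The sample request heads are constructed, not captured traffic.

```python
# Added example, not HAProxy code: HTTP/1.1 body framing per RFC 7230 section 3.3.3.

def parse_head(raw: bytes):
    """Split a raw request head into (lower-cased name, value) pairs."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        # Whitespace between field name and colon is forbidden (RFC 7230 3.2.4): reject, don't repair.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return headers

def framing_decision(headers):
    """Return ("chunked", None), ("content-length", n), ("none", None) or ("reject", why)."""
    codings = [c.strip().lower()
               for name, value in headers if name == "transfer-encoding"
               for c in value.split(",")]
    lengths = [value for name, value in headers if name == "content-length"]
    if codings:
        if codings[-1] != "chunked":
            # The case covered by the 2.0.6 fix: TE present but "chunked" missing.
            return ("reject", "transfer-encoding without final chunked coding")
        if lengths:
            # Stricter than the RFC minimum (this example's policy): refuse ambiguous framing.
            return ("reject", "transfer-encoding and content-length both present")
        return ("chunked", None)
    if lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            return ("reject", "conflicting or non-numeric content-length")
        return ("content-length", int(lengths[0]))
    return ("none", None)

def check_request(raw: bytes):
    """Parse then decide; malformed heads are rejected rather than guessed at."""
    try:
        return framing_decision(parse_head(raw))
    except ValueError as exc:
        return ("reject", str(exc))

SAMPLES = {  # constructed sample request heads, not captured traffic
    "chunked": b"POST / HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_no_chunked": b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\nTransfer-Encoding: gzip\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "cl_only": b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\n",
}
```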
A memory leak during configuration parsing was fixed, when an ACL expression was parsed. Response flags are now correctly reset when 1xx messages are handled, so it is possible to compress HTTP responses preceded by a 100-Continue. The server weights are now ignored for empty servers so as not to always pick the same server on low load (thanks to @malsumis and @jaroslawr for this fix). And so on.

It is also noticeable that Luca Schimweg added the sample fetch uuid() to get a UUID following the version 4 format of the RFC4122 standard. The DRAIN/MAINT/NOLB statuses are now reported for servers by the Prometheus exporter. And the number of idle connections for each server is now reported on the stats page, alongside the configured limit.

All users of 2.0 are encouraged to upgrade, especially those using authentication with SSL client certificates.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :
Adis Nezirovic (1):
      BUG/MINOR: Missing stat_field_names (since f21d17bb)

Christopher Faulet (14):
      BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data
      BUG/MINOR: http-ana: Reset response flags when 1xx messages are handled
      BUG/MINOR: h1: Properly reset h1m when parsing is restarted
      BUG/MINOR: mux-h1: Fix size evaluation of HTX messages after headers parsing
      BUG/MINOR: mux-h1: Don't stop anymore input processing when the max is reached
      BUG/MINOR: mux-h1: Be sure to update the count before adding EOM after trailers
      BUG/MEDIUM: cache: Properly copy headers splitted on several shctx blocks
      BUG/MEDIUM: cache: Don't cache objects if the size of headers is too big
      MINOR: contrib/prometheus-exporter: Report DRAIN/MAINT/NOLB status for servers
      BUG/MINOR: listener: Fix a possible null pointer dereference
      BUG/MINOR: ssl: always check for ssl connection before getting its XPRT context
      BUG/MINOR: filters: Properly set the HTTP status code on analysis error
      BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed
      BUG/MINOR: backend: Fix a possible null pointer dereference

Emeric Brun (1):
      BUG/MAJOR: ssl: ssl_sock was not fully initialized.

Frédéric Lécaille (1):
      BUG/MEDIUM: peers: local peer socket not bound.

Jerome Magnin (1):
      BUG/MEDIUM: url32 does not take the path part into account in the returned hash.

Luca Schimweg (1):
      MINOR: sample: Add UUID-fetch

Willy Tarreau (16):
      MINOR: debug: indicate the applet name when the task is task_run_applet()
      MINOR: tools: add append_prefixed_str()
      MINOR: lua: export applet and task handlers
      MEDIUM: debug: make the thread dump code show Lua backtraces
      BUG/MEDIUM: mux-h1: do not truncate trailing 0CRLF on buffer boundary
      BUG/MEDIUM: mux-h1: do not report errors on transfers ending on buffer full
      BUG/MINOR: mworker: disable SIGPROF on re-exec
      BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener()
      BUG/MINOR: checks: stop polling for write when we have nothing left to send
      BUG/MINOR: checks: start sending the request right after connect()
      BUG/MINOR: checks: make __event_chk_srv_r() report success before closing
      BUG/MINOR: checks: do not uselessly poll for reads before the connection is up
      BUG/MINOR: lb/leastconn: ignore the server weights for empty servers
      BUG/MEDIUM: connection: don't keep more idle connections than ever needed
      MINOR: stats: report the number of idle connections for each server
      BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding

n...@users.noreply.github.com (1):
      DOC: fixed typo in management.txt

--
Christopher Faulet