Hi,

HAProxy 2.2.3 was released on 2020/09/08. It added 59 new commits
after version 2.2.2, in about 5 weeks.

There were not that many issues but they were grouped by subsystem and
likely affect some users.

First, a number of issues were addressed on SSL. The negative filters in
crt-lists didn't work, and the SNI lookups were incomplete when a pair of
certificates wouldn't cover the same server names using all algorithms. A
few other less important issues such as occasional memory leaks in OCSP
were addressed.

Second, there were issues in the DNS code in the way servers learned from
SRV records were updated. If multiple info would change at once (e.g. weight
and address), not all were applied and a server could for example continue
to use its old address or even never recover.

Third, Lua calls to the native fetch functions and converters didn't always
map arguments correctly to their target types, often resulting in leaks of
allocated strings. Other limitations in the way arguments were handled used
to limit the number of sample fetch and converter keywords to those taking
no argument or trivial arguments. This caused a few of them to disappear
from Lua when they were slightly extended (such as date() and http_date()).
All of this was reworked so that they're now all passed as strings, parsed
and processed on the fly, meaning that all keywords are now available again.

Fourth, there were some issues around replace-path which was documented as
replacing the query string while its brothers (set-path, path etc) did not
use it, according to the terminology used in HTTP. But in practice
replace-path didn't act on it either. Given that the action was only fairly
recently introduced and the "fix" would add a lot more confusion, it was
preferred, as an exception, to fix the doc instead of risking to break
working setups, and to provide a new pair of actions "set-pathq" and
"replace-pathq" and a new sample fetch function "pathq" which all act both
on the path and the query string.

Fifth, the reference spoa-server in the contrib directory received a number of
fixes and was apparently severely affected by memory leaks, or freeing the
wrong element. So those who wrote their own agents based on it may want to
double-check or rebase their work.

Aside from this, 100-continue responses were needlessly delayed on output causing
some slowdowns of small POST requests, and HTTP/1 send timeouts were not
always updated when performing synchronous sends, occasionally resulting in
aborted connections in the middle of a transfer. A bug in the command line
parser caused "haproxy -s" to spin at 100% CPU on startup while parsing the
command line. An occasional crash on deinit() due to the impossibility for
libpthread to access libgcc_s.so from within a chroot was worked around.
Various harmless memory leaks on deinit() were addressed. And the rest is
pretty minor.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Baptiste Assmann (2):
      CLEANUP: dns: typo in reported error message
      BUG/MAJOR: dns: disabled servers through SRV records never recover

Christopher Faulet (23):
      BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
      BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
      MINOR: arg: Add an argument type to keep a reference on opaque data
      BUG/MINOR: converters: Store the sink in an arg pointer for debug() converter
      BUG/MINOR: lua: Duplicate map name to load it when a new Map object is created
      BUG/MINOR: arg: Fix leaks during arguments validation for fetches/converters
      BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
      BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
      MINOR: hlua: Don't needlessly copy lua strings in trash during args validation
      BUG/MINOR: lua: Duplicate lua strings in sample fetches/converters arg array
      MEDIUM: lua: Don't filter exported fetches and converters
      BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
      MINOR: http-htx: Add an option to eval query-string when the path is replaced
      BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action
      Revert "BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action"
      BUG/MEDIUM: doc: Fix replace-path action description
      MINOR: http-rules: Add set-pathq and replace-pathq actions
      MINOR: http-fetch: Add pathq sample fetch
      REGTEST: Add a test for request path manipulations, with and without the QS
      MINOR: arg: Use chunk_destroy() to release string arguments
      BUG/MEDIUM: dns: Don't store additional records in a linked-list
      BUG/MEDIUM: dns: Be sure to renew IP address for already known servers
      MINOR: server: Improve log message sent when server address is updated

Gilchrist Dadaglo (5):
      BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
      BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
      BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
      BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
      BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address

Jerome Magnin (1):
      DOC: ssl-load-extra-files only applies to certificates on bind lines

Tim Duesterhus (4):
      DOC: cache: Use '<name>' instead of '<id>' in error message
      MINOR: cache: Reject duplicate cache names
      MINOR: Commit .gitattributes
      CLEANUP: Update .gitignore

William Dauchy (2):
      BUG/MINOR: spoa-server: fix size_t format printing
      DOC: spoa-server: fix false friends `actually`

William Lallemand (11):
      BUG/MINOR: ssl: fix memory leak at OCSP loading
      BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free()
      BUG/MINOR: snapshots: leak of snapshots on deinit()
      BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option
      BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2
      BUG/MEDIUM: ssl: never generates the chain from the verify store
      BUG/MEDIUM: ssl: fix ssl_bind_conf double free w/ wildcards
      BUG/MEDIUM: ssl: crt-list negative filters don't work
      BUG/MINOR: startup: haproxy -s cause 100% cpu
      BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
      BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate

Willy Tarreau (11):
      SCRIPTS: git-show-backports: make -m most only show the left branch
      SCRIPTS: git-show-backports: emit the shell command to backport a commit
      BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
      BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
      BUG/MINOR: reload: do not fail when no socket is sent
      BUILD: tools: include auxv a bit later
      BUILD: task: work around a bogus warning in gcc 4.7/4.8 at -O1
      BUG/MINOR: threads: work around a libgcc_s issue with chrooting
      BUILD: thread: limit the libgcc_s workaround to glibc only
      CLEANUP: dns: remove 45 "return" statements from dns_validate_dns_response()
      BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
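
The difference between the path-only and path-plus-query-string keywords described in the fourth point above, as an added configuration example that is not part of the original announcement or of the HAProxy sources. It assumes HAProxy 2.2.3 or later; the proxy names, addresses, and URLs are constructed placeholders.

```haproxy
# Constructed example: names, ports and paths are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_demo
    bind 127.0.0.1:8080

    # Capture both views of the request target for the logs:
    # "path" stops before the '?', "pathq" includes the query string.
    http-request capture path  len 64
    http-request capture pathq len 64

    # replace-path: the regex is matched against the path only and the
    # query string is carried over untouched.
    #   /old/item?id=7        ->  /new/item?id=7
    http-request replace-path '^/old/(.*)' '/new/\1'

    # replace-pathq: the regex is matched against path + query string,
    # so the rule can rewrite (here: strip) query parameters as well.
    #   /search?q=a&debug=1   ->  /search?q=a
    http-request replace-pathq '^(/search[?][^&]*)&debug=1$' '\1'

    # set-pathq: replaces path AND query string with the format result.
    # No '?' in the result means the original query string is dropped.
    #   /legacy/report?x=1    ->  /v2/legacy/report
    http-request set-pathq /v2%[path] if { path_beg /legacy/ }

    # A condition written on "path" never sees the query string; use
    # "pathq" when the rule must take the query string into account.
    acl has_debug_qs pathq -m sub debug=1
    http-request set-header X-Debug-Requested 1 if has_debug_qs

    default_backend be_demo

backend be_demo
    server app1 127.0.0.1:8081
```

The file can be syntax-checked with `haproxy -c -f <file>` before loading it.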
