Hi,

HAProxy 2.2.3 was released on 2020/09/08. It added 59 new commits after version 2.2.2, in about 5 weeks.

There were not that many issues but they were grouped by subsystem and likely affect some users.

First, a number of issues were addressed on SSL. The negative filters in crt-lists didn't work, and the SNI lookups were incomplete when a pair of certificates wouldn't cover the same server names using all algorithms. A few other less important issues such as occasional memory leaks in OCSP were addressed.

Second, there were issues in the DNS code in the way servers learned from SRV records were updated. If several pieces of information changed at once (e.g. weight and address), not all were applied and a server could for example continue to use its old address or even never recover.

Third, Lua calls to the native fetch functions and converters didn't always map arguments correctly to their target types, often resulting in leaks of allocated strings. Other limitations in the way arguments were handled used to limit the number of sample fetch and converter keywords to those taking no argument or trivial arguments. This caused a few of them to disappear from Lua when they were slightly extended (such as date() and http_date()). All of this was reworked so that they're now all passed as strings, parsed and processed on the fly, meaning that all keywords are now available again.

Fourth, there were some issues around replace-path, which was documented as replacing the query string while its brothers (set-path, path etc) did not use it, according to the terminology used in HTTP. But in practice replace-path didn't act on it either. Given that the action was only fairly recently introduced and the "fix" would add a lot more confusion, it was preferred, as an exception, to fix the doc instead of risking breaking working setups, and to provide a new pair of actions "set-pathq" and "replace-pathq" and a new sample fetch function "pathq" which all act both on the path and the query string.
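The difference between the path-only keywords and the new path-plus-query-string ones, as an added configuration example (not part of the original announcement or of the HAProxy documentation); the frontend and backend names, addresses and URL patterns are constructed for illustration.

```haproxy
# Constructed example: names, addresses and URL patterns are placeholders.
# set-pathq, replace-pathq and pathq require HAProxy 2.2.3 or later.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind 127.0.0.1:8080

    # Record the original path + query string before any rewrite, so the
    # backend and its logs still see what the client actually requested.
    http-request set-header X-Original-PathQ %[pathq]

    # replace-path: the regex is matched against the path only. The query
    # string is left untouched and stays attached to the rewritten path.
    #   /old/item?id=7       ->  /new/item?id=7
    http-request replace-path ^/old/(.*) /new/\1

    # replace-pathq: the regex is matched against "path?query" as a single
    # string, so a rewrite can move data from the query string into the path.
    #   /lookup?user=alice   ->  /users/alice
    http-request replace-pathq ^/lookup\?user=([^&]*)$ /users/\1

    # set-pathq: path and query string are replaced together. With set-path
    # the client-supplied query string would survive the rewrite.
    #   /legacy/report?debug=1  ->  /gone
    http-request set-pathq /gone if { path_beg /legacy/ }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8081
```

Rules that match on "path" never see the query string, so any rule that must also cover it has to match on "pathq" instead.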
Fifth, the reference spoa-server in the contrib directory received a number of fixes and was apparently severely affected by memory leaks, or freeing the wrong element. So those who wrote their own agents based on it may want to double-check or rebase their work.

Aside from this, 100-continue responses were needlessly delayed on output, causing some slowdowns of small POST requests, and HTTP/1 send timeouts were not always updated when performing synchronous sends, occasionally resulting in aborted connections in the middle of a transfer. A bug in the command line parser caused "haproxy -s" to spin at 100% CPU on startup while parsing the command line. An occasional crash on deinit() due to the impossibility for libpthread to access libgcc_s.so from within a chroot was worked around. Various harmless memory leaks on deinit() were addressed.

And the rest is pretty minor.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy

---
Complete changelog :
Baptiste Assmann (2):
      CLEANUP: dns: typo in reported error message
      BUG/MAJOR: dns: disabled servers through SRV records never recover

Christopher Faulet (23):
      BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
      BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
      MINOR: arg: Add an argument type to keep a reference on opaque data
      BUG/MINOR: converters: Store the sink in an arg pointer for debug() converter
      BUG/MINOR: lua: Duplicate map name to load it when a new Map object is created
      BUG/MINOR: arg: Fix leaks during arguments validation for fetches/converters
      BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
      BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
      MINOR: hlua: Don't needlessly copy lua strings in trash during args validation
      BUG/MINOR: lua: Duplicate lua strings in sample fetches/converters arg array
      MEDIUM: lua: Don't filter exported fetches and converters
      BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
      MINOR: http-htx: Add an option to eval query-string when the path is replaced
      BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action
      Revert "BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action"
      BUG/MEDIUM: doc: Fix replace-path action description
      MINOR: http-rules: Add set-pathq and replace-pathq actions
      MINOR: http-fetch: Add pathq sample fetch
      REGTEST: Add a test for request path manipulations, with and without the QS
      MINOR: arg: Use chunk_destroy() to release string arguments
      BUG/MEDIUM: dns: Don't store additional records in a linked-list
      BUG/MEDIUM: dns: Be sure to renew IP address for already known servers
      MINOR: server: Improve log message sent when server address is updated

Gilchrist Dadaglo (5):
      BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
      BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
      BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
      BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
      BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address

Jerome Magnin (1):
      DOC: ssl-load-extra-files only applies to certificates on bind lines

Tim Duesterhus (4):
      DOC: cache: Use '<name>' instead of '<id>' in error message
      MINOR: cache: Reject duplicate cache names
      MINOR: Commit .gitattributes
      CLEANUP: Update .gitignore

William Dauchy (2):
      BUG/MINOR: spoa-server: fix size_t format printing
      DOC: spoa-server: fix false friends `actually`

William Lallemand (11):
      BUG/MINOR: ssl: fix memory leak at OCSP loading
      BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free()
      BUG/MINOR: snapshots: leak of snapshots on deinit()
      BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option
      BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2
      BUG/MEDIUM: ssl: never generates the chain from the verify store
      BUG/MEDIUM: ssl: fix ssl_bind_conf double free w/ wildcards
      BUG/MEDIUM: ssl: crt-list negative filters don't work
      BUG/MINOR: startup: haproxy -s cause 100% cpu
      BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
      BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate

Willy Tarreau (11):
      SCRIPTS: git-show-backports: make -m most only show the left branch
      SCRIPTS: git-show-backports: emit the shell command to backport a commit
      BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
      BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
      BUG/MINOR: reload: do not fail when no socket is sent
      BUILD: tools: include auxv a bit later
      BUILD: task: work around a bogus warning in gcc 4.7/4.8 at -O1
      BUG/MINOR: threads: work around a libgcc_s issue with chrooting
      BUILD: thread: limit the libgcc_s workaround to glibc only
      CLEANUP: dns: remove 45 "return" statements from dns_validate_dns_response()
      BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections

---