HAProxy 2.3.12 was released on 2021/07/08. It added 2 new commits
after version 2.3.11.

Please do not use 2.3.11! I failed the backport of the use-after-free bug
fix in the lockless pools between 2.4 and 2.3. The pools code in 2.4 was
significantly reworked to be cleaner and simpler, and I found two
occurrences in 2.3 and older that required the same fix and that were
missing it. The result can be a runtime deadlock depending on the build
options, the operating system and the load (the watchdog will catch it,
but nobody wants to deploy this, obviously).

After scrutinizing the code all the afternoon and torturing it under
different build options, I can now affirm that the code is properly fixed
in 2.3.12.

These patches were backported into 2.2 as well because the faulty patch was
already there. For 2.0 and below the patch was fixed to limit the risks of
incomplete backports (namely for those who continue to cherry-pick selected

I'm seeing that at least Vincent was fast enough to package 2.3.11 for
debian 10, I hope nobody deployed it yet. I'm really sorry for the mess.
For those who are wondering, 2.4 was not affected.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.3/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.3.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
   Changelog        : http://www.haproxy.org/download/2.3/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Willy Tarreau (2):
      BUG/MAJOR: pools: fix incomplete backport of lockless pool fix
      BUG/MAJOR: pools: second fix for incomplete backport of lockless pool fix


Reply via email to