HAProxy 2.4.4 was released on 2021/09/07. It added 21 new commits
after version 2.4.3.

This version essentially aims at fixing the HTX header encoding issue
mentioned in a previous message, and that may lead to a request smuggling
attack. All users must update.

Another important fix for some users is the relaxed double-slash rule in
the H2 parser, because the previous H2 fixes would (rightfully) block
requests starting with "//" due to a bug in the H2 spec itself! The nice
thing is that it allowed us to spot and fix a bug in the spec :-)

A recent fix for "option abortonclose" has resulted in an issue for a
user who sometimes sees some streams looping. The fix was reverted for
now as the situation is worse than before, and the issue is still under

The remaining fixes are less important:
  - use thread-safe versions of localtime()/gmtime() in the ltime/utime
    converters; previously it was theoretically possible to occasionally
    retrieve a bad date under high thread contention

  - fix for incorrect output size check in the base64dec/base64urldec
    converters that could write up to 2 extra bytes, but normally they're
    always used with outputs having sufficient room so I can't figure a
    case where it could have represented a practical problem.

  - tune.bufsize is now checked for being smaller than 256 MB in HTX mode
    (that's the hard limit).

  - Lua's initialization of sample converters now uses strlcpy2() and not
    strncpy(), as this last one used to fill the entire buffer with zeroes,
    resulting in a measurable startup time when using large buffers (a
    second or so with 1 MB buffers).

  - the sc-set-gpt* action parser was off by one argument and was ignoring
    one word before the "if" condition, forcing users to write garbage
    there (or a second "if").

  - the idle time computation would overflow for sleep times greater than
    42 seconds and could mistakenly report low idle values under low load.
    The idle value reported in the stats will now also reflect the process
    wide value and not the randomly picked thread's value.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Christopher Faulet (1):
      Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"

Dragan Dosen (2):
      BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
      BUG/MINOR: base64: base64urldec() ignores padding in output size check

Tim Duesterhus (3):
      BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
      BUG/MINOR: tools: Fix loop condition in dump_text()
      CLEANUP: Add missing include guard to signal.h

Willy Tarreau (15):
      BUG/MEDIUM: h2: match absolute-path not path-absolute for :path
      REGTESTS: http_upgrade: fix incorrect expectation on TCP->H1->H2
      REGTESTS: abortonclose: after retries, 503 is expected, not close
      MINOR: hlua: take the global Lua lock inside a global function
      BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions
      MINOR: compiler: implement an ONLY_ONCE() macro
      BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
      BUG/MINOR: time: fix idle time computation for long sleeps
      MINOR: time: add report_idle() to report process-wide idle time
      BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
      BUG/MINOR: vars: fix set-var/unset-var exclusivity in the keyword parser
      DOC: configuration: remove wrong tcp-request examples in tcp-response
      BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
      CLEANUP: htx: remove comments about "must be < 256 MB"
      BUG/MAJOR: htx: fix missing header name length check in 
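
The base64dec/base64urldec item above concerns an output size check that did not match what the decoder writes when the input ends in padding. As an added example (not HAProxy's code and not part of the original announcement), the hypothetical `b64_decode_bounded()` below decodes the standard alphabet and compares each group's real byte count with the room left before writing; the sample input and canary byte are constructed.

```c
#include <stdio.h>

/* Added illustration, not HAProxy code: map one base64 character. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return (c == '+') ? 62 : (c == '/') ? 63 : -1;
}

/* Returns the decoded length, -1 on malformed input, -2 if <out> is too small. */
int b64_decode_bounded(const char *in, size_t ilen, unsigned char *out, size_t olen)
{
    size_t i, j, o = 0, pad = 0;

    if (ilen % 4)
        return -1;
    /* padding is only legal as the last one or two characters */
    if (ilen && in[ilen - 1] == '=')
        pad = (in[ilen - 2] == '=') ? 2 : 1;

    for (i = 0; i < ilen; i += 4) {
        unsigned int quad = 0;
        /* bytes this group really yields: 3, minus padding on the last one */
        size_t n = (i + 4 == ilen) ? 3 - pad : 3;

        for (j = 0; j < 4; j++) {
            /* positions past n are the '=' padding counted above */
            int v = (j > n) ? 0 : b64_val((unsigned char)in[i + j]);
            if (v < 0)
                return -1;
            quad = (quad << 6) | (unsigned int)v;
        }
        /* compare what is about to be written with the room left */
        if (n > olen - o)
            return -2;
        for (j = 0; j < n; j++)
            out[o++] = (unsigned char)(quad >> (16 - 8 * j));
    }
    return (int)o;
}

int main(void)
{
    unsigned char buf[2] = { 0, 0xAA };  /* constructed: 1 usable byte + canary */
    int ret = b64_decode_bounded("QQ==", 4, buf, 1);
    printf("ret=%d byte=%c canary=%02x\n", ret, buf[0], buf[1]);
    return 0;
}
```

Because the check uses the per-group count, a one-byte buffer accepts `QQ==` without touching the byte after it, and a buffer that is one byte short is refused before any write to that group.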

