Hi,

HAProxy 2.4.4 was released on 2021/09/07. It added 21 new commits
after version 2.4.3.

This version essentially aims at fixing the HTX header encoding issue
mentioned in a previous message, which may lead to a request smuggling
attack. All users must update.

Another important fix for some users is the relaxed double-slash rule in
the H2 parser, because the previous H2 fixes would (rightfully) block
requests starting with "//" due to a bug in the H2 spec itself! The nice
thing is that it allowed us to spot and fix a bug in the spec :-)

A recent fix for "option abortonclose" has resulted in an issue for a
user who sometimes sees some streams looping. The fix was reverted for
now as the situation is worse than before, and the issue is still under
investigation.

The remaining fixes are less important:
- use thread-safe versions of localtime()/gmtime() in the ltime/utime
converters; previously it was theoretically possible to occasionally
retrieve a bad date under high thread contention
- fix for incorrect output size check in the base64dec/base64urldec
converters that could write up to 2 extra bytes, but normally they're
always used with outputs having sufficient room so I can't figure a
case where it could have represented a practical problem.
- tune.bufsize is now checked for being smaller than 256 MB in HTX mode
(that's the hard limit).
- Lua's initialization of sample converters now uses strlcpy2() and not
strncpy(), as this last one used to fill the entire buffer with zeroes,
resulting in a measurable startup time when using large buffers (a
second or so with 1 MB buffers).
- the sc-set-gpt* action parser was off by one argument and was ignoring
one word before the "if" condition, forcing one to write garbage there (or
a second "if").
- the idle time computation would overflow for sleep times greater than
42 seconds and could mistakenly report low idle values under low load.
The idle value reported in the stats will now also reflect the process
wide value and not the randomly picked thread's value.
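The base64dec/base64urldec item above is about an output size check, and the second base64 commit in this release is about that check accounting for '=' padding. As an added example (not HAProxy's own base64dec() code; function names such as b64_decode_checked and b64_check are assumptions), here is a standalone decoder for both the standard and the URL-safe alphabet that computes the padding-aware decoded length and refuses to write anything when the destination is too small, plus a canary-buffer helper that verifies no byte past the offered capacity is ever touched. The sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical standalone decoder, not HAProxy's base64dec(). */

/* Map one alphabet character to its 6-bit value, -1 if invalid.
 * urlsafe selects the base64url alphabet ('-' and '_' for 62 and 63). */
static int b64_val(char c, int urlsafe)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == (urlsafe ? '-' : '+')) return 62;
    if (c == (urlsafe ? '_' : '/')) return 63;
    return -1;
}

/* Decoded size of a padded base64 input of ilen chars, or -1 if ilen is
 * not a multiple of 4. Trailing '=' padding reduces the size; ignoring
 * it over-estimates the output and defeats the boundary check. */
long b64_decoded_len(const char *in, size_t ilen)
{
    size_t pad = 0;
    if (ilen == 0) return 0;
    if (ilen % 4 != 0) return -1;
    if (in[ilen - 1] == '=') pad++;
    if (in[ilen - 2] == '=') pad++;
    return (long)(ilen / 4 * 3 - pad);
}

/* Decode in[0..ilen) into out (capacity olen). Returns bytes written, or
 * -1 on malformed input or when the output buffer is too small. The size
 * check happens before any byte is written, so a short destination is
 * rejected instead of overrun. */
long b64_decode_checked(const char *in, size_t ilen, int urlsafe,
                        unsigned char *out, size_t olen)
{
    long need = b64_decoded_len(in, ilen);
    size_t i, o = 0;

    if (need < 0 || (size_t)need > olen) return -1;

    for (i = 0; i < ilen; i += 4) {
        int v[4], k, n = 3;          /* n = bytes produced by this group */
        unsigned long bits;

        for (k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' is only valid in the last two slots of the final group */
                if (i + 4 != ilen || k < 2) return -1;
                v[k] = 0;
                n--;
            } else {
                v[k] = b64_val(c, urlsafe);
                if (v[k] < 0) return -1;
            }
        }
        if (in[i + 2] == '=' && in[i + 3] != '=') return -1;  /* "xx=y" */

        bits = ((unsigned long)v[0] << 18) | ((unsigned long)v[1] << 12) |
               ((unsigned long)v[2] << 6) | (unsigned long)v[3];
        if (n >= 1) out[o++] = (unsigned char)(bits >> 16);
        if (n >= 2) out[o++] = (unsigned char)(bits >> 8);
        if (n >= 3) out[o++] = (unsigned char)bits;
    }
    return (long)o;
}

/* Test helper: decode into a canary-filled buffer of which only olen bytes
 * are offered, then verify the result and that nothing past olen was
 * written. expect == NULL means the call is expected to be rejected. */
int b64_check(const char *in, int urlsafe, size_t olen, const char *expect)
{
    unsigned char buf[64];
    long n;
    size_t i;

    if (olen > sizeof(buf)) return 0;
    memset(buf, 0xAA, sizeof(buf));
    n = b64_decode_checked(in, strlen(in), urlsafe, buf, olen);
    for (i = olen; i < sizeof(buf); i++)
        if (buf[i] != 0xAA) return 0;           /* overrun past capacity */
    if (expect == NULL) return n == -1;
    return n == (long)strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}

int main(void)
{
    unsigned char out[8];
    long n = b64_decode_checked("aGVsbG8=", 8, 0, out, sizeof(out));
    printf("decoded %ld bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("4-byte buffer: %ld\n", b64_decode_checked("aGVsbG8=", 8, 0, out, 4));
    return 0;
}
```

The point of the design is that the capacity check uses the same padding arithmetic as the decoding loop, so the number of bytes the loop emits can never exceed what the check approved; without the padding term, "aGVsbG8=" would be sized at 6 bytes while only 5 are produced, and the mismatch is exactly what lets a check be off by one or two bytes.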
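The ltime/utime item above replaces localtime()/gmtime(), which hand back a pointer to one static buffer shared by every thread, with reentrant variants that write into caller-owned storage. As an added example (not HAProxy's code; format_utc and format_utc_matches are assumed names), here is a timestamp formatter built on POSIX gmtime_r() with a struct tm on the caller's stack, so two threads formatting at the same moment cannot read each other's half-written result.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Format t as "YYYY/MM/DD HH:MM:SS" in UTC. gmtime_r() writes into the
 * caller-owned struct tm, so concurrent callers cannot observe each
 * other's partially written result, unlike gmtime()'s shared static
 * buffer. Returns the number of characters written, or -1. */
int format_utc(time_t t, char *out, size_t olen)
{
    struct tm tm;
    int n;

    if (gmtime_r(&t, &tm) == NULL) return -1;
    n = snprintf(out, olen, "%04d/%02d/%02d %02d:%02d:%02d",
                 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
                 tm.tm_hour, tm.tm_min, tm.tm_sec);
    if (n < 0 || (size_t)n >= olen) return -1;   /* truncated: reject */
    return n;
}

/* Test helper: 1 if format_utc(t) yields exactly expect. */
int format_utc_matches(time_t t, const char *expect)
{
    char buf[32];
    return format_utc(t, buf, sizeof(buf)) > 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[32];
    /* 1630972800 is 2021/09/07 00:00:00 UTC, the release date of 2.4.4 */
    if (format_utc(1630972800, buf, sizeof(buf)) > 0)
        printf("%s\n", buf);
    return 0;
}
```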
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.4/src/
Git repository : http://git.haproxy.org/git/haproxy-2.4.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
Changelog : http://www.haproxy.org/download/2.4/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (1):
Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"

Dragan Dosen (2):
BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
BUG/MINOR: base64: base64urldec() ignores padding in output size check

Tim Duesterhus (3):
BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
BUG/MINOR: tools: Fix loop condition in dump_text()
CLEANUP: Add missing include guard to signal.h

Willy Tarreau (15):
BUG/MEDIUM: h2: match absolute-path not path-absolute for :path
REGTESTS: http_upgrade: fix incorrect expectation on TCP->H1->H2
REGTESTS: abortonclose: after retries, 503 is expected, not close
MINOR: hlua: take the global Lua lock inside a global function
BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions
MINOR: compiler: implement an ONLY_ONCE() macro
BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
BUG/MINOR: time: fix idle time computation for long sleeps
MINOR: time: add report_idle() to report process-wide idle time
BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
BUG/MINOR: vars: fix set-var/unset-var exclusivity in the keyword parser
DOC: configuration: remove wrong tcp-request examples in tcp-response
BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
CLEANUP: htx: remove comments about "must be < 256 MB"
BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
---