Hi,
HAProxy 2.2.17 was released on 2021/09/07. It added 18 new commits
after version 2.2.16.
This version essentially aims at fixing the HTX header encoding issue
mentioned in a previous message, which may lead to a request smuggling
attack. All users must update.
Another important fix for some users is the relaxed double-slash rule in
the H2 parser, because the previous H2 fixes would (rightfully) block
requests starting with "//" due to a bug in the H2 spec itself! The nice
thing is that it allowed us to spot and fix a bug in the spec :-)
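To illustrate the double-slash issue, here is an added example (not HAProxy's code) contrasting the two grammars: RFC 3986 path-absolute, which the H2 spec referenced for :path, against RFC 7230 absolute-path. It follows the RFC 3986 pchar rule and leaves out the query part of :path.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* RFC 3986 pchar; returns its byte length (1, or 3 for %XX), 0 if none. */
static size_t pchar_len(const char *s, size_t len)
{
    unsigned char c = len ? (unsigned char)s[0] : 0;
    if (c == '%')
        return (len >= 3 && isxdigit((unsigned char)s[1]) &&
                isxdigit((unsigned char)s[2])) ? 3 : 0;
    return (c && (isalnum(c) || strchr("-._~!$&'()*+,;=:@", c))) ? 1 : 0;
}

/* segment = *pchar: length of the longest run of pchars at s */
static size_t segment_len(const char *s, size_t len)
{
    size_t i = 0, n;
    while ((n = pchar_len(s + i, len - i)) != 0)
        i += n;
    return i;
}

/* RFC 3986 path-absolute = "/" [ segment-nz *( "/" segment ) ]:
 * the first segment must be non-empty, so "//foo" is rejected. */
bool is_path_absolute(const char *p)
{
    size_t len = strlen(p), i = 1, n;
    if (len == 0 || p[0] != '/') return false;
    if (i == len) return true;                       /* bare "/" */
    if ((n = segment_len(p + i, len - i)) == 0) return false;
    for (i += n; i < len; i++) {
        if (p[i] != '/') return false;               /* e.g. '?' or a space */
        i += segment_len(p + i + 1, len - i - 1);
    }
    return true;
}

/* RFC 7230 absolute-path = 1*( "/" segment ): every segment may be empty,
 * so "//foo" is a valid path and must be accepted. */
bool is_absolute_path(const char *p)
{
    size_t len = strlen(p), i;
    if (len == 0) return false;
    for (i = 0; i < len; i++) {
        if (p[i] != '/') return false;
        i += segment_len(p + i + 1, len - i - 1);
    }
    return true;
}
```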
A recent fix for "option abortonclose" has resulted in an issue for a
user who sometimes sees some streams looping. The fix was reverted for
now as the situation is worse than before, and the issue is still under
investigation.
A failed backport of a recent fix in 2.2.16 for early connection failures
was better addressed this time. It would manifest itself by high CPU usage
on certain threads, with the poller reporting the same FDs all the time.
The remaining fixes are less important:
- use thread-safe versions of localtime()/gmtime() in the ltime/utime
converters; previously it was theoretically possible to occasionally
retrieve a bad date under high thread contention
- fix for incorrect output size check in the base64dec/base64urldec
converters that could write up to 2 extra bytes, but normally they're
always used with outputs having sufficient room so I can't figure out a
case where it could have represented a practical problem.
- tune.bufsize is now checked for being smaller than 256 MB in HTX mode
(that's the hard limit).
- Lua's initialization of sample converters now uses strlcpy2() and not
strncpy(), as this last one used to fill the entire buffer with zeroes,
resulting in a measurable startup time when using large buffers (a
second or so with 1 MB buffers).
- the sc-set-gpt* action parser was off by one argument and was ignoring
one word before the "if" condition, forcing users to write garbage there
(or a second "if").
Please find the usual URLs below:
Site index: http://www.haproxy.org/
Discourse: http://discourse.haproxy.org/
Slack channel: https://slack.haproxy.org/
Issue tracker: https://github.com/haproxy/haproxy/issues
Wiki: https://github.com/haproxy/wiki/wiki
Sources: http://www.haproxy.org/download/2.2/src/
Git repository: http://git.haproxy.org/git/haproxy-2.2.git/
Git Web browsing: http://git.haproxy.org/?p=haproxy-2.2.git
Changelog: http://www.haproxy.org/download/2.2/src/CHANGELOG
Cyril's HTML doc: http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Christopher Faulet (2):
Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"
MINOR: action: Use a generic function to check validity of an action rule list
Dragan Dosen (1):
BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
Tim Duesterhus (3):
BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
BUG/MINOR: tools: Fix loop condition in dump_text()
CLEANUP: Add missing include guard to signal.h
Willy Tarreau (12):
BUG/MEDIUM: h2: match absolute-path not path-absolute for :path
BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
REGTESTS: abortonclose: after retries, 503 is expected, not close
BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions
MINOR: compiler: implement an ONLY_ONCE() macro
BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
DOC: configuration: remove wrong tcp-request examples in tcp-response
BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
CLEANUP: htx: remove comments about "must be < 256 MB"
BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
REGTESTS: mark http_abortonclose as broken
---