Hi,

HAProxy 2.2.17 was released on 2021/09/07. It added 18 new commits
after version 2.2.16.

This version essentially aims at fixing the HTX header encoding issue
mentioned in a previous message, and that may lead to a request smuggling
attack. All users must update.

Another important fix for some users is the relaxed double-slash rule in
the H2 parser, because the previous H2 fixes would (rightfully) block
requests starting by "//" due to a bug in the H2 spec itself! The nice
thing is that it allowed to spot and fix a bug in the spec :-)

A recent fix for "option abortonclose" has resulted in an issue for a
user who sometimes sees some streams looping. The fix was reverted for
now as the situation is worse than before, and the issue is still under
investigation.

A failed backport of a recent fix in 2.2.16 for early connection failures
was better addressed this time. It would manifest itself by high CPU usage
on certain threads, with the poller reporting the same FDs all the time.

The remaining fixes are less important:
  - use thread-safe versions of localtime()/gmtime() in the ltime/utime
    converters; previously it was theoretically possible to occasionally
    retrieve a bad date under high thread contention

  - fix for incorrect output size check in the base64dec/base64urldec
    converters that could write up to 2 extra bytes, but normally they're
    always used with outputs having sufficient room so I can't figure a
    case where it could have represented a practical problem.

  - tune.bufsize is now checked for being smaller than 256 MB in HTX mode
    (that's the hard limit).

  - Lua's initialization of sample converters now uses strlcpy2() and not
    strncpy(), as this last one used to fill the entire buffer with zeroes,
    resulting in a measurable startup time when using large buffers (a
    second or so with 1 MB buffers).

  - the sc-set-gpt* action parser was off by one argument and was ignoring
    one word before the "if" condition, forcing to write garbage there (or
    a second "if").

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (2):
      Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn 
may receive"
      MINOR: action: Use a generic function to check validity of an action rule 
list

Dragan Dosen (1):
      BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}

Tim Duesterhus (3):
      BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
      BUG/MINOR: tools: Fix loop condition in dump_text()
      CLEANUP: Add missing include guard to signal.h

Willy Tarreau (12):
      BUG/MEDIUM: h2: match absolute-path not path-absolute for :path
      BUG/MEDIUM: sock: really fix detection of early connection failures in 
for 2.3-
      REGTESTS: abortonclose: after retries, 503 is expected, not close
      BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions
      MINOR: compiler: implement an ONLY_ONCE() macro
      BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
      BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
      DOC: configuration: remove wrong tcp-request examples in tcp-response
      BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
      CLEANUP: htx: remove comments about "must be < 256 MB"
      BUG/MAJOR: htx: fix missing header name length check in 
htx_add_header/trailer
      REGTESTS: mark http_abortonclose as broken

---

Reply via email to