as we are close to 2.5, can the following remaining Coverity issues be addressed ? at least I'm aware of possible null pointer deref
src/stream_interface.c: insecure data handling suspected by coverity · Issue #1405 · haproxy/haproxy (github.com) <https://github.com/haproxy/haproxy/issues/1405> src/stick_table.c: unchecked return value suspected by coverity · Issue #1163 · haproxy/haproxy (github.com) <https://github.com/haproxy/haproxy/issues/1163> Null pointer dereference suspected by coverity · Issue #1434 · haproxy/haproxy (github.com) <https://github.com/haproxy/haproxy/issues/1434> сб, 6 нояб. 2021 г. в 14:11, Willy Tarreau <[email protected]>: > Hi, > > HAProxy 2.5-dev13 was released on 2021/11/06. It added 35 new commits > after version 2.5-dev12. > > These are the last-mile fixes and cleanups for this release. > > - the backend support for WebSocket over HTTP/2 was adjusted to allow > WebSocket to use HTTP/1 even if HTTP traffic uses HTTP/2. There were > indeed some users complaining about broken WebSocket when H2 is > enabled on the backend side because their servers did not yet support > WebSocket over HTTP/2. With this, haproxy will offer WS over HTTP/2 > even if the server runs HTTP/2 without it, and haproxy will use HTTP/1 > connections to the server for WS. The new server keyword to tune this > is "ws". This part will be backported to 2.4 to fix the issues that > these users are facing. More improvements are planned (autodetection) > but they do present certain shortcomings in case servers would restart > and change their status, so they were kept on hold for now. > > - the fc_conn_err and bc_conn_err sample fetch functions which return the > frontend connection and backend connection error codes were renamed to > "fc_err" and "bc_err" to be consistent with the other ones, as "fc" and > "bc" already stand for "frontend connection" and "backend connection". > No need for the confusing redundancy. This may possibly break some > configs if you were using them on a development version, but better fix > that before they're part of a final release. > > - as discussed a few days ago, the frontend connection's SNI was added to > the HTTPS log format. It was placed just before the SSL version and > ciphers, delimited with a '/' so that even if an empty one is sent, > there is no ambiguity on the field parsing. > > - some of the DNS stats counters were split into their own resolvers > stats, because they were really resolver events rather than DNS > protocol level events. This could make a difference when we later > implement support for DNS load balancing. > > - a warning is now sent when "compression offload" is used in a defaults > section, because that does nothing. While the doc was already clear > about it, it used to be accepted by the config parser, so we cannot > really error on it now at the risk of breaking some harmless configs. > However a warning does seem appropriate at least. > > - small fixes and updates on JWT, resolvers, and QUIC > > - build instructions for QUIC and quictls were added to the INSTALL file > > - an example error-log-format was added to the doc, as it wasn't exactly > trivial. We think it covers most use cases, so with a bit of luck it > will often be copy-pasted and generalized. > > - more code cleanups, doc updates, and regtest cleanups > > Yesterday while reviewing optimal logging options for HTTPS with William, > we noticed that some sample-fetch functions are missing to retrieve the > certificate check status on the backend, or extract the backend's TLS > version or SNI. The code already exists (we even did most of it on the > fly just to test) but I didn't want to rush a last-minute set of new > sample-fetch functions, whose tests and documentation would needlessly > delay this release. I will probably add them later next week or after the > release, and they're low-importance details that can trivially be > backported if we want. > > I've told Björn not to rush his patches on Multi-path TCP. While they're > trivial and certainly harmless, there's no reason to hurry on this at the > last minute and risk to make mistakes, we'll have plenty of time to > complete > this work later. MPTCP is still young, and if there's some demand, once > merged the backport should even be trivial to perform. > > I expect a few more doc updates, makefile reorderings/cleanups, regtests, > bug fixes, maybe a few more sample-fetch functions and converters, some > more tests on various machine sizes, and if everything's good we could > release by the end of next week. > > So, please test it. If you can't take any risk on your production, at the > very least please check that it properly loads your configuration and/or > that any warning or error is expected, that could save you some precious > time later ;-) > > Please find the usual URLs below : > Site index : http://www.haproxy.org/ > Discourse : http://discourse.haproxy.org/ > Slack channel : https://slack.haproxy.org/ > Issue tracker : https://github.com/haproxy/haproxy/issues > Wiki : https://github.com/haproxy/wiki/wiki > Sources : http://www.haproxy.org/download/2.5/src/ > Git repository : http://git.haproxy.org/git/haproxy.git/ > Git Web browsing : http://git.haproxy.org/?p=haproxy.git > Changelog : http://www.haproxy.org/download/2.5/src/CHANGELOG > Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ > > Willy > --- > Complete changelog : > Amaury Denoyelle (8): > MINOR: mux-h2: add trace on extended connect usage > BUG/MEDIUM: mux-h2: reject upgrade if no RFC8441 support > MINOR: stream/mux: implement websocket stream flag > MINOR: connection: implement function to update ALPN > MINOR: connection: add alternative mux_ops param for > conn_install_mux_be > MEDIUM: server/backend: implement websocket protocol selection > MINOR: server: add ws keyword > DOC: add QUIC instruction in INSTALL > > Christopher Faulet (2): > MINOR: backend: Get client dst address to set the server's one only > if needful > MINOR: compression: Warn for 'compression offload' in defaults > sections > > Emeric Brun (4): > BUG/MINOR: resolvers: fix sent messages were counted twice > BUG/MINOR: resolvers: throw log message if trash not large enough > for query > MINOR: resolvers/dns: split dns and resolver counters in dns_counter > struct > MEDIUM: resolvers: rename dns extra counters to resolvers extra > counters > > Frédéric Lécaille (5): > MINOR: quic: Allocate listener RX buffers > CLEANUP: quic: Remove useless code > MINOR: quic: Enhance the listener RX buffering part > MINOR: quic: Remove a useless lock for CRYPTO frames > MINOR: quic: Use QUIC_LOCK QUIC specific lock label. > > Remi Tricot-Le Breton (1): > BUG/MINOR: jwt: Fix jwt_parse_alg incorrectly returning JWS_ALG_NONE > > Tim Duesterhus (7): > MINOR: jwt: Make invalid static JWT algorithms an error in > `jwt_verify` converter > CLEANUP: halog: Remove dead stores > DEV: coccinelle: Add ha_free.cocci > CLEANUP: Apply ha_free.cocci > DEV: coccinelle: Add rule to use `istnext()` where possible > CLEANUP: Apply ist.cocci > REGTESTS: Use `feature cmd` for 2.5+ tests (2) > > Willy Tarreau (8): > SCRIPTS: git-show-backports: re-enable file-based filtering > DOC: internals: move some API definitions to an "api" subdirectory > MEDIUM: connection: rename fc_conn_err and bc_conn_err to fc_err and > bc_err > DOC: configuration: move the default log formats to their own section > MINOR: ssl: make the ssl_fc_sni() sample-fetch function always > available > MEDIUM: log: add the client's SNI to the default HTTPS log format > DOC: config: add an example of reasonably complete error-log-format > DOC: config: move error-log-format before custom log format > > --- > >
