Hi,

HAProxy 2.5.7 was released on 2022/05/13. It added 43 new commits
after version 2.5.6.

This release fixed a regression in the H1 multiplexer, introduced in the
previous release. If an H2 message announced the payload size with a
Content-Length header and contained trailers, an internal error was
triggered during forwarding on the other side, in the H1 multiplexer.

A major issue in the DNS part was also fixed. A concurrency issue that could
lead to a crash when a DNS request was failing. Because of some missing
locks on dgram structure, it was possible to set the UDP socket FD to -1 on
a thread while it was used to access to fdtab array on another one.

Willy performed a refactoring of applets in the 2.6-dev, especially the
CLI applet. During his refactoring, he fixes several issues with CLI
commands. "show resolvers" command was not properly yielding, "show backend"
was dumping the state of internal proxies, Some locks were missing in "show
map" command, SSL commands were mixing 2 internal context inside the same
union, and so on. It is very unlikely to have ever hit any issues related to
one of these bugs, but not impossible though.

Here is the list of other issues fixed by this release:

 * A server abort or a server timeout could be experienced with FCGI backend
   connections when the END_REQUEST record was delayed for responses with no
   content-length.

 * There was a memory leak in the redirect rules with ignore-empty option. The
   rule processing could be aborted without releasing the allocated trash
   buffer.

 * There was a memory leak during deinit stage on the resolvers part. Tim
   fixed it.

 * There was an issue in the loop consuming HTX blocks or the response in
   the HTTP client. HTX api was not properly used and could lead to
   undefined behaviors.

 * Lua functions to delete data into a channel's buffer or in an HTTP
   message were not properly handling arguments.

 * A timing issue could lead to some delay in the server-side connection
   establishment. It was a tricky issue, but sometimes the server-side
   connection attempts were only validated after the "timeout connect"
   value, and only with H2 clients.

 * H2 streams were marked as open after processing it instead of before. It
   could be an issue when a client didn't respect the H2
   MAX_CONCURRENT_STREAMS setting because the max_id was only updated on the
   success path. Thus, under some circumstances a connection error could be
   reported instead of a stream error.

 * The watchdog could be erroneously triggered because an uninitialized value
   was not tested. It was possible to encounter this issue in the master
   just after loading the configuration.

 * Some shared pools were not properly released on exit.

 * It was reported the maximum line length on the server-state file was too
   small. It was increased to 2kB.

In addition, some improvements were backported:

 * "close-spread-time" option may now be set to "infinite". This disables
   active connection closing during a soft-stop. The 'connection: close'
   header or the GOAWAY frame will not be added anymore to the server's
   response and active connections will only be closed once the clients
   disconnect. Idle connections will not be closed all at once when the
   soft-stop starts anymore, and each idle connection will follow its own
   timeout based on the multiple timeouts set in the configuration (as is
   the case during regular execution).

 * "h1-accept-payload-with-any-method" global option was added to accept
   HTTP/1.1 GET/HEAD/DELETE requests with payload. Those requests are
   rejected by default for security reasons, to avoid request smuggling
   attack on some servers or intermediaries. But it may be an issue with
   some old clients. This option must be set with caution.

 * "tune.ssl.hard-maxrecord" global option was added. This settings
   complements the existing "tune.ssl.maxrecord" that was only used during
   low-latency transfers to permit browsers to start to parse the response
   during the first RTT. The new one enforces the limit on all records, and
   helps interoperate with low-memory footprint IoT devices which cannot
   deal with a 16kB record.

Thanks everyone for your help and your contributions !

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages


---
Complete changelog :
Boyang Li (2):
      BUG/MEDIUM: lua: fix argument handling in data removal functions
      DOC/MINOR: fix typos in the lua-api document

Christopher Faulet (7):
      BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty 
option
      BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response 
channel
      BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX 
message
      BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was 
specified
      DOC: config: Update doc for PR/PH session states to warn about rewrite 
failures
      MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
      CLEANUP: mux-h1: Fix comments and error messages for global options

Emeric Brun (1):
      BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket

Ilya Shipitsin (2):
      CI: github actions: update LibreSSL to 3.5.2
      CI: dynamically determine actual version of h2spec

Remi Tricot-Le Breton (2):
      MINOR: connection: Add way to disable active connection closing during 
soft-stop
      BUG/MINOR: ssl: Fix typos in crl-file related CLI commands

Thomas Pr├╝ckl (1):
      MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"

Tim Duesterhus (1):
      BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()

William Lallemand (4):
      BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
      BUG/MINOR: startup: usage() when no -cc arguments
      BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
      BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized

Willy Tarreau (22):
      BUILD: compiler: properly distinguish weak and global symbols
      BUG/MINOR: pools: make sure to also destroy shared pools in 
pool_destroy_all()
      SCRIPTS: announce-release: add URL of dev packages
      BUG/MINOR: mux-h2: mark the stream as open before processing it not after
      MINOR: mux-h2: report a trace event when failing to create a new stream
      BUG/MEDIUM: resolvers: make "show resolvers" properly yield
      BUG/MEDIUM: cli: make "show cli sockets" really yield
      BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
      BUG/MINOR: map/cli: protect the backref list during "show map" errors
      BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s 
init
      BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl 
contexts
      BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl 
contexts
      BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
      BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
      DOC: fix typo "ant" for "and" in INSTALL
      BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
      BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
      BUILD: listener: shut report of possible null-deref in listener_accept()
      BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
      DOC: install: update gcc version requirements
      BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
      CLEANUP: applet: make appctx_new() initialize the whole appctx

vigneshsp (1):
      BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 
bytes).

--
Christopher Faulet

Reply via email to