HAProxy 2.6.2 was released on 2022/07/22. It added 58 new commits
after version 2.6.1.

Several issues about QUIC were fixed in this release. A memory leak was
fixed on datagrams receipt. It was possible to erroneously report a protocol
violation when stream data were received with a partially new offset with
some data already consumed out of the RX buffer. It was fixed by properly
updating the buffer state. To respect RFC9000, a CONNECTION_CLOSE frame with
APPLICATION_ERROR code is now sent instead of CONNECTION_CLOSE_APP code in
an Initial or Handshake packet. the QUIC multiplexer is now properly dealing
with chunk-encoded server responses. The FIN bit was missing on the last
frame and the client was waiting indefinitely for it. We now ensure that all
data were received to signal the end of data. Indeed, it is possible to
receive the STREAM FIN while some data are missing. QUIC support was also
improved. New counters were added to diagnose RX buffer overrun. The
datagrams receipt was improved, reducing the latency: the RX buffer size was
increased to 64kB and we try to fulfill it as much as possible at each I/O
handler call.

In addition, here are main other issues fixed in this release:

 * Some peer sessions could be blocked during a reload because the connect
   expiration data was reset by the frontend side while it must only be
   reset by the backend side. This prevented old workers to die. This issue
   was introduced in 2.6, during the conn-stream refactoring.

 * Crashes could be experienced during hot-upgrade from 2.4 to 2.6 because
   old worker was still identified as a running worker.

 * HAProxy could crash on old Glibc on dlsym() function call if it is
   statically built.

 * Several "show thread" commands running in loop could provoke segfaults
   because of a null pointer dereference.

 * Some sessions could leak because connection errors were ignored by the H1
   multiplexer during a synchronous send.

 * tunneled H1 sessions could be blocked when raw data were received before
   the end of the request analysis because of a wrong assumption on the
   request buffer emptiness.

 * A bug in The "method" sample fetch could lead to a crash if it was used
   in logs for errors triggered at the mux level.

 * In HTTP/1.1, the matching between the authority and the Host header value
   for CONNECT requests was buggy. An exact match was performed ignoring any
   normalization on the port. For CONNECT request the authority must contain
   the port but it may be omitted from the host header value for default
   ports (80 or 443). The matching was fixed to properly handle this case.

  * Unexpected FD close using SSL async engine could be experienced because
    the engine and HAProxy both closed it. To fix the issue a flag is now
    used to instruct HAProxy to not close the FD when the it is removed from
    the fdtab array.

  * Invalid 103-early-hints messages coud be generated when some
    "early-hint" rules were conditioned by ACLs.

  * Depending on the declaration order of "http-check send" and "option
    httpchk" directives, the configured headers could be ignored.

  * Duplicate certificates in ca-file directories were not properly handled
    because of an OpenSSL error. The error is now ignored.

  * Lookup for a private key in extra files was not ignored when it was
    already found in the pem file, while it should.

  * The HTTP scheme based normalization did not properly handle the URIs
    with userinfo. They were not preserved after the normalization process.

  * An internal error was reported when loadbalancing on source IP address
    was impossible. It could happens with SPOE applets or with clients
    connected to HAPRoxy via a unix socket. Now, when this happens, a
    fallback to round-robin is performed.

Thanks to everyone for this release. Enjoy !

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (8):
      MINOR: ncbuf: implement ncb_is_fragmented()
      BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
      MINOR: h3: add h3c pointer into h3s instance
      MINOR: h3: handle errors on HEADERS parsing/QPACK decoding
      MINOR: qpack: properly handle invalid dynamic table references
      BUG/MEDIUM: mux-quic: fix server chunked encoding response
      BUG/MINOR: quic: fix closing state on NO_ERROR code sent
      BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake

Benoit DOLEZ (1):
      BUILD: quic: fix anonymous union for gcc-4.4

Brad Smith (1):
      BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX

Christian Ruppert (1):
      BUILD: Makefile: Add Lua 5.4 autodetect

Christopher Faulet (16):
      BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is 
      BUG/MINOR: http-fetch: Use integer value when possible in "method" sample 
      BUG/MINOR: http-check: Preserve headers if not redefined by an implicit 
      BUG/MINOR: http-act: Properly generate 103 responses when several rules 
are used
      BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
      MINOR: http: Add function to get port part of a host
      MINOR: http: Add function to detect default port
      BUG/MEDIUM: h1: Improve authority validation for CONNCET request
      MINOR: http-htx: Use new HTTP functions for the scheme based normalization
      BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
      REGTEESTS: filters: Fix CONNECT request in random-forwarding script
      BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
      BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL 
      BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
      BUG/MEDIUM: stconn: Only reset connect expiration when processing backend 
      BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible

Emeric Brun (3):
      MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
      BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
      MINOR: fd: Add BUG_ON checks on fd_insert()

Frédéric Lécaille (13):
      BUG/MINOR: quic: Missing acknowledgments for trailing packets
      BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
      BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
      BUG/MAJOR: quic: Big RX dgrams leak with POST requests
      BUILD: quic+h3: 32-bit compilation errors fixes
      BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
      MINOR: quic: Add new stats counter to diagnose RX buffer overrun
      MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
      MINOR: task: Add tasklet_wakeup_after()
      MINOR: quic: Improvements for the datagrams receipt
      MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
      CLEANUP: h2: Typo fix in h2_unsubcribe() traces
      BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap

Ilya Shipitsin (1):
      CI: re-enable gcc asan builds

Remi Tricot-Le Breton (1):
      BUG/MINOR: ssl: Do not look for key in extra files if already in pem

William Lallemand (7):
      BUG/MINOR: peers: fix possible NULL dereferences at config parsing
      MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
      MINOR: resolvers: resolvers_destroy() deinit and free a resolver
      BUG/MINOR: resolvers: shut off the warning for the default resolvers
      BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
      BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
      BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload

Willy Tarreau (8):
      MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
      BUG/MINOR: peers/config: always fill the bind_conf's argument
      BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
      BUG/MINOR: debug: enter ha_panic() only once
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
      BUG/MINOR: tools: fix statistical_prng_range()'s output range
      BUILD: add detection for unsupported compiler models

Christopher Faulet

Reply via email to