Hi,

HAProxy 2.6.6 was released on 2022/09/21. It added 68 new commits
after version 2.6.5.

As usual, this release fixed several bugs:

  * Several bugs on the QUIC and h3 parts were fixed. Mainly:

    - It was possible to experience crashes when an HTTP/3 connection was
      released before having sent any data. The API was updated to properly
      handle this case.

    - The QUIC connection's nb_hreq counter, used to track the number of
      active HTTP requests, could be decremented too often. This led to
      crashes when HAProxy was built with DEBUG_STRICT=2. Otherwise, it was
      breaking the timeout logic for QUIC connections.

    - Data forwarded from the application layer to a reset QUIC stream
      instance were fully accounted but not consumed, leaving the
      corresponding channel into an inconsistent state. Because of this bug,
      some sessions were blocked infinitely with no activity and no way to
      recover.

    - QUIC streams could be remotely closed too early if the FIN bit was
      received before having received all the data. It was only an issue
      when HAProxy was built with DEBUG_STRICT=2.

    - It was possible to crash HAProxy when verifying certificates because,
      most of the time, the connection object was not yet initialized at
      this stage. A special case was added for QUIC to retrieve the quic_conn.

    - Crashes for the same reason could be experienced if "tls-ticket-keys"
      is used on QUIC bind lines.

  * It was possible to trigger the watchdog because of an extreme contention
    on the proxy's lock while the libc was in malloc()/free(). It was mainly
    due to the errors capture. A call to free() was under the lock with no
    special reason. The object is now released outside of the proxy's lock.

  * Pausing or resuming a proxy from Lua code could lead to races because
    these operations were performed outside the proxy's lock. To fix the
    issue and prevent any trouble, the proxy's API was slightly refactored
    to be sure the proxy's lock is always acquired by low-level functions.

  * It was possible to crash HAProxy when adding a server with a hostname
    from the CLI. In itself, it is not an issue, but the server is created
    with no address and an operation was not guarded against NULL addresses.

  * TCP sinks initialization was performed too early, leading to crashes
    when SSL is configured.

  * The character escaping process in log messages was not correctly
    processing strings coming from sample fetches, truncating the output
    string.


In addition, some improvements were brought:

  * Headers case adjustment in H1 is now available for TCP proxies. It was
    an issue for HTTP health-checks on backend side or for TCP connections
    upgraded to HTTP on frontend side.

  * The task profiling was fixed to be more accurate.

  * The stats applet was reporting paused frontends as OPEN. Now, these
    frontends are reported as PAUSED.

  * The number of updates sent at once during peers synchronization can now
    be limited. By default, the maximum number of updates is limited to 200
    and this can be tuned via the "tune.peers.max-updates-at-once" global
    parameter. The idea is to avoid some latency issues with large buffers
    which may trigger the watchdog in worst cases.

  * Encrypted passwords in userlists are now supported on NetBSD.

Thanks everyone for your help. A special thanks to Tristan for his help to
debug QUIC issues and make it more reliable. A 2.5 and 2.4 will be emitted
soon to bring some fixes shipped in the 2.6.5 and 2.6.6.


Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.6/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : https://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Amaury Denoyelle (9):
      BUG/MEDIUM: mux-quic: fix crash on early app-ops release
      CLEANUP: mux-quic: remove stconn usage in h3/hq
      BUG/MINOR: mux-quic: do not remotely close stream too early
      BUG/MEDIUM: mux-quic: fix nb_hreq decrement
      BUG/MINOR: mux-quic: do not keep detached qcs with empty Tx buffers
      REORG: mux-quic: extract traces in a dedicated source file
      REORG: mux-quic: export HTTP related function in a dedicated file
      MINOR: mux-quic: refactor snd_buf
      BUG/MEDIUM: mux-quic: properly trim HTX buffer on snd_buf reset

Aurelien DARRAGON (8):
      BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
      MINOR: listener: small API change
      MINOR: proxy/listener: support for additional PAUSED state
      BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN'
      CLEANUP: listener: function comment typo in stop_listener()
      BUG/MINOR: listener: null pointer dereference suspected by coverity
      BUG/MEDIUM: server: segv when adding server with hostname from CLI
      BUG/MINOR: log: improper behavior when escaping log data

Brad Smith (2):
      MINOR: Revert part of clarifying samples support per os commit
      BUILD: makefile: enable crypt(3) for NetBSD

Christopher Faulet (4):
      BUG/MINOR: h1: Support headers case adjustment for TCP proxies
      BUG/MINOR: task: Fix detection of tasks profiling in tasklet_wakeup_after()
      BUG/MINOR: mux-h1: Increment open_streams counter when H1 stream is created
      REGTESTS: healthcheckmail: Relax matching on the healthcheck log message

Emeric Brun (1):
      BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring.

Frédéric Lécaille (12):
      BUG/MINOR: quic: Retransmitted frames marked as acknowledged
      BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines
      BUG/MINOR: quic: Possible crash when verifying certificates
      MINOR: quic: Add traces about sent or resent TX frames
      MINOR: quic: No TRACE_LEAVE() in retrieve_qc_conn_from_cid()
      BUG/MINOR: quic: Wrong connection ID to thread ID association
      BUG/MINOR: quic: Speed up the handshake completion only one time
      BUG/MINOR: quic: Trace fix about packet number space information.
      BUG/MINOR: h3: Crash when h3 trace verbosity is "minimal"
      MINOR: h3: Add the quic_conn object to h3 traces
      MINOR: h3: Missing connection argument for a TRACE_LEAVE() argument
      MINOR: h3: Send the h3 settings with others streams (requests)

Ilya Shipitsin (4):
      CI: cirrus-ci: bump FreeBSD image to 13-1
      REGTESTS: ssl: adopt tests to OpenSSL-3.0.N
      REGTESTS: ssl: adopt tests to OpenSSL-3.0.N
      REGTESTS: ssl: fix grep invocation to use extended regex in ssl_generate_certificate.vtc

Mathias Weiersmueller (1):
      DOC: fix TOC in starter guide for subsection 3.3.8. Statistics

Matthias Wirth (1):
      BUG/MINOR: signals/poller: ensure wakeup from signals

William Lallemand (11):
      BUILD: quic: add some ifdef around the SSL_ERROR_* for libressl
      BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb
      BUILD: quic: temporarly ignore chacha20_poly1305 for libressl
      BUILD: quic: enable early data only with >= openssl 1.1.1
      BUILD: ssl: fix the ifdef mess in ssl_sock_initial_ctx
      BUILD: quic: fix the #ifdef in ssl_quic_initial_ctx()
      MINOR: quic: add QUIC support when no client_hello_cb
      BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
      REGTESTS: log: test the log-forward feature
      REGTESTS: ssl/log: test the log-forward with SSL
      MEDIUM: quic: separate path for rx and tx with set_encryption_secrets

Willy Tarreau (14):
      MEDIUM: peers: limit the number of updates sent at once
      BUG/MINOR: task: always reset a new tasklet's call date
      BUG/MINOR: task: make task_instant_wakeup() work on a task not a tasklet
      MINOR: task: permanently enable latency measurement on tasklets
      CLEANUP: task: rename ->call_date to ->wake_date
      BUG/MINOR: sched: properly account for the CPU time of dying tasks
      MINOR: sched: store the current profile entry in the thread context
      BUG/MINOR: stream/sched: take into account CPU profiling for the last call
      DEV: flags: fix usage message to reflect available options
      DEV: flags: add missing CO_FL_FDLESS connection flag
      CLEANUP: pollers: remove dead code in the polling loop
      BUG/MEDIUM: captures: free() an error capture out of the proxy lock
      BUILD: fd: fix a build warning on the DWCAS
      SCRIPTS: announce-release: update some URLs to https

cui fliter (1):
      CLEANUP: quic,ssl: fix tiny typos in C comments

--
Christopher Faulet
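
Added example, not part of the original announcement and not HAProxy's source: the error-capture fix described above (moving free() out of the proxy's lock), shown on a simplified model. Every name here (proxy_model, store_capture_*, the spinlock) is hypothetical, and it is assumed for illustration that the freed object is the previous capture being replaced.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model: every name here is hypothetical, not HAProxy's. */
struct capture { size_t len; char data[]; };
struct proxy_model {
    atomic_flag lock;           /* stands in for the proxy's lock */
    struct capture *last_err;   /* most recent error capture */
    unsigned frees_under_lock;  /* instrumentation for this example */
};
static _Thread_local int holding;  /* does this thread hold the lock? */
static void px_lock(struct proxy_model *p) {
    while (atomic_flag_test_and_set_explicit(&p->lock, memory_order_acquire)) ;
    holding = 1;
}
static void px_unlock(struct proxy_model *p) {
    holding = 0;
    atomic_flag_clear_explicit(&p->lock, memory_order_release);
}
static void capture_free(struct proxy_model *p, struct capture *c) {
    if (c && holding) p->frees_under_lock++;  /* allocator entered with lock held */
    free(c);
}
static struct capture *capture_new(const char *buf, size_t len) {
    struct capture *c = malloc(sizeof(*c) + len);
    if (c) { c->len = len; memcpy(c->data, buf, len); }
    return c;
}
/* Before: the previous capture is freed inside the critical section. */
int store_capture_locked_free(struct proxy_model *p, const char *buf, size_t len) {
    struct capture *c = capture_new(buf, len);
    if (!c) return -1;
    px_lock(p);
    capture_free(p, p->last_err);
    p->last_err = c;
    px_unlock(p);
    return 0;
}
/* After: only the pointer swap is locked; free() runs once the lock is dropped. */
int store_capture_deferred_free(struct proxy_model *p, const char *buf, size_t len) {
    struct capture *c = capture_new(buf, len), *old;
    if (!c) return -1;
    px_lock(p);
    old = p->last_err;
    p->last_err = c;
    px_unlock(p);
    capture_free(p, old);
    return 0;
}
```

The critical section in the second variant is two pointer stores, so a thread stalled inside the allocator no longer keeps every other thread spinning on the lock.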
