HAProxy 2.4.19 was released on 2022/09/28. It added 63 new commits
after version 2.4.18.

This release is very similar to the 2.5.9, released one week ago. There
is only a bug about resolvers, fixed in this release, but too late to be
shipped with the last 2.6 and 2.5 releases. It was possible to experience a
crash because of a use-after-free when a resolution was released. When a
resolution was aborted, it was not removed from the tree referencing all
pending requests. Thus it was still possible to get a reference on a
resolution in the same time it was released.

For other bugs fixed in this release, here is a cut-pasted list from the
2.5.9 announce:

  * There was an issue with the log-forward section, where a missing
    initialization due to code duplication caused some settings from "bind"
    lines to be ignored (ssl, thread, a few such things). There was the same
    issue with ring. The sink initialization was performed too early.

  * It was possible to trigger the watchdog because of an extreme contention
    on the proxy's lock while the libc was in malloc()/free(). It was mainly
    due to the errors capture. A call to free() was under the lock with no
    special reason. The object is now released outside of the proxy's lock.

  * Some ugly crashes saying "offset > buf->data" were reported when using
    the DNS (e.g. issue #1781), and it was found that it was using
    uninitialized fields in a structure. A pool_zalloc() was used to paper
    over it, since it's not even impossible that others fields are affected
    and that this part requires a deep breath before being dived into.

  * There was a logic bug in processing of option
    http-restrict-req-hdr-names that could cause deletion of a wrong header
    or a crash when facing multiple forbidden chars. This was reported in
    issue #1822, analysed and fixed by Mateusz Malek.

  * Server-side idle connections were often left in TIME_WAIT due to an
    undesired shutdown() being performed before closing them, resulting in
    more outgoing ports being used than really necessary.

  * Aborting pipelined HTTP/1.1 transfers could sometimes result in a high
    CPU usage until the timeout stroke.

  * An old bug in the H2 mux may cause spurious stream resets when uploading
    and downloading at the same time from the same stream, due to the window
    update frames having to be delayed when the output is full, and sent
    later after the stream ID was reset. Those using POST to servers might
    have experienced such occasional issues and might want to check for any
    improvement there. This was reported in issue #1830 and diagnosed by
    David le Blanc.

  * During atomic map updates of entries based on prefix length ("_ip" and
    "_beg"), if a new finer entry was added and matched an input before
    being committed, it was naturally ignored, but the lookup would continue
    with next keys without rechecking the key, possibly returning an
    incorrect match. This was reported by Miroslav in issue #1802.

  * Tim reported in issue #1799 that upon reload, and old process that
    failed to synchronize its tables with the new one could loop for a while
    without any pause and waste a lot of CPU doing this.

  * Reloading peers could compete on the local one and slow down or block
    the replication.

  * Reloading peers could interrupt a resync in progress if the retry timer
    triggered before the end.

  * The recently added assertion in fd_delete() already spotted a long
    existing bug on reload, where the FD that was used by the pipe of an
    exiting thread could be instantly reused as a socket by another thread
    and be incorrectly inserted in the table. Most of the time it remained
    unnoticed as these were mostly health checks on a reloading process, but
    since the assertion a few users started to see logs of a crash of the
    exiting process. This was reported both by Christian Ruppert in issue
    #1807 and by Cedric Paillet.

  * Pause or resume a proxy from lua code could lead to some race because
    these operations were performed outside the proxy's lock. To fix the
    issue and prevent any trouble, the proxy's API was slightly refactored
    to be sure the proxy's lock is always acquired by low-level functions.

  * There was an undesired sharing of data between default-servers that
    could lead to double-frees concretized by crashes when checking the
    config. This was reported in issue #1804 by Fabiano Nunes.

  * The ring section's "size" parser was too lax and would take "1M" for "1"
    without even issuing a warning... Also error messages regarding
    incorrect values would copy the input string instead of the parsed
    value, providing no way to diagnose.

  * There was a bug in the SPOE. In sync or pipelining modes, an unhealthy
    SPOA could led HAProxy to create a huge number of applets to process
    queued messages, slowing down all processing.

  * Willy managed to trigger an error on reload where the old process died
    saying "t->tid >= 0 && t->tid != tid". This is caused by the deinit code
    that needs to stop stuff initialized on other threads, and as such it
    violates some consistency checks. The check was relaxed to ignore the
    stopping condition.

  * Characters escaping process in log messages was not correctly processing
    strings coming from sample fetches truncating the output string.

  * Using HAProxy built with PCRE2_JIT with a lib built without would fail
    to match. Now it will fall back to the regular match.

  * Agent-check could be delayed by ~200ms due to TCP QUICKACK being
    disabled by default.

  * Reading from the rings could also occasionally freeze at high rate if
    the reader had to stop due to a buffer full while the writer had already
    stopped due to a ring full.

  * In Lua, it was possible to hand reading HTTP payload (by line or not)
    from an HTTP applet because we relied on a transiant HTX flags to detect
    the end of the message instead of relying on the channel flag.

  * A 60s delay could be experienced after stopping HAProxy. This was
    happening when a signal was received before entering the poller and
    without any activity on the process. In mworker mode, if a worker exited
    and the SIGCHLD signal was delivered at the right time to the master,
    this one could be stuck for 60s. The timeout is now set to 0 in this
    specific case.

  * In master-worker mode, it was reported that HAProxy was consuming too
    much memory because of a too high maxconn value. To limit memory
    consumption, the master is now using a default maxconn value in

  * In HTTP/1.1, the matching between the authority and the Host header value
    for CONNECT requests was buggy. An exact match was performed ignoring any
    normalization on the port. For CONNECT request the authority must contain
    the port but it may be omitted from the host header value for default
    ports (80 or 443). The matching was fixed to properly handle this case.

The following improvements were also backported:

  * Headers case adjustment in H1 is now available for TCP proxies. It was
    an issue for HTTP health-checks on backend side or for TCP connections
    upgraded to HTTP on frontend side.

  * The stats applet was reported paused frontends as OPEN. Now, these
    frontends are reported as PAUSED.

  * Encrypted password in Userlists are now supported on NetBSD

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Aurelien DARRAGON (4):
      BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
      MINOR: listener: small API change
      BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN'
      BUG/MINOR: log: improper behavior when escaping log data

Brad Smith (1):
      BUILD: makefile: enable crypt(3) for NetBSD

Christopher Faulet (25):
      MINOR: http: Add function to get port part of a host
      MINOR: http: Add function to detect default port
      BUG/MEDIUM: h1: Improve authority validation for CONNCET request
      MINOR: http-htx: Use new HTTP functions for the scheme based normalization
      MINOR: peers: Use a dedicated reconnect timeout when stopping the local 
      BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
      BUG/MINOR: peers: Use right channel flag to consider the peer as connected
      BUG/MEDIUM: dns: Properly initialize new DNS session
      MINOR: server: Constify source server to copy its settings
      REORG: server: Export srv_settings_cpy() function
      BUG/MEDIUM: proxy: Perform a custom copy for default server settings
      BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after 
      REGTESTS: Fix prometheus script to perform HTTP health-checks
      BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
      BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
      BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
      BUG/MEDIUM: peers: Don't start resync on reload if local peer is not 
      BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets
      BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule)
      REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
      BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support
      BUG/MINOR: h1: Support headers case adjustment for TCP proxies
      REGTESTS: healthcheckmail: Relax matching on the healthcheck log message
      REGTESTS: 4be_1srv_smtpchk_httpchk_layer47errors: Return valid SMTP 
      BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree

Emeric Brun (3):
      BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
      BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
      BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring.

Ilya Shipitsin (1):
      CI: cirrus-ci: bump FreeBSD image to 13-1

Mateusz Malek (1):
      BUG/MEDIUM: http-ana: fix crash or wrong header deletion by 

Mathias Weiersmueller (1):
      DOC: fix TOC in starter guide for subsection 3.3.8. Statistics

Matthias Wirth (1):
      BUG/MINOR: signals/poller: ensure wakeup from signals

William Lallemand (6):
      BUG/MEDIUM: mworker: use default maxconn in wait mode
      BUG/MINOR: resolvers: return the correct value in 
      DOC: configuration: do-resolve doesn't work with a port in the string
      BUG/MINOR: signals/poller: set the poller timeout to 0 when there are 
      REGTESTS: log: test the log-forward feature
      REGTESTS: ssl/log: test the log-forward with SSL

Willy Tarreau (20):
      MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups
      BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions
      BUG/MINOR: ring/cli: fix a race condition between the writer and the 
      BUG/MINOR: sink: fix a race condition between the writer and the reader
      BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h
      BUG/MEDIUM: poller: use fd_delete() to release the poller pipes
      BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq()
      BUILD: debug: silence warning on gcc-5
      BUG/MEDIUM: ring: fix too lax 'size' parser
      BUILD: http: silence an uninitialized warning affecting gcc-5
      BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
      BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of 
      BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools
      BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber
      BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber
      BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber
      BUG/MINOR: task: always reset a new tasklet's call date
      BUG/MEDIUM: captures: free() an error capture out of the proxy lock
      BUILD: fd: fix a build warning on the DWCAS
      SCRIPTS: announce-release: update some URLs to https

Christopher Faulet

Reply via email to