Hi,

HAProxy 2.4.20 was released on 2022/12/09. It added 66 new commits
after version 2.4.19.

All fixes shipped in this release were already described in the 2.5.10
announcement. Just note that there is still a pending fix for the
"set-uri" action, not included in this release. It will only be shipped with
2.4.21. The "set-uri" action has been bogus for a while and was not
working as documented, and used to make HTTP/1 and HTTP/2 produce different
outputs. The reason for being careful is that during 2.5 there was once an
issue with "set-uri" and we proposed, as an emergency work-around for those
not having the time to upgrade, to use "set-uri %[url]", and this very
specific one will behave differently by sending absolute URIs just as
documented (some users are currently annoyed by the bogus behavior in 2.6,
so we'll have to fix it).

As such, while updating to 2.4.20, take this opportunity to have a look at
your config to see if you have an old line like:

   http-request set-uri %[url]

If so, just comment it out, it will not change anything, and will make sure
that 2.4.21 doesn't cause any change.

Otherwise, here is the list of fixes, cut-pasted from the 2.5.10 announce:

 * A major issue on stick-tables was fixed about a possible crash if server
   name indexing is used to perform stickiness when the server is an applet.
   This is typically what happens when a "stick-store" rule is present in a
   backend featuring a "stats" directive. And at the end, to fix the bug,
   such rules must simply be ignored when the server is an applet.

 * A race condition on some global tasks was fixed. The stick-table
   expiration task and the listeners management task were concerned. These
   tasks may run on any thread. Both set their expiration date to
   TICK_ETERNITY. On the other hand, these tasks may be queued or scheduled
   from anywhere. The race was when both happened at the same time. Indeed,
   it is forbidden to queue a task with no expiration date. To prevent any
   issue, a locking mechanism is now used.

 * The HTTP compression filter was fixed to properly handle rewrite errors.
   Indeed, on rewrite error, the compression is not performed. But in this
   case, we must be sure to remove the "Content-Encoding" header.

 * The FCGI multiplexer was fixed to avoid overflow on the data length
   copied into a buffer when STDIN record is built. This could happen when
   the buffer was almost full and lead to a crash.

 * A crash during ring section parsing was fixed. If a "ring" section
   initialization failed (e.g. due to a duplicate name, invalid chars, or
   missing memory), any subsequent "server" statement found in the same
   section crashed the config parser by dereferencing the currently NULL
   cfg_sink.

 * In peers, messages about unknown tables were not properly ignored. Those
   messages are now silently ignored and the upper layer continues the
   processing as it is done for any valid messages.

 * An issue during the argument parsing when sample fetches or converters
   are called from lua was fixed to avoid crashes on failure and to properly
   handle implicit stick-table.

 * The pgsql healthcheck was updated to support new authentication methods.
   Now AUTH_REQ_GSS, AUTH_REQ_GSS and AUTH_REQ_SASL are supported.

 * On connection retry, the turn-around, which adds a 1-second pause before
   the connection retry, is now enforced only when no redispatch is performed.

 * A memory leak was fixed when some TXN variables were defined from a
   tcp-request ruleset for an HTTP session. Indeed, in this case, these
   variables were lost because of an extra list initialization during the
   HTTP transaction creation.

 * The smtpchk healthcheck now gracefully closes the SMTP transaction by
   sending a QUIT message.

 * Error handling during http replies parsing was fixed to prevent any crash
   during arguments parsing while a log-format body was expected but not
   evaluated yet.

 * And finally, to finish this boring list, the usual fixes here and there,
   documentation and build improvements.

Thanks everyone for your help and your contributions.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Aurelien DARRAGON (6):
      DOC: configuration: missing 'if' in tcp-request content example
      BUG/MINOR: log: fixing bug in tcp syslog_io_handler Octet-Counting
      BUG/MEDIUM: wdt/clock: properly handle early task hangs
      BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
      BUG/MINOR: cfgparse-listen: fix ebpt_next_dup pointer dereference on proxy "from" inheritance
      BUG/MINOR: log: fix parse_log_message rfc5424 size check

Christopher Faulet (25):
      DOC: config: Fix pgsql-check documentation to make user param mandatory
      BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
      BUG/MINOR: mux-h1: Account consumed output data on synchronous connection error
      MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands
      BUG/MINOR: log: Preserve message facility when the log target is a ring buffer
      BUG/MINOR: ring: Properly parse connect timeout
      BUG/MEDIUM: compression: handle rewrite errors when updating response headers
      BUG/MINOR: sink: Only use backend capability for the sink proxies
      BUG/MINOR: sink: Set default connect/server timeout for implicit ring buffers
      BUG/MINOR: stick-table: Use server_id instead of std_t_sint in process_store_rules()
      BUG/MAJOR: stick-table: don't process store-response rules for applets
      BUG/MINOR: http-htx: Fix error handling during parsing http replies
      BUG/MINOR: resolvers: Set port before IP address when processing SRV records
      BUG/MINOR: mux-fcgi: Be sure to send empty STDING record in case of zero-copy
      BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once
      REG-TESTS: cache: Remove T-E header for 304-Not-Modified responses
      BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
      BUILD: peers: Remove unused variables
      BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action
      BUILD: http-htx: Silent build error about a possible NULL start-line
      BUG/MINOR: mux-h1: Fix handling of 408-Request-Time-Out
      Revert "BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action"
      Revert "CI: switch to the "latest" LibreSSL"
      Revert "CI: determine actual OpenSSL version dynamically"

Emeric Brun (1):
      BUG/MEDIUM: peers: messages about unkown tables not correctly ignored

Fatih Acar (1):
      BUG/MINOR: checks: update pgsql regex on auth packet

Ilya Shipitsin (4):
      CI: SSL: use proper version generating when "latest" semantic is used
      CI: SSL: temporarily stick to LibreSSL=3.5.3
      CI: add monthly gcc cross compile jobs
      CI: switch to the "latest" LibreSSL

Mickael Torres (1):
      BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers

Olivier Houchard (2):
      BUG/MEDIUM: lua: Don't crash in hlua_lua2arg_check on failure
      BUG/MEDIUM: lua: handle stick table implicit arguments right.

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading issuer
      BUG/MINOR: ssl: ocsp structure not freed properly in case of error

Tim Duesterhus (2):
      CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
      CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition

William Lallemand (2):
      DOC: management: add forgotten "show startup-logs"
      BUG/MINOR: ssl: don't initialize the keylog callback when not required

Willy Tarreau (19):
      BUILD: h1: silence an initiialized warning with gcc-4.7 and -Os
      BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
      BUG/MINOR: backend: only enforce turn-around state when not redispatching
      BUG/MAJOR: stick-tables: do not try to index a server name for applets
      BUG/MINOR: server: make sure "show servers state" hides private bits
      BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
      CI: emit the compiler's version in the build reports
      DOC: config: fix alphabetical ordering of global section
      BUG/MEDIUM: ring: fix creation of server in uninitialized ring
      BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes
      BUG/MINOR: server/idle: at least use atomic stores when updating max_used_conns
      BUILD: listener: fix build warning on global_listener_rwlock without threads
      DOC: config: provide some configuration hints for "http-reuse"
      DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
      DOC: config: mention that a single monitor-uri rule is supported
      DOC: config: explain how default matching method for ACL works
      DOC: config: clarify the fact that "retries" is not just for connections
      DOC: config: clarify the -m dir and -m dom pattern matching methods
      SCRIPTS: announce-release: add a link to the data plane API

wrightlaw (1):
      BUG/MINOR: smtpchk: SMTP Service check should gracefully close SMTP transaction
--
Christopher Faulet
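
The configuration check recommended above for "http-request set-uri %[url]", written as a shell function. This is an added example, not part of the original announcement or of HAProxy itself; the function names and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report active "http-request set-uri %[url]" rules in HAProxy
# configuration files so they can be commented out before moving to 2.4.21.

# Prints file:line:text for each match; returns 0 if any was found, 1 if none.
find_seturi_url() {
    awk -v sq="'" '
        {
            arg = $3
            gsub(/"/, "", arg)   # accept the double-quoted form "%[url]"
            gsub(sq, "", arg)    # accept the single-quoted form
        }
        # Field splitting ignores indentation. A commented-out rule has a
        # first field starting with "#", so it never matches. Rules with a
        # trailing condition (if/unless) still match on the first 3 fields.
        $1 == "http-request" && $2 == "set-uri" && arg == "%[url]" {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample configuration (not taken from the announcement).
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend fe_main
    bind :8080
    http-request set-uri %[url]
    # http-request set-uri %[url]
    http-request set-uri /maintenance if { path_beg /old }
    default_backend be_app

backend be_app
    http-request   set-uri   "%[url]" if { always_true }
    server s1 127.0.0.1:8081
EOF
}

# Run against the files given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_seturi_url "$@"
fi
```

On the constructed sample, the function reports lines 3 and 9 and skips both the commented-out rule and the unrelated "set-uri /maintenance" rule.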
