HAProxy 2.7.2 was released on 2023/01/20. It added 91 new commits
after version 2.7.1.

Lots of small issues were fixed, a great part in QUIC, and a few stability
issues were addressed as well, some specific to 2.7 and others older.

* H3/QUIC:
  - a double-delete could happen in a list, causing memory corruption and
  - too much memory was allocated to listeners bound only to certain
    threads (one buffer per thread instead of one buffer per bound
    thread). Given that we're encouraging users to use "shards by-thread",
    this would cause N^2 buffers allocation for N threads, and taking half
    a gigabyte per listener for 48 threads.
  - the mapping between connection ID and threads was incorrect when
    shards were enabled, possibly resulting in an imbalance of the load.

  - the QUICv2 protocol version has been updated in the final version of
    the spec, so it was updated.

  - there is now a global "no-quic" option availble to globally disable
    QUIC listeners (they continue to be bound but do not process traffic),
    and a "quic_enabled" sample-fetch function that is convenient to
    condition Alt-Svc advertisement. The purpose is to make it easier to
    globally disable QUIC in a config without having to comment plenty of
    lines, should a serious problem happen in the future.

  - among a connection, the traffic distribution between streams was
    unfair, and the first streams used to be able to take as much of the
    window as they wanted, resulting in some streams progressing much
    slower than others. This was addressed.

  - H3 did not yet implement trailers support, which could possibly be
    annoying in some environments, this was now implemented.

  - small improvements such as detection of shutdown streams with empty
    response, handling of RESET_STREAM and emission of STOP_SENDING,
    ability to only abort streams on H3 errors, small fixes on flow
    control, reject forbidden headers, explicitly advertise that we don't
    perform active connection migration.

* H2:
  - a bug was introduced in 2.7, where responses of unknown lengths will
    cause a CANCEL to be emitted instead of an end-of-stream.

  - an interim response that carries the end-of-stream flag was not
    rejected as invalid. The consequences are uncertain in 2.4 and newer,
    but on 2.2 and older it could trigger a BUG_ON() condition and cause a

  - logs were not emitted for invalid requests that are blocked due to
    forbidden headers or syntaxes. That made it complicated to debug errors
    reported by clients. They will now be emitted, and traces will also
    reflect this.

* HTTP rules:
  - make sure that the logged status matches the reported status even upon
    errors and also after http-after-response

  - there was a small leak per request when using the "originalto" option,
    and another leak (per config entry) for "http-request redirect" lines.

  - there was a parsing error reported for responses carrying a websocket
    header when the status was not 101.

* listeners:
  - multiple races were found and addressed related to closed FDs (mostly
    happening on reload, sometimes on resuming after an aborted reload)

  - some assertions could be triggered at boot if using shards with inherited
    FDs ("bind fd@xxx").

* other:
  - a fix for a buffer realignment bug introduced in 1.9 was fixed. It's
    uncertain whether it was possible to trigger it or not, but it could
    possibly have been responsible for some rare unexplained corruptions.

  - JWT ECDSA signatures were not properly handled, this was now fixed.
    However, another issue was just discovered after the release that may
    still randomly trigger errors.

  - fcgi: the path-info subexpression was not properly handled due to an
    inverted condition.

  - config: the patch adding environment variables HAPROXY_TCP_LOG_FMT,
    default log format strings was backported because it simplifies some
    configurations by reducing the amount of copy-pasting.

  - debug: thread dumps woudln't show backtraces anymore, this was fixed.

  - sometimes there could be races between "show threads" and the delivery
    of the reload signal, causing an older process to spin at 100% forever.

  - bwlim: some checks were insufficient on the set-bandwidth-limit

  - pools: severe thread contention could be caused by false sharing of a
    same cache line between different CPUs due to usage counters and
    limits being very close in the structure. This was emphasized by QUIC
    which uses pools more often due to the usage of small packets, where
    just adding a cache-line alignment resulted in a 130% performance gain
    on a 48 threads machine.

  - makefile: minor build updates (sorting of enabled features,
    fix build of wolfSSL when SSL_INC is set, ...)

  - various CI, regtest, error messages, and doc updates

I hope that I didn't miss anything!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.7/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.7.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.7.git
   Changelog        : https://www.haproxy.org/download/2.7/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (17):
      BUG/MEDIUM: mux-quic: fix double delete from qcc.opening_list
      MEDIUM: mux-quic: implement shutw
      MINOR: mux-quic: do not count stream flow-control if already closed
      MINOR: mux-quic: handle RESET_STREAM reception
      MEDIUM: mux-quic: implement STOP_SENDING emission
      MINOR: h3: use stream error when needed instead of connection
      BUG/MINOR: mux-quic: ignore remote unidirectional stream close
      BUG/MINOR: mux-quic: fix transfer of empty HTTP response
      MINOR: mux-quic: add traces for flow-control limit reach
      MAJOR: mux-quic: rework stream sending priorization
      MEDIUM: h3: send SETTINGS before STREAM frames
      MINOR: mux-quic: use send-list for STOP_SENDING/RESET_STREAM emission
      MINOR: mux-quic: use send-list for immediate sending retry
      BUG/MINOR: h3: properly handle connection headers
      MINOR: h3: extend function for QUIC varint encoding
      MINOR: h3: implement TRAILERS encoding
      MINOR: h3: implement TRAILERS decoding

Aurelien DARRAGON (5):
      BUG/MINOR: proxy: free orgto_hdr_name in free_proxy()
      REGTEST: fix the race conditions in json_query.vtc
      REGTEST: fix the race conditions in add_item.vtc
      REGTEST: fix the race conditions in digest.vtc
      REGTEST: fix the race conditions in hmac.vtc

Christopher Faulet (15):
      BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
      BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in 
      BUG/MINOR: http-fetch: Only fill txn status during prefetch if not 
already set
      BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is 
      DOC: config: fix alphabetical ordering of http-after-response rules
      DOC: config: remove duplicated "http-response sc-set-gpt0" directive
      BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 
      BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the 
      BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
      BUG/MINOR: promex: Don't forget to consume the request on error
      BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request 
      BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in 
      BUG/MEDIUM: mux-h2: Don't send CANCEL on shutw when response length is 
      BUG/MINOR: bwlim: Check scope for period expr for set-bandwitdh-limit 
      BUG/MINOR: bwlim: Fix parameters check for set-bandwidth-limit actions

Daniel Corbett (1):
      DOC: config: fix "Address formats" chapter syntax

Frédéric Lécaille (5):
      MINOR: quic: Useless test about datagram destination addresses
      MINOR: quic: Disable the active connection migrations
      MINOR: quic: Add "no-quic" global option
      MINOR: sample: Add "quic_enabled" sample fetch
      MINOR: quic: Replace v2 draft definitions by those of the final 2 version

Ilya Shipitsin (1):
      CI: github: enable github api authentication for OpenSSL tags read

Manu Nicolas (1):
      CLEANUP: htx: fix a typo in an error message of http_str_to_htx

Mathias Weiersmueller (1):
      DOC: config: added optional rst-ttl argument to silent-drop in action 

Paul Barnetta (1):
      BUG/MINOR: mux-fcgi: Correctly set pathinfo

Remi Tricot-Le Breton (3):
      BUG/MINOR: http: Memory leak of http redirect rules' format string
      BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S 
      BUG/MINOR: ssl: Fix compilation with OpenSSL 1.0.2 (missing 

Sébastien Gross (1):
      MINOR: config: add environment variables for default log format

Tim Duesterhus (6):
      CI: Improve headline in matrix.py
      CI: Add in-memory cache for the latest OpenSSL/LibreSSL
      CI: Use proper `if` blocks instead of conditional expressions in matrix.py
      CI: Unify the `GITHUB_TOKEN` name across matrix.py and vtest.yml
      CI: Explicitly check environment variable against `None` in matrix.py
      CI: Reformat `matrix.py` using `black`

William Lallemand (5):
      REGTESTS: ssl: enable the ssl_reuse.vtc test for WolfSSL
      MINOR: httpclient: don't add body when istlen is empty
      CI: github: use the GITHUB_TOKEN instead of a manually generated token
      DOC: management: add details on "Used" status
      DOC: management: add details about @system-ca in "show ssl ca-file"

Willy Tarreau (29):
      OPTIM: pool: split the read_mostly from read_write parts in pool_head
      BUG/MEDIUM: quic: properly take shards into account on bind lines
      BUG/MINOR: quic: do not allocate more rxbufs than necessary
      BUILD: makefile: build the features list dynamically
      BUILD: makefile: sort the features list
      BUILD: makefile: clean the wolfssl include and lib generation rules
      BUILD: makefile: make sure to also ignore SSL_INC when using wolfssl
      BUG/MINOR: debug: don't mask the TH_FL_STUCK flag before dumping threads
      MINOR: cfgparse-ssl: avoid a possible crash on OOM in ssl_bind_parse_npn()
      BUG/MINOR: stick-table: report the correct action name in error message
      BUG/MINOR: fd: avoid bad tgid assertion in fd_delete() from deinit()
      DEV: tcploop: add minimal support for unix sockets
      BUG/MEDIUM: peers: make "show peers" more careful about partial 
      BUG/MINOR: http-ana: make set-status also update txn->status
      BUG/MINOR: listeners: fix suspend/resume of inherited FDs
      DOC: config: fix wrong section number for "protocol prefixes"
      DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@"
      DOC: config: mention the missing "quic4@" and "quic6@" in protocol 
      MINOR: listener: also support "quic+" as an address prefix
      CLEANUP: stconn: always use se_fl_set_error() to set the pending error
      BUG/MEDIUM: stconn: also consider SE_FL_EOI to switch to SE_FL_ERROR
      BUG/MINOR: listener: close tiny race between resume_listener() and 
      BUG/MEDIUM: fd/threads: fix again incorrect thread selection in wakeup 
      BUG/MINOR: thread: always reload threads_enabled in loops
      MINOR: threads: add a thread_harmless_end() version that doesn't wait
      BUG/MEDIUM: debug/thread: make the debug handler not wait for 
      BUG/MINOR: mux-h2: make sure to produce a log on invalid requests
      BUG/MINOR: mux-h2: add missing traces on failed headers decoding
      BUILD: hpack: include global.h for the trash that is needed in debug mode


Reply via email to