Hi,

HAProxy 2.5.11 was released on 2023/01/24. It added 65 new commits
after version 2.5.10.

As for the 2.6.8, this release includes the fix about the "set-uri" HTTP
action. This fix was delayed for the 2.5.10. It is now shipped with the
2.5.11. The behavior of this action is no longer the same. This action has
been bogus for a while and was not working as documented, and used to make
HTTP/1 and HTTP/2 produce different outputs. The URI is now sent to H1
server exactly as set by the action.

Otherwise, for other fixes, this release is pretty similar to the 2.6.8,
excluding QUIC/H2 fixes:

About the H2:
  * Interim responses that carry the end-of-stream flag are now rejected as
    invalid while they were handled as full responses. The consequences of
    this issue are uncertain in 2.4 and newer, but on 2.2 and older it could
    trigger a BUG_ON() condition and cause a panic.

About the H1:
  * Authority validation was improved to conform to RFC3986 for non-CONNECT
    methods. The validation was too strict and expected an exact match
    between the authority and the host header value. Default ports are now
    properly handled.

  * In addition, having an empty port in the authority for CONNECT requests
    is now considered as invalid and a 400-Bad-request is now returned. For
    other methods, empty ports in authority are considered as valid and are
    handled as default ports.

About the FCGI:
  * The path-info subexpression was not properly handled due to an inverted
    condition.

  * A major fix regarding uninitialized bytes in the FCGI mux was backported.
    It could have leaked sensitive data to the backends before the fix.

About listeners:
  * Multiple races were found and addressed related to closed FDs (mostly
    happening on reload, sometimes on resuming after an aborted reload)

About HTTP rules:
  * Make sure that the logged status matches the reported status even upon
    errors and also after http-after-response

  * There was a parsing error reported for responses carrying a websocket
    header when the status was not 101.

About the Master-Worker:
  * When trying to upgrade from a previous version with a reload instead of
    a restart, a bug in the master-worker was preventing the reload and was
    stopping the whole process.

About other fixes:
  * A buffer realignment bug introduced in 1.9 was fixed. It's
    uncertain whether it was possible to trigger it or not, but it could
    possibly have been responsible for some rare unexplained corruptions.

  * JWT ECDSA signatures were not properly handled; this is now fixed.
    However, another issue was just discovered after the release that may
    still randomly trigger errors.

  * The maxconn automatic computation was fixed, its output value was not
    correct anymore since the introduction of the httpclient SSL backend.

  * The haproxy_backend_agg_check_status metric for the Prometheus exporter
    was backported.

  * A scheduling issue in the resolvers was preventing the resolution during
    runtime.

  * A possible crash with the Lua HTTP-client during the cleanup stage was
    fixed.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.5/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : https://www.haproxy.org/download/2.5/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Aurelien DARRAGON (3):
      REGTEST: fix the race conditions in json_query.vtc
      REGTEST: fix the race conditions in digest.vtc
      REGTEST: fix the race conditions in hmac.vtc

Cedric Paillet (2):
      BUG/MINOR: promex: create haproxy_backend_agg_server_status
      MINOR: promex: introduce haproxy_backend_agg_check_status

Christopher Faulet (25):
      BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action
      BUG/MEDIIM: stconn: Flush output data before forwarding close to write side
      Revert "CI: switch to the "latest" LibreSSL"
      Revert "CI: enable QUIC for LibreSSL builds"
      Revert "CI: determine actual OpenSSL version dynamically"
      DOC: promex: Add missing backend metrics
      REGTESTS: fix the race conditions in iff.vtc
      BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
      BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
      BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
      BUG/MINOR: http-fetch: Only fill txn status during prefetch if not already set
      BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
      DOC: config: fix alphabetical ordering of http-after-response rules
      DOC: config: remove duplicated "http-response sc-set-gpt0" directive
      BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses
      BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the doc
      BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
      BUG/MINOR: promex: Don't forget to consume the request on error
      BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body
      BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
      MINOR: h1: Consider empty port as invalid in authority for CONNECT
      MINOR: http: Considere empty ports as valid default ports
      BUG/MINOR: h1: Replace authority validation to conform RFC3986
      REG-TESTS: http: Add more tests about authority/host matching
      BUG/MINOR: http-htx: Normalized absolute URIs with an empty port

Daniel Corbett (1):
      DOC: config: fix "Address formats" chapter syntax

Manu Nicolas (1):
      CLEANUP: htx: fix a typo in an error message of http_str_to_htx

Paul Barnetta (1):
      BUG/MINOR: mux-fcgi: Correctly set pathinfo

Remi Tricot-Le Breton (7):
      BUG/MEDIUM: ssl: Verify error codes can exceed 63
      BUG/MINOR: ssl: Fix potential overflow
      BUG/MINOR: ssl: Fix memory leak of find_chain in ssl_sock_load_cert_chain
      BUG/MINOR: http: Memory leak of http redirect rules' format string
      BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params)
      BUG/MINOR: ssl: Fix compilation with OpenSSL 1.0.2 (missing ECDSA_SIG_set0)
      BUG/MINOR: jwt: Wrong return value checked

William Lallemand (13):
      CI: github: change "ubuntu-latest" to "ubuntu-20.04"
      BUILD: peers: peers-t.h depends on stick-table-t.h
      MINOR: mworker: display an alert upon a wait-mode exit
      BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
      BUG/MEDIUM: httpclient/lua: double LIST_DELETE on end of lua task
      REGTESTS: startup: check maxconn computation
      BUG/MINOR: startup: don't use internal proxies to compute the maxconn
      CI: github: set ulimit -n to a greater value
      REGTESTS: startup: activate automatic_maxconn.vtc
      REGTESTS: startup: change the expected maxconn to 11000
      REGTESTS: startup: add alternatives values in automatic_maxconn.vtc
      REGTESTS: startup: disable automatic_maxconn.vtc
      DOC: management: add details on "Used" status

Willy Tarreau (10):
      BUILD: makefile: build the features list dynamically
      BUILD: makefile: sort the features list
      BUG/MINOR: stick-table: report the correct action name in error message
      BUG/MINOR: http-ana: make set-status also update txn->status
      BUG/MINOR: listeners: fix suspend/resume of inherited FDs
      DOC: config: fix wrong section number for "protocol prefixes"
      DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@"
      BUG/MINOR: listener: close tiny race between resume_listener() and stopping
      BUG/MINOR: mux-h2: add missing traces on failed headers decoding
      BUILD: hpack: include global.h for the trash that is needed in debug mode

Youfu Zhang (1):
      BUG/MAJOR: fcgi: Fix uninitialized reserved bytes

scientiamobile (1):
      LICENSE: wurfl: clarify the dummy library license.

--
Christopher Faulet
