Hi,

HAProxy 2.8-dev4 was released on 2023/02/14. It added 41 new commits after version 2.8-dev3.

The main reason for this release today is the availability of a fix for the vulnerability explained in the other thread (CVE-2023-25725). In addition, this version addresses a risk of crashes in QUIC when "option nolinger" is present, brings a new "show quic" CLI command to list QUIC connections, fixes a 13-year old bug in the stick-table expiration algorithm that could leave some entries at the end making the tables (and memory) grow for a while every ~50 days, addresses a few wakeup issues at the stream layer, fixes some uptime reporting inaccuracies, and fixes a bug where hot-adding a server via the CLI could result in it not taking traffic if its "maxconn" value was set and not the "minconn" one.

The changes are intentionally limited so that all users of 2.8-dev3 and older can update without taking risks.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/20230214-cve-2023-25725/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/20230214-cve-2023-25725/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Aleksey Ponomaryov (1):
      BUG/MEDIUM: stick-table: do not leave entries in end of window during purge

Amaury Denoyelle (9):
      MINOR: quic: implement a basic "show quic" CLI handler
      MINOR: quic: display CIDs and state in "show quic"
      MINOR: quic: display socket info on "show quic"
      MINOR: quic: display infos about various encryption level on "show quic"
      MINOR: quic: display Tx stream info on "show quic"
      MINOR: quic: filter closing conn on "show quic"
      BUG/MINOR: quic: fix filtering of closing connections on "show quic"
      BUG/MINOR: quic: fix type bug on "show quic" for 32-bits arch
      BUG/MINOR: mworker: fix uptime for master process

Aurelien DARRAGON (7):
      BUG/MINOR: stats: fix source buffer size for http dump
      BUG/MEDIUM: stats: fix resolvers dump
      BUG/MINOR: stats: fix ctx->field update in stats_dump_proxy_to_buffer()
      BUG/MINOR: stats: fix show stats field ctx for servers
      BUG/MINOR: stats: fix STAT_STARTED behavior with full htx
      MINOR: cfgparse/server: move (min/max)conn postparsing logic into dedicated function
      BUG/MINOR: server/add: ensure minconn/maxconn consistency when adding server

Christopher Faulet (8):
      BUG/MEDIUM: stconn: Schedule a shutw on shutr if data must be sent first
      BUG/MEDIUM: stconn: Don't needlessly wake the stream on send during fast-forward
      BUG/MEDIUM: stconn: stop to enable/disable reads from streams via si_update_rx
      MINOR: ssl-ckch: Stop to test CF_WRITE_ERROR to commit CA/CRL file
      MINOR: bwlim: Remove useless test on CF_READ_ERROR to detect the last packet
      BUG/MINOR: http-ana: Fix condition to set LAST termination flag
      BUG/MINOR: mux-h1: Don't report an H1C error on client timeout
      BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend

Frédéric Lécaille (4):
      MINOR: quic: Update version_information transport parameter to draft-14
      BUG/MINOR: stats: Prevent HTTP "other sessions" counter underflows
      BUG/MEDIUM: quic: Buffer overflow when looking through QUIC CLI keyword list
      BUG/MINOR: quic: Wrong datagram dispatch because of qc_check_dcid()

William Lallemand (3):
      BUG/MINOR: ssl/crt-list: warn when a line is malformated
      BUILD: ssl/ocsp: ssl_ocsp-t.h depends on ssl_sock-t.h
      MINOR: ssl/ocsp: add a function to check the OCSP update configuration

Willy Tarreau (9):
      BUG/MEDIUM: thread: fix extraneous shift in the thread_set parser
      BUG/MEDIUM: listener/thread: bypass shards setting on failed thread resolution
      BUG/MINOR: clock: do not mix wall-clock and monotonic time in uptime calculation
      BUG/MEDIUM: cache: use the correct time reference when comparing dates
      MEDIUM: clock: force internal time to wrap early after boot
      BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend
      BUG/MINOR: clock/stats: also use start_time not start_date in HTML info
      DOC: proxy-protocol: fix wrong byte in provided example
      BUG/CRITICAL: http: properly reject empty http header field names

---