HAProxy 2.0.31 was released on 2023/02/14. It added 24 new commits
after version 2.0.30.

The main reason for this release today is the availability of a fix for the
vulnerability explained in the other thread (CVE-2023-25725).

In addition, this version addresses the following issues:

  - a regression from a previous fix that caused some server-side
    connection not to expire if some unsent data are blocked in the
    request channel.

  - a 13-years old issue with the expiration of old entries in stick-
    tables that slows down eviction at every timer period rollover
    (49.7 days), making the table size and memory usage grow for a
    while until all of them were either refreshed or expired. I'm
    still puzzled that 3 users apparently noticed it at the same time
    around last rollover on Jan 30th.

  - a bug in the SSL cache eviction that affected WolfSSL was fixed, but
    it's unclear if it could affect other libs (openssl was apparently not
    due to fixed-size records)

  - SSL verify error codes above 63 were not properly handled. These
    codes changed around OpenSSL 1.1.1 and could exceed this previous
    limit, losing some information in error reporting.

  - a crash could happen in the H2 mux in 2.2 and earlier when dealing with
    an interim response with the end-of-stream flag set.

  - a bug in the buffer copy function on wrapping data could theoretically
    cause a crash, though we couldn't find instances that could provoke
    them. The code has been there for 5 years and this bug might possibly
    have caused some such issues but it's too difficult to say, so let's
    fix it anyway.

  - resolvers incorrectly check expiration dates, that make timeouts
    spuriously trigger depending on the position in a ~50-day period.

  - the "do_resolv" action did not always yield, waiting for a response,
    causing failed resolutions.

  - an early failure to start in mworker mode could report a crash if
    peers were enabled due to trying to cleanup some parts that were not
    completely initialized. It was harmless but particularly confusing for

  - the status in logs did not always reflect the one presented to a
    users (essentially after an http-after-response rule) but only the
    received one. This is finally fixed.

  - a warning will be emitted when a crt-list line is malformed.

  - minor doc fixes

The changes are intentionally limited so that all users of 2.0.30 and older
can update without taking risks.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : 
   Git repository   : 
   Git Web browsing : 
   Changelog        : 
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Aleksey Ponomaryov (1):
      BUG/MEDIUM: stick-table: do not leave entries in end of window during 

Aurelien DARRAGON (2):
      DOC: config: fix option spop-check proxy compatibility
      DOC: config: 'http-send-name-header' option may be used in default section

Christopher Faulet (7):
      BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task 
      BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
      BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in 
      BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is 
      BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
      BUG/MINOR: promex: Don't forget to consume the request on error
      BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in 

Remi Tricot-Le Breton (2):
      BUG/MEDIUM: ssl: Verify error codes can exceed 63
      BUG/MINOR: ssl: Fix potential overflow

William Lallemand (4):
      CI: github: change "ubuntu-latest" to "ubuntu-20.04"
      BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
      BUG/MEDIUM: ssl: wrong eviction from the session cache tree
      CI: github: don't warn on deprecated openssl functions on windows

Willy Tarreau (7):
      SCRIPTS: announce-release: add a link to the data plane API
      BUILD: makefile: build the features list dynamically
      BUILD: makefile: sort the features list
      BUG/MINOR: http-ana: make set-status also update txn->status
      BUG/MEDIUM: cache: use the correct time reference when comparing dates
      DOC: proxy-protocol: fix wrong byte in provided example
      BUG/CRITICAL: http: properly reject empty http header field names

scientiamobile (1):
      LICENSE: wurfl: clarify the dummy library license.


Reply via email to