Hi,
HAProxy 2.0.31 was released on 2023/02/14. It added 24 new commits
after version 2.0.30.
The main reason for this release today is the availability of a fix for the
vulnerability explained in the other thread (CVE-2023-25725).
In addition, this version addresses the following issues:
- a regression from a previous fix that caused some server-side
connections not to expire if unsent data was blocked in the
request channel.
- a 13-year-old issue with the expiration of old entries in
stick-tables that slowed down eviction at every timer period rollover
(49.7 days), making the table size and memory usage grow for a
while until all of them were either refreshed or expired. I'm
still puzzled that 3 users apparently noticed it at the same time
around the last rollover on Jan 30th.
- a bug in the SSL cache eviction that affected WolfSSL was fixed, but
it's unclear whether it could affect other libs (OpenSSL apparently was
not, due to its fixed-size records)
- SSL verify error codes above 63 were not properly handled. These
codes changed around OpenSSL 1.1.1 and could exceed this previous
limit, losing some information in error reporting.
- a crash could happen in the H2 mux in 2.2 and earlier when dealing with
an interim response with the end-of-stream flag set.
- a bug in the buffer copy function on wrapping data could theoretically
cause a crash, though we couldn't find instances that could provoke
it. The code has been there for 5 years and this bug might possibly
have caused some such issues, but it's too difficult to say, so let's
fix it anyway.
- resolvers incorrectly checked expiration dates, which made timeouts
spuriously trigger depending on the position in a ~50-day period.
- the "do_resolv" action did not always yield while waiting for a
response, causing failed resolutions.
- an early failure to start in mworker mode could report a crash if
peers were enabled, due to trying to clean up some parts that were not
completely initialized. It was harmless but particularly confusing for
users.
- the status in logs did not always reflect the one presented to
users (essentially after an http-after-response rule) but only the
received one. This is finally fixed.
- a warning will be emitted when a crt-list line is malformed.
- minor doc fixes
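Two of the items above (stick-table eviction, resolver timeouts) are the same failure class: a 32-bit millisecond timer wraps every 2^32 ms, about 49.7 days, and a deadline comparison that treats the counters as plain magnitudes misjudges everything stamped on the other side of the wrap. The following C program is an added illustration written for this announcement; it is not HAProxy's tick.h and the table contents are constructed. It contrasts a naive comparison with a wrap-aware one (signed difference) on entries stamped just before a rollover.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the failure class, not HAProxy's tick.h:
 * timers are 32-bit millisecond counters that wrap every 2^32 ms. */
#define MS_PER_DAY (24.0 * 60.0 * 60.0 * 1000.0)

/* Length of one timer period in days: 2^32 ms / ms per day, about 49.71. */
double timer_period_days(void)
{
    return 4294967296.0 / MS_PER_DAY;
}

/* Naive check: compares the counters as plain magnitudes. In the first
 * moments after a rollover "now" is small again, so every deadline stamped
 * before the wrap looks like it lies far in the future and is never purged. */
bool naive_is_expired(uint32_t expire, uint32_t now)
{
    return expire <= now;
}

/* Wrap-aware check: the signed 32-bit difference is <= 0 exactly when the
 * deadline is at or behind "now", wherever in the period either value sits,
 * as long as the two are less than 2^31 ms apart. (The cast relies on
 * two's-complement representation, which every current platform uses.) */
bool wrap_is_expired(uint32_t expire, uint32_t now)
{
    return (int32_t)(expire - now) <= 0;
}

/* Count how many entries a purge pass would evict at "now". */
size_t purge_count(bool (*is_expired)(uint32_t, uint32_t),
                   const uint32_t *expires, size_t n, uint32_t now)
{
    size_t evicted = 0;
    for (size_t i = 0; i < n; i++)
        if (is_expired(expires[i], now))
            evicted++;
    return evicted;
}

/* Constructed table: two entries stamped just before the rollover and one
 * well after it; "now" is one second into the new period. */
static const uint32_t demo_expires[] = { 0xFFFFFF00u, 0xFFFFFFF0u, 5000u };
#define DEMO_N   (sizeof(demo_expires) / sizeof(demo_expires[0]))
#define DEMO_NOW 1000u

size_t demo_evictions(bool (*is_expired)(uint32_t, uint32_t))
{
    return purge_count(is_expired, demo_expires, DEMO_N, DEMO_NOW);
}

int main(void)
{
    printf("timer period: %.2f days\n", timer_period_days());
    printf("naive purge evicts %zu of %zu entries\n",
           demo_evictions(naive_is_expired), (size_t)DEMO_N);
    printf("wrap-aware purge evicts %zu of %zu entries\n",
           demo_evictions(wrap_is_expired), (size_t)DEMO_N);
    return 0;
}
```

The naive pass evicts nothing at that instant: the two overdue entries stay in the table until they are refreshed or "now" catches up with their old stamps, which is the growth-for-a-while behaviour described above. The wrap-aware pass evicts exactly the two overdue entries and leaves the live one alone.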
The changes are intentionally limited so that all users of 2.0.30 and older
can update without taking risks.
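The SSL verify error item above is a bounded-representation problem: a single 64-bit word can record codes 0..63 only, and anything larger either triggers undefined behaviour on the shift or aliases onto a low bit, which is how information gets lost in error reporting. The C program below is an added illustration written for this announcement, not HAProxy's or OpenSSL's code; the range bound MAX_CODE and the sample code values are constructed. It shows the narrow single-word set aliasing code 70 onto bit 6 next to a multi-word set that keeps the codes distinct and refuses out-of-range ones explicitly.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not HAProxy's or OpenSSL's code. Error codes are
 * recorded as set bits; the only fact relied on is that a 64-bit word has
 * bit positions 0..63. */

/* Single-word set: only codes 0..63 fit. Shifting by 64 or more is undefined
 * behaviour in C; common CPUs reduce the shift count modulo 64, so this model
 * applies that reduction explicitly to show the aliasing without UB. */
typedef struct { uint64_t bits; } narrow_set;

void narrow_add(narrow_set *s, unsigned code)
{
    s->bits |= 1ULL << (code & 63);   /* code 70 silently lands on bit 6 */
}

bool narrow_has(const narrow_set *s, unsigned code)
{
    return (s->bits >> (code & 63)) & 1ULL;
}

/* Multi-word set sized for MAX_CODE (constructed bound); codes beyond it are
 * reported as rejected rather than being folded onto another bit. */
#define MAX_CODE 255
#define WORDS    ((MAX_CODE / 64) + 1)
typedef struct { uint64_t words[WORDS]; } wide_set;

bool wide_add(wide_set *s, unsigned code)
{
    if (code > MAX_CODE)
        return false;
    s->words[code / 64] |= 1ULL << (code % 64);
    return true;
}

bool wide_has(const wide_set *s, unsigned code)
{
    if (code > MAX_CODE)
        return false;
    return (s->words[code / 64] >> (code % 64)) & 1ULL;
}

/* Record constructed code 70 in the narrow set; returns true if code 6,
 * which was never recorded, now appears to be present (aliasing). */
bool demo_narrow_aliases_70_to_6(void)
{
    narrow_set n = { 0 };
    narrow_add(&n, 70);
    return narrow_has(&n, 6);
}

/* Same code in the wide set: 70 is present, 6 is not. */
bool demo_wide_keeps_70_distinct(void)
{
    wide_set w;
    memset(&w, 0, sizeof(w));
    wide_add(&w, 70);
    return wide_has(&w, 70) && !wide_has(&w, 6);
}

/* A code above the bound is refused instead of being silently lost. */
bool demo_wide_rejects_out_of_range(void)
{
    wide_set w;
    memset(&w, 0, sizeof(w));
    return !wide_add(&w, 300) && !wide_has(&w, 300);
}

int main(void)
{
    printf("narrow set: code 70 reported as code 6? %s\n",
           demo_narrow_aliases_70_to_6() ? "yes" : "no");
    printf("wide set keeps 70 distinct from 6? %s\n",
           demo_wide_keeps_70_distinct() ? "yes" : "no");
    printf("wide set rejects code 300? %s\n",
           demo_wide_rejects_out_of_range() ? "yes" : "no");
    return 0;
}
```

The point for anyone maintaining similar code is the explicit range check: a set that cannot hold a value must say so rather than report a different error than the one that occurred.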
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources :
https://www.haproxy.org/download/20230214-cve-2023-25725/src/
Git repository :
https://git.haproxy.org/git/haproxy-20230214-cve-2023-25725.git/
Git Web browsing :
https://git.haproxy.org/?p=haproxy-20230214-cve-2023-25725.git
Changelog :
https://www.haproxy.org/download/20230214-cve-2023-25725/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Aleksey Ponomaryov (1):
BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
Aurelien DARRAGON (2):
DOC: config: fix option spop-check proxy compatibility
DOC: config: 'http-send-name-header' option may be used in default section
Christopher Faulet (7):
BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
BUG/MINOR: promex: Don't forget to consume the request on error
BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
Remi Tricot-Le Breton (2):
BUG/MEDIUM: ssl: Verify error codes can exceed 63
BUG/MINOR: ssl: Fix potential overflow
William Lallemand (4):
CI: github: change "ubuntu-latest" to "ubuntu-20.04"
BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
BUG/MEDIUM: ssl: wrong eviction from the session cache tree
CI: github: don't warn on deprecated openssl functions on windows
Willy Tarreau (7):
SCRIPTS: announce-release: add a link to the data plane API
BUILD: makefile: build the features list dynamically
BUILD: makefile: sort the features list
BUG/MINOR: http-ana: make set-status also update txn->status
BUG/MEDIUM: cache: use the correct time reference when comparing dates
DOC: proxy-protocol: fix wrong byte in provided example
BUG/CRITICAL: http: properly reject empty http header field names
scientiamobile (1):
LICENSE: wurfl: clarify the dummy library license.
---