HAProxy 2.7.5 was released on 2023/03/17. It added 26 new commits
after version 2.7.4.

This version primarily focuses on fixes:
- Christopher fixed the issue mentioned last week affecting the CLI on UNIX
  sockets that was causing some connections not to close properly, so the
  workaround consisting in increasing "stats maxconn" is no longer needed.

- The security researchers team "CertiK Skyfall Team" found a possible
  crash in the QPACK decoder used by HTTP/3 due to an insufficiently
  checked index causing an out-of-bounds read.

- Some SSL-only errors could be reported at the connection level but that
  error prevented the mux H1 from consulting and flushing last data and
  the error, possibly causing loops involving mux-h1 until the stream
  times out and closes.

- A recent fix for the idle connections was insufficient and/or incorrect,
  because it could result in a connection removal being counted twice, and
  the number of idle conns either growing a lot, or underflowing. The effect
  could be an excess of idle connections to a server possibly preventing new
  connections from establishing.

- Upon reload, health checks were not properly stopped in pure backends,
  that was only done in listen sections because only proxies having
  listeners were stopped. This has been the case since 2.4 despite the
  doc, and resolvers experienced the same since 2.6.

- It could happen that in HTTP/1 the 408-Request-timeout wasn't delivered
  to the client because the timeout was promoted to error, preventing any
  future write from being done.

- Aurélien found that fc_dst_port() and fc_dst_is_local() could
  occasionally fail because a condition was placed on the ability to
  retrieve the source instead of the destination, so if the destination
  had already been retrieved it would work otherwise not.

- Fred addressed a few possible QUIC crashes related to invalid stream frame
  lengths triggering assertions.

- The H2 mux supports chaining multiple buffers at the connection level in
  order to store the data from many streams. However if a connection is
  severely congested, we could go back to the initial single-buffer situation
  where releasing a few kB of data would cause all waiting streams to be
  woken up, with only one of them succeeding in sending something. The
  symptoms are a lower H2 bit rate, a high CPU usage, an important presence
  of sc_conn_io_cb() in the run queue in "show tasks" (typically 90% of
  places) and 5-20 times more calls to sc_conn_io_cb() from
  h2_resume_each_sending_h2s() than other ones in "show profiling tasks".
  The correct way of proceeding consists in only restarting streams once
  the ring of connection buffers goes down to a single buffer. This also
  reduces memory usage under congestion.

- The recent fix for multiple "bind fd@0" that could crash on start was
  finally backported.

- The H2 mux was always sending its data using short SSL records, which
  explains why the performance was not as good as with HTTP/1. The reason
  is that the dynamic SSL records predates the muxes, and that the
  mechanism involved to use them was moved to the mux-H1 during the
  transition, without the mux-H2 being aware that there was something to
  be done. Now we continue to use small records when sending single
  buffers, but we use large records when sending more than one record,
  indicating large objects are being downloaded in parallel or that the
  link is congested.

- The H2 mux could sometimes crash when detaching a stream on a congested
  connection with no client timeout.

- Some rare bind errors on UNIX sockets were not correctly reported on

And there were a few tiny improvements as well:
  - the support for constant limits in the bandwidth limiter was backported
    as planned 2 months ago

  - the H2 traces can now dump H2 headers (useful for debugging)

  - a few more fields are printed in "show fd"

  - a suboptimal recv() sequence in the HTTP/1 mux resulted in a short
    16-byte recv() call for objects larger than bufsize-maxrewrite. This
    was addressed.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.7/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.7.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.7.git
   Changelog        : https://www.haproxy.org/download/2.7/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Aurelien DARRAGON (4):
      BUG/MINOR: tcp_sample: fix a bug in fc_dst_port and fc_dst_is_local 
sample fetches
      BUG/MINOR: proto_ux: report correct error when bind_listener fails
      BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all()
      BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp()

Christopher Faulet (11):
      BUG/MEDIUM: mux-pt: Set EOS on error on sending path if read0 was received
      BUG/MINOR: mux-h1: Don't report an H1C error on client timeout
      BUG/MEDIUM: proxy: properly stop backends on soft-stop
      BUG/MEDIUM: resolvers: Properly stop server resolutions on soft-stop
      DEBUG: cli/show_fd: Display connection error code
      DEBUG: ssl-sock/show_fd: Display SSL error code
      BUG/MEDIUM: mux-h1: Don't block SE_FL_ERROR if EOS is not reported on H1C
      BUG/MEDIUM: connection: Preserve flags when a conn is removed from an 
idle list
      MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit 
      BUG/MINOR: mux-h2: Fix possible null pointer deref on h2c in 
      BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend

Frédéric Lécaille (2):
      BUG/MINOR: quic: Missing STREAM frame length updates
      BUG/MINOR: quic: Missing STREAM frame data pointer updates

Willy Tarreau (9):
      BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it
      MINOR: buffer: add br_single() to check if a buffer ring has more than 
one buf
      BUG/MEDIUM: mux-h2: only restart sending when mux buffer is decongested
      BUG/MINOR: mux-h2: set CO_SFL_STREAMER when sending lots of data
      BUG/MEDIUM: listener: duplicate inherited FDs if needed
      MINOR: h2: add h2_phdr_to_ist() to make ISTs from pseudo headers
      MEDIUM: mux-h2/trace: add tracing support for headers
      BUG/MAJOR: qpack: fix possible read out of bounds in static table
      OPTIM: mux-h1: limit first read size to avoid wrapping


Reply via email to