Hi,

HAProxy 2.8.5 was released on 2023/12/07. It added 44 new commits after version 2.8.4.

This release is quite small. It mainly flushes the pipe to be able to make clean releases on lower versions. However, it still comes with some fixes.

A QUIC incompatibility with L4 tcp-rules was fixed. QUIC connections are redispatched on threads after the handshake completion. The migration is performed in two steps. However, an L4 rule such as "tcp-request connection reject", which closes the connection early, was interrupting the migration in the middle. If a datagram was received before the connection was released, this crashed the process because of a BUG_ON(). We now take care to finish the thread migration of QUIC connections before L4 tcp-rules evaluation.

It was also possible to experience a crash on QUIC connections waiting to be killed if some retransmissions were still to be processed. Now, these retransmits are cancelled for such connections. A crash during retransmissions under heavy load, reported by libasan, was fixed. The CONNECTION_CLOSE_APP encoding was fixed; however, this bug was harmless for 2.8 and lower. Some leaks under heavy load were also fixed.

On the H3 side, the trailers encoding was fixed. It was never working as intended: every HTTP/3 request with trailers was reported as an error with the 'CL--' termination state in logs. In addition, PUSH_PROMISE frames are now always rejected. The RFC states that PUSH_PROMISE is never sent by a client, so it can be rejected in any case until HTTP/3 is implemented on the backend side.

For 2.8.4, I announced a fix about the master CLI when several thread-groups were configured. The bug was only partially fixed: only the worker socket was pinned on the first thread of the first group. I missed doing the same with the master CLI itself. It is now fixed. Note it is only a temporary fix. This works, but William found there is in fact an issue with the socketpairs when several thread-groups are configured.

The takeover mechanism, used by the H1, H2 and FCGI multiplexers to allow thread migration of idle connections on the server side, was fixed. In case of a memory allocation failure, the connection was released synchronously, which was unexpected. Now, allocations are performed first; thus, on error, the migration is just cancelled and the connection remains untouched.

A bug in the peer applet was fixed. It was possible to fall into a spinning loop on partial message decoding when a connection was aborted by the peer. Most of the time, it was properly detected, except when the multi-byte integer indicating the message length was incomplete.

An issue with the cache was fixed. When a stream was interrupted by the client before the response was fully stored in the cache, we ended up with an incomplete entry in the cache until it "naturally" expired. These incomplete entries are now properly removed from the cache.

Some bugs were fixed on OCSP: a double free on the OCSP CID, and an issue with the OCSP response after an SSL certificate modification from the CLI or a Lua script.

Possible crashes with HTTP compression were fixed. Two cases were not properly handled: a frontend with compression configured but not on the backend, and compression configured but without any algorithm.

The "word" converter was fixed to properly work with the "-m found" operator. The configuration parser was fixed to properly handle lines with unmatched environment variables instead of stopping the line parsing. A memory leak was fixed when parsing a "default-server" directive in defaults sections. Finally, proxy initialization was fixed to also initialize all default settings. It is especially useful to prevent crashes for internal proxies, such as sinks and log forwarders.

Thanks everyone for your help and your contributions!
Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Amaury Denoyelle (5):
      BUG/MAJOR: quic: complete thread migration before tcp-rules
      BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
      BUG/MINOR: h3: fix TRAILERS encoding
      BUG/MINOR: h3: always reject PUSH_PROMISE
      BUG/MINOR: quic_tp: fix preferred_address decoding

Aurelien DARRAGON (11):
      MINOR: stktable: add stktable_deinit function
      BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
      DOC: config: fix timeout check inheritance restrictions
      REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
      DOC: lua: add sticktable class reference from Proxy.stktable
      DOC: lua: fix Proxy.get_mode() output
      BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()
      BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
      DOC: config: specify supported sections for "max-session-srv-conns"
      DOC: config: add matrix entry for "max-session-srv-conns"
      DOC: config: fix monitor-fail typo

Christopher Faulet (2):
      BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
      BUG/MEDIUM: peers: fix partial message decoding

Eugene Dorfman (1):
      DOC: 51d: updated 51Degrees repo URL for v3.2.10

Frédéric Lécaille (11):
      BUG/MEDIUM: quic: Possible crash for connections to be killed
      BUG/MINOR: quic: Possible RX packet memory leak under heavy load
      BUG/MINOR: config: Stopped parsing upon unmatched environment variables
      BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
      BUG/MINOR: quic: Possible leak of TX packets under heavy load
      BUG/MINOR: quic: Missing QUIC connection path member initialization
      BUG/MINOR: quic: Packet number spaces too lately initialized
      BUG/MINOR: ssl: Double free of OCSP Certificate ID
      MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
      BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
      BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)

Remi Tricot-Le Breton (1):
      BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed

Tim Duesterhus (3):
      REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
      BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
      DOC: Clarify the differences between field() and word()

William Lallemand (1):
      BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly

Willy Tarreau (9):
      BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
      BUG/MINOR: stream/cli: report correct stream age in "show sess"
      REGTESTS: http: add a test to validate chunked responses delivery
      BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
      BUG/MINOR: server: do not leak default-server in defaults sections
      DOC: config: fix missing characters in set-spoe-group action
      BUG/MEDIUM: proxy: always initialize the default settings after init

--
Christopher Faulet
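Two checks an operator could run after reading the notes above, as an added example that is not part of this announcement or of the HAProxy code base: it pulls the version out of the `haproxy -v` banner and compares it with 2.8.5, and it scans a configuration for frontend or listen sections that combine a quic4@/quic6@ bind with a "tcp-request connection" rule, the combination behind the BUG/MAJOR fix. The banner layout, the sample configuration, the HAPROXY_CFG variable and the choice to flag every "tcp-request connection" rule rather than only "reject" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the announcement or of the HAProxy project.
#   1. parse the version from the `haproxy -v` banner and compare it
#      against the release carrying the fixes (2.8.5);
#   2. scan a configuration for frontend/listen sections that bind QUIC
#      and also carry a "tcp-request connection" rule. Flagging every
#      "tcp-request connection" rule (not only "reject") is an assumption
#      on the conservative side; the notes name "reject" as the example.

FIXED_VERSION="2.8.5"

# Pull "X.Y.Z" out of a banner such as (format assumed):
#   HAProxy version 2.8.5-aaba8d0 2023/12/07 - https://haproxy.org/
# Older trees print "HA-Proxy version ..."; both spellings are accepted.
haproxy_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^HA-\{0,1\}Proxy version \([0-9][0-9.]*\).*$/\1/p' \
        | head -n 1
}

# Compare two dotted numeric versions; succeeds when $1 >= $2.
# Only meaningful inside one branch (2.8.x against 2.8.y).
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        # Trailing dots guarantee that every field exists (empty => 0).
        x=$(printf '%s\n' "$1...." | cut -d. -f"$i")
        y=$(printf '%s\n' "$2...." | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Read an haproxy.cfg on stdin and print "frontend NAME" / "listen NAME"
# for every section that has both a quic4@/quic6@ bind and a
# "tcp-request connection" rule. Rules in other section types are ignored.
quic_with_l4_rules() {
    awk '
        function flush() {
            if (sect != "" && quic && l4) print sect
            quic = 0; l4 = 0
        }
        # A section keyword starts a new section and ends the previous one.
        /^[ \t]*(global|defaults|frontend|backend|listen|peers|resolvers|cache|userlist|mailers|program|ring|log-forward|http-errors|fcgi-app)([ \t]|$)/ {
            flush()
            sect = ($1 == "frontend" || $1 == "listen") ? $1 " " $2 : ""
            next
        }
        /^[ \t]*bind[ \t]+quic[46]@/             { quic = 1 }
        /^[ \t]*tcp-request[ \t]+connection([ \t]|$)/ { l4 = 1 }
        END { flush() }
    '
}

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CFG='global
    log stdout format raw local0

frontend fe_quic
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
    tcp-request connection reject if { src -f /etc/haproxy/blocklist.txt }
    default_backend be_app

frontend fe_tcp_only
    bind :8080
    tcp-request connection reject if { src 10.0.0.0/8 }
    default_backend be_app

listen quic_no_l4
    bind quic6@:8443 ssl crt /etc/haproxy/site.pem alpn h3
    http-request deny if { path_beg /admin }
    server app1 127.0.0.1:8000

backend be_app
    server app1 127.0.0.1:8000
'

echo "Sections combining QUIC and tcp-request connection in the sample:"
printf '%s\n' "$SAMPLE_CFG" | quic_with_l4_rules

# Same checks against a local installation, skipped when absent.
cfg="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
if command -v haproxy >/dev/null 2>&1; then
    ver=$(haproxy_version_from_banner "$(haproxy -v 2>/dev/null | head -n 1)")
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "haproxy $ver: is $FIXED_VERSION or later"
    else
        echo "haproxy ${ver:-unknown}: older than $FIXED_VERSION"
    fi
fi
if [ -r "$cfg" ]; then
    quic_with_l4_rules < "$cfg" | sed 's/^/QUIC + tcp-request connection in: /'
fi
```

The version comparison only says something within the 2.8 branch: other branches ship their own fix releases, so a 2.9.x result that compares above 2.8.5 tells nothing about whether it carries these particular commits. The scanner deliberately ignores rules placed in backend, defaults or other sections, since the announcement ties the crash to L4 rules evaluated on the QUIC frontend connection.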