HAProxy 2.8.5 was released on 2023/12/07. It added 44 new commits
after version 2.8.4.

This release is quite small. It mainly flushes the pipe to be able to make
clean releases on lower versions. However, it still comes with some fixes.

A QUIC incompatibility with L4 tcp-rules was fixed. QUIC connections are
redispatched on threads after the handshake completion. The migration is
performed in two steps. However, a L4 rule such as "tcp-request connection
reject", which closes the connection early, was interrupting the migration
in the middle. If a datagram was received before the connection was
released, this crashed the process because of a BUG_ON(). We now take care
to finish the thread migration of QUIC connections before L4 tcp-rules

It was also possible to experience a crash on QUIC connections waiting to be
killed if some retransmissions were still to be processed. Now, these
retransmits are cancelled for such connections. A crash during
retransmissions with a heavy load, reported by libasan, was fixed. The
CONNECTION_CLOSE_APP encoding was fixed. However this bug was harmless for
the 2.8 and lower. Some leak under heavy load were also fixed.

On H3 side, the trailers encoding was fixed. It was never working as
intended. Every HTTP/3 requests with trailers were reported as errors with
the 'CL--' termination state in logs. In addition, PUSH_PROMISE are now
always rejected. It is stated in the RFC that PUSH_PROMISE are never sent by
a client. Thus, it can be rejected in any case until HTTP/3 will be
implemented on the backend side.

For the 2.8.4, I announced a fix about the master CLI when several
thread-groups were configured. The bug was only partially fixed. Only the
worker socket was pinned on the first thread of the first group. I missed to
do the same with the master CLI itself. It is now fixed. Note it is only a
temporary fix. This works but William found there is in fact an issue with
the socketpairs when several thread-groups are configured.

The takeover mechanism, used by H1, H2 and FCGI multiplexers, to allow
thread migration of idle connections on server side, was fixed. In case of
memory allocation failure, the connection was released synchronously, which
was unexpected. Now, allocations are performed first. Thus on error, the
migration is just cancelled and the connection remains untouched.

A bug in the peer applet was fixed. It was possible to fall into a spinning
loop on partial message decoding when a connection was aborted by the
peer. Most of time, it was properly detected, except when the multi-bytes
integer indicating the message length was incomplete.

An issue with the cache was fixed. When a stream was interrupted by the
client before the response was fully stored in the cache, we ended up with
an incomplete entry in the cache until it "naturally" expired. These
incomplete entries are now properly removed from the cache.

Some bugs where fixed on OCSP: A double free on the OCSP CID and an issue
with the OSCP response after a SSL certificate modification, from the CLI
or a LUA script.

Possible crashes with the HTTP compression were fixed. Two cases where not
properly handled: A frontend with the compression configured but not on the
backend and the compression configured but without any algorithm.

The "word" converter was fixed to properly work with "-m found" operator.

The configuration parser was fixed to properly handle lines with an
unmatched environment variables instead of stopping the line parsing.

A memory leak was fixed when parsing a "default-server" directive in
defaults sections.

Finally, proxy initialization was fixed to also initialize all default
settings. It is especially useful to prevent crashes for internal proxies,
such as sinks and log forwarders.

Thanks everyone for your help and your contributions !

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (5):
      BUG/MAJOR: quic: complete thread migration before tcp-rules
      BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
      BUG/MINOR: h3: fix TRAILERS encoding
      BUG/MINOR: h3: always reject PUSH_PROMISE
      BUG/MINOR: quic_tp: fix preferred_address decoding

Aurelien DARRAGON (11):
      MINOR: stktable: add stktable_deinit function
      BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
      DOC: config: fix timeout check inheritance restrictions
      REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
      DOC: lua: add sticktable class reference from Proxy.stktable
      DOC: lua: fix Proxy.get_mode() output
      BUG/MINOR: compression: possible NULL dereferences in 
      BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
      DOC: config: specify supported sections for "max-session-srv-conns"
      DOC: config: add matrix entry for "max-session-srv-conns"
      DOC: config: fix monitor-fail typo

Christopher Faulet (2):
      BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
      BUG/MEDIUM: peers: fix partial message decoding

Eugene Dorfman (1):
      DOC: 51d: updated 51Degrees repo URL for v3.2.10

Frédéric Lécaille (11):
      BUG/MEDIUM: quic: Possible crash for connections to be killed
      BUG/MINOR: quic: Possible RX packet memory leak under heavy load
      BUG/MINOR: config: Stopped parsing upon unmatched environment variables
      BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
      BUG/MINOR: quic: Possible leak of TX packets under heavy load
      BUG/MINOR: quic: Missing QUIC connection path member initialization
      BUG/MINOR: quic: Packet number spaces too lately initialized
      BUG/MINOR: ssl: Double free of OCSP Certificate ID
      MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
      BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
      BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)

Remi Tricot-Le Breton (1):
      BUG/MINOR: cache: Remove incomplete entries from the cache when stream is 

Tim Duesterhus (3):
      REGTESTS: sample: Test the behavior of consecutive delimiters for the 
field converter
      BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
      DOC: Clarify the differences between field() and word()

William Lallemand (1):
      BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly

Willy Tarreau (9):
      BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
      BUG/MINOR: stream/cli: report correct stream age in "show sess"
      REGTESTS: http: add a test to validate chunked responses delivery
      BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind 
      BUG/MINOR: server: do not leak default-server in defaults sections
      DOC: config: fix missing characters in set-spoe-group action
      BUG/MEDIUM: proxy: always initialize the default settings after init

Christopher Faulet

Reply via email to