Hi,

HAProxy 2.4.25 was released on 2023/12/14. It added 73 new commits after version 2.4.24.

This release flushes the pipe of pending fixes. Everything was already announced in 2.6.16:

On the H2 side, a possible crash was fixed when processing a response containing a DATA frame after a 1xx response (or more generally before the final headers). When a congested H2 connection is shut down, we now take care to wait to send the final empty DATA frame with the ES flag, if necessary, instead of sending a RST_STREAM. H2 streams waiting in the send_list or the fctl_list are now properly woken up, improving performance in constrained environments. Finally, the stream ID is now committed even if the stream is rejected.

In the H1 multiplexer, handling of the http-request and http-keep-alive timeouts was fixed. Related to H1 but at the applicative level, handling of the abortonclose option was fixed: it was not properly handled when set on the backend only, and was only usable in the defaults section. Finally, an issue in the H1 chunked payload parsing was fixed by Chris Staite.

The takeover mechanism, used by the H1, H2 and FCGI multiplexers to allow thread migration of idle connections on the server side, was fixed. In case of memory allocation failure, the connection was released synchronously, which was unexpected. Now, allocations are performed first; thus on error, the migration is simply cancelled and the connection remains untouched.

In Lua, it is now possible to mix Lua actions loaded from 'lua-load' and 'lua-load-per-thread' directives within a single HTTP/TCP session.

Incomplete cache entries left when streams are interrupted by the clients are now properly removed from the cache, instead of waiting for their expiration.

The "word" converter was fixed to work properly with the "-m found" operator.

The configuration parser was fixed to properly handle lines with unmatched environment variables instead of stopping the line parsing.

A memory leak was fixed when parsing a "default-server" directive in defaults sections.

A possible crash in FCGI with STDERR records was fixed; it was due to a zero-copy operation that should not be allowed in this case.

Streamer detection, used to perform SSL sends bigger than tune.ssl.maxrecord, was no longer working for HTX streams.

Matching of actions' arguments was not working as expected because the parser stopped on the first match instead of looking for the longest matching name.

It was possible to enter a deadlock when purging a pattern, because pools were trimmed while the operation was under a lock. Thus, during the clearing of a map, if another thread tried to access or update an entry in the same map, it had to wait for the pattern lock to be released, while the pool-trimming function was waiting for all threads to be harmless, thus causing a deadlock. To fix the issue, the pools are now trimmed by the caller.

With TLSv1.3, the certificate selection favored RSA certificates over ECDSA ones when both were available for a domain, while it should be the opposite.

sc-add-gpc and sc-set-gpt(0) actions are now allowed from tcp-request connection. According to the documentation, this was supposed to be supported.

Thanks everyone for your help and your contributions!
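As an added illustration (not part of the announcement, and not a configuration shipped by the project), the minimal configuration below exercises two of the behaviours this release corrects: "option abortonclose" declared in a backend section only, with no copy in "defaults", and the "word" converter combined with "-m found" in an ACL. The frontend/backend names, bind port and server address are constructed for the example.

```haproxy
# Added example configuration; names and addresses are constructed.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_http
    bind :8080
    # "word" converter with "-m found": before 2.4.25 this combination was
    # not reliable. The ACL is true only when the request path really has a
    # second "/"-separated segment (e.g. "/api/v1" yes, "/api" no).
    acl has_second_segment path,word(2,/) -m found
    http-request return status 404 if !has_second_segment
    default_backend be_app

backend be_app
    # abortonclose set on the backend only: with 2.4.25 it is honoured here
    # without needing to be declared in the defaults section as well, so a
    # client closing early aborts its pending request towards the server.
    option abortonclose
    server app1 127.0.0.1:9000
```

Checking with "haproxy -c -f <file>" confirms the syntax; the behavioural difference (a request on the backend aborted when the client closes while the server side is still queued or connecting) shows up at runtime rather than at configuration check time.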
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Aurelien DARRAGON (22):
      BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
      BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
      BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
      DOC: lua: fix core.register_action typo
      BUG/MINOR: hlua/action: incorrect message on E_YIELD error
      MINOR: hlua: add hlua_stream_ctx_prepare helper function
      BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
      BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
      BUG/MINOR: hlua/init: coroutine may not resume itself
      BUG/MINOR: server: add missing free for server->rdr_pfx
      MINOR: pattern: fix pat_{parse,match}_ip() function comments
      BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume (2nd try)
      BUG/MINOR: stktable: missing free in parse_stick_table()
      BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
      BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
      MINOR: stktable: add stktable_deinit function
      BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
      REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
      DOC: lua: add sticktable class reference from Proxy.stktable
      DOC: lua: fix Proxy.get_mode() output
      DOC: config: specify supported sections for "max-session-srv-conns"
      DOC: config: add matrix entry for "max-session-srv-conns"

Cedric Paillet (1):
      BUG/MINOR: promex: fix backend_agg_check_status

Christopher Faulet (20):
      BUG/MEDIUM: dns: Be sure to unlock DSS when existing dns_session_io_handler()
      BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown
      BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
      BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
      BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
      BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
      BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task
      BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
      CLEANUP: htx: Properly indent htx_reserve_max_data() function
      BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
      BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
      MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
      MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads
      BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
      REGTESTS: http: Improve script testing abortonclose option
      BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
      MINOR: htx: Use a macro for overhead induced by HTX
      MINOR: channel: Add functions to get info on buffers and deal with HTX streams
      BUG/MINOR: stconn: Fix streamer detection for HTX streams
      BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer

Eugene Dorfman (1):
      DOC: 51d: updated 51Degrees repo URL for v3.2.10

Frédéric Lécaille (2):
      MINOR: buf: Add b_force_xfer() function
      BUG/MINOR: config: Stopped parsing upon unmatched environment variables

Remi Tricot-Le Breton (1):
      BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed

Tim Duesterhus (4):
      CI: Update to actions/checkout@v4
      REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
      BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
      DOC: Clarify the differences between field() and word()

William Lallemand (6):
      BUILD: Makefile: add the USE_QUIC option to make help
      BUILD: ssl: buggy -Werror=dangling-pointer since gcc 13.0
      BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
      BUG/MEDIUM: ssl: segfault when cipher is NULL
      DOC: management: -q is quiet all the time
      BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly

Willy Tarreau (16):
      SCRIPTS: git-show-backports: automatic ref and base detection with -m
      BUG/MINOR: ssl_sock: fix possible memory leak on OOM
      BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
      BUG/MINOR: debug: enter ha_panic() only once
      BUG/MEDIUM: actions: always apply a longest match on prefix lookup
      BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
      BUG/MINOR: mux-h2: commit the current stream ID even on reject
      BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
      DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
      BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
      BUG/MINOR: stream/cli: report correct stream age in "show sess"
      REGTESTS: http: add a test to validate chunked responses delivery
      BUG/MINOR: server: do not leak default-server in defaults sections
      BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()

--
Christopher Faulet