HAProxy 2.4.25 was released on 2023/12/14. It added 73 new commits
after version 2.4.24.

This release flushes the pipe of pending fixes. Everything was already
announced in 2.6.16:

On H2 side, a possible crash was fixed when processing a response containing
a DATA frame after an 1xx response (or more generally before final
headers). When a congested H2 connection is shut done, we now take care to
wait to send the final empty DATA frame with the ES flag, if necessary,
instead of sending a RST_STREAM. H2 streams waiting in the send_list or the
fctl_list are now properly woken up, improving performance on constraint
environments. Finally, the stream ID is now committed even if the stream is

In the H1 multiplexer, handling of http-request and http-keep-alive timeouts
was fixed. Related to H1 but at the applicative level, the abortonclose
option handling was fixed. It was not properly handled when set on the
backend only. It was only usable on defaults section. Finally, an issue in
the H1 chunked payload parsing was fixed by Chris Staite.

The takeover mechanism, used by H1, H2 and FCGI multiplexers, to allow
thread migration of idle connections on server side, was fixed. In case of
memory allocation failure, the connection was released synchronously, which
was unexpected. Now, allocations are performed first. Thus on error, the
migration is just cancelled and the connection remains untouched.

On lua, It is now possible to mix lua actions loaded from 'lua-load' and
'lua-load-per-thread' directives within a single http/tcp session.

Incomplete cache entries when streams are interrupted by the clients are now
properly removed from the cache, instead of waiting their expiration.

The "word" converter was fixed to properly work with "-m found" operator.

The configuration parser was fixed to properly handle lines with an
unmatched environment variables instead of stopping the line parsing.

A memory leak was fixed when parsing a "default-server" directive in
defaults sections.

A possible crash in fcgi with stderr records due to a zero-copy operation
that should not be allowed in this case.

Streamers detection, used to perform SSL sends bigger than
tune.ssl.maxrecord, was no longer working for HTX streams.

Matching of action's arguments was not working as expected because the
parser stopped on the first match instead of looking for the longest
matching name.

It was possible to enter into a deadlock when purging a pattern because
pools were trimmed while the operation was under a lock. Thus during a
clearing of a map, if another thread tried to access or update an entry in
the same map, it had to wait for the pattern lock to be released, while the
pools trimming function was waiting for all threads to be harmless, thus
causing a deadlock. To fix the issue, the pools are now trimmed by the

With TLSv1.3, the certificate selection favored RSA certificated over ECDSA
when both were available for a domain while it should be the opposite.

sc-add-gpc and sc-set-gpt(0) actions are now allowed from tcp-request
connection. According to the documentation, this was supposed to be

Thanks everyone for your help and your contributions !

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Aurelien DARRAGON (22):
      BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
      BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
      BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
      DOC: lua: fix core.register_action typo
      BUG/MINOR: hlua/action: incorrect message on E_YIELD error
      MINOR: hlua: add hlua_stream_ctx_prepare helper function
      BUG/MEDIUM: hlua: streams don't support mixing lua-load with 
      BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
      BUG/MINOR: hlua/init: coroutine may not resume itself
      BUG/MINOR: server: add missing free for server->rdr_pfx
      MINOR: pattern: fix pat_{parse,match}_ip() function comments
      BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume (2nd 
      BUG/MINOR: stktable: missing free in parse_stick_table()
      BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
      BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
      MINOR: stktable: add stktable_deinit function
      BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
      REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
      DOC: lua: add sticktable class reference from Proxy.stktable
      DOC: lua: fix Proxy.get_mode() output
      DOC: config: specify supported sections for "max-session-srv-conns"
      DOC: config: add matrix entry for "max-session-srv-conns"

Cedric Paillet (1):
      BUG/MINOR: promex: fix backend_agg_check_status

Christopher Faulet (20):
      BUG/MEDIUM: dns: Be sure to unlock DSS when existing 
      BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending 
      BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
      BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR 
      BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before 
      BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
      BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task
      BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check 
      CLEANUP: htx: Properly indent htx_reserve_max_data() function
      BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive 
      BUG/MINOR: stconn: Handle abortonclose if backend connection was already 
set up
      MINOR: connection: Add a CTL flag to notify mux it should wait for reads 
      MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for 
      BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
      REGTESTS: http: Improve script testing abortonclose option
      BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
      MINOR: htx: Use a macro for overhead induced by HTX
      MINOR: channel: Add functions to get info on buffers and deal with HTX 
      BUG/MINOR: stconn: Fix streamer detection for HTX streams
      BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer

Eugene Dorfman (1):
      DOC: 51d: updated 51Degrees repo URL for v3.2.10

Frédéric Lécaille (2):
      MINOR: buf: Add b_force_xfer() function
      BUG/MINOR: config: Stopped parsing upon unmatched environment variables

Remi Tricot-Le Breton (1):
      BUG/MINOR: cache: Remove incomplete entries from the cache when stream is 

Tim Duesterhus (4):
      CI: Update to actions/checkout@v4
      REGTESTS: sample: Test the behavior of consecutive delimiters for the 
field converter
      BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
      DOC: Clarify the differences between field() and word()

William Lallemand (6):
      BUILD: Makefile: add the USE_QUIC option to make help
      BUILD: ssl: buggy -Werror=dangling-pointer since gcc 13.0
      BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual 
      BUG/MEDIUM: ssl: segfault when cipher is NULL
      DOC: management: -q is quiet all the time
      BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly

Willy Tarreau (16):
      SCRIPTS: git-show-backports: automatic ref and base detection with -m
      BUG/MINOR: ssl_sock: fix possible memory leak on OOM
      BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
      BUG/MINOR: debug: enter ha_panic() only once
      BUG/MEDIUM: actions: always apply a longest match on prefix lookup
      BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
      BUG/MINOR: mux-h2: commit the current stream ID even on reject
      BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
      DOC: config: use the word 'backend' instead of 'proxy' in 'track' 
      BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
      BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
      BUG/MINOR: stream/cli: report correct stream age in "show sess"
      REGTESTS: http: add a test to validate chunked responses delivery
      BUG/MINOR: server: do not leak default-server in defaults sections
      BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()

Christopher Faulet

Reply via email to