Hi,
HAProxy 2.9.1 was released on 2023/12/15. It added 20 new commits
after version 2.9.0.
This release addresses several issues discovered since the last version and
introduces some new features.
Firstly, there have been improvements to the SSL handling of the software. A
double free bug in ssl_sock_free_cert_key_and_chain_contents has been fixed,
which could lead to memory corruption and potential crashes when updating
certificates.
Another issue related to SSL certificates has been addressed, specifically
in the OpenSSL QUIC compatibility module. A possible buffer overflow was
discovered during the building of TLS records, which could lead to unexpected
behavior or crashes. This bug only affected users who had enabled this
specific feature and has now been resolved.
Secondly, a new feature has been added to the ssl/cli subsystem. The
'warning' and 'alert' messages from ha_warning() and ha_alert() are now
prefixed in the CLI when using the "commit ssl cert" command. This will make
it easier for users to identify these important messages among other
output. In addition, the "set severity-output" command was fixed so that it
is also supported on the master CLI socket.
Additionally, a regression in map/acl handling has been corrected. The
pat_ref_{set,delete}_by_id functions were not properly unlinking and freeing
removed references, leading to unexpected behavior when manipulating maps or
access control lists. A mistake in the code that prevented the default
configuration of "external-check" without an argument was corrected.
Thirdly, there have been improvements to the mux handling of the software. A
bug where data from input buffers could be counted twice during zero-copy
forwarding has been fixed, and a regression related to Content-Length
headers in bodyless requests was resolved. These changes should improve
performance and correctness for users working with HTTP/2 or QUIC
protocols.
In addition, zero-copy forwarding is now blocked when an error is reported
by the consumer side. This was especially an issue for QUIC, and it revealed
another bug in QUIC when a STOP_SENDING frame is received early, before the
stream-connector is created. In this case, the stream layer was never notified
about the underlying error and the response could be sent while zero-copy
forwarding was in use, leading to a crash because of a BUG_ON()
statement. This was fixed by creating the stream-connector in an error
state.
Then, the parsing of trailers in H2 was fixed to not erroneously detect a
too large HEADERS frame if data of other streams fully fill the demux buffer.
It is not a 2.9 regression. All stable versions are affected.
An issue with OCSP after an SSL certificate update was fixed: the OCSP
CID was not refreshed. Both the CLI and Lua code paths were affected.
Lastly, there have been various cleanups and documentation updates
throughout the codebase. These changes do not directly impact users but help
maintain the quality of the software.
If you are running 2.9.0, you should update, because the fixed bugs,
especially those regarding zero-copy forwarding, may impact everyone.
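To turn the recommendation above into something an operator can run against a fleet, here is an added triage script (not part of the announcement or of HAProxy itself) that reads the output of `haproxy -vv`, extracts the version and the enabled feature list, and reports which of the fixes described in this announcement apply to that build. The sample output embedded below is constructed, and the `+FEATURE`/`-FEATURE` layout of the "Feature list" line and the `QUIC_OPENSSL_COMPAT` feature name are assumptions about how HAProxy prints its build features.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample of `haproxy -vv` output for a 2.9.0 build (abbreviated).
# The Feature list layout is an assumption about HAProxy's output format.
SAMPLE_VV = """\
HAProxy version 2.9.0-1b3aa6a 2023/12/05 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  OPTIONS = USE_OPENSSL=1 USE_QUIC=1 USE_QUIC_OPENSSL_COMPAT=1 USE_LUA=1
Feature list : -51DEGREES +ACCEPT4 +LUA +OPENSSL +QUIC +QUIC_OPENSSL_COMPAT +THREAD -WOLFSSL
"""

# First 2.9.x release carrying the fixes described in the announcement.
FIXED_IN = (2, 9, 1)


@dataclass
class Report:
    version: tuple
    features: set
    needs_update: bool
    notes: list


def parse_version(text):
    """Return (major, minor, patch) from the 'HAProxy version X.Y.Z' line."""
    m = re.search(r"^HAProxy version (\d+)\.(\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("no HAProxy version line found")
    return tuple(int(x) for x in m.groups())


def parse_features(text):
    """Return the set of features marked '+' on the 'Feature list' line."""
    m = re.search(r"^Feature list\s*:\s*(.*)$", text, re.M)
    if not m:
        return set()
    return {tok[1:] for tok in m.group(1).split() if tok.startswith("+")}


def triage(text):
    """Decide whether this build is a 2.9.0 that needs the 2.9.1 fixes,
    and list which announced fixes are relevant to its enabled features."""
    version = parse_version(text)
    features = parse_features(text)
    notes = []
    # Only the 2.9 branch is assessed here; the announcement covers 2.9.0 -> 2.9.1.
    needs_update = version[:2] == (2, 9) and version < FIXED_IN
    if needs_update:
        notes.append("2.9.0: zero-copy forwarding fixes apply to every deployment")
        if "QUIC_OPENSSL_COMPAT" in features:
            notes.append("QUIC OpenSSL compat enabled: TLS record buffer overflow fix applies")
        if "OPENSSL" in features or "WOLFSSL" in features:
            notes.append("SSL enabled: certificate-update double free and OCSP CID refresh fixes apply")
        if "LUA" in features:
            notes.append("Lua enabled: OCSP CID after certificate update via Lua was affected")
    return Report(version, features, needs_update, notes)


def main(argv):
    # With no argument, analyse the constructed sample; otherwise run the
    # given haproxy binary with -vv and analyse its real output.
    if len(argv) > 1:
        text = subprocess.run([argv[1], "-vv"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_VV
    report = triage(text)
    print("version:", ".".join(map(str, report.version)))
    print("needs update:", report.needs_update)
    for note in report.notes:
        print(" -", note)


if __name__ == "__main__":
    main(sys.argv)
```

Running `python3 triage.py /usr/sbin/haproxy` analyses the installed binary; with no argument it analyses the constructed sample. The script deliberately limits itself to the fixes the announcement names, so a build on another branch is reported as not needing this particular update even though, as the announcement notes for the H2 trailers bug, all stable versions received that fix.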
Thanks everyone for your help and your contributions!
Please find the usual URLs below:
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.9/src/
Git repository : https://git.haproxy.org/git/haproxy-2.9.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
Changelog : https://www.haproxy.org/download/2.9/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Amaury Denoyelle (1):
BUG/MEDIUM: mux-quic: report early error on stream
Aurelien DARRAGON (2):
BUG/MEDIUM: map/acl: pat_ref_{set,delete}_by_id regressions
BUG/MINOR: ext-check: cannot use without preserve-env
Christopher Faulet (6):
MINOR: version: mention that it's stable now
BUG/MEDIUM: stconn: Block zero-copy forwarding if EOS/ERROR on consumer side
BUG/MEDIUM: mux-h1: Cound data from input buf during zero-copy forwarding
BUG/MEDIUM: mux-h1: Explicitly skip request's C-L header if not set originally
CLEANUP: mux-h1: Fix a trace message about C-L header addition
BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
Frédéric Lécaille (6):
BUG/MINOR: ssl: Double free of OCSP Certificate ID
MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
BUG/MEDIUM: quic: QUIC CID removed from tree without locking
William Lallemand (3):
DOC: configuration: typo req.ssl_hello_type
BUG/MINOR: mworker/cli: fix set severity-output support
BUILD: ssl: update types in wolfssl cert selection callback
Willy Tarreau (2):
DOC: config: add arguments to sample fetch methods in the table
DOC: config: also add arguments to the converters in the table
--
Christopher Faulet