HAProxy 2.9.1 was released on 2023/12/15. It added 20 new commits
after version 2.9.0.

This release addresses several issues discovered since the last version and
introduces some new features.

Firstly, there have been improvements to the SSL handling of the software. A
double free bug in ssl_sock_free_cert_key_and_chain_contents has been fixed,
which could lead to memory corruption and potential crashes when updating

Another issue related to SSL certificates has been addressed, specifically
with OpenSSL QUIC compatibility module. A possible buffer overflow was
discovered during the building of TLS records which could lead to unexpected
behavior or crashes. This bug only affected users who had enabled this
specific feature and has now been resolved.

Secondly, a new feature has been added to the ssl/cli subsystem. The
'warning' and 'alert' messages from ha_warning() and ha_alert() are now
prefixed in the CLI when using the commit ssl cert command. This will make
it easier for users to identify these important messages among other
output. In addition, the "set serverity-ouput" command was fixed to be also
supported on the master CLI socket.

Additionally, a regression in map/acl handling has been corrected. The
pat_ref_{set,delete}_by_id functions were not properly unlinking and freeing
removed references, leading to unexpected behavior when manipulating maps or
access control lists. A mistake in the code that prevented the default
configuration of "external-check" without an argument was corrected.

Thirdly, there have been improvements to the mux handling of the software. A
bug where data from input buffers could be counted twice during zero-copy
forwarding has been fixed, and a regression related to Content-Length
headers in bodyless requests was resolved. These changes should improve
performance and correctness for users working with HTTP/2 or QUIC

In addition, zero-copy forwarding is now blocked when an error is reported
by the consumer side. It was especially an issue for the QUIC. This reveals
another bug in QUIC when a STOP_SENDING frame is received early, before the
stream-connector is created. In this case, stream layer was never notified
about the underlying error and the response could be sent when the zero-copy
forwarding was in-use, leading to a crash because of a BUG_ON()
statement. This was fixed by creating the stream-connector in an error

Then, the parsing of trailers in H2 was fixed to not erroneously detect a
too large HEADERS frame if data of other streams fully fill the demux buffer.
It is not a 2.9 regression. All stable versions are affected.

An issue about the OSCP after an SSL certificate update was fixed. The OSCP
CID was not refreshed. The CLI and the LUA were both affected.

Lastly, there have been various cleanups and documentation updates
throughout the codebase. These changes do not directly impact users but help
maintain the quality of the software.

If you are running on the 2.9.0, you should update because fixed bugs,
especially those regarding zero-copy forwarding, may impact everyone.

Thanks everyone for your help and your contributions !

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (1):
      BUG/MEDIUM: mux-quic: report early error on stream

Aurelien DARRAGON (2):
      BUG/MEDIUM: map/acl: pat_ref_{set,delete}_by_id regressions
      BUG/MINOR: ext-check: cannot use without preserve-env

Christopher Faulet (6):
      MINOR: version: mention that it's stable now
      BUG/MEDIUM: stconn: Block zero-copy forwarding if EOS/ERROR on consumer 
      BUG/MEDIUM: mux-h1: Cound data from input buf during zero-copy forwarding
      BUG/MEDIUM: mux-h1: Explicitly skip request's C-L header if not set 
      CLEANUP: mux-h1: Fix a trace message about C-L header addition
      BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is 

Frédéric Lécaille (6):
      BUG/MINOR: ssl: Double free of OCSP Certificate ID
      MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
      BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
      BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
      BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
      BUG/MEDIUM: quic: QUIC CID removed from tree without locking

William Lallemand (3):
      DOC: configuration: typo req.ssl_hello_type
      BUG/MINOR: mworker/cli: fix set severity-output support
      BUILD: ssl: update types in wolfssl cert selection callback

Willy Tarreau (2):
      DOC: config: add arguments to sample fetch methods in the table
      DOC: config: also add arguments to the converters in the table

Christopher Faulet

Reply via email to