Hi,

HAProxy 3.1-dev8 was released on 2024/09/18. It added 50 new commits
after version 3.1-dev7.

The last two weeks have been mostly dedicated to fixing bugs in order to
update stable branches, so it will be no surprise that this version mostly
contains fixes as well. They are not even particularly interesting to
describe here (frozen H1 connections, crashes with cache+compression+extra
filters, second fix for the dequeue lockup).

A few points are still worth mentioning:
  - despite the code that tries to correct possible time jumps, there were
    some uncovered cases (typically if the time changes outside the polling
    loop instead of during poll). These were addressed as well, and since
    we were already collecting the monotonic time on operating systems
    supporting it, it was the right moment to opportunistically rely on it
    when it ticks.

  - the previously discussed choice of sending warnings for all detected
    cases of conflicts on proxy names has started. Now we detect frontend
    vs backend, listen after backend, defaults vs other proxies. Some
    cleanups are still deserved for defaults handling (right now they're
    all preserved but the duplicate ones of same names should be dropped).
    Detection of server name duplicates still needs to be done.

  - accept-invalid-http-response now also tolerates responses with two
    "chunked" transfer-codings like before, because of a report of at
    least one bogus application relying on that (GitHub issue #2677).
    This is not accepted in requests though, as this remains particularly
    dangerous.

  - the accept-invalid-http-request/response options were more and more
    used to adapt bogus applications in ways that start to pose security
    concerns. Lukas suggested that we'd rename them in a way that makes
    this aspect more obvious, and it was the right moment! They're now
    called: "accept-unsafe-violations-in-http-request/response". The old
    ones are still supported but deprecated and will issue a warning
    suggesting the new one. With a bit of luck some users seeing the
    warning will reconsider whether or not they still need these.

  - the CLI now offers "dump ssl cert" to dump a certificate directly
    in PEM format.

  - speaking of the CLI, the "init-state" server keyword wasn't permitted
    on the "add server" directive, it is now.

  - configs with many variables should now run faster: they used to be
    stored in a linked list, and lookups could take quite some time.
    Now they're stored in a tree. This shows a performance gain of 67%
    at max speed for 100 variables set and each read 10 times in a
    section (OK that's a pretty empirical test).

We've created a new "Breaking Changes" page on the wiki. The official
purpose is to let everyone know what updates may require some efforts,
but we all know that the main goal is for me to stop forgetting about
deprecating stuff that was already planned, thus postponing that by a
year once noticed :-)  That can be useful over time to help users
making big jumps from older to newer versions spanning multiple cycles.

New stable versions are coming. We're done with the backports, and are
still working on collecting the list of changes for the announce message,
and we'll hopefully issue them this Thursday.

Oh before I forget, some might not have noticed the news, but the date
of the HAProxyConf 2025 is now fixed to June 4-5 2025 in San Francisco,
and with some workshops starting on June 3. There's currently a Call For
Papers open. If you have any ideas of topics worth presenting, some cool
tricks you figured and would like to share, report a nice success story,
or enumerate all the points that annoy you in HAProxy as well, don't be
shy and please consider proposing a talk. The Call for Papers site is:
https://www.haproxyconf.com/call-for-papers/ . You can know more by
visiting the site, which is still: https://www.haproxyconf.com/ .

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.1/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (1):
      BUG/MINOR: mux-quic: report glitches to session

Aurelien DARRAGON (7):
      BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
      BUG/MEDIUM: pattern: prevent uninitialized reads in pat_match_{str,beg}
      BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
      BUG/MINOR: peers: local entries updates may not be advertised after resync
      BUG/MINOR: fix missing "log-format overrides previous 'option tcplog clf'..." detection
      BUG/MINOR: fix missing "'option httpslog' overrides previous 'option tcplog clf'..." detection
      BUG/MINOR: cfgparse-listen: fix option httpslog override warning message

Christopher Faulet (12):
      MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
      BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
      REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades
      BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
      BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established
      MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
      DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
      MINOR: proxy: Rename accept-invalid-http-* options
      DOC: configuration: Remove dangerous directives from the proxy matrix
      BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send
      BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
      BUG/MEDIUM: promex: Wait to have the request before sending the response

Damien Claisse (2):
      MINOR: server: allow init-state for dynamic servers
      DOC: management: add init-state to add server keywords

William Lallemand (1):
      MEDIUM: ssl/cli: "dump ssl cert" allow to dump a certificate in PEM format

Willy Tarreau (27):
      DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
      BUG/MEDIUM: clock: detect and cover jumps during execution
      REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
      BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
      REGTESTS: shorten a bit the delay for the h1/h2 upgrade test
      DOC: server: document what to check for when adding new server keywords
      BUG/MINOR: polling: fix time reporting when using busy polling
      BUG/MINOR: clock: make time jump corrections a bit more accurate
      BUG/MINOR: clock: validate that now_offset still applies to the current date
      BUG/MEDIUM: queue: implement a flag to check for the dequeuing
      OPTIM: sample: don't check casts for samples of same type
      OPTIM: vars: remove the unneeded lock in vars_prune_*
      OPTIM: vars: inline vars_prune() to avoid many calls
      MINOR: vars: remove the emptiness tests in callers before pruning
      IMPORT: import cebtree (compact elastic binary trees)
      OPTIM: vars: use a cebtree instead of a list for variable names
      OPTIM: vars: use multiple name heads in the vars struct
      MINOR: clock: test all clock_gettime() return values
      MEDIUM: clock: collect the monotonic time in clock_local_update_date()
      MEDIUM: clock: opportunistically use CLOCK_MONOTONIC for the internal time
      MEDIUM: clock: use the monotonic clock for idle time calculation
      MEDIUM: clock: don't compute before_poll when using monotonic clock
      BUG/MINOR: cfgparse: detect incorrect overlap of same backend names
      MEDIUM: cfgparse: warn about proxies having the same names
      BUILD: cebtree: silence a bogus gcc warning on impossible code paths
      MEDIUM: cfgparse: warn about colliding names between defaults and proxies
      MEDIUM: cfgparse: detect collisions between defaults and log-forward
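
Added example (not part of the original announcement, and not HAProxy project code): a small audit for the option rename described above, reporting which sections of a configuration set the relaxed HTTP parsing options and which lines still use the deprecated spelling. The sample configuration, the `audit` function and the section names are constructed for illustration; comment stripping is simplified and does not handle a quoted `#`.

```python
# Deprecated spelling -> name introduced in 3.1-dev8, per the announcement.
RENAMED = {
    "accept-invalid-http-request": "accept-unsafe-violations-in-http-request",
    "accept-invalid-http-response": "accept-unsafe-violations-in-http-response",
}
WATCHED = set(RENAMED) | set(RENAMED.values())
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = """\
defaults base
    mode http
    option accept-invalid-http-response   # legacy app workaround

frontend fe_web
    bind :8080
    option accept-unsafe-violations-in-http-request
    default_backend be_app

backend be_app
    no option accept-invalid-http-response
    server s1 192.0.2.10:8080
"""

def audit(cfg_text):
    """Return one finding per line that sets a relaxed-parsing option."""
    findings, section = [], "(no section)"
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # simplified comment stripping
        if not words:
            continue
        if words[0] in SECTIONS:               # remember the current section
            section = " ".join(words[:2])
            continue
        negated = words[0] == "no"             # "no option ..." disables it
        if negated:
            words = words[1:]
        if len(words) >= 2 and words[0] == "option" and words[1] in WATCHED:
            findings.append({"line": lineno, "section": section,
                             "option": words[1], "enabled": not negated,
                             "rename_to": RENAMED.get(words[1])})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CFG):
        state = "ENABLED" if f["enabled"] else "disabled"
        hint = f" (deprecated, use {f['rename_to']})" if f["rename_to"] else ""
        print(f"line {f['line']}: [{f['section']}] {f['option']} {state}{hint}")
```

A finding in a `defaults` section deserves the closest look, since proxies that follow it inherit the setting unless they disable it themselves; the script only reports where the option is written.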
