Hi,
HAProxy 2.9.11 was released on 2024/09/19. It added 58 new commits
after version 2.9.10.
This release is very similar to 3.0.5. The following bugs were fixed:
* A temporary leak of sessions was fixed in the H1 multiplexer when
zero-copy data forwarding was in use. When the H1 connection was about to
be closed, the event was not properly handled in the zero-copy forwarding
case, leaving the connection in CLOSING state until the timeout was
reached. This could be detected by an excess of connections in
CLOSE_WAIT state.
* HTTP applets (stats, cache and promex) started to process the request
and to build the reply without checking whether the request analysis was
finished. In the vast majority of cases this is not an issue, because the
request analysis is indeed finished by the time the server-side applet is
created. But if a filter delayed the request analysis, it could happen. In
that case, undefined and hard-to-predict behaviors could be observed,
such as responses sent too early or even crashes. Among others, the
compression filter was quite sensitive to this because it must filter the
request before the response. To fix the issue, backend HTTP applets now
wait for the end of the request analysis before sending a response.
* Several commits concerned the clock code, to fix the handling of time
jumps. In case of a large time jump, it was possible for the global time
offset to no longer be updated, leading to a wrong "date" value. Among
other things, this could lead to wrong internal rate computations. Fixing
the clock issues revealed a bug in busy polling: the time and status
passed to clock_update_local_date() were incorrect.
* Some unhandled aborts were fixed in the H2 multiplexer. The end of
message could be reported twice for tunneled streams, leaving the second
one blocked at the channel level because of the first one. In addition,
termination flags were not always properly propagated from the H2 stream
to the stream-endpoint descriptor. Because of these two bugs, it was
possible from time to time to block streams indefinitely.
* Zero-copy data forwarding in H1 was erroneously disabled when a tunnel
was established, because the response message was flagged as having no
data. While such a response has no HTTP payload, tunneled data are
expected.
* A write error on the client side while HAProxy was waiting for the
server response was not properly handled: the stream was not aborted as
it normally is. This was not an issue if no filter was used. But with a
filter, it was possible to block the stream indefinitely because data
could remain stuck in the response channel buffer.
* The same kind of issue was fixed at the H1/pass-through multiplexer
level. The pipe used for kernel splicing was not properly released on a
write error, preventing the stream from being released when a filter was
used because the corresponding channel always appeared as non-empty. On a
write error, the pipe can safely be released because no more data can be
sent.
* Pipelined mode on the master CLI has been broken since 3.0-dev4. On
older versions it still works, but a warning is emitted. When pipelined
mode was fixed on the worker CLI to match the documentation (a semicolon
between commands and a newline at the end), we forgot to reflect the
change on the master CLI. It is now fixed.
* The fix concerning session queuing in 2.9.10 introduced a regression,
leading to an infinite loop in assign_server_and_queue() because of a
race condition between the dequeuing and queuing mechanisms. The bug was
mainly due to the fact that a trylock was used to dequeue sessions when a
server slot was released. The trylock was used to make sure that no thread
would wait to dequeue sessions while another one was already doing it,
because it is an expensive task. However, the trylock could also fail
while a session was being queued. To fix the bug, a flag is now used
instead of the trylock.
* Several bugs were fixed on QUIC:
- A 0-RTT session could be opened with a spoofed IP address that was
trusted by HAProxy because of a previously established connection,
thereby bypassing IP allow/block lists. The problem was reported by
Michael Wedl. To mitigate this vulnerability, NEW_TOKEN frame support was
added so that the client's reachability can always be validated during
0-RTT. It allows an IP-bound token to be delivered to the client for
later use, and if the address changes, a regular RETRY token is used
instead.
- It was possible to freeze a connection because of undeciphered 0-RTT
content.
- The MAX_STREAMS ID value was not properly checked, so a value that was
too big could be sent. This is now fixed. This patch also ensures that the
peer cannot open a stream with an invalid ID, as this would now cause a
flow-control violation instead.
- A too-short datagram during packet building failures could lead to a
crash. It was reported by Ilya when HAProxy was built against AWS-LC.
- Some issues with the QUIC traces were fixed.
* On H3, when a response is formatted to be sent to the client, the
handling of responses with a too long header list was fixed so that the
process no longer aborts and a proper error is returned instead.
* Some bugs in the handling of pattern expressions loaded from files were
fixed, including two use-after-free cases (see the changelog below).
* Some server address and port updates could be missed because of a bug
in the task responsible for handling these updates. This could happen
when there were too many updates and the task was interrupted: the next
event to be processed when the interrupt occurred was lost. In addition,
it was not released, leading to a memory leak.
* When listen() failed on a TCP or Unix socket, the file descriptor was
not removed from the fdtab[] array, which could lead to a crash because
of a BUG_ON() when this FD was reused. The FD is now properly removed
from fdtab[] in that case.
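As an added illustration of the 0-RTT address-validation point above (this is example code, not HAProxy's implementation; the token layout, HMAC construction, lifetimes and the function names are assumptions of the example, and HAProxy derives its own token secret and frame format): a NEW_TOKEN-style token is bound to the address it was issued to, and an Initial packet presenting it from a different source address gets a Retry instead of being trusted for the IP allow-list.

```python
"""Address validation for QUIC 0-RTT, as an illustration (not HAProxy's code).

Constructed example. A NEW_TOKEN-style token is bound to the client address
it was issued to. When a later Initial packet presents it, the server only
trusts the connection for IP-based allow/block lists if the token matches
the packet's *current* source address; otherwise it answers with a Retry,
which a client spoofing its source address cannot complete because it never
receives that reply. Token layout, MAC construction and lifetimes are
assumptions of this example.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

KIND_NEW_TOKEN = 0x01            # issued on a validated connection, for later use
KIND_RETRY = 0x02                # issued in a Retry packet, must be used right away
NEW_TOKEN_LIFETIME = 24 * 3600   # assumed lifetimes
RETRY_LIFETIME = 10
TAG_LEN = 16


class AddressValidator:
    def __init__(self, secret, now=time.time):
        self._secret = secret    # assumed: a random per-process secret
        self._now = now

    def _tag(self, body):
        return hmac.new(self._secret, body, hashlib.sha256).digest()[:TAG_LEN]

    def _issue(self, kind, client_ip, lifetime):
        ip = ipaddress.ip_address(client_ip).packed          # 4 or 16 bytes
        expiry = int(self._now()) + lifetime
        body = (struct.pack("!BB", kind, len(ip)) + ip
                + struct.pack("!Q", expiry) + os.urandom(8))  # nonce: tokens are unique
        return body + self._tag(body)

    def issue_new_token(self, client_ip):
        return self._issue(KIND_NEW_TOKEN, client_ip, NEW_TOKEN_LIFETIME)

    def issue_retry_token(self, client_ip):
        return self._issue(KIND_RETRY, client_ip, RETRY_LIFETIME)

    def validate(self, token, src_ip):
        """'validated', 'address_mismatch', 'expired' or 'invalid'."""
        if len(token) < 2 + TAG_LEN:
            return "invalid"
        body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return "invalid"                 # forged or tampered: checked before parsing
        kind, iplen = struct.unpack("!BB", body[:2])
        if kind not in (KIND_NEW_TOKEN, KIND_RETRY) or iplen not in (4, 16):
            return "invalid"
        if len(body) != 2 + iplen + 8 + 8:
            return "invalid"
        ip = body[2:2 + iplen]
        (expiry,) = struct.unpack("!Q", body[2 + iplen:2 + iplen + 8])
        if self._now() > expiry:
            return "expired"
        if ip != ipaddress.ip_address(src_ip).packed:
            return "address_mismatch"        # token was issued to another address
        return "validated"


def handle_initial(validator, src_ip, token, allow_nets):
    """Decision for an Initial packet (possibly carrying 0-RTT) from src_ip.

    Returns (action, token_status, retry_token). The allow-list is only
    consulted once the source address has been validated; an unvalidated
    address gets a Retry bound to that address instead of a verdict, so a
    spoofed address can neither be allowed nor have its 0-RTT data accepted.
    """
    status = validator.validate(token, src_ip) if token else "absent"
    if status != "validated":
        return ("retry", status, validator.issue_retry_token(src_ip))
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(n) for n in allow_nets):
        return ("accept", status, None)
    return ("reject", status, None)


if __name__ == "__main__":
    v = AddressValidator(os.urandom(32))
    allow = ["203.0.113.0/24"]
    # A real client at 198.51.100.7 completed a handshake and received a token...
    tok = v.issue_new_token("198.51.100.7")
    # ...then replays it with 0-RTT from a spoofed, allow-listed source address.
    print(handle_initial(v, "203.0.113.5", tok, allow)[:2])  # ('retry', 'address_mismatch')
    print(handle_initial(v, "203.0.113.5", v.issue_new_token("203.0.113.5"), allow)[:2])
```

The MAC is verified before any field is parsed, so a forged token is treated exactly like no token at all, and the address comparison is what turns a replayed token into a Retry rather than a trusted 0-RTT session.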
In addition to these bug fixes, two improvements were added:
* QUIC crypto with EVP_AEAD was implemented: the QUIC crypto used the
EVP_CIPHER API to achieve authenticated encryption, which is the API used
with OpenSSL. In libraries inspired by BoringSSL (LibreSSL and AWS-LC),
the AEAD algorithms are implemented using the EVP_AEAD API. The
EVP_CIPHER calls made in the context of AEAD cryptography for QUIC are
now converted to EVP_AEAD. This was mainly done for AWS-LC but could be
useful for other libraries. It should finally allow CHACHA20_POLY1305 to
be used with AWS-LC.
* Some invalid Transfer-Encoding values are now accepted during H1
response parsing when the accept-invalid-http-response option is enabled,
even though RFC 9112 forbids them. With this option, multiple "chunked"
values are now accepted, as well as empty values. When several "chunked"
values are found, the payload is still considered as encoded only once,
and the header is sanitized before being sent to the client. Request
parsing was not changed: such values remain forbidden on the request
side, because it is highly suspicious for a client to send an invalid T-E
header. On the server side, the server can be considered trusted. But you
must still be careful with such behavior: the relaxation is opt-in and
only applies to responses, and the best option remains to fix the
application.
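The response-side relaxation described above, as an added example that is not HAProxy's parser (the function names, the choice to keep the first "chunked" when collapsing duplicates, and the treatment of an empty header as "no Transfer-Encoding" are this example's assumptions): strict RFC 9112 parsing on both sides, the relaxed mode for responses only, sanitization of the outgoing header, and a single de-chunking pass however many times "chunked" was listed.

```python
"""Transfer-Encoding handling for H1 messages, strict vs relaxed.

Constructed example, not HAProxy's parser. Coding names only (transfer
parameters are out of scope). The relaxed mode models the response-side
behaviour of accept-invalid-http-response: it tolerates empty list elements
and a repeated "chunked"; everything else is still rejected, and requests
are never relaxed because a client sending such a header is a desync suspect.
"""
import re

# RFC 9110 tchar: the characters allowed in a transfer-coding name
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InvalidTransferEncoding(ValueError):
    pass


def parse_transfer_encoding(value, *, side, relaxed=False):
    """Return the list of transfer codings (lower-cased) or raise.

    side    -- "request" or "response"; relaxation only applies to responses
    relaxed -- tolerate duplicated "chunked" and empty elements (responses only)
    An empty result means the header is to be ignored (relaxed mode only).
    """
    if side not in ("request", "response"):
        raise ValueError("side must be 'request' or 'response'")
    relaxed = relaxed and side == "response"
    codings = [c.strip().lower() for c in value.split(",")]

    if relaxed:
        codings = [c for c in codings if c]            # drop empty elements
        deduped = []
        for c in codings:                              # keep the first "chunked"
            if c == "chunked" and "chunked" in deduped:
                continue
            deduped.append(c)
        codings = deduped
        if not codings:
            return []                                  # assumption: empty T-E ignored

    # Strict RFC 9112 rules, applied in both modes
    if not codings or any(not c for c in codings):
        raise InvalidTransferEncoding("empty transfer-coding")
    for c in codings:
        if not TOKEN_RE.fullmatch(c):
            raise InvalidTransferEncoding("invalid transfer-coding %r" % c)
    if codings.count("chunked") > 1:
        raise InvalidTransferEncoding("chunked listed more than once")
    if "chunked" in codings and codings[-1] != "chunked":
        raise InvalidTransferEncoding("chunked must be the final coding")
    return codings


def te_is_rejected(value, side, relaxed=False):
    """True when the header would make the message be rejected."""
    try:
        parse_transfer_encoding(value, side=side, relaxed=relaxed)
    except InvalidTransferEncoding:
        return True
    return False


def sanitize_transfer_encoding(codings):
    """Header value to forward, or None when the header must be dropped."""
    return ", ".join(codings) if codings else None


def decode_chunked(body):
    """Minimal chunked decoder (trailers ignored); raises on malformed input."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2                                # skip data and its CRLF


def reframe_response(te_value, body, relaxed=False):
    """Parse a response's T-E header, de-chunk the payload exactly once and
    return the sanitized header value plus the decoded payload."""
    codings = parse_transfer_encoding(te_value, side="response", relaxed=relaxed)
    if "chunked" in codings:
        body = decode_chunked(body)   # once, however many times it was listed
    return sanitize_transfer_encoding(codings), body
```

Note that relaxed mode only removes the two tolerated defects and then re-runs the strict checks, so "chunked, gzip" (chunked not last) or a name with illegal characters is still rejected on the response side, and "chunked, chunked" from a client is rejected regardless of the flag.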
Thanks to everyone for your help!
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.9/src/
Git repository : https://git.haproxy.org/git/haproxy-2.9.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
Changelog : https://www.haproxy.org/download/2.9/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Amaury Denoyelle (3):
BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
BUG/MINOR: h3: properly reject too long header responses
Aurelien DARRAGON (4):
BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak
BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
Christopher Faulet (12):
BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
BUILD: mux-pt: Use the right name for the sedesc variable
BUG/MEDIUM: http-ana: Report error on write error waiting for the response
BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established
MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
BUG/MEDIUM: promex: Wait to have the request before sending the response
Frederic Lecaille (10):
MINOR: tools: Implement ipaddrcpy().
MINOR: quic: Implement quic_tls_derive_token_secret().
MINOR: quic: Token for future connections implementation.
BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder
MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct)
MINOR: quic: Implement qc_ssl_eary_data_accepted().
MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event.
BUG/MEDIUM: quic: always validate sender address on 0-RTT
BUG/MINOR: quic: Crash from trace dumping SSL eary data status (AWS-LC)
BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only)
Ilia Shipitsin (1):
BUG/MINOR: fcgi-app: handle a possible strdup() failure
Nathan Wehrman (1):
DOC: config: correct the table for option tcplog
Valentine Krasnobaeva (6):
BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
BUG/MINOR: proto_tcp: keep error msg if listen() fails
BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
BUG/MINOR: cfgparse-global: remove tune.fast-forward from common_kw_list
William Lallemand (4):
MINOR: channel: implement ci_insert() function
BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
REGTESTS: mcli: test the pipelined commands on master CLI
MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD
Willy Tarreau (17):
BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect
BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
BUG/MEDIUM: clock: also update the date offset on time jumps
DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
BUG/MEDIUM: clock: detect and cover jumps during execution
BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
BUG/MINOR: polling: fix time reporting when using busy polling
BUG/MINOR: clock: make time jump corrections a bit more accurate
BUG/MINOR: clock: validate that now_offset still applies to the current date
BUG/MEDIUM: queue: implement a flag to check for the dequeuing
BUG/MINOR: ssl_sock: fix xprt_set_used() to properly clear the TASK_F_USR1 bit
--
Christopher Faulet