Hi, HAProxy 2.9.11 was released on 2024/09/19. It added 58 new commits after version 2.9.10.
This release is pretty similar to the 3.0.5. Following bugs were fixed: * A temporary leak of sessions was fixed in the H1 multiplexer when the zero-copy data forwarding was inuse. When the H1 connection was about to be closed, the event was not properly handled in case of zero-copy data forwarding, leaving the connection in CLOSING state till the timeout was reached. This could be detected by an excess of connections in CLOSE_WAIT state. * HTTP applets (stats, cache and promex) were starting to process the request and reply without worrying about whether the request analysis was finished or not. In the vast majority of cases, it is not an issue because the request analysis is indeed finished in the same time the applet on server side is created. But if a filter delayed the request analysis, it might happens. In that case, some undefined and hardly predictable behaviors were able to be experienced, like responses sent too early or even crashes. Among others, the compression filter was pretty sensitive in this case because it is mandatory to filter the request before the response. To fix the issue, there is now a check in backend HTTP applets to wait for the end of the request analysis. * Several commits concerned the clock part to fix handling of time jumps. In case of large time jump, it was possible to no longer update the global time offset, leading to a wrong "date" value. Among other things, this could lead to wrong internal rates computation. By fixing the clock issues, a bug in the busy polling was revealed. The time and status passed to clock_update_local_date() was incorrect. * Some unhandled aborts were fixed in the H2 multiplexer. The end of message could be reported twice for tunneled streams, leaving the second one blocked at the channel level because of the first one. In additions, termination flags were not always properly propagated from the H2 stream to the stream-endpoint descriptor. Because of these both bugs, it was possible from time to time to block streams infinitely. * The zero-copy data forwarding in H1 was erroneously disabled when a tunnel was established because the response message was flagged to have no data. While such response has no HTTP payload, tunneled data are expected. * Write error on client side when HAProxy was waiting for the server response was not properly handled. The stream was not properly aborted as usual. It was not an issue if no filter was used. But with a filter, it was possible to infinitely block the stream because data could remain blocked in the response channel buffer. * Same kind of issue was fixed but at the H1/pass-though multiplexer level. The pipe used for the kernel splicing was not properly released on write error, preventing the stream to be released when a filter was used because the corresponding channel always appeared as non-empty. On write error, the pipe can be safely released because no more data can be sent. * The pipeline modes on the master CLI was broken since the 3.0-dev4. On older versions, this still works but a warning is emitted. When the pipeline modes was fixed to match the documentation (having a semi-colon between commands and a new-line at the end) for the worker CLI, we forgot to reflect the change to the master CLI. It is now fixed. * The fix concerning the session queuing in the 2.9.10 introduced a regression, leading to a infinite loop in assign_server_and_queue() because of a race condition between dequeuing and queuing mechanisms. The bug was mainly due to the fact that a trylock was used to dequeue a session when a server slot was released. A trylock was used to be sure no thread was waiting to dequeue sessions if another one was still doing it, because it is an expensive task. However, the trylock could also fail when a session is queued. So, to fix the bug, a flag is now used instead of a trylock. * Several bugs were fixed on QUIC: - A 0-RTT session may be opened with a spoofed IP address, trusted by HAProxy because of a previously established connection, by-passing this way IP allow/block list. The problem was reported by Michael Wedl. To mitigate this vulnerability, the NEW_TOKEN frame support was added so as to always be able to validate reachability of the client during 0-RTT. It allows to deliver an IP-based token to the client for use later, and if the address changes, then we can use a regular RETRY token. - It was possible to freeze a connection because of 0-RTT undeciphered content. - The MAX_STREAM ID value was not properly checked and it was possible to send too big value. It is now fixed. Thanks to this patch, this also ensure that the peer cannot open a stream with an invalid ID as this would cause a flow-control violation instead. - Too short datagram during packet building failures could lead to a crash. It was reported by Ilya when HAProxy was built against AWS-LC. - Some issues with the QUIC traces were fixed. * On H3, when a response is formatted to be sent to the client, the handling of responses with a too long header list was fixed to no longer abort the process but to return proper error. * Some bugs related to pattern expressions handling loaded from file were fixed. * Some updates for server's address and port could be missed because of a bug in the task responsible to handle these updates. This could happen with too many updates, when the task was interrupted. The next event to be processed when the interrupt occurred was lost. In addition, it was not released, leading to a memory leak. * When a listen() failed for TCP and Unix sockets, the file descriptor was not removed from the fdtab[] array, leading to a possible crash because of a BUG_ON() when this FD was reused. The FD is now properly removed from fdtab[] in that case. In addition to these bug fixes, two improvements were added: * QUIC crypto with EVP_AEAD was implemented: The QUIC crypto is using the EVP_CIPHER API in order to achieve authenticated encryption, this was the API which was used with OpenSSL. With libraries that inspires from BoringSSL (libreSSL and AWS-LC), the AEAD algorithms are implemented using the EVP_AEAD API. The call to the EVP_CIPHER API when called in the contex of AEAD cryptography for QUIC are now converted. This was mainly done for AWS-LC but this could be useful for other libraries. This should finally allow to use CHACHA20_POLY1305 with AWS-LC. * Some invalid Transfer-Encoding values are now accepted during the H1 response parsing when accept-invalid-http-response option is enabled, even if it is forbidden by the RFC-9112. So, now, with this option, multiple "chunked" values are accepted, as well as empty values. When several "chunked" values are found, the payload will still be considered as encoded once and the header will be sanitized when sent to the client. The request parsing was not changed. This remains forbidden because it is highly suspicious if a client is sending an invalid T-E header. On server side, we can consider the server as trusted. But you must still remain careful with such behavior. And, of course, the best is to fix the application. Thanks everyone for your help ! Please find the usual URLs below : Site index : https://www.haproxy.org/ Documentation : https://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : https://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Sources : https://www.haproxy.org/download/2.9/src/ Git repository : https://git.haproxy.org/git/haproxy-2.9.git/ Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git Changelog : https://www.haproxy.org/download/2.9/src/CHANGELOG Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest Pending bugs : https://www.haproxy.org/l/pending-bugs Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs Code reports : https://www.haproxy.org/l/code-reports Latest builds : https://www.haproxy.org/l/dev-packages --- Complete changelog : Amaury Denoyelle (3): BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID BUG/MINOR: h3: properly reject too long header responses Aurelien DARRAGON (4): BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg() BUG/MEDIUM: pattern: prevent UAF on reused pattern expr BUG/MINOR: cfgparse-listen: fix option httpslog override warning message Christopher Faulet (12): BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path BUILD: mux-pt: Use the right name for the sedesc variable BUG/MEDIUM: http-ana: Report error on write error waiting for the response BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options BUG/MEDIUM: cache/stats: Wait to have the request before sending the response BUG/MEDIUM: promex: Wait to have the request before sending the response Frederic Lecaille (10): MINOR: tools: Implement ipaddrcpy(). MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: quic: Token for future connections implementation. BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. BUG/MEDIUM: quic: always validate sender address on 0-RTT BUG/MINOR: quic: Crash from trace dumping SSL eary data status (AWS-LC) BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only) Ilia Shipitsin (1): BUG/MINOR: fcgi-app: handle a possible strdup() failure Nathan Wehrman (1): DOC: config: correct the table for option tcplog Valentine Krasnobaeva (6): BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails BUG/MINOR: proto_tcp: keep error msg if listen() fails BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity BUG/MINOR: pattern: pat_ref_set: return 0 if err was found BUG/MINOR: cfgparse-global: remove tune.fast-forward from common_kw_list William Lallemand (4): MINOR: channel: implement ci_insert() function BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI REGTESTS: mcli: test the pipelined commands on master CLI MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD Willy Tarreau (17): BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED() BUG/MINOR: trace: automatically start in waiting mode with "start <evt>" BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE BUG/MEDIUM: clock: also update the date offset on time jumps DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load BUG/MEDIUM: clock: detect and cover jumps during execution BUG/MINOR: pattern: do not leave a leading comma on "set" error messages BUG/MINOR: polling: fix time reporting when using busy polling BUG/MINOR: clock: make time jump corrections a bit more accurate BUG/MINOR: clock: validate that now_offset still applies to the current date BUG/MEDIUM: queue: implement a flag to check for the dequeuing BUG/MINOR: ssl_sock: fix xprt_set_used() to properly clear the TASK_F_USR1 bit -- Christopher Faulet