Hi,

HAProxy 2.8.11 was released on 2024/09/19. It added 90 new commits after version 2.8.10.

This release covers fixes shipped into the last four 2.9 releases (from 2.9.8 to 2.9.11). Here is the unordered list of issues fixed by 2.8.11:

* The SSL stack is now always completely initialized. Due to a change of API in 3.x the old call was deprecated and used to emit a warning, but it was later found to still be required in some cases. This has been cooking in 2.9 for 6 months now and is considered OK.

* A memory allocation error while loading OCSP parameters could leave the tree locked and freeze subsequent operations.

* The hard limit on the number of file descriptors now defaults to about 1 million, in order to match what has been done for a very long time on many distros, and that recently changed to 1 billion on some of them, causing a huge startup time (or even a watchdog at boot) and massive memory usage.

* The memory cleanup of the proxy fields on deinit was improved (some leaks were present till now, as well as in 2.9 till 2.9.8).

* A bug in the bwlim filter could make it forget to update its timeout and loop fast when woken up with nothing to forward.

* A crash could happen in mux-pt if an error happened on the connection just before an abort that is going to emit a shutdown, with a pending wakeup that completes some work on a connection having no transport layer anymore. This only affects TCP (e.g. peers and master CLI; GH #2656).

* The "show threads" command would crash if issued with less than 16 threads (due to an area shared for two different things, it would start to dump threads from the 17th).

* The SSL library functions used to validate a JWT token would leave an error in the SSL stack that would later be mistaken for an error on another connection and cause it to be closed. The "jwt_verify" converter was also fixed when called with an HMAC algorithm (HS256, HS384, HS512). In that case, the converter must not try to load a file because the key should hold a secret. It is especially important for runtime uses, like Lua for instance. But note that for dynamic calls this remains an issue for other algorithms, because there is nothing to prevent disk I/O.

* A time-of-check/time-of-use (TOCTOU) issue in the queue processing made it rare but possible to leave a server with no connection yet not taking any traffic. It's more likely to happen with maxconn 1, very hard at 2 and almost impossible at 3 or above. In addition, a flag is now used to make sure only one thread dequeues sessions at a time instead of relying on a trylock to do so. No 2.8 release was affected by this, but later versions were buggy because of the TOCTOU fix.

* Empty transfer-encoding headers in H1 are now properly blocked since they may be used to try to build an attack against vulnerable implementations. However, this will be slightly relaxed on the response side in the next release. Parsing of multiple "chunked" values will also be relaxed.

* The H1 multiplexer could repeat a 408 error multiple times in logs when failing to send an empty message on a full output buffer. In this case, it would attempt to close again at every client timeout and produce a log each time despite no data leaving.

* An issue in SPOE could cause a thread to refrain from creating an applet to connect outside, causing failures on requests processed on this thread.

* A hang on Lua CLI applets when trying to deal with their own buffers.

* It was possible to crash the process when performing an implicit protocol upgrade (TCP to HTTP due to a transition from a TCP frontend to an HTTP backend) if an error happened on the connection just before the transition.

* A temporary leak of sessions was fixed in the H1 multiplexer when zero-copy data forwarding was in use. When the H1 connection was about to be closed, the event was not properly handled in case of zero-copy data forwarding, leaving the connection in CLOSING state till the timeout was reached. This could be detected by an excess of connections in CLOSE_WAIT state.
* HTTP applets (stats, cache and promex) were starting to process the request and reply without checking whether the request analysis was finished or not. In the vast majority of cases, it is not an issue because the request analysis is indeed finished at the same time the applet on the server side is created. But if a filter delayed the request analysis, it might happen. In that case, some undefined and hardly predictable behaviors could be experienced, like responses sent too early or even crashes. Among others, the compression filter was pretty sensitive in this case because it is mandatory to filter the request before the response. To fix the issue, there is now a check in backend HTTP applets to wait for the end of the request analysis.

* Several commits concerned the clock part to fix the handling of time jumps. In case of a large time jump, it was possible to no longer update the global time offset, leading to a wrong "date" value. Among other things, this could lead to wrong internal rates computation. Fixing the clock issues revealed a bug in busy polling: the time and status passed to clock_update_local_date() were incorrect.

* Some unhandled aborts were fixed in the H2 multiplexer. The end of message could be reported twice for tunneled streams, leaving the second one blocked at the channel level because of the first one. In addition, termination flags were not always properly propagated from the H2 stream to the stream-endpoint descriptor. Because of both bugs, it was possible from time to time to block streams infinitely.

* A write error on the client side while HAProxy was waiting for the server response was not properly handled: the stream was not aborted as usual. It was not an issue if no filter was used. But with a filter, it was possible to block the stream infinitely because data could remain blocked in the response channel buffer.

* The same kind of issue was fixed at the H1/pass-through multiplexer level. The pipe used for kernel splicing was not properly released on write error, preventing the stream from being released when a filter was used because the corresponding channel always appeared as non-empty. On write error, the pipe can be safely released because no more data can be sent.

* The pipelined modes on the master CLI were broken since 3.0-dev4. On older versions, this still works but a warning is emitted. When the pipelined modes were fixed to match the documentation (having a semi-colon between commands and a new-line at the end) for the worker CLI, we forgot to reflect the change to the master CLI. It is now fixed.

* Several bugs were fixed on QUIC:
  - An incorrect computation was performed when encoding a STREAM frame in a single packet, leading to datagrams smaller than expected and thus suboptimal bandwidth usage.
  - A few assorted minor fixes (possible crash on resource allocation error, slight loss of precision in Cubic parameters calculations, etc).
  - It was possible to freeze a connection because of 0-RTT undeciphered content.
  - The MAX_STREAM ID value was not properly checked and it was possible to send too big a value. It is now fixed. Thanks to this patch, this also ensures that the peer cannot open a stream with an invalid ID, as this would cause a flow-control violation instead.
  - Some issues with the QUIC traces were fixed.
  - A rare but possible deadlock (and crash) in QUIC after a recent fix for a race condition in the CID tree, that also went into 2.9.9.
  - An unreproduced race condition affecting the QUIC CID tree. The impact might be a possible crash but it was only found in code review and never reported nor reproduced.

* On H3, when a response is formatted to be sent to the client, the handling of responses with a too long header list was fixed to no longer abort the process but to return a proper error. In addition, the syntax checks on the :method and :scheme H3 headers were insufficient. This was fixed too.
  Finally, there was a possible crash when a STOP_SENDING frame was received after a GOAWAY emission if it was the first frame for the stream.

* Some bugs related to the handling of pattern expressions loaded from files were fixed.

* When a listen() failed for TCP and Unix sockets, the file descriptor was not removed from the fdtab[] array, leading to a possible crash because of a BUG_ON() when this FD was reused. The FD is now properly removed from fdtab[] in that case.

* L4/L5 rules defined in a default section were not evaluated at all.

* Descriptions of the command line options -dR and -dV were missing in the management documentation. It is now fixed. Documentation about the "show stat" CLI command was also updated to reflect the renaming of "dns" counters to "resolvers". More details about the master-worker mode were added in the configuration manual, and the "maxconn" description was improved, as well as the info about the http-keep-alive timeout and other timeouts.

Thanks everyone for your help!

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (14):
      BUG/MINOR: quic: fix computed length of emitted STREAM frames
      SCRIPTS: git-show-backports: do not truncate git-show output
      BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
      BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
      BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
      BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
      BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
      BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
      BUG/MINOR: quic: fix race condition in qc_check_dcid()
      BUG/MINOR: quic: fix race-condition on trace for CID retrieval
      BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
      BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
      BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
      BUG/MINOR: h3: properly reject too long header responses

Aurelien DARRAGON (12):
      BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
      BUG/MINOR: proxy: fix log_tag leak on deinit()
      BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
      BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
      BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
      BUG/MINOR: proxy: fix header_unique_id leak on deinit()
      DOC: management: rename show stats domain cli "dns" to "resolvers"
      DOC: api/event_hdl: small updates, fix an example and add some precisions
      BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
      BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
      BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
      BUG/MINOR: cfgparse-listen: fix option httpslog override warning message

Christopher Faulet (21):
      BUG/MINOR: h1: Fail to parse empty transfer coding names
      BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
      BUG/MEDIUM: h1: Reject empty Transfer-encoding header
      BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
      BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
      BUG/MINOR: session: Eval L4/L5 rules defined in the default section
      BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
      BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
      BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
      BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
      BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
      BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
      BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
      BUG/MEDIUM: http-ana: Report error on write error waiting for the response
      BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
      BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
      BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
      BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full
      BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
      BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
      BUG/MEDIUM: promex: Wait to have the request before sending the response

Frederic Lecaille (1):
      BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)

Ilia Shipitsin (1):
      BUG/MINOR: fcgi-app: handle a possible strdup() failure

Nathan Wehrman (1):
      DOC: config: correct the table for option tcplog

Valentine Krasnobaeva (10):
      DOC/MINOR: management: add missed -dR and -dv options
      DOC: configuration: update maxconn description
      BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
      MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
      BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
      BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
      BUG/MINOR: proto_tcp: keep error msg if listen() fails
      BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
      BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
      BUG/MINOR: pattern: pat_ref_set: return 0 if err was found

William Lallemand (9):
      DOC: configuration: fix alphabetical order of bind options
      DOC: configuration: more details about the master-worker mode
      MEDIUM: ssl: initialize the SSL stack explicitely
      BUG/MINOR: jwt: don't try to load files with HMAC algorithm
      BUG/MINOR: jwt: fix variable initialisation
      DOC: configuration: issuers-chain-path not compatible with OCSP
      MINOR: channel: implement ci_insert() function
      BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
      REGTESTS: mcli: test the pipelined commands on master CLI

Willy Tarreau (21):
      MINOR: activity: make the memory profiling hash size configurable at build time
      BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
      BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
      DOC: config: improve the http-keep-alive section
      MINOR: queue: add a function to check for TOCTOU after queueing
      BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
      BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
      BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
      BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
      BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
      BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
      BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
      BUG/MEDIUM: clock: also update the date offset on time jumps
      BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
      DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
      REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
      BUG/MEDIUM: clock: detect and cover jumps during execution
      BUG/MINOR: polling: fix time reporting when using busy polling
      BUG/MINOR: clock: make time jump corrections a bit more accurate
      BUG/MINOR: clock: validate that now_offset still applies to the current date
      BUG/MEDIUM: queue: implement a flag to check for the dequeuing

-- 
Christopher Faulet
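The Transfer-Encoding item above (the three "h1:" commits rejecting an empty header, an empty coding name and an empty last value) describes a parsing rule rather than showing it. The following is an added example, written for this page and not taken from HAProxy's own H1 parser: a strict request-side check that rejects the same malformed shapes, plus the RFC 9112 rule that "chunked" must be the final coding in a request. The duplicate-"chunked" rejection mirrors what the announcement says 2.8.11 does today and will relax later; the function names and the sample header values are constructed for the demo.

```python
import re

# RFC 9110 "token" characters: a transfer-coding name must be a non-empty token.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_transfer_codings(field_values):
    """Split one or more Transfer-Encoding field values into coding names.

    Each element of ``field_values`` is the value of one Transfer-Encoding
    header line (itself a comma-separated list). Returns the ordered list of
    lowercase coding names, or raises ValueError with the reason a strict H1
    parser would use to reject the message.
    """
    codings = []
    for value in field_values:
        if value.strip() == "":
            # "Transfer-Encoding:" with nothing behind it
            raise ValueError("empty Transfer-Encoding header")
        for element in value.split(","):
            # Parameters (";k=v") may follow the name; only the name is validated here.
            name = element.split(";", 1)[0].strip()
            if name == "":
                # Covers "chunked, " (empty last value) and ", chunked" alike
                raise ValueError("empty transfer coding name")
            if not TCHAR.match(name):
                raise ValueError(f"invalid transfer coding name {name!r}")
            codings.append(name.lower())
    return codings


def check_request_transfer_encoding(field_values):
    """Return (accepted, reason) for the Transfer-Encoding of an H1 request.

    ``field_values`` is the list of all Transfer-Encoding header values seen
    in the request; an empty list means the header is absent.
    """
    if not field_values:
        return (True, "no Transfer-Encoding header")
    try:
        codings = parse_transfer_codings(field_values)
    except ValueError as exc:
        return (False, str(exc))
    if codings.count("chunked") > 1:
        # 2.8.11 rejects a repeated "chunked"; the announcement says this will be relaxed.
        return (False, "chunked listed more than once")
    if codings[-1] != "chunked":
        # RFC 9112 section 6.1: a request with Transfer-Encoding must end with chunked,
        # otherwise the body length is ambiguous and the server must answer 400.
        return (False, "chunked is not the final transfer coding")
    return (True, "ok")


# Constructed sample header values (not captured traffic) and what the check decides.
SAMPLES = [
    ["chunked"],            # accepted
    [""],                   # empty header
    ["chunked, "],          # empty last value
    [", chunked"],          # empty first value
    ["gzip, chunked"],      # accepted
    ["chunked, gzip"],      # chunked not last
    ["chunked", "chunked"], # two header lines, both chunked
    ["gz ip, chunked"],     # not a token
]

if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, reason = check_request_transfer_encoding(sample)
        print(f"{sample!r:28} -> {'accept' if accepted else 'reject'}: {reason}")
```

Running the block prints one verdict per constructed sample; the first and fifth are accepted and the others are rejected with the reason a server would log before answering 400.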
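The "jwt_verify" item above makes a design point that is easy to get wrong: for HS256/HS384/HS512 the key argument is the secret itself, so verification must never reach for the filesystem, whereas the asymmetric algorithms take a path to a public key. The following is an added example, written for this page and not HAProxy's converter implementation: a small verifier that decides the key source from the configured algorithm without any disk access for HMAC, checks the token header against the configured algorithm, and compares signatures in constant time. The hs_sign helper, the secret, the claims and the numeric return convention (1 success, 0 verification failure, negative for other errors) are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# HMAC JWT algorithms (JWA names) and their hash functions.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
# Algorithms whose key argument names a public-key file on disk; not verified in this demo.
FILE_KEY_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_source(alg: str, key: str):
    """Decide where the verification key comes from, without touching the disk.

    For HS* the key argument *is* the secret. For the asymmetric algorithms it
    is a path that a real verifier would have to read, i.e. disk I/O at call
    time, which is what the announcement warns about for dynamic (Lua) calls.
    """
    if alg in HMAC_ALGS:
        return ("secret", key.encode("utf-8"))
    if alg in FILE_KEY_ALGS:
        return ("file", key)
    raise ValueError(f"unmanaged algorithm {alg!r}")


def hs_sign(alg: str, secret: str, claims: dict) -> str:
    """Constructed helper that mints an HMAC-signed token for the demo."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode("utf-8"), f"{header}.{payload}".encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def jwt_verify(alg: str, key: str, token: str) -> int:
    """Verify an HMAC-signed token against the configured algorithm and key.

    Returns 1 on success, 0 on verification failure, -1 for an unmanaged
    algorithm, -2 for an algorithm this demo does not implement, -3 for a
    malformed token (a demo convention, not HAProxy's return codes).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return -3
    try:
        header = json.loads(b64url_decode(parts[0]))
        provided = b64url_decode(parts[2])
    except ValueError:
        return -3
    # The token's "alg" never selects the key; a mismatch with the configured
    # algorithm is simply a verification failure.
    if not isinstance(header, dict) or header.get("alg") != alg:
        return 0
    try:
        kind, material = key_source(alg, key)
    except ValueError:
        return -1
    if kind != "secret":
        return -2  # asymmetric verification is out of scope for this demo
    expected = hmac.new(material, f"{parts[0]}.{parts[1]}".encode("ascii"), HMAC_ALGS[alg]).digest()
    # Constant-time comparison so a partial match does not leak through timing.
    return 1 if hmac.compare_digest(expected, provided) else 0


if __name__ == "__main__":
    secret = "constructed-demo-secret"  # stands in for the jwt_verify key argument
    token = hs_sign("HS256", secret, {"sub": "alice"})
    print("valid token      ->", jwt_verify("HS256", secret, token))
    print("wrong secret     ->", jwt_verify("HS256", "other-secret", token))
    print("alg mismatch     ->", jwt_verify("HS512", secret, token))
    print("RS256 key source ->", key_source("RS256", "/path/to/public.pem"))
```

Note that key_source classifies the RS*/ES*/PS* case as a file path without opening it, which is exactly the step where a runtime caller would otherwise incur disk I/O on every request.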