Hi,

HAProxy 2.8.11 was released on 2024/09/19. It added 90 new commits
after version 2.8.10.

This release covers fixes shipped into the last four 2.9 releases (from
2.9.8 to 2.9.11). Here is the unordered list of issues fixed by 2.8.11:

  * The SSL stack is now always completely initialized. Due to a change of
    API in 3.x the old call was deprecated and used to emit a warning, but
    it was later found to still be required in some cases.  This has been
    cooking in 2.9 for 6 months now and is considered OK.

  * A memory allocation error while loading OCSP parameters could leave the
    tree locked and freeze subsequent operations.

  * The hard limit on the number of file descriptors now defaults to about 1
    million, in order to match what has been done for a very long time on
    many distros, and that recently changed to 1 billion on some of them,
    causing a huge startup time (or even a watchdog at boot) and a massive
    memory usage.

  * The memory cleanup on the proxy fields on deinit was improved (some
    leaks were present till now as well as in 2.9 till 2.9.8).

  * A bug in the bwlim filter that can make it forget to update its timeout
    and loop fast when woken up with nothing to forward.

  * A crash could happen in mux-pt if an error happened on the connection
    just before an abort that is going to emit a shutdown, and with a
    pending wakeup that completes some work on a connection having no
    transport layer anymore. This only affects TCP (e.g. peers and master
    CLI; GH #2656).

  * The "show threads" command would crash if issued with less than 16
    threads (due to an area shared for two different things it would start
    to dump threads from the 17th).

  * The SSL library functions used to validate a JWT token would leave an
    error in the SSL stack, that will later be mistaken for an error on
    another connection and cause it to be closed. "jwt_verify" converter was
    fixed when called with a HMAC algorithm (HS256, HS384, HS512). In that
    case, the converter must not try to load a file because the key should
    hold a secret. It is especially important for runtime uses, like lua for
    instance. But note, for dynamic calls, this remains an issue for other
    algorithms because there is nothing to prevent disk I/O.

  * A time-of-check/time-of-use (TOCTOU) issue in the queue processing makes
    it rare but possible to leave a server with no connection yet not take
    any traffic. It's more likely to happen with maxconn 1, very hard at 2
    and almost impossible at 3 or above. In addition, a flag is now used to
    be sure only one thread is dequeuing sessions at once instead of relying
    on a trylock to do so. No 2.8 release was affected, but upper versions
    were buggy because of the TOCTOU fix.

  * Empty transfer-encoding headers in H1 are now properly blocked since
    they may be used to try to build an attack against vulnerable
    implementations.  However, this will be slightly relaxed on the response
    side in the next release. Parsing of multiple "chunked" values will also
    be relaxed.

  * H1 multiplexer could repeat a 408 error multiple times in logs when
    failing to send an empty message on a full output buffer. In this case,
    it would attempt to close again every client timeout and produce a log
    each time despite no data leaving.

  * An issue in SPOE that can cause a thread to refrain from creating an
    applet to connect outside, causing failures on requests processed on
    this thread.

  * A hang on lua CLI applets when trying to deal with their own buffers.

  * It was possible to crash the process when performing an implicit
    protocol upgrade (TCP to HTTP due to a transition from a TCP front to an
    HTTP back) if an error happened on the connection just before the
    transition.

  * A temporary leak of sessions was fixed in the H1 multiplexer when the
    zero-copy data forwarding was in use. When the H1 connection was about to
    be closed, the event was not properly handled in case of zero-copy data
    forwarding, leaving the connection in CLOSING state till the timeout was
    reached. This could be detected by an excess of connections in
    CLOSE_WAIT state.

  * HTTP applets (stats, cache and promex) were starting to process the
    request and reply without worrying about whether the request analysis
    was finished or not. In the vast majority of cases, it is not an issue
    because the request analysis is indeed finished at the same time the
    applet on server side is created. But if a filter delayed the request
    analysis, it might happen. In that case, some undefined and hardly
    predictable behaviors were able to be experienced, like responses sent
    too early or even crashes. Among others, the compression filter was
    pretty sensitive in this case because it is mandatory to filter the
    request before the response. To fix the issue, there is now a check in
    backend HTTP applets to wait for the end of the request analysis.

  * Several commits concerned the clock part to fix handling of time
    jumps. In case of a large time jump, it was possible to no longer update
    the global time offset, leading to a wrong "date" value. Among other
    things, this could lead to wrong internal rates computation. By fixing
    the clock issues, a bug in the busy polling was revealed. The time and
    status passed to clock_update_local_date() were incorrect.

  * Some unhandled aborts were fixed in the H2 multiplexer. The end of
    message could be reported twice for tunneled streams, leaving the second
    one blocked at the channel level because of the first one. In addition,
    termination flags were not always properly propagated from the H2 stream
    to the stream-endpoint descriptor. Because of both these bugs, it was
    possible from time to time to block streams infinitely.

  * Write error on client side when HAProxy was waiting for the server
    response was not properly handled. The stream was not properly aborted
    as usual. It was not an issue if no filter was used. But with a filter,
    it was possible to infinitely block the stream because data could
    remain blocked in the response channel buffer.

  * Same kind of issue was fixed but at the H1/pass-through multiplexer
    level. The pipe used for the kernel splicing was not properly released
    on write error, preventing the stream from being released when a filter
    was used because the corresponding channel always appeared as non-empty. On
    write error, the pipe can be safely released because no more data can be
    sent.

  * The pipeline modes on the master CLI were broken since the 3.0-dev4. On
    older versions, this still works but a warning is emitted. When the
    pipeline modes were fixed to match the documentation (having a semi-colon
    between commands and a new-line at the end) for the worker CLI, we
    forgot to reflect the change to the master CLI. It is now fixed.

  * Several bugs were fixed on QUIC:

    - An incorrect computation was performed when encoding a STREAM frame in
      a single packet leading to datagrams smaller than expected, which is
      suboptimal for bandwidth.

    - A few assorted minor fixes (possible crash on resource allocation
      error, slight loss of precision in Cubic parameters calculations etc).

    - It was possible to freeze a connection because of 0-RTT undeciphered
      content.

    - The MAX_STREAM ID value was not properly checked and it was possible
      to send a too big value. It is now fixed. Thanks to this patch, this
      also ensures that the peer cannot open a stream with an invalid ID as
      this would cause a flow-control violation instead.

    - Some issues with the QUIC traces were fixed.

    - A rare but possible deadlock (and crash) in QUIC after a recent fix
      for a race condition in the CID tree, that also went into 2.9.9.

    - An unreproduced race condition affecting the QUIC CID tree. The impact
      might be a possible crash but it was only found in code review and
      never reported nor reproduced.

  * On H3, when a response is formatted to be sent to the client, the
    handling of responses with a too long header list was fixed to no longer
    abort the process but to return a proper error. In addition, the syntax
    checks on :method and :scheme H3 headers were insufficient. This was
    fixed too. Finally, there was a possible crash when a STOP_SENDING frame
    was received after a GOAWAY emission if it was the first frame for the
    stream.

  * Some bugs related to pattern expressions handling loaded from file were
    fixed.

  * When a listen() failed for TCP and Unix sockets, the file descriptor was
    not removed from the fdtab[] array, leading to a possible crash because
    of a BUG_ON() when this FD was reused. The FD is now properly removed
    from fdtab[] in that case.

  * L4/L5 rules defined in a default section were not evaluated at all.

  * Descriptions of the command line options -dR and -dV were missing in the
    management documentation. It is now fixed. Documentation about "show
    stat" CLI command was also updated to reflect the renaming of "dns"
    counters to "resolvers". More details about the master-worker were added
    in the configuration manual and the "maxconn" description was improved,
    as well as info about http-keep-alive timeout and other timeouts.

Thanks everyone for your help!

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Amaury Denoyelle (14):
      BUG/MINOR: quic: fix computed length of emitted STREAM frames
      SCRIPTS: git-show-backports: do not truncate git-show output
      BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
      BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
      BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
      BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
      BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
      BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
      BUG/MINOR: quic: fix race condition in qc_check_dcid()
      BUG/MINOR: quic: fix race-condition on trace for CID retrieval
      BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
      BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
      BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
      BUG/MINOR: h3: properly reject too long header responses

Aurelien DARRAGON (12):
      BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
      BUG/MINOR: proxy: fix log_tag leak on deinit()
      BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
      BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
      BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
      BUG/MINOR: proxy: fix header_unique_id leak on deinit()
      DOC: management: rename show stats domain cli "dns" to "resolvers"
      DOC: api/event_hdl: small updates, fix an example and add some precisions
      BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
      BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
      BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
      BUG/MINOR: cfgparse-listen: fix option httpslog override warning message

Christopher Faulet (21):
      BUG/MINOR: h1: Fail to parse empty transfer coding names
      BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
      BUG/MEDIUM: h1: Reject empty Transfer-encoding header
      BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
      BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
      BUG/MINOR: session: Eval L4/L5 rules defined in the default section
      BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
      BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
      BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
      BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
      BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
      BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
      BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
      BUG/MEDIUM: http-ana: Report error on write error waiting for the response
      BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
      BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
      BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
      BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full
      BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
      BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
      BUG/MEDIUM: promex: Wait to have the request before sending the response

Frederic Lecaille (1):
      BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)

Ilia Shipitsin (1):
      BUG/MINOR: fcgi-app: handle a possible strdup() failure

Nathan Wehrman (1):
      DOC: config: correct the table for option tcplog

Valentine Krasnobaeva (10):
      DOC/MINOR: management: add missed -dR and -dv options
      DOC: configuration: update maxconn description
      BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
      MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
      BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
      BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
      BUG/MINOR: proto_tcp: keep error msg if listen() fails
      BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
      BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
      BUG/MINOR: pattern: pat_ref_set: return 0 if err was found

William Lallemand (9):
      DOC: configuration: fix alphabetical order of bind options
      DOC: configuration: more details about the master-worker mode
      MEDIUM: ssl: initialize the SSL stack explicitely
      BUG/MINOR: jwt: don't try to load files with HMAC algorithm
      BUG/MINOR: jwt: fix variable initialisation
      DOC: configuration: issuers-chain-path not compatible with OCSP
      MINOR: channel: implement ci_insert() function
      BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
      REGTESTS: mcli: test the pipelined commands on master CLI

Willy Tarreau (21):
      MINOR: activity: make the memory profiling hash size configurable at build time
      BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
      BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
      DOC: config: improve the http-keep-alive section
      MINOR: queue: add a function to check for TOCTOU after queueing
      BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
      BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
      BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
      BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
      BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
      BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
      BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
      BUG/MEDIUM: clock: also update the date offset on time jumps
      BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
      DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
      REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
      BUG/MEDIUM: clock: detect and cover jumps during execution
      BUG/MINOR: polling: fix time reporting when using busy polling
      BUG/MINOR: clock: make time jump corrections a bit more accurate
      BUG/MINOR: clock: validate that now_offset still applies to the current date
      BUG/MEDIUM: queue: implement a flag to check for the dequeuing

--
Christopher Faulet
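
Added example, not part of the original announcement and not HAProxy's code: a strict request-side check of a Transfer-Encoding value that rejects an empty header and empty coding names, the cases named in the H1 item above. The function and enum names are hypothetical, and the "chunked" placement rules are an assumption taken from RFC 9112.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result codes; names are hypothetical, chosen for this example. */
enum te_result { TE_OK, TE_EMPTY_HEADER, TE_EMPTY_CODING, TE_BAD_TOKEN,
                 TE_CHUNKED_TWICE, TE_CHUNKED_NOT_LAST };

/* RFC 9110 "tchar": the characters allowed in a token. */
static int is_tchar(unsigned char c)
{
    return isalnum(c) || (c && strchr("!#$%&'*+-.^_`|~", c));
}

/* Validate a request's Transfer-Encoding field value. Coding parameters
 * (";name=value") are not supported here and are reported as TE_BAD_TOKEN. */
enum te_result te_check(const char *p)
{
    int codings = 0, chunked_seen = 0, is_chunked;
    const char *start, *end, *c;
    for (;; p++) {                               /* p++ steps over the comma */
        while (*p == ' ' || *p == '\t')          /* skip leading OWS */
            p++;
        for (start = p; *p && *p != ','; p++)    /* find the end of the element */
            ;
        for (end = p; end > start && (end[-1] == ' ' || end[-1] == '\t'); end--)
            ;                                    /* trim trailing OWS */
        if (end == start)                        /* nothing in this element */
            return (!*p && !codings) ? TE_EMPTY_HEADER : TE_EMPTY_CODING;
        for (c = start; c < end; c++)
            if (!is_tchar((unsigned char)*c))
                return TE_BAD_TOKEN;
        is_chunked = (end - start == 7 && !strncasecmp(start, "chunked", 7));
        if (chunked_seen)                        /* something follows "chunked" */
            return is_chunked ? TE_CHUNKED_TWICE : TE_CHUNKED_NOT_LAST;
        chunked_seen = is_chunked;
        codings++;
        if (!*p) break;                          /* end of the field value */
    }
    return chunked_seen ? TE_OK : TE_CHUNKED_NOT_LAST;
}

int main(void)
{
    const char *v[] = { "chunked", "gzip, chunked", "", "chunked,", "gzip,,chunked" };
    for (size_t i = 0; i < sizeof(v) / sizeof(*v); i++) /* constructed samples */
        printf("\"%s\" -> %d\n", v[i], te_check(v[i]));
    return 0;
}
```

A non-zero result corresponds to a request that a strict front end would refuse with a 400 rather than forward.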

