Hi,

HAProxy 2.8.12 was released on 2024/11/08. It added 30 new commits
after version 2.8.11.

This release is quite small. It is emitted to flush the pipe and to remain
aligned with the other versions. The following bugs were fixed:

  * During OCSP update, an issue with the reference counting caused some
    certificates to reference a just-freed OCSP response.

  * Crashes may be experienced with "update ssl ocsp-response" CLI command
    because of concurrent accesses to the OCSP response by the main OCSP
    update task.

  * It was possible to experience a deadlock when setting the maxconn of a
    frontend on the CLI, because the proxy lock was taken twice.

  * It was possible to reuse HTTP connections for requests to different
    endpoints because some address families were not properly handled. The
    issue was encountered with the HTTP client and UNIX socket combination.

  * A crash could happen in mux-pt if an error happened on the connection
    just before an abort that is going to emit a shutdown, and with a
    pending wakeup that completes some work on a connection having no
    transport layer anymore. This only affects TCP (e.g. peers and master
    CLI; GH #2656).

  * At the stream-connector level, data blocked by an error on the sending
    path was not always properly detected, leaving streams blocked without
    any timeout armed.

  * On the QUIC side, a stream could be erroneously closed with an empty frame
    with the FIN bit set instead of a RESET_STREAM frame when no data was sent
    at all; and the server timeout was never armed for small requests that
    were fully received when the stream was created.

  * A server abort was reported on an invalid HTTP response payload instead
    of an internal error. And it was also possible to report a client abort
    instead of a server abort during the HTTP response forwarding. The right
    termination states are now reported in both cases.

  * The "set ssl cert" CLI command was not properly checking the transaction
    name. That could lead to accidentally committing a transaction on the
    wrong certificate.

  * A memory leak was possible if a failure was encountered when a dynamic
    server was added with the check or agent-check options. In that case, the
    server could not be released because its refcount was incremented too
    early. In addition, access to the global server list during a dynamic
    server deletion was not protected against concurrent accesses. In the
    long term, this could cause list corruption and crashes.

In addition to these bug fixes, two improvements were added:

  * Some invalid Transfer-Encoding values are now accepted during the H1
    response parsing when the accept-invalid-http-response option is enabled,
    even though they are forbidden by RFC 9112. So, now, with this option,
    multiple "chunked" values are accepted, as well as empty values. When
    several "chunked" values are found, the payload is still considered as
    encoded only once and the header is sanitized when sent to the client.
    The request parsing was not changed: it remains forbidden there because
    a client sending an invalid T-E header is highly suspicious. On the
    server side, the server can be considered as trusted. But you must still
    remain careful with such behavior. And, of course, the best option is to
    fix the application.

  * Memory profiling was also improved. Some entries were displayed with a
    NULL return address, causing confusion. Now, undecodable stacks causing
    an apparent NULL return address all lead to the "other" bin.
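To make the relaxing rule above concrete, here is a small model of the response-side Transfer-Encoding handling as described in this announcement. This is an added example written for this page, not HAProxy's own parser: it tolerates duplicate "chunked" and empty list elements only when `accept_invalid` is set (the model of `option accept-invalid-http-response`), de-chunks the payload exactly once, rewrites the header to a single sanitized value, and rejects the same input in strict mode, which is also what the unchanged request-side parsing does. The response bytes, the token grammar check and the function names are constructed for the illustration.

```python
"""Model of the relaxed Transfer-Encoding rule for H1 responses.

Added example, not HAProxy code. accept_invalid=True mirrors
'option accept-invalid-http-response'; accept_invalid=False mirrors the
strict RFC 9112 behaviour that still applies to requests.
"""
import re
from typing import List, Optional, Tuple

# RFC 9110 'token' characters (tchar); used to reject garbage elements.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


class InvalidTransferEncoding(ValueError):
    """Raised when the header would be rejected (HTTP 502 in a proxy)."""


def parse_transfer_encoding(value: str, accept_invalid: bool) -> List[str]:
    """Return the effective list of transfer codings.

    Strict mode: every element must be a non-empty token and "chunked" may
    appear only once, as the final coding. Relaxed mode drops empty
    elements and collapses repeated "chunked" into a single one, so the
    body is de-chunked once, never twice.
    """
    codings: List[str] = []
    for elem in (v.strip().lower() for v in value.split(",")):
        if elem == "":
            if not accept_invalid:
                raise InvalidTransferEncoding("empty transfer-coding element")
            continue  # tolerated: empty element is simply dropped
        if not _TOKEN.fullmatch(elem):
            raise InvalidTransferEncoding(f"invalid token {elem!r}")
        if elem == "chunked" and "chunked" in codings:
            if not accept_invalid:
                raise InvalidTransferEncoding('duplicate "chunked"')
            continue  # tolerated: payload is still chunked only once
        codings.append(elem)
    if not codings:
        raise InvalidTransferEncoding("no transfer-coding at all")
    if "chunked" in codings and codings[-1] != "chunked":
        raise InvalidTransferEncoding('"chunked" must be the final coding')
    return codings


def decode_chunked(body: bytes) -> bytes:
    """Decode one layer of chunked framing (chunk-size[;ext] CRLF data CRLF)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # skip optional trailer fields up to the terminating empty line
            while body[pos:pos + 2] != b"\r\n":
                pos = body.index(b"\r\n", pos) + 2
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def process_response(raw: bytes, accept_invalid: bool) -> Tuple[Optional[str], bytes]:
    """Parse a raw H1 response; return (sanitized T-E header value, body).

    The returned header value is what would be forwarded to the client; the
    body is de-chunked exactly once if "chunked" is the final coding.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    header_lines = head.decode("ascii").split("\r\n")[1:]
    te_values = [line.split(":", 1)[1] for line in header_lines
                 if line.lower().startswith("transfer-encoding:")]
    if not te_values:
        return None, body
    # several Transfer-Encoding lines are equivalent to one comma-joined list
    codings = parse_transfer_encoding(",".join(te_values), accept_invalid)
    if codings[-1] == "chunked":
        body = decode_chunked(body)
    return ", ".join(codings), body


# Constructed sample responses (not real traffic); body is "hello" chunked once.
_CHUNKED_BODY = b"5\r\nhello\r\n0\r\n\r\n"
VALID_RESPONSE = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + _CHUNKED_BODY
DUP_CHUNKED_RESPONSE = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked, chunked\r\n\r\n" + _CHUNKED_BODY
EMPTY_ELEMENT_RESPONSE = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked,\r\n\r\n" + _CHUNKED_BODY

if __name__ == "__main__":
    print(process_response(DUP_CHUNKED_RESPONSE, accept_invalid=True))  # ('chunked', b'hello')
    try:
        process_response(DUP_CHUNKED_RESPONSE, accept_invalid=False)
    except InvalidTransferEncoding as exc:
        print("strict mode rejected:", exc)
```

The point worth keeping in mind when enabling `option accept-invalid-http-response` in a backend or defaults section is the last sentence of the announcement: the proxy now forwards a clean single "chunked" header, but any other component between the same origin and its clients that does not apply the same collapsing rule may frame the body differently. Fixing the origin so it emits a valid header removes that ambiguity entirely.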

Thanks everyone for your help!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Amaury Denoyelle (4):
      BUG/MEDIUM: mux-quic: ensure timeout server is active for short requests
      BUG/MINOR: mux-quic: do not close STREAM with empty FIN if no data sent
      BUG/MINOR: server: fix dynamic server leak with check on failed init
      BUG/MEDIUM: server: fix race on servers_list during server deletion

Aurelien DARRAGON (5):
      BUG/MEDIUM: server: server stuck in maintenance after FQDN change
      BUG/MEDIUM: hlua: make hlua_ctx_renew() safe
      BUG/MEDIUM: hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}()
      DOC: config: fix rfc7239 forwarded typo in desc
      BUG/MEDIUM: connection/http-reuse: fix address collision on unhandled address families

Christopher Faulet (9):
      MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
      DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
      BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown
      BUG/MINOR: http-ana: Don't report a server abort if response payload is invalid
      REGTESTS: Never reuse server connection in http-messaging/truncated.vtc
      BUG/MINOR: http-ana: Fix wrong client abort reports during responses forwarding
      BUG/MEDIUM: stconn: Report blocked send if sends are blocked by an error
      BUG/MINOR: http-ana: Report internal error if an action yields on a final eval
      MINOR: stream: Save last evaluated rule on invalid yield

Oliver Dala (1):
      BUG/MEDIUM: cli: Deadlock when setting frontend maxconn

Remi Tricot-Le Breton (2):
      BUG/MAJOR: ocsp: Separate refcount per instance and per store
      BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing

Valentine Krasnobaeva (2):
      BUG/MINOR: cfgparse-global: fix allowed args number for setenv
      BUG/MINOR: mworker: fix mworker-max-reloads parser

William Lallemand (3):
      BUG/MINOR: httpclient: return NULL when no proxy available during httpclient_new()
      MINOR: cli: remove non-printable characters from 'debug dev fd'
      BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly

Willy Tarreau (4):
      BUG/MINOR: server: make sure the HMAINT state is part of MAINT
      MINOR: activity/memprofile: always return "other" bin on NULL return address
      MINOR: pools: export the pools variable
      CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry

--
Christopher Faulet
