Hi,

HAProxy 2.8.12 was released on 2024/11/08. It added 30 new commits after version 2.8.11.

This release is quite small. It is emitted to flush the pipe and to remain aligned with the other versions. The following bugs were fixed:

 * During OCSP update, an issue with the reference counting caused some certificates to reference a just-freed OCSP response.
 * Crashes may be experienced with the "update ssl ocsp-response" CLI command because of concurrent accesses to the OCSP response by the main OCSP update task.
 * It was possible to experience a deadlock when setting the maxconn of a frontend on the CLI, because of a double lock on the proxy lock.
 * It was possible to reuse HTTP connections for requests to different endpoints because some address families were not properly handled. The issue was encountered with the HTTP client and UNIX socket combination.
 * A crash could happen in mux-pt if an error happened on the connection just before an abort that is going to emit a shutdown, with a pending wakeup that completes some work on a connection having no transport layer anymore. This only affects TCP (e.g. peers and master CLI; GH #2656).
 * At the stream-connector level, data blocked by an error on the sending path were not always properly detected, leaving streams blocked without any timeout armed.
 * On the QUIC side, a stream could be erroneously closed with an empty frame with the FIN bit set instead of a RESET_STREAM frame when no data was sent at all; and the server timeout was never armed for small requests, fully received when the stream is created.
 * A server abort was reported on an invalid HTTP response payload instead of an internal error. It was also possible to report a client abort instead of a server abort during the HTTP response forwarding. The right termination states are now reported in both cases.
 * The "set ssl cert" CLI command was not properly checking the transaction name. That could lead to accidentally committing a transaction on the wrong certificate.
 * A memory leak was possible if a failure was encountered when a dynamic server was added with the check or agent-check options. In that case, the server could not be released because its refcount was incremented too early. In addition, access to the global server list during a dynamic server deletion was not protected against concurrent accesses. In the long term, this could cause list corruption and crashes.

In addition to these bug fixes, two improvements were added:

 * Some invalid Transfer-Encoding values are now accepted during the H1 response parsing when the accept-invalid-http-response option is enabled, even though this is forbidden by RFC 9112. So, now, with this option, multiple "chunked" values are accepted, as well as empty values. When several "chunked" values are found, the payload is still considered as encoded only once and the header is sanitized when sent to the client. The request parsing was not changed. This remains forbidden because it is highly suspicious if a client is sending an invalid T-E header. On the server side, we can consider the server as trusted. But you must still remain careful with such behavior. And, of course, the best is to fix the application.
 * Memory profiling was also improved. Some entries were displayed with a NULL return address, causing confusion. Now, undecodable stacks causing an apparent NULL return address all lead to the "other" bin.

Thanks everyone for your help!
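To illustrate the relaxed response-side Transfer-Encoding handling described above, here is an added Python model; it is not HAProxy's parser, the `relaxed` flag stands in for what the accept-invalid-http-response option now tolerates, and the header values fed to it are constructed:

```python
"""Strict vs. relaxed handling of the Transfer-Encoding (T-E) response header.

Strict mode follows RFC 9112: a repeated "chunked" token or an empty value is
invalid. Relaxed mode mirrors the behaviour described for the
accept-invalid-http-response option: duplicate "chunked" tokens and empty
values are tolerated, the payload is treated as chunked only once, and the
header is rewritten (sanitized) before being forwarded to the client.
"""


class InvalidTransferEncoding(ValueError):
    """Raised in strict mode when the T-E header violates RFC 9112."""


def parse_transfer_encoding(values, relaxed=False):
    """Return (sanitized_codings, is_chunked) for a list of raw T-E values.

    `values` holds the field values as received (the header may be repeated
    and each value may be a comma-separated list).
    """
    codings, empty_seen = [], False
    for raw in values:
        for token in raw.split(","):
            token = token.strip().lower()
            if not token:          # "" or "gzip, , chunked"
                empty_seen = True
                continue
            codings.append(token)
    chunked_count = codings.count("chunked")
    if not relaxed:
        if empty_seen:
            raise InvalidTransferEncoding("empty Transfer-Encoding value")
        if chunked_count > 1:
            raise InvalidTransferEncoding('"chunked" listed more than once')
    # Relaxed: collapse repeated "chunked" so the body is decoded exactly once.
    sanitized = []
    for coding in codings:
        if coding == "chunked" and "chunked" in sanitized:
            continue
        sanitized.append(coding)
    return sanitized, chunked_count > 0


def is_valid_strict(values):
    """True if the header would be accepted without the relaxed option."""
    try:
        parse_transfer_encoding(values, relaxed=False)
        return True
    except InvalidTransferEncoding:
        return False


def header_to_forward(values, relaxed=False):
    """Header value sent on to the client, or None when no coding remains."""
    codings, _ = parse_transfer_encoding(values, relaxed)
    return ", ".join(codings) if codings else None
```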
Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (4):
      BUG/MEDIUM: mux-quic: ensure timeout server is active for short requests
      BUG/MINOR: mux-quic: do not close STREAM with empty FIN if no data sent
      BUG/MINOR: server: fix dynamic server leak with check on failed init
      BUG/MEDIUM: server: fix race on servers_list during server deletion

Aurelien DARRAGON (5):
      BUG/MEDIUM: server: server stuck in maintenance after FQDN change
      BUG/MEDIUM: hlua: make hlua_ctx_renew() safe
      BUG/MEDIUM: hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}()
      DOC: config: fix rfc7239 forwarded typo in desc
      BUG/MEDIUM: connection/http-reuse: fix address collision on unhandled address families

Christopher Faulet (9):
      MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
      DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
      BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown
      BUG/MINOR: http-ana: Don't report a server abort if response payload is invalid
      REGTESTS: Never reuse server connection in http-messaging/truncated.vtc
      BUG/MINOR: http-ana: Fix wrong client abort reports during responses forwarding
      BUG/MEDIUM: stconn: Report blocked send if sends are blocked by an error
      BUG/MINOR: http-ana: Report internal error if an action yields on a final eval
      MINOR: stream: Save last evaluated rule on invalid yield

Oliver Dala (1):
      BUG/MEDIUM: cli: Deadlock when setting frontend maxconn

Remi Tricot-Le Breton (2):
      BUG/MAJOR: ocsp: Separate refcount per instance and per store
      BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing

Valentine Krasnobaeva (2):
      BUG/MINOR: cfgparse-global: fix allowed args number for setenv
      BUG/MINOR: mworker: fix mworker-max-reloads parser

William Lallemand (3):
      BUG/MINOR: httpclient: return NULL when no proxy available during httpclient_new()
      MINOR: cli: remove non-printable characters from 'debug dev fd'
      BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly

Willy Tarreau (4):
      BUG/MINOR: server: make sure the HMAINT state is part of MAINT
      MINOR: activity/memprofile: always return "other" bin on NULL return address
      MINOR: pools: export the pools variable
      CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry

--
Christopher Faulet