Hi,

HAProxy 2.9.15 was released on 2025/03/21. It added 19 new commits
after version 2.9.14.

This is a small update with various non-sensitive fixes to stabilize the
last version of 2.9. At this point it should not be deployed and systems
must be updated to 3.0 or newer. This version is essentially for those
who got caught at the last minute and forgot the deadline. Only a subset
of the pending fixes were backported here:

  - reloads that transfer listening sockets to the new worker process could
    make the older worker consume a lot of CPU for no apparent reason for
    the time it remained present. The cause was that these FDs were
    registered in epoll and when a new connection arrived to the new
    process, the old one would also be notified without being able to
    unregister it since already closed (well-known epoll pitfall). Now
    these FDs are properly unregistered after being transferred so it's
    possible that some users with long-running old processes will observe
    a lower CPU usage on these old processes.

  - an API issue in the applets could have resulted in some shutdown or
    error conditions to be missed in the future, so as a prevention it
    was fixed. Turns out, after fixing this, it uncovered a bug in the
    CLI's "_getsocks" handler that was causing an infinite loop during
    reloads, and another one in the SPOE applet where the applet would
    never shut down (neither appeared in a released version), and these
    bugs were also fixed.

  - SPOE applets could be woken in loops during stopping, thus eating a lot
    of CPU until the process stopped. Note that this only concerns versions
    3.0 and earlier.

  - a BUG_ON() could be triggered when using filters with no http_payload
    callback.

  - a bug in htx_xfer_blks() could result in occasionally transferring more
    blocks than requested on 32-bit platforms.

  - some TLSv1.3 signature algorithms were not recognized by the
    ClientHello parser which was written before TLSv1.3. The ones that
    were not correctly supported were based on RSA-PSS and would have
    resulted in presenting a possibly wrong certificate when both RSA and
    ECDSA ones were present for the same SNI.

  - a startup race can randomly affect the setting of CPU affinity of
    certain threads during boot, if the thread starts faster than the
    parent updates the pthread identifier upon return. When it happens,
    the affinity setting will often be silently ignored, but on some libs
    such as musl, it can also result in a segfault at boot.

  - a few issues on the peers section parser and config consistency checker
    possibly causing issues or even a segfault.

  - h2: leading and trailing spaces are now properly trimmed in header
    values.

  - the h3 mux will no longer forget to send the FIN when the server 
    responds before the end of the request. Without this, a client could
    remain stuck waiting for it.

  - servers attached to a ring wouldn't wait before trying to reconnect,
    causing connection storms in case of a server failure.

Please do not open issues about this version since it won't be fixed ;-)

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (2):
      BUG/MINOR: h3: do not report transfer as aborted on preemptive response
      CLEANUP: h3: fix documentation of h3_rcv_buf()

Aurelien DARRAGON (1):
      BUG/MINOR: sink: add tempo between 2 connection attempts for sft servers

Christopher Faulet (8):
      BUG/MINOR: spoe: Check the shared waiting queue to shut applets during stopping
      BUG/MINOR: spoe: Allow applet creation when closing the last one during stopping
      BUG/MEDIUM: spoe: Don't wakeup idle applets in loop during stopping
      REGTESTS: Fix truncated.vtc to send 0-CRLF
      BUG/MEDIUM: filters: Handle filters registered on data with no payload callback
      BUG/MINOR: mux-h2: Properly handle full or truncated HTX messages on shut
      BUG/MINOR: cli: Fix memory leak on error for _getsocks command
      BUG/MINOR: cli: Fix a possible infinite loop in _getsocks()

Valentine Krasnobaeva (2):
      BUG/MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers
      BUG/MEIDUM: startup: return to initial cwd only after check_config_validity()

William Lallemand (2):
      BUG/MEDIUM: ssl: chosing correct certificate using RSA-PSS with TLSv1.3
      BUG/MEDIUM: htx: wrong count computation in htx_xfer_blks()

Willy Tarreau (4):
      BUG/MEDIUM: fd: mark FD transferred to another process as FD_CLONED
      BUG/MEDIUM: thread: use pthread_self() not ha_pthread[tid] in set_affinity
      BUG/MINOR: h2: always trim leading and trailing LWS in header values
      MINOR: version: Set the EOL of the 2.9 branch
