Hi,

HAProxy 3.1.7 was released on 2025/04/17. It added 65 new commits
after version 3.1.6.

This release addresses a few bugs in specific areas:
  - transparent proxy connections at the proxy level ("option transparent")
    would not include the destination address in the connection hash
    calculation, meaning that idle connections for a different address
    than expected could be reused between requests.
    
  - usesrc clientip would accidentally include the client's port in the
    hash calculation, resulting in a very low connection reuse ratio.

  - a few months ago we addressed the presence of leading/trailing spaces
    in H2 header values, but we forgot to do it for H3. This has now been
    done. In H2 it had been observed that some rare clients keep the space
    after the comma when splitting "cookie" values, causing errors between
    haproxy and servers, so we can reasonably expect that this would
    happen with H3 too if the same clients support both protocols. In
    addition, the H3 header sanitization was synchronized with the latest
    fixes applied to H2 (filter "upgrade", block invalid chars in URI,
    etc).

  - TCP/HTTP Lua applets could lose some data when yielding.

  - HTTP/1 uploads over reused connections facing a server close (e.g.
    keep-alive timeout) could still return a 502 instead of silently
    closing if the close was detected while uploading the payload. This
    has been seen to cause occasional 502s with short PUT requests on
    servers with a short keep-alive timeout. It is now handled correctly
    and may even be eligible for L7 retries when the payload fits
    entirely in the buffer.

  - an assertion could be violated in QUIC, causing a crash, if an invalid
    request is received after the mux had emitted a STOP_SENDING frame.

  - stick-tables could learn entries from peers with an expiration date
    further in the future than what their own expire time permits, causing
    entries resulting from a temporary misconfiguration to be very
    difficult to evict from a cluster (e.g. mistakenly write "24d" instead
    of "24h" and entries persist for 3 weeks even across reloads). Now the
    entries' expiration date will be capped to the stick table's setting.

  - the regsub converter, used to perform regex-based substitutions, would
    check the remaining room in the buffer against the initially available
    size for each replaced pattern instead of checking it against the
    remaining size. This was reported by Aleandro Prudenzano of Doyensec
    and Edoardo Geraci of Codean Labs, and was assigned CVE-2025-32464.
    The risk is quite low since such configs are quite unlikely, and in
    the rare cases where they occur, the replacement involves static
    contents, so the risk is essentially one of a crash.

  - in some rare cases, forced shutdowns of streams attached to a server
    would cause the stream to freeze and stay in this state forever.
    This concerned both streams killed using "shutdown session" on the
    CLI and those killed via on-marked-up, on-marked-down etc.

  - there were still some cases of signal re-entrance issues badly
    affecting the interaction between watchdog warnings, "show threads"
    and panics. Some setups facing high latencies and triggering many
    warnings would occasionally observe lockups that couldn't even be
    killed by the watchdog since it was already blocked in them. The whole
    thing was reworked to prevent nested signal delivery and make
    everything more reliable. It has resisted heavy warning loops and
    "show threads" loops with "warn-blocked-traffic-after" set to
    1 millisecond.
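
To make the regsub room-check bug above concrete, here is an added illustration (hypothetical code written for this note, not HAProxy's regsub implementation) of a replacement loop whose room check compares each write either against the initial buffer size (the flawed behaviour) or against the size still remaining (the fixed behaviour); the flawed mode keeps a guard so it reports the would-be overflow instead of performing it.

```c
#include <stddef.h>
#include <string.h>

/* Copies `in` into `out` (capacity outsz, NUL-terminated), replacing every
 * occurrence of `pat` with `rep`.
 *   flawed == 0: each write is checked against the room that remains after
 *                earlier replacements (the corrected check).
 *   flawed != 0: each write is checked against the initial capacity, so the
 *                room never shrinks as replacements accumulate (the bug).
 * Returns bytes written, -1 if the output does not fit, or -2 when the
 * flawed check accepted a write that would have run past the buffer (a
 * guard catches it here so the demo stays memory safe). */
int replace_all(const char *in, const char *pat, const char *rep,
                char *out, size_t outsz, int flawed)
{
    size_t ilen = strlen(in), plen = strlen(pat), rlen = strlen(rep);
    size_t usable, i = 0, pos = 0;

    if (!outsz)
        return -1;
    usable = outsz - 1;                      /* keep one byte for the NUL */

    while (i < ilen) {
        const char *src;
        size_t n, room;

        if (plen && i + plen <= ilen && memcmp(in + i, pat, plen) == 0) {
            src = rep;     n = rlen;  i += plen;  /* substitute the pattern */
        } else {
            src = in + i;  n = 1;     i++;        /* copy one literal byte */
        }

        room = flawed ? usable : usable - pos;   /* the bug: usable never shrinks */
        if (n > room)
            return -1;                           /* correctly rejected: no room */
        if (pos + n > usable)
            return -2;                           /* guard: flawed check let it through */

        memcpy(out + pos, src, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Runs one case on a fixed 8-byte output buffer (constructed demo input). */
int demo_case(const char *in, const char *pat, const char *rep, int flawed)
{
    char buf[8];
    return replace_all(in, pat, rep, buf, sizeof(buf), flawed);
}
```

Each replacement of "a" by "xyz" in "aaaa" grows the output, so the third one no longer fits in 7 usable bytes: the corrected check rejects it, while the flawed check still sees 7 bytes of room and would write past the end.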

There are also these less important ones:
  - .notice/.warning/.alert in the config would appear twice, first during
    the mode discovery pass, and second during the worker parsing. This has
    now been fixed and they only appear once.

  - Lua could crash due to a possible use-after-free in the Queue API if a
    resource allocation error happened on the consumer side while the
    other side was still pushing into it.

  - in certain rare cases (timing dependent), certain client aborts that
    are forwarded to the server could be logged as server aborts ("SD")
    instead of client aborts ("CD") depending on which side was checked
    first when deciding on the final state.

  - logs could sometimes produce an incorrect CBOR encoding. And a "raw"
    encoding was also added.

  - some minor updates to QUIC pacing (permit BBR without pacing for
    testing, update wording in parser's error messages, etc).

  - backtraces are now enabled by default on libmusl, we found why they
    were not working. This means that reports from crashes inside Docker
    images should be more useful now.

  - a few minor fixes on RHTTP, a few build issues (gcc-15 warnings,
    NetBSD failing on CONCAT()), and a few doc fixes.

  - backtraces can now also detect some direct calls to functions on x86
    and arm64, and will decode them.

Overall this version only touches some not very commonly used areas, so
for most users there's no rush to upgrade. If you're using some of the
stuff mentioned above it's worth updating. Otherwise it can be the right
moment to update to something that should be smooth ;-)

Oh and a big thanks to Aurélien who handled all the backports to all
branches. Other branches will follow, possibly today or next week, as
time permits (announce messages are the most time consuming part once
backports are ready, so maybe some releases will be done first without
announcements).

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.1/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.1.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.1.git
   Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (18):
      BUG/MEDIUM: mux-quic: fix crash on RS/SS emission if already close local
      BUG/MINOR: mux-quic: remove extra BUG_ON() in _qcc_send_stream()
      BUG/MINOR: rhttp: fix incorrect dst/dst_port values
      BUG/MINOR: backend: do not overwrite srv dst address on reuse
      BUG/MEDIUM: backend: fix reuse with set-dst/set-dst-port
      MINOR: quic: remove references to burst in quic-cc-algo parsing
      MINOR: quic: allow BBR testing without pacing
      MINOR: quic: transform pacing settings into a global option
      MINOR: quic: define quic_tune
      BUILD: quic: fix overflow in global tune
      BUG/MEDIUM: h3: trim whitespaces when parsing headers value
      BUG/MEDIUM: h3: trim whitespaces in header value prior to QPACK encoding
      BUG/MINOR: h3: filter upgrade connection header
      BUG/MINOR: h3: reject invalid :path in request
      BUG/MINOR: h3: reject request URI with invalid characters
      BUG/MINOR: mux-h2: prevent past scheduling with idle connections
      BUG/MINOR: rhttp: fix reconnect if timeout connect unset
      BUG/MINOR: rhttp: ensure GOAWAY can be emitted after reversal

Aurelien DARRAGON (7):
      MINOR: log: support "raw" logformat node typecast
      MINOR: task: add thread safe notification_new and notification_wake variants
      BUG/MINOR: hlua_fcn: fix potential UAF with Queue:pop_wait()
      CLEANUP: log: adjust _lf_cbor_encode_byte() comment
      BUG/MINOR: log: fix CBOR encoding with LOG_VARTEXT_START() + lf_encode_chunk()
      BUG/MINOR: hlua: fix invalid errmsg use in hlua_init()
      BUG/MEDIUM: hlua: fix hlua_applet_{http,tcp}_fct() yield regression (lost data)

Christopher Faulet (3):
      BUG/MEDIUM: stream: Fix a possible freeze during a forced shut on a stream
      BUG/MINOR: http-ana: Properly detect client abort when forwarding the response
      BUG/MEDIUM: http-ana: Report 502 from req analyzer only during rsp forwarding

Emeric Brun (2):
      BUG/MINOR: peers: fix expire learned from a peer not converted from ms to ticks
      BUG/MEDIUM: peers: prevent learning expiration too far in futur from unsync node

Olivier Houchard (1):
      TESTS: Fix build for filltab25.c

Valentine Krasnobaeva (1):
      BUG/MINOR: log: fix gcc warn about truncating NUL terminator while init char arrays

Willy Tarreau (33):
      BUG/MINOR: config: silence .notice/.warning/.alert in discovery mode
      DOC: config: fix two missing "content" in "tcp-request" examples
      BUILD: compiler: undefine the CONCAT() macro if already defined
      BUILD: quic_sock: address a strict-aliasing build warning with gcc 5 and 6
      DOC: update INSTALL to reflect the minimum compiler version
      BUG/MEDIUM: sample: fix risk of overflow when replacing multiple regex back-refs
      BUG/MINOR: backend: do not use the source port when hashing clientip
      BUG/MINOR: debug: remove the trailing \n from BUG_ON() statements
      DOC: config: add the missing "profiling.memory" to the global kw index
      DOC: config: add the missing "force-cfg-parser-pause" to the global kw index
      MINOR: tools: let dump_addr_and_bytes() support dumping before the offset
      MINOR: debug: in call traces, dump the 8 bytes before the return address, not after
      MINOR: debug: detect call instructions and show the branch target in backtraces
      MINOR: compiler: add a __has_builtin() macro to detect features more easily
      MINOR: compiler: add a new "ASSUME" macro to help the compiler
      MINOR: compiler: also enable __builtin_assume() for ASSUME()
      MINOR: compiler: add ASSUME_NONNULL() to tell the compiler a pointer is valid
      BUILD: makefile: enable backtrace by default on musl
      BUG/MINOR: threads: set threads_idle and threads_harmless even with no threads
      BUG/MINOR debug: fix !USE_THREAD_DUMP in ha_thread_dump_fill()
      BUG/MINOR: wdt/debug: avoid signal re-entrance between debugger and watchdog
      BUG/MINOR: debug: detect and prevent re-entrance in ha_thread_dump_fill()
      MINOR: tools: also protect the library name resolution against concurrent accesses
      MINOR: tools: protect dladdr() against reentrant calls from the debug handler
      MINOR: debug: protect ha_dump_backtrace() against risks of re-entrance
      MINOR: tinfo: keep a copy of the pointer to the thread dump buffer
      MINOR: debug: always reset the dump pointer when done
      MINOR: debug: remove unused case of thr!=tid in ha_thread_dump_one()
      MINOR: pass a valid buffer pointer to ha_thread_dump_one()
      MEDIUM: wdt: always make the faulty thread report its own warnings
      MINOR: debug: make ha_stuck_warning() only work for the current thread
      MINOR: debug: make ha_stuck_warning() print the whole message at once
      MINOR: compiler: rely on builtin detection for __builtin_unreachable()

---