Hi, HAProxy 3.2.6 was released on 2025/10/03. It added 57 new commits after version 3.2.5.
This is not the usual announce message describing all the bugs fixed by this release. Here, only the critical fix in the mjson JSON decoder is described. The formal announce message will follow shortly, as a reply to this mail, most probably next Monday.

So, as said, an issue in the mjson JSON decoder causes numbers with large exponents to consume a lot of CPU and possibly even to trigger the watchdog and kill the process. It affects the converters "json_query()", "jwt_header_query()", and "jwt_payload_query()". There is no workaround for this, because the issue sits at a really low level in the decoder, so one cannot count on a reasonable regex or similar to filter it out. This bug was assigned CVE-2025-11230 and affects all versions featuring the JSON decoder, i.e. 2.4 and above. Only an update will fix this.

We'd like to thank Oula Kivalo for reporting the issue with a reproducer. As a note, we were notified that CVE-2023-30421 had already been assigned to the mjson library two years ago for the same issue, but no fix had been issued and it was not mentioned in the project (though an issue about it was reported).

If you rely on one of the converters above, you must definitely upgrade. Otherwise, stay tuned for the official announce message for more info about this release.
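Since the only remedy is an upgrade, the practical question for an operator is whether a given configuration uses any of the three affected converters, and whether the running 3.2 build is already 3.2.6 or later. The POSIX shell script below is an added example and is not part of this announcement nor of HAProxy's own tooling; the sample configuration it scans is constructed for illustration, and the version check covers only the 3.2 branch named in this announcement (other branches need their own fixed release, which this mail does not list).

```shell
#!/bin/sh
# Added example (not HAProxy's own code): audit a configuration for the
# converters affected by CVE-2025-11230 and check a 3.2.x version string.

# The three converters named in the advisory, as an extended-regex alternation.
AFFECTED_CONVERTERS='json_query|jwt_header_query|jwt_payload_query'

# Print every non-comment line of the config that mentions an affected
# converter, prefixed with its line number. Exit status follows the final
# grep: 0 when at least one use is found, 1 otherwise.
find_json_converter_uses() {
    cfg="$1"
    grep -nE "$AFFECTED_CONVERTERS" "$cfg" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of non-comment uses in the config (prints 0 when there are none).
count_json_converter_uses() {
    find_json_converter_uses "$1" | wc -l | tr -d ' '
}

# For the 3.2 branch only: exit 0 when the version is 3.2.6 or later (the
# release carrying the mjson fix), 1 otherwise. Anything that is not a 3.2.x
# version string also yields 1 so it is never mistaken for "fixed".
haproxy_32_is_fixed() {
    echo "$1" | awk -F. '$1 == 3 && $2 == 2 && $3 >= 6 { exit 0 } { exit 1 }'
}

# Constructed sample configuration: one commented-out json_query() use (must
# be ignored) and two live JWT converter uses (must be reported).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
frontend fe_api
    bind :8080
    # http-request set-var(txn.user) req.body,json_query('$.user')
    http-request set-var(txn.alg) http_auth_bearer,jwt_header_query('$.alg')
    http-request set-var(txn.sub) http_auth_bearer,jwt_payload_query('$.sub')
    default_backend be_app

backend be_app
    server s1 127.0.0.1:9000
EOF

# Stand-alone run: report the findings for the sample config and a version.
echo "Affected converter uses in $SAMPLE_CFG:"
find_json_converter_uses "$SAMPLE_CFG" || echo "(none)"
echo "Total: $(count_json_converter_uses "$SAMPLE_CFG")"

for ver in 3.2.5 3.2.6; do
    if haproxy_32_is_fixed "$ver"; then
        echo "HAProxy $ver: includes the mjson fix"
    else
        echo "HAProxy $ver: affected, upgrade to 3.2.6 or later"
    fi
done
```

To audit a real deployment, replace `$SAMPLE_CFG` with the path of the live configuration (typically /etc/haproxy/haproxy.cfg) and feed `haproxy_32_is_fixed` the version number printed by `haproxy -v`. A non-zero count of live uses combined with a pre-3.2.6 version means the process is exposed and should be upgraded; there is nothing else to tune.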
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Christopher Faulet (14):
      MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function
      BUG/MEDIUM: server: Use sni as pool connection name for SSL server only
      BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
      BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections
      BUG/MEDIUM: resolvers: Properly cache do-resolv resolution
      BUG/MINOR: resolvers: Restore round-robin selection on records in DNS answers
      BUG/MEDIUM: resolvers: Test for empty tree when getting a record from DNS answer
      BUG/MEDIUM: resolvers: Make resolution owns its hostname_dn value
      BUG/MEDIUM: resolvers: Accept to create resolution without hostname
      BUG/MEDIUM: resolvers: Wake resolver task up whne unlinking a stream requester
      BUG/MINOR: pools: Fix the dump of pools info to deal with buffers limitations
      BUG/MINOR: compression: Test payload size only if content-length is specified
      BUG/MINOR: pattern: Properly flag virtual maps as using samples
      BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix

Olivier Houchard (6):
      BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt
      MINOR: mt_list: Implement MT_LIST_POP_LOCKED()
      BUG/MEDIUM: stick-tables: Make sure not to free a pending entry
      MEDIUM: servers: Schedule the server requeue target on creation
      MEDIUM: fwlc: Make it so fwlc_srv_reposition works with unqueued srv
      BUG/MEDIUM: fwlc: Handle memory allocation failures.

William Lallemand (9):
      BUG/MINOR: acme/cli: wrong description for "acme challenge_ready"
      BUILD: halog: misleading indentation in halog.c
      CI: github: build halog on the vtest job
      BUG/MINOR: acme: don't unlink from acme_ctx_destroy()
      BUG/MEDIUM: acme: cfg_postsection_acme() don't init correctly acme sections
      BUG/MEDIUM: acme: free() of i2d_X509_REQ() with AWS-LC
      BUG/MINOR: acme: possible overflow on scheduling computation
      BUG/MINOR: acme: possible overflow in acme_will_expire()
      BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file

Willy Tarreau (26):
      MINOR: stick-tables: limit the number of visited nodes during expiration
      OPTIM: stick-tables: exit expiry faster when the update lock is held
      MINOR: debug: report the process id in warnings and panics
      DEBUG: stream: count the number of passes in the connect loop
      MINOR: debug: report the number of loops and ctxsw for each thread
      MINOR: debug: report the time since last wakeup and call
      DEBUG: peers: export functions that use locks
      MINOR: stick-table: permit stksess_new() to temporarily allocate more entries
      MEDIUM: stick-tables: relax stktable_trash_oldest() to only purge what is needed
      MEDIUM: stick-tables: give up on lock contention in process_table_expire()
      MEDIUM: stick-tables: don't wait indefinitely in stktable_add_pend_updates()
      MEDIUM: peers: don't even try to process updates under contention
      MEDIUM: stick-table: move process_table_expire() to a single thread
      MEDIUM: peers: move process_peer_sync() to a single thread
      MINOR: activity: indicate the number of calls on "show tasks"
      MINOR: tools: don't emit "+0" for symbol names which exactly match known ones
      OPTIM: sink: reduce contention on sink_announce_dropped()
      MEDIUM: dns: bind the nameserver sockets to the initiating thread
      MEDIUM: resolvers: make the process_resolvers() task single-threaded
      MINOR: sched: let's permit to share the local ctx between threads
      MINOR: sched: pass the thread number to is_sched_alive()
      BUG/MEDIUM: wdt: improve stuck task detection accuracy
      MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
      BUG/MEDIUM: resolvers: break an infinite loop in resolv_get_ip_from_response()

zhanhb (2):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks
      BUG/MINOR: h3: forbid 'Z' as well in header field names checks

--
Christopher Faulet

