Hi,
HAProxy 2.6.23 was released on 2025/10/03. It added 35 new commits
after version 2.6.22.
As promised in the 2.6.23 announcement, here is the usual description of bugs
fixed by this release:
* The most important one is obviously the mjson JSON decoder issue
described in the previous mail. Decoding of numbers with large exponents
was eating a lot of CPU and could even trigger the watchdog and kill the
process. The "json_query()", "jwt_header_query()", and "jwt_payload_query()"
converters were affected. This bug was assigned CVE-2025-11230 and
affected all versions featuring the JSON decoder, that is, 2.4 and above.
* In the QUIC part, wrong error codes were used for missing or invalid
transport parameters. Some others were not rejected. This is now properly
handled.
* In both H2 and H3, the 'Z' character (in upper case) was not rejected as
expected from header field names. Thanks to @zhanhb, it is now fixed.
* On H2, streams are now reset with NO_ERROR and not CANCEL when the
server responds before the end of the request and closes, making it
clear to the client that the response is valid and not an error.
* On H3, information about the :scheme pseudo-header was not properly
reported at the HTX level, preventing the H2 multiplexer from preserving it
on the server side.
* For resolvers, an unexpected CPU usage could be experienced because
there was no delay on connection retries. It was observed with a
nameserver with invalid network settings. There is now a one-second delay
between two connections.
* In Lua, the Channel:data() and Channel:line() functions were fixed to respect
the documentation.
* On the CLI, no error was reported when too many arguments were passed for
a command. Instead, arguments above the limit (64 by default) were just
silently ignored.
* The "send-proxy" and "send-proxy-v2" options are neither relevant nor supported
on a ring server. They are now explicitly ignored and a warning is emitted.
Thanks everyone for your help !
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.6/src/
Git repository : https://git.haproxy.org/git/haproxy-2.6.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
Changelog : https://www.haproxy.org/download/2.6/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Amaury Denoyelle (7):
      MINOR: quic: extend return value during TP parsing
      BUG/MINOR: quic: use proper error code on missing CID in TPs
      BUG/MINOR: quic: use proper error code on invalid server TP
      BUG/MINOR: quic: reject retry_source_cid TP on server side
      BUG/MINOR: quic: use proper error code on invalid received TP value
      BUG/MINOR: quic: fix TP reject on invalid max-ack-delay
      BUG/MINOR: quic: reject invalid max_udp_payload size

Aurelien DARRAGON (5):
      MINOR: applet: add appctx_schedule() macro
      BUG/MINOR: dns: add tempo between 2 connection attempts for dns servers
      BUG/MINOR: cli: fix too many args detection for commands
      BUG/MINOR: sink: detect and warn when using "send-proxy" options with ring servers
      DOC: config: restore default values for resolvers hold directive

Christopher Faulet (10):
      BUG/MINOR: cli: Issue an error when too many args are passed for a command
      BUG/MINOR: mux-h1: Don't pretend connection was released for TCP>H1>H2 upgrade
      BUG/MINOR: mux-h1: Fix trace message in h1_detroy() to not relay on connection
      BUG/MINOR: hlua: Fix Channel:data() and Channel:line() to respect documentation
      MEDIUM: hlua: Add function to change the body length of an HTTP Message
      BUG/MINOR: mux-h2: Reset streams with NO_ERROR code if full response was already sent
      BUG/MINOR: h3: Set HTX flags corresponding to the scheme found in the request
      REGTESTS: Make the script testing conditional set-var compatible with Vtest2
      CI: vtest: Rely on VTest2 to run regression tests
      REGTESTS: Explicitly allow failing shell commands in some scripts

Frederic Lecaille (2):
      CLEANUP: quic: Useless BIO_METHOD initialization
      MINOR: quic: Add useful error traces about qc_ssl_sess_init() failures

Lukas Tribus (1):
      DOC: ring: refer to newer RFC5424

Valentine Krasnobaeva (2):
      BUG/MINOR: limits: compute_ideal_maxconn: don't cap remain if fd_hard_limit=0
      MINOR: compiler: add __nonstring macro

Willy Tarreau (6):
      DOC: config: recommend disabling libc-based resolution with resolvers
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
      BUILD: compiler: add a macro to detect if another one is set and equals 1
      BUILD: compiler: fix __equals_1() on older compilers
      BUILD: compiler: add a default definition for __has_attribute()

zhanhb (2):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks
      BUG/MINOR: h3: forbid 'Z' as well in header field names checks
--
Christopher Faulet
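
An added example, not part of the original announcement and not HAProxy tooling: a small audit script that lists where a configuration uses the three converters the announcement names as affected by CVE-2025-11230, to help decide which instances to upgrade first. The sample configuration, the section keyword list and the function names are constructed for illustration.

```python
import re

# Converter names come from the announcement; everything else is illustrative.
AFFECTED = ("json_query", "jwt_header_query", "jwt_payload_query")
CONVERTER_RE = re.compile(r"\b(" + "|".join(AFFECTED) + r")\b")
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Longest prefix of a line in which every '#' is quoted or escaped.
COMMENT_FREE = re.compile(r"""(?:\\.|"(?:\\.|[^"\\])*"|'[^']*'|[^#'"\\])*""")

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONFIG = """\
frontend fe_api
    bind :8443
    # http-request set-var(txn.old) req.body,json_query('$.id')
    http-request set-var(txn.user) req.body,json_query('$.user')  # user id
    http-request set-var(txn.alg) http_auth_bearer,jwt_header_query('$.alg')

backend be_api
    http-request set-header X-Tag "a#b" if { http_auth_bearer,jwt_payload_query('$.sub') -m found }
    server s1 192.0.2.10:8080
"""


def strip_comment(line):
    """Return the line up to the first '#' that is neither quoted nor escaped."""
    return COMMENT_FREE.match(line).group(0)


def find_affected_converters(config_text):
    """Return (line_number, section, converter) for every active use."""
    hits, section = [], "(none)"
    for number, raw in enumerate(config_text.splitlines(), start=1):
        words = strip_comment(raw).split()
        if not words:
            continue  # blank line or comment-only line
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        for match in CONVERTER_RE.finditer(" ".join(words)):
            hits.append((number, section, match.group(1)))
    return hits


if __name__ == "__main__":
    for number, section, name in find_affected_converters(SAMPLE_CONFIG):
        print(f"line {number}: {name} used in [{section}]")
```

The match is by name only, so a converter name that appears inside a quoted string is also reported; for an audit, over-reporting is the safer direction.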