Hi,

HAProxy 2.8.17 was released on 2025/12/19. It added 71 new commits
after version 2.8.16.

It is the last release of the series for this week. The list below was
extracted from the 3.0.11 and 3.0.12 announcements:

- An old bug was revealed about synchronous write events that could be
  missed during data processing. This issue could freeze a session until
  the next I/O event or a timeout expiration. The issue was fixed, but the
  area remains a bit sensitive.

- The way certain QUIC stacks recently started to send their crypto frames
  leaving a single byte hole between them was fundamentally incompatible
  with our storage model which requires at least 8 bytes holes. As such,
  some of them would experience random connection failures due to dropped
  frames. This required reworking that storage part (the "ncbuf" stuff) to
  support an alternate byte-addressed area that is compatible with this
  behavior that we initially considered as irrelevant and only likely used
  by attackers. This new work has been extensively tested in production
  where the issue was first reported, and given that there were some reports
  of recent Firefox versions triggering the issue, we considered that we
  should not wait to backport it. Thanks Annika for your wonderful help BTW!

- An issue was fixed about stick-tables. The refcount of an entry can become
  inconsistent and prevent the entry from ever expiring if a local and
  remote update happen at the exact same time and the local entry is created
  at the moment the peers code releases the lock. On some rare occasions,
  stick-table keys of type strings could sometimes be incorrectly indexed
  with some extra bytes past the final zero and appear as duplicates,
  causing entries to get mixed. This is one of the longest living bugs we've
  had, it's been there since the feature was implemented in 1.4-dev7 almost
  16 years ago!
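As an added illustration of the string-key indexing bug described above (this is constructed example code, not HAProxy's stick-table implementation), the C below contrasts indexing a fixed-size key buffer over its full length with indexing only up to the terminating zero. Two buffers holding the same string but different stale bytes after the zero land on the same entry only with the bounded length; `KEY_SIZE`, the key samples and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_SIZE 16 /* constructed fixed-size key buffer, like a table's key_size */

/* Pre-fix style: index the whole buffer, including whatever bytes
 * happen to follow the terminating zero. */
size_t buggy_key_len(const char *key, size_t key_size)
{
    (void)key;
    return key_size;
}

/* Fixed style: index only the bytes up to the first zero, bounded by
 * the buffer size so an unterminated key cannot be over-read. */
size_t fixed_key_len(const char *key, size_t key_size)
{
    size_t n = 0;
    while (n < key_size && key[n] != '\0')
        n++;
    return n;
}

/* Small FNV-1a over the indexed bytes; stands in for the table's hash. */
uint32_t key_hash(const char *key, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)key[i];
        h *= 16777619u;
    }
    return h;
}

typedef size_t (*key_len_fn)(const char *, size_t);

/* Do two key buffers resolve to the same entry under a length policy? */
int keys_collide(const char *a, const char *b, key_len_fn len_fn)
{
    size_t la = len_fn(a, KEY_SIZE), lb = len_fn(b, KEY_SIZE);
    return la == lb && key_hash(a, la) == key_hash(b, lb)
        && memcmp(a, b, la) == 0;
}

/* Constructed sample keys: same string, different stale bytes after the
 * terminating zero (as could remain from an earlier, longer key). */
const char key_a[KEY_SIZE] = "10.0.0.1\0AAAAAA";
const char key_b[KEY_SIZE] = "10.0.0.1\0BBBBBB";
```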

- A slow memory leak of SSL captures has been noticed over the last two
  years on haproxy.org, making us believe that it was in the SSL lib,
  because the counters we placed around it showed more calls to the init()
  callback than the release() one. We were actually wrong and discovered
  that in TLS 1.3 there can be two consecutive Client Hello messages on a
  connection and that this caused the capture area to be allocated twice and
  only the last one was freed. At least it explained everything, and this
  was fixed (and it has been confirmed to no longer leak).

- A ring that would fail to connect to one of its servers could remain stuck
  forever if, by bad luck, the failure happens at a precise millisecond
  within the first 20 seconds after boot (then every 49.7 days).

- Updating a CA from the CLI could occasionally cause a crash due to objects
  being still referenced.

- Default HTTP 405, 431 and 501 error files had an incorrect content length
  that would probably cause the front connections to be closed after the
  response.

- A crash that could occur after HTTP/2 upgrades from HTTP/1.1 has been
  resolved. The issue stemmed from the mux not being able to report that it
  had only released its structure and not the whole connection, causing the
  SSL tasklet to never be freed while being returned as running, thus
  causing an infinite loop.

- A failure to allocate a new QUIC Connection ID during a
  RETIRE_CONNECTION_ID frame was silently ignored, potentially leaving the
  peer without valid IDs and causing connection failures. Now, such
  allocation errors are treated as fatal, closing the connection promptly,
  which is safer when memory pressure is high and prevents silent
  degradation of connectivity. Related to SSL 0-RTT, the header "Early-data:
  1" is now added on requests handled by haproxy as QUIC 0-RTT if the
  handshake is not yet completed. This is helpful to inform servers that
  such requests should be processed carefully. An internal change in the
  stream notification mechanism is introduced which is transparent to most
  users, however if you ever encountered frozen transfers it could be a
  solution for this. A few issues in CRYPTO frame parsing were
  fixed. QUIC listeners on FreeBSD were not functional if bound on a
  specific address. And, minimum and maximum limits enforced on the
  congestion window were not always respected. Both issues were fixed too.

- 1xx responses in HTTP/3 were not always properly encoded if they would
  appear in the same response packet as the final response, and they
  would generally cause a parsing error on the client, which will abort
  the connection; 1xx sent along the final response are really not common
  right now and mostly happen in testing, but some applications could
  trigger them more than others.

- The value of "tune.maxpollevents" could lead to an integer overflow when
  calculating the size to be allocated, resulting in a failure that would
  cause the poller to process no events at all (in practice the process is
  totally unresponsive). The value is now capped to 1 million, which is 4000
  times higher than the default (250) and already does not make much sense,
  it should not need to be touched again for the next century.
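As an added illustration of the overflow class described above (constructed example code, not HAProxy's poller code), the C below shows how a huge `tune.maxpollevents` value wraps the computed allocation size when the product is done in 32-bit arithmetic, next to a hardened computation that applies the 1,000,000 cap first and guards the multiplication. The event structure, constants and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a poller's per-event structure: 24 bytes,
 * no padding, so the arithmetic below is platform-independent. */
struct fake_event {
    int32_t  fd;
    uint32_t events;
    uint64_t data[2];
};

#define MAXPOLLEVENTS_DEFAULT 250
#define MAXPOLLEVENTS_CAP     1000000   /* the cap the fix introduces */

/* Pre-fix style computation: the product is done in 32-bit arithmetic
 * and silently wraps for large tunables. Unsigned is used so the wrap is
 * well defined and observable (signed overflow would be undefined). */
uint32_t naive_alloc_size(uint32_t maxpollevents)
{
    return maxpollevents * (uint32_t)sizeof(struct fake_event);
}

/* Hardened version: reject out-of-range tunables up front (0 or above
 * the cap), then multiply in size_t behind an explicit overflow guard.
 * Returns 0 on any error so a caller cannot allocate a bogus size and
 * end up with a poller that processes no events at all. */
size_t checked_alloc_size(long maxpollevents)
{
    if (maxpollevents <= 0 || maxpollevents > MAXPOLLEVENTS_CAP)
        return 0;
    if ((size_t)maxpollevents > SIZE_MAX / sizeof(struct fake_event))
        return 0;
    return (size_t)maxpollevents * sizeof(struct fake_event);
}

/* Would the naive computation have produced a wrong (wrapped) size? */
int naive_size_is_wrong(uint32_t maxpollevents)
{
    uint64_t exact = (uint64_t)maxpollevents * sizeof(struct fake_event);
    return (uint64_t)naive_alloc_size(maxpollevents) != exact;
}
```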

- An old bug from 2012 was fixed in the HTTP TUNNEL handling that caused
  tunnelled streams closed by the server to be closed on both sides at once
  and an error to be logged. And the timer used for the "wait-for-body"
  action was not properly reset, causing some trouble with some following
  actions, like "pause".

- Several OOM checks were added here and there by Alexander Stephan.

- On the LUA side, read and write events are now properly notified when
  using the socket class to avoid infinite wait when the write side has been
  blocked earlier.

- The tasks used to manage resolvers and the ones used to deal with
  communications with these resolvers are now single-threaded. These tasks
  were found to cause a lot of contention in the scheduler on high CPU count
  machines, for no added value.

The rest is pretty minor, small fixes here and there and doc updates.

Thanks everyone for your help.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Alexander Stephan (5):
      BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
      BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
      BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
      BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
      BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()

Amaury Denoyelle (24):
      MINOR: quic: rename min/max fields for congestion window algo
      BUG/MINOR: quic: ensure cwnd limits are always enforced
      BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
      OPTIM: quic: improve slightly qc_snd_buf() internal
      MINOR: quic: move IP_PKTINFO on send on a dedicated function
      BUG/MEDIUM: h3: do not overwrite interim with final response
      BUG/MINOR mux-quic: apply correctly timeout on output pending data
      BUG/MINOR: quic: check applet_putchk() for 'show quic' first line
      BUG/MEDIUM: h3: properly encode response after interim one in same buf
      MINOR: qmux: change API for snd_buf FIN transmission
      BUG/MEDIUM: h3: handle interim response properly on FE side
      BUG/MINOR: quic: close connection on CID alloc failure
      MINOR: ncbuf: extract common types
      MINOR: ncbmbuf: define new ncbmbuf type
      MINOR: ncbmbuf: implement add
      MINOR: ncbmbuf: implement iterator bitmap utilities functions
      MINOR: ncbmbuf: implement ncbmb_data()
      MINOR: ncbmbuf: implement advance operation
      MINOR: ncbmbuf: add tests as standalone mode
      BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling
      MINOR: mux-quic: refactor wait-for-handshake support
      BUG/MEDIUM: mux-quic: ensure Early-data header is set
      BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
      BUG/MEDIUM: mux-quic: adjust wakeup behavior

Aurelien DARRAGON (3):
      BUG/MINOR: sink: retry attempt for sft server may never occur
      BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()
      BUG/MINOR: cfgparse-listen: update err_code for fatal error on proxy directive

Christopher Faulet (6):
      BUG/MINOr: hlua: Fix receive from HTTP applet by properly accounting data
      BUG/MAJOR: stream: Force channel analysis on successful synchronous send
      BUG/MINOR: config: Limit "tune.maxpollevents" parameter to 1000000
      BUG/MEDIUM: stick-tables: Always return the good stksess from stktable_set_entry
      BUG/MINOR: http-ana: Reset analyse_exp date after 'wait-for-body' action
      BUG/MEDIUM: http-ana: Don't close server connection on read0 in TUNNEL mode

Frederic Lecaille (8):
      BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
      MINOR: quic: remove ->offset qf_crypto struct field
      CLEANUP: quic: remove a useless CRYPTO frame variable assignment
      BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
      BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
      BUG/MINOR: quic: Missing SSL session object freeing
      BUG/MINOR: quic: Wrong source address use on FreeBSD
      BUG/MINOR: quic: do not set first the default QUIC curves

Huangbin Zhan (1):
      MINOR: http: fix 405,431,501 default errorfile

Lukas Tribus (1):
      DOC: http: document 413 response code

Olivier Houchard (3):
      BUG/MEDIUM: stick-tables: Don't forget to dec count on failure.
      MINOR: h1: h1_release() should return if it destroyed the connection
      BUG/MEDIUM: h1: prevent a crash on HTTP/2 upgrade

Remi Tricot-Le Breton (4):
      BUG/MINOR: ssl: Free global_ssl structure contents during deinit
      BUG/MEDIUM: ssl: Crash because of dangling ckch_store reference in a ckch instance
      BUG/MINOR: init: Do not close previously created fd in stdio_quiet
      BUG/MINOR: jwt: Missing "case" in switch statement

William Lallemand (6):
      BUILD: halog: misleading indentation in halog.c
      BUILD: ssl: can't build when using -DLISTEN_DEFAULT_CIPHERS
      BUG/MINOR: ssl: returns when SSL_CTX_new failed during init
      DOC: configuration: add missing ssllib_name_startswith()
      DOC: configuration: add missing openssl_version predicates
      BUG/MINOR: ssl: remove dead code in ssl_sock_from_buf()

Willy Tarreau (10):
      BUG/MEDIUM: ssl: take care of second client hello
      BUG/MINOR: ssl: always clear the remains of the first hello for the second one
      BUILD: makefile: disable tail calls optimizations with memory profiling
      BUG/MINOR: stick-tables: properly index string-type keys
      DOC: config: slightly clarify the ssl_fc_has_early() behavior
      BUG/MEDIUM: mux-h2: make sure not to move a dead connection to idle
      MEDIUM: dns: bind the nameserver sockets to the initiating thread
      MEDIUM: resolvers: make the process_resolvers() task single-threaded
      DOC: config: mention clearer that the cache's total-max-size is mandatory
      DOC: config: reorder the cache section's keywords

--
Christopher Faulet