Hi,

HAProxy 3.3.2 was released on 2026/01/29. It added 52 new commits
after version 3.3.1.

The following bugs were fixed with this release:

  * A regression was introduced in the Prometheus exporter when the service
    was refactored to use the new applet API. The service might be
    unexpectedly called after it was released. If this happened in the
    middle of the dump of a server's metrics, it could corrupt the server
    itself, leading to crashes. The issue was fixed in the applet API itself
    by preventing any wakeup after the applet was released. Another issue
    was fixed on the Prometheus exporter. The server metrics dump was not
    relying on the watcher mechanism introduced in 3.0, which should
    always be used when interruptible iterations over the server list are
    performed.

  * Working on the Prometheus exporter, we found an issue with the dump of
    the Lua state when watchdog warnings were emitted, leading to crashes or
    CPU loops. The "show threads" CLI command was also affected. Because the
    purpose of the Lua backtrace was to help locate Lua call places upon a
    panic, it is now called on panic only. In addition, the hlua_traceback()
    function was fixed to no longer corrupt the stack (the root cause of the
    debugger issue).

  * Still about Lua, two issues in the Patref:add_bulk() function were fixed.
    First, the yield mechanism was buggy, triggering a Lua error because the
    check for the yield was misplaced. Then, arguments of the function were
    not properly tested. Calling the function with anything other than a
    table led to a crash.

  * An issue with the peer applets was fixed. The shutdown event could be
    ignored by the applet if it failed to receive data. This could happen on
    client timeout for instance. Because of this issue, it was possible to
    have frozen peer applets. And with too many frozen applets, it was
    possible to reach the maxconn, blocking the peers synchronization.

  * A regression was introduced in the H1 multiplexer when the "extra" field
    was removed from the HTX structure. When a chunked message was forwarded
    via the zero-copy forwarding mechanism, the "kop" variable was not
    properly updated, leading to a chunk desynchronization by announcing a
    chunk size larger than the chunk data sent. The issue was fixed but a
    workaround consisted of disabling the zero-copy data forwarding with
    "tune.disable-zero-copy-forwarding" or "tune.h1.zero-copy-fwd-send off"
    global directives.

  * On the H1 multiplexer, it was possible to fall into an infinite loop on
    the response path. However, possibilities to encounter the bug were
    quite limited. It only happened if the server response was intercepted
    by HAProxy while the server was emitting a 1xx interim message and it was
    received at the same time as the final response. The issue was fixed by
    properly looping on the HTX message when formatting the H1 response
    status line.

  * Several issues were fixed on the SSL part. With the certificate
    generation mechanism, some errors were not properly handled, leading to
    crashes with AWS-LC, and the "CN" was not ignored when the SNI was
    greater than 64 bytes, leading to handshake failures. Some issues were
    also fixed with the SSL passphrase callback function. It was possible to
    loop infinitely if allocation errors were encountered, and encrypted
    keys could not be loaded when given alongside the certificate.

  * On QUIC, the warning about 'tune.quic.frontend.default-max-size'
    deprecated directive was fixed, the ech configuration was enabled for
    QUIC listeners, the ACK ECN frame parsing was fixed to avoid
    desynchronization in the frames parsing code, which could lead to a
    connection abort due to an invalid frame content read. Abort of
    unidirectional stream was fixed to not erroneously trigger a BUG_ON().
    Finally, since the QUIC backend support was implemented, the calls to
    the SSL message callback functions were ignored if no connection was
    available, breaking several features with QUIC, such as SSL key logging
    or sample based on ClientHello capture. This was fixed by reworking this
    part.

  * An issue with the parsing of log-forward options, leading to crashes,
    was fixed. The "option dont-parse-log" and "option assume-rfc6587-ntf"
    directives were affected.

  * The "show proc" master CLI command was fixed to properly handle more
    than 202 processes. Still on the master part, it was reported that the
    master couldn't reload after a failed reload following a wrong
    configuration. It was still possible to perform a reload manually via
    the master CLI, but all signals were blocked. This was fixed by adding
    a task started by the signal handler and responsible for restoring the
    signals outside of it.

  * Since 2.6, the TCP fast-open option (TFO) was no longer enabled on
    server connections because of a wrong test on the number of connection
    retries. In addition, still since 2.6, the wrong buffer was checked,
    the response one instead of the request one, also breaking the TFO. Both
    issues were fixed.

  * Minor issues about the configuration parsing were fixed. Among others,
    the parsing of an invalid expression for the "set-map" action was fixed
    to not crash on deinit, the allocation failures of some pools are now
    properly handled and defaults sections with the same name no longer lead
    to crashes on deinit.

In addition to those fixes, support for Lua 5.5 was backported, the
H2 multiplexer was updated to perform a graceful close at a 75% glitches
threshold and it is now possible to disable the certificates compression by
setting the new "tune.ssl.certificate-compression" global directive to
"off".

Thanks everyone for your help.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.3.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Alexander Stephan (1):
      BUG/MINOR: mworker/cli: fix show proc pagination using reload counter

Amaury Denoyelle (7):
      BUG/MINOR: quic: fix deprecated warning for window size keyword
      MINOR: cfgparse: remove duplicate "force-persist" in common kw list
      BUG/MEDIUM: quic: fix ACK ECN frame parsing
      BUG/MINOR: proxy: free persist_rules
      BUG/MEDIUM: mux-quic: prevent BUG_ON() on aborted uni stream close
      BUG/MINOR: proxy: fix deinit crash on defaults with duplicate name
      BUG/MEDIUM: ssl: fix msg callbacks on QUIC connections

Aurelien DARRAGON (9):
      BUG/MINOR: hlua_fcn: fix broken yield for Patref:add_bulk()
      BUG/MINOR: hlua_fcn: ensure Patref:add_bulk() is given a table object before using it
      BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in release_http_map()
      MINOR: cli: use srv_drop() when server was created using new_server()
      BUG/MINOR: server: ensure server is detached from proxy list before being freed
      BUG/MEDIUM: promex: server iteration may rely on stale server
      BUG/MEDIUM: log: parsing log-forward options may result in segfault
      BUG/MEDIUM: hlua: fix invalid lua_pcall() usage in hlua_traceback()
      BUG/MINOR: hlua: consume error object if ignored after a failing lua_pcall()

Christian Ruppert (1):
      REGTESTS: ssl: Fix reg-tests curve check

Christopher Faulet (7):
      BUG/MEDIUM: peers: Properly handle shutdown when trying to get a line
      BUG/MEDIUM: mux-h1: Take care to update <kop> value during zero-copy forwarding
      BUG/MEDIUM: stconn: Move data from <kip> to <kop> during zero-copy forwarding
      BUG/MINOR: promex: Detach promex from the server on error dump its metrics dump
      BUG/MEDIUM: mux-h1: Skip UNUSED htx block when formating the start line
      BUG/MINOR: proto_tcp: Properly report support for HAVE_TCP_MD5SIG feature
      BUG/MAJOR: applet: Don't call I/O handler if the applet was shut

Egor Shestakov (2):
      BUG/MINOR: cfgparse: fix "default" prefix parsing
      DOC: reg-tests: update VTest upstream link in the starting guide

Mike Lothian (1):
      MINOR: hlua: Add support for lua 5.5

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Properly manage alloc failures in SSL passphrase callback
      BUG/MINOR: ssl: Encrypted keys could not be loaded when given alongside certificate

William Lallemand (10):
      BUG/MEDIUM: mworker: can't use signals after a failed reload
      BUILD: ssl: strchr definition changed in C23
      BUILD: tools: memchr definition changed in C23
      BUG/MINOR: cfgparse: wrong section name upon error
      BUG/MINOR: cli/stick-tables: argument to "show table" is optional
      BUG/MEDIUM: ssl: fix error path on generate-certificates
      BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
      REGTESTS: ssl: fix generate-certificates w/ LibreSSL
      MINOR: ssl: allow to disable certificate compression
      BUG/MINOR: ssl: fix error message of tune.ssl.certificate-compression

Willy Tarreau (11):
      MINOR: mux-h2: add missing glitch count for non-decodable H2 headers
      MINOR: mux-h2: perform a graceful close at 75% glitches threshold
      BUG/MINOR: backend: fix the conn_retries check for TFO
      BUG/MINOR: backend: inspect request not response buffer to check for TFO
      DOC: config: fix the length attribute name for stick tables of type binary / string
      BUILD: sockpair: fix build issue on macOS related to variable-length arrays
      DOC: config: mention some possible TLS versions restrictions for kTLS
      BUG/MINOR: stick-tables: abort startup on stk_ctr pool creation failure
      BUG/MINOR: config: check capture pool creations for failures
      BUG/MINOR: config/ssl: fix spelling of "expose-experimental-directives"
      BUG/MEDIUM: debug: only dump Lua state when panicking

akarl10 (1):
      BUG/MINOR: ech/quic: enable ech configuration also for quic listeners


--
Christopher Faulet
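
An added example, not part of the announcement and not HAProxy code: a strict HTTP/1.1 chunked-body checker that flags the symptom described in the H1 zero-copy forwarding item above, a chunk size announced larger than the chunk data actually sent. The function name, exception class and sample byte strings are constructed for illustration.

```python
# Added example, not HAProxy code: strict check of HTTP/1.1 chunked framing.
HEX_DIGITS = set(b"0123456789abcdefABCDEF")

class ChunkFramingError(ValueError):
    """An announced chunk size disagrees with the bytes actually on the wire."""

def check_chunked_body(raw: bytes) -> int:
    """Walk a chunked body; return the payload length or raise ChunkFramingError."""
    pos = total = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkFramingError(f"offset {pos}: chunk-size line not terminated")
        field = raw[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not field or any(c not in HEX_DIGITS for c in field):
            raise ChunkFramingError(f"offset {pos}: invalid chunk size {field!r}")
        size, start = int(field, 16), eol + 2
        if size == 0:
            # Last chunk: optional trailer fields, then one empty line.
            if raw.find(b"\r\n\r\n", eol) < 0:
                raise ChunkFramingError(f"offset {pos}: last chunk not terminated")
            return total
        end = start + size
        if end + 2 > len(raw):
            raise ChunkFramingError(
                f"offset {pos}: announced {size} bytes plus CRLF, "
                f"only {len(raw) - start} bytes remain")
        if raw[end:end + 2] != b"\r\n":
            # Sender announced more than it sent: the reader has consumed part of
            # the next chunk as data and framing is now desynchronized.
            raise ChunkFramingError(
                f"offset {pos}: announced {size} bytes, no CRLF at offset {end}")
        total, pos = total + size, end + 2

# Constructed samples: same 10+5 byte payload; the second announces 0x10 (16)
# for the first chunk while only 10 bytes of data are sent.
GOOD = b"a\r\n0123456789\r\n5\r\nhello\r\n0\r\n\r\n"
DESYNC = b"10\r\n0123456789\r\n5\r\nhello\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("DESYNC", DESYNC)):
        try:
            print(name, "ok,", check_chunked_body(body), "payload bytes")
        except ChunkFramingError as exc:
            print(name, "rejected:", exc)
```

Run against a captured response body from a test backend, a rejection on a body the origin server framed correctly indicates the proxy hop altered the framing.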


