Hi,
HAProxy 3.0.15 was released on 2026/01/29. It added 44 new commits
after version 3.0.14.
Following issues were fixed in this release, mainly cut-pasted from 3.1.13
announce:
* We found an issue with the dump of the Lua state when watchdog warnings
were emitted, leading to crashes or CPU loops. "show threads" CLI
command was also affected. Because the purpose of the Lua backtrace was
to help locate Lua call places upon a panic, it is now called on panic
only. In addition, hlua_traceback() function was fixed to no longer
corrupt the stack (the root cause of the debugger issue).
* An issue was fixed on the Prometheus exporter. The servers metrics dump
was not relying on the watcher mechanism introduced in 3.0 and that
should be always used when interruptible iterations over the server list
are performed.
* On the H1 multiplexer, it was possible to fall in an infinite loop on
the response path. However, possibilities to encounter the bug were
quite limited. It only happened if the server response was intercepted
by HAProxy while the server was emitted a 1xx interim message and it was
received in same time as the final response. The issue was fixed by
properly looping on the HTX message when formatting the H1 response
status line.
* Several issues were fixed on the SSL part. With the certificate
generation mechanism, some errors were not properly handled leading to
crashed with AWS-LC and the "CN" was not ignored when the SNI was
greater than 64 bytes leading to handshake failures.
* The "show proc" master CLI command is no longer limited by the output
buffer size and will now be able to list many processes. In addition,
the command was fixed to properly handled more than 202 processes.
* On QUIC, the ACK ECN frame parsing was fixed to avoid desynchronization
in the frames parsing code, which could lead to a connection abort due
to an invalid frame content read.
* The ALPN handling for listeners was improved to better handle cases
where the protocol is forced with the "proto" keyword, preventing
connection errors in certain configurations (e.g. when "proto h1" is
forced while the default ALPN was still "h2,http/1.1").
* Since the 2.6, the TCP fast-open option (TFO) was not longer enabled on
server connection because of a wrong test on the number of connection
retries. In addition, still since the 2.6, the wrong buffer was checked,
the response one instead of the request one, also breaking the TFO. Both
issues were fixed.
* On resolvers, the result of a "do-resolv" action was not cached, unlike
it is stated in the documentation. The "hold valid" time is now
respected. In addition, the round-robin selection on records in DNS
answers was restored. It was accidentally broken during 2.5 development
cycle. While it is an undocumented feature, some users relies on it,
especially with the "do-resolv" action.
* Minor issues about the configuration parsing were fixed. Among others,
the parsing of invalid expression for the "set-map" action was fixed to
not crash on deinit, the allocation failures of some pools are now
properly handled and defaults sections with the same name no longer lead
to crashes on deinit.
In addition to those fixes, it is now possible to disable the certificates
compression by setting the new "tune.ssl.certificate-compression" global
directive to "off".
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.0/src/
Git repository : https://git.haproxy.org/git/haproxy-3.0.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-3.0.git
Changelog : https://www.haproxy.org/download/3.0/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Alexander Stephan (1):
BUG/MINOR: mworker/cli: fix show proc pagination using reload counter
Amaury Denoyelle (3):
MINOR: cfgparse: remove duplicate "force-persist" in common kw list
BUG/MEDIUM: quic: fix ACK ECN frame parsing
BUG/MINOR: proxy: free persist_rules
Aurelien DARRAGON (4):
BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in
release_http_map()
BUG/MEDIUM: promex: server iteration may rely on stale server
BUG/MEDIUM: hlua: fix invalid lua_pcall() usage in hlua_traceback()
BUG/MINOR: hlua: consume error object if ignored after a failing
lua_pcall()
Christian Ruppert (1):
REGTESTS: ssl: Fix reg-tests curve check
Christopher Faulet (13):
BUG/MEDIUM: http-ana: Properly detect client abort when forwarding
response (v2)
BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already
received
BUG/MEDIUM: resolvers: Properly cache do-resolv resolution
BUG/MINOR: resolvers: Restore round-robin selection on records in DNS
answers
BUG/MEDIUM: resolvers: Test for empty tree when getting a record from DNS
answer
BUG/MEDIUM: resolvers: Make resolution owns its hostname_dn value
BUG/MEDIUM: resolvers: Accept to create resolution without hostname
BUG/MEDIUM: resolvers: Wake resolver task up whne unlinking a stream
requester
MINOR: muxes: Support an optional ALPN string when defining mux protocols
MINOR: config: Do proto detection for listeners before checks about ALPN
BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if
forced
BUG/MINOR: promex: Detach promex from the server on error dump its
metrics dump
BUG/MEDIUM: mux-h1: Skip UNUSED htx block when formating the start line
Damien Claisse (1):
BUG/MINOR: resolvers: ensure fair round robin iteration
Egor Shestakov (2):
BUG/MINOR: cfgparse: fix "default" prefix parsing
DOC: reg-tests: update VTest upstream link in the starting guide
Olivier Houchard (1):
MEDIUM: h1: Immediately try to read data for frontend
William Lallemand (13):
BUILD: ssl: strchr definition changed in C23
BUG/MINOR: cfgparse: wrong section name upon error
BUG/MINOR: cli/stick-tables: argument to "show table" is optional
BUG/MEDIUM: ssl: fix error path on generate-certificates
BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than
64bytes
REGTESTS: ssl: fix generate-certificates w/ LibreSSL
MINOR: ssl: allow to disable certificate compression
BUG/MINOR: ssl: fix error message of tune.ssl.certificate-compression
CLEANUP: mworker/cli: remove useless variable
MINOR: mworker/cli: add 'debug' to 'show proc'
MINOR: mworker/cli: remove comment line for program when useless
MINOR: mworker/cli: 'show proc debug' for old workers
BUG/MINOR: mworker/cli: 'show proc' is limited by buffer size
Willy Tarreau (5):
BUG/MEDIUM: resolvers: break an infinite loop in
resolv_get_ip_from_response()
BUG/MINOR: backend: fix the conn_retries check for TFO
BUG/MINOR: backend: inspect request not response buffer to check for TFO
BUG/MINOR: config: check capture pool creations for failures
BUG/MEDIUM: debug: only dump Lua state when panicking
--
Christopher Faulet
