Hi,

This release comes a bit earlier than expected. The reason is that it contains two major fixes related to QUIC. These bugs were reported by Asim Viladi Oglu Manizada and can be exploited to remotely trigger a crash of the process. So please upgrade immediately if you're using QUIC listeners.

Note that by default, QUIC is not enabled, so only users with explicit QUIC bind lines in their configuration are vulnerable. Use the following command on your config files to find matching lines:

  $ grep '^[^#]*bind.*quic' <config_file>

The two patches are related to the QUIC packet parsing code. The first case is an integer overflow when handling a token and is tracked as CVE-2026-26081. The second one happens when decoding the frame type and causes an infinite loop which triggers the haproxy watchdog. It is tracked as CVE-2026-26080. If you want more details, please refer to the following article from the haproxy.com blog:

  https://www.haproxy.com/blog/cves-2026-quic-denial-of-service

Aside from these two major patches, this release comes with a series of other less important fixes. Here is the traditional summary of them.

There has been some discussion on the mailing list about the need for haproxy to validate HTTP chunk extensions. These extensions have never really been used, so haproxy previously simply discarded them when forwarding requests. However, they are used today in attempts to spot differences between HTTP stacks and to exploit them, and some vulnerable parsers were indeed found in other implementations. Thus, it has been decided that from the next 3.4 release, haproxy will check chunk extensions when present and reject those with an invalid quoted format. In this case, the request is not forwarded and the connection is aborted prematurely. In order to avoid any last-minute surprise for users upgrading from 3.3 to 3.4-LTS in a few months, it was decided to backport it to 3.3 so that both branches are identical regarding this stricter check.

In SSL configuration, the "@system-ca" parameter can be used to refer to the trusted CAs of the system. The documentation also mentions that the environment variable SSL_CERT_DIR can be used to override its value. However, this was not taken into account by the haproxy SSL subsystem. This is now correctly interpreted.

Another fix was made on QUIC related to retransmission.
During the handshake, if a server receives duplicated client crypto data, it can assume there was a packet loss. To speed up the handshake completion, the server may immediately retransmit its in-flight crypto data. However, the QUIC specification indicates that this should only be performed once per connection to avoid excessive transmission. This control was accidentally removed when the handling of crypto data with gaps was rewritten. This version restores the original behavior, which limits immediate retransmission to once per connection.

An internal fix was made for legacy applets to ensure that their I/O handler is never called after the shut operation. This improves the consistency of the API when writing applets. Note that on 3.3 it is harmless, as all applets are already converted to the newer architecture.

A bug was discovered in the haproxy task scheduler which could prevent a sleeping thread from being woken up to accept new connections. This bug is in fact really rare, as it only happens when the haproxy process is totally idle and without any outgoing connections, which never happens in real-world scenarios.

In 3.0, a new server setting "hash-key" was introduced for extra configuration of the consistent hash load balancing method. However, due to an internal code issue, this was not properly taken into account for dynamic servers added via the runtime API. Thus, the load-balancing server init module has been updated to fix the issue and prevent any similar ones in the future. Along with this change, the documentation related to "hash-key" has been extended for the "id" value, which is the default. It now states that only the 28 lowest bits of the server ID are taken into account, so anything above 268435456 will generate duplicate keys. This also affects the "random" load-balancing algorithm, which is the default method since 3.3.

In a related issue, it was reported that "balance random" isn't quite fair for low loads on many servers (i.e. much less total connections than servers, resulting in most servers being at 0 or 1 connection), because the comparison on the current load isn't a discriminant anymore. For this reason the algorithm now also uses the recent server activity (request rate) as a second discriminant so as to distribute the load more fairly across all servers.

Task profiling is a debugging tool for the haproxy scheduler. It was extended in 3.3 to also monitor time spent waiting on locks. However, this came with a performance regression noticeable on highly loaded systems. This is unfortunate, as some users have started to activate task profiling by default, since it can be an interesting way to monitor the process. To allow users to continue using such setups, task profiling has been adjusted so that the values "on" and "auto" no longer monitor lock usage. Lock monitoring can be enabled with the extra keyword "lock". There is also another keyword, "memory", for the time spent waiting for memory allocation.

The CPU policies "performance" and "efficiency" have been fixed, as the calculation was wrongly based on the number of CPUs instead of the number of cores. This resulted in an inefficient process allocation on some platforms, most notably with Intel's 14th gen CPUs which combine efficiency and performance cores.

An issue prevented haproxy from starting on FreeBSD when using nameservers over TCP. The function which parses network addresses has been adjusted and the problem is now solved.

This is the end of the changes for this release. Once again, users relying on QUIC have to update immediately. If this is not possible due to a delay constraint, know that you can add the keyword "tune.quic.listen off" in the global section: this effectively disables all QUIC listeners in the configuration without having to comment out each QUIC bind line, rendering the process immune to the crashes.
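Returning to the chunk-extension check described earlier in this mail: the following is an added example written for this page, not HAProxy's h1 parser, showing what "strictly verify quoting" means in practice. It parses one chunk-size line against the RFC 9112 section 7.1.1 grammar and rejects, rather than silently drops, any extension whose quoted-string is unterminated, contains a control byte, or carries a bad quoted-pair. The 16-hex-digit cap on chunk-size and the rejection of trailing whitespace after the size are choices made here, not something this mail states about haproxy.

```python
"""Strict parsing of an HTTP/1.1 chunk-size line, including chunk extensions.

Added illustration for this release note; not HAProxy's h1 parser. Grammar
from RFC 9112 section 7.1.1:

  chunk-line     = chunk-size [ chunk-ext ] CRLF
  chunk-ext      = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
  chunk-ext-val  = token / quoted-string
  quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
"""

TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
HEXDIG = frozenset(b"0123456789abcdefABCDEF")


class ChunkError(ValueError):
    """Malformed chunk-size line: the caller should abort the connection."""


def _skip_bws(buf, i):
    while i < len(buf) and buf[i] in (0x20, 0x09):
        i += 1
    return i


def _token(buf, i):
    start = i
    while i < len(buf) and buf[i] in TCHAR:
        i += 1
    if i == start:
        raise ChunkError("empty token at offset %d" % i)
    return buf[start:i], i


def _quoted_string(buf, i):
    out = bytearray()
    i += 1                                    # skip the opening DQUOTE
    while i < len(buf):
        c = buf[i]
        if c == 0x22:                         # closing DQUOTE
            return bytes(out), i + 1
        if c == 0x5C:                         # quoted-pair = "\" (HTAB / SP / VCHAR / obs-text)
            i += 1
            if i >= len(buf):
                raise ChunkError("dangling backslash in quoted-string")
            c = buf[i]
            if not (c in (0x09, 0x20) or 0x21 <= c <= 0x7E or c >= 0x80):
                raise ChunkError("invalid quoted-pair byte 0x%02x" % c)
        elif not (c in (0x09, 0x20, 0x21) or 0x23 <= c <= 0x5B
                  or 0x5D <= c <= 0x7E or c >= 0x80):
            raise ChunkError("invalid qdtext byte 0x%02x" % c)  # CR, LF, NUL, ...
        out.append(c)
        i += 1
    raise ChunkError("unterminated quoted-string")


def parse_chunk_line(line):
    """Return (chunk_size, [(ext_name, ext_value_or_None), ...]) or raise ChunkError.

    `line` is the raw chunk-size line including its CRLF, e.g. b'1a;ext="v"\\r\\n'.
    """
    if not line.endswith(b"\r\n"):
        raise ChunkError("chunk-size line must end with CRLF")
    buf = line[:-2]
    i = 0
    while i < len(buf) and buf[i] in HEXDIG:  # chunk-size = 1*HEXDIG: no sign, prefix or space
        i += 1
    if i == 0:
        raise ChunkError("missing chunk-size")
    if i > 16:                                # assumption: cap absurd sizes early
        raise ChunkError("chunk-size too long")
    size = int(buf[:i], 16)
    exts = []
    while i < len(buf):
        i = _skip_bws(buf, i)
        if i >= len(buf) or buf[i] != 0x3B:   # only ";" may follow the size or an extension
            raise ChunkError("expected ';' at offset %d" % i)
        name, i = _token(buf, _skip_bws(buf, i + 1))
        value = None
        j = _skip_bws(buf, i)
        if j < len(buf) and buf[j] == 0x3D:   # "=" means a chunk-ext-val follows
            i = _skip_bws(buf, j + 1)
            if i < len(buf) and buf[i] == 0x22:
                value, i = _quoted_string(buf, i)
            else:
                value, i = _token(buf, i)     # raises on an empty or invalid value
        exts.append((name, value))
    return size, exts


def is_valid_chunk_line(line):
    """True if the line parses, False if the connection should be aborted."""
    try:
        parse_chunk_line(line)
        return True
    except ChunkError:
        return False
```

The boolean wrapper is the policy this mail describes: on False, a proxy should abort the connection rather than forward the request, because a downstream parser that accepts what this grammar rejects is exactly the differential an attacker is probing for.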
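To make the low-load unfairness of "balance random" concrete, here is an added simulation written for this page, not HAProxy's lb code, of power-of-two-choices balancing. It assumes that the pre-fix behaviour on equal loads is to keep the first drawn server, and it models the request rate as a plain per-server counter; both are simplifications. The draws are injected so the runs are deterministic: four requests that all draw the same pair land on one server without the tie-break and are split evenly with it.

```python
"""Model of "balance random" tie-breaking at low load.

Added illustration for this release note, not HAProxy's lb code. Each request
draws two servers and keeps the one with the lowest current load. On equal
loads the assumed pre-fix behaviour keeps the first draw; the post-fix
behaviour prefers the server with the lowest recent request rate.
"""
import random


class Server:
    def __init__(self, idx):
        self.idx = idx
        self.cur_conns = 0   # current load: in-flight connections
        self.req_rate = 0    # recent activity, standing in for the per-server request rate


def pick(servers, draw, use_rate):
    """Return the chosen Server among the drawn indexes."""
    best = servers[draw[0]]
    for idx in draw[1:]:
        cand = servers[idx]
        if cand.cur_conns < best.cur_conns:
            best = cand
        elif cand.cur_conns == best.cur_conns and use_rate and cand.req_rate < best.req_rate:
            best = cand
    return best


def distribute(n_servers, draws, use_rate, instant_completion=True):
    """Route one request per draw; return the per-server request counts.

    With instant_completion each request finishes before the next one arrives
    (the "much less total connections than servers" regime), so cur_conns is 0
    for every server at decision time and the load comparison never discriminates.
    """
    servers = [Server(i) for i in range(n_servers)]
    counts = [0] * n_servers
    for draw in draws:
        s = pick(servers, draw, use_rate)
        s.cur_conns += 1
        s.req_rate += 1
        counts[s.idx] += 1
        if instant_completion:
            s.cur_conns -= 1
    return counts


def random_draws(n_servers, n_requests, seed=1):
    """Seeded sequence of two-server draws, for larger runs."""
    rng = random.Random(seed)
    return [(rng.randrange(n_servers), rng.randrange(n_servers)) for _ in range(n_requests)]


def idle_servers(counts):
    """Number of servers that never received a request."""
    return sum(1 for c in counts if c == 0)


if __name__ == "__main__":
    # 100 servers, 100 short requests: compare idle servers and the busiest one.
    draws = random_draws(100, 100)
    for use_rate in (False, True):
        counts = distribute(100, draws, use_rate)
        print("rate tie-break=%-5s idle=%3d max=%d" % (use_rate, idle_servers(counts), max(counts)))
```

Run it and compare the two lines: without the tie-break the second draw is wasted whenever loads are equal, so the spread is that of plain random selection with replacement; with it, the second draw still carries information.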
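Putting the grep from the top of this mail and the "tune.quic.listen off" mitigation together, the added script below (written for this page, not shipped with HAProxy) reports whether a configuration is actually exposed: it lists uncommented bind lines mentioning quic and checks for the global setting, so that the two-line global snippet following this example is recognised as the mitigation. The section-keyword list and the simple "#" comment rule are simplifications of the real configuration parser, and the sample configuration is constructed.

```python
"""Is this haproxy process exposed to the QUIC crashes fixed in this release?

Added illustration for this release note, not a script shipped with HAProxy.
An exposed process is one that has uncommented QUIC bind lines AND has not
set "tune.quic.listen off" in its global section. Comment stripping follows
the simple "#" rule (a backslash-escaped # is kept); the quoting subtleties
of the haproxy configuration parser are ignored.
"""
import re
import sys

# Section keywords recognised here (a subset of what haproxy accepts).
SECTION_RE = re.compile(
    r"^\s*(global|defaults|frontend|backend|listen|peers|resolvers|userlist|"
    r"mailers|cache|program|http-errors|ring|log-forward|crt-store)\b")
COMMENT_RE = re.compile(r"(?<!\\)#.*$")


def scan(config_text):
    """Return (quic_bind_lines, listen_disabled).

    quic_bind_lines is a list of (line_number, stripped_line); listen_disabled
    is True when "tune.quic.listen off" appears uncommented in the global section.
    """
    section = None
    quic_binds = []
    listen_off = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        words = line.split()
        if section == "global" and words[:2] == ["tune.quic.listen", "off"]:
            listen_off = True
        elif words[0] == "bind" and "quic" in line:   # same heuristic as the grep
            quic_binds.append((lineno, line))
    return quic_binds, listen_off


def exposed(config_text):
    """True when the configuration opens QUIC listeners and does not disable them."""
    quic_binds, listen_off = scan(config_text)
    return bool(quic_binds) and not listen_off


# Constructed sample configuration (not from a real deployment).
SAMPLE = """\
global
    log stdout format raw local0
    # tune.quic.listen off   <- commented out, so it does not count

frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem
    bind quic4@:443 ssl crt /etc/haproxy/site.pem alpn h3
    # bind quic6@:443 ssl crt /etc/haproxy/site.pem
    default_backend be_app

backend be_app
    server app1 10.0.0.1:8080
"""
# Same configuration with the mitigation from this mail applied.
MITIGATED = SAMPLE.replace("global\n", "global\n    tune.quic.listen off\n", 1)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    binds, off = scan(text)
    for lineno, line in binds:
        print("%4d: %s" % (lineno, line))
    print("tune.quic.listen off:", off)
    print("EXPOSED" if exposed(text) else "not exposed")
```

Run it as "python3 quic_check.py /etc/haproxy/haproxy.cfg" (the file name is a hypothetical one for this example); without an argument it checks the constructed sample. Note that "not exposed" only means no QUIC listener is open; upgrading is still the fix.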
  global
    tune.quic.listen off

In any case, every user is advised to update to benefit from all the latest improvements listed here.

Many thanks to Asim Viladi Oglu Manizada for having found the QUIC security bugs and for reaching out to us. His analysis was very detailed and helped us solve the issues quickly. Finally, thanks also to every other contributor to this release.

#############################################################################################

Please find the usual URLs below :
  Site index       : https://www.haproxy.org/
  Documentation    : https://docs.haproxy.org/
  Wiki             : https://github.com/haproxy/wiki/wiki
  Discourse        : https://discourse.haproxy.org/
  Slack channel    : https://slack.haproxy.org/
  Issue tracker    : https://github.com/haproxy/haproxy/issues
  Q&A from devs    : https://github.com/orgs/haproxy/discussions
  Sources          : https://www.haproxy.org/download/3.3/src/
  Git repository   : https://git.haproxy.org/git/haproxy-3.3.git/
  Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
  Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
  Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
  Pending bugs     : https://www.haproxy.org/l/pending-bugs
  Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
  Code reports     : https://www.haproxy.org/l/code-reports
  Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (4):
      BUG/MINOR: quic: ensure handshake speed up is only run once per conn
      BUG/MINOR: backend: fix access on shared counters array
      BUG/MAJOR: quic: reject invalid token
      BUG/MAJOR: quic: fix parsing frame type

Aperence (1):
      BUG/MINOR: config: Fix setting of alt_proto

Christopher Faulet (1):
      BUG/MEDIUM: applet: Fix test on shut flags for legacy applets

Egor Shestakov (3):
      DOC: internals: cleanup few typos in master-worker documentation
      BUG/MINOR: startup: fix allocation error message of progname string
      BUG/MINOR: startup: handle a possible strdup() failure

Olivier Houchard (1):
      BUG/MEDIUM: threads: Atomically set TH_FL_SLEEPING and clr FL_NOTIFIED

William Lallemand (1):
      BUG/MINOR: ssl: SSL_CERT_DIR environment variable doesn't affect haproxy

Willy Tarreau (10):
      MEDIUM: h1: strictly verify quoting in chunk extensions
      CLEANUP: haproxy: fix bad line wrapping in run_poll_loop()
      BUG/MINOR: cpu-topo: count cores not cpus to distinguish core types
      CLEANUP: lb-chash: free lb_nodes from chash's deinit(), not global
      BUG/MEDIUM: lb-chash: always properly initialize lb_nodes with dynamic servers
      DOC: config: mention the limitation on server id range for consistent hash
      MEDIUM: backend: make "balance random" consider req rate when loads are equal
      MINOR: activity: support setting/clearing lock/memory watching for task profiling
      MEDIUM: activity: apply and use new finegrained task profiling settings
      MINOR: activity: allow to switch per-task lock/memory profiling at runtime

---

-- 
Amaury Denoyelle

