Hi,

This release comes a bit earlier than expected. The reason is that it contains one major fix related to QUIC. This bug was reported by Asim Viladi Oglu Manizada and can be exploited to remotely trigger a crash of the process. So please upgrade immediately if you're using QUIC listeners. Note that by default, QUIC is not enabled, so only users with explicit QUIC bind lines added in their configuration are vulnerable. Use the following command on your config files to find matching lines:

  $ grep '^[^#]*bind.*quic' <config_file>

The patch is related to the QUIC packet parsing code. It is a case of integer overflow when handling a token and is assigned CVE-2026-26081. Note that contrary to 3.2 and above, the 3.0 version is not affected by CVE-2026-26080. If you want more details, please refer to the following article from the haproxy.com blog:

  https://www.haproxy.com/blog/cves-2026-quic-denial-of-service

Aside from this major patch, this release comes with a series of other less important fixes. Here is the traditional summary of them.

SSL connections with SNI on the backend side could behave unexpectedly due to inappropriate TLS session resumption. This could affect both regular and health check traffic. Now, the SNI hash is taken into account to ensure a TLS session is resumed only if it matches. Also, health checks won't perform TLS session resumption, as the SSL settings for checks can differ from those of regular traffic.

An internal fix was made for applets to ensure that their I/O handler is never called after the shut operation. Previously this was not the case, in violation of the applets API, and it could cause unexpected issues. One of them affected the Prometheus exporter, with a crash encountered when accessing a corrupted server instance. With the API now strictly enforced, this is no longer the case.

A bug was discovered in the haproxy task scheduler which could prevent a sleeping thread from being woken up to accept new connections. This bug is in fact really rare, as it only happens when the haproxy process is totally idle and without any outgoing connections, which never happens in real-world scenarios.

In 3.0, a new server setting "hash-key" was introduced for extra configuration of the consistent hash load balancing method. However, due to an internal code issue, it was not properly taken into account for dynamic servers added via the runtime API. Thus, the load-balancing server init module has been updated to fix the issue and prevent any similar ones in the future. Along with this change, the documentation for "hash-key" has been extended for the "id" value, which is the default. It now indicates that only the 28 lowest bits of the server ID are taken into account, so anything above 268435456 will generate duplicate keys. This also affects the "random" load-balancing algorithm.

The HTTP/2 multiplexer on the backend side has been adjusted to properly take into account a received GOAWAY. Previously, new streams could still be opened until reaching the ID advertised by the peer. However, this is not fair to the remote side, so now the connection won't be reused after a GOAWAY is received.

For listeners used in transparent mode, the client destination address reported by the "dst" sample could mistakenly reflect the client source address when netfilter conntrack is used simultaneously. This has been worked around by ignoring the conntrack address when transparent mode is detected.

This is the end of the changes for this release. Once again, users relying on QUIC have to update immediately. If this is not possible due to a delay constraint, know that you can add the keyword "no-quic" in the global section: this effectively disables any QUIC listeners in the configuration without having to comment out each QUIC bind line, rendering the process immune to the crashes.

  global
    no-quic

In any case, every user is advised to update to benefit from all the latest improvements listed here.

Many thanks to Asim Viladi Oglu Manizada for having found the QUIC security bugs and reaching out to us. His analysis was very detailed and helped us solve the issues quickly. Finally, thanks also to every other contributor to this release.
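As an added example that is not part of this announcement nor of the HAProxy project, the POSIX shell script below turns the two checks a 3.0 operator is asked to make into one config audit: it lists uncommented QUIC bind lines with the exact grep pattern given above, checks whether the global "no-quic" keyword is present as the stop-gap mitigation, and reports explicit server "id" values that collide once reduced to the 28 low-order bits used by the consistent hash "id" key (id mod 2^28). The sample configuration files, the temporary directory and all function names are constructed for the example; it assumes a single config file with one directive per line (no include mechanism) and tracks only the global/defaults/frontend/backend/listen section keywords.

```shell
#!/bin/sh
# Added example, not HAProxy project code. Audits a haproxy config for the two
# points raised in the 3.0 release mail: active QUIC listeners (with or without the
# global "no-quic" mitigation) and server IDs that collide on their 28 low bits.
# Assumption: one directive per line, a single file, no include-style mechanism.

# Uncommented bind lines that enable QUIC (same grep pattern as the release mail).
quic_bind_lines() {
    grep '^[^#]*bind.*quic' "$1"
}

# Exit 0 if an uncommented "no-quic" keyword sits in the global section, 1 otherwise.
# Only the main section keywords are tracked (assumption of this example).
has_global_no_quic() {
    awk '
        $1 == "global" || $1 == "defaults" || $1 == "frontend" || $1 == "backend" || $1 == "listen" { section = $1 }
        section == "global" && $1 == "no-quic" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 when QUIC listeners are configured and no global mitigation is in place.
quic_exposed() {
    quic_bind_lines "$1" >/dev/null && ! has_global_no_quic "$1"
}

# Explicit "id" values on uncommented server lines. The "id" that follows the
# "hash-key" keyword is a key name, not a server ID, so it is skipped.
server_ids_in_config() {
    awk '$1 == "server" { for (i = 3; i <= NF; i++) if ($i == "id" && $(i - 1) != "hash-key") print $(i + 1) }' "$1"
}

# The consistent hash "id" key keeps only 28 bits: key = id mod 2^28 (268435456).
hash_key_of() {
    echo $(( $1 % 268435456 ))
}

# Given server IDs as arguments, print each id whose key was already produced by an
# earlier id. Exit 0 if every key is unique, 1 if at least one collision was found.
find_duplicate_keys() {
    seen=" "
    dup=0
    for id in "$@"; do
        key=$(hash_key_of "$id")
        case "$seen" in
            *" $key "*) echo "server id $id -> key $key (duplicate)"; dup=1 ;;
        esac
        seen="$seen$key "
    done
    return $dup
}

# Constructed sample configs (not real deployments) used to exercise the checks.
WORKDIR=$(mktemp -d)

cat > "$WORKDIR/exposed.cfg" <<'EOF'
global
    log stdout format raw local0

frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    # bind quic6@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    default_backend be_app

backend be_app
    balance uri
    hash-type consistent
    server app1 10.0.0.1:8080 id 1 hash-key id
    server app2 10.0.0.2:8080 id 2
    server app3 10.0.0.3:8080 id 268435457
EOF

cat > "$WORKDIR/mitigated.cfg" <<'EOF'
global
    no-quic

frontend fe_web
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
EOF

cat > "$WORKDIR/tcp_only.cfg" <<'EOF'
frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem
EOF

# One verdict per file for the QUIC exposure, plus a server-id collision report.
audit_config() {
    cfg=$1
    if quic_exposed "$cfg"; then
        echo "$cfg: QUIC listeners active and no global no-quic, update or mitigate:"
        quic_bind_lines "$cfg" | sed 's/^/    /'
    elif quic_bind_lines "$cfg" >/dev/null; then
        echo "$cfg: QUIC listeners present but disabled by global no-quic"
    else
        echo "$cfg: no QUIC listeners"
    fi
    ids=$(server_ids_in_config "$cfg")
    # word splitting of $ids into separate arguments is intended here
    if [ -n "$ids" ] && ! find_duplicate_keys $ids; then
        echo "$cfg: explicit server ids collide on their 28 low bits"
    fi
}

for cfg in "$WORKDIR"/*.cfg; do
    audit_config "$cfg"
done
```

Run as a script it prints one verdict per sample file; on a real host, call audit_config with your own config path. An "exposed" verdict means the process accepts QUIC and the only remedies are the ones the announcement gives: upgrade, or add "no-quic" to the global section until you can.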
#############################################################################################

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.0/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.0.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.0.git
   Changelog        : https://www.haproxy.org/download/3.0/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (1):
      BUG/MAJOR: quic: reject invalid token

Christopher Faulet (9):
      MINOR: ssl: Add a function to hash SNIs
      MINOR: ssl: Store hash of the SNI for cached TLS sessions
      MINOR: ssl: Compare hashes instead of SNIs when a session is cached
      MINOR: connection/ssl: Store the SNI hash value in the connection itself
      MEDIUM: tcpcheck/backend: Get the connection SNI before initializing SSL ctx
      BUG/MEDIUM: ssl: Don't reuse TLS session if the connection's SNI differs
      MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions
      BUG/MAJOR: applet: Don't call I/O handler if the applet was shut
      BUG/MEDIUM: applet: Fix test on shut flags for legacy applets

Olivier Houchard (3):
      MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag
      BUG/MEDIUM: ssl: Don't resume session for check connections
      BUG/MEDIUM: threads: Atomically set TH_FL_SLEEPING and clr FL_NOTIFIED

Willy Tarreau (5):
      BUG/MINOR: sock-inet: ignore conntrack for transparent sockets on Linux
      BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend stream
      CLEANUP: haproxy: fix bad line wrapping in run_poll_loop()
      BUG/MEDIUM: lb-chash: always properly initialize lb_nodes with dynamic servers
      DOC: config: mention the limitation on server id range for consistent hash

---
-- 
Amaury Denoyelle

