Hi, HAProxy 3.2.13 was released on 2026/02/19. It added 29 new commits after version 3.2.12.
This announce is quite smiliar to the 3.3.3 announce. Thanks to Mike Walker that found two issues on QUIC, both fixed. First, a possible crash issue was identified when an HTTP tunnel is established with QUIC on client side. It was fixed by reverting a commit a bit too strict. Then, it was clear that the CONNECT never worked. So it was disabled for now, waiting for time to fix it properly. Then, HTTP multiplexers were fixed to disable the 0-copy data forwarding if the stream is already closed (for h2/h3) or if the message is already finished (h1). This way, errors can be properly handled on the usual sending path. It is a theoretical issue that should not happen, except if there are internal issues. A 3.2.12 regression on applet management, preventing some applets to be properly shutdown, was fixed. Depending on the applets, the effect of this bug could vary. For the DNS applets, it could lead to a connections leak, stalled in CLOSE_WAIT state. For the peer applets, the maxconn can be reached, preventing the peers synchronisation. The wait-for-body HTTP action was fixed to properly handle client aborts when waiting for the response payload and when "abort-on-cloe" option is set. The action is now interrupted as expected instead of triggering an internal error. Several issue were fixed on SSL. A possible user-after-free on cached TLS session on server side. A lock was missing to protect the session release on handshake error. Note that while this fix remains valide, this part requires a deeper review, so it will not be backported immediately to lower versions. But this bug is here since a while and was never triggered, so there is no emergency. Several issues with "ssl-f-use" directive parsing were fixed: A double free and a memory leak on error paths, too light reporting of parsing errors and an issue when no "crt" keyword was used. David Carlier fixed several minor issues on Device Atlas addon. The remaining is the usual bunch of doc improvements, small internal fixes and cleanups here and there. Everyone running QUIC on client side should consider to upgrade to this version. Thanks everyone for your help. Please find the usual URLs below : Site index : https://www.haproxy.org/ Documentation : https://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : https://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Q&A from devs : https://github.com/orgs/haproxy/discussions Sources : https://www.haproxy.org/download/3.3/src/ Git repository : https://git.haproxy.org/git/haproxy-3.3.git/ Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest Pending bugs : https://www.haproxy.org/l/pending-bugs Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs Code reports : https://www.haproxy.org/l/code-reports Latest builds : https://www.haproxy.org/l/dev-packages --- Complete changelog : Amaury Denoyelle (2): BUG/MAJOR: Revert "MEDIUM: mux-quic: add BUG_ON if sending on locally closed QCS" BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented Christopher Faulet (8): BUG/MEDIUM: mux-h2/quic: Stop sending via fast-forward if stream is closed BUG/MEDIUM: mux-h1: Stop sending vi fast-forward for unexpected states BUG/MEDIUM: applet: Fix test on shut flags for legacy applets (v2) DEV: term-events: Fix hanshake events decoding BUG/MINOR: flt-trace: Properly compute length of the first DATA block CLEANUP: compression: Remove unused static buffers BUG/MINOR: http-ana: Stop to wait for body on client error/abort MINOR: stconn: Add missing SC_FL_NO_FASTFWD flag in sc_show_flags David Carlier (9): BUG/MINOR: deviceatlas: add missing return on error in config parsers BUG/MINOR: deviceatlas: add NULL checks on strdup() results in config parsers BUG/MEDIUM: deviceatlas: fix resource leaks on init error paths BUG/MINOR: deviceatlas: fix off-by-one in da_haproxy_conv() BUG/MINOR: deviceatlas: fix cookie vlen using wrong length after extraction BUG/MINOR: deviceatlas: fix double-checked locking race in checkinst BUG/MINOR: deviceatlas: fix resource leak on hot-reload compile failure BUG/MINOR: deviceatlas: fix deinit to only finalize when initialized BUG/MINOR: deviceatlas: set cache_size on hot-reloaded atlas instance Egor Shestakov (1): CLEANUP: mux-h1: Remove unneeded null check William Lallemand (8): DOC: internals: addd mworker V3 internals BUG/MINOR: ssl: lack crtlist_dup_ssl_conf() declaration BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser BUG/MINOR: ssl: fix leak in ssl-f-use parser upon error BUG/MINOR: ssl: clarify ssl-f-use errors in post-section parsing BUG/MINOR: ssl: error with ssl-f-use when no "crt" CI: vtest: move the vtest2 URL to vinyl-cache.org CI: github: disable windows.yml by default on unofficials repo Willy Tarreau (1): DOC: proxy-proto: underline the packed attribute for struct pp2_tlv_ssl -- Christopher Faulet
