Hi,
HAProxy 3.3.5 was released on 2026/03/09. It added 28 new commits
after version 3.3.4.
- H2/HPACK: the varint decoder would accept integers larger than 32-bit
but would keep the value as valid, though the spec mandates that an
error should be reported in this case. The only effect would be that
haproxy could decode a stream of bytes that an observer on the wire
(e.g. wireshark) could fail to parse. It will now properly return an
error.
- H2: glitches were not counted for invalid trailers, making it harder to
stop floods involving them. "tune.h2.log-errors" was backported. It
permits disabling the emission of logs for H2 errors that result in
aborting the request or the connection, saving precious CPU cycles
(and disk space) under flood attacks. Last, some pending errors were not
immediately reported to the stream if they happened before the stream
was instantiated, resulting in the stream being created and waiting for
a timeout before failing.
- H3/QPACK: a crash can be caused by an out-of-bounds read if a malformed
HPACK instruction is passed to the huffman decoder. A CVE was requested
for this one. The same issue with varints as with the HPACK decoder
above was also addressed (except that it's 64-bit in QPACK).
- QUIC backend: an incorrect check could result in an out-of-bounds read
in the preferred_address transport parameter, possibly crashing the
process. As a reminder, QUIC on the backend is still experimental.
- H1: while the request was properly tested, a test was missing on the
response to ensure that the version starts with "HTTP/". There's
normally no impact on this since users who could rely on such a thing
are expected to already use "accept-unsafe-violations-in-http-response".
- prometheus: the iterator wasn't robust against dynamic server deletion,
possibly resulting in crashes if the exporter had to stop on a server
that was deleted before the exporter could resume sending.
- streams: an internal task message (TASK_WOKEN_RES) was not properly
converted to a stream event (STRM_EVT_RES) so that if a request got
dequeued at the same moment a timeout triggered, the stream would
stay blocked till the queue timeout expiration.
- resolvers: domain name conversion to lowercase in responses was
performed on the whole string, hence on the length delimiters as well.
For very long names (65 to 90 chars per component) this would result in
artificially inflating the name and could even crash the process in
some cases.
- Lua: there was a possible risk of waiting for data forever when using the
HTTP applet in case a call is made to the receive function after everything
was already consumed. In addition, the wakeup/pause events associated with
reading via getline() were incorrectly set and could result in some fast
loops, possibly even triggering the watchdog.
- FastCGI: a crash might be triggered by a non-compliant server sending
records with malformed names/values. In addition, a theoretically
possible case of crash was addressed in the fcgi_send() function where a
stream might possibly remove itself from a list that is being scanned,
though we're not sure how this could be triggered.
- emitted byte counts per request could be reported lower than reality
when fast-forward was involved.
- req.bytes_{in,out} was reporting req.bytes_{in,out} due to a missing
"else" statement. Also, res.bytes_out was not incremented if an error
was sent by haproxy.
- a bit more debugging (currently running rule in stream dump, last rule
also committed when a filter fails).
- minor stuff (legacy applets byte counting, missing check for allocation
failure when calling EVP_Digest* in the sha2() converter, upgrade to
websocket for dispatch/transparent, haproxy-reload --verbose=all, doc
fixes).
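The HPACK and QPACK varint items above both come down to the same decoder logic: an RFC 7541 section 5.1 prefixed integer whose continuation bytes are accumulated without checking that the result still fits in the allowed width. The decoder below is an added example written for this announcement, not HAProxy's hpack/qpack code; function names are mine, and the width limit is a parameter (32 bits for the HPACK case, 64 for QPACK), with the constructed input 2^32 rejected by the former and accepted by the latter.

```c
#include <stdint.h>
#include <stddef.h>

/* Decode an HPACK/QPACK prefixed integer (RFC 7541 section 5.1).
 * prefix_bits is N (1..8); max_bits bounds the accepted value (32 for
 * HPACK, 64 for QPACK). Returns bytes consumed, or -1 on truncation/overflow. */
int decode_prefixed_int(const uint8_t *buf, size_t len, int prefix_bits,
                        int max_bits, uint64_t *out)
{
    uint64_t limit = (max_bits >= 64) ? UINT64_MAX : ((1ULL << max_bits) - 1);
    uint64_t mask = (1u << prefix_bits) - 1, val;
    size_t pos = 0;
    int shift = 0;
    if (len == 0)
        return -1;
    val = buf[pos++] & mask;
    if (val < mask) {               /* fits in the prefix bits */
        *out = val;
        return (int)pos;
    }
    for (;;) {
        uint8_t b;
        uint64_t chunk, add;
        if (pos >= len)
            return -1;              /* truncated continuation */
        b = buf[pos++];
        chunk = b & 0x7f;
        /* A lenient decoder does val += chunk << shift and silently
         * wraps (or shifts past 64 bits); both are errors here. */
        if (shift > 63 || chunk > (limit >> shift))
            return -1;
        add = chunk << shift;
        if (val > limit - add)
            return -1;
        val += add;
        shift += 7;
        if (!(b & 0x80))
            break;
    }
    *out = val;
    return (int)pos;
}

/* Wrapper with a 5-bit prefix: decoded value, or -1 on error (values
 * of 2^63 and above do not fit the return type and are out of scope). */
int64_t try_decode(const uint8_t *buf, size_t len, int max_bits)
{
    uint64_t v = 0;
    return decode_prefixed_int(buf, len, 5, max_bits, &v) < 0 ? -1 : (int64_t)v;
}
```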
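The resolvers item above is worth seeing in wire-format terms: a DNS name is a sequence of <length><label> components, and the 65..90 range quoted there is exactly the byte range of 'A'..'Z', so a length delimiter falling in it gets 32 added by tolower(). This is an added example, not HAProxy's resolver code; it assumes the standard RFC 1035 encoding (labels of at most 63 bytes, 2-byte compression pointers) and the function names are mine. It puts the naive whole-buffer conversion beside a label-aware one that validates each delimiter before touching the label.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flawed approach: lowercase every byte of the encoded name, length
 * delimiters included. A delimiter of 65..90 ('A'..'Z') becomes
 * 97..122, so the next label is then read 32 bytes longer than it is. */
void lower_name_naive(uint8_t *name, size_t len)
{
    for (size_t i = 0; i < len; i++)
        name[i] = (uint8_t)tolower(name[i]);
}

/* Label-aware version: walk the <len><label> components, validate each
 * length against the buffer and the 63-byte label limit, lowercase only
 * label bytes. Returns the encoded length, or -1 if the name is malformed. */
int lower_name_labels(uint8_t *name, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        uint8_t l = name[pos++];
        if (l == 0)
            return (int)pos;                  /* root label: done */
        if ((l & 0xC0) == 0xC0)               /* 2-byte compression pointer */
            return pos < len ? (int)pos + 1 : -1;
        if (l > 63 || l > len - pos)
            return -1;                        /* bad length or truncated */
        for (; l > 0; l--, pos++)
            name[pos] = (uint8_t)tolower(name[pos]);
    }
    return -1;                                /* no root label */
}

/* Helper: copy `in` (at most 255 bytes, the DNS name limit), lowercase
 * it with the naive or the label-aware method, and compare with
 * `expect`: 1 if equal, 0 if different, -1 if rejected as malformed. */
int lowered_equals(const uint8_t *in, size_t len, int naive,
                   const uint8_t *expect)
{
    uint8_t buf[255];
    if (len > sizeof(buf))
        return -1;
    memcpy(buf, in, len);
    if (naive)
        lower_name_naive(buf, len);
    else if (lower_name_labels(buf, len) < 0)
        return -1;
    return memcmp(buf, expect, len) == 0;
}
```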
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.3/src/
Git repository : https://git.haproxy.org/git/haproxy-3.3.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (1):
BUG/MINOR: promex: fix server iteration when last server is deleted
Christopher Faulet (16):
BUG/MEDIUM: stream: Handle TASK_WOKEN_RES as a stream event
BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
DEBUG: stream: Display the currently running rule in stream dump
MINOR: filters: Set last_entity when a filter fails on stream_start callback
DOC: config: Use the right alias for %B
BUG/MINOR: channel: Increase the stconn bytes_in value in channel_add_input()
BUG/MINOR: sample: Fix sample to retrieve the number of bytes received and sent
BUG/MINOR: http-ana: Increment scf bytes_out value if an haproxy error is sent
BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending
BUG/MINOR: hlua: Properly enable/disable line receives from HTTP applet
BUG/MEDIUM: hlua: Fix end of request detection when retrieving payload
BUG/MINOR: stconn: Increase SC bytes_out value in se_done_ff()
BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures
BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server
Frederic Lecaille (4):
BUG/MAJOR: qpack: unchecked length passed to huffman decoder
BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()
BUG/MINOR: quic: fix OOB read in preferred_address transport parameter
BUG/MEDIUM: qpack: correctly deal with too large decoded numbers
William Lallemand (1):
BUG/MINOR: admin: haproxy-reload rename -vv long option
Willy Tarreau (6):
MINOR: mux-h2: also count glitches on invalid trailers
MINOR: mux-h2: add a new setting, "tune.h2.log-errors" to tweak error logging
BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream
BUG/MEDIUM: hpack: correctly deal with too large decoded numbers
SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode
SCRIPTS: git-show-backports: add a restart-from-last option
---