Hi,

HAProxy 2.8.19 was released on 2026/03/09. It added 43 new commits
after version 2.8.18. It's a bit larger than more recent versions
because no 2.8 was issued since end of December. Some parts of the
changelog come from the 3.0.15 changelog:

- We found an issue with the dump of the Lua state when watchdog warnings
  were emitted, leading to crashes or CPU loops. "show threads" CLI
  command was also affected. Because the purpose of the Lua backtrace was
  to help locate Lua call places upon a panic, it is now called on panic
  only. In addition, hlua_traceback() function was fixed to no longer
  corrupt the stack (the root cause of the debugger issue).

- Several issues were fixed on the SSL part. With the certificate
  generation mechanism, some errors were not properly handled, leading to
  crashes with AWS-LC, and the "CN" was not ignored when the SNI was
  greater than 64 bytes, leading to handshake failures.

- On QUIC, the ACK ECN frame parsing was fixed to avoid desynchronization
  in the frames parsing code, which could lead to a connection abort due
  to an invalid frame content read.

- The ALPN handling for listeners was improved to better handle cases
  where the protocol is forced with the "proto" keyword, preventing
  connection errors in certain configurations (e.g. when "proto h1" is
  forced while the default ALPN was still "h2,http/1.1").

- Since 2.6, the TCP fast-open option (TFO) was no longer enabled on
  server connections because of a wrong test on the number of connection
  retries. In addition, also since 2.6, the wrong buffer was checked (the
  response one instead of the request one), which also broke TFO. Both
  issues were fixed.

- Minor issues about the configuration parsing were fixed. Among others,
  the parsing of an invalid expression for the "set-map" action no longer
  crashes on deinit, the allocation failures of some pools are now
  properly handled, and defaults sections with the same name no longer lead
  to crashes on deinit.

- frontend sockets in transparent mode will now ignore conntrack so as
  not to return the wrong source/destination addresses in case a late
  retransmit happens from the local host after the connection expires.

- H2/HPACK: the varint decoder would accept integers larger than 32-bit
  but would keep the value as valid, though the spec mandates that an
  error should be reported in this case. The only effect would be that
  haproxy could decode a stream of bytes that an observer on the wire
  (e.g. wireshark) could fail to parse. It will now properly return an
  error.

- H2: some pending errors were not immediately reported to the stream if
  they happened before the stream was instantiated, resulting in the
  stream being created and waiting for a timeout before failing.

- H3/QPACK: a crash can be caused by an out-of-bounds read if a malformed
  HPACK instruction is passed to the huffman decoder. A CVE was requested
  for this one. The same issue with varints as with the HPACK decoder
  above was also addressed (except that it's 64-bit in QPACK).
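The HPACK and QPACK varint bullets above describe the same class of defect: a decoder that keeps an oversized value instead of reporting an error. The decoder below is an added example, not haproxy's hpack/qpack code; it follows RFC 7541 §5.1, takes the caller's limit (32-bit for HPACK, 62-bit for QPACK as RFC 9204 §4.1.1 specifies), and checks for overflow before each addition so that a wrapped-around value is never accepted. The test vectors are the ones from RFC 7541 Appendix C plus a constructed overflow case.

```c
#include <stddef.h>
#include <stdint.h>

/* Widest integer a decoder must accept: 32 bits for HPACK (RFC 7541),
 * 62 bits for QPACK (RFC 9204 §4.1.1). Anything larger is an error. */
#define HPACK_INT_MAX ((uint64_t)UINT32_MAX)
#define QPACK_INT_MAX ((UINT64_C(1) << 62) - 1)

/* Decode one prefixed integer (RFC 7541 §5.1). prefix_bits is N (1..8),
 * maxval the caller's limit. Returns bytes consumed, or 0 on error:
 * truncated input, a continuation byte whose contribution would not fit
 * in 64 bits, or a value above maxval. Each check runs *before* the
 * addition, so a wrapped-around value is never kept as if it were valid. */
size_t decode_prefixed_int(const uint8_t *buf, size_t len, int prefix_bits,
                           uint64_t maxval, uint64_t *out)
{
    if (len == 0 || prefix_bits < 1 || prefix_bits > 8)
        return 0;
    uint64_t mask = (1u << prefix_bits) - 1;
    uint64_t val = buf[0] & mask;
    size_t pos = 1;

    if (val < mask) {                     /* value fits in the prefix */
        *out = val;
        return pos;
    }
    for (unsigned shift = 0; ; shift += 7) {
        if (pos >= len)                   /* out of bytes: truncated */
            return 0;
        uint8_t b = buf[pos++];
        uint64_t add = b & 0x7f;
        if (shift >= 64 || ((add << shift) >> shift) != add)
            return 0;                     /* shift would lose bits */
        uint64_t contrib = add << shift;
        if (contrib > maxval || val > maxval - contrib)
            return 0;                     /* sum would exceed maxval */
        val += contrib;
        if (!(b & 0x80))                  /* no continuation bit: done */
            break;
    }
    *out = val;
    return pos;
}

/* Convenience wrapper: the decoded value, or -1 on any decoding error. */
int64_t decode_or_fail(const uint8_t *buf, size_t len, int prefix_bits, uint64_t maxval)
{
    uint64_t v;
    return decode_prefixed_int(buf, len, prefix_bits, maxval, &v) ? (int64_t)v : -1;
}
```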

- H1: while the request was properly tested, a test was missing on the
  response to ensure that the version starts with "HTTP/". There's
  normally no impact on this since users who could rely on such a thing
  are expected to already use "accept-unsafe-violations-in-http-response".

- resolvers: domain name conversion to lowercase in responses was
  performed on the whole string, hence on the length delimiters as well.
  For very long names (65 to 90 chars per component) this would result in
  artificially inflating the name and possibly even crash the process in
  some cases.
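As an added example (not haproxy's resolvers code), the helper below lowercases a DNS wire-format name label by label: it uses each length byte only to walk the name, never passes it through tolower(), and rejects any length it cannot trust. The sample name is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Lowercase the labels of an uncompressed DNS wire-format name in place.
 * Only label bytes go through tolower(); the length byte in front of each
 * label is used to walk the name and is never modified, so a length of,
 * say, 65 ('A') can never be rewritten into 97 ('a') and inflate the name.
 * Returns the encoded length including the terminating zero, or 0 if the
 * name is malformed (truncated, label longer than 63, compression pointer). */
size_t dns_name_lowercase(uint8_t *name, size_t len)
{
    size_t pos = 0;

    while (pos < len) {
        uint8_t l = name[pos++];

        if (l == 0)                  /* root label: end of the name */
            return pos;
        if (l > 63)                  /* 0xC0.. pointer or oversized label */
            return 0;
        if (pos + l > len)           /* label runs past the buffer */
            return 0;
        for (size_t i = 0; i < l; i++)
            name[pos + i] = (uint8_t)tolower(name[pos + i]);
        pos += l;
    }
    return 0;                        /* no terminating zero: truncated */
}

/* Constructed sample: "WWW.ExAMpLE.CoM" in wire format. Returns the buffer
 * after lowercasing, or NULL if the walker rejected it. */
const uint8_t *demo_lowercase_sample(void)
{
    static uint8_t name[] = { 3, 'W', 'W', 'W',
                              7, 'E', 'x', 'A', 'M', 'p', 'L', 'E',
                              3, 'C', 'o', 'M', 0 };
    return dns_name_lowercase(name, sizeof(name)) == sizeof(name) ? name : NULL;
}
```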

- FastCGI: a crash might be triggered by a non-compliant server sending
  records with malformed names/values. In addition, a theoretically
  possible case of crash was addressed in the fcgi_send() function where a
  stream might possibly remove itself from a list that is being scanned,
  though we're not sure how this could be triggered.

- minor stuff (missing check for allocation failure when calling
  EVP_Digest* in the sha2() converter, upgrade to websocket for dispatch/
  transparent).

- it is now possible to disable the certificates compression by setting
  the new "tune.ssl.certificate-compression" global directive to "off".

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (3):
      MINOR: cfgparse: remove duplicate "force-persist" in common kw list
      BUG/MEDIUM: quic: fix ACK ECN frame parsing
      BUG/MINOR: proxy: free persist_rules

Aurelien DARRAGON (3):
      BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in release_http_map()
      BUG/MEDIUM: hlua: fix invalid lua_pcall() usage in hlua_traceback()
      BUG/MINOR: hlua: consume error object if ignored after a failing lua_pcall()

Christian Ruppert (1):
      REGTESTS: ssl: Fix reg-tests curve check

Christopher Faulet (12):
      BUG/MEDIUM: http-ana: Properly detect client abort when forwarding response (v2)
      BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already received
      MINOR: muxes: Support an optional ALPN string when defining mux protocols
      MINOR: config: Do proto detection for listeners before checks about ALPN
      BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if forced
      BUG/MINOR: promex: Detach promex from the server on error dump its metrics dump
      BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
      BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
      BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
      BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending
      BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures
      BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server

Egor Shestakov (2):
      BUG/MINOR: cfgparse: fix "default" prefix parsing
      DOC: reg-tests: update VTest upstream link in the starting guide

Frederic Lecaille (3):
      BUG/MAJOR: qpack: unchecked length passed to huffman decoder
      BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()
      BUG/MEDIUM: qpack: correctly deal with too large decoded numbers

William Lallemand (10):
      BUILD: ssl: strchr definition changed in C23
      BUG/MINOR: cfgparse: wrong section name upon error
      BUG/MINOR: cli/stick-tables: argument to "show table" is optional
      BUG/MEDIUM: ssl: fix error path on generate-certificates
      BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
      REGTESTS: ssl: fix generate-certificates w/ LibreSSL
      MINOR: ssl: allow to disable certificate compression
      BUG/MINOR: ssl: fix error message of tune.ssl.certificate-compression
      CI: vtest: move the vtest2 URL to vinyl-cache.org
      CI: github: disable windows.yml by default on unofficials repo

Willy Tarreau (9):
      BUG/MINOR: backend: fix the conn_retries check for TFO
      BUG/MINOR: backend: inspect request not response buffer to check for TFO
      BUG/MINOR: sock-inet: ignore conntrack for transparent sockets on Linux
      BUG/MEDIUM: debug: only dump Lua state when panicking
      BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend stream
      BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream
      BUG/MEDIUM: hpack: correctly deal with too large decoded numbers
      SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode
      SCRIPTS: git-show-backports: add a restart-from-last option
