Hi,

HAProxy 2.4.31 was released on 2026/03/09. It added 15 new commits after version 2.4.30.

  - H2/HPACK: the varint decoder would accept integers larger than 32-bit but would keep the value as valid, though the spec mandates that an error should be reported in this case. The only effect would be that haproxy could decode a stream of bytes that an observer on the wire (e.g. wireshark) could fail to parse. It will now properly return an error.

  - H1: while the request was properly tested, a test was missing on the response to ensure that the version starts with "HTTP/". There's normally no impact on this since users who could rely on such a thing are expected to already use "accept-unsafe-violations-in-http-response".

  - resolvers: domain name conversion to lowercase in responses was performed on the whole string, hence on the length delimiters as well. For very long names (65 to 90 chars per component) this would result in artificially inflating the name and possibly even crash the process in some cases.

  - FastCGI: a crash might be triggered by a non-compliant server sending records with malformed names/values. In addition, a theoretically possible case of crash was addressed in the fcgi_send() function where a stream might possibly remove itself from a list that is being scanned, though we're not sure how this could be triggered.

  - A slow memory leak of SSL captures has been noticed over the last two years on haproxy.org, making us believe that it was in the SSL lib, because the counters we placed around it showed more calls to the init() callback than the release() one. We were actually wrong and discovered that in TLS 1.3 there can be two consecutive Client Hello messages on a connection and that this caused the capture area to be allocated twice and only the last one was freed. At least it explained everything, and this was fixed (and confirmed to no longer leak).

  - minor stuff (upgrade to websocket for dispatch/transparent).

Given that 2.4 reaches EOL in about 3 months, this possibly is the last release for the 2.4 branch.
We're no longer seeing reports in the issue tracker for 2.4 (nor 2.6 BTW) but if you're a happy user of this branch, it would be time to attempt an upgrade before it's no longer supported. 3.2 is a good candidate for those seeking a balance of performance and stability.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy

---
Complete changelog :
Christopher Faulet (6):
      REGTESTS: Explicitly allow failing shell commands in some scripts
      BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
      BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
      BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
      BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending
      BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server

Valentine Krasnobaeva (1):
      BUG/MINOR: resolvers: always normalize FQDN from response

William Lallemand (2):
      CI: vtest: move the vtest2 URL to vinyl-cache.org
      CI: github: disable windows.yml by default on unofficials repo

Willy Tarreau (6):
      BUG/MEDIUM: ssl: take care of second client hello
      BUG/MINOR: ssl: always clear the remains of the first hello for the second one
      BUILD: makefile: disable tail calls optimizations with memory profiling
      BUG/MEDIUM: hpack: correctly deal with too large decoded numbers
      SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode
      SCRIPTS: git-show-backports: add a restart-from-last option

---
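
The HPACK item in the announcement above, illustrated as an added example (not HAProxy's code and not part of the original message): a varint decoder following RFC 7541 section 5.1 that reports an error once the decoded value no longer fits in 32 bits. The function name `hpack_decode_int` and its return convention are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode an HPACK integer (RFC 7541, section 5.1) with an N-bit prefix
 * (1 <= prefix_bits <= 8). Returns the number of bytes consumed (>= 1),
 * 0 if the input is truncated, or -1 if the value does not fit in 32 bits.
 * The name and return convention are assumptions of this example. */
int hpack_decode_int(const uint8_t *buf, size_t len, unsigned prefix_bits, uint32_t *out)
{
    const uint32_t mask = (1u << prefix_bits) - 1;
    uint64_t val;            /* 64-bit accumulator so the overflow stays visible */
    unsigned shift = 0;
    size_t pos = 1;

    if (len == 0)
        return 0;
    val = buf[0] & mask;
    if (val < mask) {        /* the value fits entirely in the prefix */
        *out = (uint32_t)val;
        return 1;
    }
    for (;;) {
        uint8_t b;
        if (shift > 28)      /* a sixth continuation byte cannot fit in 32 bits */
            return -1;
        if (pos >= len)
            return 0;
        b = buf[pos++];
        val += (uint64_t)(b & 0x7f) << shift;
        if (val > UINT32_MAX) /* report an error instead of wrapping or truncating */
            return -1;
        shift += 7;
        if (!(b & 0x80))     /* high bit clear: last byte of the integer */
            break;
    }
    *out = (uint32_t)val;
    return (int)pos;
}

int main(void)
{
    /* Constructed input: 2^32 encoded with a 7-bit prefix, one past the limit. */
    const uint8_t over32[] = { 0x7f, 0x81, 0xff, 0xff, 0xff, 0x0f };
    uint32_t v = 0;
    printf("2^32 -> %d\n", hpack_decode_int(over32, sizeof(over32), 7, &v));
    return 0;
}
```

Rejecting an over-long encoding as well as an over-large value keeps the decoder in agreement with any other parser of the same byte stream, which is the mismatch the announcement describes.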

