Hi,

HAProxy 3.3.6 was released on 2026/03/19. It added 73 new commits after
version 3.3.5. The most notable changes are in the HTTP/3 and HTTP/2
parsers, mixed with a series of less important ones in the rest of the
code.

HTTP/3 is responsible for checking that the received payload size is equal
to the content-length header if advertised. This prevents any risk of
desynchronization with the backend side which could be exploited for
request smuggling. This check is already performed most of the time,
but it was missing when the stream was closed with an empty STREAM
frame. This major flaw has been reported by Martino Spagnuolo. Thanks to
him, a proper fix has been integrated with the necessary check now also
performed when parsing empty frames. A CVE will be requested soon.

Another issue in the HTTP/3 parser was the manipulation of unaligned
non-DATA frames which resulted in undefined behavior. In practice,
currently this condition never happens in a real-case scenario. As such,
the safest solution is implemented for now with the connection
immediately closed and glitch counter incremented.

HTTP/2 and HTTP/3 parsers are also improved together to ensure any
partial headers or trailers are properly removed on error from the HTX
message. Also, the accounting for maximum trailers was not correct.

An interoperability issue has been found in HTTP/2 multiplexer. The
handling of GOAWAY and WINDOW_UPDATE is corrected to properly ignore the
R bit when reading the stream ID as specified by the standard. This
could have caused haproxy to ignore a received GOAWAY frame and continue
to open new streams. This issue has been reported by Haruto Kimura and
fixed thanks to him.

The parser for the peers protocol is strengthened. The received key type is
now always checked for conformity to prevent any risk of crash. In practice,
as the peer protocol is only used in trusted networks, the risk remains
very low though. Thanks again to Haruto Kimura for having also found
this one.

SSL early data handling is adjusted so that it now works as expected
with BoringSSL and AWS-LC libraries.

Several minor fixes are related to the master process and the reload
operation. The most important one is the correction of a file-descriptor
leak present since 3.1 which can occur during the transfer of FDs via
sockpair from a worker process to the master. Output of "show proc"
command has also been fixed as some entries could have been missing.

SPOE filter processing is now properly interrupted if a client abort
occurred due to the abortonclose option.

A bunch of changes concern the "show profiling" utility. Notably,
memory usage can now be displayed sorted by the calling context.
Aggregate display mode is also supported for memory inspection. Finally,
the CLI output of "show profiling" is no longer limited to a number of
entries and it should consume less CPU when sorting a large number of
them.

Coredump loading is a procedure frequently performed by developers when
debugging a crash. This is now easier with a utility to automatically
find the post-mortem section in the coredump. It is also possible to
include all loaded libraries in the dump itself with the option
"set-dumpable libs". This should only be activated on developer request.

Thanks to everyone who contributed to this release,

#############################################################################################
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.3.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Alexander Stephan (2):
      MINOR: mworker/cli: extract worker "show proc" row printer
      BUG/MINOR: mworker/cli: fix show proc pagination losing entries on resume

Amaury Denoyelle (2):
      BUG/MAJOR: h3: check body size with content-length on empty FIN
      BUG/MEDIUM: h3: reject unaligned frames except DATA

Christopher Faulet (10):
      BUG/MEDIUM: shctx: Use the next block when data exactly filled a block
      BUG/MINOR: spoe: Properly switch SPOE filter to WAITING_ACK state
      BUG/MEDIUM: spoe: Properly abort processing on client abort
      BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX message
      MINOR: htx: Add function to truncate all blocks after a specific block
      BUG/MINOR: h2/h3: Never insert partial headers/trailers in an HTX message
      BUG/MINOR: http-ana: Swap L7 buffer with request buffer by hand
      BUG/MINOR: stream: Fix crash in stream dump if the current rule has no keyword
      BUG/MINOR: spoe: Fix condition to abort processing on client abort
      BUILD: spoe: Remove unsused variable

Egor Shestakov (1):
      DOC/CLEANUP: config: update mentions of the old "Global parameters" section

Mia Kanashi (1):
      BUG/MINOR: jws: fix memory leak in jws_b64_signature

Olivier Houchard (2):
      BUG/MEDIUM: ssl: Handle receiving early data with BoringSSL/AWS-LC
      BUG/MEDIUM: ssl: Don't report read data as early data with AWS-LC

Tim Duesterhus (1):
      BUG/MINOR: tcpcheck: Fix typo in error error message for `http-check expect`

Tom Braarup (1):
      DOC: configuration: http-check expect example typo

William Lallemand (10):
      BUG/MINOR: mworker: don't set the PROC_O_LEAVING flag on master process
      BUG/MINOR: mworker: always stop the receiving listener
      BUG/MINOR: mworker: only match worker processes when looking for unspawned proc
      BUG/MINOR: mworker: fix typo &= instead of & in proc list serialization
      BUG/MINOR: mworker: set a timeout on the worker socketpair read at startup
      BUG/MINOR: mworker: avoid passing NULL version in proc list serialization
      BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS
      BUG/MINOR: mjson: make mystrtod() length-aware to prevent out-of-bounds reads
      BUG/MINOR: mworker: don't try to access an initializing process
      CI: github: treat vX.Y.Z release tags as stable like haproxy-* branches

Willy Tarreau (43):
      BUG/MINOR: memprof: avoid a small memory leak in "show profiling"
      MINOR: activity: use dynamic allocation for "show profiling" entries
      MINOR: tools: extend the pointer hashing code to ease manipulations
      MINOR: memprof: attempt different retry slots for different hashes on collision
      BUG/MINOR: proxy: do not forget to validate quic-initial rules
      DEV: gdb: add a utility to find the post-mortem address from a core
      MINOR: tools: add a function to create a tar file header
      MINOR: tools: add a function to load a file into a tar archive
      MINOR: config: support explicit "on" and "off" for "set-dumpable"
      MINOR: debug: read all libs in memory when set-dumpable=libs
      DEV: gdb: add a new utility to extract libs from a core dump: libs-from-core
      MINOR: debug: copy debug symbols from /usr/lib/debug when present
      MINOR: debug: opportunistically load libthread_db.so.1 with set-dumpable=libs
      BUILD: makefile: fix range build without test command
      MINOR: tools: add a new pointer hash function that also takes an argument
      MINOR: tinfo: start to add basic thread_exec_ctx
      MINOR: memprof: prepare to consider exec_ctx in reporting
      MINOR: memprof: also permit to sort output by calling context
      MINOR: tools: add a function to write a thread execution context.
      MINOR: debug: report the execution context on thread dumps
      MINOR: memprof: report the execution context on profiling output
      MINOR: initcall: record the file and line declaration of an INITCALL
      MINOR: tools: decode execution context TH_EX_CTX_INITCALL
      MINOR: tools: support decoding ha_caller type exec context
      MINOR: sample: store location for fetch/conv via initcalls
      MINOR: sample: also report contexts registered directly
      MINOR: tools: support an execution context that is just a function
      MINOR: actions: store the location of keywords registered via initcalls
      MINOR: actions: also report execution contexts registered directly
      MINOR: filters: set the exec context to the current filter config
      MINOR: ssl: set the thread execution context during message callbacks
      MINOR: connection: track mux calls to report their allocation context
      MINOR: task: set execution context on task/tasklet calls
      MINOR: applet: set execution context on applet calls
      MINOR: cli: keep the info of the current keyword being processed in the appctx
      MINOR: cli: keep track of the initcall context since kw registration
      MINOR: cli: implement execution context for manually registered keywords
      MINOR: activity: support aggregating by caller also for memprofile
      MINOR: activity: raise the default number of memprofile buckets to 4k
      DOC: internals: short explanation on how thread_exec_ctx works
      BUG/MEDIUM: peers: enforce check on incoming table key type
      BUG/MINOR: mux-h2: properly ignore R bit in GOAWAY stream ID
      BUG/MINOR: mux-h2: properly ignore R bit in WINDOW_UPDATE increments

---

-- 
Amaury Denoyelle
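
The HTTP/3 content-length check described in the announcement, as an added example that is not part of the original message and is not HAProxy's code: a simplified receive path where the end-of-stream comparison runs on every FIN, including one carried by an empty STREAM frame. The struct, function and constant names are hypothetical, and the frame sequences are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-request state (illustrative names, not HAProxy's). */
struct h3_req {
    int      has_cl;   /* a content-length header was advertised */
    uint64_t cl;       /* advertised content-length */
    uint64_t body_rx;  /* DATA payload bytes received so far */
};

enum h3_rc { H3_OK = 0, H3_DONE = 1, H3_ERR_MESSAGE = -1 };

/* Account for the body bytes delivered by one STREAM frame.
 * data_len may be 0: a FIN can arrive on an empty frame. */
enum h3_rc h3_on_stream_frame(struct h3_req *r, uint64_t data_len, int fin)
{
    r->body_rx += data_len;

    /* The body may never exceed what was advertised. */
    if (r->has_cl && r->body_rx > r->cl)
        return H3_ERR_MESSAGE;
    if (!fin)
        return H3_OK;

    /* End of stream: this comparison must not depend on data_len > 0. */
    if (r->has_cl && r->body_rx != r->cl)
        return H3_ERR_MESSAGE;
    return H3_DONE;
}

/* Constructed case: content-length 10, 4 body bytes, then an empty FIN. */
int demo_short_body_empty_fin(void)
{
    struct h3_req r = { 1, 10, 0 };
    if (h3_on_stream_frame(&r, 4, 0) != H3_OK)
        return -100;
    return h3_on_stream_frame(&r, 0, 1);
}

/* Constructed case: content-length 10, 10 body bytes, then an empty FIN. */
int demo_exact_body_empty_fin(void)
{
    struct h3_req r = { 1, 10, 0 };
    if (h3_on_stream_frame(&r, 10, 0) != H3_OK)
        return -100;
    return h3_on_stream_frame(&r, 0, 1);
}

int main(void)
{
    printf("short body + empty FIN: %d\n", demo_short_body_empty_fin());
    printf("exact body + empty FIN: %d\n", demo_exact_body_empty_fin());
    return 0;
}
```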
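
The R-bit handling mentioned for HTTP/2 GOAWAY and WINDOW_UPDATE, as an added example that is not part of the original message and is not HAProxy's code: both payloads start with a reserved bit followed by a 31-bit field, so the top bit is masked before the value is used. Function names, error constants and payload bytes are constructed for illustration; the frame-size and zero-increment checks go beyond what the announcement covers and follow RFC 9113.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_ERR_PROTOCOL   (-1)  /* illustrative error codes */
#define H2_ERR_FRAME_SIZE (-2)

/* Read a 32-bit big-endian integer. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* GOAWAY payload: R(1) Last-Stream-ID(31) Error-Code(32) [debug data]. */
int h2_parse_goaway(const uint8_t *p, size_t len,
                    uint32_t *last_sid, uint32_t *err)
{
    if (len < 8)
        return H2_ERR_FRAME_SIZE;
    *last_sid = rd32(p) & 0x7fffffffu;   /* ignore the R bit */
    *err = rd32(p + 4);
    return 0;
}

/* WINDOW_UPDATE payload: R(1) Window-Size-Increment(31). */
int h2_parse_window_update(const uint8_t *p, size_t len, uint32_t *inc)
{
    if (len != 4)
        return H2_ERR_FRAME_SIZE;
    *inc = rd32(p) & 0x7fffffffu;        /* ignore the R bit */
    if (*inc == 0)                       /* zero increment is an error */
        return H2_ERR_PROTOCOL;
    return 0;
}

/* Constructed GOAWAY: R bit set, last stream ID 5, error code 0. */
uint32_t demo_goaway_sid(void)
{
    const uint8_t pl[8] = { 0x80, 0x00, 0x00, 0x05, 0, 0, 0, 0 };
    uint32_t sid = 0, err = 0;
    return h2_parse_goaway(pl, sizeof(pl), &sid, &err) == 0 ? sid : 0xffffffffu;
}

/* Constructed WINDOW_UPDATE: only the R bit set, so the increment is 0. */
int demo_wu_rbit_only(void)
{
    const uint8_t pl[4] = { 0x80, 0x00, 0x00, 0x00 };
    uint32_t inc = 0;
    return h2_parse_window_update(pl, sizeof(pl), &inc);
}

int main(void)
{
    printf("GOAWAY last stream ID: %u\n", demo_goaway_sid());
    printf("WINDOW_UPDATE with only R set: %d\n", demo_wu_rbit_only());
    return 0;
}
```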

