Hi, HAProxy 2.8.20 was released on 2026/03/20. It added 16 new commits after version 2.8.19. The most notable changes are in the HTTP/3 and HTTP/2 parsers, mixed with a series of less important ones in the rest of the code.
The HTTP/3 parser is responsible for checking that the received payload size is equal to the content-length header when one is advertised. This prevents any risk of desynchronization with the backend side, which could be exploited for request smuggling. This check was already performed most of the time, but it was missing when the stream was closed with an empty STREAM frame. This major flaw has been reported by Martino Spagnuolo. Thanks to him, a proper fix has been integrated, with the necessary check now also performed when parsing empty frames. A CVE will be requested soon.

Another issue in the HTTP/3 parser was the manipulation of unaligned non-DATA frames, which resulted in undefined behavior. In practice, this condition currently never happens in a real-case scenario. As such, the safest solution is implemented for now: the connection is immediately closed and the glitch counter incremented.

The HTTP/2 and HTTP/3 parsers are also improved together to ensure that any partial headers or trailers are properly removed from the HTX message on error. Also, the accounting for the maximum number of trailers was not correct.

An interoperability issue has been found in the HTTP/2 multiplexer. The handling of GOAWAY and WINDOW_UPDATE is corrected to properly ignore the R bit when reading the stream ID, as specified by the standard. This could have caused haproxy to ignore a received GOAWAY frame and continue to open new streams. This issue has been reported by Haruto Kimura and fixed thanks to him.

The parser for the peers protocol is strengthened. The received key type is now always checked for conformity to prevent any risk of crash. In practice, as the peers protocol is only used on trusted networks, the risk remains very low. Thanks again to Haruto Kimura for having also found this one.

Several minor fixes are related to the master process and the reload operation. The most important one is the correction of a file-descriptor leak, present since 3.1, which can occur during the transfer of FDs via sockpair from a worker process to the master.

Thanks to everyone who contributed to this release. Please find the usual URLs below:

Site index       : https://www.haproxy.org/
Documentation    : https://docs.haproxy.org/
Wiki             : https://github.com/haproxy/wiki/wiki
Discourse        : https://discourse.haproxy.org/
Slack channel    : https://slack.haproxy.org/
Issue tracker    : https://github.com/haproxy/haproxy/issues
Q&A from devs    : https://github.com/orgs/haproxy/discussions
Sources          : https://www.haproxy.org/download/2.8/src/
Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs     : https://www.haproxy.org/l/pending-bugs
Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
Code reports     : https://www.haproxy.org/l/code-reports
Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Amaury Denoyelle (2):
      BUG/MAJOR: h3: check body size with content-length on empty FIN
      BUG/MEDIUM: h3: reject unaligned frames except DATA

Christopher Faulet (5):
      BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX message
      MINOR: htx: Add function to truncate all blocks after a specific block
      BUG/MINOR: h2/h3: Never insert partial headers/trailers in an HTX message
      BUG/MINOR: http-ana: Swap L7 buffer with request buffer by hand
      BUG/MINOR: stream: Fix crash in stream dump if the current rule has no keyword

Tim Duesterhus (1):
      BUG/MINOR: tcpcheck: Fix typo in error error message for `http-check expect`

Tom Braarup (1):
      DOC: configuration: http-check expect example typo

William Lallemand (4):
      CI: github: treat vX.Y.Z release tags as stable like haproxy-* branches
      BUG/MINOR: mworker: fix typo &= instead of & in proc list serialization
      BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS
      BUG/MINOR: mjson: make mystrtod() length-aware to prevent out-of-bounds reads

Willy Tarreau (3):
      BUG/MEDIUM: peers: enforce check on incoming table key type
      BUG/MINOR: mux-h2: properly ignore R bit in GOAWAY stream ID
      BUG/MINOR: mux-h2: properly ignore R bit in WINDOW_UPDATE increments

--
Amaury Denoyelle
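The HTTP/3 body-size check described in the announcement, as an added illustration that is not HAProxy's own code: a small C state machine (the names h3_body, h3_body_feed and the result codes are assumed) that accounts DATA payload bytes against the advertised content-length and runs the comparison on FIN even when the closing STREAM frame carries no data, which is the case the 2.8.20 fix covers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of feeding one STREAM frame chunk to the body accounting. */
enum h3_body_res {
    H3_BODY_OK        =  0, /* more data may follow */
    H3_BODY_DONE      =  1, /* FIN seen, received size matches content-length */
    H3_BODY_TOO_BIG   = -1, /* more DATA bytes than content-length advertised */
    H3_BODY_TOO_SMALL = -2, /* FIN seen with fewer bytes than content-length */
};

/* Hypothetical per-request body state; not HAProxy's own h3s structure. */
struct h3_body {
    int64_t  content_length; /* -1 when no content-length header was advertised */
    uint64_t received;       /* DATA payload bytes accounted so far */
};

static void h3_body_init(struct h3_body *b, int64_t content_length)
{
    b->content_length = content_length;
    b->received = 0;
}

/* Feed one STREAM frame: data_len bytes of DATA payload (0 for an empty
 * frame) and the FIN flag. The size comparison must run on FIN regardless
 * of data_len: skipping it for an empty FIN frame would let a body shorter
 * than advertised reach the backend, the desync risk the release describes. */
static enum h3_body_res h3_body_feed(struct h3_body *b, size_t data_len, int fin)
{
    b->received += data_len;

    if (b->content_length >= 0 && b->received > (uint64_t)b->content_length)
        return H3_BODY_TOO_BIG;   /* reject as soon as the excess is seen */

    if (!fin)
        return H3_BODY_OK;

    if (b->content_length >= 0 && b->received != (uint64_t)b->content_length)
        return H3_BODY_TOO_SMALL; /* also covers the empty-FIN case */

    return H3_BODY_DONE;
}

int main(void)
{
    struct h3_body b;

    /* constructed scenario: content-length 10, 4 DATA bytes, then an empty FIN frame */
    h3_body_init(&b, 10);
    h3_body_feed(&b, 4, 0);
    printf("empty FIN after 4/10 bytes -> %d (expected %d)\n",
           h3_body_feed(&b, 0, 1), H3_BODY_TOO_SMALL);
    return 0;
}
```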

