Hi,

HAProxy 3.3.8 was released on 2026/04/30. It added 28 new commits after version 3.3.7.

Two major issues were fixed by this release. The first one was related to the scheme-based normalization. Commas were permitted in the Host header and in the authority, and the values were compared with the commas included. They would then differ when read via hdr(host), which splits them on commas, and under certain circumstances this triggered crashes (at least it did in the OSS-Fuzz environment when injecting the values directly at the HTX layer). The issue was fixed.

There remains the case of comma characters in authorities. Even though the spec permits commas in authorities (not in domain names), there is currently no use case for this and it causes an ambiguity with the historical use of hdr(host), so we preferred to just deny them. The change was made in 3.4-dev10 and is postponed to the next 3.3 release. It will probably be backported to lower versions too.

The other major issue was about the H1 multiplexer and the way chunk sizes were emitted on 32-bit machines. Only the lower 32 bits of the chunk size were advertised, which could be used to form request or response smuggling. All 3.x versions were affected.

Otherwise, a regression was introduced in 3.3.7 on the task scheduler, leading to a deadlock with the lock held by idle connection tasks. It's difficult to reproduce but sadly it happens much more often than the one it was fixing. A new fix was emitted which better addresses the issue.

An issue in the FCGI multiplexer was fixed. The function responsible for emitting FCGI_PARAM records was not handling full-buffer cases in a consistent way. The issue was quite limited, but the "http-send-name-header" option could be silently ignored. The issue was fixed by reworking this function.

The scheme-based normalization was fixed to properly handle the case of OPTIONS requests. As stated in RFC9110#4.2.3, when the scheme-based normalization is performed, an empty path must be normalized to "/", except for OPTIONS requests.

On ACME, crashes could be experienced when an ACME server returned a newOrder response with an empty authorizations array. The error is now properly handled and the caller can retry. In addition, the auth/challenge steps are now skipped when the ACME server returns a certificate URL directly in the newOrder response.

Daniel Lenar fixed an issue on HTTP health-checks by allowing connection reuse without prior traffic. Now, when an HTTP health-check is performed, if the "check-reuse-pool" option is enabled, a newly created connection will be inserted in the idle pool and will be eligible for reuse, both for regular traffic and checks. Before, such connections were marked as private and not reused at all.

Ilia fixed some realloc issues in the ssl code. The original pointer was not freed on error. He replaced realloc() calls with my_realloc2().

Finally, some other memory leaks on error paths here and there (sample, tools) and minor issues were also fixed.

Unfortunately, so shortly after 3.3.7, it is recommended to update again.

Thanks everyone for your help!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.3.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Christopher Faulet (7):
      DOC: config: Fix log-format example with last rule expressions
      BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based normalization
      BUG/MEDIUM: http-htx: Don't use data from HTX message to update authority
      BUG/MEDIUM: http-htx: Loop on full host value during scheme based normalization
      BUG/MAJOR: mux-h1: Deal with true 64-bits integer to emit chunks size
      BUG/MEDIUM: mux-fcgi: Properly handle full buffer for FCGI_PARAM record
      BUG/MINOR: http-htx: Don't normalize emtpy path for OPTIONS requests

Daniel Lenar (1):
      BUG/MINOR: tcpcheck: Allow connection reuse without prior traffic

Ilia Shipitsin (2):
      BUG/MINOR: ssl: fix memory leaks on realloc failure in ssl_ckch.c
      BUG/MINOR: ssl: fix memory leaks on realloc failure in ssl_sock.c

Olivier Houchard (1):
      BUG/MEDIUM: tasks: Do not loop in task_schedule() if a task is running

William Lallemand (3):
      BUILD: 51d: fix bool definition on dummy lib v4
      BUG/MEDIUM: acme: fix segfault on newOrder with empty authorizations
      BUG/MINOR: acme: skip auth/challenge steps when newOrder returns a certificate

Willy Tarreau (14):
      BUG/MINOR: ssl: fix double-free on failed realloc in ssl_sock.c
      BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte reading
      BUG/MINOR: tools: fix memory leak in indent_msg() on out of memory
      BUG/MINOR: tools: free previously allocated strings on strdup failure in backup_env()
      BUG/MINOR: sample: fix memory leak in check_when_cond() when ACL is not found
      BUG/MINOR: sample: fix NULL strm dereference in sample_conv_when
      BUG/MINOR: peers: fix logical "and" when checking for local in PEER_APP_ST_STARTING
      BUG/MINOR: peers: fix wrong flag reported twice for dump_flags
      CLEANUP: peers: fix a few user-visible spelling mistakes
      BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size()
      BUG/MINOR: http_ana: use scf to report term_evts in http_wait_for_request()
      BUG/MINOR: fix various typos and spelling mistakes in user-visible messages
      BUG/MINOR: payload: validate minimum keyshare_len in smp_fetch_ssl_keyshare_groups
      BUG/MINOR: payload: prevent integer overflow in distcc token parsing

--
Christopher Faulet
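
The chunk-size truncation described above for the H1 multiplexer, reduced to a stand-alone illustration. This is an added example, not HAProxy's code: all function names are hypothetical, and `uint32_t` stands in for a 32-bit build's native integer so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Write v as lowercase hex; return digit count, or 0 if out is too small. */
static size_t put_hex(uint64_t v, char *out, size_t outsz)
{
    char tmp[16];                      /* 64 bits: at most 16 hex digits */
    size_t n = 0;
    do {
        tmp[n++] = "0123456789abcdef"[v & 0xf];
        v >>= 4;
    } while (v);
    if (n + 1 > outsz)                 /* digits plus terminating NUL */
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return n;
}

/* Defective form: the length passes through a 32-bit integer first. */
size_t emit_chunk_size_32(uint64_t len, char *out, size_t outsz)
{
    uint32_t low = (uint32_t)len;      /* upper 32 bits are dropped here */
    return put_hex(low, out, outsz);
}

/* Corrected form: the full 64-bit length is encoded. */
size_t emit_chunk_size_64(uint64_t len, char *out, size_t outsz)
{
    return put_hex(len, out, outsz);
}

/* Payload bytes that the advertised chunk size does not account for. */
uint64_t framing_gap(uint64_t len, const char *advertised_hex)
{
    return len - strtoull(advertised_hex, NULL, 16);
}

int main(void)
{
    char a[17], b[17];
    emit_chunk_size_32(0x100000005ULL, a, sizeof a); /* constructed: 4 GiB + 5 */
    emit_chunk_size_64(0x100000005ULL, b, sizeof b);
    printf("32-bit path: %s\n64-bit path: %s\n", a, b);
    return 0;
}
```

A non-zero `framing_gap()` means the peer's view of where the chunk ends differs from the sender's, which is the desynchronisation the announcement refers to.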

