Hi,

HAProxy 2.4.33 was released on 2026/04/30. It added 4 new commits
after version 2.4.32.

A major issue was fixed by this release. It was related to scheme-based
normalization. The presence of commas in the Host header and authority was
permitted, and the full values were used for the comparison, whereas they would
differ when read via hdr(host), which splits them on commas; under certain
circumstances this could trigger crashes (at least it did in the OSS-Fuzz
environment when injecting the values directly at the HTX layer). The issue was
fixed. What remains is the case of comma characters in authorities. Even though
the spec permits commas in authorities (not in domain names), there is currently
no use case for this and it causes an ambiguity with the historical use of
hdr(host), so we preferred to just deny them. The change was performed on
3.4-dev10 and postponed for the next 3.3 release. It will probably be backported
to lower versions too.
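
As an added example (not code from this announcement or from the HAProxy
project), the interim check a deployment on an older branch could place in a
frontend until the change denying commas in authorities is backported. The
frontend name fe_http and the bind port are assumptions; req.fhdr(), req.hdr(),
req.hdr_cnt() and the deny_status keyword are existing HAProxy configuration
elements.

```haproxy
# Added example, not from the HAProxy project: frontend name and port are
# assumptions. Reject requests whose Host header would be read differently
# by the two fetches: req.fhdr(host) returns the full value, commas included,
# while req.hdr(host) splits on commas and returns only one piece, so any
# ACL written against req.hdr(host) would not see the same authority the
# scheme-based normalization compared.
frontend fe_http
    bind :80
    mode http

    # Deny if there is more than one Host header, or if the single full
    # Host value contains a comma. Both cases create the ambiguity above.
    http-request deny deny_status 400 if { req.hdr_cnt(host) gt 1 } || { req.fhdr(host) -m sub , }

    default_backend be_app

backend be_app
    # Placeholder backend so the fragment is complete; the server address is
    # an assumption.
    server app1 127.0.0.1:8080
```

This mirrors the choice described above: it refuses commas that the URI spec
technically permits in an authority, on the grounds that no real deployment
relies on them and that the comma-splitting behaviour of hdr(host) makes them
ambiguous. The rule sits before any ACL that inspects req.hdr(host), so those
ACLs only ever see a Host value with no comma-split ambiguity.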

And an issue in the FCGI multiplexer was fixed. The function responsible for
emitting FCGI_PARAM records was not handling full-buffer cases in a consistent
way. The issue was quite limited, but the "http-send-name-header" option could
be silently ignored. The issue was fixed by reworking this function.


Unfortunately, shortly after 2.4.32, it is recommended to update again.

Thanks everyone for your help !

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Christopher Faulet (4):
      BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based normalization
      BUG/MEDIUM: http-htx: Don't use data from HTX message to update authority
      BUG/MEDIUM: http-htx: Loop on full host value during scheme based normalization
      BUG/MEDIUM: mux-fcgi: Properly handle full buffer for FCGI_PARAM record

--
Christopher Faulet

