Hi, HAProxy 3.3.10 was released on 2026/05/11. It added 12 new commits after version 3.3.9.
The intent of this quick release is to fix a regression introduced in previous version affecting WebSocket over H2, and too short a master CLI timeout: - the recent change to try to release the master socket connections when an old worker doesn't respond were a bit too effective and broke valid operations. Indeed, by involving the server-fin timeout, the goal was to arm the timeout only once the client had disconnected, but right now commands are sent one at a time immediately followed by a shut which also arms the timeout, so commands that take too long to execute (e.g. reload) now report an error after one second. For now the fix was reverted since the original problem is super rare. Other options are still being considered, but it's possible that 3.4 and stable versions will use different approaches (e.g. a conservative timeout of several minutes for stable and something cleaner for 3.4). - the recent fix on handling of the H2 ":protocol" pseudo-header that was introduced with RFC8441 to support WebSocket over H2 was incorrect, due to my misunderstanding of the client's obligations in this spec when confronted to RFC9113: the client doesn't need to negotiate nor advertise intent to use Extended CONNECT, so that broke WebSocket over H2 on the frontend. - a bug in H2 DATA frame padding accounting would make cause connection errors when padding was used. It seems surprisingly rare considering that padding was designed primarily for DATA frames. - it was possible to corrupt a list causing infinite loops and panics by quickly enabling and disabling a dynamic server. - in some cases, the QUIC connection timeouts might be refreshed each time an I/O attempt was made, regardless of the progress, making them possibly last forever. - the recently fixed race condition between TASK_RUNNING and task_queue() still had a short race window open that could still cause an occasional crash. This should be completely fixed now. - the "set stick-table" command on the CLI used to perform a lookup before checking the CLI permissions, but this lookup could create a non-existing entry, without being able to set the relevant data, then ending in an error. While it cannot really be used for attacking, it could be misused by scripts accidentally leaving incomplete entries until the timeout strikes. - And the rest is pretty minor. Please find the usual URLs below : Site index : https://www.haproxy.org/ Documentation : https://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : https://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Q&A from devs : https://github.com/orgs/haproxy/discussions Sources : https://www.haproxy.org/download/3.3/src/ Git repository : https://git.haproxy.org/git/haproxy-3.3.git/ Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest Pending bugs : https://www.haproxy.org/l/pending-bugs Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs Code reports : https://www.haproxy.org/l/code-reports Latest builds : https://www.haproxy.org/l/dev-packages Willy --- Complete changelog : Amaury Denoyelle (3): BUG/MINOR: mux_quic: fix max stream ID reuse estimation BUG/MEDIUM: mux_quic: adjust qcc_is_dead() to account detached streams BUG/MINOR: mux_quic: refresh timeout only if I/O performed Christopher Faulet (1): BUG/MEDIUM: mux-h2: Properly consume padding for DATA frames Olivier Houchard (3): BUG/MINOR: ssl: Use the sequence number with kTLS and TLS 1.2 BUG/MEDIUM: servers: Only requeue servers if they are up BUG/MEDIUM: tasks: Keep the TASK_RUNNING flag until queued Willy Tarreau (5): Revert "BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect" Revert "BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting" BUG/MEDIUM: mux-h2: fix the detection of the ext connect support BUG/MEDIUM: stick-table: properly check permissions on CLI's set/clear cmd BUG/MINOR: cfgparse-listen: do not emit extraneous line in rule order warnings ---
