Hi,

HAProxy 3.4-dev14 was released on 2026/05/26. It added 81 new commits after version 3.4-dev13.

The superstitious ones will say they knew we couldn't finish on a positive note with a dev13 :-) We knew it was not a good idea to start looking a bit too deep into AI-assisted reports before a release... But facts are hard, and when a bug is present, releasing without fixing it will not make it magically disappear, while fixing it later just doesn't help! So after spending a few tens of hours evaluating them and fixing the ones that were definitely valid and deciding which ones to pick, we ended up with too many fixes for an immediate release. The good news is that there is nothing dramatic, only an accumulation of moderate bugs and annoyances, but still things that complicate analysis of bug reports, and that we preferred to address now to keep 3.4 as clean as possible. I'd say that roughly 3/4 of the fixes will have to be backported anyway, but I'd rather wait for quite a bit of time after 3.4.0 is out before starting to backport them as they're not urgent. And it could be another incentive for users to switch from 3.3 to 3.4.

This time it's difficult to summarize the changes, as they're spread over many areas. There's some h1, h2, h3, quic, jwe, cache, peers, lua, log, tcp-checks, spoe, fcgi, sample-fetch, and resolvers of course.

One point stands out, it was found that the random number generator we were using was disclosing a bit too much of its internal state for the use cases that adopted it (UUID, QUIC retry token, WebSocket), and it was the same for the DNS (with its own). So before it becomes a problem, it was reworked to hide its output via XXH3() and as a benefit it is now thread-local, and 15 to 20 times faster than before when tested on 20 threads, removing contention that would occur under sustained activity (UUID generation or more likely QUIC connection floods). A minimal backport will be feasible to improve protection on older releases at almost no cost, so it will be worth doing it.
Overall I'm quite happy with the current state, it was well worth sweating like this on it. Not only should this save a few users from having to issue a bug report, but with a bit of luck it could slightly reduce the volume of AI-generated reports we'll get after the release (as none of us wants to deal with that often).

Let's grant it one more week and aim for Wednesday, June 3rd. This time hopefully we'll merge almost nothing and will be more confident that it's ready. So deploy it, beat it hard, and report anything suspicious you might notice. It's already running on haproxy.org.

Big thanks to those who tested, shared their reports, and to those who took their share of the load to quickly tidy everything up!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   OpenTelemetry    : https://github.com/haproxytech/haproxy-opentelemetry
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (18):
      MINOR: ssl_sock: remove unneeded check on QMux flags
      MINOR: connection: define xprt_add_l6hs()
      MINOR: xprt_qmux: define default value for get_alpn
      MINOR: connection: define mask CO_FL_WAIT_XPRT_L6
      MINOR: session: support QMux in clear on FE side
      MINOR: backend: support QMux in clear for BE side
      MINOR: mux_quic: handle STOP_SENDING in QMux
      MINOR: mux_quic: handle MAX_STREAMS for uni stream in QMux
      MINOR: mux_quic: do not crash on unhandled QMux frame reception
      BUG/MINOR: quic: fix ODCID lookup from derived value
      BUG/MEDIUM: h3: reject client push stream
      BUG/MINOR: h3: reject server push stream
      BUG/MINOR: h3: reject client CANCEL_PUSH frame
      BUG/MINOR: h3: adjust error on PUSH_PROMISE frame reception
      BUG/MINOR: h3: reject server MAX_PUSH_ID frame
      BUG/MINOR: h3: add missing break on rcv_buf()
      BUG/MINOR: qmux: do not crash on frame parsing issue
      BUG/MINOR: quic: reject packet too short for HP decryption

Christopher Faulet (14):
      BUG/MEDIUM: applet: Properly handle receives of size 0
      BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()
      BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate
      BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref
      BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer
      BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket
      BUG/MEDIUM: cli: Fix parsing of pattern finishing a command payload
      BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records
      MINOR: http: Add function to remove all occurrences of a value in a header
      MINOR: h1: Add a H1M flag to specify a non-empty 'Upgrade:' header was parsed
      BUG/MEDIUM: h1-htx: Sanitize parsing to properly handle upgrade requests
      BUG/MINOR: mux-fcgi: Use relative offset to compute contig data in demux buf
      BUG/MINOR: mux-spop: Use relative offset to compute contig data in demux buf
      CLEANUP: mux-fcgi/mux-spop: Remove copy/pasted comment about slow realign

CyberpsychoJacob (1):
      BUG/MEDIUM: acme: NUL terminate response buffer before PEM parsing

Frederic Lecaille (1):
      MINOR: haterm: enable h3 for TCP bindings

Remi Tricot-Le Breton (3):
      BUG/MINOR: ocsp: Manage date too far away in the future
      BUG/MINOR: jwe: enforce GCM tag length to 128 bits
      BUG/MEDIUM: jwe: substitute random CEK on RSA1_5 decryption failure per RFC 7516 #11.5

William Lallemand (1):
      BUG/MEDIUM: auth: fix unconfigured password NULL deref

Willy Tarreau (43):
      MINOR: config: shm-stats-file is no longer experimental
      BUILD: proxy: unstatify the proxies_del_lock to avoid a warning without threads
      BUG/MEDIUM: net_helper: fix a remaining possibly infinite loop in converters
      BUILD: intops: mask the fail value in array_size_or_fail()
      BUG/MEDIUM: log-forward: make sure the month is unsigned
      BUG/MEDIUM: regex: allocate a large enough pcre2 match for all matches
      BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values
      BUG/MEDIUM: cache: fix a refcount leak for missed secondary entries
      BUG/MINOR: log: free logformat expr on compile failure in cfg_parse_log_profile
      BUG/MINOR: resolvers: fix room for trailing zero in resolv_dn_label_to_str()
      BUG/MINOR: resolvers: fix risk of appending garbage past the domain name
      BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep
      BUG/MINOR: log: look for the end of priority before the end of the buffer
      BUG/MINOR: dict: fix refcount race on insert collision
      BUG/MINOR: init: use more than ha_random64() for the cluster secret
      BUG/MINOR: sample: limit the be2hex converter's chunk size
      CLEANUP: resolvers: use read_n32() instead of open-coded big-endian read
      CLEANUP: resolvers: remove pool_free(NULL) in SRV additional record matching
      CLEANUP: resolvers: fix comment typos and wrong filenames in file headers
      BUG/MINOR: haterm: fix the random suffix multiplication
      MINOR: haterm: do not emit a warning when not using SSL
      BUG/MEDIUM: h1: drop headers whose names contain invalid chars
      BUG/MEDIUM: h1: limit status codes to 3 digits by default
      BUG/MEDIUM: cache: always verify the primary hash in get_secondary_entry()
      BUG/MINOR: cache: also recognize directives in the form "token="
      BUG/MINOR: resolvers: relax size checks in authority record parsing
      BUG/MINOR: sample: request an extra output byte for the url_dec converter
      BUG/MINOR: http-fetch: check against the whole token in get_http_auth()
      BUG/MEDIUM: acme: protect against risk of null-deref on connection failure
      BUG/MINOR: http-ext: always check remaining data when reading rfc7239 nodeport
      BUG/MINOR: base64: return empty string for empty input in base64dec()
      BUG/MINOR: payload: fix the handshake length bounds check smp_client_hello_parse()
      BUG/MINOR: ssl-hello: make use of the null-terminated servername
      BUG/MINOR: resolvers: switch to a better PRNG for query IDs
      BUG/MINOR: addons/51d: NUL-terminate headers before passing them to Trie API
      BUG/MEDIUM: tools: insert an XXH64 layer on the PRNG output
      MINOR: tools: provide a function to generate a hashed random pair
      MEDIUM: init: fall back to ha_random64_pair_hashed() for the cluster secret
      MEDIUM: tools: use the hashed random pair for UUID generation
      MEDIUM: h1: use ha_random64_pair_hashed() for the WebSocket key
      MEDIUM: quic: use ha_random64_pair_hashed() to generate the QUIC retry tokens
      MEDIUM: tools: switch the main PRNG to a thread-local xoshiro256**
      BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers
---
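
Added example, not part of the announcement and not HAProxy's code: the PRNG rework described above (raw output disclosing internal state versus a thread-local generator that only releases a hash of its state), shown on a toy generator. The names toy_random64_raw(), toy_random64_hashed(), mix64() and output_is_state() are hypothetical, xorshift64 is a swapped-in toy step function, and mix64() is a dependency-free stand-in for the XXH3()/XXH64 layer named on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy step function (assumption, NOT HAProxy's generator): xorshift64. */
static uint64_t xs64_step(uint64_t s)
{
    s ^= s << 13; s ^= s >> 7; s ^= s << 17;
    return s;
}

/* Before: one shared state, handed to the caller unmodified. */
static uint64_t shared_state = 0x9E3779B97F4A7C15ULL; /* constructed seed */
uint64_t toy_random64_raw(void)
{
    return shared_state = xs64_step(shared_state);
}

/* Stand-in for the hash layer (assumption): folds 128 bits into 64.
 * It carries no security claim; real code calls a vetted hash. */
static uint64_t mix64(uint64_t a, uint64_t b)
{
    uint64_t h = (a ^ (b >> 31)) * 0x9E3779B185EBCA87ULL;
    h ^= h >> 29;
    h = (h + b) * 0xC2B2AE3D27D4EB4FULL;
    return h ^ (h >> 32);
}

/* After: per-thread state (no lock, no sharing) made of two lanes; only a
 * 64-bit hash of the 128-bit state leaves the function. Seeds are constructed
 * and fixed for reproducibility; real code seeds each thread from the OS. */
static _Thread_local uint64_t lane[2] = { 0x243F6A8885A308D3ULL, 0x13198A2E03707344ULL };
uint64_t toy_random64_hashed(void)
{
    lane[0] = xs64_step(lane[0]);
    lane[1] = xs64_step(lane[1]);
    return mix64(lane[0], lane[1]);
}

/* Returns 1 when stepping the previous output reproduces the next one,
 * i.e. the output stream is the state stream. */
int output_is_state(uint64_t (*gen)(void))
{
    uint64_t prev = gen();
    return xs64_step(prev) == gen();
}

int main(void)
{
    printf("raw:    output_is_state=%d\n", output_is_state(toy_random64_raw));
    printf("hashed: output_is_state=%d\n", output_is_state(toy_random64_hashed));
    return 0;
}
```

The same check is a useful review question for any generator feeding UUIDs, retry tokens or WebSocket keys: does a value handed to a client equal, or trivially map back to, the state that produces the next value?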

