Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable
release! One such e-mail is sent periodically once patches are waiting in the
last maintenance branch, and an ideal release date is computed based on the
severity of these fixes and their merge date. Responses to this mail must be
sent to the mailing list.

Last release 3.3.10 was issued on 2026-05-11. There are currently 96
patches in the queue cut down this way:
- 36 MEDIUM, first one merged on 2026-05-13
- 60 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.3.11 would be 2026-06-12, which was
one week ago.

Last release 3.2.19 was issued on 2026-05-11. There are currently 83
patches in the queue cut down this way:
- 31 MEDIUM, first one merged on 2026-05-11
- 52 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.2.20 would be 2026-07-10, which is
in three weeks or less.

Last release 3.0.23 was issued on 2026-05-11. There are currently 67
patches in the queue cut down this way:
- 25 MEDIUM, first one merged on 2026-05-21
- 42 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.0.24 would be 2026-08-13, which is
in eight weeks or less.

The current list of patches in the queue is:
- 3.3 - MEDIUM : servers: Store the connection hash
with the parameter cache
- 3.0, 3.2, 3.3 - MEDIUM : applet: Fix transfer of HTX data to
the applet
- 3.0, 3.2, 3.3 - MEDIUM : resolvers: Fix test on dn label size
in resolv_dn_label_to_str()
- 3.0, 3.2, 3.3 - MEDIUM : dns: fix memory leak of sockaddr in
dns_session_init() error path
- 3.0, 3.2, 3.3 - MEDIUM : log-forward: make sure the month is
unsigned
- 3.0, 3.2, 3.3 - MEDIUM : cache: always verify the primary hash
in get_secondary_entry()
- 3.2, 3.3 - MEDIUM : h1: drop headers whose names contain
invalid chars
- 3.2, 3.3 - MEDIUM : h1: limit status codes to 3 digits by
default
- 3.0, 3.2, 3.3 - MEDIUM : ssl-gencert: Unlock LRU cache if
failing to generate certificate
- 3.0, 3.2, 3.3 - MEDIUM : applet: Properly handle receives of
size 0
- 3.0, 3.2, 3.3 - MEDIUM : hlua: Fix integer underflow when
receiving line from lua cosocket
- 3.0, 3.2, 3.3 - MEDIUM : h1: Skip all h2c values from Upgrade
headers during parsing
- 3.0, 3.2, 3.3 - MEDIUM : dict: hold lock while decrementing
refcount in dict_entry_unref
- 3.0, 3.2, 3.3 - MEDIUM : auth: fix unconfigured password NULL
deref
- 3.0, 3.2, 3.3 - MEDIUM : quic: reset cwnd in slow_start on
persistent congestion (cubic)
- 3.2, 3.3 - MEDIUM : quic: reset consecutive_losses on exit
from recovery period (cubic)
- 3.2, 3.3 - MEDIUM : cpu-topo: Enforce thread-hard-limit on
policy
- 3.3 - MEDIUM : limits: properly account for
global.maxpipes in compute_ideal_maxconn()
- 3.0, 3.2, 3.3 - MEDIUM : dns: fix long loops in additional
records parse on name failure"
- 3.0, 3.2, 3.3 - MEDIUM : resolvers: Wait a bit before calling
the xprt prepare_srv
- 3.0, 3.2, 3.3 - MEDIUM : dict: hold read lock while
incrementing refcount in dict_insert
- 3.0, 3.2, 3.3 - MEDIUM : server/cli: unlock server lock on
failure in cli_parse_set_server
- 3.0, 3.2 - MEDIUM : mux_quic: adjust qcc_is_dead() to
account detached streams
- 3.2, 3.3 - MEDIUM : tcpcheck/spoe: bound the SPOP error
code to valid values
- 3.0, 3.2, 3.3 - MEDIUM : h1-htx: Sanitize parsing to properly
handle upgrade requests
- 3.2, 3.3 - MEDIUM : acme: protect against risk of
null-deref on connection failure
- 3.3 - MEDIUM : servers: Don't forget to set srv_hash
when needed
- 3.0, 3.2, 3.3 - MEDIUM : mux-fcgi: reject stream ID 0 for
application records
- 3.3 - MEDIUM : http-client: Only consume input buffer
when hc one is empty
- 3.0, 3.2, 3.3 - MEDIUM : dns: fix long loops in additional
records parse on name failure
- 3.0, 3.2, 3.3 - MEDIUM : cache: fix a refcount leak for missed
secondary entries
- 3.3 - MEDIUM : h3: fix MAX_PUSH_ID handling
- 3.0, 3.2, 3.3 - MEDIUM : quic: handle ECONNREFUSED on RX side
- 3.0, 3.2, 3.3 - MEDIUM : h3: reject client push stream
- 3.0, 3.2, 3.3 - MEDIUM : resolvers: fix name compression
pointer validation in resolv_read_name()
- 3.0, 3.2, 3.3 - MEDIUM : mux-h1: Dup connection/upgrade value
to parse it when making headers
- 3.3 - MEDIUM : regex: allocate a large enough pcre2
match for all matches
- 3.3 - MINOR : server: accept server IDs above 2^31
and clarify error message
- 3.0, 3.2, 3.3 - MINOR : ocsp: Manage date too far away in the
future
- 3.0, 3.2, 3.3 - MINOR : tcpcheck: Check LDAP response to not
read more data than available
- 3.0, 3.2, 3.3 - MINOR : tcpchecks: Limit parsing of
agent-check reply to the buffer
- 3.0, 3.2, 3.3 - MINOR : qpack: fix huff_dec() error handling
in qpack_decode_fs()
- 3.2, 3.3 - MINOR : server: Properly handle init-state
value during haproxy startup
- 3.2, 3.3 - MINOR : resolvers: fix dangling list pointer
in resolvers_new() error paths
- 3.0, 3.2, 3.3 - MINOR : log: look for the end of priority
before the end of the buffer
- 3.0, 3.2, 3.3 - MINOR : qpack: Fix index calculation in debug
functions
- 3.0, 3.2, 3.3 - MINOR : resolvers: switch to a better PRNG for
query IDs
- 3.0, 3.2, 3.3 - MINOR : cache: Fix copy of value when parsing
maxage
- 3.0, 3.2, 3.3 - MINOR : sample: limit the be2hex converter's
chunk size
- 3.0, 3.2, 3.3 - MINOR : qpack: fix potential null-pointer
dereference in qpack_dht_insert()
- 3.0, 3.2, 3.3 - MINOR : qpack: fix sign bit mask in
qpack_decode_fs_pfx()
- 3.2, 3.3 - MINOR : jws: Add missing return value check
(EVP_PKEY_get_bn_param)
- 3.2, 3.3 - MINOR : threads: set at least grp_max when
mtpg is too small
- 3.2, 3.3 - MINOR : session/trace: use distinct flags for
SESS_EV_END and _ERR
- 3.0, 3.2, 3.3 - MINOR : config/dns: properly fail on duplicate
nameserver name detection
- 3.2, 3.3 - MINOR : servers: use proper source of
pool_conn_name in srv_settings_cpy()
- 3.3 - MINOR : mux_quic: do not exceed
stream.max-concurrent on backend side
- 3.0, 3.2, 3.3 - MINOR : h1: Don't mask websocket protocol if
multiple protocols used
- 3.0, 3.2, 3.3 - MINOR : jwt: fix possible memory leak in
convert_ecdsa_sig() error path
- 3.0, 3.2, 3.3 - MINOR : backend: fix balance hash calculation
when using hash-type none
- 3.0, 3.2, 3.3 - MINOR : dns: fix dangling dgram pointer on
dns_dgram_init() failure path
- 3.0, 3.2, 3.3 - MINOR : hlua: prevent Lua from passing
CR/LF/NUL in HTTP headers
- 3.0, 3.2, 3.3 - MINOR : resolvers: report the expression error
in the do-resolve() action parser
- 3.0, 3.2, 3.3 - MINOR : httpclient-cli: Destroy http-client
context if failing to start it
- 3.0, 3.2, 3.3 - MINOR : resolvers: fix risk of appending
garbage past the domain name
- 3.0, 3.2, 3.3 - MINOR : resolvers: fix room for trailing zero
in resolv_dn_label_to_str()
- 3.0, 3.2, 3.3 - MINOR : addons/51d: NUL-terminate headers
before passing them to Trie API
- 3.0, 3.2, 3.3 - MINOR : http-fetch: check against the whole
token in get_http_auth()
- 3.3 - MINOR : h3: reject server push stream
- 3.0, 3.2, 3.3 - MINOR : ssl-gencert: validate SNI characters
to prevent SAN certificate injection
- 3.0, 3.2, 3.3 - MINOR : cache: fix cache tree iteration
- 3.2, 3.3 - MINOR : cache: also recognize directives in
the form "token="
- 3.0, 3.2, 3.3 - MINOR : quic: fix ack range node pool_free
call passing wrong pointer type
- 3.0, 3.2, 3.3 - MINOR : resolvers: relax size checks in
authority record parsing
- 3.2, 3.3 - MINOR : quic: update drs->lost before calling
on_ack_recv
- 3.0, 3.2, 3.3 - MINOR : init: use more than ha_random64() for
the cluster secret
- 3.0, 3.2, 3.3 - MINOR : quic: reject packet too short for HP
decryption
- 3.0, 3.2, 3.3 - MINOR : backend: correct parameter value
validation in get_server_ph_post()
- 3.0, 3.2, 3.3 - MINOR : h3: reject client CANCEL_PUSH frame
- 3.3 - MINOR : mux_quic: open an idle QCS on reset on
BE side
- 3.3 - MINOR : h3: reject server MAX_PUSH_ID frame
- 3.0, 3.2, 3.3 - MINOR : resolvers: fix leaked dgram and
dns_ring struct in parse_resolve_conf()
- 3.0, 3.2, 3.3 - MINOR : check: properly report errno in
chk_report_conn_err()
- 3.0, 3.2, 3.3 - MINOR : http-ext: always check remaining data
when reading rfc7239 nodeport
- 3.3 - MINOR : httpclient-cli: fix uninit variable in
error label
- 3.2, 3.3 - MINOR : jws: fix OpenSSL 3.0 version check
from > to >=
- 3.0, 3.2, 3.3 - MINOR : quic: fix ODCID lookup from derived
value
- 3.0, 3.2, 3.3 - MINOR : mux-h2: Count padding for connection
flow control on error path
- 3.0, 3.2, 3.3 - MINOR : dict: fix refcount race on insert
collision
- 3.0, 3.2, 3.3 - MINOR : mux-fcgi: Use relative offset to
compute contig data in demux buf
- 3.2, 3.3 - MINOR : mux-spop: Use relative offset to
compute contig data in demux buf
- 3.3 - MINOR : h3: add missing break on rcv_buf()
- 3.0, 3.2, 3.3 - MINOR : ssl-hello: make use of the
null-terminated servername
- 3.0, 3.2, 3.3 - MINOR : mux-h2: validate HEADERS frame length
before reading stream dep
- 3.0, 3.2, 3.3 - MINOR : payload: fix the handshake length
bounds check smp_client_hello_parse()
- 3.0, 3.2, 3.3 - MINOR : base64: return empty string for empty
input in base64dec()
- 3.3 - MINOR : h3: adjust error on PUSH_PROMISE frame
reception
--
The haproxy stable-bot is freely provided by HAProxy Technologies to help
improve the quality of each HAProxy release. If you have any issue with these
emails or if you want to suggest some improvements, please post them on the
list so that the solutions suiting the most users can be found.