Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.


    Last release 3.3.10 was issued on 2026-05-11.  There are currently 96 
patches in the queue cut down this way:
    - 36 MEDIUM, first one merged on 2026-05-13
    - 60 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.3.11 would be 2026-06-12, which was 
two weeks ago.

    Last release 3.2.19 was issued on 2026-05-11.  There are currently 83 
patches in the queue cut down this way:
    - 31 MEDIUM, first one merged on 2026-05-11
    - 52 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.2.20 would be 2026-07-10, which is 
in two weeks or less.

    Last release 3.0.23 was issued on 2026-05-11.  There are currently 67 
patches in the queue cut down this way:
    - 25 MEDIUM, first one merged on 2026-05-21
    - 42 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.0.24 would be 2026-08-13, which is 
in seven weeks or less.

The current list of patches in the queue is:
 - 3.0, 3.2, 3.3             - MEDIUM  : quic: handle ECONNREFUSED on RX side
 - 3.3                       - MEDIUM  : h3: fix MAX_PUSH_ID handling
 - 3.3                       - MEDIUM  : servers: Store the connection hash 
with the parameter cache
 - 3.0, 3.2, 3.3             - MEDIUM  : cache: fix a refcount leak for missed 
secondary entries
 - 3.0, 3.2, 3.3             - MEDIUM  : h1-htx: Sanitize parsing to properly 
handle upgrade requests
 - 3.2, 3.3                  - MEDIUM  : h1: limit status codes to 3 digits by 
default
 - 3.0, 3.2, 3.3             - MEDIUM  : h3: reject client push stream
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix long loops in additional 
records parse on name failure"
 - 3.2, 3.3                  - MEDIUM  : acme: protect against risk of 
null-deref on connection failure
 - 3.0, 3.2, 3.3             - MEDIUM  : mux-fcgi: reject stream ID 0 for 
application records
 - 3.0, 3.2, 3.3             - MEDIUM  : auth: fix unconfigured password NULL 
deref
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix memory leak of sockaddr in 
dns_session_init() error path
 - 3.3                       - MEDIUM  : servers: Don't forget to set srv_hash 
when needed
 - 3.0, 3.2, 3.3             - MEDIUM  : log-forward: make sure the month is 
unsigned
 - 3.0, 3.2, 3.3             - MEDIUM  : hlua: Fix integer underflow when 
receiving line from lua cosocket
 - 3.0, 3.2, 3.3             - MEDIUM  : dict: hold read lock while 
incrementing refcount in dict_insert
 - 3.2, 3.3                  - MEDIUM  : cpu-topo: Enforce thread-hard-limit on 
policy
 - 3.0, 3.2, 3.3             - MEDIUM  : quic: reset cwnd in slow_start on 
persistent congestion (cubic)
 - 3.0, 3.2, 3.3             - MEDIUM  : dict: hold lock while decrementing 
refcount in dict_entry_unref
 - 3.2, 3.3                  - MEDIUM  : h1: drop headers whose names contain 
invalid chars
 - 3.0, 3.2, 3.3             - MEDIUM  : applet: Properly handle receives of 
size 0
 - 3.0, 3.2, 3.3             - MEDIUM  : mux-h1: Dup connection/upgrade value 
to parse it when making headers
 - 3.0, 3.2, 3.3             - MEDIUM  : applet: Fix transfer of HTX data to 
the applet
 - 3.0, 3.2                  - MEDIUM  : mux_quic: adjust qcc_is_dead() to 
account detached streams
 - 3.3                       - MEDIUM  : http-client: Only consume input buffer 
when hc one is empty
 - 3.2, 3.3                  - MEDIUM  : tcpcheck/spoe: bound the SPOP error 
code to valid values
 - 3.0, 3.2, 3.3             - MEDIUM  : ssl-gencert: Unlock LRU cache if 
failing to generate certificate
 - 3.3                       - MEDIUM  : limits: properly account for 
global.maxpipes in compute_ideal_maxconn()
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: Fix test on dn label size 
in resolv_dn_label_to_str()
 - 3.0, 3.2, 3.3             - MEDIUM  : h1: Skip all h2c values from Upgrade 
headers during parsing
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: fix name compression 
pointer validation in resolv_read_name()
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix long loops in additional 
records parse on name failure
 - 3.0, 3.2, 3.3             - MEDIUM  : cache: always verify the primary hash 
in get_secondary_entry()
 - 3.3                       - MEDIUM  : regex: allocate a large enough pcre2 
match for all matches
 - 3.0, 3.2, 3.3             - MEDIUM  : server/cli: unlock server lock on 
failure in cli_parse_set_server
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: Wait a bit before calling 
the xprt prepare_srv
 - 3.2, 3.3                  - MEDIUM  : quic: reset consecutive_losses on exit 
from recovery period (cubic)
 - 3.0, 3.2, 3.3             - MINOR   : base64: return empty string for empty 
input in base64dec()
 - 3.0, 3.2, 3.3             - MINOR   : quic: reject packet too short for HP 
decryption
 - 3.0, 3.2, 3.3             - MINOR   : quic: fix ack range node pool_free 
call passing wrong pointer type
 - 3.0, 3.2, 3.3             - MINOR   : log: look for the end of priority 
before the end of the buffer
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix leaked dgram and 
dns_ring struct in parse_resolve_conf()
 - 3.0, 3.2, 3.3             - MINOR   : h1: Don't mask websocket protocol if 
multiple protocols used
 - 3.0, 3.2, 3.3             - MINOR   : config/dns: properly fail on duplicate 
nameserver name detection
 - 3.0, 3.2, 3.3             - MINOR   : addons/51d: NUL-terminate headers 
before passing them to Trie API
 - 3.0, 3.2, 3.3             - MINOR   : tcpcheck: Check LDAP response to not 
read more data than available
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: switch to a better PRNG for 
query IDs
 - 3.2, 3.3                  - MINOR   : jws: fix OpenSSL 3.0 version check 
from > to >=
 - 3.0, 3.2, 3.3             - MINOR   : jwt: fix possible memory leak in 
convert_ecdsa_sig() error path
 - 3.0, 3.2, 3.3             - MINOR   : mux-fcgi: Use relative offset to 
compute contig data in demux buf
 - 3.2, 3.3                  - MINOR   : session/trace: use distinct flags for 
SESS_EV_END and _ERR
 - 3.2, 3.3                  - MINOR   : jws: Add missing return value check 
(EVP_PKEY_get_bn_param)
 - 3.0, 3.2, 3.3             - MINOR   : ssl-gencert: validate SNI characters 
to prevent SAN certificate injection
 - 3.3                       - MINOR   : mux_quic: open an idle QCS on reset on 
BE side
 - 3.0, 3.2, 3.3             - MINOR   : hlua: prevent Lua from passing 
CR/LF/NUL in HTTP headers
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix sign bit mask in 
qpack_decode_fs_pfx()
 - 3.3                       - MINOR   : h3: add missing break on rcv_buf()
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix risk of appending 
garbage past the domain name
 - 3.0, 3.2, 3.3             - MINOR   : ssl-hello: make use of the 
null-terminated servername
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix potential null-pointer 
dereference in qpack_dht_insert()
 - 3.3                       - MINOR   : mux_quic: do not exceed 
stream.max-concurrent on backend side
 - 3.0, 3.2, 3.3             - MINOR   : http-ext: always check remaining data 
when reading rfc7239 nodeport
 - 3.0, 3.2, 3.3             - MINOR   : sample: limit the be2hex converter's 
chunk size
 - 3.2, 3.3                  - MINOR   : mux-spop: Use relative offset to 
compute contig data in demux buf
 - 3.2, 3.3                  - MINOR   : resolvers: fix dangling list pointer 
in resolvers_new() error paths
 - 3.0, 3.2, 3.3             - MINOR   : check: properly report errno in 
chk_report_conn_err()
 - 3.0, 3.2, 3.3             - MINOR   : dict: fix refcount race on insert 
collision
 - 3.0, 3.2, 3.3             - MINOR   : backend: correct parameter value 
validation in get_server_ph_post()
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: report the expression error 
in the do-resolve() action parser
 - 3.0, 3.2, 3.3             - MINOR   : httpclient-cli: Destroy http-client 
context if failing to start it
 - 3.3                       - MINOR   : httpclient-cli: fix uninit variable in 
error label
 - 3.2, 3.3                  - MINOR   : cache: also recognize directives in 
the form "token="
 - 3.0, 3.2, 3.3             - MINOR   : ocsp: Manage date too far away in the 
future
 - 3.2, 3.3                  - MINOR   : quic: update drs->lost before calling 
on_ack_recv
 - 3.0, 3.2, 3.3             - MINOR   : mux-h2: validate HEADERS frame length 
before reading stream dep
 - 3.2, 3.3                  - MINOR   : server: Properly handle init-state 
value during haproxy startup
 - 3.2, 3.3                  - MINOR   : threads: set at least grp_max when 
mtpg is too small
 - 3.0, 3.2, 3.3             - MINOR   : cache: fix cache tree iteration
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix room for trailing zero 
in resolv_dn_label_to_str()
 - 3.3                       - MINOR   : server: accept server IDs above 2^31 
and clarify error message
 - 3.0, 3.2, 3.3             - MINOR   : init: use more than ha_random64() for 
the cluster secret
 - 3.3                       - MINOR   : h3: reject server MAX_PUSH_ID frame
 - 3.0, 3.2, 3.3             - MINOR   : backend: fix balance hash calculation 
when using hash-type none
 - 3.3                       - MINOR   : h3: reject server push stream
 - 3.0, 3.2, 3.3             - MINOR   : tcpchecks: Limit parsing of 
agent-check reply to the buffer
 - 3.3                       - MINOR   : h3: adjust error on PUSH_PROMISE frame 
reception
 - 3.2, 3.3                  - MINOR   : servers: use proper source of 
pool_conn_name in srv_settings_cpy()
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: relax size checks in 
authority record parsing
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix huff_dec() error handling 
in qpack_decode_fs()
 - 3.0, 3.2, 3.3             - MINOR   : dns: fix dangling dgram pointer on 
dns_dgram_init() failure path
 - 3.0, 3.2, 3.3             - MINOR   : payload: fix the handshake length 
bounds check smp_client_hello_parse()
 - 3.0, 3.2, 3.3             - MINOR   : cache: Fix copy of value when parsing 
maxage
 - 3.0, 3.2, 3.3             - MINOR   : quic: fix ODCID lookup from derived 
value
 - 3.0, 3.2, 3.3             - MINOR   : mux-h2: Count padding for connection 
flow control on error path
 - 3.0, 3.2, 3.3             - MINOR   : h3: reject client CANCEL_PUSH frame
 - 3.0, 3.2, 3.3             - MINOR   : http-fetch: check against the whole 
token in get_http_auth()
 - 3.0, 3.2, 3.3             - MINOR   : qpack: Fix index calculation in debug 
functions

-- 
The haproxy stable-bot is freely provided by HAProxy Technologies to help 
improve the quality of each HAProxy release.  If you have any issue with these 
emails or if you want to suggest some improvements, please post them on the 
list so that the solutions suiting the most users can be found.


Reply via email to