Hi,

HAProxy 1.8.26 was released on 2020/08/03. It added 71 new commits
after version 1.8.25.

The previous release is 4 months old, so the list of fixes is a bit
large. Most of these were already mentioned over the last releases. The
most noticeable are:

  - Some crashes were fixed with the unique-id, the http_first_req, and
    the capture.* sample fetches when called without a stream.

  - The "http-check send" keyword was backported. It allows you to add
    extra headers and payload in your HTTP checks.

  - A bug with the no-check-ssl option was fixed.

  - A really old bug was found in the shctx lock code, making the
    process crash when there is a lot of lock contention on the cache.
    The shctx code is also used for the SSL sessions cache, but there
    is less chance to provoke this problem.

  - An HTTP reuse issue was fixed when using NTLM authentication. This
    was fixed by using a safer test for making the NTLM sessions
    private.

  - A memory leak in the DNS code was fixed. The DNS answer items
    attached to a resolution were not released when the DNS resolution
    was freed.

  - Lua operations performed on map or acl files (set/add/del) are now
    thread-safe. The analyze timeout is also now reset before executing
    a Lua action, to avoid a loop caused by an expired timeout that was
    not updated.

  - In the H2 multiplexer, when a chunked H1 response is parsed before
    sending it to the client, if a chunk size or a chunk CRLF is
    incomplete, an error is now triggered and an RST_STREAM is sent to
    the client with the PROTOCOL_ERROR error code. This may happen if
    the server closes the connection, because the remaining incomplete
    data are unconditionally forwarded. Without this fix, nothing is
    parsed, leading to an infinite loop in the h2_snd_buf() function.

  - Some inconsistencies in the argument parser were fixed. The
    parameter of all options now supports a hyphen as a first character,
    except the -sf/st ones. We also fixed the support of the "--"
    option in the mworker mode, which is useful at the end of the
    command when you want to use a list of configuration files.

  - The url_dec converter now takes an optional argument to specify if
    the input string is part of a form or a query-string, to adapt the
    decoding.

  - A thread-safety issue was fixed in the pattern matching code.

  - The hdr_ip() sample fetch now properly parses IPv4 addresses
    without a NUL character delimiter.

  - The memcmp() in ebtree was replaced by a byte-per-byte memcmp() to
    compare memory blocks, because memcmp() was dangerous as it could
    read past the end on implementations that read multiple bytes at a
    time.

  - A risk of looping (and abort) on channels was fixed. It was
    triggered at least by Lua cosockets attempting to read a complete
    line from truncated contents.

  - String comparisons with patterns (ACLs, ...) were performed by
    adding a trailing nul character but didn't check if it would fit,
    occasionally causing crashes (e.g. comparison with ALPN). Now short
    patterns are duplicated first.

This list is not exhaustive. Please have a look at the changelog below
for the complete list of fixes, and do not forget to update.
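The H2 multiplexer item above comes down to one decision: truncated chunk framing may only mean "wait for more" while more bytes can still arrive. The following is an added example, not HAProxy's h2_snd_buf() code; the names check_chunked and chk_state are hypothetical, and it assumes chunks without extensions or trailers.

```c
#include <stddef.h>

enum chk_state { CHK_DONE, CHK_MORE, CHK_ERROR };

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Walk an HTTP/1 chunked body held in buf[0..len). <eof> is non-zero when
 * the sender has closed, i.e. no further bytes can ever arrive. */
enum chk_state check_chunked(const char *buf, size_t len, int eof)
{
    size_t pos = 0;

    for (;;) {
        size_t size = 0, digits = 0;
        int v;

        while (pos < len && (v = hexval(buf[pos])) >= 0) {
            if (size > ((size_t)-1 >> 4))
                return CHK_ERROR;          /* chunk size would overflow */
            size = (size << 4) | (size_t)v;
            pos++;
            digits++;
        }
        if (pos + 2 > len)                 /* size line CRLF not complete */
            goto incomplete;
        if (!digits || buf[pos] != '\r' || buf[pos + 1] != '\n')
            return CHK_ERROR;
        pos += 2;
        if (size > len - pos || len - pos - size < 2)
            goto incomplete;               /* data or its CRLF not complete */
        pos += size;
        if (buf[pos] != '\r' || buf[pos + 1] != '\n')
            return CHK_ERROR;
        pos += 2;
        if (size == 0)
            return CHK_DONE;               /* last chunk reached */
    }
incomplete:
    /* Truncated framing after close is an error, never a retry. */
    return eof ? CHK_ERROR : CHK_MORE;
}
```

A caller that treats CHK_MORE as "call again later" cannot spin on a closed connection, because that state is never returned once eof is set.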
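The hdr_ip() and pattern-comparison items above share one root cause: a length-delimited buffer handed to code that expects a NUL terminator. The following is an added example, not HAProxy's code; the function names are hypothetical and the header value in the comments is constructed. It shows the two safe options: terminate a bounded copy, or compare by length and never terminate at all.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address from buf[0..len), which is NOT
 * NUL-terminated. Returns 1 on success, 0 otherwise. */
int parse_ipv4_bounded(const char *buf, size_t len, struct in_addr *out)
{
    char tmp[INET_ADDRSTRLEN];      /* 16 bytes: longest quad plus NUL */

    if (len == 0 || len >= sizeof(tmp))
        return 0;                   /* would not fit: reject, do not truncate */
    memcpy(tmp, buf, len);
    tmp[len] = '\0';                /* terminate the copy, never the source */
    return inet_pton(AF_INET, tmp, out) == 1;
}

/* Extract and parse the first element of a comma-separated header value
 * such as "192.0.2.7, 198.51.100.9" (constructed sample). */
int first_hdr_ip(const char *val, size_t len, struct in_addr *out)
{
    size_t start = 0, end;

    while (start < len && (val[start] == ' ' || val[start] == '\t'))
        start++;
    end = start;
    while (end < len && val[end] != ',' && val[end] != ' ' && val[end] != '\t')
        end++;
    return parse_ipv4_bounded(val + start, end - start, out);
}

/* Exact match of a length-delimited sample against a NUL-terminated
 * pattern, done by length so no terminator is ever written to smp. */
int match_exact_bounded(const char *smp, size_t len, const char *pattern)
{
    return strlen(pattern) == len && memcmp(smp, pattern, len) == 0;
}
```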
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :

Christopher Faulet (20):
      BUG/MINOR: check: Update server address and port to execute an external check
      BUG/MINOR: checks: Respect the no-check-ssl option
      BUG/MINOR: checks/server: use_ssl member must be signed
      BUG/MINOR: sample: Set the correct type when a binary is converted to a string
      BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
      BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
      BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
      BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version
      BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
      BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
      BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete
      BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
      BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
      MINOR: checks: Add a way to send custom headers and payload during http chekcs
      BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
      BUG/MINOR: checks: Remove a warning about http health checks
      BUG/MEDIUM: server/checks: Init server check during config validity check
      BUG/MEDIUM: checks: Always initialize checks before starting them
      BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
      BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable

Emeric Brun (3):
      BUG/MINOR: peers: fix internal/network key type mapping.
      BUG/MINOR: logs: prevent double line returns in some events.
      BUG/MEDIUM: logs: fix trailing zeros on log message.

Gaetan Rivet (1):
      BUG/MINOR: checks: chained expect will not properly wait for enough data

Jerome Magnin (3):
      BUG/MINOR: ssl: default settings for ssl server options are not used
      DOC: option logasap does not depend on mode
      BUILD: select: only declare existing local labels to appease clang

Miroslav Zagorac (1):
      BUG/MINOR: spoe: correction of setting bits for analyzer

Olivier Doucet (1):
      DOC: Improve documentation on http-request set-src

Ryan O'Hara (1):
      BUG/MINOR: systemd: Wait for network to be online

Tim Duesterhus (5):
      BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
      BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
      BUG/MINOR: http_act: don't check capture id in backend (2)
      BUG/MINOR: sample: Free str.area in smp_check_const_bool
      BUG/MINOR: sample: Free str.area in smp_check_const_meth

William Dauchy (1):
      BUG/MINOR: pollers: remove uneeded free in global init

William Lallemand (7):
      REGTEST: ssl: test the client certificate authentication
      BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
      BUG/MINOR: init: -x can have a parameter starting with a dash
      BUG/MEDIUM: mworker: fix the reload with an -- option
      BUG/MINOR: mworker: fix a memleak when execvp() failed
      BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
      DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list

Willy Tarreau (28):
      BUILD: chunk: properly declare pool_head_trash as extern
      BUILD: cache: avoid a build warning with some compilers/linkers
      BUG/MINOR: tools: fix the i386 version of the div64_32 function
      BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
      BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
      BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam
      BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam
      BUG/MEDIUM: shctx: really check the lock's value while waiting
      BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
      BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
      SCRIPTS: publish-release: pass -n to gzip to remove timestamp
      BUG/MEDIUM: pattern: fix thread safety of pattern matching
      BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
      BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
      BUG/MINOR: spoe: add missing key length check before checking key names
      MINOR: cli: make "show sess" stop at the last known session
      BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
      BUG/MINOR: proxy: always initialize the trash in show servers state
      BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
      BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
      SCRIPTS: announce-release: add the link to the wiki in the announce messages
      SCRIPTS: git-show-backports: make -m most only show the left branch
      SCRIPTS: git-show-backports: emit the shell command to backport a commit
      BUG/MINOR: http: make url_decode() optionally convert '+' to SP
      BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
      BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
      BUG/MINOR: pools: use %u not %d to report pool stats in "show pools"
      MEDIUM: map: make the "clear map" operation yield

--
Christopher Faulet

