Hi all,

we've fixed quite some bugs since 1.6-dev2 and I'm absent next week (going
to the HTTP workshop), so I thought it would be nice to issue a new version
in better shape than the last one. I counted 55 patches among which 15 bugs.

Regarding the important issues that were fixed :

- LRU cache could possibly cause a crash when expiring old entries
- "http-request set-var" was not practically usable due to a freezing bug if
  the expression did not properly evaluate
- HTTP pipelining bug causing information leak (CVE-2015-3281)
- improper parsing of some TLV headers in proxy v2 protocol (namespaces part)
- tcp-request {content,connection} accept was broken and considered as a reject
  after addition of an action registration mechanism
- 51d sample fetch missing some proper const tags resulting in a risk that
  some further converters modify the input in the buffer or LRU cache
- off-by-one in the dns parsing code causing memory corruption with hostnames
  ending on a malloc boundary

The other ones are less important. Some improvements were brought as well :
- netbsd 6.0 now builds
- 51d sample fetch now makes use of the LRU cache to speed up operations
- new "set-src" target for http-request rules. Does the same as accept-proxy
  but for use with HTTP headers for example (sets the client address to the
  contents of the expression).
- it's now possible to send an SNI when connecting to a server. This is
  useful in virtual-hosted environments.
- switch all integer operations to 64-bits in sample fetches and patterns
- make arithmetic operators use saturated arithmetic instead of overflowing,
  that makes size checks safer especially when dealing with content lengths
  or advertised payload lengths
- all arithmetic operators now also accept a variable as an alternative to
  a constant, which makes it possible to add/multiply/divide values.

Baptiste has almost finished the cleanup of the state reload code that should
be mergeable soon. I understood that the DNS code will experience a revamping
at some point and will be improved to support init-addr. On my side I have
started to make small steps towards the ability to reuse backend connections
between multiple front connections. It's a bit tricky but not that much anymore.
I don't know if it will be finished for 1.6-final, at least I want to ensure
that the infrastructure is ready for it so that we don't have to start to
break everything when opening 1.7 for HTTP/2.

As usual, if you see that some patches you sent are missing, feel free to
resend. And bug reports are always welcome!

For those who would like to contribute something and have no idea where to
start, I noticed that the sample-fetch section of the doc started to become
a bit heavy with many redundant parts since the addition of variables. I
think that adding a dedicated section about variables would make some sense
and would add an opportunity to explain how to properly use them.

Here's a copy-paste of the small changelog (the smallest of a dev branch
for a long time) :

  2015/07/22 : 1.6-dev3
    - CLEANUP: sample: generalize sample_fetch_string() as sample_fetch_as_type()
    - MEDIUM: http: Add new 'set-src' option to http-request
    - DOC usesrc root privileges requirments
    - BUG/MINOR: dns: wrong time unit for some DNS default parameters
    - MINOR: proxy: bit field for proxy_find_best_match diff status
    - MINOR: server: new server flag: SRV_F_FORCED_ID
    - MINOR: server: server_find functions: id, name, best_match
    - DOC: dns: fix chapters syntax
    - BUILD/MINOR: tools: rename popcount to my_popcountl
    - BUILD: add netbsd TARGET
    - MEDIUM: 51Degrees code refactoring and cleanup
    - MEDIUM: 51d: add LRU-based cache on User-Agent string detection
    - DOC: add notes about the "51degrees-cache-size" parameter
    - BUG/MEDIUM: 51d: possible incorrect operations on smp->data.str.str
    - BUG/MAJOR: connection: fix TLV offset calculation for proxy protocol v2 parsing
    - MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
    - BUG/MINOR: payload: Add volatile flag to smp_fetch_req_ssl_ec_ext
    - BUG/MINOR: lua: type error in the arguments wrapper
    - CLEANUP: vars: remove unused struct
    - BUG/MINOR: http/sample: gmtime/localtime can fail
    - MINOR: standard: add 64 bits conversion functions
    - MAJOR: sample: converts uint and sint in 64 bits signed integer
    - MAJOR: arg: converts uint and sint in sint
    - MEDIUM: sample: switch to saturated arithmetic
    - MINOR: vars: returns variable content
    - MEDIUM: vars/sample: operators can use variables as parameter
    - BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
    - BUILD/MINOR: lua: fix a harmless build warning
    - BUILD/MINOR: stats: fix build warning due to condition always true
    - BUG/MAJOR: lru: fix unconditional call to free due to unexpected semi-colon
    - BUG/MEDIUM: logs: fix improper systematic use of quotes with a few tags
    - BUILD/MINOR: lua: ensure that hlua_ctx_destroy is properly defined
    - BUG/MEDIUM: lru: fix possible memory leak when ->free() is used
    - MINOR: vars: make the accounting not depend on the stream
    - MEDIUM: vars: move the session variables to the session, not the stream
    - BUG/MEDIUM: vars: do not freeze the connection when the expression cannot be fetched
    - BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
    - BUG/MAJOR: tcp: tcp rulesets were still broken
    - MINOR: stats: improve compression stats reporting
    - MINOR: ssl: make self-generated certs also work with raw IPv6 addresses
    - CLEANUP: ssl: make ssl_sock_generated_cert_serial() take a const
    - CLEANUP: ssl: make ssl_sock_generate_certificate() use ssl_sock_generated_cert_serial()
    - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
    - MINOR: args: add new context for servers
    - MINOR: stream: maintain consistence between channel_forward and HTTP forward
    - MINOR: ssl: provide ia function to set the SNI extension on a connection
    - MEDIUM: ssl: add sni support on the server lines
    - CLEANUP: stream: remove a useless call to si_detach()
    - CLEANUP: stream-int: fix a few outdated comments about stream_int_register_handler()
    - CLEANUP: stream-int: remove stream_int_unregister_handler() and si_detach()
    - MINOR: stream-int: only use si_release_endpoint() to release a connection
    - MINOR: standard: provide htonll() and ntohll()
    - CLEANUP/MINOR: dns: dns_str_to_dn_label() only needs a const char
    - BUG/MAJOR: dns: fix the length of the string to be copied

Usual URLs below :
    Site index       : http://www.haproxy.org/
    Sources          : http://www.haproxy.org/download/1.6/src/devel/
    Git repository   : http://git.haproxy.org/git/haproxy.git/
    Git Web browsing : http://git.haproxy.org/?p=haproxy.git
    Changelog        : http://www.haproxy.org/download/1.6/src/CHANGELOG
    Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.6.html

Regards,
Willy
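The announcement's point that saturated 64-bit arithmetic makes size checks safer can be seen in the sketch below. It is an added example, not HAProxy's code: all function names and the `hdr + count * item <= limit` check are hypothetical, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrapping 64-bit ops (two's-complement result on mainstream compilers). */
static int64_t wrap_add(int64_t a, int64_t b) { return (int64_t)((uint64_t)a + (uint64_t)b); }
static int64_t wrap_mul(int64_t a, int64_t b) { return (int64_t)((uint64_t)a * (uint64_t)b); }

/* Saturating add: clamp to the int64 range instead of wrapping. */
static int64_t sat_add(int64_t a, int64_t b)
{
    if (b > 0 && a > INT64_MAX - b) return INT64_MAX;
    if (b < 0 && a < INT64_MIN - b) return INT64_MIN;
    return a + b;
}

/* Saturating multiply, done on unsigned magnitudes so INT64_MIN is handled. */
static int64_t sat_mul(int64_t a, int64_t b)
{
    if (a == 0 || b == 0) return 0;
    int neg = (a < 0) != (b < 0);
    uint64_t ua = a < 0 ? 0 - (uint64_t)a : (uint64_t)a;
    uint64_t ub = b < 0 ? 0 - (uint64_t)b : (uint64_t)b;
    uint64_t lim = (uint64_t)INT64_MAX + (neg ? 1 : 0);  /* largest legal magnitude */
    if (ua > lim / ub) return neg ? INT64_MIN : INT64_MAX;
    uint64_t p = ua * ub;
    if (neg) return p == lim ? INT64_MIN : -(int64_t)p;
    return (int64_t)p;
}

/* Hypothetical size check: does hdr + count * item stay within limit? */
static int fits_wrapping(int64_t hdr, int64_t count, int64_t item, int64_t limit)
{
    return wrap_add(hdr, wrap_mul(count, item)) <= limit;
}

static int fits_saturated(int64_t hdr, int64_t count, int64_t item, int64_t limit)
{
    return sat_add(hdr, sat_mul(count, item)) <= limit;
}

int main(void)
{
    int64_t big = (int64_t)1 << 32;  /* constructed input: 2^32 * 2^32 wraps to 0 */
    printf("wrapping accepts:  %d\n", fits_wrapping(16, big, big, 65536));
    printf("saturated accepts: %d\n", fits_saturated(16, big, big, 65536));
    return 0;
}
```

With wrapping arithmetic the oversized product collapses to 0 and the check passes; with saturation the result pins at INT64_MAX and the check rejects it.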

