Hi,

HAProxy 1.8.18 was released on 2019/02/06. It added 39 new commits
after version 1.8.17.

The changes here are fairly limited but worth a release, in an effort
to clean the net from previous versions which were affected by the TLS
1.3 KeyUpdate bug that currently prevents browsers from using these.

Other mostly relevant fixes include :
  - a stability issue for the cache when a key used to hash to zero ;
  - validation of the process chain for track-sc/stick tables and SPOE
  - a number of small H2 problems which used to abusively result in some
    connection aborts (please note that 1.8 will never be as good as 1.9
    regarding H2, so if you heavily depend on it, you may want to give
    1.9 a try).
  - 0-RTT was fixed again; some defaults regarding the anti-replay
    protection changed when openssl 1.1.1 was released, breaking 0-RTT.
  - unique-id memory leak on TCP proxies due to defaults sections.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :

Christopher Faulet (1):
      BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()

Dirkjan Bussink (1):
      BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages

Emeric Brun (1):
      BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file

Jarno Huuskonen (1):
      DOC: http-request cache-use / http-response cache-store expects cache name

Jérôme Magnin (1):
      BUG/MINOR: server: don't always trust srv_check_health when loading a server state

Kevin Zhu (1):
      BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit

Miroslav Zagorac (1):
      BUG/MINOR: spoe: corrected fragmentation string size

Olivier Houchard (4):
      BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
      DOC: Be a bit more explicit about allow-0rtt security implications.
      MINOR: xref: Add missing barriers.
      BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().

Tim Duesterhus (1):
      BUG/MINOR: stick_table: Prevent conn_cur from underflowing

Willy Tarreau (27):
      BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
      BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
      BUG/MINOR: backend: balance uri specific options were lost across defaults
      BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
      DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
      MINOR: h2: add a bit-based frame type representation
      MINOR: h2: declare new sets of frame types
      BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
      BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error
      BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream
      BUG/MINOR: hpack: return a compression error on invalid table size updates
      DOC: nbthread is no longer experimental.
      SCRIPTS: add the slack channel URL to the announce script
      SCRIPTS: add the issue tracker URL to the announce script
      BUG/MINOR: stream: don't close the front connection when facing a backend error
      BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update
      BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
      BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
      BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection
      MINOR: stream-int: expand the flags to 32-bit
      MINOR: stream-int: add a new flag to mention that we want the connection to be killed
      MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
      BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
      BUG/MINOR: config: fix bind line thread mask validation
      BUG/MAJOR: config: verify that targets of track-sc and stick rules are present
      BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes
      BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules
---