Hi,

HAProxy 2.3.14 was released on 2021/09/07. It added 19 new commits after version 2.3.13.
This version essentially aims at fixing the HTX header encoding issue mentioned in a previous message, which may lead to a request smuggling attack. All users must update.

Another important fix for some users is the relaxed double-slash rule in the H2 parser, because the previous H2 fixes would (rightfully) block requests starting with "//" due to a bug in the H2 spec itself! The nice thing is that it allowed us to spot and fix a bug in the spec :-)

A recent fix for "option abortonclose" has resulted in an issue for a user who sometimes sees some streams looping. The fix was reverted for now as the situation is worse than before, and the issue is still under investigation.

A failed backport of a recent fix in 2.3.13 for early connection failures was better addressed this time. It would manifest itself as high CPU usage on certain threads, with the poller reporting the same FDs all the time.

The remaining fixes are less important:
  - use thread-safe versions of localtime()/gmtime() in the ltime/utime converters; previously it was theoretically possible to occasionally retrieve a bad date under high thread contention
  - fix for an incorrect output size check in the base64dec/base64urldec converters that could write up to 2 extra bytes, but normally they're always used with outputs having sufficient room so I can't figure out a case where it could have represented a practical problem.
  - tune.bufsize is now checked for being smaller than 256 MB in HTX mode (that's the hard limit).
  - Lua's initialization of sample converters now uses strlcpy2() and not strncpy(), as the latter used to fill the entire buffer with zeroes, resulting in a measurable startup time when using large buffers (a second or so with 1 MB buffers).
  - the sc-set-gpt* action parser was off by one argument and was ignoring one word before the "if" condition, forcing users to write garbage there (or a second "if").
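As an added illustration of the base64 output-boundary class of bug mentioned above (this is constructed example code, not HAProxy's base64dec()/base64urldec() implementation, and all function names here are hypothetical), the decoder below computes the exact decoded size from the input length and its padding before writing anything, and refuses when the caller's buffer is too small. The b64_try() helper fills a larger buffer with a canary so a test can confirm that nothing past the declared output size is ever touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode a padded base64 string into out[olen]. Returns the number of
 * bytes written, or -1 on malformed input or insufficient output space.
 * The size check is exact: it accounts for padding, so the decoder can
 * never write past olen (hypothetical helper, not HAProxy's code). */
long b64_decode_checked(const char *in, size_t ilen,
                        unsigned char *out, size_t olen)
{
    size_t pad = 0, need, o = 0;

    if (ilen % 4 != 0)
        return -1;
    if (ilen >= 4) {
        if (in[ilen - 1] == '=') pad++;
        if (pad == 1 && in[ilen - 2] == '=') pad++;
    }
    need = ilen / 4 * 3 - pad;          /* exact decoded length */
    if (need > olen)
        return -1;                       /* refuse instead of overflowing */

    for (size_t i = 0; i < ilen; i += 4) {
        uint32_t quad = 0;
        for (int k = 0; k < 4; k++) {
            size_t pos = i + k;
            int v = 0;
            if (in[pos] == '=') {
                /* '=' is only legal in the final pad slots */
                if (pos < ilen - pad)
                    return -1;
            } else {
                v = b64_val((unsigned char)in[pos]);
                if (v < 0)
                    return -1;
            }
            quad = (quad << 6) | (uint32_t)v;
        }
        /* emit at most the bytes the padding allows; o never exceeds need */
        if (o < need) out[o++] = (unsigned char)(quad >> 16);
        if (o < need) out[o++] = (unsigned char)(quad >> 8);
        if (o < need) out[o++] = (unsigned char)quad;
    }
    return (long)o;
}

/* Demonstration helper: decode `in` into a buffer declared as `olen` bytes
 * and compare to `expected`. Returns 1 on match, 0 if the decoder refused,
 * -1 if the output mismatched or any byte beyond olen was modified. */
int b64_try(const char *in, size_t olen, const char *expected)
{
    unsigned char buf[64];
    long n;

    if (olen > sizeof(buf))
        return -1;
    memset(buf, 0xAA, sizeof(buf));                  /* canary past olen */
    n = b64_decode_checked(in, strlen(in), buf, olen);
    for (size_t i = olen; i < sizeof(buf); i++)
        if (buf[i] != 0xAA)
            return -1;                               /* out-of-bounds write */
    if (n < 0)
        return 0;
    if ((size_t)n != strlen(expected) || memcmp(buf, expected, (size_t)n) != 0)
        return -1;
    return 1;
}

int main(void)
{
    /* Constructed inputs: exact fit succeeds, one byte short is refused. */
    printf("exact fit : %d\n", b64_try("aGVsbG8=", 5, "hello"));
    printf("too small : %d\n", b64_try("aGVsbG8=", 4, "hello"));
    printf("bad pad   : %d\n", b64_try("AB=C", 16, ""));
    return 0;
}
```

The property worth copying is that the size check and the write loop derive from the same `need` value, so a buffer sized exactly to the decoded length is accepted and one byte less is rejected before any write happens.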
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.3/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.3.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
   Changelog        : http://www.haproxy.org/download/2.3/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (2):
      Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"
      MINOR: action: Use a generic function to check validity of an action rule list

Dragan Dosen (1):
      BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}

Tim Duesterhus (3):
      BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
      BUG/MINOR: tools: Fix loop condition in dump_text()
      CLEANUP: Add missing include guard to signal.h

Willy Tarreau (13):
      BUG/MEDIUM: h2: match absolute-path not path-absolute for :path
      BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
      REGTESTS: abortonclose: after retries, 503 is expected, not close
      BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions
      MINOR: compiler: implement an ONLY_ONCE() macro
      BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
      BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
      BUG/MINOR: vars: fix set-var/unset-var exclusivity in the keyword parser
      DOC: configuration: remove wrong tcp-request examples in tcp-response
      BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
      CLEANUP: htx: remove comments about "must be < 256 MB"
      BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
      REGTESTS: mark http_abortonclose as broken
---