Hi,

HAProxy 2.5-dev4 was released on 2021/08/17. It added 82 new commits after version 2.5-dev3.

This version was expected to be emitted last week but was slightly delayed so that it contains the final fixes for the H2 vulnerabilities reported by Tim that were described in the previous message. They affect Host name consistency with H2 backend servers when Host and :authority differ or when garbage is placed in the ":scheme" or ":path" headers, and one of them allows abusing the H2 ":method" pseudo-header to forge malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones).

In addition to this, this version contains a number of improvements:

- Filter support was added to Lua. It is now possible to write Lua scripts to filter HTTP or TCP sessions. For now, this feature is highly experimental and must not be used in production, as the API might still change a little (see lua-api/index.rst for the details). The API of the Channel class was revisited and an HTTPMessage class was added to help write filters. It comes with some limitations. First, it is not possible to yield inside a filter callback, and it is not clear yet whether this limitation will ever be lifted. Second, most functions exposed by the Channel class are forbidden when an HTTP message is filtered. Finally, only a few filter callbacks are supported for now: start_analyze, end_analyze, http_headers, http_payload, http_end and tcp_payload. This feature was not heavily tested, so if you try it, you will most probably encounter several bugs. Be gentle but don't hesitate to report them, and feel free to criticize the API. It is the first stage of this feature, and input and feedback will help us improve it.

- Health checks and agent checks can now be enabled on dynamically added servers. Off the top of my head, I think it was the last missing feature to get fully functional hot addition/removal of servers, so testers are really welcome!

- The enable/disable health/agent CLI commands that were mistakenly marked as deprecated while cleaning up the CLI help have been fixed, as they are not deprecated.

- The stats page now always continues to list stopped proxies during reloads, and only skips the internal ones (there was no such notion of internal proxies in the past, forcing us to resort to some tricks to avoid listing the ones used by the master CLI, for example). This means that it is finally possible to collect the last stats of a stopping process.

And 25 bugs were fixed, mostly on dynamic servers, Lua and, of course, H2.

Given that 2.5 is focused on technical improvements, I'm fine with merging patches reasonably late in the release cycle, so let's set a freeze of important code submissions on September 15th, which should allow one or two round trips before the 30th, after which anything too sensitive should be postponed to -next, and the focus will move towards fixing (or reverting) what was already merged, and cleaning it up. This should leave us with about one month for this and will allow us to release between late October and early November, just like we did for 2.3.
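The pseudo-header checks that the H2 fixes above describe (a strictly token-shaped :method, a valid :scheme syntax, a :path that starts with '/', and :authority taking precedence over Host), as an added illustration in Python rather than HAProxy's own C code. It assumes the request's headers have already been decoded into a dict keyed by lower-cased field name, and covers non-CONNECT requests only.

```python
"""Pseudo-header checks in the spirit of the 2.5-dev4 H2 fixes (added
illustration, not HAProxy code): reject an HTTP/2 request whose :method,
:scheme or :path would corrupt the HTTP/1.1 request rebuilt for a backend,
and let :authority win over a differing Host.  Non-CONNECT requests only."""
import re

# RFC 7230 "tchar" set: the only characters a request method may contain.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+\-.]*")


class BadH2Request(ValueError):
    """The request would yield a malformed or ambiguous HTTP/1 message."""


def h2_to_h1_request(headers: dict[str, str]) -> tuple[str, str]:
    """Return (request_line, host) for decoded HTTP/2 request headers.

    ``headers`` maps lower-cased field names, including the ":"-prefixed
    pseudo-headers, to values.  A failed check raises instead of forwarding.
    """
    for name, value in headers.items():
        if any(c in value for c in "\r\n\0"):
            # CR, LF or NUL in any field would spill into a new HTTP/1 line.
            raise BadH2Request(f"control character in {name}")
    method = headers.get(":method", "")
    if not _TOKEN_RE.fullmatch(method):
        # An empty method, or one carrying spaces or other separators,
        # would break the "METHOD SP path SP version" request line.
        raise BadH2Request("invalid :method")
    if not _SCHEME_RE.fullmatch(headers.get(":scheme", "")):
        raise BadH2Request("invalid :scheme")
    path = headers.get(":path", "")
    # RFC 7540 allows "*" only for OPTIONS; anything else must start with '/'.
    if not path.startswith("/") and not (method == "OPTIONS" and path == "*"):
        raise BadH2Request("invalid :path")
    # :authority takes precedence over a differing Host header, so the backend
    # sees one consistent host name for the request.
    host = headers.get(":authority") or headers.get("host", "")
    if not host or " " in host:
        raise BadH2Request("invalid :authority/Host")
    return f"{method} {path} HTTP/1.1", host


def is_rejected(headers: dict[str, str]) -> bool:
    """True when the request fails a check (handy for callers and tests)."""
    try:
        h2_to_h1_request(headers)
    except BadH2Request:
        return True
    return False
```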
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (24):
      BUG/MINOR: server: fix race on error path of 'add server' CLI if track
      BUG/MINOR: server: remove srv from px list on CLI 'add server' error
      MINOR: server: unmark deprecated on enable health/agent cli
      MEDIUM: task: implement tasklet kill
      MINOR: server: initialize fields for dynamic server check
      MINOR: check: allocate default check ruleset for every backends
      MINOR: check: export check init functions
      MINOR: check: do not increment global maxsock at runtime
      MINOR: server: implement a refcount for dynamic servers
      MEDIUM: check: implement check deletion for dynamic servers
      MINOR: check: enable safe keywords for dynamic servers
      MEDIUM: server: implement check for dynamic servers
      MEDIUM: server: implement agent check for dynamic servers
      REGTESTS: server: add dynamic check server test
      MINOR: doc: specify ulimit-n usage for dynamic servers
      REGTESTS: server: fix dynamic server with checks test
      BUG/MINOR: check: test if server is not null in purge
      MINOR: global: define MODE_STOPPING
      BUG/MINOR: server: do not use refcount in free_server in stopping mode
      BUG/MINOR: check: do not reset check flags on purge
      BUG/MINOR: check: fix leak on add dynamic server with agent-check error
      BUG/MEDIUM: check: fix leak on agent-check purge
      BUG/MEDIUM: server: support both check/agent-check on a dynamic instance
      REGTESTS: add a test to prevent h2 desync attacks

Christopher Faulet (27):
      MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
      BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
      BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
      BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer
      BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
      MINOR: lua: Add a flag on lua context to know the yield capability at run time
      BUG/MINOR: lua: Yield in channel functions only if lua context can yield
      BUG/MINOR: lua: Don't yield in channel.append() and channel.set()
      MINOR: filters/lua: Release filters before the lua context
      MINOR: lua: Add a function to get a reference on a table in the stack
      MEDIUM: lua: Process buffer data using an offset and a length
      MEDIUM: lua: Improve/revisit the lua api to manipulate channels
      DOC: Improve the lua documentation
      MEDIUM: filters/lua: Add support for dummy filters written in lua
      MINOR: lua: Add a function to get a filter attached to a channel class
      MINOR: lua: Add flags on the lua TXN to know the execution context
      MEDIUM: filters/lua: Be prepared to filter TCP payloads
      MEDIUM: filters/lua: Support declaration of some filter callback functions in lua
      MEDIUM: filters/lua: Add HTTPMessage class to help HTTP filtering
      MINOR: filters/lua: Add request and response HTTP messages in the lua TXN
      MINOR: filters/lua: Support the HTTP filtering from filters written in lua
      DOC: config: Fix 'http-response send-spoe-group' documentation
      BUG/MINOR: lua: Properly check negative offset in Channel/HttpMessage functions
      BUG/MINOR: lua: Properly catch alloc errors when parsing lua filter directives
      BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
      BUG/MINOR: lua/filters: Return right code when txn:done() is called
      DOC: lua-api: Add documentation about lua filters

David Carlier (1):
      BUILD: tools: get the absolute path of the current binary on NetBSD.

Emeric Brun (1):
      BUG/MEDIUM: cfgcheck: verify existing log-forward listeners during config check

Ilya Shipitsin (3):
      CI: travis-ci: temporarily disable arm64 builds
      CLEANUP: assorted typo fixes in the code and comments
      CI: github actions: relax OpenSSL-3.0.0 version comparision

Jonathon Lacher (1):
      DOC/MINOR: fix typo in management document

Kunal Gangakhedkar (1):
      DOC: Minor typo fix - 'question mark' -> 'exclamation mark'

Tim Duesterhus (1):
      CI: Remove obsolete USE_SLZ=1 CI job

William Lallemand (8):
      MINOR: log: rename 'dontloglegacyconnerr' to 'log-error-via-logformat'
      MINOR: doc: rename conn_status in `option httsplog`
      MINOR: proxy: disabled takes a stopping and a disabled state
      MINOR: stats: shows proxy in a stopped state
      BUG/MINOR: buffer: fix buffer_dump() formatting
      MINOR: channel: remove an htx block from a channel
      MINOR: cli: delare the CLI frontend as an internal proxy
      MINOR: proxy: disable warnings for internal proxies

Willy Tarreau (15):
      CLEANUP: thread: fix fantaisist indentation of thread_harmless_till_end()
      MINOR: threads: make thread_release() not wait for other ones to complete
      MEDIUM: threads: add a stronger thread_isolate_full() call
      MEDIUM: servers: make the server deletion code run under full thread isolation
      MINOR: activity/fd: remove the dead_fd counter
      MAJOR: fd: get rid of the DWCAS when setting the running_mask
      CLEANUP: fd: remove the now unused fd_set_running()
      CLEANUP: fd: remove the now unneeded fd_mig_lock
      BUG/MINOR: server: update last_change on maint->ready transitions too
      ADMIN: dyncookie: implement a simple dynamic cookie calculator
      MINOR: http: add a new function http_validate_scheme() to validate a scheme
      BUG/MAJOR: h2: verify early that non-http/https schemes match the valid syntax
      BUG/MAJOR: h2: verify that :path starts with a '/' before concatenating it
      BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
      BUG/MEDIUM: h2: give :authority precedence over Host

---