Hi,

HAProxy 2.5.7 was released on 2022/05/13. It added 43 new commits after version 2.5.6.

This release fixed a regression in the H1 multiplexer, introduced in the previous release. If an H2 message announced the payload size with a Content-Length header and contained trailers, an internal error was triggered during forwarding on the other side, in the H1 multiplexer.

A major issue in the DNS part was also fixed: a concurrency issue that could lead to a crash when a DNS request was failing. Because of some missing locks on the dgram structure, it was possible to set the UDP socket FD to -1 on one thread while it was being used to access the fdtab array on another one.

Willy performed a refactoring of applets in 2.6-dev, especially the CLI applet. During this refactoring, he fixed several issues with CLI commands: the "show resolvers" command was not properly yielding, "show backend" was dumping the state of internal proxies, some locks were missing in the "show map" command, SSL commands were mixing two internal contexts inside the same union, and so on. It is very unlikely to have ever hit any issue related to one of these bugs, but not impossible though.

Here is the list of other issues fixed by this release:

  * A server abort or a server timeout could be experienced with FCGI backend connections when the END_REQUEST record was delayed for responses with no content-length.
  * There was a memory leak in the redirect rules with the ignore-empty option. The rule processing could be aborted without releasing the allocated trash buffer.
  * There was a memory leak during the deinit stage in the resolvers part. Tim fixed it.
  * There was an issue in the loop consuming HTX blocks of the response in the HTTP client. The HTX API was not properly used and could lead to undefined behaviors.
  * Lua functions to delete data from a channel's buffer or from an HTTP message were not properly handling their arguments.
  * A timing issue could lead to some delay in the server-side connection establishment. It was a tricky issue, but sometimes the server-side connection attempts were only validated after the "timeout connect" value, and only with H2 clients.
  * H2 streams were marked as open after processing them instead of before. It could be an issue when a client didn't respect the H2 MAX_CONCURRENT_STREAMS setting, because the max_id was only updated on the success path. Thus, under some circumstances a connection error could be reported instead of a stream error.
  * The watchdog could be erroneously triggered because an uninitialized value was not tested. It was possible to encounter this issue in the master just after loading the configuration.
  * Some shared pools were not properly released on exit.
  * It was reported that the maximum line length in the server-state file was too small. It was increased to 2kB.

In addition, some improvements were backported:

  * The "close-spread-time" option may now be set to "infinite". This disables active connection closing during a soft-stop. The 'connection: close' header or the GOAWAY frame will not be added anymore to the server's response, and active connections will only be closed once the clients disconnect. Idle connections will not be closed all at once when the soft-stop starts anymore, and each idle connection will follow its own timeout based on the multiple timeouts set in the configuration (as is the case during regular execution).
  * The "h1-accept-payload-with-any-method" global option was added to accept HTTP/1.1 GET/HEAD/DELETE requests with a payload. Those requests are rejected by default for security reasons, to avoid request smuggling attacks on some servers or intermediaries. But it may be an issue with some old clients. This option must be set with caution.
  * The "tune.ssl.hard-maxrecord" global option was added. This setting complements the existing "tune.ssl.maxrecord", which was only used during low-latency transfers to permit browsers to start parsing the response during the first RTT. The new one enforces the limit on all records, and helps interoperate with low-memory-footprint IoT devices which cannot deal with a 16kB record.

Thanks everyone for your help and your contributions!

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

---
Complete changelog :
Boyang Li (2):
      BUG/MEDIUM: lua: fix argument handling in data removal functions
      DOC/MINOR: fix typos in the lua-api document

Christopher Faulet (7):
      BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option
      BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel
      BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
      BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
      DOC: config: Update doc for PR/PH session states to warn about rewrite failures
      MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
      CLEANUP: mux-h1: Fix comments and error messages for global options

Emeric Brun (1):
      BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket

Ilya Shipitsin (2):
      CI: github actions: update LibreSSL to 3.5.2
      CI: dynamically determine actual version of h2spec

Remi Tricot-Le Breton (2):
      MINOR: connection: Add way to disable active connection closing during soft-stop
      BUG/MINOR: ssl: Fix typos in crl-file related CLI commands

Thomas Prückl (1):
      MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"

Tim Duesterhus (1):
      BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()

William Lallemand (4):
      BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
      BUG/MINOR: startup: usage() when no -cc arguments
      BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
      BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized

Willy Tarreau (22):
      BUILD: compiler: properly distinguish weak and global symbols
      BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
      SCRIPTS: announce-release: add URL of dev packages
      BUG/MINOR: mux-h2: mark the stream as open before processing it not after
      MINOR: mux-h2: report a trace event when failing to create a new stream
      BUG/MEDIUM: resolvers: make "show resolvers" properly yield
      BUG/MEDIUM: cli: make "show cli sockets" really yield
      BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
      BUG/MINOR: map/cli: protect the backref list during "show map" errors
      BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
      BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
      BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl contexts
      BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
      BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
      DOC: fix typo "ant" for "and" in INSTALL
      BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
      BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
      BUILD: listener: shut report of possible null-deref in listener_accept()
      BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
      DOC: install: update gcc version requirements
      BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
      CLEANUP: applet: make appctx_new() initialize the whole appctx

vigneshsp (1):
      BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).

-- 
Christopher Faulet
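As an added illustration (not part of the announcement or of the HAProxy project's own documentation), here is a configuration fragment exercising the three backported global options described above, with the safer default kept for payload handling. The sample values, the "fe_legacy" frontend and the per-frontend deny rule are my own assumptions; the deny rule only matters if someone does uncomment the global relaxation.

```haproxy
# Added example for the HAProxy 2.5.7 backported options; values are
# illustrative, not tuned recommendations.
global
    # Soft-stop: "infinite" disables active closing entirely. No
    # "connection: close" header or GOAWAY is injected; idle connections
    # expire on their own configured timeouts and active ones close only
    # when the client disconnects. A time value would spread closes instead.
    # close-spread-time 30s
    close-spread-time infinite

    # Left commented on purpose: by default the H1 multiplexer rejects
    # GET/HEAD/DELETE requests that carry a payload, which removes one
    # request-smuggling ambiguity between HAProxy and servers or
    # intermediaries behind it. Enable only for a known legacy client.
    # h1-accept-payload-with-any-method

    # tune.ssl.maxrecord only shapes the first bytes of a transfer (so a
    # browser can start parsing within the first RTT); hard-maxrecord caps
    # every record, for IoT clients that cannot buffer a full 16kB record.
    tune.ssl.maxrecord 1400
    tune.ssl.hard-maxrecord 4096

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Hypothetical frontend: if the global relaxation ever has to be enabled
# for one legacy client, keep refusing bodies on GET/HEAD/DELETE on every
# other frontend. Both the Content-Length and Transfer-Encoding forms of
# "this request has a body" are covered.
frontend fe_legacy
    bind :8080
    acl has_body req.hdr_val(content-length) gt 0
    acl has_body req.hdr(transfer-encoding) -m found
    http-request deny deny_status 400 if { method GET HEAD DELETE } has_body
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8081
```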