Hi,

This is an update of branch 1.4, after 10 months of fixes.

Aside from the various minor fixes that could accumulate over almost one year, we have four fixes for important bugs:

- http-send-name-header was still broken and could cause corrupted requests to be sent when requests were pipelined. The bug was reported by Guillaume Castagnino and debugged by Cyril and myself. It made us scratch our heads a lot; I think it has been one of the hardest ones to fix so far because 1.4's infrastructure is not well suited to support this feature. Thus if you use it, it should now be safe, but if any new bug surfaces, please upgrade to 1.5.

- a possible integer overflow could happen when computing available data in a buffer when combined with http-send-name-header, resulting in a read overflow which can crash the process. Did I say that we shouldn't use http-send-name-header in 1.4?

- using http-send-name-header with a POST request whose body fills the request buffer could cause a memmove to be performed with a negative size length if the connection to the server fails and is redispatched to a server with a longer name, crashing the process.

- issuing "show sess" on the CLI may sometimes maintain a reference to a session which is not properly released if the CLI is suddenly aborted while the reference is kept (e.g. buffer full). This can silently corrupt the back ref list and cause haproxy to crash when freeing pools, typically while soft-stopping on a reload, causing the loss of all established sessions.

The other ones are not that important and probably self-explanatory from the changelog below:

- BUG/MINOR: stats: fix a typo on a closing tag for a server tracking another one
- BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
- BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
- BUG/MINOR: log: fix request flags when keep-alive is enabled
- BUG/MINOR: checks: prevent http keep-alive with http-check expect
- BUG/MEDIUM: backend: Update hash to use unsigned int throughout
- BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized"
- BUG/MINOR: build: handle whitespaces in wc -l output
- DOC: httplog does not support 'no'
- BUG/MEDIUM: regex: fix risk of buffer overrun in exp_replace()
- BUILD: fix Makefile.bsd
- BUILD: also fix Makefile.osx
- BUG/MAJOR: http: fix again http-send-name-header
- BUG/MAJOR: buffer: fix possible integer overflow on reserved size computation
- BUG/MAJOR: buffer: don't schedule data in transit for leaving until connected
- BUG/MINOR: http: don't report server aborts as client aborts
- DOC: stop referencing the slow git repository in the README
- DOC: remove the ultra-obsolete TODO file
- BUILD: remove TODO from the spec file and add README
- MINOR: log: make MAX_SYSLOG_LEN overridable at build time
- DOC: remove references to CPU=native in the README
- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
- BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
- BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
- BUG/MINOR: config: don't inherit the default balance algorithm in frontends
- BUG/MEDIUM: http: fix header removal when previous header ends with pure LF
- BUG/MINOR: http: abort request processing on filter failure

For distro package maintainers, I'd suggest backporting at least all the MAJOR and MEDIUM fixes.

Usual links below:

Site index       : http://www.haproxy.org/
Sources          : http://www.haproxy.org/download/1.4/src/devel/
Changelog        : http://www.haproxy.org/download/1.4/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/configuration-1.4.html

Willy