Hi,

This is an update of branch 1.4, after 10 months of fixes.

Aside from the various minor fixes that could accumulate over almost one year, we
have four fixes for important bugs:

  - http-send-name-header was still broken and could cause corrupted requests
    to be sent when requests were pipelined. The bug was reported by Guillaume
    Castagnino and debugged by Cyril and myself. It made us scratch our heads
    a lot ; I think it has been one of the hardest ones to fix so far because
    1.4's infrastructure is not well suited to support this feature. Thus if
    you use it, it should now be safe, but if any new bug surfaces, please
    upgrade to 1.5.

  - a possible integer overflow could happen when computing available data in
    a buffer when combined with http-send-name-header, resulting in a read
    overflow which can crash the process. Did I say that we shouldn't use
    http-send-name-header in 1.4 ?

  - using http-send-name-header with a POST request whose body fills the
    request buffer could cause a memmove to be performed with a negative
    size length if the connection to the server fails and is redispatched
    to a server with a longer name, crashing the process.

  - issuing "show sess" on the CLI may sometimes maintain a reference to a
    session which is not properly released if the CLI is suddenly aborted
    while the reference is kept (eg: buffer full). This can silently corrupt
    the back ref list and cause haproxy to crash when freeing pools, typically
    while soft-stopping on a reload, causing the loss of all established
    sessions.

The other ones are not that important and probably self-explanatory from
the changelog below :

    - BUG/MINOR: stats: fix a typo on a closing tag for a server tracking another one
    - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
    - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
    - BUG/MINOR: log: fix request flags when keep-alive is enabled
    - BUG/MINOR: checks: prevent http keep-alive with http-check expect
    - BUG/MEDIUM: backend: Update hash to use unsigned int throughout
    - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized"
    - BUG/MINOR: build: handle whitespaces in wc -l output
    - DOC: httplog does not support 'no'
    - BUG/MEDIUM: regex: fix risk of buffer overrun in exp_replace()
    - BUILD: fix Makefile.bsd
    - BUILD: also fix Makefile.osx
    - BUG/MAJOR: http: fix again http-send-name-header
    - BUG/MAJOR: buffer: fix possible integer overflow on reserved size computation
    - BUG/MAJOR: buffer: don't schedule data in transit for leaving until connected
    - BUG/MINOR: http: don't report server aborts as client aborts
    - DOC: stop referencing the slow git repository in the README
    - DOC: remove the ultra-obsolete TODO file
    - BUILD: remove TODO from the spec file and add README
    - MINOR: log: make MAX_SYSLOG_LEN overridable at build time
    - DOC: remove references to CPU=native in the README
    - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
    - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
    - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
    - BUG/MINOR: config: don't inherit the default balance algorithm in frontends
    - BUG/MEDIUM: http: fix header removal when previous header ends with pure LF
    - BUG/MINOR: http: abort request processing on filter failure

For distro package maintainers, I'd suggest backporting at least all the
MAJOR and MEDIUM fixes.

Usual links below :
     Site index       : http://www.haproxy.org/
     Sources          : http://www.haproxy.org/download/1.4/src/devel/
     Changelog        : http://www.haproxy.org/download/1.4/src/CHANGELOG
     Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/configuration-1.4.html

Willy
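
Added example, not part of the original message and not HAProxy's code: a simplified model of the bug class in the third item above, where a signed length goes negative before reaching memmove(), next to a checked rewrite that refuses the operation instead. `struct reqbuf`, `CAP`, `naive_move_len`, `replace_name_checked`, `fill_sample` and the buffer layout are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CAP 32                      /* constructed, tiny buffer for the demo */
struct reqbuf { char data[CAP]; int len; };
/* Length a naive in-place rewrite would pass to memmove(): the tail, capped
 * to the room left after the new name. Signed, so it can go negative. */
int naive_move_len(const struct reqbuf *b, int pos, int oldlen, int newlen)
{
    int tail = b->len - (pos + oldlen);
    int room = CAP - (pos + newlen);     /* < 0 when the new name overshoots */
    return tail < room ? tail : room;
}

/* Checked rewrite: replace oldlen bytes at pos with name.
 * Returns the new length, or -1 with the buffer untouched if it cannot fit. */
int replace_name_checked(struct reqbuf *b, int pos, int oldlen, const char *name)
{
    size_t newlen = strlen(name), tail;
    if (b->len < 0 || b->len > CAP || pos < 0 || oldlen < 0 ||
        pos > b->len || oldlen > b->len - pos)
        return -1;
    tail = (size_t)(b->len - pos - oldlen);
    if (newlen > (size_t)(CAP - pos) - tail)
        return -1;                       /* refuse instead of underflowing */
    memmove(b->data + pos + newlen, b->data + pos + oldlen, tail);
    memcpy(b->data + pos, name, newlen);
    b->len = (int)((size_t)pos + newlen + tail);
    return b->len;
}

/* Constructed sample: 24 header bytes, name "s1" at offset 24, then body
 * bytes up to a total length of len (26 <= len <= CAP). */
void fill_sample(struct reqbuf *b, int len)
{
    memset(b->data, 'h', 24);
    memcpy(b->data + 24, "s1", 2);
    memset(b->data + 26, 'b', (size_t)(len - 26));
    b->len = len;
}

int main(void)
{
    struct reqbuf b;
    fill_sample(&b, CAP);                /* body fills the buffer */
    int n = naive_move_len(&b, 24, 2, 10);
    printf("naive size: %d -> (size_t)%zu, checked: %d\n", n, (size_t)n,
           replace_name_checked(&b, 24, 2, "backend-02"));
    return 0;
}
```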

