Hi, HAProxy 2.2.6 was released on 2020/11/30. It added 49 new commits after version 2.2.5.
Two major bugs were fixed in this version, both leading to memory corruption and random crashes. The first one was in the SPOE: some released SPOE applets could still be referenced in the offload streams. There are many ways to trigger this bug; the easiest is probably during reloads.

The second one was in the checks. The buffers used for I/O were still allocated by hand during startup with a specific size (not necessarily the same as the other buffers). But since the recent refactoring of the checks to rely exclusively on tcp-checks and to use the underlying mux layer, this part was totally buggy. Indeed, because these buffers are now passed to a mux, they may be swapped if a zero-copy is possible. For now this is only possible in h2_rcv_buf(), so the bug concretely only existed if an h2 health-check was performed, but it was a latent bug for the other muxes. Now these buffers are allocated from the buffer pool. As a side effect, the "tune.chksize" global option is now deprecated.

Another major bug fixed is a possible overflow of the offset variable when using filters. It was in fact a hidden bug, only revealed by another commit of this release, so not so major in reality. The commit in question is a fix on filters to forward all filtered data at the end of HTTP filtering: when HTTP filtering ends, if some filtered data has not been forwarded yet, it is now forwarded in flt_http_end(). This is required for tunnels established using a CONNECT.

The last major bug fixed is an inter-release bug, introduced by Willy's attempt to fix a decoding problem in the peers implementation which was leading to protocol errors. Frédéric also fixed two other bugs on peers and added some traces so that exchanges can now be observed. Everything should be fixed on this part now.

Amaury fixed a problem in the checks which could lead to a segfault when a pure tcp-check was performed on an HTTP server. Now, extra tests are performed during startup to select the right mode, and an error is triggered if an incompatibility is detected.

A bug in the http-after-response ruleset was fixed. These rules are not expected to be evaluated on an empty response, which may happen when an empty errorfile is returned. This case is now properly handled.

Maciej fixed the sample fetches that retrieve message cookies when called without a cookie name. This case was never properly handled, contrary to what the doc says. He also implemented the "-m" argument to the "del-header" action to match on a full header name, a substring, a prefix, a suffix, or even a regex.

Thierry fixed a bug in string pattern matching: constant samples must be duplicated first so that they are not overwritten when the trailing 0 is added.

William Lallemand fixed an SSL bug, a segfault on startup when a certificate using the X509v3 AKID extension without the keyid field was loaded. And the ssl_{c,s}_chain_der fetch methods, added by William Dauchy, were backported.

On the build part, Tim added the DEBUG flags to the haproxy -vv output. He also added them to the .build_opts file, forcing recompilation if the flags change.

The configuration manual was improved. Among others, Willy added a better description of the configuration file format and the escaping/quoting rules.

The other fixes and patches are listed in the complete changelog below. It is highly recommended to update to this version.
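As an added illustration (not part of this announcement and not taken from the HAProxy sources), here is a configuration fragment showing the new "-m" matching method of the "del-header" action. The directive syntax "http-request del-header <name> -m <meth>" with the methods str, beg, end, sub and reg is assumed from the HAProxy 2.2 configuration manual; the header names and backend addresses are constructed for the example. The practical use is the defensive one: stripping whole families of internal or debug headers from client requests before they reach a backend, with one rule instead of one rule per header.

```haproxy
# Added example, not from the release announcement or the HAProxy tree.
# Syntax of "del-header ... -m <meth>" assumed from the 2.2 configuration
# manual; header names and addresses below are constructed.
frontend fe_web
    bind :8080
    mode http

    # Exact name match (the default, equivalent to "-m str")
    http-request del-header X-Internal-Debug

    # Prefix match: drop every header whose name begins with "x-internal-"
    http-request del-header x-internal- -m beg

    # Suffix match: drop headers such as X-Auth-Token or X-Session-Token
    http-request del-header Token -m end

    # Substring match: drop any header whose name contains "debug"
    http-request del-header debug -m sub

    # Regex match: drop legacy "X-Old-*" and "X-Legacy-*" headers in one rule
    http-request del-header ^x-(old|legacy)- -m reg

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8000
```

The same "-m" flag is assumed to be accepted by "http-response del-header", which is the natural place to scrub server-side headers (internal hostnames, framework version banners) before the response leaves the proxy. After a reload, "haproxy -c -f <file>" confirms the rules parse on the running version, since the flag does not exist on releases before 2.2.6.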
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :

Amaury Denoyelle (3):
      BUG/MEDIUM: check: reuse srv proto only if using same mode
      MINOR: check: report error on incompatible proto
      MINOR: check: report error on incompatible connect proto

Christopher Faulet (20):
      MINOR: http-htx: Add understandable errors for the errorfiles parsing
      BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
      DOC: config: Fix a typo on ssl_c_chain_der
      BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
      BUG/MINOR: http-htx: Handle warnings when parsing http-error and http-errors
      BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
      MINOR: spoe: Don't close connection in sync mode on processing timeout
      BUG/MINOR: tcpcheck: Don't warn on unused rules if check option is after
      MINOR: init: Fix the prototype for per-thread free callbacks
      MINOR: config/mux-h2: Return ERR_ flags from init_h2() instead of a status
      REGTEST: make ssl_client_samples and ssl_server_samples require to 2.2
      BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
      BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
      BUG/MEDIUM: http-ana: Don't eval http-after-response ruleset on empty messages
      BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
      BUG/MINOR: tcpcheck: Don't forget to reset tcp-check flags on new kind of check
      MINOR: tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main
      BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer pool
      DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
      BUG/MINOR: http-fetch: Fix smp_fetch_body() when called from a health-check

Eric Salama (1):
      MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.

Frédéric Lécaille (3):
      BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
      BUG/MINOR: peers: Missing TX cache entries reset.
      MINOR: peers: Add traces to peer_treat_updatemsg().

Joao Morais (2):
      DOC: clarify how to create a fallback crt
      DOC: better describes how to configure a fallback crt

Maciej Zdeb (5):
      BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
      BUG/MINOR: http_htx: Fix searching headers by substring
      MINOR: http_act: Add -m flag for del-header name matching method
      BUG/MEDIUM: http_act: Restore init of log-format list
      DOC: Clarify %HP description in log-format

Thierry Fournier (2):
      BUG/MINOR: pattern: a sample marked as const could be written
      BUG/MINOR: lua: set buffer size during map lookups

Tim Duesterhus (3):
      REGTESTS: Add sample_fetches/cook.vtc
      BUILD: Make DEBUG part of .build_opts
      BUILD: Show the value of DEBUG= in haproxy -vv

William Dauchy (2):
      MINOR: ssl: add ssl_{c,s}_chain_der fetch methods
      REGTESTS: converter: add url_dec test

William Lallemand (2):
      BUG/MINOR: ssl: double free w/ smp_fetch_ssl_x_chain_der()
      BUG/MINOR: ssl: segv on startup when AKID but no keyid

Willy Tarreau (5):
      BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher
      BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
      BUILD: http-htx: fix build warning regarding long type in printf
      BUG/MAJOR: peers: fix partial message decoding
      DOC: better document the config file format and escaping/quoting rules

Your Name (1):
      MINOR: plock: use an ARMv8 instruction barrier for the pause instruction

--
Christopher Faulet