Hi,

HAProxy 2.2.6 was released on 2020/11/30. It added 49 new commits after
version 2.2.5.

Two major bugs were fixed in this version, both leading to memory
corruption and random crashes. The first one was in the SPOE. Some released
spoe applets could still be referenced in the offload streams. There are
many ways to trigger this bug. The easiest is probably during reloads. The
second one was in the checks. The buffers used for I/O were still allocated
by hand during the startup with a specific size (not necessarily the same
as other buffers). But since the recent refactoring of the checks to rely
exclusively on the tcp-checks and to use the underlying mux layer, this part
was totally buggy. Indeed, because these buffers are now passed to a mux,
they may be swapped if a zero-copy is possible. In fact, for now it is
only possible in h2_rcv_buf(). Thus, the bug concretely only existed if an h2
health-check was performed. But it was a latent bug for other muxes. Now,
these buffers are allocated using the buffer pool. As a side effect, the
"tune.chksize" global option is now deprecated.

Another major bug fixed is a possible overflow in the offset variable when
using the filters. It was in fact a hidden bug, only revealed by another
commit of this release. So, not so major in reality. The commit in question
is a fix on filters to forward all filtered data at the end of http
filtering. When http filtering ends, if there are some filtered data not
forwarded yet, we now forward them in flt_http_end(). It is required for
tunnels established using a CONNECT.

The last major bug fixed is an inter-release bug, in Willy's attempt to
fix a decoding problem in the peers implementation which was leading to
protocol errors. Frédéric also fixed two other bugs on peers and added some
traces so that exchanges can now be observed. Everything should be fixed on
this part now.

Amaury fixed a problem in the checks which could lead to a segfault when a
pure tcp-check was performed on an HTTP server. Now, extra tests are
performed during startup to select the right mode and an error is triggered
if an incompatibility is detected.

A bug in the http-after-response ruleset was fixed. It is unexpected to
evaluate these rules on an empty response. This may happen when an empty
errorfile is returned. This case is now properly handled.

Maciej fixed the sample fetches to retrieve message cookies when called
without a cookie name. This case was never properly handled, contrary to what
the doc says. He also implemented the "-m" argument to the "del-header"
action to match on a full header name, a substring, a prefix, a suffix, or
even a regex.

Thierry fixed a bug in string pattern matching. Constant sample fetches must
be duplicated first so they are not overwritten when the trailing 0 is added.

William Lallemand fixed an SSL bug, a segfault on startup when a certificate
using the X509v3 AKID extension without the keyid field was loaded. And the
ssl_{c,s}_chain_der fetch methods, added by William Dauchy, were backported.

On the build part, Tim added the DEBUG flags to the haproxy -vv output. He also
added them to the .build_opts file, forcing recompilation if the flags change.

The configuration manual was improved. Among others, Willy added a better
description of the configuration file format and the escaping/quoting rules.

The other fixes and patches are listed in the complete changelog below. It
is highly recommended to update to this version.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/


---
Complete changelog :
Amaury Denoyelle (3):
      BUG/MEDIUM: check: reuse srv proto only if using same mode
      MINOR: check: report error on incompatible proto
      MINOR: check: report error on incompatible connect proto

Christopher Faulet (20):
      MINOR: http-htx: Add understandable errors for the errorfiles parsing
      BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
      DOC: config: Fix a typo on ssl_c_chain_der
      BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
      BUG/MINOR: http-htx: Handle warnings when parsing http-error and http-errors
      BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
      MINOR: spoe: Don't close connection in sync mode on processing timeout
      BUG/MINOR: tcpcheck: Don't warn on unused rules if check option is after
      MINOR: init: Fix the prototype for per-thread free callbacks
      MINOR: config/mux-h2: Return ERR_ flags from init_h2() instead of a status
      REGTEST: make ssl_client_samples and ssl_server_samples require to 2.2
      BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
      BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
      BUG/MEDIUM: http-ana: Don't eval http-after-response ruleset on empty messages
      BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
      BUG/MINOR: tcpcheck: Don't forget to reset tcp-check flags on new kind of check
      MINOR: tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main
      BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer pool
      DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
      BUG/MINOR: http-fetch: Fix smp_fetch_body() when called from a health-check

Eric Salama (1):
      MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.

Frédéric Lécaille (3):
      BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
      BUG/MINOR: peers: Missing TX cache entries reset.
      MINOR: peers: Add traces to peer_treat_updatemsg().

Joao Morais (2):
      DOC: clarify how to create a fallback crt
      DOC: better describes how to configure a fallback crt

Maciej Zdeb (5):
      BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
      BUG/MINOR: http_htx: Fix searching headers by substring
      MINOR: http_act: Add -m flag for del-header name matching method
      BUG/MEDIUM: http_act: Restore init of log-format list
      DOC: Clarify %HP description in log-format

Thierry Fournier (2):
      BUG/MINOR: pattern: a sample marked as const could be written
      BUG/MINOR: lua: set buffer size during map lookups

Tim Duesterhus (3):
      REGTESTS: Add sample_fetches/cook.vtc
      BUILD: Make DEBUG part of .build_opts
      BUILD: Show the value of DEBUG= in haproxy -vv

William Dauchy (2):
      MINOR: ssl: add ssl_{c,s}_chain_der fetch methods
      REGTESTS: converter: add url_dec test

William Lallemand (2):
      BUG/MINOR: ssl: double free w/ smp_fetch_ssl_x_chain_der()
      BUG/MINOR: ssl: segv on startup when AKID but no keyid

Willy Tarreau (5):
      BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher
      BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
      BUILD: http-htx: fix build warning regarding long type in printf
      BUG/MAJOR: peers: fix partial message decoding
      DOC: better document the config file format and escaping/quoting rules

Your Name (1):
      MINOR: plock: use an ARMv8 instruction barrier for the pause instruction

--
Christopher Faulet
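The "-m" matching methods for the "del-header" action and the cookie fetch
without a cookie name mentioned in the announcement above, as an added
configuration example that is not part of the original message or of the
HAProxy project itself. The frontend/backend names, header names, port and
variable name are made up for illustration; the "-m" values (str, beg, end,
sub, reg) are the ones documented for the action.

```haproxy
# Added example (not from the announcement): strip internal headers from
# client requests with each of the "-m" matching methods of del-header.
frontend www
    bind :80

    # Exact name (the default when -m is omitted, same as -m str).
    http-request del-header X-Internal-Trace

    # Prefix: every header whose name starts with "X-Debug-".
    http-request del-header X-Debug- -m beg

    # Suffix: every header whose name ends with "-Internal".
    http-request del-header -Internal -m end

    # Substring: every header whose name contains "Secret".
    http-request del-header Secret -m sub

    # Regex: headers an untrusted client must not be able to set.
    http-request del-header ^X-(Forwarded-Host|Real-IP)$ -m reg

    # Cookie fetch without a name: the first cookie value, whatever its name.
    # The variable name "txn.first_cookie" is made up for this example.
    http-request set-var(txn.first_cookie) req.cook

    default_backend app

backend app
    server s1 127.0.0.1:8080 check
```

The same "-m" argument applies to "http-response del-header", which is the usual
place to remove server-side headers before they reach the client.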
