Hi,

HAProxy 2.4.11 was released on 2022/01/07. It added 20 new commits after version 2.4.10.

This version addresses a small number of issues that were not merged into 2.4.10 yet, either because not strictly required and uncertain by then, or because they were fixed after.

- there was a possible slow memory leak of struct sockaddr during layer-7 retries that would end up with a redispatch. We're speaking about ~200 bytes per retried request, which normally doesn't harm, but can at least fool some monitoring and cause some concerns

- there was a risk of frozen stream or spinning loop when combining layer-7 retries with some filters because an analyser responsible for releasing the filter was dropped. This was fixed.

- there was an allocation problem when SSL was configured using a "default-server" directive. Some SSL settings like "crt" or possibly "ca" as well were causing an SSL_CTX to be allocated too early (at the moment the directive was parsed) and replicated for each server inheriting it. But that led to problems when these fields were updated at runtime for a given server as that could affect other servers as well. And during soft-stop it would cause double-free issues as reported in github issue 1488.

- William found that a number of free() were missing for server SSL settings when deleting a server. That's not dramatic but it could definitely be noticeable by those adding/removing servers often.

- splicing of HTTP/1.1 responses would always incorrectly end up in closing the client connection at the end of the transfer, and was simply disabled for messages of unknown lengths (neither content-length nor transfer-encoding). This was fixed.

- since 2.4 during a soft-stop we're closing all idle frontend connections so that we don't have to wait for clients to time out nor for them to send a new request. But it turns out that doing it as any server would do it disturbs AWS' ALB, which immediately emits a 502 to their clients after failing to upload a new request on such a closed connection. It's well known (and documented) that reused connections have a window of uncertainty and that an agent must retry on them (which is why haproxy usually silently closes with the client when it experiences this so that the client can decide to retry). Thus ALB's behavior is incorrect and prevents using keep-alive normally with the next hop. What was done here was to add an option "idle-close-on-response" to reintroduce the old behavior and wait for clients to speak first before closing. Credits go to William Dauchy for the report and the workaround.

- eliminate a rare risk of deadlock when built with DEBUG_UAF. It would only affect developers chasing some use-after-free bugs, but better fix it anyway.

- on reload we used to transfer listening sockets by packs of 253 between the old and the new process but it looks like for whatever reason on musl 253 doesn't work and the limit is 252. It might be caused by a slightly different layout for the message. So the limit was lowered by one as this will definitely not affect reload time!

- Daniel Jakots fixed the build with libreSSL 3.5 and newer (some macros didn't work anymore).

- David Carlier fixed the build with FreeBSD 14, which changes the cpuset API to better match Linux's.

- another build issue, this time with clang on i386. It tries to make use of the CMPXCHG8B instruction to perform 64-bit atomics but incorrectly expects the operands to be 64-bit aligned while neither the ABI nor the instruction has this requirement. So basically it complains about the code it produces itself. The analysis showed that working around this would require tens to hundreds of isolated hacks and that the least dirty solution is to disable the warning. Firefox faced the same issue 3 years ago and adopted the same workaround. I guess nobody's interested anymore in i386 for anyone to expect a fix there anyway.

- fixed some usual "maybe unused" warnings on old compilers for unusual platforms (gcc-4.7 on MIPS with threads disabled).

- a small improvement, in order to help users provide exploitable cores, there's now a new command-line option "-dL" which dumps the dynamic libraries that were detected at run time just before forking. This possibly includes dependencies from Lua or various other libs that do not always appear in "ldd". Typically libgcc_s is listed. The output format allows piping that to tar to produce an archive of all executable code that apparently tends to open well with a core, irrelevant to the distros in use. Since it eases bug reports, we've decided to backport it.

There's still one thing currently being discussed in issue 1498: there is an incompatibility between the nghttp client and a few HTTP/2 servers among which haproxy when the HPACK headers table is set by the client to a value lower than the default one (4096). It comes from a part of the HPACK spec which is prone to different interpretations. Given that discussions with the nghttp author quickly ended up with calling servers who applied word for word what is written as "broken" and the issue being closed and locked, we discussed it within the HTTP working group instead, and it seems that a consensus is coming up on a spec change to adapt servers to do what nghttp expects (as there's a gray area related to settings update in the middle of a connection) and marking its behavior as non-interoperable to discourage users from relying too much on that. I think it's the most reasonable way forward that will best support deployed implementations. It will involve a dirty hack in the code but it's quite a simple one for which a patch already exists. It's just sad that we have to implement code for features we do not use :-/ Thus I guess this will get merged soon once the discussions are over and the change merged in the new spec.

Now I'd say that if you're already on 2.4.10 and are not using SSL to reach your servers, there's no emergency to update.
If you're before 2.4.10 this is a great opportunity to get rid of old painful bugs. If you're using SSL servers, you'd rather upgrade before reporting any crash that we'll likely attribute to SSL.

I wanted to also emit a 2.5.1 as there are a few issues that would warrant a release by now. However Pierre Cheynier reported a few very bizarre crashes on reload that only affect 2.5 that we're still working on. William thinks they might possibly have a relation with the recent updates in the master-worker code so it's better not to rush a release until we get a better idea of the root cause.

I hope to emit 2.3 and 2.2 next week, and 2.0 either next week or the week after.

Oh, and as discussed a few days ago, since nobody objected, I'll mark 1.7 end-of-life. There's not even a relevant fix for it in queue, let's let it RIP.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (3):
      BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message
      BUG/MINOR: mux-h1: Fix splicing for messages with unknown length
      BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry

Daniel Jakots (1):
      BUILD: ssl: unbreak the build with newer libressl

David CARLIER (1):
      BUILD/MINOR: cpuset FreeBSD 14 build fix.

David Carlier (1):
      BUILD/MINOR: tools: solaris build fix on dladdr.

Thierry Fournier (1):
      DOC: fix misspelled keyword "resolve_retries" in resolvers

William Dauchy (1):
      MINOR: proxy: add option idle-close-on-response

William Lallemand (5):
      BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
      REGTESTS: ssl: fix ssl_default_server.vtc
      BUG/MINOR: ssl: free the fields in srv->ssl_ctx
      BUG/MEDIUM: ssl: free the ckch instance linked to a server
      BUG/MINOR: cli: fix _getsocks with musl libc

Willy Tarreau (7):
      BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch
      BUG/MINOR: pools: don't mark ourselves as harmless in DEBUG_UAF mode
      BUILD: cli: clear a maybe-unused warning on some older compilers
      BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
      MINOR: compat: detect support for dl_iterate_phdr()
      MINOR: debug: add ability to dump loaded shared libraries
      MINOR: debug: add support for -dL to dump library names at boot
---
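As an added illustration of the "idle-close-on-response" option described in the announcement above (a configuration written for this page, not taken from the release or the HAProxy documentation; ports, section names and the backend address are placeholders):

```haproxy
# Added example, not from the announcement: two frontends showing the default
# soft-stop behaviour and the behaviour reintroduced by idle-close-on-response.
global
    # upper bound on how long a soft-stopping process waits before exiting
    hard-stop-after 30s

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 10s

# Default behaviour since 2.4: on soft-stop haproxy actively closes idle
# keep-alive connections. A client that follows the HTTP rules retries on a
# fresh connection; AWS ALB instead answers its own clients with a 502.
frontend fe_direct
    bind :8080
    default_backend be_app

# Placed behind an ALB: keep idle connections open during soft-stop, wait for
# the client to send its next request and close only after responding to it.
frontend fe_behind_alb
    bind :8081
    option idle-close-on-response
    default_backend be_app

backend be_app
    # placeholder application server
    server app1 127.0.0.1:9000 check
```

With the option set, the soft-stop can only finish once each idle client has spoken or its client timeout has expired, so hard-stop-after bounds the worst case.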