Hi,
HAProxy 2.2.25 was released on 2022/07/27. It added 57 new commits
after version 2.2.24.
Here is the unsorted list of main issues fixed in this release, cut-pasted
from the 2.4.18 announce:
* On HTTP/2, the maintainer of the Lighttpd web server reported a nasty
case that he observed between curl and lighttpd which is very similar to
the so-called "Silly Window Syndrome" in TCP where a difference of one
byte between a buffer size and a window size may progressively make the
transfer degenerate until almost all frames are 1-byte in size. It's not
a bug in any product, just a consequence of making certain
standard-compliant stacks interoperate. Some workarounds were placed in
various components that allowed the issue to appear. We did careful
testing on HAProxy and couldn't produce it there, in part due to our
buffer management that makes it difficult to read exactly the sizes that
produce the issue. But there's nothing either that can strictly prevent
it from happening (e.g. with a sender using smaller frames maybe). So we
implemented the workaround as well, which will also result in sending
slightly fewer frames during uploads.
* The protocol matching for HTTP/1.X is now strict. Non-HTTP/1.X protocols
are now rejected by default. This can be relaxed by adding
"accept-invalid-http-request" option.
* The set of CLI commands used to manage SSL certificates has been improved.
Message/error reporting for "commit ssl" commands may have been lost if
HAProxy's internal output buffer was full. And a crash was reproduced on
"add ssl crt-list" but this was encountered only in the dubious case
where it referenced a certificate used both by a bind and a server
instance.
* HAProxy might rewrite some parts of an HTTP request outside of
http-rules, for example to add an X-Forwarded-For header when "option
forwardfor" is set. Previously, failures on these rewrite operations
were reported as internal errors in logs. Now, this appears as a rewrite
failure, which is consistent with http-rules error reporting.
* New option "http-restrict-req-hdr-names" was added at the proxy level.
It can be used to inspect HTTP header names and decide what to do with
those having any character other than alphanumerical or dash ("-"),
either delete the header or reject the request. The purpose is to help
protect application servers that map dash to underscore due to CGI
inheritance, or worse, which crash when passed such characters. The
option is automatically set to the delete mode in backends having FastCGI
configured.
* Tunneled H1 sessions could be blocked when raw data were received before
the end of the request analysis because of a wrong assumption on the
request buffer emptiness.
* A bug in the "method" sample fetch could lead to a crash if it was used
in logs for errors triggered at the mux level. This sample requires a
stream, which does not yet exist when an early error is reported by a
mux. Now, a non-match is returned in this case.
* Invalid 103-early-hints messages could be generated when some "early-hint"
rules were conditioned by ACLs.
* Some sessions could leak because connection errors were ignored by the H1
multiplexer during a synchronous send. It is only a transient leakage but
could be quite long, depending on the client or server timeout values.
* An internal error was reported when loadbalancing on source IP address
was impossible. It could happen with SPOE applets or with clients
connected to HAProxy via a unix socket. Now, when this happens, a
fallback to round-robin is performed.
* The lookup for a private key in extra files was not skipped when the key
was already found in the pem file, while it should have been.
* Depending on the declaration order of "http-check send" and "option
httpchk" directives, the configured headers could be ignored. Now a
previous list of headers is replaced by a new one only if it is not
empty.
* It was possible to crash HAProxy by defining multiple bind lines in a
peers section. An error is now reported during configuration parsing.
* A warning is now reported when some unsupported keywords are used in
peers section instead of silently ignoring them. init_addr, resolvers,
check, agent-check are concerned.
* DNS resolution is now ignored for disabled proxies, which prevents some
crashes.
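To make the "http-restrict-req-hdr-names" item above concrete, here is an added example (not HAProxy's code) that models the three policy modes of that option (the directive is written "option http-restrict-req-hdr-names { preserve | delete | reject }") and shows why header names containing characters other than alphanumericals or dashes are a problem for CGI-style servers: the CGI mapping of dash to underscore makes two distinct names land on the same meta-variable. The request headers below are constructed for the demonstration.

```python
import re

# The rule from the announcement: only alphanumerical characters or dash.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")

# Constructed sample request: the two X-Client-Id variants are distinct
# header names on the wire but collide once a CGI server maps them.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Client-Id", "from-proxy"),
    ("X_Client_Id", "from-client"),
]


def cgi_env_name(header_name):
    """CGI meta-variable a server derives from a request header name:
    uppercase, dash replaced by underscore, prefixed with HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_collisions(headers):
    """Map each CGI variable to the set of distinct header names producing
    it, keeping only the variables reached by more than one name."""
    seen = {}
    for name, _value in headers:
        seen.setdefault(cgi_env_name(name), set()).add(name)
    return {env: names for env, names in seen.items() if len(names) > 1}


def restrict_req_hdr_names(headers, mode="preserve"):
    """Apply the policy to a list of (name, value) pairs.
    Returns (headers_to_forward, request_rejected)."""
    if mode not in ("preserve", "delete", "reject"):
        raise ValueError("unknown mode: %r" % (mode,))
    if mode == "preserve":          # legacy behaviour: forward as-is
        return list(headers), False
    kept = []
    for name, value in headers:
        if _SAFE_NAME.match(name):
            kept.append((name, value))
        elif mode == "reject":      # one bad name refuses the whole request
            return [], True
        # mode == "delete": silently drop the offending header
    return kept, False


if __name__ == "__main__":
    print("collisions before filtering:", cgi_collisions(SAMPLE_HEADERS))
    for mode in ("preserve", "delete", "reject"):
        kept, rejected = restrict_req_hdr_names(SAMPLE_HEADERS, mode)
        print(mode, "->", kept, "rejected=%s" % rejected)
```

With "delete" (the mode HAProxy selects automatically on FastCGI backends) the collision disappears before the request reaches the application; with "reject" the client gets an error instead.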
Thanks everyone for your help and your contributions!
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Documentation : http://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.2/src/
Git repository : http://git.haproxy.org/git/haproxy-2.2.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
Changelog : http://www.haproxy.org/download/2.2/src/CHANGELOG
Pending bugs : http://www.haproxy.org/l/pending-bugs
Reviewed bugs : http://www.haproxy.org/l/reviewed-bugs
Code reports : http://www.haproxy.org/l/code-reports
Latest builds : http://www.haproxy.org/l/dev-packages
---
Complete changelog :
Christopher Faulet (29):
MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
REGTESTS: abortonclose: Fix some race conditions
BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
BUG/MINOR: check: Reinit the buffer wait list at the end of a check
BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
BUG/MEDIUM: dns: Keep the right count of active nameservers for a resolver
BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
REGTESTS: abortonclose: Add a barrier to not mix up log messages
REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
REGTESTS: restrict_req_hdr_names: Extend supported versions
BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
REGTESTS: healthcheckmail: Update the test to be functionnal again
REGTESTS: healthcheckmail: Relax health-check failure condition
BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL
state
BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
REGTESTS: Fix some scripts to be compatible with 2.4 and prior
BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
David Carlier (1):
BUILD: fix build warning on solaris based systems with __maybe_unused.
Emeric Brun (4):
BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
DOC: peers: clarify when entry expiration date is renewed.
DOC: peers: fix port number and addresses on new peers section format
Ilya Shipitsin (3):
CI: determine actual LibreSSL version dynamically
CI: determine actual OpenSSL version dynamically
CI: re-enable gcc asan builds
Remi Tricot-Le Breton (2):
BUG/MINOR: ssl: Fix crash when no private key is found in pem
BUG/MINOR: ssl: Do not look for key in extra files if already in pem
Thayne McCombs (1):
BUG/MEDIUM: sample: Fix adjusting size in word converter
Tim Duesterhus (2):
BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)
William Lallemand (3):
BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
BUG/MINOR: peers: fix possible NULL dereferences at config parsing
BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
Willy Tarreau (12):
BUG/MINOR: cfgparse: abort earlier in case of allocation error
BUG/MINOR: peers: fix error reporting of "bind" lines
SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
SCRIPTS: make publish-release try to launch make-releases-json
DOC: peers: indicate that some server settings are not usable
BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
BUILD: compiler: implement unreachable for older compilers too
BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
BUG/MINOR: server: do not enable DNS resolution on disabled proxies
BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
BUG/MINOR: peers/config: always fill the bind_conf's argument
--
Christopher Faulet