Hi,
HAProxy 2.6.9 was released on 2023/02/14. It added 35 new commits
after version 2.6.8.

The main reason for this release today is the availability of a fix for the
vulnerability explained in the other thread (CVE-2023-25725).

In addition, this version addresses the following issues:
  - a risk of crash in QUIC when "option nolinger" is present, when
    dealing with 1-RTT packets, or when no space is available to send
    trailers or H3 SETTINGS frames.
  - a regression from a previous fix that caused some server-side
    connections not to expire if some unsent data are blocked in the
    request channel.
  - a 13-year-old issue with the expiration of old entries in stick-tables
    that slows down eviction at every timer period rollover (49.7 days),
    making the table size and memory usage grow for a while until all of
    them were either refreshed or expired. I'm still puzzled that 3 users
    apparently noticed it at the same time around the last rollover on
    Jan 30th.
  - hot-adding a server via the CLI could result in it not taking traffic
    if its "maxconn" value was set and not the "minconn" one, causing 503
    responses to be returned.
  - file-backed rings used by traces were not properly unmapped before
    being closed, sometimes resulting in losing the latest updates.
  - a bug in the SSL cache eviction that affected WolfSSL was fixed, but
    it's unclear if it could affect other libs (OpenSSL apparently was not,
    due to fixed-size records).
  - a warning will be emitted when a crt-list line is malformed.
  - minor doc fixes.

The changes are intentionally limited so that all users of 2.6.8 and older
can update without taking risks.

Please find the usual URLs below:
Site index: https://www.haproxy.org/
Documentation: https://docs.haproxy.org/
Wiki: https://github.com/haproxy/wiki/wiki
Discourse: https://discourse.haproxy.org/
Slack channel: https://slack.haproxy.org/
Issue tracker: https://github.com/haproxy/haproxy/issues
Sources:
  https://www.haproxy.org/download/20230214-cve-2023-25725/src/
Git repository:
  https://git.haproxy.org/git/haproxy-20230214-cve-2023-25725.git/
Git Web browsing:
  https://git.haproxy.org/?p=haproxy-20230214-cve-2023-25725.git
Changelog:
  https://www.haproxy.org/download/20230214-cve-2023-25725/src/CHANGELOG
Dataplane API:
  https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs: https://www.haproxy.org/l/pending-bugs
Reviewed bugs: https://www.haproxy.org/l/reviewed-bugs
Code reports: https://www.haproxy.org/l/code-reports
Latest builds: https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog:
Aleksey Ponomaryov (1):
      BUG/MEDIUM: stick-table: do not leave entries in end of window during purge

Amaury Denoyelle (4):
      MINOR: mux-quic/h3: define stream close callback
      BUG/MEDIUM: h3: handle STOP_SENDING on control stream
      BUG/MINOR: h3: fix crash due to h3 traces
      BUG/MEDIUM: quic: do not split STREAM frames if no space

Aurelien DARRAGON (12):
      DEV: hpack: fix `trash` build regression
      BUG/MINOR: fcgi-app: prevent 'use-fcgi-app' in default section
      BUG/MINOR: stats: use proper buffer size for http dump
      BUG/MINOR: stats: fix source buffer size for http dump
      BUG/MEDIUM: stats: fix resolvers dump
      BUG/MINOR: stats: fix ctx->field update in stats_dump_proxy_to_buffer()
      BUG/MINOR: stats: fix show stats field ctx for servers
      BUG/MINOR: stats: fix STAT_STARTED behavior with full htx
      DOC: config: fix option spop-check proxy compatibility
      DOC: config: 'http-send-name-header' option may be used in default section
      MINOR: cfgparse/server: move (min/max)conn postparsing logic into dedicated function
      BUG/MINOR: server/add: ensure minconn/maxconn consistency when adding server

Christopher Faulet (1):
      BUG/MEDIUM: stconn: Schedule a shutw on shutr if data must be sent first

Frédéric Lécaille (7):
      BUG/MINOR: quic: Possible stream truncations under heavy loss
      BUG/MINOR: quic: Too big PTO during handshakes
      BUG/MINOR: quic: Do not ignore coalesced packets in qc_prep_fast_retrans()
      MINOR: quic: When probing Handshake packet number space, also probe the Initial one
      BUG/MAJOR: quic: Possible crash when processing 1-RTT during 0-RTT session
      MEDIUM: quic: Remove qc_conn_finalize() from the ClientHello TLS callbacks
      BUG/MINOR: quic: Unchecked source connection ID

William Lallemand (2):
      BUG/MEDIUM: ssl: wrong eviction from the session cache tree
      BUG/MINOR: ssl/crt-list: warn when a line is malformated

Willy Tarreau (8):
      BUG/MINOR: sink: make sure to always properly unmap a file-backed ring
      DEV: haring: add a new option "-r" to automatically repair broken files
      BUG/MINOR: log: release global log servers on exit
      BUG/MINOR: sink: free the forwarding task on exit
      BUG/MEDIUM: cache: use the correct time reference when comparing dates
      BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend
      DOC: proxy-protocol: fix wrong byte in provided example
      BUG/CRITICAL: http: properly reject empty http header field names

---