Sat, 29 Jun 2024 at 12:01, Willy Tarreau <w...@1wt.eu>:
> Hi,
>
> HAProxy 3.1-dev2 was released on 2024/06/29. It added 45 new commits
> after version 3.1-dev1.
>
> Several fixes related to the recent 3.0 release are present in this
> version, as well as a few older ones. Most visible are three QUIC
> crashes, a possible double free on stick-tables, issues affecting
> aws-lc with ECDSA, a risk of server flapping when DNS resolution
> times out, and the usual amount of small fixes all over the place.
>
> In addition we've been notified by Yuki Mogi of FFRI Security that
> some of our pseudo-headers in H3 were not sanitized enough and that
> these could theoretically be abused with some severely non-compliant
> backend servers, so this was fixed as well. This will be backported
> to the next stable versions as it's not dramatic enough to warrant a
> release on its own.
>
> The "show dev" command was improved to report command-line args as
> well as boot & current capabilities. Linux capabilities switched to
> v3 instead of v1 in order to avoid a deprecation warning on recent
> kernels. We've checked the impacts and apparently there are none,
> beyond the lack of support of kernels prior to 2.6.26, so we'll soon
> backport it to 3.0 so as to silence the annoying warning users are
> facing.
>
> A date converter was added to take an HTTP date on input and produce
> a UNIX timestamp on output. This will help calculate expiration delays
> for example.
>
> The sigalg feature was added for aws-lc, which, I think, should now
> match 1:1 the features level of openssl (unless I'm missing something).
>

It is VERY close to openssl. However, there are a few gaps. The one I'm aware of is
haproxy/include/haproxy/quic_tls.h at master · haproxy/haproxy (github.com)
<https://github.com/haproxy/haproxy/blob/master/include/haproxy/quic_tls.h#L143-L154>

aws-lc implements chacha20_poly1305 in a different way than QuicTLS. And if that gap is eliminated, it will be a good point to declare aws-lc as a recommended QUIC lib.

If we compare aws-lc against openssl-1.1 (not quictls), it indeed matches (maybe except some niche features like async).

>
> Some hints were added to crash outputs to suggest how to decode the
> core file and what to report.
>
> And the rest is a start of files reorganization, cleanups and doc updates.
>
> Really nothing truly exciting but it's only dev2, be patient :-)
>
> Regarding the MPTCP and CONNECT patches that have been floating around,
> I just couldn't assign a single minute to them since my return from
> vacation. Maybe I'll have an eye on one of them next week, maybe the
> week after. Don't worry, they're not forgotten. I'd also like that we
> revive Tristan's abns change proposal for 3.1, now that we're no longer
> at the end of a cycle. I'll also try better next time to advance the
> release to the middle of the week but this time it didn't work.
>
> Please find the usual URLs below :
>    Site index       : https://www.haproxy.org/
>    Documentation    : https://docs.haproxy.org/
>    Wiki             : https://github.com/haproxy/wiki/wiki
>    Discourse        : https://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : https://www.haproxy.org/download/3.1/src/
>    Git repository   : https://git.haproxy.org/git/haproxy.git/
>    Git Web browsing : https://git.haproxy.org/?p=haproxy.git
>    Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
>    Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
>    Pending bugs     : https://www.haproxy.org/l/pending-bugs
>    Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
>    Code reports     : https://www.haproxy.org/l/code-reports
>    Latest builds    : https://www.haproxy.org/l/dev-packages
>
> Willy
> ---
> Complete changelog :
> Amaury Denoyelle (12):
>       BUG/MAJOR: quic: fix padding with short packets
>       BUG/MAJOR: quic: do not loop on emission on closing/draining state
>       SCRIPTS: git-show-backports: do not truncate git-show output
>       BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
>       BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
>       BUG/MINOR: h3: fix BUG_ON() crash on control stream alloc failure
>       BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
>       BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
>       BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
>       BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
>       BUG/MINOR: quic: fix race condition in qc_check_dcid()
>       BUG/MINOR: quic: fix race-condition on trace for CID retrieval
>
> Aurelien DARRAGON (11):
>       BUG/MINOR: log: fix broken '+bin' logformat node option
>       DEBUG: hlua: distinguish burst timeout errors from exec timeout errors
>       BUG/MEDIUM: proxy: fix email-alert invalid free
>       REORG: mailers: move free_email_alert() to mailers.c
>       BUG/MINOR: proxy: fix email-alert leak on deinit() (2nd try)
>       DOC: management: document ptr lookup for table commands
>       DOC: api/event_hdl: small updates, fix an example and add some precisions
>       BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
>       MINOR: cfgparse/log: remove leftover dead code
>       BUG/MINOR: server: fix first server template name lookup UAF
>       BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout or error
>
> Christopher Faulet (2):
>       BUG/MEDIUM: stick-table: Decrement the ref count inside lock to kill a session
>       MINOR: stick-table: Always decrement ref count before killing a session
>
> Frederic Lecaille (1):
>       BUILD: Missing inclusion header for ssize_t type
>
> Valentine Krasnobaeva (9):
>       MINOR: capabilities: export capget and __user_cap_header_struct
>       MINOR: capabilities: prepare support for version 3
>       MINOR: capabilities: use _LINUX_CAPABILITY_VERSION_3
>       MINOR: cli/debug: show dev: add cmdline and version
>       MINOR: cli/debug: show dev: show capabilities
>       REORG: init: do MODE_CHECK_CONDITION logic first
>       REORG: init: encapsulate CHECK_CONDITION logic in a func
>       REORG: init: encapsulate 'reload' sockpair and master CLI listeners creation
>       REORG: init: encapsulate code that reads cfg files
>
> William Lallemand (6):
>       REGTESTS: ssl: fix some regtests 'feature cmd' start condition
>       BUG/MEDIUM: ssl: AWS-LC + TLSv1.3 won't do ECDSA in RSA+ECDSA configuration
>       MINOR: ssl: activate sigalgs feature for AWS-LC
>       REGTESTS: ssl: activate new SSL reg-tests with AWS-LC
>       DOC: configuration: fix alphabetical order of bind options
>       MINOR: sample: date converter takes HTTP date and output an UNIX timestamp
>
> Willy Tarreau (4):
>       DEV: flags/show-fd-to-flags: adapt to recent versions
>       MINOR: debug: print gdb hints when crashing
>       BUILD: debug: also declare strlen() in __ABORT_NOW()
>       MINOR: activity: make the memory profiling hash size configurable at build time
>
> ---
>
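The date converter mentioned in the quoted announcement (HTTP date in, UNIX timestamp out, used to compute an expiration delay), shown as an added stand-alone example in C. This is not HAProxy's own converter code; the function names http_date_to_unix and expiry_delay and the sample dates are my own, and it assumes a glibc-style strptime()/timegm().

```c
#define _GNU_SOURCE          /* strptime() and timegm() on glibc */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Convert an RFC 7231 HTTP-date into a UNIX timestamp (seconds since the
 * epoch, UTC). All three grammars a recipient must accept are tried:
 * IMF-fixdate, the obsolete RFC 850 form and the asctime() form.
 * Returns -1 when the string is not a complete, valid HTTP-date.
 * Added example; this is not HAProxy's own converter implementation. */
static time_t http_date_to_unix(const char *s)
{
    static const char *const fmts[] = {
        "%a, %d %b %Y %H:%M:%S GMT", /* Sun, 06 Nov 1994 08:49:37 GMT */
        "%A, %d-%b-%y %H:%M:%S GMT", /* Sunday, 06-Nov-94 08:49:37 GMT
                                        (%y uses the POSIX 1969-2068 pivot,
                                        not RFC 7231's 50-year rule) */
        "%a %b %d %H:%M:%S %Y",      /* Sun Nov  6 08:49:37 1994 */
    };
    for (size_t i = 0; i < sizeof(fmts) / sizeof(fmts[0]); i++) {
        struct tm tm;
        const char *end;

        memset(&tm, 0, sizeof(tm));
        end = strptime(s, fmts[i], &tm);
        if (end && *end == '\0')     /* reject trailing garbage */
            return timegm(&tm);      /* HTTP dates are always UTC */
    }
    return (time_t)-1;
}

/* Expiration delay in seconds from 'now' until an Expires-style header
 * value; 0 when the date is already past or unparsable (RFC 7234 treats
 * an invalid Expires value as "already expired"). */
static long expiry_delay(const char *http_date, time_t now)
{
    time_t exp = http_date_to_unix(http_date);

    if (exp == (time_t)-1 || exp <= now)
        return 0;
    return (long)(exp - now);
}

int main(void)
{
    /* constructed sample values */
    const char *expires = "Sun, 06 Nov 1994 08:49:37 GMT";
    time_t now = 784111777 - 300;

    printf("%s -> %ld (expires in %lds)\n", expires,
           (long)http_date_to_unix(expires), expiry_delay(expires, now));
    return 0;
}
```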