Hi,
HAProxy 2.8.12 was released on 2024/11/08. It added 30 new commits
after version 2.8.11.
This release is quite small. It is emitted to flush the pipe and to remain
aligned with the other versions. The following bugs were fixed:
* During OCSP update, an issue with the reference counting caused some
certificates to reference a just-freed OCSP response.
* Crashes may be experienced with "update ssl ocsp-response" CLI command
because of concurrent accesses to the OCSP response by the main OCSP
update task.
* It was possible to experience a deadlock by setting the maxconn of a
frontend on the CLI, because of a double lock on the proxy lock.
* It was possible to reuse HTTP connections for requests to different
endpoints because some address families were not properly handled. The
issue was encountered with the HTTP client and UNIX socket combination.
* A crash could happen in mux-pt if an error happened on the connection
just before an abort that is going to emit a shutdown, and with a
pending wakeup that completes some work on a connection having no
transport layer anymore. This only affects TCP (e.g. peers and master
CLI; GH #2656).
* At the stream-connector level, data blocked by an error on the sending
path was not always properly detected, leaving streams blocked without
any timeout armed.
* On the QUIC side, a stream could be erroneously closed with an empty frame
with the FIN bit set instead of a RESET_STREAM frame when no data was sent
at all; and the server timeout was never armed for small requests, fully
received when the stream is created.
* A server abort was reported on an invalid HTTP response payload instead
of an internal error. And it was also possible to report a client abort
instead of a server abort during the HTTP response forwarding. The right
termination states are now reported in both cases.
* The "set ssl cert" CLI command was not properly checking the transaction
name. That could lead to accidentally committing a transaction on the wrong
certificate.
* A memory leak was possible if a failure was encountered when a dynamic
server was added with the check or agent-check option. In that case, the
server could not be released because its refcount was incremented too
early. In addition, access to the global server list during a dynamic
server deletion was not protected against concurrent accesses. In the
long term, this could cause list corruption and crashes.
In addition to these bug fixes, two improvements were added:
* Some invalid Transfer-Encoding values are now accepted during the H1
response parsing when the accept-invalid-http-response option is enabled,
even though they are forbidden by RFC 9112. So, now, with this option,
multiple "chunked" values are accepted, as well as empty values. When
several "chunked" values are found, the payload is still considered to be
encoded only once and the header is sanitized when sent to the client.
The request parsing was not changed. This remains forbidden on the
request side because a client sending an invalid T-E header is highly
suspicious. On the server side, the server can be considered trusted.
But you must still remain careful with such behavior. And, of course, the
best is to fix the application.
* Memory profiling was also improved. Some entries were displayed with a
NULL return address, causing confusion. Now, undecodable stacks causing
an apparent NULL return address all lead to the "other" bin.
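As an added illustration of the Transfer-Encoding relaxation described above (this is example code written for this announcement, not HAProxy's parser; the function names and the exact sanitization rules are assumptions), the following model keeps the request side strict and only relaxes the response side when the option is set, collapsing repeated "chunked" values to a single one so the payload is decoded once and a clean header is forwarded:

```python
# Added example: strict vs relaxed Transfer-Encoding (T-E) header handling,
# modelled on the behaviour described for "option accept-invalid-http-response".
# Not HAProxy code; names and sanitization details are assumptions.

from dataclasses import dataclass
from typing import Optional


@dataclass
class TEDecision:
    accept: bool                 # is the message accepted at all?
    chunked: bool                # must the body be decoded as chunked (once)?
    sanitized: Optional[str]     # header value to forward; None = drop the header
    reason: str = ""             # why it was rejected, if it was


def _reject(reason: str) -> TEDecision:
    return TEDecision(accept=False, chunked=False, sanitized=None, reason=reason)


def parse_transfer_encoding(value: str, relaxed: bool = False) -> TEDecision:
    """Parse a comma-separated Transfer-Encoding list.

    Strict mode (the default) rejects empty list elements and a "chunked"
    coding that appears more than once. Relaxed mode ignores empty elements
    and collapses repeated "chunked" values to one, treating the payload as
    chunk-encoded once; the collapsed value is what gets forwarded.
    """
    codings = []
    for element in value.split(","):
        element = element.strip()
        if element == "":
            if not relaxed:
                return _reject("empty transfer-coding element")
            continue  # relaxed: ignore the empty element
        codings.append(element.lower())

    if codings.count("chunked") > 1:
        if not relaxed:
            return _reject("chunked transfer-coding applied more than once")
        # Keep the first "chunked", drop duplicates, preserve the other codings' order.
        deduped, seen_chunked = [], False
        for coding in codings:
            if coding == "chunked":
                if seen_chunked:
                    continue
                seen_chunked = True
            deduped.append(coding)
        codings = deduped

    if not codings:
        # Only reachable in relaxed mode: the value held nothing but separators.
        return TEDecision(accept=True, chunked=False, sanitized=None)
    return TEDecision(accept=True, chunked="chunked" in codings,
                      sanitized=", ".join(codings))


def check_header(value: str, side: str,
                 accept_invalid_http_response: bool = False) -> TEDecision:
    """Apply the asymmetry from the release notes: only responses can be relaxed."""
    if side not in ("request", "response"):
        raise ValueError("side must be 'request' or 'response'")
    relaxed = side == "response" and accept_invalid_http_response
    return parse_transfer_encoding(value, relaxed=relaxed)


# Constructed sample header values (not captured traffic).
SAMPLES = ["chunked", "chunked, chunked", "gzip,,chunked", ",", "gzip, chunked"]

if __name__ == "__main__":
    for value in SAMPLES:
        req = check_header(value, "request", accept_invalid_http_response=True)
        resp = check_header(value, "response", accept_invalid_http_response=True)
        print(f"{value!r:20} request={'ok' if req.accept else 'REJECT'} "
              f"response={resp.sanitized!r} chunked={resp.chunked}")
```

Running the block prints, for each constructed value, that the request side still rejects duplicated or empty codings while the relaxed response side forwards a single, cleaned-up value. The asymmetry is the point: a client that sends an ambiguous T-E header is the classic ingredient of request smuggling, so the request parser stays strict, whereas a trusted but sloppy origin server can be tolerated without leaking the malformed header downstream.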
Thanks everyone for your help!
Please find the usual URLs below:
Site index: https://www.haproxy.org/
Documentation: https://docs.haproxy.org/
Wiki: https://github.com/haproxy/wiki/wiki
Discourse: https://discourse.haproxy.org/
Slack channel: https://slack.haproxy.org/
Issue tracker: https://github.com/haproxy/haproxy/issues
Sources: https://www.haproxy.org/download/2.8/src/
Git repository: https://git.haproxy.org/git/haproxy-2.8.git/
Git Web browsing: https://git.haproxy.org/?p=haproxy-2.8.git
Changelog: https://www.haproxy.org/download/2.8/src/CHANGELOG
Dataplane API: https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs: https://www.haproxy.org/l/pending-bugs
Reviewed bugs: https://www.haproxy.org/l/reviewed-bugs
Code reports: https://www.haproxy.org/l/code-reports
Latest builds: https://www.haproxy.org/l/dev-packages
---
Complete changelog:
Amaury Denoyelle (4):
      BUG/MEDIUM: mux-quic: ensure timeout server is active for short requests
      BUG/MINOR: mux-quic: do not close STREAM with empty FIN if no data sent
      BUG/MINOR: server: fix dynamic server leak with check on failed init
      BUG/MEDIUM: server: fix race on servers_list during server deletion
Aurelien DARRAGON (5):
      BUG/MEDIUM: server: server stuck in maintenance after FQDN change
      BUG/MEDIUM: hlua: make hlua_ctx_renew() safe
      BUG/MEDIUM: hlua: properly handle sample func errors in hlua_run_sample_{fetch,conv}()
      DOC: config: fix rfc7239 forwarded typo in desc
      BUG/MEDIUM: connection/http-reuse: fix address collision on unhandled address families
Christopher Faulet (9):
      MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
      DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
      BUG/MEDIUM: mux-pt: Never fully close the connection on shutdown
      BUG/MINOR: http-ana: Don't report a server abort if response payload is invalid
      REGTESTS: Never reuse server connection in http-messaging/truncated.vtc
      BUG/MINOR: http-ana: Fix wrong client abort reports during responses forwarding
      BUG/MEDIUM: stconn: Report blocked send if sends are blocked by an error
      BUG/MINOR: http-ana: Report internal error if an action yields on a final eval
      MINOR: stream: Save last evaluated rule on invalid yield
Oliver Dala (1):
      BUG/MEDIUM: cli: Deadlock when setting frontend maxconn
Remi Tricot-Le Breton (2):
      BUG/MAJOR: ocsp: Separate refcount per instance and per store
      BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
Valentine Krasnobaeva (2):
      BUG/MINOR: cfgparse-global: fix allowed args number for setenv
      BUG/MINOR: mworker: fix mworker-max-reloads parser
William Lallemand (3):
      BUG/MINOR: httpclient: return NULL when no proxy available during httpclient_new()
      MINOR: cli: remove non-printable characters from 'debug dev fd'
      BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly
Willy Tarreau (4):
      BUG/MINOR: server: make sure the HMAINT state is part of MAINT
      MINOR: activity/memprofile: always return "other" bin on NULL return address
      MINOR: pools: export the pools variable
      CLEANUP: connection: properly name the CO_ER_SSL_FATAL enum entry
--
Christopher Faulet