Hi,

HAProxy 3.2.6 was released on 2025/10/03. It added 57 new commits
after version 3.2.5.

As promised in the 3.2.6 announcement, here is the usual description of bugs
fixed by this release:

 * The most important one is obviously the mjson JSON decoder issue
   described in the previous mail. Decoding of numbers with large exponents
   was eating a lot of CPU and could even trigger the watchdog and kill the
   process. The "json_query()", "jwt_header_query()", and "jwt_payload_query()"
   converters were affected. This bug was assigned CVE-2025-11230 and
   affected all versions featuring the JSON decoder, that is, 2.4 and above.

 * While they are not strictly speaking bug fixes, several improvements on
   stick-tables were backported. The locking between stick-tables and peers
   was partially relaxed so that we don't insist too long anymore when
   detecting contention. Such contention used to cause severe performance
   degradation on some systems, sometimes even triggering the watchdog due
   to multi-millisecond delays multiplied by the number of entries
   processed at once. More batching and delayed work were used instead,
   resulting in higher overall performance and a much smoother traffic flow.

 * A number of multi-threaded tasks were moved to a single thread (e.g.
   table expiration, resolvers connections, etc.), because these were
   found to cause a lot of contention in the scheduler on high CPU count
   machines, for no added value.

 * On resolvers, the result of a "do-resolv" action was not cached, contrary
   to what is stated in the documentation. The "hold valid" time is now
   respected. In addition, the round-robin selection on records in DNS
   answers was restored. It was accidentally broken during the 2.5 development
   cycle. While it is an undocumented feature, some users rely on it,
   especially with the "do-resolv" action.

 * Several issues with acme were fixed: a possible UAF on an acme context, a
   crash because of an initialisation issue during startup of the acme
   sections, a crash with AWS-LC because some internal data were released
   with the libc free() function instead of OPENSSL_free(), and two possible
   overflows raised by Coverity.

 * Allocation failures were not properly handled in the Leastconn load
   balancing algorithm when a server was reinserted in the tree. Crashes
   could be experienced if the operation failed.

 * On the server side, a configured sni could be used as the pool name for idle
   connections for non-SSL servers. While this kind of configuration is
   unlikely, it could result from the inheritance of some default parameters. In
   that case, the connection reuse could be totally inoperative.

 * There was an issue when loading CA certificates from a directory. Only
   the first certificate of each file was loaded. It was an issue on some
   systems (debian/ubuntu ones were not affected). The issue was fixed by
   using X509_STORE_load_locations() on each file instead of loading
   certificates by hand.

 * In both H2 and H3, the 'Z' character (in upper case) was not rejected as
   expected from header field names. Thanks to @zhanhb, it is now fixed.

 * For the HTTP compression, the "minsize-req" and "minsize-res" options
   were evaluated for messages with a not fully known size. So it was
   possible to skip the compression for large messages because the available
   payload was under the configured limit. The options are now considered
   only when the size of the whole message is known.

 * Errors could be erroneously reported during the configuration parsing when
   the same virtual map (with the 'virt@' prefix) was used at different places.
   In addition, optional maps (with the 'opt@' prefix) were not properly
   referenced. The prefix was not removed from the map name as
   expected. Both issues were fixed.

 * The detection of stuck tasks was improved to be more accurate and limit
   wrong/ambiguous watchdog warnings.

In addition to these fixes, the "ssl_bc_sni" sample fetch function was
backported. It can be useful during debugging sessions to know what SNI was
configured on a connection going to a server, for example to match it
against what the server saw or to detect cases where a server would route on
SNI instead of Host.

Finally, some improvements on debugging tools were backported.

Thanks everyone for your help.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Christopher Faulet (14):
      MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function
      BUG/MEDIUM: server: Use sni as pool connection name for SSL server only
      BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
      BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections
      BUG/MEDIUM: resolvers: Properly cache do-resolv resolution
      BUG/MINOR: resolvers: Restore round-robin selection on records in DNS answers
      BUG/MEDIUM: resolvers: Test for empty tree when getting a record from DNS answer
      BUG/MEDIUM: resolvers: Make resolution owns its hostname_dn value
      BUG/MEDIUM: resolvers: Accept to create resolution without hostname
      BUG/MEDIUM: resolvers: Wake resolver task up whne unlinking a stream requester
      BUG/MINOR: pools: Fix the dump of pools info to deal with buffers limitations
      BUG/MINOR: compression: Test payload size only if content-length is specified
      BUG/MINOR: pattern: Properly flag virtual maps as using samples
      BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix

Olivier Houchard (6):
      BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt
      MINOR: mt_list: Implement MT_LIST_POP_LOCKED()
      BUG/MEDIUM: stick-tables: Make sure not to free a pending entry
      MEDIUM: servers: Schedule the server requeue target on creation
      MEDIUM: fwlc: Make it so fwlc_srv_reposition works with unqueued srv
      BUG/MEDIUM: fwlc: Handle memory allocation failures.

William Lallemand (9):
      BUG/MINOR: acme/cli: wrong description for "acme challenge_ready"
      BUILD: halog: misleading indentation in halog.c
      CI: github: build halog on the vtest job
      BUG/MINOR: acme: don't unlink from acme_ctx_destroy()
      BUG/MEDIUM: acme: cfg_postsection_acme() don't init correctly acme sections
      BUG/MEDIUM: acme: free() of i2d_X509_REQ() with AWS-LC
      BUG/MINOR: acme: possible overflow on scheduling computation
      BUG/MINOR: acme: possible overflow in acme_will_expire()
      BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file

Willy Tarreau (26):
      MINOR: stick-tables: limit the number of visited nodes during expiration
      OPTIM: stick-tables: exit expiry faster when the update lock is held
      MINOR: debug: report the process id in warnings and panics
      DEBUG: stream: count the number of passes in the connect loop
      MINOR: debug: report the number of loops and ctxsw for each thread
      MINOR: debug: report the time since last wakeup and call
      DEBUG: peers: export functions that use locks
      MINOR: stick-table: permit stksess_new() to temporarily allocate more entries
      MEDIUM: stick-tables: relax stktable_trash_oldest() to only purge what is needed
      MEDIUM: stick-tables: give up on lock contention in process_table_expire()
      MEDIUM: stick-tables: don't wait indefinitely in stktable_add_pend_updates()
      MEDIUM: peers: don't even try to process updates under contention
      MEDIUM: stick-table: move process_table_expire() to a single thread
      MEDIUM: peers: move process_peer_sync() to a single thread
      MINOR: activity: indicate the number of calls on "show tasks"
      MINOR: tools: don't emit "+0" for symbol names which exactly match known ones
      OPTIM: sink: reduce contention on sink_announce_dropped()
      MEDIUM: dns: bind the nameserver sockets to the initiating thread
      MEDIUM: resolvers: make the process_resolvers() task single-threaded
      MINOR: sched: let's permit to share the local ctx between threads
      MINOR: sched: pass the thread number to is_sched_alive()
      BUG/MEDIUM: wdt: improve stuck task detection accuracy
      MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
      BUG/MEDIUM: resolvers: break an infinite loop in resolv_get_ip_from_response()

zhanhb (2):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks
      BUG/MINOR: h3: forbid 'Z' as well in header field names checks

---
Christopher Faulet
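An added configuration example (written here for illustration, not part of the announcement nor of the HAProxy project's own material) showing one way to put the backported "ssl_bc_sni" sample fetch to the use described above: logging the SNI HAProxy presented to the server next to the Host header the client sent, so the two can be compared when a server is suspected of routing on SNI rather than Host. The section names, addresses, CA path and hostnames are placeholders.

```haproxy
# Added example, not from the 3.2.6 announcement. All names, addresses
# and paths are placeholders. Requires a version carrying ssl_bc_sni
# (backported in 3.2.6).
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    bind :8080
    # Keep the client's Host header so it can be referenced at log time.
    capture request header Host len 64
    # Log the client-supplied Host next to the SNI used on the server-side
    # connection. ssl_bc_sni is evaluated when the log line is emitted, once
    # the backend connection is known.
    log-format "%ci:%cp [%tr] %ft %b/%s %ST host=%[capture.req.hdr(0)] bc_sni=%[ssl_bc_sni]"
    default_backend be_app

backend be_app
    # Surface the backend SNI on the response for ad-hoc debugging
    # (drop this before going to production).
    http-response set-header X-Backend-SNI %[ssl_bc_sni]
    # A fixed SNI: "host=" and "bc_sni=" will differ in the log whenever the
    # client asked for another name. If the server then answers for the
    # wrong virtual host, it is routing on SNI instead of Host.
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/ssl/certs/ca.pem sni str(app.example.internal)
```

If the server is expected to receive the client's name as SNI instead, replace the `sni str(...)` argument with `sni req.hdr(host)`; the same log line then lets you confirm that both values match on every request.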

