Hi,

HAProxy 3.3.4 was released on 2026/02/19. It added 32 new commits
after version 3.3.3.

Thanks to Mike Walker, who found two issues on QUIC, both fixed.
First, a possible crash issue was identified when an HTTP tunnel is
established with QUIC on client side. It was fixed by reverting a commit
that was a bit too strict. Then, it was clear that the CONNECT never worked.
So it was disabled for now, waiting for time to fix it properly.

An issue was fixed with the connection establishment management to a QUIC
server. The test on the cached server ALPN was performed too late, which
could lead to a crash when a QUIC connection populated the server ALPN cache
while another was being established.

Then, HTTP multiplexers were fixed to disable the 0-copy data forwarding if
the stream is already closed (for h2/h3) or if the message is already
finished (h1). This way, errors can be properly handled on the usual sending
path. It is a theoretical issue that should not happen, except if there are
internal issues.

The wait-for-body HTTP action was fixed to properly handle client aborts
when waiting for the response payload and when the "abort-on-close" option
is set. The action is now interrupted as expected instead of triggering an
internal error.

Several issues were fixed on SSL. A possible use-after-free on cached TLS
session on server side. A lock was missing to protect the session release on
handshake error. Note that while this fix remains valid, this part requires
a deeper review, so it will not be backported immediately to lower versions.
But this bug has been here for a while and was never triggered, so there is
no emergency. Several issues with "ssl-f-use" directive parsing were fixed: a
double free and a memory leak on error paths, too light reporting of parsing
errors and an issue when no "crt" keyword was used.

David Carlier fixed several minor issues on the Device Atlas addon. He also
fixed a memory leak in the ACME code if we failed to set the issuer name when
generating a temporary expired X509 certificate.

The rest is the usual bunch of doc improvements, small internal fixes
and cleanups here and there. A fix about applets was pushed but it only
concerns 3.2 and lower.

Everyone running QUIC on client side should consider upgrading to this
version.

Thanks everyone for your help.

Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.3/src/
Git repository : https://git.haproxy.org/git/haproxy-3.3.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Amaury Denoyelle (3):
      BUG/MAJOR: Revert "MEDIUM: mux-quic: add BUG_ON if sending on locally closed QCS"
      BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented
      BUG/MINOR: backend: check delay MUX before conn_prepare()

Christopher Faulet (8):
      BUG/MEDIUM: mux-h2/quic: Stop sending via fast-forward if stream is closed
      BUG/MEDIUM: mux-h1: Stop sending vi fast-forward for unexpected states
      BUG/MEDIUM: applet: Fix test on shut flags for legacy applets (v2)
      DEV: term-events: Fix hanshake events decoding
      BUG/MINOR: flt-trace: Properly compute length of the first DATA block
      CLEANUP: compression: Remove unused static buffers
      BUG/MINOR: http-ana: Stop to wait for body on client error/abort
      MINOR: stconn: Add missing SC_FL_NO_FASTFWD flag in sc_show_flags

David Carlier (10):
      BUG/MINOR: deviceatlas: add missing return on error in config parsers
      BUG/MINOR: deviceatlas: add NULL checks on strdup() results in config parsers
      BUG/MEDIUM: deviceatlas: fix resource leaks on init error paths
      BUG/MINOR: deviceatlas: fix off-by-one in da_haproxy_conv()
      BUG/MINOR: deviceatlas: fix cookie vlen using wrong length after extraction
      BUG/MINOR: deviceatlas: fix double-checked locking race in checkinst
      BUG/MINOR: deviceatlas: fix resource leak on hot-reload compile failure
      BUG/MINOR: deviceatlas: fix deinit to only finalize when initialized
      BUG/MINOR: deviceatlas: set cache_size on hot-reloaded atlas instance
      BUG/MINOR: acme: fix X509_NAME leak when X509_set_issuer_name() fails

Egor Shestakov (1):
      CLEANUP: mux-h1: Remove unneeded null check

Frederic Lecaille (1):
      BUG/MEDIUM: ssl: SSL backend sessions used after free

William Lallemand (8):
      DOC: internals: addd mworker V3 internals
      BUG/MINOR: ssl: lack crtlist_dup_ssl_conf() declaration
      BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser
      BUG/MINOR: ssl: fix leak in ssl-f-use parser upon error
      BUG/MINOR: ssl: clarify ssl-f-use errors in post-section parsing
      BUG/MINOR: ssl: error with ssl-f-use when no "crt"
      CI: vtest: move the vtest2 URL to vinyl-cache.org
      CI: github: disable windows.yml by default on unofficials repo

Willy Tarreau (1):
      DOC: proxy-proto: underline the packed attribute for struct pp2_tlv_ssl

--
Christopher Faulet