Hi,

HAProxy 3.2.14 was released on 2026/03/09. It added 19 new commits
after version 3.2.13.

- H2/HPACK: the varint decoder would accept integers larger than 32-bit
  but would keep the value as valid, though the spec mandates that an
  error should be reported in this case. The only effect would be that
  haproxy could decode a stream of bytes that an observer on the wire
  (e.g. wireshark) could fail to parse. It will now properly return an
  error.
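For readers who want to see what the fix means in practice, here is an added example (not HAProxy's code, and not from the announcement) of an HPACK integer decoder as described in RFC 7541 section 5.1 that refuses values which do not fit in 32 bits instead of silently keeping them. The function names and the hex-string wrapper are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode an HPACK integer (RFC 7541 section 5.1) whose first byte carries
 * an n-bit prefix. Returns the number of input bytes consumed, or -1 when
 * the input is truncated, when a continuation byte would push the value
 * beyond 32 bits, or when a sixth 7-bit group appears (it can never fit).
 */
int hpack_decode_int(const uint8_t *buf, size_t len, int n, uint32_t *out)
{
    uint32_t prefix_max, value;
    size_t pos;
    int shift;

    if (n < 1 || n > 8 || len == 0)
        return -1;

    prefix_max = (1u << n) - 1;
    value = buf[0] & prefix_max;
    if (value < prefix_max) {
        *out = value;
        return 1;
    }

    /* Prefix is saturated: the remainder follows as 7-bit groups, least
     * significant first, with the high bit marking continuation. */
    pos = 1;
    shift = 0;
    for (;;) {
        uint8_t b;
        uint64_t add;

        if (pos >= len)
            return -1;                     /* truncated on the wire */
        b = buf[pos++];

        /* Groups at shift 0, 7, 14, 21 and 28 can contribute to a 32-bit
         * value; a group at shift 35 is an error even if its bits are 0. */
        if (shift > 28)
            return -1;
        add = (uint64_t)(b & 0x7f) << shift;
        if ((uint64_t)value + add > UINT32_MAX)
            return -1;                     /* would exceed 2^32 - 1 */
        value += (uint32_t)add;

        if (!(b & 0x80))
            break;
        shift += 7;
    }
    *out = value;
    return (int)pos;
}

/* Demonstration wrapper (not an HPACK API): decode from a hex string and
 * return the value, or -1 on any decoding error. */
long long hpack_int_from_hex(const char *hex, int n)
{
    uint8_t buf[16];
    size_t len = 0;
    uint32_t value;

    for (; hex[0] && hex[1] && len < sizeof(buf); hex += 2) {
        unsigned int byte;
        if (sscanf(hex, "%2x", &byte) != 1)
            return -1;
        buf[len++] = (uint8_t)byte;
    }
    if (hpack_decode_int(buf, len, n, &value) < 0)
        return -1;
    return value;
}

int main(void)
{
    /* Vectors from RFC 7541 appendix C.1, then constructed edge cases. */
    printf("%lld\n", hpack_int_from_hex("0a", 5));           /* 10 */
    printf("%lld\n", hpack_int_from_hex("1f9a0a", 5));       /* 1337 */
    printf("%lld\n", hpack_int_from_hex("ff80feffff0f", 8)); /* 4294967295 */
    printf("%lld\n", hpack_int_from_hex("ffffffffff0f", 8)); /* -1: overflow */
    return 0;
}
```

The overflow check is done before the addition, in 64-bit arithmetic, so a crafted sequence of five saturated continuation bytes is reported as an error rather than wrapping into a small, plausible-looking value.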

- H2: glitches were not counted for invalid trailers, making it harder to
  stop floods involving them. "tune.h2.log-errors" was backported. It
  makes it possible to disable emission of logs for H2 errors that result
  in aborting the requests or the connection, and save precious CPU cycles
  (and disk space) under flood attacks. Last, some pending errors were not
  immediately reported to the stream if they happened before the stream
  was instantiated, resulting in the stream being created and waiting for
  a timeout before failing.

- H3/QPACK: a crash can be caused by an out-of-bounds read if a malformed
  HPACK instruction is passed to the huffman decoder. A CVE was requested
  for this one. The same issue with varints as with the HPACK decoder
  above was also addressed (except that it's 64-bit in QPACK).

- H1: while the request was properly tested, a test was missing on the
  response to ensure that the version starts with "HTTP/". There's
  normally no impact on this since users who could rely on such a thing
  are expected to already use "accept-unsafe-violations-in-http-response".

- prometheus: the iterator wasn't robust against dynamic server deletion,
  possibly resulting in crashes if the exporter had to stop on a server
  that was deleted before the exporter could resume sending.

- streams: an internal task message (TASK_WOKEN_RES) was not properly
  converted to a stream event (STRM_EVT_RES) so that if a request got
  dequeued at the same moment a timeout triggered, the stream would
  stay blocked till the queue timeout expiration.

- resolvers: domain name conversion to lowercase in responses was
  performed on the whole string, hence on the length delimiters as well.
  For very long names (65 to 90 chars per component) this would result in
  artificially inflating the name and possibly even crash the process in
  some cases.
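As an added illustration of the resolver point above (this is not HAProxy's resolver code, and the function names are assumptions), here is a lowercase routine that walks the RFC 1035 wire format of a name and touches only label bytes, leaving every length octet alone, while rejecting names whose length octets are out of range or run past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Walk a wire-format DNS name (RFC 1035 section 3.1): a sequence of
 * <length octet><label bytes> ending with a zero octet or a 2-byte
 * compression pointer (top two bits set). Lowercase only the label bytes,
 * never the length octets. Returns the number of bytes the name occupies,
 * or -1 if it is malformed: a length octet with the reserved 01/10 prefix
 * (which also covers anything above 63), or a name that runs past the end
 * of the buffer. */
int dns_name_tolower(uint8_t *buf, size_t len)
{
    size_t pos = 0;

    while (pos < len) {
        uint8_t l = buf[pos];

        if (l == 0)
            return (int)(pos + 1);               /* root label: end of name */
        if ((l & 0xC0) == 0xC0)                  /* compression pointer */
            return pos + 2 <= len ? (int)(pos + 2) : -1;
        if (l & 0xC0)
            return -1;                           /* reserved prefix bits */
        /* here 1 <= l <= 63, the only legal label lengths */
        if (pos + 1 + l > len)
            return -1;                           /* label runs past buffer */
        for (size_t i = pos + 1; i < pos + 1 + l; i++)
            if (buf[i] >= 'A' && buf[i] <= 'Z')
                buf[i] += 'a' - 'A';
        pos += 1 + l;
    }
    return -1;                                   /* no terminator seen */
}

/* Demonstration helper: copy the wire name, lowercase the copy, and render
 * it as dotted text from a static buffer (a compression pointer is shown
 * as "*"). Returns NULL if dns_name_tolower() rejected the name. */
const char *dns_name_lower_text(const uint8_t *wire, size_t len)
{
    static char text[512];
    uint8_t copy[256];
    size_t pos = 0, out = 0;

    if (len > sizeof(copy))
        return NULL;
    memcpy(copy, wire, len);
    if (dns_name_tolower(copy, len) < 0)
        return NULL;

    /* the structure was validated above, so this walk cannot overrun */
    for (;;) {
        uint8_t l = copy[pos];
        if (l == 0)
            break;
        if ((l & 0xC0) == 0xC0) {
            text[out++] = '*';
            break;
        }
        if (out)
            text[out++] = '.';
        memcpy(text + out, copy + pos + 1, l);
        out += l;
        pos += 1 + l;
    }
    text[out] = '\0';
    return text;
}

int main(void)
{
    /* constructed sample: "WWW.Example.COM" in wire form */
    const uint8_t name[] = {3, 'W', 'W', 'W', 7, 'E', 'x', 'a', 'm', 'p', 'l', 'e',
                            3, 'C', 'O', 'M', 0};
    printf("%s\n", dns_name_lower_text(name, sizeof(name)));  /* www.example.com */
    return 0;
}
```

Because the loop advances by the length octet it just read, a length byte that happens to fall in the ASCII uppercase range (65 to 90) is rejected as out of range rather than being "lowercased" into a larger length that would inflate the name.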

- FastCGI: a crash might be triggered by a non-compliant server sending
  records with malformed names/values. In addition, a theoretically
  possible case of crash was addressed in the fcgi_send() function where a
  stream might possibly remove itself from a list that is being scanned,
  though we're not sure how this could be triggered.
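To make the FastCGI param point concrete, here is an added example (not HAProxy's mux-fcgi code; the struct and function names are assumptions) of decoding one FCGI_PARAMS name/value pair with the declared sizes checked against the bytes actually present before any payload is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fcgi_param {
    const uint8_t *name;
    uint32_t name_len;
    const uint8_t *value;
    uint32_t value_len;
};

/* Read one FastCGI name/value length field (spec section 3.4): a single
 * byte when the high bit is clear, otherwise four bytes big-endian with
 * the high bit masked off. Returns bytes consumed, or -1 if truncated. */
static int fcgi_read_len(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len < 1)
        return -1;
    if (!(buf[0] & 0x80)) {
        *out = buf[0];
        return 1;
    }
    if (len < 4)
        return -1;
    *out = ((uint32_t)(buf[0] & 0x7f) << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8) | buf[3];
    return 4;
}

/* Decode one name/value pair from a FCGI_PARAMS payload. Both declared
 * sizes are validated against the remaining bytes before the payload is
 * referenced; the sum is computed in 64 bits so the comparison itself
 * cannot wrap. Returns bytes consumed, or -1 if the pair is truncated or
 * claims more data than the buffer holds. */
int fcgi_decode_param(const uint8_t *buf, size_t len, struct fcgi_param *p)
{
    uint32_t nlen, vlen;
    size_t pos = 0;
    int n;

    n = fcgi_read_len(buf, len, &nlen);
    if (n < 0)
        return -1;
    pos += (size_t)n;
    n = fcgi_read_len(buf + pos, len - pos, &vlen);
    if (n < 0)
        return -1;
    pos += (size_t)n;

    if ((uint64_t)nlen + vlen > (uint64_t)(len - pos))
        return -1;                     /* declared sizes exceed the data */

    p->name = buf + pos;
    p->name_len = nlen;
    p->value = buf + pos + nlen;
    p->value_len = vlen;
    return (int)(pos + nlen + vlen);   /* a record body is at most 65535 bytes */
}

/* Demonstration helper: decode a pair and render it as "name=value" from
 * a static buffer, or return NULL if fcgi_decode_param() rejected it. */
const char *fcgi_param_describe(const uint8_t *buf, size_t len)
{
    static char text[512];
    struct fcgi_param p;

    if (fcgi_decode_param(buf, len, &p) < 0)
        return NULL;
    if ((size_t)p.name_len + p.value_len + 2 > sizeof(text))
        return NULL;
    memcpy(text, p.name, p.name_len);
    text[p.name_len] = '=';
    memcpy(text + p.name_len + 1, p.value, p.value_len);
    text[p.name_len + 1 + p.value_len] = '\0';
    return text;
}

int main(void)
{
    /* constructed sample: short-form lengths 11 and 10 followed by the data */
    const uint8_t rec[] = "\x0b\x0aSCRIPT_NAME/index.php";
    printf("%s\n", fcgi_param_describe(rec, sizeof(rec) - 1)); /* SCRIPT_NAME=/index.php */
    return 0;
}
```

The check that matters is the one on the sum of the two declared lengths: a server can put any value in those fields, and without comparing them to the bytes actually received, the decoder would read or copy past the end of the record.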

- a bit more debugging (currently running rule in stream dump, last rule
  also committed when a filter fails).

- minor stuff (missing check for allocation failure when calling
  EVP_Digest* in the sha2() converter, upgrade to websocket for dispatch/
  transparent).

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (1):
      BUG/MINOR: promex: fix server iteration when last server is deleted

Christopher Faulet (9):
      BUG/MEDIUM: stream: Handle TASK_WOKEN_RES as a stream event
      BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
      DEBUG: stream: Display the currently running rule in stream dump
      MINOR: filters: Set last_entity when a filter fails on stream_start callback
      BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
      BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
      BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending
      BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures
      BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server

Frederic Lecaille (3):
      BUG/MAJOR: qpack: unchecked length passed to huffman decoder
      BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()
      BUG/MEDIUM: qpack: correctly deal with too large decoded numbers

Willy Tarreau (6):
      MINOR: mux-h2: also count glitches on invalid trailers
      MINOR: mux-h2: add a new setting, "tune.h2.log-errors" to tweak error logging
      BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream
      BUG/MEDIUM: hpack: correctly deal with too large decoded numbers
      SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode
      SCRIPTS: git-show-backports: add a restart-from-last option

---