Hi,

HAProxy 3.2.15 was released on 2026/03/19. It added 42 new commits after version 3.2.14. The most notable changes are in the HTTP/3 and HTTP/2 parsers, mixed with a series of less important ones in the rest of the code.
HTTP/3 is responsible for checking that the received payload size equals the content-length header when one is advertised. This prevents any risk of desynchronization with the backend side, which could be exploited for request smuggling. This check was already performed most of the time, but it was missing when the stream was closed with an empty STREAM frame. This major flaw was reported by Martino Spagnuolo. Thanks to him, a proper fix has been integrated, and the necessary check is now also performed when parsing empty frames. A CVE will be requested soon.

Another issue in the HTTP/3 parser was the handling of unaligned non-DATA frames, which resulted in undefined behavior. In practice, this condition currently never happens in a real-world scenario. As such, the safest solution is implemented for now: the connection is immediately closed and the glitch counter incremented.

The HTTP/2 and HTTP/3 parsers are also improved together to ensure that any partial headers or trailers are properly removed from the HTX message on error. Also, the accounting for the maximum number of trailers was not correct.

An interoperability issue has been found in the HTTP/2 multiplexer. The handling of GOAWAY and WINDOW_UPDATE is corrected to properly ignore the R bit when reading the stream ID, as specified by the standard. This could have caused haproxy to ignore a received GOAWAY frame and continue to open new streams. This issue was reported by Haruto Kimura and fixed thanks to him.

The parser for the peers protocol is strengthened. The received key type is now always checked for conformity to prevent any risk of crash. In practice, as the peers protocol is only used in trusted networks, the risk remains very low though. Thanks again to Haruto Kimura for having also found this one.

Several minor fixes are related to the master process and the reload operation.
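As an added illustration of the HTTP/3 body-length check described above (example code written for this announcement, not HAProxy's h3 parser; the struct and function names are invented for the purpose), the following C model accounts body bytes per STREAM frame and applies the content-length comparison whenever FIN is seen, including on an empty frame, which is the case that was previously skipped:

```c
/* Added example (not HAProxy code): a minimal model of the HTTP/3 request-body
 * length check. All names are invented for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum h3_body_status {
    H3_BODY_OK = 0,     /* consistent so far, or complete on FIN */
    H3_BODY_TOO_LARGE,  /* more body bytes than content-length announced */
    H3_BODY_TRUNCATED   /* FIN seen before content-length bytes arrived */
};

struct h3_body_state {
    int64_t  content_length; /* -1 when no content-length header was advertised */
    uint64_t received;       /* body bytes decoded from DATA frames so far */
};

void h3_body_init(struct h3_body_state *st, int64_t content_length)
{
    st->content_length = content_length;
    st->received = 0;
}

/* Account for body_len bytes of DATA payload carried by one STREAM frame and,
 * when that frame carries FIN, verify the announced length was reached. The
 * FIN check deliberately runs even when body_len == 0: an empty STREAM frame
 * with FIN is a legitimate way to close the stream, and skipping the check
 * there is exactly the gap closed in 3.2.15. */
enum h3_body_status h3_body_on_frame(struct h3_body_state *st, uint64_t body_len, int fin)
{
    st->received += body_len;

    if (st->content_length >= 0 && st->received > (uint64_t)st->content_length)
        return H3_BODY_TOO_LARGE;

    if (fin && st->content_length >= 0 && st->received != (uint64_t)st->content_length)
        return H3_BODY_TRUNCATED;

    return H3_BODY_OK;
}

/* Replay a sequence of frames; the last one carries FIN. Stops at the first error. */
static enum h3_body_status replay(int64_t content_length, const uint64_t *lens, size_t n)
{
    struct h3_body_state st;
    enum h3_body_status rc = H3_BODY_OK;
    size_t i;

    h3_body_init(&st, content_length);
    for (i = 0; i < n && rc == H3_BODY_OK; i++)
        rc = h3_body_on_frame(&st, lens[i], i + 1 == n);
    return rc;
}

/* The reported case: content-length: 10, only 5 body bytes, then an empty
 * STREAM frame closing the stream. Must be rejected, otherwise the backend is
 * left waiting for the missing bytes and loses framing with the next request. */
enum h3_body_status scenario_short_body_empty_fin(void)
{
    const uint64_t lens[] = { 5, 0 };
    return replay(10, lens, 2);
}

/* Same shape but the body is complete: the empty FIN frame is fine. */
enum h3_body_status scenario_exact_body_empty_fin(void)
{
    const uint64_t lens[] = { 4, 6, 0 };
    return replay(10, lens, 3);
}

/* More bytes than announced: rejected as soon as the excess arrives. */
enum h3_body_status scenario_oversized_body(void)
{
    const uint64_t lens[] = { 8, 8 };
    return replay(10, lens, 2);
}

/* No content-length at all: the body simply ends where the stream ends. */
enum h3_body_status scenario_no_content_length(void)
{
    const uint64_t lens[] = { 5, 0 };
    return replay(-1, lens, 2);
}

int main(void)
{
    printf("short body + empty FIN : %d (TRUNCATED is %d)\n", scenario_short_body_empty_fin(), H3_BODY_TRUNCATED);
    printf("exact body + empty FIN : %d (OK is %d)\n", scenario_exact_body_empty_fin(), H3_BODY_OK);
    printf("oversized body         : %d (TOO_LARGE is %d)\n", scenario_oversized_body(), H3_BODY_TOO_LARGE);
    printf("no content-length      : %d (OK is %d)\n", scenario_no_content_length(), H3_BODY_OK);
    return 0;
}
```

The point of the model is where the comparison lives: it is keyed on the FIN flag, not on the presence of payload, so a zero-length closing frame cannot bypass it.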
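For the HTTP/2 interoperability fix described above, here is an added example (not HAProxy's mux-h2 code; the function names are invented) of parsing GOAWAY and WINDOW_UPDATE payloads with the reserved R bit masked off, as RFC 9113 requires of receivers. The two sample payloads are constructed for the demonstration and have the R bit deliberately set so the difference between the raw 32-bit word and the masked 31-bit value is visible:

```c
/* Added example (not HAProxy code): reading the 31-bit fields of GOAWAY and
 * WINDOW_UPDATE while ignoring the reserved high bit (RFC 9113 §6.8 and §6.9). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define H2_R_BIT_MASK 0x7fffffffU   /* clears the reserved bit of a 32-bit field */

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* GOAWAY payload: R(1) + Last-Stream-ID(31), Error Code(32), optional debug data.
 * Returns 0 on success, -1 if the payload is too short. */
int h2_parse_goaway(const uint8_t *p, size_t len, uint32_t *last_sid, uint32_t *err_code)
{
    if (len < 8)
        return -1;
    *last_sid = rd32be(p) & H2_R_BIT_MASK;   /* receivers MUST ignore R */
    *err_code = rd32be(p + 4);
    return 0;
}

/* WINDOW_UPDATE payload: R(1) + Window Size Increment(31). Returns -1 on a bad
 * length, -2 on a zero increment (a PROTOCOL_ERROR per the RFC), 0 otherwise. */
int h2_parse_window_update(const uint8_t *p, size_t len, uint32_t *incr)
{
    if (len != 4)
        return -1;
    *incr = rd32be(p) & H2_R_BIT_MASK;
    if (*incr == 0)
        return -2;
    return 0;
}

/* Once a GOAWAY with last_sid has been received, no new stream with a higher
 * ID may be initiated on that connection; lower IDs are already in flight. */
int h2_client_may_open_stream(uint32_t next_sid, int goaway_received, uint32_t last_sid)
{
    return !goaway_received || next_sid <= last_sid;
}

/* Constructed sample payloads (not captured traffic), both with R set. */
static const uint8_t SAMPLE_GOAWAY[8]        = { 0x80, 0x00, 0x00, 0x0b,   /* R=1, last stream 11 */
                                                 0x00, 0x00, 0x00, 0x00 }; /* NO_ERROR */
static const uint8_t SAMPLE_WINDOW_UPDATE[4] = { 0x80, 0x00, 0x10, 0x00 }; /* R=1, increment 4096 */

/* What a parser that forgets the mask would see: 0x8000000b, not a valid stream ID. */
uint32_t demo_goaway_raw_word(void)
{
    return rd32be(SAMPLE_GOAWAY);
}

uint32_t demo_goaway_last_stream_id(void)
{
    uint32_t sid = 0, err = 0;
    if (h2_parse_goaway(SAMPLE_GOAWAY, sizeof(SAMPLE_GOAWAY), &sid, &err) != 0)
        return UINT32_MAX;
    return sid;
}

uint32_t demo_window_update_increment(void)
{
    uint32_t incr = 0;
    if (h2_parse_window_update(SAMPLE_WINDOW_UPDATE, sizeof(SAMPLE_WINDOW_UPDATE), &incr) != 0)
        return UINT32_MAX;
    return incr;
}

int main(void)
{
    uint32_t last = demo_goaway_last_stream_id();

    printf("GOAWAY raw word        : 0x%08x\n", demo_goaway_raw_word());
    printf("GOAWAY last stream id  : %u\n", last);
    printf("WINDOW_UPDATE increment: %u\n", demo_window_update_increment());
    printf("may open stream 13     : %d\n", h2_client_may_open_stream(13, 1, last));
    printf("may open stream 9      : %d\n", h2_client_may_open_stream(9, 1, last));
    return 0;
}
```

With the mask applied the sample GOAWAY yields last stream ID 11 and stream 13 is correctly refused; without it the same bytes read as 0x8000000b, a value no real stream can have, which is how a stray R bit can make a GOAWAY look nonsensical instead of being honoured.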
The most important one is the correction of a file-descriptor leak present since 3.1, which can occur during the transfer of FDs via sockpair from a worker process to the master. The output of the "show proc" command has also been fixed, as some entries could have been missing.

SPOE filter processing is now properly interrupted if a client abort occurred due to the abortonclose option.

Coredump loading is a procedure frequently performed by developers when debugging a crash. This is now easier with a utility to automatically find the post-mortem section in the coredump. It is also possible to include all loaded libraries in the dump itself with the option "set-dumpable libs". This should only be activated on developer request.

Thanks to everyone who contributed to this release,

#############################################################################################
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Alexander Stephan (2):
      MINOR: mworker/cli: extract worker "show proc" row printer
      BUG/MINOR: mworker/cli: fix show proc pagination losing entries on resume

Amaury Denoyelle (2):
      BUG/MAJOR: h3: check body size with content-length on empty FIN
      BUG/MEDIUM: h3: reject unaligned frames except DATA

Christopher Faulet (9):
      BUG/MINOR: spoe: Properly switch SPOE filter to WAITING_ACK state
      BUG/MEDIUM: spoe: Properly abort processing on client abort
      BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX message
      MINOR: htx: Add function to truncate all blocks after a specific block
      BUG/MINOR: h2/h3: Never insert partial headers/trailers in an HTX message
      BUG/MINOR: http-ana: Swap L7 buffer with request buffer by hand
      BUG/MINOR: stream: Fix crash in stream dump if the current rule has no keyword
      BUG/MINOR: spoe: Fix condition to abort processing on client abort
      BUILD: spoe: Remove unsused variable

Egor Shestakov (1):
      DOC/CLEANUP: config: update mentions of the old "Global parameters" section

Mia Kanashi (1):
      BUG/MINOR: jws: fix memory leak in jws_b64_signature

Tim Duesterhus (1):
      BUG/MINOR: tcpcheck: Fix typo in error error message for `http-check expect`

Tom Braarup (1):
      DOC: configuration: http-check expect example typo

William Lallemand (10):
      BUG/MINOR: mworker: don't set the PROC_O_LEAVING flag on master process
      BUG/MINOR: mworker: always stop the receiving listener
      BUG/MINOR: mworker: only match worker processes when looking for unspawned proc
      BUG/MINOR: mworker: fix typo &= instead of & in proc list serialization
      BUG/MINOR: mworker: set a timeout on the worker socketpair read at startup
      BUG/MINOR: mworker: avoid passing NULL version in proc list serialization
      BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS
      BUG/MINOR: mjson: make mystrtod() length-aware to prevent out-of-bounds reads
      BUG/MINOR: mworker: don't try to access an initializing process
      CI: github: treat vX.Y.Z release tags as stable like haproxy-* branches

Willy Tarreau (15):
      BUG/MINOR: memprof: avoid a small memory leak in "show profiling"
      MINOR: tools: extend the pointer hashing code to ease manipulations
      MINOR: memprof: attempt different retry slots for different hashes on collision
      BUG/MINOR: proxy: do not forget to validate quic-initial rules
      DEV: gdb: add a utility to find the post-mortem address from a core
      MINOR: tools: add a function to create a tar file header
      MINOR: tools: add a function to load a file into a tar archive
      MINOR: config: support explicit "on" and "off" for "set-dumpable"
      MINOR: debug: read all libs in memory when set-dumpable=libs
      DEV: gdb: add a new utility to extract libs from a core dump: libs-from-core
      MINOR: debug: copy debug symbols from /usr/lib/debug when present
      MINOR: debug: opportunistically load libthread_db.so.1 with set-dumpable=libs
      BUG/MEDIUM: peers: enforce check on incoming table key type
      BUG/MINOR: mux-h2: properly ignore R bit in GOAWAY stream ID
      BUG/MINOR: mux-h2: properly ignore R bit in WINDOW_UPDATE increments

---
-- 
Amaury Denoyelle

