Hi,
HAProxy 2.6.26 was released on 2026/04/23. It added 25 new commits
after version 2.6.25.
This version brings a significant number of bug fixes, more than usual
in part thanks to reports from multiple AI-assisted scans that found
bugs in diverse places. A few of these bugs were ranked as major since
they may have stability or even security impacts depending on configs
and deployments:
- a severe issue was found in the compression library (slz) where
specially crafted patterns with tune.bufsize above 17408 or
tune.maxrewrite below 964 (both non-default) could cause output
buffer overflows, because the overhead exceeded the promised
worst-case growth bound of 5 bytes and could reach up to 1/16 of the
input contents. Given that the compression output is hardly
controllable, and that the canaries at the end of the pools will catch
this at release time, the risk of exploitation by a hostile server
is close to zero; however, it will cause repeated crashes if such a
crafted file is present on a server and regularly downloaded. A
workaround consists of keeping tune.maxrewrite at least 1/16 of
tune.bufsize, or simply not changing them, since the defaults are safe.
A CVE was requested two weeks ago for this one, I'll mention it when
it arrives.
- HTTP/2 incomplete transfer detection was missing for HEADERS frames
carrying END_STREAM. When relayed to an HTTP/1.1 server that
responds before the end of the transfer, this can result in bytes
of the next request over the same connection being ignored. Most of
the time it will cause the connection to be dropped due to an
unparsable request, but when combined with "http-reuse never", or
on totally idle servers, the client could expect the second request
to reuse the same connection and perform a content smuggling attack
that would allow an unverified request to be passed to a server. For
those who can't upgrade, a temporary workaround is to disable
HTTP/2 by specifying "alpn http/1.1" on bind lines and adding
"disable-h2-upgrade" in HTTP frontends. A CVE will be requested for
this one.
- HTTP/1.1 bodyless messages announcing a non-null Content-Length did
not force close mode on the backend, potentially causing
desynchronisation between HAProxy and the server in conjunction
with other bugs.
- FCGI record length truncation with large bufsize (>=65544) could
enable request smuggling into PHP-FPM, since the 16-bit
content_length field was silently truncated to 65535 bytes.
- an unvalidated SNI name_len field in ClientHello could cause OOB
heap reads of up to 65KB via XXH3, smp_dup(), and log-format leaks
on any TCP frontend using req.ssl_sni, possibly causing crashes when
used.
- ECDSA JWT signatures with ES256/384/512 could cause a heap overflow
of ~14 bytes in the DER conversion before verification.
- Lua's httpclient headers conversion accepted more than 101 headers
without bounds checking, causing a stack buffer overflow reachable
from any Lua action/task/service.
- peers dictionary cache updates accepted an unvalidated entry id as
array index, allowing OOB heap writes at attacker-controlled
offsets.
- Lua had a use-after-free of HTTP reason strings managed by Lua's GC
between set_status() and start_response(), potentially leaking
adjacent information from memory.
- the regsub sample function could leak ~9-50KB of stale heap data
when back-reference expansion overflowed the output buffer.
- SPOE decode_varint() had no iteration cap, allowing pointer
arithmetic to wrap and dereference memory ~64KB before the
allocation, causing SIGSEGV or parser confusion.
- in sample expressions, less common HTTP methods (PATCH etc.) are
represented by both an enum and a string. The string part was not
handled correctly in sample duplication functions, resulting in
their contents appearing empty when trying to fetch the method.
- QPACK varint decoding is now also limited to 62 bits, and had a risk
of 1-byte OOB reads on truncated streams, which could cause
incorrect header decoding.
- config: a few argument parsing errors in conditional expressions
used in ".if" could be misreported and even cause a crash during
parsing. Also, a few keywords relying on warnif_misplaced_*
didn't check the return value and didn't count emitted warnings as
warnings.
- the accept() error messages for ENFILE and ENOMEM now print actconn
instead of global.maxsock which doesn't reflect system limits.
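For deployments that cannot upgrade right away, here is an added example (not from this announcement nor from the HAProxy sources) that checks an haproxy.cfg for the two temporary workarounds described above: tune.maxrewrite at least 1/16 of tune.bufsize, and "alpn http/1.1" on bind lines plus "option disable-h2-upgrade" in HTTP frontends. The sample config is constructed, the 16384/1024 fallback values are assumed to be HAProxy's compiled-in defaults, and the parsing is deliberately minimal.

```python
# Assumed compiled-in defaults; the announcement says these are safe.
DEFAULT_BUFSIZE, DEFAULT_MAXREWRITE = 16384, 1024

# Constructed sample config: bad slz tuning, one fixed and one unfixed frontend.
SAMPLE_CFG = """
global
    tune.bufsize 32768
    tune.maxrewrite 1024       # only 1/32 of bufsize: below the 1/16 rule
frontend fe_fixed
    bind :443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    option disable-h2-upgrade
frontend fe_unfixed
    bind :8443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
"""

def clean_lines(cfg):
    """Yield each non-empty config line as a token list, '#' comments stripped."""
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            yield words

def tunables(cfg):
    """Return (tune.bufsize, tune.maxrewrite), falling back to the defaults."""
    vals = {"tune.bufsize": DEFAULT_BUFSIZE, "tune.maxrewrite": DEFAULT_MAXREWRITE}
    for words in clean_lines(cfg):
        if words[0] in vals and len(words) > 1:
            vals[words[0]] = int(words[1])
    return vals["tune.bufsize"], vals["tune.maxrewrite"]

def slz_workaround_ok(bufsize, maxrewrite):
    """The announcement's rule: keep tune.maxrewrite at least 1/16 of tune.bufsize."""
    return maxrewrite * 16 >= bufsize

def h2_workaround_frontends(cfg):
    """Per frontend/listen: True when every bind carries exactly 'alpn http/1.1'
    and 'option disable-h2-upgrade' is set, i.e. the announced H2 workaround."""
    ok, name = {}, None
    for words in clean_lines(cfg):
        if words[0] in ("frontend", "listen") and len(words) > 1:
            name = words[1]
            ok[name] = [None, False]   # [all binds http/1.1-only, upgrade disabled]
        elif words[0] in ("global", "defaults", "backend", "peers", "resolvers"):
            name = None                # sections without bind lines are skipped
        elif name and words[0] == "bind":
            # token after 'alpn' must be just http/1.1; 'h2,http/1.1' still offers h2
            nxt = [w for a, w in zip(words, words[1:]) if a == "alpn"]
            ok[name][0] = ok[name][0] is not False and nxt == ["http/1.1"]
        elif name and words[:2] == ["option", "disable-h2-upgrade"]:
            ok[name][1] = True
    return {n: bool(alpn_only) and no_upgrade for n, (alpn_only, no_upgrade) in ok.items()}
```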
The rest is a few doc and CI updates.
While I usually suggest updating only if needed, here I would say that
the number of areas covered by fixes is too broad to precisely know if
some affect your usage or not, so please just update your version.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.6/src/
Git repository : https://git.haproxy.org/git/haproxy-2.6.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
Changelog : https://www.haproxy.org/download/2.6/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Christopher Faulet (5):
DOC: config: Add missing 'status-code' param for 'http-check expect' directive
DOC: config: Reorder params for 'tcp-check expect' directive
BUG/MINOR: config: Properly test warnif_misplaced_* return values
BUG/MEDIUM: samples: Fix handling of SMP_T_METH samples
BUG/MEDIUM: mux-h1: Force close mode for bodyless message announcing a C-L
Egor Shestakov (1):
BUG/MINOR: sock: adjust accept() error messages for ENFILE and ENOMEM
Frederic Lecaille (1):
BUG/MINOR: qpack: fix 62-bit overflow and 1-byte OOB reads in decoding
Greg Kroah-Hartman (9):
BUG/MEDIUM: payload: validate SNI name_len in req.ssl_sni
BUG/MEDIUM: jwt: fix heap overflow in ECDSA signature DER conversion
BUG: hlua: fix stack overflow in httpclient headers conversion
BUG/MINOR: hlua: fix stack overflow in httpclient headers conversion
BUG/MINOR: peers: fix OOB heap write in dictionary cache update
BUG/MINOR: spoe: fix pointer arithmetic overflow in spoe_decode_buffer()
BUG/MINOR: sample: fix info leak in regsub when exp_replace fails
BUG/MEDIUM: mux-fcgi: prevent record-length truncation with large bufsize
BUG/MINOR: hlua: fix use-after-free of HTTP reason string
William Lallemand (3):
SCRIPTS: build-vtest: allow to set a TMPDIR and a DESTDIR
CI: VTest build with git clone + cache
CI: github: only enable OS X on development branches
Willy Tarreau (6):
SCRIPTS: git-show-backports: list new commits and how to review them with -L
BUG/MINOR: cfgcond: properly set the error pointer on evaluation error
BUG/MINOR: cfgcond: always set the error string on openssl_version checks
BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature"
BUG/MAJOR: slz: always make sure to limit fixed output to less than worst case literals
BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well
---