Hi,

HAProxy 2.4.32 was released on 2026/04/23. It added 26 new commits
after version 2.4.31.

This version brings a significant number of bug fixes, more than usual,
in part thanks to reports from multiple AI-assisted scans that found
bugs in diverse places. A few of these bugs were ranked as major since
they may have stability or even security impacts depending on configs
and deployments:

  - a severe issue was found in the compression library (slz) where
    specially crafted patterns with tune.bufsize above 17408 or
    tune.maxrewrite below 964 (both non-default) could cause output
    buffer overflows, because the overhead exceeded the promised
    worst-case growth bound of 5 bytes and could reach up to 1/16 of the
    input contents. Given that the compression output is hardly
    controllable, and that the canaries at the end of the pools will
    catch this at release time, the risk of exploitation by a hostile
    server is close to zero; however, it will cause repeated crashes if
    such a crafted file is present on a server and regularly downloaded.
    A workaround consists of keeping tune.maxrewrite at least 1/16 of
    tune.bufsize, or just not changing them, since the defaults are safe.
    A CVE was requested two weeks ago for this one; I'll mention it when
    it arrives.
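The workaround above is a simple ratio, so it can be checked before a reload. The following is an added example, not part of this announcement nor of HAProxy's own tooling: a small Python check that reads tune.bufsize and tune.maxrewrite from the global section of a configuration and reports whether tune.maxrewrite is at least 1/16 of tune.bufsize. The function names and the sample configuration are constructed for the example; the fallback values of 16384 and 1024 are HAProxy's documented defaults for the two tunables.

```python
from dataclasses import dataclass

# Constructed sample configuration (not from the announcement): tune.bufsize is
# raised well above its default while tune.maxrewrite keeps its default, so the
# 1/16 ratio the workaround relies on is no longer respected.
SAMPLE_CONFIG = """\
global
    log /dev/log local0
    tune.bufsize 32768
    tune.maxrewrite 1024    # default value, too small for this bufsize

defaults
    mode http
    timeout client 30s
"""

# HAProxy's defaults for the two tunables, used when the keyword is absent.
DEFAULT_BUFSIZE = 16384
DEFAULT_MAXREWRITE = 1024


@dataclass
class TuneCheck:
    bufsize: int
    maxrewrite: int
    required_maxrewrite: int  # ceil(bufsize / 16), the ratio the workaround keeps
    safe: bool


def parse_global_tunables(config_text):
    """Return (tune.bufsize, tune.maxrewrite) from the global section, with defaults."""
    bufsize, maxrewrite = DEFAULT_BUFSIZE, DEFAULT_MAXREWRITE
    in_global = False
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if not raw[0].isspace():
            # a keyword at column 0 starts a new section; only 'global' interests us
            in_global = line.split()[0] == 'global'
            continue
        if not in_global:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] == 'tune.bufsize':
            bufsize = int(parts[1])
        elif len(parts) == 2 and parts[0] == 'tune.maxrewrite':
            maxrewrite = int(parts[1])
    return bufsize, maxrewrite


def check_slz_workaround(config_text):
    """Apply the announcement's rule: tune.maxrewrite must be at least 1/16 of tune.bufsize."""
    bufsize, maxrewrite = parse_global_tunables(config_text)
    required = -(-bufsize // 16)  # ceiling division
    return TuneCheck(bufsize, maxrewrite, required, maxrewrite >= required)


def describe(check):
    """One-line verdict suitable for a pre-reload config lint."""
    if check.safe:
        return (f"OK: tune.maxrewrite={check.maxrewrite} >= {check.required_maxrewrite} "
                f"(tune.bufsize={check.bufsize} / 16)")
    return (f"WARN: tune.maxrewrite={check.maxrewrite} < {check.required_maxrewrite} "
            f"(tune.bufsize={check.bufsize} / 16); raise it or upgrade to 2.4.32")


if __name__ == '__main__':
    print(describe(check_slz_workaround(SAMPLE_CONFIG)))
```

The parser only looks at the global section and only at these two keywords; a configuration that never sets them is reported as safe, which matches the remark above that the defaults are fine.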

  - HTTP/2 incomplete transfer detection was missing for HEADERS frames
    carrying END_STREAM. When relayed to an HTTP/1.1 server that
    responds before the end of the transfer, this can result in bytes
    of the next request over the same connection being ignored. Most of
    the time it will cause the connection to be dropped due to an
    unparsable request, but when combined with "http-reuse never", or
    on totally idle servers, the client could expect the second request
    to reuse the same connection and perform a content smuggling attack
    that would allow an unverified request to be passed to a server. For
    those who can't upgrade, a temporary workaround is to disable
    HTTP/2 by specifying "alpn http/1.1" on bind lines and adding
    "disable-h2-upgrade" in HTTP frontends. A CVE will be requested for
    this one.

  - FCGI record length truncation with a large bufsize (>=65544) could
    enable request smuggling into PHP-FPM, since the 16-bit
    content_length field was silently truncated to 65535 bytes.
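The FastCGI record header is 8 bytes with a 16-bit contentLength, which is why the threshold above is 65536 + 8. What keeps the declared length and the bytes actually sent in agreement is splitting the stream at the field's limit. As an added example (not HAProxy's code, which does this in C inside mux-fcgi), here is a Python sender-side framer that never declares more than 65535 content bytes per record, plus a strict receiver-side parser that refuses any record whose declared length runs past the data it was given. Function names are chosen for the example; the payload used in the usage note is constructed.

```python
import struct

FCGI_VERSION_1 = 1
FCGI_STDIN = 5
# version, type, requestId, contentLength, paddingLength, reserved: an 8-byte header
FCGI_HEADER = struct.Struct('>BBHHBx')
FCGI_MAX_CONTENT = 0xFFFF  # the 16-bit contentLength field cannot express more


def fcgi_records(rec_type, request_id, payload):
    """Frame a payload as a list of records, each carrying at most 65535 content bytes.

    Writing len(payload) straight into the 16-bit field would keep only its low
    bits while the full payload still went out; the receiver would then re-frame
    the remainder as new records. Splitting at the limit avoids that mismatch.
    """
    if not payload:
        # an empty record of a stream type marks the end of that stream
        return [FCGI_HEADER.pack(FCGI_VERSION_1, rec_type, request_id, 0, 0)]
    records = []
    for off in range(0, len(payload), FCGI_MAX_CONTENT):
        chunk = payload[off:off + FCGI_MAX_CONTENT]
        pad = (-len(chunk)) % 8  # the spec recommends 8-byte alignment of record bodies
        header = FCGI_HEADER.pack(FCGI_VERSION_1, rec_type, request_id, len(chunk), pad)
        records.append(header + chunk + b'\0' * pad)
    return records


def parse_records(data):
    """Strict receiver side: return [(type, request_id, content)] or raise on bad framing."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < FCGI_HEADER.size:
            raise ValueError(f"truncated record header at offset {pos}")
        version, rec_type, request_id, clen, plen = FCGI_HEADER.unpack_from(data, pos)
        if version != FCGI_VERSION_1:
            raise ValueError(f"unsupported FastCGI version {version} at offset {pos}")
        body_start = pos + FCGI_HEADER.size
        body_end = body_start + clen + plen
        if body_end > len(data):
            raise ValueError(f"record at offset {pos} declares {clen}+{plen} bytes, "
                             f"only {len(data) - body_start} present")
        out.append((rec_type, request_id, data[body_start:body_start + clen]))
        pos = body_end
    return out


def reassemble(records, rec_type, request_id):
    """Concatenate the content of all records of one type and request id."""
    return b''.join(content for rtype, rid, content in parse_records(b''.join(records))
                    if rtype == rec_type and rid == request_id)


if __name__ == '__main__':
    # constructed 70144-byte body: larger than one record can carry
    body = bytes(range(256)) * 274
    recs = fcgi_records(FCGI_STDIN, 1, body)
    print(len(recs), 'records;', [len(c) for _, _, c in parse_records(b''.join(recs))])
```

Because FCGI_HEADER is a checked struct, an attempt to pack a length above 65535 raises struct.error instead of silently masking it, which is the behaviour a sender wants when a caller bypasses the splitting.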

  - an unvalidated SNI name_len field in the ClientHello could cause OOB
    heap reads of up to 65KB via XXH3, smp_dup(), and log-format leaks
    on any TCP frontend using req.ssl_sni, possibly causing crashes when
    used.
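req.ssl_sni works on the raw bytes of the first TCP segments, so every length field in the ClientHello has to be checked against the bytes that were actually received before it is used. As an added example (not HAProxy's parser, which is C in src/payload.c, and not taken from this announcement), here is a Python extractor built around a bounds-checked reader: each length, including the SNI name_len at the centre of the fix, is validated before any slice is taken, so a forged or truncated hello produces a ValueError rather than a read past the buffer. The builder that produces the test ClientHello is constructed for the example and only emits a minimal TLS 1.2 hello; the class and function names are mine.

```python
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


class Reader:
    """Bounds-checked cursor: every length read from the wire is checked
    against the bytes that are actually present before it is used."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def remaining(self):
        return len(self.buf) - self.pos

    def take(self, n, what):
        if n > self.remaining():
            raise ValueError(f"{what}: needs {n} bytes but only {self.remaining()} remain")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self, what):
        return self.take(1, what)[0]

    def u16(self, what):
        return int.from_bytes(self.take(2, what), 'big')

    def u24(self, what):
        return int.from_bytes(self.take(3, what), 'big')


def extract_sni(packet):
    """Return the SNI host name from a raw ClientHello record, None if absent,
    ValueError if any length field points outside the received data."""
    rec = Reader(packet)
    if rec.u8('record type') != TLS_HANDSHAKE:
        raise ValueError('not a TLS handshake record')
    rec.take(2, 'record version')
    hs = Reader(rec.take(rec.u16('record length'), 'record body'))
    if hs.u8('handshake type') != HS_CLIENT_HELLO:
        raise ValueError('not a ClientHello')
    body = Reader(hs.take(hs.u24('handshake length'), 'handshake body'))
    body.take(2, 'client version')
    body.take(32, 'random')
    body.take(body.u8('session id length'), 'session id')
    body.take(body.u16('cipher suites length'), 'cipher suites')
    body.take(body.u8('compression methods length'), 'compression methods')
    if body.remaining() == 0:
        return None  # no extensions block at all
    exts = Reader(body.take(body.u16('extensions length'), 'extensions'))
    while exts.remaining():
        ext_type = exts.u16('extension type')
        ext = Reader(exts.take(exts.u16('extension length'), 'extension data'))
        if ext_type != EXT_SERVER_NAME:
            continue
        names = Reader(ext.take(ext.u16('server name list length'), 'server name list'))
        while names.remaining():
            name_type = names.u8('name type')
            name_len = names.u16('name length')
            # the check at the heart of the fix: name_len is only trusted once it
            # is known to fit inside the bytes that were actually received
            name = names.take(name_len, 'host name')
            if name_type == SNI_HOST_NAME:
                return name.decode('ascii')
    return None


def build_client_hello(host, name_len_override=None):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI entry (test input,
    not a real capture); name_len_override writes an arbitrary value into the
    name length field so the parser's bounds check can be exercised."""
    name = host.encode('ascii')
    name_len = len(name) if name_len_override is None else name_len_override
    entry = bytes([SNI_HOST_NAME]) + struct.pack('>H', name_len) + name
    sni_data = struct.pack('>H', len(entry)) + entry
    ext = struct.pack('>HH', EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (b'\x03\x03' + bytes(32)                 # version, random
            + b'\x00'                                # empty session id
            + struct.pack('>H', 2) + b'\x13\x01'     # one cipher suite
            + b'\x01\x00'                            # one compression method (null)
            + struct.pack('>H', len(ext)) + ext)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, 'big') + body
    return bytes([TLS_HANDSHAKE]) + b'\x03\x01' + struct.pack('>H', len(handshake)) + handshake


if __name__ == '__main__':
    print(extract_sni(build_client_hello('example.com')))  # example.com
```

Re-scoping the reader to each enclosing length (record, handshake, extensions, one extension, the name list) means an inner length can never reach past its container even when every individual field is internally consistent, which is the property a sample fetch reading unverified client bytes needs.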

  - peers dictionary cache updates accepted an unvalidated entry id as
    array index, allowing OOB heap writes at attacker-controlled
    offsets.

  - the regsub sample function could leak ~9-50KB of stale heap data
    when back-reference expansion overflowed the output buffer.

  - SPOE decode_varint() had no iteration cap, allowing pointer
    arithmetic to wrap and dereference memory ~64KB before the
    allocation, causing SIGSEGV or parser confusion.

  - in sample expressions, less common HTTP methods (PATCH etc.) are
    represented by both an enum and a string. The string part was not
    handled correctly in sample duplication functions, resulting in
    their contents appearing empty when trying to fetch the method.

  - config: a few keywords relying on warnif_misplaced_* didn't check
    its return value and didn't count emitted warnings as warnings.

  - the accept() error messages for ENFILE and ENOMEM now print actconn
    instead of global.maxsock, which doesn't reflect system limits.

The rest is a few doc and CI updates.

While I usually suggest updating only if needed, here I would say that
the number of areas covered by fixes is too broad to know precisely
whether some affect your usage or not, so please just update your version.

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Christopher Faulet (7):
      BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX message
      MINOR: htx: Add function to truncate all blocks after a specific block
      BUG/MINOR: h2/h3: Never insert partial headers/trailers in an HTX message
      DOC: config: Add missing 'status-code' param for 'http-check expect' directive
      DOC: config: Reorder params for 'tcp-check expect' directive
      BUG/MINOR: config: Properly test warnif_misplaced_* return values
      BUG/MEDIUM: samples: Fix handling of SMP_T_METH samples

Egor Shestakov (1):
      BUG/MINOR: sock: adjust accept() error messages for ENFILE and ENOMEM

Greg Kroah-Hartman (5):
      BUG/MEDIUM: payload: validate SNI name_len in req.ssl_sni
      BUG/MINOR: peers: fix OOB heap write in dictionary cache update
      BUG/MINOR: spoe: fix pointer arithmetic overflow in spoe_decode_buffer()
      BUG/MINOR: sample: fix info leak in regsub when exp_replace fails
      BUG/MEDIUM: mux-fcgi: prevent record-length truncation with large bufsize

Tim Duesterhus (1):
      BUG/MINOR: tcpcheck: Fix typo in error error message for `http-check expect`

Tom Braarup (1):
      DOC: configuration: http-check expect example typo

William Lallemand (5):
      BUG/MINOR: mworker: fix typo &= instead of & in proc list serialization
      BUG/MINOR: mjson: make mystrtod() length-aware to prevent out-of-bounds reads
      SCRIPTS: build-vtest: allow to set a TMPDIR and a DESTDIR
      CI: VTest build with git clone + cache
      CI: github: only enable OS X on development branches

Willy Tarreau (6):
      BUG/MEDIUM: peers: enforce check on incoming table key type
      BUG/MINOR: mux-h2: properly ignore R bit in GOAWAY stream ID
      BUG/MINOR: mux-h2: properly ignore R bit in WINDOW_UPDATE increments
      SCRIPTS: git-show-backports: list new commits and how to review them with -L
      BUG/MAJOR: slz: always make sure to limit fixed output to less than worst case literals
      BUG/MAJOR: mux-h2: detect incomplete transfers on HEADERS frames as well

---