Hi,

HAProxy 3.0.21 was released on 2026/04/30. It added 17 new commits after version 3.0.20.

Two major issues were fixed by this release. The first one was related to the scheme-based normalization. Commas were permitted in the Host header and the authority, and the values were compared with the commas included. The same values would then differ when read via hdr(host), which splits them on commas, and under certain circumstances this could trigger crashes (at least it did in the OSS-Fuzz environment when injecting the values directly at the HTX layer). The issue was fixed. There remains the case of comma characters in authorities. Even though the spec permits commas in authorities (not in domain names), there is currently no use case for this and it causes an ambiguity with the historical use of hdr(host), so we preferred to just deny them. The change was made in 3.4-dev10 and postponed to the next 3.3 release. It will probably be backported to lower versions too.

The other major issue was about the H1 multiplexer and the way chunk sizes were emitted on 32-bit machines. Only the lower 32 bits of the chunk size were advertised, which could be used to form request or response smuggling. All 3.x versions were affected.

Otherwise, a regression was introduced in 3.2.16 on the task scheduler, leading to a deadlock with the lock held by idle connection tasks. It's difficult to reproduce but sadly it happens much more often than the one it was fixing. A new fix was emitted which better addresses the issue.

An issue in the FCGI multiplexer was fixed. The function responsible for emitting FCGI_PARAM records was not handling cases of full buffer in a consistent way. The issue was quite limited, but the "http-send-name-header" option could be silently ignored. The issue was fixed by reworking this function.

The scheme-based normalization was fixed to properly handle the case of OPTIONS requests. As stated in RFC9110#4.2.3, when the scheme-based normalization is performed, an empty path must be normalized to "/", except for OPTIONS requests.

Finally, some memory leaks on error path here and there (sample, tools) and minor issues were also fixed.

Unfortunately, shortly after the 3.0.20, it is recommended to update again.

Thanks everyone for your help!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.0/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.0.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.0.git
   Changelog        : https://www.haproxy.org/download/3.0/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Christopher Faulet (7):
      DOC: config: Fix log-format example with last rule expressions
      BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based normalization
      BUG/MEDIUM: http-htx: Don't use data from HTX message to update authority
      BUG/MEDIUM: http-htx: Loop on full host value during scheme based normalization
      BUG/MAJOR: mux-h1: Deal with true 64-bits integer to emit chunks size
      BUG/MEDIUM: mux-fcgi: Properly handle full buffer for FCGI_PARAM record
      BUG/MINOR: http-htx: Don't normalize emtpy path for OPTIONS requests

Olivier Houchard (1):
      BUG/MEDIUM: tasks: Do not loop in task_schedule() if a task is running

William Lallemand (1):
      BUILD: 51d: fix bool definition on dummy lib v4

Willy Tarreau (8):
      BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte reading
      BUG/MINOR: tools: fix memory leak in indent_msg() on out of memory
      BUG/MINOR: sample: fix memory leak in check_when_cond() when ACL is not found
      BUG/MINOR: peers: fix logical "and" when checking for local in PEER_APP_ST_STARTING
      BUG/MINOR: peers: fix wrong flag reported twice for dump_flags
      BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size()
      BUG/MINOR: fix various typos and spelling mistakes in user-visible messages
      BUG/MINOR: payload: prevent integer overflow in distcc token parsing

--
Christopher Faulet
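
The chunk-size truncation described in the announcement, as an added illustration that is not part of the original message and is not HAProxy's code. The function names and the sample length are constructed, and the 32-bit cast is an assumed model of the defect, not the project's actual code path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the HTTP/1.1 chunk-size line ("<hex>\r\n") for `len` body bytes.
 * Returns the bytes written (NUL excluded), or 0 if `out` is too small.
 * A 64-bit length needs at most 16 hex digits + CRLF + NUL = 19 bytes. */
size_t emit_chunk_size(char *out, size_t cap, uint64_t len)
{
    char tmp[16];
    size_t n = 0, i;

    do {                                  /* least significant digit first */
        tmp[n++] = "0123456789abcdef"[len & 0xf];
        len >>= 4;
    } while (len);
    if (n + 3 > cap)                      /* digits + "\r\n" + NUL must fit */
        return 0;
    for (i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];
    memcpy(out + n, "\r\n", 3);
    return n + 2;
}

/* Assumed model of the defect: the length passes through a 32-bit type
 * before being formatted, so only its lower 32 bits are advertised. */
size_t emit_chunk_size_trunc32(char *out, size_t cap, uint64_t len)
{
    return emit_chunk_size(out, cap, (uint32_t)len);
}

/* Body bytes that fall outside the advertised chunk; a peer parsing the
 * stream would interpret them as chunk framing or as a new message. */
uint64_t unframed_bytes(uint64_t len)
{
    return len - (uint32_t)len;
}

int main(void)
{
    char good[19], bad[19];
    uint64_t len = 0x100000010ULL;        /* constructed: 4 GiB + 16 bytes */

    emit_chunk_size(good, sizeof(good), len);
    emit_chunk_size_trunc32(bad, sizeof(bad), len);
    printf("64-bit: %s32-bit: %sunframed: %llu bytes\n", good, bad,
           (unsigned long long)unframed_bytes(len));
    return 0;
}
```

A sender and receiver that disagree on where the chunk ends is the framing desynchronization behind the smuggling risk the announcement mentions; comparing the advertised size against the real payload length is the property to test on 32-bit builds.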

