Hi,
HAProxy 2.8.22 was released on 2026/04/30. It added 11 new commits
after version 2.8.21.
A major issue were fixed by this release. It was related to the scheme-based
normalization. The presence of commas in Host header and authority was permitted
and would be used to compare the values, which then would differ when read via
hdr(host) which splits them on commas, and under certain circumstances, trigger
crashes (at least it did in the OSS-Fuzz environment when injecting the values
directly at the HTX layer). The issue was fixed. Remains the case of the comma
characters in authorities. Even though the spec permits commas in authorities
(not in domain names), there is currently no use case for this and it causes an
ambiguity with the historical use of hdr(host), so we preferred to just deny
them. The change was performed on the 3.4-dev10 and postponed for the next 3.3
release. It will probably be backported to lower versions too.
Otherwise, a regression was introduced in 3.2.16 on the task scheduler, leading
to a deadlock with the lock held by idle connections tasks. It's difficult to
reproduce but sadly it happens much more often than the one it was fixing. A
new fix was emitted which better addresses the issue.
An issue in the FCGI multiplexer was fixed. The function responsible to emit
FCGI_PARAM records was not handling cases of full buffer in a consistant
way. The issue was quite limited, but the "http-send-name-header" option could
be silently ignored. The issue was fixed by reworking this function.
The scheme-based normalization was fixed to properly handle case of OPTIONS
requests. As stated in RFC9110#4.2.3, when the scheme-based normalization is
performed, an empty path must be normalized to "/", except for OPTIONS request.
Finally, a memory leak on error path (tools) and other minor issues were also
fixed.
Unfortunately, shortly after the 2.8.21, it is recommended to update again.
Thanks everyone for your help !
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/2.8/src/
Git repository : https://git.haproxy.org/git/haproxy-2.8.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
Changelog : https://www.haproxy.org/download/2.8/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Christopher Faulet (6):
DOC: config: Fix log-format example with last rule expressions
BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based
normalization
BUG/MEDIUM: http-htx: Don't use data from HTX message to update authority
BUG/MEDIUM: http-htx: Loop on full host value during scheme based
normalization
BUG/MEDIUM: mux-fcgi: Properly handle full buffer for FCGI_PARAM record
BUG/MINOR: http-htx: Don't normalize emtpy path for OPTIONS requests
Olivier Houchard (1):
BUG/MEDIUM: tasks: Do not loop in task_schedule() if a task is running
William Lallemand (1):
BUILD: 51d: fix bool definition on dummy lib v4
Willy Tarreau (3):
BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte
reading
BUG/MINOR: tools: fix memory leak in indent_msg() on out of memory
BUG/MINOR: payload: prevent integer overflow in distcc token parsing
--
Christopher Faulet
