Hi,

HAProxy 3.3.9 was released on 2026/05/06. It added 33 new commits
after version 3.3.8.

We still got a significant number of reports for 3.4 last week, a number
of which affect stable releases. We'd really like to clean up the stable
state before releasing 3.4 so that we know everything is in a sane state.
So here's another 3.3 revision, with the following issues fixed:

- h2: the fix for the possible partial request smuggling based on headers/
  trailers was insufficient for trailers due to the indication of
  presence of the content-length header not being up-to-date while
  checking them. The patch had to be reworked to pass the state to the
  trailers parser. The impact remains moderate though, with reuse-never
  being the most exposed and other modes only being exploitable on totally
  idle systems, and with a server that responds before the end. This was
  reported by Pratham Gupta.

- h2: the :protocol header is only permitted with extended CONNECT and
  when that extension was negotiated. Previously it would be silently
  accepted with other methods or outside of the negotiation. There should
  not be any impact beyond making a component developer believe their
  code works while it shouldn't. This issue was reported by Huangbin
  Zhan.

- http: the presence of commas in an authority is technically permitted by
  RFC3986 but is not really supported since everyone uses req.hdr(host)
  and not req.fhdr(host). Since this is not used for regular hosts as used
  with HTTP and can make the host validate differently to what is passed,
  we preferred to simply reject them instead of working dirty tricks around
  them. Note that the worst we could do was to cause the header to multiply
  during normalization and cause a crash. This was reported by OSS Fuzz.

- CLI: the master CLI privilege level was not passed to the worker when
  using @@pid, so a script that would potentially try to lower its
  privilege before passing improperly sanitized user inputs could leave
  them executed at admin level. This was reported by Omkhar Arasaratnam.

- CLI: if an old worker does not respond, connection attempts to it
  through the master wouldn't time out, so when the client would leave,
  that connection would be lost, and after a few attempts it would no
  longer be possible to connect to the master socket. A "server-fin"
  timeout was installed so that the timeout starts when a client leaves
  but not before. Issue reported and fixed by Alexander Stephan, Martin
  Strenge and William.

- h1: HTX data block reservation wasn't flushed on error, possibly causing
  incorrect readings in health checks and in haterm.

- dns: since we dropped connect(), which didn't resist network topology
  changes, and switched to sendto(), we forgot to validate that responses
  came from the correct source. This opens the possibility of someone
  spoofing a response without having to guess the server's IP, even though
  DNS server IP addresses are generally well known and what is used for
  filtering is actually the requester's source port and transaction ID.
  This was found and fixed by Omkhar Arasaratnam.

Other, lower importance / impact:

- acme: contact mail is optional, and the termsOfServiceAgreed boolean
  shouldn't be passed to requests containing onlyReturnExisting. This
  was found and fixed by Mia Kanashi.

- vars: some parse errors in variables of scope proc were possibly ignored,
  which could be missed or even possibly cause a crash at boot time.

- tcpcheck: some HTTP health checks wouldn't always report the failure
  cause upon a wrong match or when failing on "expect hdr".

- the http_auth_bearer() sample fetch function would return an empty string
  instead of not found.

- various leaks on error paths (map descriptor on load error, reference
  pattern on file load error, various in resolvers, double free in sink
  allocation error).

- various doc, reg-test and CI updates

I'd say that if you use H2 you should update (or disable it if you don't
use it). Pratham requested a CVE for the first one.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.3.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Alexander Stephan (1):
      BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect

Christopher Faulet (8):
      BUG/MINOR: tcpcheck: Properly report error for http health-checks
      BUG/MINOR: resolvers: Free new requester on error when linking a resolution
      BUG/MINOR: resolvers: Fix lookup for a hostname in the state-file tree
      BUG/MINOR: resolvers: Free opts on parse error in resolv_parse_do_resolve()
      BUG/MINOR: http-fetch: Fix http_auth_bearer() when custom header is used
      BUG/MEDIUM: h1_htx: Remove reverved block on error during contig chunks parsing
      BUG/MAJOR: http: forbid comma character in authority value
      BUG/MEDIUM: h1: Enforce the authority validation during H1 request parsing

Mia Kanashi (2):
      BUG/MINOR: acme: contact mail should be optional, don't pass ToS bool
      BUG/MINOR: tools: read_line_to_trash() handle empty files without \n

William Lallemand (4):
      CI: github: add DEBUG_STRICT=2 to ASAN jobs
      BUG/MEDIUM: mworker/cli: fix user and operator permission via @@<pid> in master CLI
      BUG/MINOR: mworker/cli: check ci_insert() return value in pcli_parse_request()
      DOC: acme: document missing acme-vars and provider-name keywords

Willy Tarreau (18):
      BUG/MINOR: sink: do not free existing sinks on allocation error
      BUG/MINOR: vars: make parse_store() return error on var_set() failure
      BUG/MINOR: vars: don't store the variable twice with set-var-fmt
      BUG/MINOR: vars: only print first invalid char in fill_desc()
      BUG/MINOR: hpack: validate idx > 0 in hpack_valid_idx()
      BUG/MINOR: acl: fix a possible arg corruption in smp_fetch_acl_parse()
      BUG/MINOR: map: do not leak a map descriptor on load error
      CLEANUP: map/cli: fix some map-related help messages
      BUG/MINOR: pattern: release the reference on failure to load from file
      BUG/MEDIUM: mux-h2: fix the body_len to check when parsing request trailers
      BUG/MAJOR: mux-h2: preset MSGF_BODY_CL on H2_SF_DATA_CLEN in h2c_dec_hdrs()
      BUG/MINOR: dns: always validate the source address in responses
      REGTESTS: add a regtest to validate various NTLM transitions
      REGTESTS: http-messaging: always send RFC8441 client settings to use ext connect
      BUG/MINOR: h2: add decoding for :protocol in traces
      BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting
      MINOR: mux-h2: add a new message flag to indicate ext connect support
      BUG/MINOR: h2: only accept :protocol with extended CONNECT

---
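The response filtering that the dns item above describes (source address, requester port, transaction ID), as an added example that is not part of this announcement and is not HAProxy's resolver code. It models what a UDP client must check itself once it sends with sendto() on an unconnected socket, since the kernel then delivers any datagram aimed at the local port. The wire format is plain RFC 1035 for A records; the PendingQuery helper, the addresses and the packets are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Added example, not HAProxy code. A resolver that sends with sendto() on an
# unconnected UDP socket receives every datagram addressed to that socket's
# port, so the source (ip, port) and the transaction ID have to be checked in
# user space before an answer is trusted. The local port check is implicit:
# the datagram arrived on the socket the query left from.

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    """Decode a (possibly compressed) name at off; return (name, next_off)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(txid, qname):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN

def build_response(txid, qname, addrs, ttl=60):
    """Constructed A-record response; also used to forge a spoofed one."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in addrs:
        rdata = bytes(int(x) for x in ip.split("."))
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return hdr + body

@dataclass
class PendingQuery:           # hypothetical helper: one outstanding query
    txid: int
    server: tuple             # (ip, port) the query was sent to
    qname: str

def validate_response(pending, src, payload):
    """Return (True, [ips]) for a credible answer to pending, else (False, reason)."""
    # 1. Source check: the datagram must come from the server that was asked.
    if src != pending.server:
        return False, "source %s:%d is not the queried server" % src
    if len(payload) < 12:
        return False, "truncated header"
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", payload[:12])
    # 2. Transaction ID must match the outstanding query.
    if txid != pending.txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qd != 1:
        return False, "unexpected question count"
    # 3. The echoed question must be the one that was sent.
    qname, off = decode_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    if (qname.lower(), qtype, qclass) != (pending.qname.lower(), 1, 1):
        return False, "question does not match query"
    ips = []
    for _ in range(an):
        _, off = decode_name(payload, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return True, ips

if __name__ == "__main__":
    q = PendingQuery(txid=0x1234, server=("192.0.2.53", 53), qname="example.com")
    print(validate_response(q, ("192.0.2.53", 53),
                            build_response(0x1234, "example.com", ["203.0.113.7"])))
    # Same txid, but from a host that was never queried: rejected by the source check.
    print(validate_response(q, ("198.51.100.1", 53),
                            build_response(0x1234, "example.com", ["198.51.100.9"])))
```

The source check comes first on purpose: a datagram from an unexpected peer is dropped before any of its bytes are parsed, which also keeps a spoofer from probing the parser.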

