Hi,

HAProxy 2.6.28 was released on 2026/05/06. It added 21 new commits after version 2.6.27.

We still got a significant number of reports for 3.4 last week, a number of which affect stable releases. We'd really like to clean up the stable state before releasing 3.4 so that we know everything is in a sane state. So here's another 2.6 revision, with the following issues fixed:

- h2: the fix for the possible partial request smuggling based on headers/trailers was insufficient for trailers, because the indication of the presence of the content-length header was not up-to-date while checking them. The patch had to be reworked to pass the state to the trailers parser. The impact remains moderate though, with reuse-never being the most exposed and other modes only being exploitable on totally idle systems, and with a server that responds before the end. This was reported by Pratham Gupta.

- h2: the :protocol header is only permitted with extended CONNECT and when that extension was negotiated. Previously it would be silently accepted with other methods or outside of the negotiation. There should not be any impact beyond making a component developer believe their code works while it shouldn't. This issue was reported by Huangbin Zhan.

- CLI: if an old worker does not respond, connection attempts to it through the master wouldn't time out, so when the client left, that connection would be lost, and after a few attempts it would no longer be possible to connect to the master socket. A "server-fin" timeout was installed so that the timeout starts when a client leaves but not before. Issue reported and fixed by Alexander Stephan, Martin Strenge and William.

- h1: the HTX data block reservation wasn't flushed on error, possibly causing incorrect readings in health checks and in haterm.

Other, lower importance / impact:

- vars: some parse errors in variables of scope proc could be ignored, which could be missed or even cause a crash at boot time.
- tcpcheck: some HTTP health checks wouldn't always report the failure cause upon a wrong match or when failing on "expect hdr".
- http_auth_bearer() sample fetch function would return an empty string instead of not found.
- various leaks on error paths (map descriptor on load error).
- various reg-test updates

I'd say that if you use H2 you should update (or disable it if you don't use it). Pratham requested a CVE for the first one.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.6/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : https://www.haproxy.org/download/2.6/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Alexander Stephan (1):
      BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect

Christopher Faulet (5):
      BUG/MINOR: resolvers: Free new requester on error when linking a resolution
      BUG/MINOR: resolvers: Free opts on parse error in resolv_parse_do_resolve()
      BUG/MINOR: tcpcheck: Properly report error for http health-checks
      BUG/MINOR: http-fetch: Fix http_auth_bearer() when custom header is used
      BUG/MEDIUM: h1_htx: Remove reverved block on error during contig chunks parsing

William Lallemand (1):
      BUG/MINOR: mworker/cli: check ci_insert() return value in pcli_parse_request()

Willy Tarreau (14):
      BUG/MINOR: vars: make parse_store() return error on var_set() failure
      BUG/MINOR: vars: don't store the variable twice with set-var-fmt
      BUG/MINOR: vars: only print first invalid char in fill_desc()
      BUG/MINOR: hpack: validate idx > 0 in hpack_valid_idx()
      BUG/MINOR: map: do not leak a map descriptor on load error
      CLEANUP: map/cli: fix some map-related help messages
      BUG/MEDIUM: mux-h2: fix the body_len to check when parsing request trailers
      BUG/MAJOR: mux-h2: preset MSGF_BODY_CL on H2_SF_DATA_CLEN in h2c_dec_hdrs()
      REGTESTS: add a regtest to validate various NTLM transitions
      REGTESTS: http-messaging: always send RFC8441 client settings to use ext connect
      BUG/MINOR: h2: add decoding for :protocol in traces
      BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting
      MINOR: mux-h2: add a new message flag to indicate ext connect support
      BUG/MINOR: h2: only accept :protocol with extended CONNECT
---
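The second h2 item above describes the RFC 8441 rule that :protocol is only valid on an extended CONNECT request after the peer enabled the extension. The following is an added illustration of that rule written for this note, not HAProxy code: a standalone checker for the request pseudo-header block whose `ext_connect_negotiated` flag stands for having received SETTINGS_ENABLE_CONNECT_PROTOCOL=1 from the peer.

```python
from typing import List, Optional, Tuple

# Decoded HEADERS block as (lower-cased name, value) pairs, in wire order.
Headers = List[Tuple[str, str]]


def check_request_pseudo_headers(headers: Headers,
                                 ext_connect_negotiated: bool) -> Optional[str]:
    """Return None if the pseudo-header block is acceptable, else the reason.

    ext_connect_negotiated is True once the peer's SETTINGS carried
    SETTINGS_ENABLE_CONNECT_PROTOCOL=1 (RFC 8441 section 3). Checks follow
    RFC 7540 section 8.1.2.3 and RFC 8441 section 4.
    """
    pseudo = {}
    seen_regular = False
    for name, value in headers:
        if not name.startswith(":"):
            seen_regular = True
            continue
        if seen_regular:
            return "pseudo-header after a regular header"
        if name in pseudo:
            return "duplicate pseudo-header " + name
        pseudo[name] = value

    method = pseudo.get(":method")
    if method is None:
        return "missing :method"

    if ":protocol" in pseudo:
        # The case the 2.6.28 fix tightens: :protocol is only meaningful on a
        # CONNECT request and only after the extension was negotiated.
        if method != "CONNECT":
            return ":protocol is only allowed with CONNECT"
        if not ext_connect_negotiated:
            return ":protocol sent before SETTINGS_ENABLE_CONNECT_PROTOCOL"
        if ":scheme" not in pseudo or ":path" not in pseudo:
            return "extended CONNECT requires :scheme and :path"
        return None

    if method == "CONNECT":
        # Classic CONNECT (RFC 7540 section 8.3): :authority only.
        if ":scheme" in pseudo or ":path" in pseudo:
            return "classic CONNECT must not carry :scheme or :path"
        return None if ":authority" in pseudo else "CONNECT requires :authority"

    if ":scheme" not in pseudo or ":path" not in pseudo:
        return "request requires :scheme and :path"
    return None
```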

