Hi,

HAProxy 2.4.34 was released on 2026/05/06. It added 12 new commits
after version 2.4.33.

We still got a significant number of reports for 3.4 last week, a number
of which affect stable releases. We'd really like to clean up the stable
state before releasing 3.4 so that we know everything is in a sane state.
So here's another 2.4 revision, with the following issues fixed:

- h2: the fix for the possible partial request smuggling based on headers/
  trailers was insufficient for trailers, because the indication of the
  presence of the content-length header was not up-to-date while the
  trailers were being checked. The patch had to be reworked to pass the
  state to the trailers parser. The impact remains moderate though, with
  reuse-never being the most exposed and other modes only being exploitable
  on totally idle systems, and with a server that responds before the end.
  This was reported by Pratham Gupta.

- CLI: if an old worker does not respond, connection attempts to it
  through the master wouldn't time out, so when the client left,
  that connection would be lost, and after a few attempts it would no
  longer be possible to connect to the master socket. A "server-fin"
  timeout was installed so that the timeout starts when a client leaves
  but not before. Issue reported and fixed by Alexander Stephan, Martin
  Strenge and William.
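The trailers check behind the first item, as an added illustration (constructed Python, not HAProxy's code; `H2StreamValidator` and `validate_stream` are hypothetical names): the declared content-length is captured from the HEADERS frame and handed explicitly to the trailers parser, so trailers arriving before the declared body has fully been received are rejected rather than accepted on a stale flag.

```python
class MalformedRequest(Exception):
    """The stream violates the framing declared in its HEADERS frame."""


class H2StreamValidator:
    """Tracks one request stream: declared length, bytes seen, trailers."""

    def __init__(self):
        self.content_length = None   # declared body length, None if absent
        self.body_seen = 0           # DATA payload bytes received so far
        self.trailers = {}
        self.complete = False

    def on_headers(self, headers):
        cl = headers.get("content-length")
        if cl is not None:
            if not cl.isdigit():
                raise MalformedRequest("non-numeric content-length")
            self.content_length = int(cl)

    def on_data(self, payload):
        self.body_seen += len(payload)
        if self.content_length is not None and self.body_seen > self.content_length:
            raise MalformedRequest("DATA exceeds content-length")

    def on_trailers(self, trailers, declared_len):
        # The caller passes the content-length state explicitly; no separate
        # "has content-length" flag that might lag behind is consulted here.
        if declared_len is not None and self.body_seen != declared_len:
            raise MalformedRequest(
                f"{self.body_seen} body bytes but content-length is {declared_len}")
        self.trailers = dict(trailers)
        self.complete = True


def validate_stream(frames):
    """frames: ("headers"|"data"|"trailers", payload) tuples in wire order for a
    stream that ends with trailers. True if well-formed, False if it must be reset."""
    v = H2StreamValidator()
    try:
        for kind, payload in frames:
            if kind == "headers":
                v.on_headers(payload)
            elif kind == "data":
                v.on_data(payload)
            else:
                v.on_trailers(payload, v.content_length)
        return v.complete
    except MalformedRequest:
        return False


# Constructed sample streams (not captured traffic).
GOOD = [("headers", {":method": "POST", "content-length": "5"}),
        ("data", b"hello"), ("trailers", {"x-checksum": "abc"})]
SHORT = [("headers", {":method": "POST", "content-length": "10"}),
         ("data", b"hello"), ("trailers", {"x-checksum": "abc"})]
```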

Other, lower importance / impact:

- tcpcheck: some HTTP health checks wouldn't always report the failure
  cause upon a wrong match or when failing on "expect hdr".

- various leaks on error paths (map descriptor on load error).

- various reg-test updates

I'd say that if you use H2 you should update (or disable it if you don't
use it). Pratham requested a CVE for the first one.

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog:
Alexander Stephan (1):
      BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect

Christopher Faulet (3):
      BUG/MINOR: resolvers: Free opts on parse error in resolv_parse_do_resolve()
      BUG/MINOR: tcpcheck: Properly report error for http health-checks
      REGTEST: Fix scripts testing NTLM to remove configurable timeouts

William Lallemand (1):
      BUG/MINOR: mworker/cli: check ci_insert() return value in pcli_parse_request()

Willy Tarreau (7):
      BUG/MINOR: hpack: validate idx > 0 in hpack_valid_idx()
      BUG/MINOR: map: do not leak a map descriptor on load error
      CLEANUP: map/cli: fix some map-related help messages
      BUG/MEDIUM: mux-h2: fix the body_len to check when parsing request trailers
      BUG/MAJOR: mux-h2: preset MSGF_BODY_CL on H2_SF_DATA_CLEN in h2c_dec_hdrs()
      REGTESTS: add a regtest to validate various NTLM transitions
      CI: github: fix build matrix after latest osx backport
