Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.


    Last release 3.3.10 was issued on 2026-05-11.  There are currently 96 
patches in the queue cut down this way:
    - 36 MEDIUM, first one merged on 2026-05-13
    - 60 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.3.11 would be 2026-06-12, which was 
within the last week.

    Last release 3.2.19 was issued on 2026-05-11.  There are currently 83 
patches in the queue cut down this way:
    - 31 MEDIUM, first one merged on 2026-05-11
    - 52 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.2.20 would be 2026-07-10, which is 
in four weeks or less.

    Last release 3.0.23 was issued on 2026-05-11.  There are currently 67 
patches in the queue cut down this way:
    - 25 MEDIUM, first one merged on 2026-05-21
    - 42 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.0.24 would be 2026-08-13, which is 
in nine weeks or less.

The current list of patches in the queue is:
 - 3.0, 3.2, 3.3             - MEDIUM  : cache: always verify the primary hash 
in get_secondary_entry()
 - 3.0, 3.2                  - MEDIUM  : mux_quic: adjust qcc_is_dead() to 
account detached streams
 - 3.0, 3.2, 3.3             - MEDIUM  : dict: hold lock while decrementing 
refcount in dict_entry_unref
 - 3.3                       - MEDIUM  : limits: properly account for 
global.maxpipes in compute_ideal_maxconn()
 - 3.0, 3.2, 3.3             - MEDIUM  : cache: fix a refcount leak for missed 
secondary entries
 - 3.0, 3.2, 3.3             - MEDIUM  : server/cli: unlock server lock on 
failure in cli_parse_set_server
 - 3.0, 3.2, 3.3             - MEDIUM  : mux-fcgi: reject stream ID 0 for 
application records
 - 3.0, 3.2, 3.3             - MEDIUM  : dict: hold read lock while 
incrementing refcount in dict_insert
 - 3.3                       - MEDIUM  : regex: allocate a large enough pcre2 
match for all matches
 - 3.0, 3.2, 3.3             - MEDIUM  : hlua: Fix integer underflow when 
receiving line from lua cosocket
 - 3.3                       - MEDIUM  : servers: Store the connection hash 
with the parameter cache
 - 3.0, 3.2, 3.3             - MEDIUM  : h1: Skip all h2c values from Upgrade 
headers during parsing
 - 3.0, 3.2, 3.3             - MEDIUM  : applet: Fix transfer of HTX data to 
the applet
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix memory leak of sockaddr in 
dns_session_init() error path
 - 3.0, 3.2, 3.3             - MEDIUM  : auth: fix unconfigured password NULL 
deref
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: fix name compression 
pointer validation in resolv_read_name()
 - 3.3                       - MEDIUM  : servers: Don't forget to set srv_hash 
when needed
 - 3.2, 3.3                  - MEDIUM  : h1: drop headers whose names contain 
invalid chars
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: Wait a bit before calling 
the xprt prepare_srv
 - 3.0, 3.2, 3.3             - MEDIUM  : quic: handle ECONNREFUSED on RX side
 - 3.0, 3.2, 3.3             - MEDIUM  : h3: reject client push stream
 - 3.2, 3.3                  - MEDIUM  : h1: limit status codes to 3 digits by 
default
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: Fix test on dn label size 
in resolv_dn_label_to_str()
 - 3.0, 3.2, 3.3             - MEDIUM  : ssl-gencert: Unlock LRU cache if 
failing to generate certificate
 - 3.2, 3.3                  - MEDIUM  : tcpcheck/spoe: bound the SPOP error 
code to valid values
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix long loops in additional 
records parse on name failure"
 - 3.0, 3.2, 3.3             - MEDIUM  : quic: reset cwnd in slow_start on 
persistent congestion (cubic)
 - 3.0, 3.2, 3.3             - MEDIUM  : h1-htx: Sanitize parsing to properly 
handle upgrade requests
 - 3.3                       - MEDIUM  : http-client: Only consume input buffer 
when hc one is empty
 - 3.2, 3.3                  - MEDIUM  : acme: protect against risk of 
null-deref on connection failure
 - 3.2, 3.3                  - MEDIUM  : quic: reset consecutive_losses on exit 
from recovery period (cubic)
 - 3.0, 3.2, 3.3             - MEDIUM  : mux-h1: Dup connection/upgrade value 
to parse it when making headers
 - 3.0, 3.2, 3.3             - MEDIUM  : log-forward: make sure the month is 
unsigned
 - 3.2, 3.3                  - MEDIUM  : cpu-topo: Enforce thread-hard-limit on 
policy
 - 3.0, 3.2, 3.3             - MEDIUM  : applet: Properly handle receives of 
size 0
 - 3.3                       - MEDIUM  : h3: fix MAX_PUSH_ID handling
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix long loops in additional 
records parse on name failure
 - 3.0, 3.2, 3.3             - MINOR   : mux-h2: validate HEADERS frame length 
before reading stream dep
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix huff_dec() error handling 
in qpack_decode_fs()
 - 3.0, 3.2, 3.3             - MINOR   : dns: fix dangling dgram pointer on 
dns_dgram_init() failure path
 - 3.0, 3.2, 3.3             - MINOR   : init: use more than ha_random64() for 
the cluster secret
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix risk of appending 
garbage past the domain name
 - 3.0, 3.2, 3.3             - MINOR   : ssl-gencert: validate SNI characters 
to prevent SAN certificate injection
 - 3.3                       - MINOR   : h3: reject server push stream
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: relax size checks in 
authority record parsing
 - 3.0, 3.2, 3.3             - MINOR   : quic: fix ack range node pool_free 
call passing wrong pointer type
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: switch to a better PRNG for 
query IDs
 - 3.3                       - MINOR   : h3: add missing break on rcv_buf()
 - 3.0, 3.2, 3.3             - MINOR   : config/dns: properly fail on duplicate 
nameserver name detection
 - 3.0, 3.2, 3.3             - MINOR   : addons/51d: NUL-terminate headers 
before passing them to Trie API
 - 3.0, 3.2, 3.3             - MINOR   : backend: fix balance hash calculation 
when using hash-type none
 - 3.0, 3.2, 3.3             - MINOR   : sample: limit the be2hex converter's 
chunk size
 - 3.2, 3.3                  - MINOR   : session/trace: use distinct flags for 
SESS_EV_END and _ERR
 - 3.0, 3.2, 3.3             - MINOR   : tcpchecks: Limit parsing of 
agent-check reply to the buffer
 - 3.3                       - MINOR   : mux_quic: do not exceed 
stream.max-concurrent on backend side
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix sign bit mask in 
qpack_decode_fs_pfx()
 - 3.0, 3.2, 3.3             - MINOR   : httpclient-cli: Destroy http-client 
context if failing to start it
 - 3.0, 3.2, 3.3             - MINOR   : mux-h2: Count padding for connection 
flow control on error path
 - 3.0, 3.2, 3.3             - MINOR   : hlua: prevent Lua from passing 
CR/LF/NUL in HTTP headers
 - 3.0, 3.2, 3.3             - MINOR   : base64: return empty string for empty 
input in base64dec()
 - 3.0, 3.2, 3.3             - MINOR   : quic: fix ODCID lookup from derived 
value
 - 3.3                       - MINOR   : h3: adjust error on PUSH_PROMISE frame 
reception
 - 3.0, 3.2, 3.3             - MINOR   : check: properly report errno in 
chk_report_conn_err()
 - 3.2, 3.3                  - MINOR   : cache: also recognize directives in 
the form "token="
 - 3.0, 3.2, 3.3             - MINOR   : cache: fix cache tree iteration
 - 3.2, 3.3                  - MINOR   : mux-spop: Use relative offset to 
compute contig data in demux buf
 - 3.0, 3.2, 3.3             - MINOR   : payload: fix the handshake length 
bounds check smp_client_hello_parse()
 - 3.3                       - MINOR   : server: accept server IDs above 2^31 
and clarify error message
 - 3.0, 3.2, 3.3             - MINOR   : tcpcheck: Check LDAP response to not 
read more data than available
 - 3.0, 3.2, 3.3             - MINOR   : ssl-hello: make use of the 
null-terminated servername
 - 3.3                       - MINOR   : h3: reject server MAX_PUSH_ID frame
 - 3.2, 3.3                  - MINOR   : servers: use proper source of 
pool_conn_name in srv_settings_cpy()
 - 3.0, 3.2, 3.3             - MINOR   : h3: reject client CANCEL_PUSH frame
 - 3.2, 3.3                  - MINOR   : resolvers: fix dangling list pointer 
in resolvers_new() error paths
 - 3.0, 3.2, 3.3             - MINOR   : quic: reject packet too short for HP 
decryption
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix room for trailing zero 
in resolv_dn_label_to_str()
 - 3.0, 3.2, 3.3             - MINOR   : cache: Fix copy of value when parsing 
maxage
 - 3.0, 3.2, 3.3             - MINOR   : dict: fix refcount race on insert 
collision
 - 3.0, 3.2, 3.3             - MINOR   : http-fetch: check against the whole 
token in get_http_auth()
 - 3.0, 3.2, 3.3             - MINOR   : mux-fcgi: Use relative offset to 
compute contig data in demux buf
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: report the expression error 
in the do-resolve() action parser
 - 3.0, 3.2, 3.3             - MINOR   : h1: Don't mask websocket protocol if 
multiple protocols used
 - 3.2, 3.3                  - MINOR   : server: Properly handle init-state 
value during haproxy startup
 - 3.0, 3.2, 3.3             - MINOR   : qpack: Fix index calculation in debug 
functions
 - 3.0, 3.2, 3.3             - MINOR   : ocsp: Manage date too far away in the 
future
 - 3.0, 3.2, 3.3             - MINOR   : http-ext: always check remaining data 
when reading rfc7239 nodeport
 - 3.0, 3.2, 3.3             - MINOR   : backend: correct parameter value 
validation in get_server_ph_post()
 - 3.3                       - MINOR   : mux_quic: open an idle QCS on reset on 
BE side
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix leaked dgram and 
dns_ring struct in parse_resolve_conf()
 - 3.2, 3.3                  - MINOR   : quic: update drs->lost before calling 
on_ack_recv
 - 3.2, 3.3                  - MINOR   : jws: Add missing return value check 
(EVP_PKEY_get_bn_param)
 - 3.2, 3.3                  - MINOR   : threads: set at least grp_max when 
mtpg is too small
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix potential null-pointer 
dereference in qpack_dht_insert()
 - 3.3                       - MINOR   : httpclient-cli: fix uninit variable in 
error label
 - 3.2, 3.3                  - MINOR   : jws: fix OpenSSL 3.0 version check 
from > to >=
 - 3.0, 3.2, 3.3             - MINOR   : log: look for the end of priority 
before the end of the buffer
 - 3.0, 3.2, 3.3             - MINOR   : jwt: fix possible memory leak in 
convert_ecdsa_sig() error path

-- 
The haproxy stable-bot is freely provided by HAProxy Technologies to help 
improve the quality of each HAProxy release.  If you have any issue with these 
emails or if you want to suggest some improvements, please post them on the 
list so that the solutions suiting the most users can be found.

