Hi, HAProxy 3.3.11 was released on 2026/06/25. It added 153 new commits after version 3.3.10.
This large maintenance release addresses bugs across many subsystems. Many of them were never encountered and were only found by AI-assisted scans. The most notable areas covered are the HTTP/1 parser hardening, extensive DNS/resolver fixes, QUIC and HTTP/3 correctness improvements, multiplexer draining bugs, Lua and applet issues, cache correctness, dictionary locking bugs, SSL/TLS fixes, server connection hashing, and PCRE2 regex initialization. Users are encouraged to upgrade. Several security-relevant fixes were applied to the HTTP/1 parser. Header names containing invalid characters are now properly rejected to prevent header injection attempts. Status codes are now limited to 3 digits to prevent response splitting. All "h2c" values in Upgrade headers are now filtered out during parsing to avoid protocol confusion. Additionally, the handling of Upgrade headers when making outgoing requests was reworked to properly sanitize and deduplicate upgrade tokens. The WebSocket protocol is no longer masked when multiple protocols are listed in the Upgrade header. A large number of bugs were fixed in the DNS resolver code. A validation bug was fixed in resolv_read_name() where a name compression pointer was not validated against the response bounds, potentially causing out-of-bounds memory reads. A bug in resolv_dn_label_to_str() were fixed: the label size check used an incorrect comparison. A related fix prevents appending garbage past the domain name. When the xprt prepare_srv callback fails for a newly resolved server, HAProxy now waits a bit before retrying to avoid busy-looping. A memory leak of a sockaddr structure was fixed in the dns_session_init() error path. Authority record parsing was relaxed to be more tolerant of label sizes. Several minor error-path leaks and dangling pointer issues were also fixed. The expression error is now reported in the do-resolve() action parser. Query ID generation was switched to a better PRNG for unpredictability. Multiple bugs were fixed in the QUIC multiplexer. A potential infinite loop was possible in qcc_io_recv() when a RESET_STREAM was received while the stream was still in the recv_list; the loop is now correctly guarded. A related issue where the recv loop was unnecessarily interrupted on stream-level errors or incomplete data was also fixed. A transfer freeze could occur after a QCS rxbuf realign operation because the next Rx buffer was not reinserted into the QCS tree after the data move; this caused data loss particularly on POST requests on the frontend or on most backend transfers. Another issue in qcs_http_reset_buf() caused the entire buffer to be reset unconditionally instead of draining only the requested amount, which could discard unsent data when a filter was registered on the data forwarding stage. Various smaller fixes addressed backend connection removal on app shutdown, idle QCS not being opened on reset on the backend side, backend-side max concurrent stream limits, rxbuf settings, and Initial packet length values. The CUBIC congestion control algorithm received two fixes: the congestion window was not reset in slow start on persistent congestion, and the consecutive_losses counter was not reset when leaving the recovery period, potentially causing premature congestion control triggering. An ECONNREFUSED error on the receive side was not handled, causing the QUIC connection to stall instead of being properly terminated. In the HTTP/3 layer, a bug caused malformed chunked encoding when proxying an H3 request without Content-Length to an HTTP/1 backend. The H3 mux was assigning the cumulative data length to the stream endpoint's known input payload instead of incrementing it, producing incorrect chunk sizes for multi-frame bodies. PUSH_PROMISE frames on backend connections were also not handled properly. Client push streams and server-side push-related frames (MAX_PUSH_ID, push stream, CANCEL_PUSH) are now properly rejected where required. A missing break was added in the rcv_buf() function to prevent falling through to the wrong handler, and error codes were adjusted for various rejection cases. Several fixes were applied to the hq-interop HTTP/0.9 transcoder used for QUIC backend debugging. Response buffer wrapping was not handled, large responses with a full demux buffer were not properly paused, streams with unknown payload length were incorrectly closed with RESET_STREAM instead of FIN, and a missing buffer-full check could trigger a BUG_ON() assertion. Numerous bugs were fixed in the QPACK decoder. Index calculation in debug functions was incorrect. A potential null-pointer dereference was fixed in qpack_dht_insert() when the memory pool was exhausted. A sign bit mask was wrong in qpack_decode_fs_pfx(), potentially causing incorrect header value decoding. Error handling in huff_dec() called from qpack_decode_fs() was not properly propagating the error. Three multiplexers were affected by the same draining bug: when trying to send data to a server whose stream was closed (in error or half-closed state), the mux claimed to have consumed the buffered data without actually draining them. This means the upper stream would keep trying to send these data in a loop, potentially triggering the watchdog. The FCGI, H2, and SPOP multiplexers were all fixed. In the FCGI mux, an integer overflow was fixed: the unsigned 16-bit integer used for the record length overflowed to 0 when the record length was 65535 and padding was non-zero, causing the state machine to skip consuming buffer data and parse the remaining bytes as a new FCGI record header. This could only happen for unknown records or for STDOUT records received after the end of the response. CVE-2026-55203 was assigned to this overflow. It must be noted however that the assigned severity is excessively high relative to the actual exploitability: triggering this bug requires the FCGI backend server itself to be compromised and to craft a malicious response with exactly those values, which is well outside a normal threat model where the backend is trusted. Additionally, stream ID 0 was not rejected for application records as required by the FCGI specification, potentially causing incorrect demultiplexing. A minor fix corrected the computation of contiguous data in the demux buffer by using a relative offset. The same relative offset fix was applied to the SPOP multiplexer demux buffer, and a possible off-by-one OOB read was fixed in spop_get_varint(). The H1 multiplexer received two fixes. The connection/upgrade header value is now duplicated before being parsed when building outgoing request headers, as the parsing was modifying the value in-place which could corrupt shared data. The 'h1-case-adjust-file' directive was not resolving a relative file path to an absolute path at parse time, causing failures when multiple configuration files were loaded. The H2 multiplexer received two minor fixes: padding was not correctly accounted for in connection-level flow control on certain error paths, and the HEADERS frame length was not validated before reading the stream dependency field. A regression was fixed in the Lua HTTP applet: after migrating it to its own internal buffers, the EOS flag was no longer set when the applet exited. This caused streams with unknown payload size (i.e. with no content-length or transfer-encoding) to block indefinitely waiting for an end-of-stream signal that would never come. An integer underflow was also possible in the Lua cosocket line-read path, causing memory corruption when fewer bytes than expected were received. The HTX data transfer to applets was also reworked: data were not consumed from the channel buffer after being copied to the applet's input buffer, and changes to the input buffer were not committed back after sending HTX data. Receives of size 0 were not properly handled, potentially leaving the channel in an inconsistent state. Lua was also not filtering CR, LF, and NUL characters from HTTP headers, allowing header injection. Multiple bugs were fixed in the cache subsystem. The primary hash was not always being verified in get_secondary_entry(), which could cause incorrect cache hits. A refcount leak was fixed for missed secondary entries where the reference count was incremented on lookup but not decremented when the matching entry was not found. Cache tree iteration was broken due to an incorrect traversal condition. The maxage value was being overwritten instead of copied during parsing of cache-control directives. Cache-control directives in the "token=" form (without value) were not recognized. Two locking bugs were fixed in the dictionary subsystem. The read lock was not held while incrementing the refcount in dict_insert(), creating a race condition where two concurrent inserts could corrupt the refcount of a shared entry. The write lock was not held while decrementing the refcount in dict_entry_unref(), allowing a concurrent lookup to observe an inconsistent state. A further race was fixed on insert collision where the refcount was not properly updated when two threads inserted the same key simultaneously. Two SSL/TLS fixes are included. With kTLS, the TLS ULP was being enabled on the socket before the TCP connection was fully established; the Linux kernel requires TCP_ESTABLISHED state for this to succeed, so the operation is now deferred until the TLS handshake completes. With TLS 1.3 0-RTT, the early data buffer was freed when emptied, but more early data could still arrive; the buffer is now reset rather than freed until all early data has been received. Additionally, the LRU certificate cache lock was not released on error in the SSL certificate generation path. SNI character validation was added to the dynamic certificate generation code to prevent SAN certificate injection through crafted SNI values. The null-terminated servername is now properly used in the SSL hello parser. Various fixes were also made in the JWT and JWS code: a missing return value check for EVP_PKEY_get_bn_param(), an incorrect OpenSSL version check (> instead of >=) for OpenSSL 3.0, and a memory leak in the ECDSA signature conversion error path. The OCSP responder now handles dates that are too far in the future. Three bugs were fixed in the server connection hashing code. The connection hash computed for a server was not stored in the parameter cache, causing possible incorrect cache lookups leading to use the wrong ALPN and mux. The server lock was not properly released on failure in cli_parse_set_server(). Several minor server issues were also addressed: consistent hash balancing for newly added servers was broken; server IDs above 2^31 were incorrectly rejected with a confusing error message; dynamic server initialization order could cause incorrect state at insertion; the init-state keyword was not properly applied during startup; and the wrong source was used for pool_conn_name when copying server settings. Two PCRE2-related bugs were fixed. The JIT match array was allocated too small for expressions with many subpatterns, which could lead to memory corruption when a regex with many capture groups matched. Additionally, the per-thread PCRE2 match array was initialized too late in the boot sequence, after lua-load, meaning that any Lua script using a regex with PCRE2_JIT would crash. The initialization now happens early enough to cover the Lua loading phase. When L7 retries were configured and the maximum retry count was reached on a reused connection, the stream was silently closed on the client side to let it safely retry the request instead of returning a 502 or 425 error. The SF_SRV_REUSED flag is now ignored in this path so that the error is properly reported to the client. The http-client was consuming data from the channel input buffer even when its own internal buffer was not empty, causing data ordering issues. The set-var-fmt action was not properly evaluating empty log-format strings. The final evaluation in the HTTP pause action was not properly handled. The Forwarded header parser did not check whether sufficient data remained when reading the nodeport field. The HTTP authentication token checker was not verifying against the whole token, allowing partial matches. The HTTP client CLI now properly destroys its context if it fails to start. Several health check bugs were fixed. When a server configured with tune.max-checks-per-thread was deleted while its check was still queued, a use-after-free would occur; the fix dequeues the check before freeing the server. External checks were not being excluded from the tcpcheck post-config phase, which could cause a NULL pointer dereference. The SPOP error code used in tcpcheck/SPOE responses was not bounded to valid values. The LDAP health check could read more data than available from the buffer. The agent-check reply parser could read past the buffer end. The error code was not properly reported via errno in chk_report_conn_err(). CPU topology and thread handling received a few fixes. The thread-hard-limit was not being enforced when applying the CPU affinity policy, potentially allowing more threads than permitted. The minimum value of grp_max was not considered when mtpg was configured too small. A new ha_diag_notice() function was introduced to report diagnostic-level notifications, and thread creation count reporting was switched to use it instead of ha_diag_warning(), which was causing false positives with -dW. The stick-table subsystem received a fix for a potential deadlock: table elements could be freed while the table lock was held, which was a problem if the memory allocator needed to acquire other locks. Elements are now freed after releasing the lock. A NULL pointer dereference was fixed in the HPACK table code: when the memory pool was exhausted, hpack_dht_defrag() could return NULL and be immediately dereferenced, crashing the worker process. CVE-2026-55204 was assigned to this issue. Here again the assigned severity is excessively high: the condition only arises when the process is already out of memory, at which point the allocator failure itself is likely to cause other problems before this specific code path is even reached. The probability of hitting this particular NULL dereference in a production environment is extremely thin, and a crash under memory exhaustion, while undesirable, is not a meaningful security primitive an attacker could reliably control or exploit. Several other medium-severity fixes are worth noting. A NULL pointer dereference was fixed in the authentication code when an unconfigured password entry (NULL) was accessed during authentication. In the ACME client, a connection failure could trigger a NULL dereference when attempting to cancel the request. A deadlock was fixed in the leastconn balancing algorithm: the write lock was not released on allocation failure. The maxpipes global parameter was not correctly accounted for in compute_ideal_maxconn(), potentially causing the computed max connection count to be too high. The log-forward module treated the month field as a signed integer, which could cause incorrect log timestamps when the high bit was set. Finally, a few minor issues were also addressed: the error message for ACL identifier lookup failures incorrectly said "map" instead of "ACL"; the niced_task counter was incremented for the wrong counter; the be2hex sample converter chunk size was not bounded; base64dec() returned NULL for empty input instead of an empty string; the client hello parser had incorrect bounds checks for the handshake length; the addons/51d module was not NUL-terminating headers before passing them to the Trie API; the cluster secret was initialized using only ha_random64() which does not provide sufficient entropy; parameter value validation in get_server_ph_post() had an incorrect comparison; hash calculation was wrong when using hash-type none; and log priority parsing did not check for the end of buffer properly. Some documentation improvements were also included: a few more explanations were added about http-reuse and SNI auto, the documentation now clarifies that a "default" resolver exists, and incorrect init tags were removed from the Lua documentation. Thanks to everyone for your help on this release! Please find the usual URLs below : Site index : https://www.haproxy.org/ Documentation : https://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : https://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Q&A from devs : https://github.com/orgs/haproxy/discussions Sources : https://www.haproxy.org/download/3.3/src/ Git repository : https://git.haproxy.org/git/haproxy-3.3.git/ Git Web browsing : https://git.haproxy.org/?p=haproxy-3.3.git Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest Pending bugs : https://www.haproxy.org/l/pending-bugs Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs Code reports : https://www.haproxy.org/l/code-reports Latest builds : https://www.haproxy.org/l/dev-packages --- Complete changelog : Amaury Denoyelle (23): BUG/MINOR: httpclient-cli: fix uninit variable in error label BUG/MINOR: mux_quic: do not exceed stream.max-concurrent on backend side BUG/MINOR: quic: fix ODCID lookup from derived value BUG/MEDIUM: h3: reject client push stream BUG/MINOR: h3: reject server push stream BUG/MINOR: h3: reject client CANCEL_PUSH frame BUG/MINOR: h3: adjust error on PUSH_PROMISE frame reception BUG/MINOR: h3: reject server MAX_PUSH_ID frame BUG/MINOR: h3: add missing break on rcv_buf() BUG/MINOR: quic: reject packet too short for HP decryption BUG/MINOR: mux_quic: open an idle QCS on reset on BE side BUG/MEDIUM: h3: fix MAX_PUSH_ID handling BUG/MEDIUM: mux_quic: prevent risk of infinite loop on recv BUG/MINOR: mux_quic: do not interrupt recv on error/incomplete data BUG/MINOR: quic: fix Initial length value in sent packets BUG/MINOR: server: fix add server with consistent hash balancing BUG/MINOR: quic: fix rxbuf settings on backend side BUG/MEDIUM: mux_quic: fix freeze transfer after QCS rxbuf realign BUG/MINOR: hq-interop: reject too big content BUG/MINOR: hq-interop: prevent reset if missing content-length BUG/MINOR: hq-interop: support full demux buf on large response BUG/MINOR: hq-interop: support response buffer wrapping BUG/MINOR: mux_quic: fix BE conn removal on app shutdown Andrea Cocito (2): BUG/MEDIUM: h3: increment unknown request payload length REGTESTS: quic: test H3 request without content-length Christian Ruppert (1): REGTESTS: Don't try to use real nameservers for testcases Christopher Faulet (38): BUG/MEDIUM: http-client: Only consume input buffer when hc one is empty MINOR: htx: Add htx_move_blks() to move blocks from a message to another BUG/MEDIUM: applet: Fix transfer of HTX data to the applet BUG/MINOR: httpclient-cli: Destroy http-client context if failing to start it BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing BUG/MINOR: h1: Don't mask websocket protocol if multiple protocols used BUG/MINOR: server: Properly handle init-state value during haproxy startup BUG/MEDIUM: applet: Properly handle receives of size 0 BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str() BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records MINOR: http: Add function to remove all occurrences of a value in a header MINOR: h1: Add a H1M flag to specify a non-empty 'Upgrade:' header was parsed BUG/MEDIUM: h1-htx: Sanitize parsing to properly handle upgrade requests BUG/MINOR: mux-fcgi: Use relative offset to compute contig data in demux buf BUG/MINOR: mux-spop: Use relative offset to compute contig data in demux buf BUG/MINOR: tcpcheck: Check LDAP response to not read more data than available Revert "BUG/MEDIUM: dns: fix long loops in additional records parse on name failure" BUG/MINOR: mux-h2: Count padding for connection flow control on error path BUG/MINOR: cache: Fix copy of value when parsing maxage BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making headers BUG/MINOR: applet: Commit changes into input buffer after sending HTX data BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint() BUG/MINOR: http-act: Properly handle final evaluation in pause action BUG/MEDIUM: vars: Properly eval set-var-fmt action for emtpy log-format string BUG/MEDIUM: check: Skip tcpcheck post-config for external checks MINOR: check: Don't dump buffers state in check traces for external checks BUG/MINOR: http-ana: Remove a debugging memset on redirect BUG/MEDIUM: http-ana: Don't ignore L7 retry errors BUG/MINOR: mux-h1: Properly resolve file path for 'h1-case-adjust-file' BUG/MEDIUM: hlua: Properly report EOS when http applet exits BUG/MEDIUM: mux-fcgi: Truly drain outgoing HTX data when the stream is closed BUG/MEDIUM: mux-h2: Truly drain outgoing HTX data when the stream is closed BUG/MEDIUM: mux-spop: Truly drain outgoing data when the stream is closed BUG/MEDIUM: mux-quic: Drain the given amount of data in qcs_http_reset_buf() Frederic Lecaille (14): BUG/MINOR: qpack: Fix index calculation in debug functions BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert() CLEANUP: qpack: fix copy-paste typo in value Huffman debug string BUG/MINOR: qpack: fix sign bit mask in qpack_decode_fs_pfx() CLEANUP: qpack: fix copy-paste typo in value Huffman debug string for WLN BUG/MINOR: qpack: fix huff_dec() error handling in qpack_decode_fs() CLEANUP: qpack: move encoded macros to qpack-t.h to avoid duplication BUG/MEDIUM: quic: handle ECONNREFUSED on RX side BUG/MINOR: quic: fix ack range node pool_free call passing wrong pointer type MEDIUM: quic: optimize HKDF operations by reusing per-thread contexts BUG/MEDIUM: quic: reset cwnd in slow_start on persistent congestion (cubic) BUG/MEDIUM: quic: reset consecutive_losses on exit from recovery period (cubic) BUG/MINOR: quic: update drs->lost before calling on_ack_recv Revert "MEDIUM: quic: optimize HKDF operations by reusing per-thread contexts" Ilia Shipitsin (1): BUILD: 51d.c: cleanup, fix preprocessor ifdefs Karol Kucharski (1): BUG/MEDIUM: ktls: defer enabling TLS ULP on a socket until connected Maxime Henrion (1): BUG/MINOR: cache: fix cache tree iteration Olivier Houchard (11): MEDIUM: stick-tables: Avoid freeing elements while holding a lock BUG/MEDIUM: servers: Store the connection hash with the parameter cache BUG/MEDIUM: servers: Don't forget to set srv_hash when needed BUG/MEDIUM: cpu-topo: Enforce thread-hard-limit on policy BUG/MEDIUM: resolvers: Wait a bit before calling the xprt prepare_srv BUG/MEDIUM: ssl: Make sure the alpn length is small enough BUG/MEDIUM: leastconn: Unlock the write lock on allocation failure BUG/MINOR: tasks: Increase the right niced_task counter BUG/MEDIUM: checks: Dequeue checks on purge BUG/MEDIUM: h3: Properly handle PUSH_PROMISE on backend connections BUG/MEDIUM: ssl: Don't free the early data buffer too early Remi Tricot-Le Breton (2): BUG/MINOR: jws: Add missing return value check (EVP_PKEY_get_bn_param) BUG/MINOR: ocsp: Manage date too far away in the future Thayne McCombs (1): DOC: lua: remove incorrect init tags Tristan Madani (2): BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag() BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp William Lallemand (2): BUG/MEDIUM: auth: fix unconfigured password NULL deref BUG/MINOR: ssl-gencert: validate SNI characters to prevent SAN certificate injection Willy Tarreau (54): BUG/MEDIUM: dict: hold read lock while incrementing refcount in dict_insert BUG/MINOR: backend: correct parameter value validation in get_server_ph_post() BUG/MINOR: config/dns: properly fail on duplicate nameserver name detection BUG/MEDIUM: dns: fix long loops in additional records parse on name failure BUG/MEDIUM: resolvers: fix name compression pointer validation in resolv_read_name() BUG/MEDIUM: dns: fix memory leak of sockaddr in dns_session_init() error path CLEANUP: proxy: fix tiny mistakes in parse error messages BUG/MINOR: servers: use proper source of pool_conn_name in srv_settings_cpy() BUG/MEDIUM: server/cli: unlock server lock on failure in cli_parse_set_server BUG/MINOR: resolvers: fix dangling list pointer in resolvers_new() error paths BUG/MINOR: dns: fix dangling dgram pointer on dns_dgram_init() failure path BUG/MINOR: resolvers: report the expression error in the do-resolve() action parser BUG/MINOR: resolvers: fix leaked dgram and dns_ring struct in parse_resolve_conf() BUG/MINOR: session/trace: use distinct flags for SESS_EV_END and _ERR BUG/MINOR: check: properly report errno in chk_report_conn_err() BUG/MINOR: jwt: fix possible memory leak in convert_ecdsa_sig() error path DOC: config: further clarify that resolvers "default" exists BUG/MEDIUM: limits: properly account for global.maxpipes in compute_ideal_maxconn() BUG/MINOR: jws: fix OpenSSL 3.0 version check from > to >= BUG/MINOR: server: accept server IDs above 2^31 and clarify error message BUG/MINOR: backend: fix balance hash calculation when using hash-type none BUG/MEDIUM: log-forward: make sure the month is unsigned BUG/MEDIUM: regex: allocate a large enough pcre2 match for all matches BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values BUG/MEDIUM: cache: fix a refcount leak for missed secondary entries BUG/MINOR: resolvers: fix room for trailing zero in resolv_dn_label_to_str() BUG/MINOR: resolvers: fix risk of appending garbage past the domain name BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep BUG/MINOR: log: look for the end of priority before the end of the buffer BUG/MINOR: dict: fix refcount race on insert collision BUG/MINOR: init: use more than ha_random64() for the cluster secret BUG/MINOR: sample: limit the be2hex converter's chunk size BUG/MEDIUM: h1: drop headers whose names contain invalid chars BUG/MEDIUM: h1: limit status codes to 3 digits by default BUG/MEDIUM: cache: always verify the primary hash in get_secondary_entry() BUG/MINOR: cache: also recognize directives in the form "token=" BUG/MINOR: resolvers: relax size checks in authority record parsing BUG/MINOR: http-fetch: check against the whole token in get_http_auth() BUG/MEDIUM: acme: protect against risk of null-deref on connection failure BUG/MINOR: http-ext: always check remaining data when reading rfc7239 nodeport BUG/MINOR: base64: return empty string for empty input in base64dec() BUG/MINOR: payload: fix the handshake length bounds check smp_client_hello_parse() BUG/MINOR: ssl-hello: make use of the null-terminated servername BUG/MINOR: resolvers: switch to a better PRNG for query IDs BUG/MINOR: addons/51d: NUL-terminate headers before passing them to Trie API BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers BUG/MINOR: threads: set at least grp_max when mtpg is too small DOC: config: add a few more explanation in http-reusee regarding sni-auto BUG/MEDIUM: regex: initialize the match array earlier during boot CLEANUP: sessions: simplify the sess_priv_conns pool name BUG/MINOR: acl: report "ACL" not "map" in ACL ID lookup failures MINOR: errors: add ha_diag_notice() to report diag-level notifications BUG/MINOR: cpu-topo: use ha_diag_notice() to report thread creations BUG/MINOR: server: adjust initialization order for dynamic servers -- Christopher Faulet

