Hi,

HAProxy 2.4.36 was released on 2026/07/02. It added 23 new commits
after version 2.4.35.

HAProxy 2.4 has reached its end of life and this is expected to be its last
release. There will be no further bug or security fixes for this branch. If
you're still running 2.4 in production, please plan your upgrade now. Some
pending fixes were backported to this released:

  * In the FCGI multiplexer, an integer overflow was fixed: the unsigned
    16-bit integer used for the record length overflowed to 0 when the
    record length was 65535 and padding was non-zero, causing the state
    machine to skip consuming buffer data and parse the remaining bytes as a
    new FCGI record header. This could only happen for unknown records or
    for STDOUT records received after the end of the response.
    CVE-2026-55203 was assigned to this overflow. It must be noted however
    that the assigned severity is excessively high relative to the actual
    exploitability: triggering this bug requires the FCGI backend server
    itself to be compromised and to craft a malicious response with exactly
    those values, which is well outside a normal threat model where the
    backend is trusted. Additionally, stream ID 0 was not rejected for
    application records as required by the FCGI specification, potentially
    causing incorrect demultiplexing. When trying to forward data to a
    server whose stream was already closed, the FCGI mux claimed to have
    consumed buffered data without actually draining them, causing the upper
    layer to loop endlessly trying to send. A minor fix also corrected the
    computation of contiguous data in the demux buffer.

  * The HTTP/1 parser received a fix to filter out all "h2c" values from
    Upgrade headers during parsing, preventing protocol confusion when a
    client sends unsupported upgrade requests. The WebSocket protocol token
    is no longer masked when multiple protocols appear in the Upgrade
    header.

  * In the H1 mux, the connection/upgrade header value is now duplicated
    before being parsed when building outgoing request headers, as the
    parsing modified the value in-place and could corrupt shared data.

  * A NULL pointer dereference was fixed in the authentication code when an
    unconfigured password entry (NULL) was accessed during authentication,
    which could crash the process when a user with no password was
    configured. The log-forward module treated the month field as a signed
    integer, which could cause incorrect log timestamps when the high bit
    was set.

  * Two bugs were fixed in the cache subsystem. The primary hash was not
    always verified in get_secondary_entry(), which could lead to incorrect
    cache hits returning the wrong cached response. The maxage value was
    being overwritten instead of properly copied during parsing of
    cache-control directives.

  * Two locking bugs were fixed in the dictionary subsystem, which is used
    internally for string deduplication. The read lock was not held while
    incrementing the refcount in dict_insert(), creating a race condition
    where two concurrent inserts could corrupt the refcount of a shared
    entry. The write lock was not held while decrementing the refcount in
    dict_entry_unref(), allowing a concurrent lookup to observe an
    inconsistent state and potentially access freed memory. A further race
    on insert collision was fixed where the refcount was not properly
    updated when two threads inserted the same key simultaneously.

  * Two bugs were fixed in the Lua integration. An integer underflow was
    possible in the Lua cosocket line-read path, causing memory corruption
    when fewer bytes than expected were received. Lua was also not filtering
    CR, LF, and NUL characters from HTTP headers set by scripts, which could
    allow header injection attacks.

  * In the DNS resolver code. A validation bug was fixed in
    resolv_read_name() where a name compression pointer was not validated
    against the response bounds, potentially causing out-of-bounds memory
    reads when processing crafted DNS responses.

  * In health-check part, when a server inherited ALPN settings from a
    default server, the health check was using a reference to the default
    server's ALPN string rather than a proper copy, which could lead to
    incorrect ALPN negotiation or unexpected behavior if the default server
    configuration was modified.

  * A NULL pointer dereference was fixed in the HPACK table code: when the
    memory pool was exhausted, hpack_dht_defrag() could return NULL and be
    immediately dereferenced, crashing the worker process. CVE-2026-55204
    was assigned to this issue. Here again the assigned severity is
    excessively high: the condition only arises when the process is already
    out of memory, at which point the allocator failure itself is likely to
    cause other problems before this specific code path is even reached. The
    probability of hitting this particular NULL dereference in a production
    environment is extremely thin.

  * Finally, a few other minor issues were addressed: parameter value
    validation in get_server_ph_post() had an incorrect comparison; minor
    error-path fixes addressed a dangling pointer on dns_dgram_init()
    failure; and the client hello parser had incorrect bounds checks for the
    handshake length.

Thanks to everyone for your help on this release!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : 
https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages


---
Complete changelog :
Christopher Faulet (11):
      BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing
      BUG/MINOR: h1: Don't mask websocket protocol if multiple protocols used
      BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default 
server
      BUG/MEDIUM: dict: hold lock while decrementing refcount in 
dict_entry_unref
      BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua 
cosocket
      BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records
      BUG/MINOR: mux-fcgi: Use relative offset to compute contig data in demux 
buf
      Revert "BUG/MEDIUM: dns: fix long loops in additional records parse on name 
failure"
      BUG/MINOR: cache: Fix copy of value when parsing maxage
      BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making 
headers
      MINOR: version: set the EOL for the 2.4 branch

Tristan Madani (2):
      BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag()
      BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp

William Lallemand (1):
      BUG/MEDIUM: auth: fix unconfigured password NULL deref

Willy Tarreau (9):
      BUG/MEDIUM: dict: hold read lock while incrementing refcount in 
dict_insert
      BUG/MINOR: backend: correct parameter value validation in 
get_server_ph_post()
      BUG/MEDIUM: dns: fix long loops in additional records parse on name 
failure
      BUG/MEDIUM: resolvers: fix name compression pointer validation in 
resolv_read_name()
      BUG/MINOR: dns: fix dangling dgram pointer on dns_dgram_init() failure 
path
      BUG/MINOR: dict: fix refcount race on insert collision
      BUG/MEDIUM: cache: always verify the primary hash in get_secondary_entry()
      BUG/MINOR: payload: fix the handshake length bounds check 
smp_client_hello_parse()
      BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers

--
Christopher Faulet



Reply via email to