Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.


    Last release 3.3.10 was issued on 2026-05-11.  There are currently 96 
patches in the queue cut down this way:
    - 36 MEDIUM, first one merged on 2026-05-13
    - 60 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.3.11 would be 2026-06-12, which was 
three weeks ago.

    Last release 3.2.19 was issued on 2026-05-11.  There are currently 83 
patches in the queue cut down this way:
    - 31 MEDIUM, first one merged on 2026-05-11
    - 52 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.2.20 would be 2026-07-10, which is 
in one week or less.

    Last release 3.0.23 was issued on 2026-05-11.  There are currently 67 
patches in the queue cut down this way:
    - 25 MEDIUM, first one merged on 2026-05-21
    - 42 MINOR, first one merged on 2026-05-21

Thus the computed ideal release date for 3.0.24 would be 2026-08-13, which is 
in six weeks or less.

The current list of patches in the queue is:
 - 3.3                       - MEDIUM  : limits: properly account for 
global.maxpipes in compute_ideal_maxconn()
 - 3.0, 3.2, 3.3             - MEDIUM  : quic: handle ECONNREFUSED on RX side
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: Fix test on dn label size 
in resolv_dn_label_to_str()
 - 3.0, 3.2, 3.3             - MEDIUM  : h1-htx: Sanitize parsing to properly 
handle upgrade requests
 - 3.3                       - MEDIUM  : regex: allocate a large enough pcre2 
match for all matches
 - 3.0, 3.2, 3.3             - MEDIUM  : h3: reject client push stream
 - 3.0, 3.2, 3.3             - MEDIUM  : applet: Properly handle receives of 
size 0
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix long loops in additional 
records parse on name failure
 - 3.0, 3.2, 3.3             - MEDIUM  : log-forward: make sure the month is 
unsigned
 - 3.0, 3.2, 3.3             - MEDIUM  : dict: hold lock while decrementing 
refcount in dict_entry_unref
 - 3.0, 3.2, 3.3             - MEDIUM  : cache: fix a refcount leak for missed 
secondary entries
 - 3.2, 3.3                  - MEDIUM  : cpu-topo: Enforce thread-hard-limit on 
policy
 - 3.3                       - MEDIUM  : servers: Don't forget to set srv_hash 
when needed
 - 3.0, 3.2, 3.3             - MEDIUM  : applet: Fix transfer of HTX data to 
the applet
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix memory leak of sockaddr in 
dns_session_init() error path
 - 3.3                       - MEDIUM  : h3: fix MAX_PUSH_ID handling
 - 3.3                       - MEDIUM  : http-client: Only consume input buffer 
when hc one is empty
 - 3.0, 3.2, 3.3             - MEDIUM  : cache: always verify the primary hash 
in get_secondary_entry()
 - 3.2, 3.3                  - MEDIUM  : acme: protect against risk of 
null-deref on connection failure
 - 3.0, 3.2, 3.3             - MEDIUM  : hlua: Fix integer underflow when 
receiving line from lua cosocket
 - 3.2, 3.3                  - MEDIUM  : quic: reset consecutive_losses on exit 
from recovery period (cubic)
 - 3.0, 3.2, 3.3             - MEDIUM  : mux-h1: Dup connection/upgrade value 
to parse it when making headers
 - 3.2, 3.3                  - MEDIUM  : h1: drop headers whose names contain 
invalid chars
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: Wait a bit before calling 
the xprt prepare_srv
 - 3.0, 3.2, 3.3             - MEDIUM  : mux-fcgi: reject stream ID 0 for 
application records
 - 3.0, 3.2                  - MEDIUM  : mux_quic: adjust qcc_is_dead() to 
account detached streams
 - 3.0, 3.2, 3.3             - MEDIUM  : resolvers: fix name compression 
pointer validation in resolv_read_name()
 - 3.0, 3.2, 3.3             - MEDIUM  : dict: hold read lock while 
incrementing refcount in dict_insert
 - 3.0, 3.2, 3.3             - MEDIUM  : ssl-gencert: Unlock LRU cache if 
failing to generate certificate
 - 3.2, 3.3                  - MEDIUM  : tcpcheck/spoe: bound the SPOP error 
code to valid values
 - 3.0, 3.2, 3.3             - MEDIUM  : server/cli: unlock server lock on 
failure in cli_parse_set_server
 - 3.0, 3.2, 3.3             - MEDIUM  : auth: fix unconfigured password NULL 
deref
 - 3.2, 3.3                  - MEDIUM  : h1: limit status codes to 3 digits by 
default
 - 3.3                       - MEDIUM  : servers: Store the connection hash 
with the parameter cache
 - 3.0, 3.2, 3.3             - MEDIUM  : dns: fix long loops in additional 
records parse on name failure"
 - 3.0, 3.2, 3.3             - MEDIUM  : h1: Skip all h2c values from Upgrade 
headers during parsing
 - 3.0, 3.2, 3.3             - MEDIUM  : quic: reset cwnd in slow_start on 
persistent congestion (cubic)
 - 3.2, 3.3                  - MINOR   : session/trace: use distinct flags for 
SESS_EV_END and _ERR
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix room for trailing zero 
in resolv_dn_label_to_str()
 - 3.2, 3.3                  - MINOR   : jws: Add missing return value check 
(EVP_PKEY_get_bn_param)
 - 3.0, 3.2, 3.3             - MINOR   : http-fetch: check against the whole 
token in get_http_auth()
 - 3.3                       - MINOR   : h3: reject server push stream
 - 3.0, 3.2, 3.3             - MINOR   : log: look for the end of priority 
before the end of the buffer
 - 3.0, 3.2, 3.3             - MINOR   : httpclient-cli: Destroy http-client 
context if failing to start it
 - 3.3                       - MINOR   : httpclient-cli: fix uninit variable in 
error label
 - 3.2, 3.3                  - MINOR   : server: Properly handle init-state 
value during haproxy startup
 - 3.0, 3.2, 3.3             - MINOR   : mux-h2: Count padding for connection 
flow control on error path
 - 3.3                       - MINOR   : h3: reject server MAX_PUSH_ID frame
 - 3.3                       - MINOR   : server: accept server IDs above 2^31 
and clarify error message
 - 3.0, 3.2, 3.3             - MINOR   : sample: limit the be2hex converter's 
chunk size
 - 3.0, 3.2, 3.3             - MINOR   : mux-h2: validate HEADERS frame length 
before reading stream dep
 - 3.3                       - MINOR   : mux_quic: do not exceed 
stream.max-concurrent on backend side
 - 3.0, 3.2, 3.3             - MINOR   : check: properly report errno in 
chk_report_conn_err()
 - 3.0, 3.2, 3.3             - MINOR   : init: use more than ha_random64() for 
the cluster secret
 - 3.0, 3.2, 3.3             - MINOR   : cache: fix cache tree iteration
 - 3.0, 3.2, 3.3             - MINOR   : cache: Fix copy of value when parsing 
maxage
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix potential null-pointer 
dereference in qpack_dht_insert()
 - 3.0, 3.2, 3.3             - MINOR   : mux-fcgi: Use relative offset to 
compute contig data in demux buf
 - 3.0, 3.2, 3.3             - MINOR   : http-ext: always check remaining data 
when reading rfc7239 nodeport
 - 3.0, 3.2, 3.3             - MINOR   : quic: fix ack range node pool_free 
call passing wrong pointer type
 - 3.2, 3.3                  - MINOR   : jws: fix OpenSSL 3.0 version check 
from > to >=
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: switch to a better PRNG for 
query IDs
 - 3.2, 3.3                  - MINOR   : servers: use proper source of 
pool_conn_name in srv_settings_cpy()
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix sign bit mask in 
qpack_decode_fs_pfx()
 - 3.0, 3.2, 3.3             - MINOR   : dns: fix dangling dgram pointer on 
dns_dgram_init() failure path
 - 3.0, 3.2, 3.3             - MINOR   : tcpcheck: Check LDAP response to not 
read more data than available
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: relax size checks in 
authority record parsing
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: report the expression error 
in the do-resolve() action parser
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix leaked dgram and 
dns_ring struct in parse_resolve_conf()
 - 3.0, 3.2, 3.3             - MINOR   : ocsp: Manage date too far away in the 
future
 - 3.0, 3.2, 3.3             - MINOR   : ssl-hello: make use of the 
null-terminated servername
 - 3.3                       - MINOR   : h3: add missing break on rcv_buf()
 - 3.0, 3.2, 3.3             - MINOR   : payload: fix the handshake length 
bounds check smp_client_hello_parse()
 - 3.2, 3.3                  - MINOR   : mux-spop: Use relative offset to 
compute contig data in demux buf
 - 3.0, 3.2, 3.3             - MINOR   : h3: reject client CANCEL_PUSH frame
 - 3.0, 3.2, 3.3             - MINOR   : backend: fix balance hash calculation 
when using hash-type none
 - 3.0, 3.2, 3.3             - MINOR   : tcpchecks: Limit parsing of 
agent-check reply to the buffer
 - 3.0, 3.2, 3.3             - MINOR   : resolvers: fix risk of appending 
garbage past the domain name
 - 3.0, 3.2, 3.3             - MINOR   : jwt: fix possible memory leak in 
convert_ecdsa_sig() error path
 - 3.2, 3.3                  - MINOR   : cache: also recognize directives in 
the form "token="
 - 3.0, 3.2, 3.3             - MINOR   : quic: fix ODCID lookup from derived 
value
 - 3.0, 3.2, 3.3             - MINOR   : addons/51d: NUL-terminate headers 
before passing them to Trie API
 - 3.0, 3.2, 3.3             - MINOR   : qpack: Fix index calculation in debug 
functions
 - 3.2, 3.3                  - MINOR   : quic: update drs->lost before calling 
on_ack_recv
 - 3.0, 3.2, 3.3             - MINOR   : ssl-gencert: validate SNI characters 
to prevent SAN certificate injection
 - 3.0, 3.2, 3.3             - MINOR   : qpack: fix huff_dec() error handling 
in qpack_decode_fs()
 - 3.2, 3.3                  - MINOR   : resolvers: fix dangling list pointer 
in resolvers_new() error paths
 - 3.0, 3.2, 3.3             - MINOR   : h1: Don't mask websocket protocol if 
multiple protocols used
 - 3.0, 3.2, 3.3             - MINOR   : backend: correct parameter value 
validation in get_server_ph_post()
 - 3.3                       - MINOR   : mux_quic: open an idle QCS on reset on 
BE side
 - 3.0, 3.2, 3.3             - MINOR   : base64: return empty string for empty 
input in base64dec()
 - 3.3                       - MINOR   : h3: adjust error on PUSH_PROMISE frame 
reception
 - 3.2, 3.3                  - MINOR   : threads: set at least grp_max when 
mtpg is too small
 - 3.0, 3.2, 3.3             - MINOR   : hlua: prevent Lua from passing 
CR/LF/NUL in HTTP headers
 - 3.0, 3.2, 3.3             - MINOR   : quic: reject packet too short for HP 
decryption
 - 3.0, 3.2, 3.3             - MINOR   : config/dns: properly fail on duplicate 
nameserver name detection
 - 3.0, 3.2, 3.3             - MINOR   : dict: fix refcount race on insert 
collision

-- 
The haproxy stable-bot is freely provided by HAProxy Technologies to help 
improve the quality of each HAProxy release.  If you have any issue with these 
emails or if you want to suggest some improvements, please post them on the 
list so that the solutions suiting the most users can be found.


Reply via email to