[ANNOUNCE] haproxy-1.7.6

2017-06-16 Thread William Lallemand
Hi,

HAProxy 1.7.6 was released on 2017/06/16. It added 37 new commits
after version 1.7.5.

As you may know, I'm now part of the stable release team of HAProxy along
with Willy and Cyril.

This is my first stable release which fixes a few major bugs:

- Olivier fixed a hang reported on FreeBSD. HAProxy was relying on an undefined
behavior in C to compute the timer which led to various hangs every 49.7 days.
We now use the -fwrapv flag at compilation time to force the behavior of the
compiler. Binaries compiled with clang are more suited to be impacted by this
bug.

- Fred fixed a hang which is related to the DNS polling system. The fd of the
resolver was not unregistered but closed which led to a hang of any new
connection using the same fd number.

- Willy fixed a runtime segfault caused by cookies and tarpit rules.

- Fred fixed a segfault occurring upon reload when parsing a server state file
in the case one of the servers was deleted from the configuration file.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
   Changelog        : http://www.haproxy.org/download/1.7/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/


---
Complete changelog :
Adam Spiers (1):
  DOC: stick-table is available in frontend sections

Andrew Rodland (1):
  BUG/MINOR: hash-balance-factor isn't effective in certain circumstances

Christopher Faulet (4):
  BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request
  BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
  BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
  BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING

Frédéric Lécaille (5):
  BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
  BUG/MINOR: server: missing default server 'resolvers' setting duplication.
  BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).
  BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
  BUG/MAJOR: server: Segfault after parsing server state file.

Glenn Strauss (2):
  DOC: update sample code for PROXY protocol
  DOC: mention lighttpd 1.4.46 implements PROXY

Jarno Huuskonen (4):
  DOC: changed "block"(deprecated) examples to http-request deny
  DOC: add few comments to examples.
  DOC: add layer 4 links/cross reference to "block" keyword.
  DOC: errloc/errorloc302/errorloc303 missing status codes.

Jim Freeman (1):
  CLEANUP: logs: typo: simgle => single

Lukas Tribus (1):
  DOC: update RFC references

Nan Liu (1):
  BUG/MINOR: Makefile: fix compile error with USE_LUA=1 in ubuntu16.04

Olivier Houchard (2):
  BUG/MAJOR: Use -fwrapv.
  BUG/MINOR: server: don't use "proxy" when px is really meant.

Thierry FOURNIER (3):
  BUG/MEDIUM: lua: memory leak
  MINOR/DOC: lua: just precise one thing
  BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything

Willy Tarreau (12):
  BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
  BUG/MINOR: arg: don't try to add an argument on failed memory allocation
  BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
  BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
  MINOR: lua: ensure the memory allocator is used all the time
  BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
  MEDIUM: config: don't check config validity when there are fatal errors
  BUG/MINOR: checks: don't send proxy protocol with agent checks
  BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
  BUG/MEDIUM: unix: never unlink a unix socket from the file system
  scripts: create-release pass -n to tail
  SCRIPTS: create-release: enforce GIT_COMMITTER_{NAME|EMAIL} validity

-- 
William Lallemand



Re: [ANNOUNCE] haproxy-1.7.6

2017-06-16 Thread Kevin McArthur
Any chance of getting the SNI pass-through to verifyhost supported into 
the next release? Bit of a security issue..


--

Kevin


Re: [ANNOUNCE] haproxy-1.7.6

2017-06-16 Thread Willy Tarreau
On Fri, Jun 16, 2017 at 07:49:16AM -0700, Kevin McArthur wrote:
> Any chance of getting the SNI pass-through to verifyhost supported into the
> next release? Bit of a security issue..

Unfortunately it cannot be backported since it doesn't exist at all in
mainline. Someone has to figure out how to do it and to implement it
first before it has a chance to exist in a maintenance branch.

For the short term, I guess the easiest we could do would possibly be to
at least emit a warning when SNI is configured on a server with verifyhost,
indicating that it can represent a risk since the cert's names are not
checked against the ones in the SNI. Then we can remove the warning when
the check is implemented.

Just my 2 cents,
Willy
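The configuration check Willy sketches above, written as an added example that is not HAProxy's own code: it scans an haproxy.cfg for `server` lines that set both `sni` and `verifyhost`, the combination in which the name sent in SNI is not checked against the certificate. The sample configuration is constructed, and the parser assumes every server keyword outside a small set of flags takes exactly one argument, which holds for the keywords used here.

```python
import re

# Constructed sample haproxy.cfg (not from the thread): api1 sets both
# 'sni' and 'verifyhost', api2 and api3 set only one of them.
SAMPLE_CFG = """
global
    log stdout format raw local0

backend be_api
    server api1 10.0.0.1:443 ssl verify required ca-file /etc/ssl/ca.pem sni req.hdr(host) verifyhost api.example.com
    server api2 10.0.0.2:443 ssl verify required ca-file /etc/ssl/ca.pem verifyhost api.example.com
    server api3 10.0.0.3:443 ssl verify required ca-file /etc/ssl/ca.pem sni str(api.example.com)  # no verifyhost
"""

SERVER_RE = re.compile(r"^\s+server\s+(\S+)\s+(\S+)\s*(.*)$")
# Server keywords that take no argument; every other keyword is assumed
# (a simplification for this example) to take exactly one argument.
FLAG_KEYWORDS = {"ssl", "check", "backup", "disabled", "no-sslv3", "force-tlsv12"}

def parse_server_line(line):
    """Return (name, {keyword: value}) for an indented 'server' line, else None."""
    m = SERVER_RE.match(line)
    if not m:
        return None
    name, _addr, rest = m.groups()
    tokens = rest.split()
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key in FLAG_KEYWORDS or i + 1 >= len(tokens):
            opts[key], i = True, i + 1
        else:
            opts[key], i = tokens[i + 1], i + 2
    return name, opts

def find_sni_without_hostcheck(cfg_text):
    """List (section, server, sni, verifyhost) for servers combining 'sni' and 'verifyhost'."""
    findings, section = [], None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line:
            continue
        if not line[0].isspace():
            section = line.split()[-1]  # 'backend be_api' -> 'be_api', 'global' -> 'global'
            continue
        parsed = parse_server_line(line)
        if parsed and "sni" in parsed[1] and "verifyhost" in parsed[1]:
            findings.append((section, parsed[0], parsed[1]["sni"], parsed[1]["verifyhost"]))
    return findings

if __name__ == "__main__":
    for section, name, sni, host in find_sni_without_hostcheck(SAMPLE_CFG):
        print(f"warning: {section}/{name}: sni '{sni}' is not checked against verifyhost '{host}'")
```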