Hi,

HAProxy 2.4.14 was released on 2022/02/25. It added 26 new commits after version 2.4.13.

The main issues fixed in this version are:

- A major issue in the H2 multiplexer. An error during the response processing, after the HEADERS frame parsing, led to a wakeup loop consuming all the CPU because the error was not properly reported to the upper layer. For instance, this happened if an invalid header value, an invalid status code or a forbidden header was found in the response. Note that only HAProxy >= 2.4 is affected by this issue.

- A FD leak on reload failures. When the master process is reloaded on a new config, it will try to connect to the previous process' socket to retrieve all known listening FDs to be reused by the new listeners. If listeners were removed, their unused FDs are simply closed. However there's a catch. In case a socket fails to bind, the master will cancel its startup and switch to wait mode for a new operation to happen. In this case it didn't close the possibly remaining FDs that were left unused.

- A FD leak of a sockpair upon a failed reload. When starting HAProxy in master-worker mode, the master pre-allocates a struct mworker_proc and does a socketpair() before the configuration parsing. If the configuration loading failed, the FD was never closed because it is not part of a listener, and is not even in the fdtab.

- Some issues with buffer allocation errors. First, in the H1 multiplexer: if we failed to send data because we failed to allocate the H1 output buffer, the H1 stream was erroneously woken up. This led to a wakeup loop to send more data while it is not possible because there is no output buffer. Then, in process_stream(), if we failed to allocate the channel response buffer while a connect or an analysis timeout occurred, the stream was woken up in a loop because its task was requeued with an expired date. Now an error is reported when this happens and the stream processing is interrupted.

  Note there is a mechanism to deal with errors on buffer allocation. Unfortunately, since 1.7, this mechanism is broken. And it is even worse now with the multiplexers. All this part must be refactored. But for now, HAProxy may be partially frozen if too many entities are waiting for a buffer.

- Some alignment problems that were found when using gcc-11 + RHEL8, resulting in instant crashes on startup.

- An issue with multi-line ESMTP responses in the mailer code.

- An issue in the resolvers code with domain names with a trailing dot. The trailing dot was not ignored as expected and a junk character was added at the end of the encoded part of the domain name.

The rest is the usual bunch of fixes and improvements.

As usual, people using the 2.4 branch are encouraged to migrate to this version.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :
Christopher Faulet (6):
      BUG/MINOR: sink: Use the right field in appctx context in release callback
      BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
      BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
      BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
      BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
      BUG/MEDIUM: stream: Abort processing if response buffer allocation fails

Ilya Shipitsin (4):
      BUILD: adopt script/build-ssl.sh for OpenSSL-3.0.0beta2
      CI: github actions: add OpenSSL-3.0.0 builds
      CI: github actions: relax OpenSSL-3.0.0 version comparision
      CI: github actions: update OpenSSL to 3.0.1

Lukas Tribus (1):
      BUG/MINOR: mailers: negotiate SMTP, not ESMTP

William Lallemand (5):
      BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
      BUILD: fix compilation for OpenSSL-3.0.0-alpha17
      CI: github actions: -Wno-deprecated-declarations with OpenSSL 3.0.0
      CI: github: switch to OpenSSL 3.0.0
      BUG/MINOR: tools: url2sa reads ipv4 too far

Willy Tarreau (10):
      MINOR: sock: move the unused socket cleaning code into its own function
      BUG/MEDIUM: mworker: close unused transferred FDs on load failure
      BUG/MEDIUM: fd: always align fdtab[] to 64 bytes
      BUG/MAJOR: compiler: relax alignment constraints on certain structures
      CI: ssl: enable parallel builds for OpenSSL on Linux
      CI: ssl: do not needlessly build the OpenSSL docs
      CI: ssl: keep the old method for ancient OpenSSL versions
      BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
      REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
      CI: github: enable pool debugging by default

-- 
Christopher Faulet
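
The resolvers item above concerns a trailing dot that was supposed to be ignored when a domain name is encoded. As an added illustration (not HAProxy's code and not part of the original announcement), here is a standalone encoder to DNS wire format that drops one trailing dot and rejects empty labels; the function name dns_encode_name and its limits are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* maximum bytes in one label */
#define DNS_MAX_NAME  255  /* maximum bytes in an encoded name */

/* Hypothetical helper: encode a dotted host name into DNS wire format
 * (length-prefixed labels terminated by a zero byte). One trailing dot is
 * treated as the root marker and dropped before encoding, so it never
 * produces an extra byte in the output. Returns the number of bytes
 * written to out, or -1 on invalid input or insufficient space.
 */
int dns_encode_name(const char *name, unsigned char *out, size_t outsz)
{
    size_t len = strlen(name);
    size_t pos = 0;      /* write offset in out */
    size_t start = 0;    /* start of the current label in name */

    /* "example.com." and "example.com" name the same domain */
    if (len > 0 && name[len - 1] == '.')
        len--;
    if (len == 0)
        return -1;       /* empty name or bare "." is not handled here */

    for (size_t i = 0; i <= len; i++) {
        if (i < len && name[i] != '.')
            continue;    /* still inside a label */

        size_t llen = i - start;
        if (llen == 0 || llen > DNS_MAX_LABEL)
            return -1;   /* empty label ("a..b") or oversized label */

        /* label length byte + label + room for the final zero byte */
        size_t need = pos + 1 + llen + 1;
        if (need > outsz || need > DNS_MAX_NAME)
            return -1;

        out[pos++] = (unsigned char)llen;
        memcpy(out + pos, name + start, llen);
        pos += llen;
        start = i + 1;
    }
    out[pos++] = 0;      /* root label terminates the name */
    return (int)pos;
}
```

Both "example.com." and "example.com" encode to the same 13 bytes, while a doubled trailing dot is rejected rather than silently encoded.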