Hi, HAProxy 2.9.1 was released on 2023/12/15. It added 20 new commits after version 2.9.0.
This release addresses several issues discovered since the last version and introduces some new features.

Firstly, there have been improvements to the SSL handling of the software. A double free bug in ssl_sock_free_cert_key_and_chain_contents has been fixed, which could lead to memory corruption and potential crashes when updating certificates. Another issue related to SSL certificates has been addressed, specifically with the OpenSSL QUIC compatibility module. A possible buffer overflow was discovered during the building of TLS records, which could lead to unexpected behavior or crashes. This bug only affected users who had enabled this specific feature and has now been resolved.

Secondly, a new feature has been added to the ssl/cli subsystem. The 'warning' and 'alert' messages from ha_warning() and ha_alert() are now prefixed in the CLI when using the "commit ssl cert" command. This will make it easier for users to identify these important messages among other output. In addition, the "set severity-output" command was fixed to also be supported on the master CLI socket. Additionally, a regression in map/acl handling has been corrected. The pat_ref_{set,delete}_by_id functions were not properly unlinking and freeing removed references, leading to unexpected behavior when manipulating maps or access control lists. A mistake in the code that prevented the default configuration of "external-check" without an argument was corrected.

Thirdly, there have been improvements to the mux handling of the software. A bug where data from input buffers could be counted twice during zero-copy forwarding has been fixed, and a regression related to Content-Length headers in bodyless requests was resolved. These changes should improve performance and correctness for users working with the HTTP/2 or QUIC protocols. In addition, zero-copy forwarding is now blocked when an error is reported by the consumer side. This was especially an issue for QUIC.
This revealed another bug in QUIC when a STOP_SENDING frame is received early, before the stream-connector is created. In this case, the stream layer was never notified about the underlying error, and the response could be sent while zero-copy forwarding was in use, leading to a crash because of a BUG_ON() statement. This was fixed by creating the stream-connector in an error state. Then, the parsing of trailers in H2 was fixed to not erroneously detect a too large HEADERS frame when data from other streams completely fill the demux buffer. This is not a 2.9 regression: all stable versions are affected. An issue with OCSP after an SSL certificate update was fixed: the OCSP CID was not refreshed. Both the CLI and Lua were affected.

Lastly, there have been various cleanups and documentation updates throughout the codebase. These changes do not directly impact users but help maintain the quality of the software.

If you are running 2.9.0, you should update, because the fixed bugs, especially those regarding zero-copy forwarding, may impact everyone.

Thanks everyone for your help and your contributions!
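As an added example that is not part of this announcement or of the HAProxy project, the following POSIX shell snippet turns the "if you are running 2.9.0, you should update" advice into a check that can be run across a fleet. It assumes the first line of `haproxy -v` has the form "HAProxy version 2.9.0-<hash> <date> - <url>"; the banner lines used below are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example: flag HAProxy 2.9 installs older than 2.9.1 that should be updated.
# Assumption: the banner line looks like "HAProxy version 2.9.0-<hash> <date> - <url>".

# Extract the bare "major.minor.patch" version from a `haproxy -v` banner line.
# Prints nothing when the line does not match (e.g. a "-dev" build or garbage).
haproxy_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^HAProxy version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "yes" when the version is on the 2.9 branch and older than 2.9.1,
# "no" for any other parsable version, and "unknown" when parsing failed.
needs_2_9_1_update() {
    ver=$(haproxy_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 9 ] && [ "$patch" -lt 1 ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample banners standing in for `haproxy -v | head -n 1` on several hosts.
SAMPLE_BANNERS='HAProxy version 2.9.0-abcdef0 2023/12/05 - https://haproxy.org/
HAProxy version 2.9.1-1234567 2023/12/15 - https://haproxy.org/
HAProxy version 2.8.5-0000000 2023/12/07 - https://haproxy.org/
not a haproxy banner'

printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r line; do
    printf '%-8s %s\n' "$(needs_2_9_1_update "$line")" "$line"
done
```

On a real host, replace the sample loop with `needs_2_9_1_update "$(haproxy -v | head -n 1)"`; an "unknown" result means the banner format differed and the version should be checked by hand rather than assumed safe.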
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Amaury Denoyelle (1):
      BUG/MEDIUM: mux-quic: report early error on stream

Aurelien DARRAGON (2):
      BUG/MEDIUM: map/acl: pat_ref_{set,delete}_by_id regressions
      BUG/MINOR: ext-check: cannot use without preserve-env

Christopher Faulet (6):
      MINOR: version: mention that it's stable now
      BUG/MEDIUM: stconn: Block zero-copy forwarding if EOS/ERROR on consumer side
      BUG/MEDIUM: mux-h1: Cound data from input buf during zero-copy forwarding
      BUG/MEDIUM: mux-h1: Explicitly skip request's C-L header if not set originally
      CLEANUP: mux-h1: Fix a trace message about C-L header addition
      BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty

Frédéric Lécaille (6):
      BUG/MINOR: ssl: Double free of OCSP Certificate ID
      MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
      BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate
      BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
      BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
      BUG/MEDIUM: quic: QUIC CID removed from tree without locking

William Lallemand (3):
      DOC: configuration: typo req.ssl_hello_type
      BUG/MINOR: mworker/cli: fix set severity-output support
      BUILD: ssl: update types in wolfssl cert selection callback

Willy Tarreau (2):
      DOC: config: add arguments to sample fetch methods in the table
      DOC: config: also add arguments to the converters in the table

--
Christopher Faulet