Hi,

HAProxy 2.8.8 was released on 2024/04/05. It added 76 new commits after version 2.8.7.

This maintenance version addresses a few issues discovered after previous release:

- applets: incompletely initialized client applets (due to setup error for example) could cause a crash due to calling the regular release code that's not meant to be used on such entities. Better deal with stricter low-level freeing code instead.

- "option redispatch 0" is documented as disabling redispatch on server connection failure except that it caused it to redispatch at every retry. This was fixed. Note that "no option redispatch" would properly work though.

- cli: since 2.6 due to a fix on the parser when dealing with semi-colons, line feeds became more or less accepted as a delimiter for pipelined commands, while not documented. By "more or less" I mean that all those arriving in the same packet and same buffer were handled, but that any timing hiccup in the middle of the command would stop the evaluation. In practise very short commands will usually work and long ones almost never. This had to be fixed in 3.0 but in order not to break possibly existing scripts relying on this, when this is detected in 2.9 and older, a warning will be emitted once per process so as to help detect any such unreliable script and fix it in time.

- lua: preparing a socket without ever connecting it would lead to that socket not being garbage-collected when the task leaves, possibly waking it up in a partially initialized state resulting in a leak or a crash. Now the GC takes care of releasing uninitialized applets in this case. This was part of GitHub issue #2451.

  Another issue related to Lua sockets is if the Lua script does not consume data that arrives on a socket because it's busy doing something else, this could waste CPU cycles in endless wakeups until the data is consumed.

  A subtle locking issue was addressed around exception handling, where the exception code is called with locks released so that code should not try to access stack information. And similarly some code locations were called without the lock when resuming using hlua_ctx_resume(), possibly accessing the stack without any protection. These locking issues could cause crashes as shown in GitHub issue #2467.

  A previous attempt at addressing mixed usage of "lua-load" and "lua-load-per-thread" from the same stream overlooked the case of Lua filters which were still not covered. A different approach was taken this time and this fix was revisited. A few other cases of possible crashes in Lua filters were addressed.

- dynamic servers: despite the various checks in srv_check_for_deletion(), there remained cases where "del server" could delete a server still referenced in streams (e.g. private connections) thus causing a crash when that stream is released.

  If the stats applet was aborted while interrupted on a dynamic server, that server's refcount wasn't decremented and the server could no longer be removed.

  The use of the "enabled" keyword when adding a server is currently forbidden but was silently ignored. A warning is added so that users do not engage into that direction when writing new scripts.

  Dynamic cookies were supported but not properly initialized, requiring a few extra hacks on the CLI, so these were fixed now to work as expected. In addition, support for cookies was also unlocked after validation that nothing prevents it from working.

- server: the "interface" keyword was ignored from "default-server" directives since "source" was taken from there.

- fcgi: empty chunked messages on the request path were not properly handled, the stdin record was missing while an empty one ought to have been sent. This may happen when sending POST requests with no payload.

- quic: Transient send errors in listener socket mode could theoretically result in a crash (though this was only produced under fault injection). Some harmless but latent issues were also fixed (e.g. proxy protocol configuration, connection possibly being closed before streams, some invalid QPACK instructions being silently ignored, rejection of some server-only frames received by the server, or unknown frame types). If multiple bind addresses are set on a listener with no IP_PKTINFO support on the operating system, a warning will be emitted because this setup cannot reliably work (e.g. if reaching the machine via multiple addresses).

- ocsp-update: the ocsp-update mechanism logs weren't reliable because their use of sess_log() relied on an unsafe session that might already have been terminated when the log is emitted. More config compatibility issues are detected and reported between instances of the cert enabling it and those disabling it.

- spoe: in some cases, the expiration date could be reset, leading to a non-expirable stream. There could also be a wakeup loop when receiving too small a frame because it was ignored but not consumed instead of raising an error. Also, upon reload, applets that were waiting for a response would stick to idle mode and postpone the release of the old process. Now it's tested again, as well as on any subsequent attempt to use the idle connection.

- listener: in some cases it would be possible to refrain from waking up a listener that was previously subject to a rate limit condition, and if that was the last session on the listener, nothing would later wake it up again, leaving a listener in a state where it no longer accepts any traffic, as reported in GitHub issue 2476.

- log: The TCP log forwarding code relies on some code duplication whose original was subject to a race condition that was fixed in 2.4-2.7, but not this copy. The same fix was applied. The issue is not dramatic though, it may just postpone the sending of pending messages until another one arrives.

- idle conns: a private backend connection could crash in H2 if a new list head cannot be allocated during session_add_conn() because that would leave a NULL owner that is used later on. In practice it should only be reproducible under extremely low memory condition.

- random algo: when "balance random" is used, each thread uses its own pseudo-random generator. But for historical (read: stupid) reasons, that PRNG used to be seeded only by the thread number. Given that at low loads, incoming connections are assigned to threads in round robin mode, it resulted in the first server of the farm always being used first after a reload. Usually that's not an issue, until users restart every second or so while running at low loads. The seeding was fixed so as to properly support this condition as well.

- h2: the H2 glitches counter that allows to detect protocol abuses and to automatically kill a connection was backported after having been reported as effective in field by some users. This should even help get rid faster of annoying script kiddies playing with CONTINUATION frames to try to see if we do funny things with them (response: no we don't). This also adds the new sample fetch functions "fc_glitches" and "bc_glitches". Note, however that the dynamic tracking with stick-tables was not backported, 3.0 will be preferred for this.

- there was a memory leak when a proxy was freed if a use_backend rule was based on an expression.

- the previously backported aes_gcm_enc() converter could be subject to a small memory leak.

- and other lower importance fixes at various places, such as incorrect line location in certain error messages, etc.

- doc updates, namely about the ciphersuite usage, quic tuning.

- build fixes for Solaris.

And that's about all.
#############################################################################################

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (16):
      BUG/MAJOR: promex: fix crash on deleted server
      BUG/MINOR: quic: reject unknown frame type
      BUG/MINOR: quic: reject HANDSHAKE_DONE as server
      BUG/MINOR: qpack: reject invalid increment count decoding
      BUG/MINOR: qpack: reject invalid dynamic table capacity
      BUG/MEDIUM: quic: fix transient send error with listener socket
      DOC: quic: fix recommandation for bind on multiple address
      MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
      BUG/MINOR: ist: allocate nul byte on istdup
      BUG/MINOR: stats: drop srv refcount on early release
      BUG/MAJOR: server: fix stream crash due to deleted server
      BUG/MINOR: quic: fix output of show quic
      BUG/MINOR: session: ensure conn owner is set after insert into session
      BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet
      MINOR: server: allow cookie for dynamic servers
      BUG/MINOR: server: ignore 'enabled' for dynamic servers

Aurelien DARRAGON (20):
      LICENSE: event_hdl: fix GPL license version
      LICENSE: http_ext: fix GPL license version
      BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
      BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
      BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
      BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()
      BUG/MINOR: hlua: improper lock usage in hlua_filter_new()
      BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
      BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
      BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
      BUG/MINOR: cfgparse: report proper location for log-format-sd errors
      BUG/MINOR: hlua: segfault when loading the same filter from different contexts
      BUG/MINOR: hlua: missing lock in hlua_filter_new()
      BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()
      DEBUG: lua: precisely identify if stream is stuck inside lua or not
      MINOR: hlua: use accessors for stream hlua ctx
      BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
      OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}
      BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
      BUG/MINOR: proxy: fix logformat expression leak in use_backend rules

Christopher Faulet (14):
      BUG/MEDIUM: applet: Immediately free appctx on early error
      BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
      BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
      BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
      BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
      MINOR: hlua: Be able to disable logging from lua
      BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
      BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
      BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
      BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
      BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
      BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
      MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
      BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n

Damien Claisse (1):
      BUG/MINOR: server: fix persistence cookie for dynamic servers

Dragan Dosen (1):
      BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()

Frederic Lecaille (1):
      DOC: quic: Missing tuning setting in "Global parameters"

Ilia Shipitsin (1):
      CI: temporarily adjust kernel entropy to work with ASAN/clang

Ilya Shipitsin (1):
      CI: skip scheduled builds on forks

Remi Tricot-Le Breton (3):
      BUG/MEDIUM: ssl: Fix crash in ocsp-update log function
      BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message
      BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities

William Lallemand (4):
      BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
      DOC: configuration: clarify ciphersuites usage
      BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description
      DOC: configuration: clarify ciphersuites usage (V2)

Willy Tarreau (13):
      MINOR: mux-h2: add a counter of "glitches" on a connection
      BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control
      MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
      MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
      MINOR: mux-h2: always use h2c_report_glitch()
      MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
      MINOR: connection: add a new mux_ctl to report number of connection glitches
      MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
      MINOR: connection: add sample fetches to report per-connection glitches
      BUG/MINOR: ist: only store NUL byte on succeeded alloc
      BUG/MINOR: tools: seed the statistical PRNG slightly better
      BUG/MINOR: sink: fix a race condition in the TCP log forwarding code
      BUG/MINOR: backend: properly handle redispatch 0

matthias sweertvaegher (1):
      BUILD: solaris: fix compilation errors

--
Christopher Faulet
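
The h2 item in the announcement above notes that 2.8 gets the "fc_glitches" fetch but not the stick-table tracking, so per-source aggregation has to happen outside the proxy. The following is an added example, not part of the announcement or of HAProxy's code: it sums logged glitch counts per client address. The log-format line, the frontend name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed frontend log-format (an assumption, not from the announcement):
#   log-format "%ci:%cp [%tr] %ft glitches=%[fc_glitches] %ST"
# The in-process kill switch from the same backport is the global
# tune.h2.fe.glitches-threshold setting; this script only covers reporting.

# Constructed sample lines (documentation address ranges, hypothetical frontend).
SAMPLE_LOG = """\
198.51.100.7:40112 [05/Apr/2024:10:00:01.120] fe_h2 glitches=0 200
203.0.113.9:51820 [05/Apr/2024:10:00:01.300] fe_h2 glitches=12 200
203.0.113.9:51820 [05/Apr/2024:10:00:01.450] fe_h2 glitches=57 400
203.0.113.9:51944 [05/Apr/2024:10:00:02.010] fe_h2 glitches=40 400
2001:db8::5:44321 [05/Apr/2024:10:00:02.200] fe_h2 glitches=3 200
198.51.100.7:40112 [05/Apr/2024:10:00:02.500] fe_h2 glitches=1 200
malformed line
"""

LINE_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+) \[[^\]]+\] \S+ "
    r"glitches=(?P<glitches>\d+) "
)

def glitches_by_source(log_text):
    """Sum, per client IP, the highest glitch count seen on each connection."""
    per_conn = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the assumed format
        # The counter belongs to one connection, so keep the maximum per
        # ip:port (an approximation: source ports are eventually reused).
        conn = (m["ip"], int(m["port"]))
        per_conn[conn] = max(per_conn.get(conn, 0), int(m["glitches"]))
    totals = defaultdict(int)
    for (ip, _port), count in per_conn.items():
        totals[ip] += count
    return dict(totals)

def noisy_sources(log_text, threshold):
    """Return client IPs whose summed glitches reach the threshold, sorted."""
    totals = glitches_by_source(log_text)
    return sorted(ip for ip, count in totals.items() if count >= threshold)

if __name__ == "__main__":
    for ip in noisy_sources(SAMPLE_LOG, threshold=50):
        print(ip, glitches_by_source(SAMPLE_LOG)[ip])
```
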