Hi,

HAProxy 2.5.10 was released on 2022/12/05. It added 80 new commits after version 2.5.9.

As announced for the 2.6.7, we are going to release a bunch of new stable versions. The 2.5.10 is pretty similar to the 2.6.7, excluding QUIC fixes and improvements. It means the "set-uri" fix was also excluded from this release and will only be shipped with the 2.5.11.

To paraphrase Willy on this point, the "set-uri" action has been bogus for a while and was not working as documented, and used to make HTTP/1 and HTTP/2 produce different outputs. The reason for being careful is that during 2.5 there was once an issue with "set-uri" and we proposed, as an emergency work-around for those not having the time to upgrade, to use "set-uri %[url]", and this very specific one will behave differently by sending absolute URIs just as documented (some users are currently annoyed by the bogus behavior in 2.6, so we'll have to fix it). As such, while updating to 2.5.10, take this opportunity to have a look at your config to see if you have an old line like:

    http-request set-uri %[url]

If so, just comment it out, it will not change anything, and will make sure that 2.5.11 doesn't cause any change.

That said, here is the list of main fixes for this release, cut-pasted from the 2.6.7 announce:

  * Hash indexing on idle connections was fixed on 32-bit machines. The bug was due to an alignment issue causing the connection nodes to be indexed with their lower 32 bits set to zero and the higher 32 ones containing the 32 lower bits of the hash.

  * A major issue on stick-tables was fixed about a possible crash if server name indexing is used to perform stickiness when the server is an applet. This is typically what happens when a "stick-store" rule is present in a backend featuring a "stats" directive. And at the end, to fix the bug, such rules must simply be ignored when the server is an applet.

  * A race condition on some global tasks was fixed. The stick-table expiration task and the listeners management task were concerned. These tasks may run on any thread. Both set their expiration date to TICK_ETERNITY. On the other hand, these tasks may be queued or scheduled from anywhere. The race was when both happened at the same time. Indeed it is forbidden to queue a task with no expiration date. To prevent any issue, a locking mechanism is now used.

  * Two crashes were fixed in the httpclient. The first one with a lua HTTP client if the lua task timeout expired before the httpclient. The other one was at the release stage because the applet context was not properly cleaned up.

  * The HTTP compression filter was fixed to properly handle rewrite errors. Indeed, on rewrite error, the compression is not performed. But in this case, we must be sure to remove the "Content-Encoding" header.

  * The FCGI multiplexer was fixed to avoid overflow on the data length copied into a buffer when STDIN record is built. This could happen when the buffer was almost full and lead to a crash.

  * A race condition was fixed on the resolvers. It was possible to release a resolution on one thread when a response was processed for this resolution on another thread, leading to a crash because of a UAF issue. This was possible because the aborted resolutions were not removed from the query_ids tree. Thus, it was still possible to get a reference on an aborted resolution, which is totally unexpected. In addition, a very old bug was fixed about resolution on healthcheck failure. Indeed, it is documented that a new resolution is triggered in this case, but since the resolver refactoring performed in 2017, it was no longer true.

  * A crash during ring section parsing was fixed. If a "ring" section initialization failed (e.g. due to a duplicate name, invalid chars, or missing memory), any subsequent "server" statement found in the same section crashed the config parser by dereferencing the currently NULL cfg_sink.

  * In peers, messages about unknown tables were not properly ignored. Those messages are now silently ignored and the upper layer continues the processing as it is done for any valid messages.

  * Several issues were fixed on the lua, mainly on the HTTPMessage class. HTTPMessage.remove() and HTTPMessage.insert() are now working as expected. In addition, Channel.insert() was fixed to be aligned with the documentation. Finally the argument parsing when sample fetches or converters are called from lua was fixed to avoid crashes on failure and to properly handle implicit stick-table.

  * The pgsql healthcheck was updated to support new authentication methods. Now AUTH_REQ_GSS, AUTH_REQ_GSS and AUTH_REQ_SASL are supported.

  * On connection retry, Turn-around, adding 1 second pause before connection retry, is now enforced only when no redispatch is performed.

  * A memory leak was fixed when some TXN variables were defined from a tcp-request ruleset for an HTTP session. Indeed, in this case, these variables were lost because of an extra list initialization during the HTTP transaction creation.

  * smtpchk healthcheck now gracefully closes SMTP transaction by sending a QUIT message.

  * Error handling during http replies parsing was fixed to prevent any crash during arguments parsing while a log-format body was expected but not evaluated yet.

  * And finally, to finish this boring list, the usual fixes here and there, documentation and build improvements.

Thanks everyone for your help and your contributions.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.5/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : https://www.haproxy.org/download/2.5/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :

Aurelien DARRAGON (10):
      BUG/MINOR: hlua: fixing hlua_http_msg_del_data behavior
      BUG/MINOR: hlua: fixing hlua_http_msg_insert_data behavior
      BUG/MINOR: hlua: _hlua_http_msg_delete incorrect behavior when offset is used
      BUG/MINOR: hlua: hlua_channel_insert_data() behavior conflicts with documentation
      DOC: configuration: missing 'if' in tcp-request content example
      BUG/MINOR: log: fixing bug in tcp syslog_io_handler Octet-Counting
      BUG/MEDIUM: wdt/clock: properly handle early task hangs
      BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
      BUG/MINOR: cfgparse-listen: fix ebpt_next_dup pointer dereference on proxy "from" inheritance
      BUG/MINOR: log: fix parse_log_message rfc5424 size check

Christopher Faulet (25):
      REGTESTS: 4be_1srv_smtpchk_httpchk_layer47errors: Return valid SMTP replies
      BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree
      DOC: config: Fix pgsql-check documentation to make user param mandatory
      BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
      BUG/MINOR: mux-h1: Account consumed output data on synchronous connection error
      MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands
      MINOR: httpclient/lua: Don't set req_payload callback if body is empty
      BUG/MINOR: log: Preserve message facility when the log target is a ring buffer
      BUG/MINOR: ring: Properly parse connect timeout
      BUG/MEDIUM: compression: handle rewrite errors when updating response headers
      BUG/MINOR: sink: Only use backend capability for the sink proxies
      BUG/MINOR: sink: Set default connect/server timeout for implicit ring buffers
      BUG/MAJOR: stick-table: don't process store-response rules for applets
      BUG/MINOR: http-htx: Fix error handling during parsing http replies
      BUG/MINOR: resolvers: Don't wait periodic resolution on healthcheck failure
      BUG/MINOR: resolvers: Set port before IP address when processing SRV records
      BUG/MINOR: mux-fcgi: Be sure to send empty STDING record in case of zero-copy
      BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once
      REG-TESTS: cache: Remove T-E header for 304-Not-Modified responses
      BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
      BUILD: peers: Remove unused variables
      BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action
      BUILD: http-htx: Silent build error about a possible NULL start-line
      BUG/MINOR: mux-h1: Fix handling of 408-Request-Time-Out
      Revert "BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action"

Emeric Brun (1):
      BUG/MEDIUM: peers: messages about unkown tables not correctly ignored

Erwan Le Goas (1):
      BUG/MINOR: config: don't count trailing spaces as empty arg (v2)

Fatih Acar (1):
      BUG/MINOR: checks: update pgsql regex on auth packet

Ilya Shipitsin (5):
      CI: SSL: use proper version generating when "latest" semantic is used
      CI: SSL: temporarily stick to LibreSSL=3.5.3
      CI: add monthly gcc cross compile jobs
      CI: switch to the "latest" LibreSSL
      CI: enable QUIC for LibreSSL builds

Mickael Torres (1):
      BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers

Olivier Houchard (2):
      BUG/MEDIUM: lua: Don't crash in hlua_lua2arg_check on failure
      BUG/MEDIUM: lua: handle stick table implicit arguments right.

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading issuer
      BUG/MINOR: ssl: ocsp structure not freed properly in case of error

Tim Duesterhus (2):
      CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
      CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition

William Lallemand (8):
      BUG/MEDIUM: httpclient/lua: crash when the lua task timeout before the httpclient
      BUG/MEDIUM: httpclient: check if the httpclient was released in the IO handler
      REGTESTS: httpclient/lua: test the lua task timeout with the httpclient
      CI: github: dump the backtrace of coredumps in the alpine container
      BUILD: Makefile: add "USE_SHM_OPEN" on the linux-musl target
      DOC: management: add forgotten "show startup-logs"
      DOC: lua: add a note about compression w/ httpclient
      BUG/MINOR: ssl: don't initialize the keylog callback when not required

Willy Tarreau (21):
      BUG/MAJOR: conn-idle: fix hash indexing issues on idle conns
      BUILD: h1: silence an initiialized warning with gcc-4.7 and -Os
      BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
      BUG/MINOR: backend: only enforce turn-around state when not redispatching
      BUG/MEDIUM: config: count line arguments without dereferencing the output
      BUG/MAJOR: stick-tables: do not try to index a server name for applets
      BUG/MINOR: server: make sure "show servers state" hides private bits
      BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
      CI: emit the compiler's version in the build reports
      DOC: config: fix alphabetical ordering of global section
      BUG/MEDIUM: ring: fix creation of server in uninitialized ring
      BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes
      BUG/MINOR: server/idle: at least use atomic stores when updating max_used_conns
      BUILD: listener: fix build warning on global_listener_rwlock without threads
      DOC: config: provide some configuration hints for "http-reuse"
      DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
      DOC: config: mention that a single monitor-uri rule is supported
      DOC: config: explain how default matching method for ACL works
      DOC: config: clarify the fact that "retries" is not just for connections
      DOC: config: clarify the -m dir and -m dom pattern matching methods
      SCRIPTS: announce-release: add a link to the data plane API

wrightlaw (1):
      BUG/MINOR: smtpchk: SMTP Service check should gracefully close SMTP transaction

--
Christopher Faulet
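
For the configuration check the announcement recommends before moving to 2.5.11, here is an added example; it is not part of the announcement and not HAProxy code. The function names and the sample configuration are constructed for illustration, and trailing-comment handling is simplified (a "#" inside a quoted string is not treated specially).

```shell
#!/bin/sh
# Added example: find active "http-request set-uri %[url]" rules so they can
# be commented out before the move to 2.5.11.

# find_set_uri_url FILE...
# Prints "file:line: rule" for each uncommented rule whose set-uri argument is
# exactly %[url]; an if/unless condition may follow. Returns 0 if any rule is
# found, 1 otherwise.
find_set_uri_url() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # drop indentation
            if (line ~ /^#/) next           # whole-line comment, already inactive
            sub(/[ \t]+#.*$/, "", line)     # drop a trailing comment (simplified)
            n = split(line, w, /[ \t]+/)
            if (n >= 3 && w[1] == "http-request" && w[2] == "set-uri" &&
                (w[3] == "%[url]" || w[3] == "\"%[url]\"")) {
                printf "%s:%d: %s\n", FILENAME, FNR, line
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample configuration (hypothetical, for trying the function).
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend fe_main
    bind :8080
    http-request set-uri %[url]
    # http-request set-uri %[url]
    http-request set-uri %[url] if { path_beg /api }   # old work-around
    http-request set-uri /v2%[path]
EOF
}

# When configuration files are given as arguments, scan them.
[ "$#" -eq 0 ] || find_set_uri_url "$@"
```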