Hi,

HAProxy 3.1.3 was released on 2025/01/29. It added 17 new commits after version 3.1.2.

This release is pretty light but it fixes some annoying bugs.

The first one is about the way QUIC CRYPTO frames were stored internally to handle the reception of unordered frames. There was no control on the relative frame position, which could lead to a crash when this position was too high to be stored. Now, when this happens, the connection is closed with a CRYPTO_BUFFER_EXCEEDED error, as required by the QUIC specification.

The second one is about the logs and rings. Log messages were sent to all servers sharing the same name but defined in distinct log backends, because all these servers shared the same sink. To fix the issue, the sink name used for a log server is now prefixed with the backend name, making it truly unique.

Finally, the last major bug is about the Prometheus exporter. When backends extra counters were dumped, the wrong pointer was used in the promex context to retrieve the corresponding stats module, leading to memory corruptions and crashes. This issue is mitigated by the fact that the Prometheus exporter should never be exposed.

Other bugs fixed by this release are more usual:

  * Some locks were missing on some stick-table converters. No issue was reported about this bug but it could lead to inconsistent values being reported by "table_*" converters.

  * In H1, it was possible to have unusable client connections waiting for the client timeout while they should be closed. This happened when a connection error was encountered immediately after the connection establishment, at the same time as the connection closure. It was not a leak because connections were finally closed but it was a waste of resources, especially with a high client timeout.

  * Crashes could be encountered because of a use-after-free bug after two QUIC packets were coalesced.

  * QUIC NEW_TOKEN frames emitted by clients were not rejected as expected. Now when this happens, the connection is closed with a PROTOCOL_VIOLATION error code.

  * The QUIC congestion window was increased each time a new acknowledgment was received without considering the window filling level. On a network with negligible loss, this would cause the window to be incremented until the maximum value, even though the application does not have enough data to fill it. In most cases, this issue was not noticeable. However, it could lead to excessive memory consumption when a QUIC connection was suddenly interrupted, as in this case HAProxy would fill the window with retransmissions. It even caused OOM crashes when thousands of clients were interrupted at once on a local network benchmark.

  * The "on-marked-up shutdown-backup-sessions" action was no longer working. It was broken when the shutdown of a stream was modified to be async-safe. When this part was fixed, the active stream shutdowns, via the CLI for instance, and the "on-marked-down shutdown-sessions" action were properly handled. But not the shutdown of backup sessions.

  * An issue could be experienced on big-endian architectures in stick-table sample fetch functions and converters because of conversions between 64-bit and 32-bit integers.

  * The HAPROXY_STARTUP_VERSION environment variable, defined during the init stage, was set from a macro instead of being set from a variable. Depending on how HAProxy is rebuilt, this could make debugging sessions confusing because the version exposed in the environment was not necessarily the same as the one presented in "haproxy -vv".

Thanks everyone for your help!

New releases should be expected for other stable versions, most probably as far as 2.6.

Please find the usual URLs below:

   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.1/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.1.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.1.git
   Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog:

Amaury Denoyelle (4):
      BUG/MINOR: quic: reject NEW_TOKEN frames from clients
      BUG/MAJOR: quic: reject too large CRYPTO frames
      BUG/MINOR: quic: do not increase congestion window if app limited
      CLEANUP: quic: remove unused prototype

Aurelien DARRAGON (3):
      BUG/MINOR: stktable: fix big-endian compatiblity in smp_to_stkey()
      BUG/MEDIUM: stktable: fix missing lock on some table converters
      BUG/MAJOR: log/sink: possible sink collision in sink_new_from_srv()

Christopher Faulet (3):
      BUG/MEDIUM: promex: Use right context pointers to dump backends extra-counters
      BUG/MEDIUM: mux-h1: Properly close H1C if an error is reported before sending data
      BUG/MINOR: stream: Properly handle "on-marked-up shutdown-backup-sessions"

Frederic Lecaille (3):
      BUG/MINOR: quic: ensure a detached coalesced packet can't access its neighbours
      MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount
      BUILD: quic: Move an ASSUME_NONNULL() for variable which is not null

Valentine Krasnobaeva (1):
      BUG/MINOR: ssl: put ssl_sock_load_ca under SSL_NO_GENERATE_CERTIFICATES

William Lallemand (2):
      BUILD: ssl: allow to build without the renegotiation API of WolfSSL
      BUILD: ssl: more cleaner approach to WolfSSL without renegotiation

Willy Tarreau (1):
      BUG/MINOR: init: set HAPROXY_STARTUP_VERSION from the variable, not the macro

--
Christopher Faulet
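
Added example (not part of the original announcement and not HAProxy's code): an illustration in C of the class of check the CRYPTO frame fix describes, where a frame whose relative position does not fit the reassembly window is refused with CRYPTO_BUFFER_EXCEEDED (0x0d in RFC 9000) instead of being stored. The struct, the function names and the 4096-byte window are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define QUIC_ERR_CRYPTO_BUFFER_EXCEEDED 0x0d /* RFC 9000 transport error code */
#define CRYPTO_WIN 4096 /* assumed window size, the RFC 9000 section 7.5 minimum */

/* Hypothetical reassembly window covering offsets [base, base + CRYPTO_WIN). */
struct crypto_rx {
    uint64_t base;              /* stream offset of the next byte to deliver */
    uint8_t  data[CRYPTO_WIN];  /* data[i] holds the byte at offset base + i */
    uint8_t  have[CRYPTO_WIN];  /* 1 where data[i] has been received */
};

/* Store one CRYPTO frame; returns 0 or a QUIC transport error code. */
int crypto_rx_store(struct crypto_rx *rx, uint64_t off,
                    const uint8_t *p, uint64_t len)
{
    uint64_t rel;

    if (off < rx->base) {       /* overlaps data that was already delivered */
        uint64_t skip = rx->base - off;
        if (skip >= len)
            return 0;           /* pure retransmission, nothing new */
        p += skip; len -= skip; off = rx->base;
    }
    rel = off - rx->base;       /* relative position inside the window */
    /* Overflow-safe form of "rel + len > CRYPTO_WIN": never index past data[]. */
    if (rel > CRYPTO_WIN || len > CRYPTO_WIN - rel)
        return QUIC_ERR_CRYPTO_BUFFER_EXCEEDED;  /* caller closes the connection */
    memcpy(rx->data + rel, p, (size_t)len);
    memset(rx->have + rel, 1, (size_t)len);
    return 0;
}

/* Constructed demo: one frame of len zero bytes at off, window starting at base.
 * Demo inputs keep off >= base - CRYPTO_WIN so the payload is never over-read. */
int demo_store(uint64_t base, uint64_t off, uint64_t len)
{
    static const uint8_t payload[2 * CRYPTO_WIN]; /* constructed sample payload */
    struct crypto_rx rx = { .base = base };
    return crypto_rx_store(&rx, off, payload, len);
}

int main(void)
{
    /* In-window frame is stored; a far-ahead offset is refused, not written. */
    return !(demo_store(0, 4000, 96) == 0 &&
             demo_store(0, 1ULL << 40, 1) == QUIC_ERR_CRYPTO_BUFFER_EXCEEDED);
}
```

The comparison is written as `len > CRYPTO_WIN - rel` so that an offset close to 2^64 cannot wrap the sum and slip past the bound.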