Hi,

HAProxy 3.2-dev10 was released on 2025/04/11. It added 46 new commits
after version 3.2-dev9.

Nothing really outstanding this week. A few bugs were addressed, the most
notable ones being:
  - peers: it was possible to learn entries from peers which expire after
    the locally configured expiration, causing bad entries to be very
    difficult to eliminate from a cluster. Now the end date is checked and
    the locally-configured one serves as an upper bound.

  - regsub() converter: Aleandro Prudenzano of Doyensec and Edoardo Geraci
    of Codean Labs found a risk of buffer overflow when replacing patterns
    multiple times at once (multi-reference) with longer ones. The risk is
    quite low since such configs are quite unlikely, and in the rare cases
    where they do occur, the replacement will involve static contents, so
    the risk is essentially one of a crash. Regardless, it is a bug and it's
    now fixed. CVE-2025-32464 was filed for this. It affects all versions, so
    the fix will be backported and we'll take this opportunity to make
    a new series of stable versions.

  - there was still a case where a forced shutdown on a stream could freeze
    it; it's now fixed.
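As an added illustration of the invariant the regsub() fix restores (this is
not HAProxy's code, and HAProxy's real buffer sizes are not stated above):
a small Python model of a regsub-style converter that expands \0..\9
back-references into an output of fixed capacity. Every piece is length-
accounted before it is appended, so a substitution that references the same
group several times with a longer replacement is refused as a whole rather
than written past the end. The capacity value, the OutputOverflow type and the
rule that an unknown group expands to nothing are assumptions of this example.

```python
import re

# Constructed capacity for the demo; HAProxy's own buffer size is not given here.
OUT_CAPACITY = 64


class OutputOverflow(Exception):
    """Raised when the substituted result would not fit the output buffer."""


def _expand(match, subst):
    """Yield the pieces of `subst`, replacing \\0..\\9 with the match's groups."""
    i = 0
    while i < len(subst):
        ch = subst[i]
        if ch == "\\" and i + 1 < len(subst) and subst[i + 1].isdigit():
            n = int(subst[i + 1])
            # \0 is the whole match; an unknown or unmatched group expands to
            # nothing (assumption of this model).
            grp = match.group(n) if n <= match.re.groups else None
            yield grp or ""
            i += 2
        else:
            yield ch
            i += 1


def regsub(text, pattern, subst, flags="", capacity=OUT_CAPACITY):
    """Replace the first match (or all with 'g' in flags) of `pattern` in `text`
    by `subst`, like a regsub() converter writing into a fixed-size buffer.
    Returns the result, or None when the result would exceed `capacity`."""
    rx = re.compile(pattern)
    out = []
    total = 0

    def emit(piece):
        # Bounds check happens before the write, for literal text and for
        # every expanded back-reference alike.
        nonlocal total
        total += len(piece)
        if total > capacity:
            raise OutputOverflow()
        out.append(piece)

    pos = 0
    try:
        for m in rx.finditer(text):
            emit(text[pos:m.start()])      # literal text before the match
            for piece in _expand(m, subst):
                emit(piece)                # each back-ref is checked separately
            pos = m.end()
            if "g" not in flags:
                break
        emit(text[pos:])                   # trailing literal text
    except OutputOverflow:
        return None
    return "".join(out)
```

The three-fold reference to each group in `regsub("ab", r"(a)(b)", r"\1\1\1\2\2\2")`
yields "aaabbb" with the default capacity, and None once `capacity` is set
below six: the length check, not the buffer, decides what is written.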

A new warning was added for crt-lists to report a config issue where only
negative filters are used on a crt-list line, which confusingly does nothing.
However, since we normally don't add warnings between a non-LTS version and
the following LTS in order to guarantee a smooth upgrade, we'll only make it
a diag warning in 3.2 and turn it back into a real warning in 3.3.
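The same check can be run ahead of an upgrade, while the warning is still
diag-only. The following is an added example, not HAProxy's own parser: it
reads a crt-list in the usual layout (certificate file, optional bracketed
ssl options, then SNI filters, where a leading "!" negates a filter) and
reports every line whose filters are all negative. The sample crt-list is
constructed for the demo; the assumption that a "#" always starts a comment
and that options never contain "]" is a simplification of this example.

```python
import re

# Constructed sample crt-list: only the last line has nothing but negative
# filters and therefore matches nothing.
SAMPLE_CRT_LIST = """\
# certificates for the public frontend
site.pem
site2.pem [alpn h2,http/1.1] www.example.com example.com
wild.pem [ocsp-update on] *.example.com !private.example.com
bad.pem !*.internal.example.com !admin.example.com
"""

_LINE_RE = re.compile(r"(\S+)\s*(?:\[([^\]]*)\])?\s*(.*)$")


def parse_crt_list_line(raw):
    """Return (certfile, options, filters) for one crt-list line, or None for a
    blank or comment line. Options are the words inside [...], filters are the
    remaining whitespace-separated SNI patterns."""
    line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
    if not line:
        return None
    m = _LINE_RE.match(line)
    certfile, opts, rest = m.group(1), m.group(2), m.group(3)
    return certfile, (opts or "").split(), rest.split()


def find_negative_only(text):
    """1-based line numbers whose filter list is non-empty and entirely negated.
    Such a line never matches any SNI, which is the situation the new warning
    reports."""
    bad = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_crt_list_line(raw)
        if parsed is None:
            continue
        _, _, filters = parsed
        if filters and all(f.startswith("!") for f in filters):
            bad.append(no)
    return bad


if __name__ == "__main__":
    for no in find_negative_only(SAMPLE_CRT_LIST):
        print(f"line {no}: only negative filters, this entry matches nothing")
```

Running it over a real file is `find_negative_only(open(path).read())`; a line
such as the sample's `bad.pem !*.internal.example.com !admin.example.com` is
fixed by adding the positive name(s) the certificate should actually serve.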

The new in-line certificate declaration for frontends added in 3.2-dev
with the "crt" keyword is now replaced with "ssl-f-use" followed by
"crt". The rationale for this is that at some point this will make it
possible to configure certificates without having a preliminary one (for
use with ACME). Some extra ACME updates are already pending on this point
and will be available for 3.2-dev11.

Health checks now support being sent over idle connections when the
server line has the "check-reuse-pool" keyword. While one use case may
be to save SSL handshakes for some application servers, actually the
main target is the reverse-http architecture where it will be possible
to check the servers behind a reverse connection.

The Lua API got a few additions such as core.wait() and try_receive(),
which make it a bit easier to implement non-blocking programs.

The "show events" CLI command now supports "-0" to request that events
are delimited with a \0 instead of a line break; this allows rings to be
used to emit multi-line events to their watchers (similar to xargs -0). One
predicted use case will be to pass notifications to the dataplane API.
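On the consumer side, a \0-delimited stream needs a reader that splits on the
delimiter and reassembles across reads, since a multi-line event cannot be
told apart from several events once it is split on "\n". The following is an
added example of such a reader, not code from HAProxy or the dataplane API;
the sample byte stream is constructed, and the buffer size is a parameter of
the demo.

```python
import io

# Constructed sample of what a "-0" delimited event stream looks like: two
# complete events (the first spanning two lines) and a truncated third one.
SAMPLE_STREAM = b"first line\nsecond line of same event\0single-line event\0partial"


def split_events(buf, delimiter=b"\0"):
    """Split buffered bytes into (complete events, unterminated remainder).
    The remainder must be kept and prepended to the next read."""
    parts = buf.split(delimiter)
    return parts[:-1], parts[-1]


def iter_events(stream, delimiter=b"\0", bufsize=4096):
    """Yield each complete event from a binary stream, whatever the read
    boundaries. Bytes after the last delimiter have no terminator, so they
    are never reported as an event: an emitter cut off mid-event must not be
    mistaken for a complete message."""
    pending = b""
    while True:
        chunk = stream.read(bufsize)
        if not chunk:
            break
        pending += chunk
        events, pending = split_events(pending, delimiter)
        for ev in events:
            yield ev


def collect_events(data, bufsize=4096):
    """Run iter_events over an in-memory byte string and return the events."""
    return list(iter_events(io.BytesIO(data), bufsize=bufsize))


if __name__ == "__main__":
    for ev in collect_events(SAMPLE_STREAM, bufsize=7):
        print("event:", ev.decode())
```

`collect_events(SAMPLE_STREAM)` returns the two complete events intact,
newline included, and drops the trailing "partial"; splitting the same bytes
on "\n" instead would produce three fragments that no longer match the events
the emitter wrote.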

Aside from this, there were some internal changes such as a cleanup of the
proxies' initialization/deinitialization code to split alloc/dealloc
from initialization and avoid manually initializing them everywhere. The
rest are the usual cleanups, CI updates, build fixes and doc cleanups.

There's still some stuff already pending and coming soon (just the time
to finish some commit messages I guess):
  - a bidirectional mode for master-cli commands forwarded to workers,
    allowing blocking commands such as "show events" or "wait" to be called
  - a full batch of ACME updates
  - a few fixes
  - idle-ping to check idle H2 connections
  - better scalability for the round-robin algo

I'm also trying to fix some rare cases of deadlock in the watchdog
warnings. It's complicated because two signal handlers are being used
in parallel, and this is hard to follow and needs to be simplified. The
first attempt is not as positive as I hoped but I'll get back to this
so that we can definitely put an end to this issue and backport the
fixes.

But all these pending things must not be a justification for not testing
dev10 :-)

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (5):
      MINOR: backend: mark srv as nonnull in alloc_dst_address()
      BUG/MINOR: server: ensure check-reuse-pool is copied from default-server
      MINOR: server: activate automatically check reuse for rhttp@ protocol
      MINOR: check/backend: support conn reuse with SNI
      MINOR: check: implement check-pool-conn-name srv keyword

Aurelien DARRAGON (20):
      MINOR: task: add thread safe notification_new and notification_wake variants
      BUG/MINOR: hlua_fcn: fix potential UAF with Queue:pop_wait()
      MINOR: hlua_fcn: register queue class using hlua_register_metatable()
      MINOR: hlua: add core.wait()
      MINOR: hlua: core.wait() takes optional delay paramater
      MINOR: hlua: split hlua_applet_tcp_recv_yield() in two functions
      MINOR: hlua: add AppletTCP:try_receive()
      MINOR: hlua_fcn: add Queue:alarm()
      MEDIUM: task: make notification_* API thread safe by default
      CLEANUP: log: adjust _lf_cbor_encode_byte() comment
      BUG/MINOR: log: fix CBOR encoding with LOG_VARTEXT_START() + lf_encode_chunk()
      DEV: h2: fix h2-tracer.lua nil value index
      BUG/MINOR: hlua: fix invalid errmsg use in hlua_init()
      MINOR: proxy: add setup_new_proxy() function
      MINOR: checks: mark CHECKS-FE dummy frontend as internal
      MINOR: flt_spoe: mark spoe agent frontend as internal
      MEDIUM: tree-wide: avoid manually initializing proxies
      MINOR: proxy: add deinit_proxy() helper func
      MINOR: checks: deinit checks_fe upon deinit
      MINOR: flt_spoe: deinit spoe agent proxy upon agent release

Christopher Faulet (2):
      BUG/MEDIUM: stream: Fix a possible freeze during a forced shut on a stream
      MEDIUM: stream: Save SC and channel flags earlier in process_steam()

Emeric Brun (2):
      BUG/MINOR: peers: fix expire learned from a peer not converted from ms to ticks
      BUG/MEDIUM: peers: prevent learning expiration too far in futur from unsync node

Ilia Shipitsin (3):
      CI: spell check: allow manual trigger
      CI: codespell: add "pres" to spellcheck whitelist
      CLEANUP: assorted typo fixes in the code, commits and doc

Olivier Houchard (1):
      TESTS: Fix build for filltab25.c

William Lallemand (6):
      REORG: ssl: move curves2nid and nid2nist to ssl_utils
      MEDIUM: ssl: replace "crt" lines by "ssl-f-use" lines
      DOC: configuration: replace "crt" by "ssl-f-use" in listeners
      MEDIUM: ssl/crt-list: warn on negative wildcard filters
      MEDIUM: ssl/crt-list: warn on negative filters only
      DOC: configuration: rework the crt-list section

Willy Tarreau (7):
      CLEANUP: atomics: remove support for gcc < 4.7
      CLEANUP: atomics: also replace __sync_synchronize() with __atomic_thread_fence()
      BUILD: atomics: fix build issue on non-x86/non-arm systems
      BUG/MEDIUM: sample: fix risk of overflow when replacing multiple regex back-refs
      MINOR: ring: support arbitrary delimiters through ring_dispatch_messages()
      MINOR: ring/cli: support delimiting events with a trailing \0 on "show events"
      BUG/MINOR: backend: do not use the source port when hashing clientip

---