Hi,
HAProxy 2.6.22 was released on 2025/04/22. It added 69 new commits
after version 2.6.21.
Just like 2.8.15, this version resyncs with the fixes that were part
of 3.0.9 and 3.0.10:
- an API issue in the applets could have resulted in some shutdown or
error conditions to be missed in the future, so as a prevention it
was fixed. Turns out, after fixing this, it uncovered a bug in the
CLI's "_getsocks" handler that was causing an infinite loop during
reloads, and another one in the SPOE applet where the applet would
never shut down (neither appeared in a released version), and these
bugs were also fixed.
- reloads that transfer listening sockets to the new worker process could
make the older worker consume a lot of CPU for no apparent reason for
the time it remained present. The cause was that these FDs were
registered in epoll and when a new connection arrived to the new
process, the old one would also be notified without being able to
unregister it since already closed (well-known epoll pitfall). Now
these FDs are properly unregistered after being transferred so it's
possible that some users with long-running old processes will observe
a lower CPU usage on these old processes.
- a BUG_ON() could be triggered when using filters with no http_payload
callback.
- a bug in htx_xfer_blks() could result in occasionally transferring more
blocks than requested on 32-bit platforms.
- some TLSv1.3 signature algorithms were not recognized by the
ClientHello parser which was written before TLSv1.3. The ones that
were not correctly supported were based on RSA-PSS and would have
resulted in presenting a possibly wrong certificate when both RSA and
ECDSA ones were present for the same SNI.
- disabling the send-proxy-v2 feature on a "server" line after some fields
had been enabled in the defaults section would result in an attempt to
send a PROXY-v1 line because the presence of any field was tested to
decide to send the PROXY header.
- a startup race can randomly affect the setting of CPU affinity of
certain threads during boot, if the thread starts faster than the
parent updates the pthread identifier upon return. When it happens,
the affinity setting will often be silently ignored, but on some libs
such as musl, it can also result in a segfault at boot.
- a use-after-free condition was occasionally possible in Lua applets
handling CLI keywords, causing random crashes. It was apparently
difficult to trigger and did apparently not happen before 3.0.
- SPOE applets could be woken in loops during stopping, thus eating a lot
of CPU until the process stopped.
- transparent proxy connections at the proxy level ("option transparent")
would not include the destination address in the connection hash
calculation, meaning that idle connections for a different address
than expected could be reused between requests.
- usesrc clientip would accidentally include the client's port in the
hash calculation, resulting in a very low connection reuse ratio.
- leading and trailing spaces are now properly trimmed from both h2 and
h3 header values. In h2 it had been observed that some rare clients
keep the space after the comma when splitting "cookie" values, causing
errors between haproxy and servers, so we can reasonably expect that
this would happen with h3 too if the same clients support both
protocols. In addition, the H3 header sanitization was synchronized
with the latest fixes applied to H2 (filter "upgrade", block invalid
chars in URI, etc).
- stick-tables could learn entries from peers with an expiration date
further in the future than what their own expire time permits, causing
entries resulting from a temporary misconfiguration to be very
difficult to evict from a cluster (e.g. mistakenly write "24d" instead
of "24h" and entries persist for 3 weeks even across reloads). Now the
entries' expiration date will be capped to the stick table's setting.
- the regsub converter, used to perform regex-based substitutions, would
check the remaining room in the buffer against the initially available
size for each replaced pattern instead of checking it against the
remaining size. This was reported by Aleandro Prudenzano of Doyensec
and Edoardo Geraci of Codean Labs, and was assigned CVE-2025-32464.
The risk is quite low since such configs are quite unlikely and in the
rare cases they will happen, the replacement will involve static
contents, thus essentially a risk of crash.
And there were a few other less important ones among which:
- a few issues on the peers section parser and config consistency checker
possibly causing issues or even a segfault.
- servers attached to a ring wouldn't wait before trying to reconnect,
causing connection storms in case of a server failure.
- a few minor memory leaks were found in error paths (auth, _getsock,
flt-trace).
- only one "users" option in userlist "group" directive is supported,
but extraneous ones were still accepted and silently leaked, which
is no longer the case (an alert is now displayed when "users" is
repeated).
- FCGI would always force the status to 302 when seeing a Location
header, possibly overwriting another status code.
- a few crashes could happen if the QUIC mux failed to initialize.
- some QUIC crypto frames could be 1 to 2 bytes smaller than permitted
by the MTU. Also, related to packet length, some packets can use a
long header, and some room could be missing in the buffer to store
their length field, resulting in errors.
- the signature algorithms were not listed on "show ssl crt-list". They
now are.
- a pending close from the server could be forwarded to the client
despite a pending tcp-response content evaluation.
- one case where QUIC could crash on out-of-memory condition when trying
to allocate CRYPTO buffers was addressed. It could be triggered in
memory-constrained environments (i.e. containers). This fix was also
added to 3.1 after the release.
Again like for 2.8.15, this version accumulates almost 3 months worth
of fixes, there is probably a bit for everyone in it, though nothing
critical. All 2.6 users are encouraged to start to plan for testing it
and updating once the tests are conclusive.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.6/src/
Git repository : https://git.haproxy.org/git/haproxy-2.6.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
Changelog : https://www.haproxy.org/download/2.6/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (17):
BUG/MINOR: h1: do not forward h2c upgrade header token
BUG/MINOR: h2: reject extended connect for h2c protocol
BUG/MINOR: quic: reserve length field for long header encoding
BUG/MINOR: quic: fix CRYPTO payload size calcul for encoding
BUG/MINOR: quic: prevent crash on conn access after MUX init failure
CLEANUP: h3: fix documentation of h3_rcv_buf()
BUG/MINOR: backend: do not overwrite srv dst address on reuse
BUG/MEDIUM: backend: fix reuse with set-dst/set-dst-port
MINOR: h3: check return values of htx_add_* on headers parsing
BUG/MEDIUM: h3: trim whitespaces when parsing headers value
BUG/MEDIUM: h3: trim whitespaces in header value prior to QPACK encoding
BUG/MINOR: h3: filter upgrade connection header
BUG/MINOR: h3: reject invalid :path in request
BUG/MINOR: h3: reject request URI with invalid characters
BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure
BUG/MINOR: mux-h2: prevent past scheduling with idle connections
BUG/MINOR: mux-quic: fix BUG_ON() crash on init failure after app-ops
Aurelien DARRAGON (9):
DOC: management: rename some last occurences from domain "dns" to "resolvers"
BUG/MINOR: sink: add tempo between 2 connection attempts for sft servers
BUG/MINOR: cfgparse/peers: fix inconsistent check for missing peer server
BUG/MINOR: cfgparse/peers: properly handle ignored local peer case
BUG/MINOR: server: dont return immediately from parse_server() when skipping checks
MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines
BUG/MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup()
BUG/MINOR: hlua: fix invalid errmsg use in hlua_init()
BUG/MINOR: sink: add tempo between 2 connection attempts for sft servers (2)
Christopher Faulet (18):
MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades
BUG/MINOR: http-ana: Disable fast-fwd for unfinished req waiting for upgrade
BUG/MINOR: spoe: Check the shared waiting queue to shut applets during stopping
BUG/MINOR: spoe: Allow applet creation when closing the last one during stopping
BUG/MEDIUM: spoe: Don't wakeup idle applets in loop during stopping
REGTESTS: Fix truncated.vtc to send 0-CRLF
BUG/MINOR: cli: Wait for the last ACK when FDs are xferred from the old worker
BUG/MEDIUM: filters: Handle filters registered on data with no payload callback
BUG/MINOR: fcgi: Don't set the status to 302 if it is already set
BUG/MINOR: tcp-rules: Don't forward close during tcp-response content rules eval
BUG/MINOR: cli: Fix memory leak on error for _getsocks command
BUG/MINOR: cli: Fix a possible infinite loop in _getsocks()
BUG/MINOR: config/userlist: Support one 'users' option for 'group' directive
BUG/MINOR: auth: Fix a leak on error path when parsing user's groups
BUG/MINOR: flt-trace: Support only one name option
BUG/MINOR: stats-json: Define JSON_INT_MAX as a signed integer
Dragan Dosen (1):
BUG/MINOR: server: fix the "server-template" prefix memory leak
Emeric Brun (2):
BUG/MINOR: peers: fix expire learned from a peer not converted from ms to ticks
BUG/MEDIUM: peers: prevent learning expiration too far in futur from unsync node
Ilia Shipitsin (1):
BUG/MINOR: namespace: handle a possible strdup() failure
Lukas Tribus (1):
DOC: option redispatch should mention persist options
Olivier Houchard (1):
TESTS: Fix build for filltab25.c
Valentine Krasnobaeva (3):
BUG/MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers
BUG/MEIDUM: startup: return to initial cwd only after check_config_validity()
BUG/MINOR: log: fix gcc warn about truncating NUL terminator while init char arrays
William Lallemand (4):
BUG/MEDIUM: ssl: chosing correct certificate using RSA-PSS with TLSv1.3
BUG/MEDIUM: htx: wrong count computation in htx_xfer_blks()
DOC: htx: clarify <mark> parameter for htx_xfer_blks()
TESTS: ist: fix wrong array size
Willy Tarreau (12):
BUG/MINOR: ssl_sock: fix xprt_set_used() to properly clear the TASK_F_USR1 bit
REGTESTS: shorten a bit the delay for the h1/h2 upgrade test
BUG/MEDIUM: clock: make sure now_ms cannot be TICK_ETERNITY
BUG/MEDIUM: fd: mark FD transferred to another process as FD_CLONED
BUG/MEDIUM: thread: use pthread_self() not ha_pthread[tid] in set_affinity
BUG/MINOR: h2: always trim leading and trailing LWS in header values
BUG/MINOR: server: check for either proxy-protocol v1 or v2 to send hedaer
MINOR: cli: export cli_io_handler() to ease symbol resolution
DOC: config: fix two missing "content" in "tcp-request" examples
BUG/MEDIUM: sample: fix risk of overflow when replacing multiple regex back-refs
BUG/MINOR: backend: do not use the source port when hashing clientip
DOC: config: add the missing "profiling.memory" to the global kw index
---
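The epoll pitfall behind the reload/CPU item in the notes above (FDs handed to the new worker keep waking the old one, which can no longer unregister them) can be reproduced in a few lines. This is an added illustration, not HAProxy code: a pipe stands in for the listening socket, and dup() within one process stands in for the descriptor that survives in the new worker process.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Register the read end of a pipe in an epoll set owned by the "old worker",
 * give a second descriptor on the same pipe to the "new worker" (dup() stands
 * in for the fd surviving fork/exec in another process), then close the old
 * worker's descriptor. Returns how many events the old worker's epoll set still
 * reports once data arrives for the new worker; *del_errno receives the errno
 * of a belated EPOLL_CTL_DEL attempted after the close (EBADF: nothing can be
 * done any more, which is exactly the situation the fix avoids). */
int stale_epoll_events(int unregister_before_close, int *del_errno)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int ep = epoll_create1(0);
    if (ep < 0)
        return -1;

    struct epoll_event ev = { .events = EPOLLIN, .data.fd = p[0] };
    if (epoll_ctl(ep, EPOLL_CTL_ADD, p[0], &ev) < 0)
        return -1;

    /* The open file description stays alive through the new worker's copy,
     * so the epoll interest-list entry is not dropped by the close() below. */
    int new_worker_fd = dup(p[0]);

    if (unregister_before_close)
        epoll_ctl(ep, EPOLL_CTL_DEL, p[0], NULL); /* the fix: detach while valid */
    close(p[0]);                                 /* old worker drops its fd */

    /* A "connection" arrives: data becomes readable for the new worker. */
    (void)write(p[1], "x", 1);

    struct epoll_event out[4];
    int n = epoll_wait(ep, out, 4, 0); /* pitfall: old worker is still woken */

    /* Too late: the fd number is gone, the entry can no longer be deleted. */
    errno = 0;
    *del_errno = (epoll_ctl(ep, EPOLL_CTL_DEL, p[0], NULL) < 0) ? errno : 0;

    close(new_worker_fd);
    close(p[1]);
    close(ep);
    return n;
}

int main(void)
{
    int e, n = stale_epoll_events(0, &e);
    printf("close without DEL: %d stale event(s), late DEL errno=%d (EBADF=%d)\n", n, e, EBADF);
    n = stale_epoll_events(1, &e);
    printf("DEL before close:  %d stale event(s)\n", n);
    return 0;
}
```

The same applies to a listening socket transferred across a reload: the old process must run EPOLL_CTL_DEL before closing its copy, otherwise every incoming connection wakes it until it exits.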