Hi,
HAProxy 2.2.34 was released on 2025/04/23. It added 82 new commits after
version 2.2.33. This version contains one year of fixes and will be the
last one for branch 2.2 (as such it was marked EOL in haproxy -vv). I'm
picking the relevant pieces of the changelog from 2.4.27/28/29. Nothing
looks really important, as expected.
It tends to make modern compilers complain (that was already the case with
2.2.33). I've backported a few build fixes, but the CI still doesn't like
it so I've run the tests manually. I could at least build it and test it
on Linux (ubuntu 20/gcc-9 armv7/aarch64/x86_64, ubuntu 22/gcc-11 aarch64,
slackware 15 x86_64), FreeBSD 13/clang x86_64 and OpenBSD 7.6/gcc-8
mips64.
This version contains the following fixes:
- one fix was applied for better HTTP error reporting. In some cases, initial
server errors resulting in a 502 were incorrectly hidden and are now properly
reported and logged.
- on the backend side, an issue was found with NTLM headers. Seeing them
caused the backend connection to be dynamically marked as private in order
to prevent HTTP reuse. However, this is conceptually wrong when using the
HTTP/2 multiplexer on the backend side with http-reuse set to aggressive or
higher, as this connection may already be shared across several clients.
Thus, NTLM headers are simply ignored in this case.
- for the SSL stack, cipher algorithm negotiation was adjusted, as haproxy
could have chosen an ECDSA certificate even when it was not compatible with
the client's algorithms, instead of falling back to RSA.
- a Solaris user reported that external checks were causing an infinite
loop. This was due to wrong signal handling in evports, the Solaris polling
mechanism, present since its first introduction in haproxy.
- an issue in SPOE could cause a thread to refrain from creating an applet
to connect to the external agent, causing failures for requests processed
on this thread.
- it was possible to crash the process when performing an implicit
protocol upgrade (TCP to HTTP, due to a transition from a TCP frontend to
an HTTP backend) if an error happened on the connection just before the
transition.
- the descriptions of the command line options -dR and -dV were missing from
the management documentation; this is now fixed. The documentation of the
"show stat" CLI command was also updated to reflect the renaming of the
"dns" counters to "resolvers". In the configuration manual, the information
about the http-keep-alive timeout and other timeouts was improved.
- the handling of too many headers in received H2 messages was fixed. The
maximum number of headers allowed in HEADERS frames on the sending path was
lower than on the receiving path. This could lead to reporting sending
errors for a message that had been accepted, which was confusing. In
addition, unlike H1, the number of headers must be limited when H2 messages
are sent, to comply with the limitation imposed by the protocol. This limit
was increased to support header rewriting without issue.
- in the H2 multiplexer, on the server side, it was possible to send a
RST_STREAM frame for a stream with no ID assigned yet, i.e. before the
HEADERS frame was formatted, because the session was aborted during the
connection stage. This was an issue if it happened before the H2 preface
was sent, because it prevented servers from recognizing the connection as
H2, leading to an early connection closure. We now take care not to emit a
RST_STREAM frame in that case.
- the request state was not properly reset on L7 retry: the request channel
flag indicating that some data were sent was not reset on retry. This could
cause a subsequent connection error to be considered an L7 error while the
request was never sent. In that case the request could be lost, leading to
a crash.
- the SIGINT signal could be missed by HAProxy when it was started in the
background in a subshell. This was the root cause of some unexpected
timeouts with VTest scripts. To fix the issue, the default signal handler
is now registered for SIGINT during init.
- an API issue in the applets could have resulted in some shutdown or
error conditions being missed in the future, so it was fixed as a
preventive measure. Fixing it uncovered a bug in the CLI's "_getsocks"
handler that was causing an infinite loop during reloads, and another one
in the SPOE applet where the applet would never shut down (neither appeared
in a released version); these bugs were also fixed.
- a BUG_ON() could be triggered when using filters with no http_payload
callback.
- a bug in htx_xfer_blks() could result in occasionally transferring more
blocks than requested on 32-bit platforms.
- some TLSv1.3 signature algorithms were not recognized by the ClientHello
parser, which was written before TLSv1.3. The ones that were not correctly
supported were based on RSA-PSS, and this could have resulted in presenting
a wrong certificate when both RSA and ECDSA ones were present for the same
SNI.
- a use-after-free was occasionally possible in Lua applets handling CLI
keywords, causing random crashes. It was apparently difficult to trigger
and apparently did not happen before 3.0.
- leading and trailing spaces are now properly trimmed from h2 header
values. It had been observed that some rare clients keep the space
after the comma when splitting "cookie" values, causing errors between
haproxy and servers.
- stick-tables could learn entries from peers with an expiration date
further in the future than what their own expire setting permits, making
entries resulting from a temporary misconfiguration very difficult to evict
from a cluster (e.g. mistakenly writing "24d" instead of "24h" makes
entries persist for 3 weeks, even across reloads). Now the entries'
expiration date is capped to the stick table's setting.
- the regsub converter, used to perform regex-based substitutions, checked
the remaining room in the buffer against the initially available size for
each replaced pattern instead of against the remaining size. This was
reported by Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean
Labs, and was assigned CVE-2025-32464. The risk is quite low since such
configurations are quite unlikely, and in the rare cases where they happen
the replacement involves static contents, so the risk is essentially a
crash.
- a few issues in the peers section parser and the config consistency
checker, possibly causing misbehavior or even a segfault.
- the FCGI multiplexer would always force the status to 302 when seeing a
Location header, possibly overwriting another status code.
- a few doc/ci/build updates
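As an added illustration of the stick-table expiration cap mentioned above
(this is stand-alone example code, not haproxy's own implementation), the
snippet below parses a haproxy-style duration with the unit suffixes from
the configuration manual and clamps a lifetime learned from a peer to the
local table's expire setting, so that a "24d" typo on one node cannot pin
entries across the cluster. The function names and the constructed "24h"
versus "24d" case are assumptions of this example.

```c
/*
 * Added illustration of the stick-table expiration cap, not haproxy's own
 * code. A peer may advertise an entry lifetime longer than what the local
 * table's "expire" setting allows; the learned value is clamped to the
 * local setting so that a bad unit in another node's config cannot pin
 * entries in the whole cluster.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parses a haproxy-style duration ("24h", "500ms", "1d") into milliseconds.
 * Suffixes follow the configuration manual (us, ms, s, m, h, d); a bare
 * number is taken as milliseconds, as for the "expire" keyword. Returns -1
 * on a malformed string. */
long long parse_duration_ms(const char *s)
{
    char *end;
    unsigned long long val;

    if (!s || !isdigit((unsigned char)*s))
        return -1;
    val = strtoull(s, &end, 10);
    if (!*end || !strcmp(end, "ms")) return (long long)val;
    if (!strcmp(end, "us")) return (long long)(val / 1000);
    if (!strcmp(end, "s"))  return (long long)val * 1000;
    if (!strcmp(end, "m"))  return (long long)val * 60 * 1000;
    if (!strcmp(end, "h"))  return (long long)val * 3600 * 1000;
    if (!strcmp(end, "d"))  return (long long)val * 86400 * 1000;
    return -1;
}

/* Clamps a remaining lifetime learned from a peer to the local expire.
 * A negative (malformed) learned value expires the entry immediately. */
long long cap_learned_expire(long long local_expire_ms, long long learned_ms)
{
    if (learned_ms < 0)
        return 0;
    return learned_ms > local_expire_ms ? local_expire_ms : learned_ms;
}

/* Constructed case from the text: the local table says "expire 24h" while
 * a misconfigured peer learned its entries with "24d". */
long long demo_capped_expire(void)
{
    return cap_learned_expire(parse_duration_ms("24h"),
                              parse_duration_ms("24d"));
}

int main(void)
{
    printf("24d = %lld ms, 24h = %lld ms, kept locally: %lld ms\n",
           parse_duration_ms("24d"), parse_duration_ms("24h"),
           demo_capped_expire());
    return 0;
}
```

Before the fix, the learned 24-day lifetime would have been stored as-is on
every node that received it; with the cap, it is reduced to the local
24-hour setting on arrival.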
A number of lower importance fixes were just not backported from 2.4 as
not worth the effort and/or needlessly risky.
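To make the regsub room check (CVE-2025-32464) concrete, here is an added,
stand-alone model of a back-reference expander; it is example code written
for this note, not haproxy's sample_conv_regsub(). It expands a replacement
template in which \0..\9 refer to captured groups into a fixed-size output
area and can run with either the flawed check (each copied piece compared
against the initial room) or the corrected one (compared against the room
still free). The group contents, the 16-byte output size and the function
names are constructed for the example; the declared output area sits inside
a larger backing array so the flawed variant can overrun it here without
undefined behaviour.

```c
/*
 * Added model of the regsub room check (CVE-2025-32464). Not haproxy code.
 * \0..\9 in <tmpl> refer to captured groups; everything else is copied
 * literally into a fixed-size output area.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REGSUB_MAX_GROUPS 10

/* Expands <tmpl> into <dst>, which has <initial_room> bytes available.
 * <groups> holds the captured substrings (NULL entries expand to "").
 * With check_initial=1 the check is the flawed one: each piece is only
 * compared against the initial room, so several pieces that each fit can
 * together exceed the buffer. With check_initial=0 the free space is
 * recomputed before each copy. Returns the number of bytes written, or -1
 * when a piece does not fit. */
int regsub_expand(const char *tmpl,
                  const char *const groups[REGSUB_MAX_GROUPS],
                  char *dst, size_t initial_room, int check_initial)
{
    size_t written = 0;
    const char *p;

    for (p = tmpl; *p; p++) {
        const char *src;
        size_t n, room;

        if (*p == '\\' && p[1] >= '0' && p[1] <= '9') {
            /* back-reference: copy the whole captured group */
            src = groups[p[1] - '0'] ? groups[p[1] - '0'] : "";
            n = strlen(src);
            p++;
        } else {
            /* literal byte from the template */
            src = p;
            n = 1;
        }

        room = check_initial ? initial_room : initial_room - written;
        if (n > room)
            return -1;
        memcpy(dst + written, src, n);
        written += n;
    }
    return (int)written;
}

/* The declared output area is OUT_CAP bytes, but it sits inside a larger
 * backing array so that the flawed check can overrun it in this model
 * without undefined behaviour. Any return value above OUT_CAP is an
 * overflow that a real fixed buffer would not have survived. */
#define OUT_CAP 16
#define SLACK   64

int demo_regsub(int check_initial)
{
    char backing[OUT_CAP + SLACK];
    /* constructed input: group 1 is 6 bytes and the template repeats it
     * 4 times, so the expansion needs 24 bytes but only 16 are declared */
    const char *groups[REGSUB_MAX_GROUPS] = { "aaaaaa", "aaaaaa" };

    memset(backing, 0, sizeof(backing));
    return regsub_expand("\\1\\1\\1\\1", groups, backing, OUT_CAP,
                         check_initial);
}

/* A replacement that fits is accepted by the corrected check. */
int demo_regsub_fits(void)
{
    char backing[OUT_CAP + SLACK];
    const char *groups[REGSUB_MAX_GROUPS] = { "ab", "ab" };

    memset(backing, 0, sizeof(backing));
    return regsub_expand("\\1-\\1", groups, backing, OUT_CAP, 0);
}

int main(void)
{
    int flawed = demo_regsub(1), fixed = demo_regsub(0);

    printf("flawed check wrote %d bytes into a %d-byte area (%s)\n",
           flawed, OUT_CAP, flawed > OUT_CAP ? "overflow" : "ok");
    printf("corrected check returned %d (refused)\n", fixed);
    printf("fitting replacement wrote %d bytes\n", demo_regsub_fits());
    return 0;
}
```

The flawed variant accepts each 6-byte piece because 6 fits in the initial
16 bytes, and ends up writing 24; the corrected variant refuses the third
piece once only 4 bytes remain. This matches the description above: a
config needs a replacement that expands the same or several groups enough
times to exceed the output buffer, which is why such configs are rare.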
Let me insist again that this version now reached end of life, so in
theory it should not be deployed, or only as a temporary solution to help
with a transition to a newer one. If you're still on 2.2 and don't know
what version to choose, first, skip 2.4 which dies next year. If you want
something super stable, 2.6 is a good one. For more responsiveness from
developers and the community in general, better pick 3.0 or above. Note
that counter-intuitively, the reliability of 3.x could actually surpass
that of older versions thanks to a cleaner architecture and better
troubleshooting tools in general. Now's time to say goodbye to 2.2.
Please find the usual URLs below:
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.2/src/
Git repository : https://git.haproxy.org/git/haproxy-2.2.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.2.git
Changelog : https://www.haproxy.org/download/2.2/src/CHANGELOG
Dataplane API :
https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (2):
BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
SCRIPTS: git-show-backports: do not truncate git-show output
Aurelien DARRAGON (10):
BUG/MINOR: log: fix lf_text_len() truncate inconsistency
BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
BUG/MEDIUM: fd: prevent memory waste in fdtab array
CLEANUP: hlua: use hlua_pusherror() where relevant
DOC: management: rename show stats domain cli "dns" to "resolvers"
BUG/MINOR: hlua: report proper context upon error in
hlua_cli_io_handler_fct()
DOC: lua: fix yield-dependent methods expected contexts
BUG/MINOR: stktable: fix big-endian compatiblity in smp_to_stkey()
BUG/MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup()
Bertrand Jacquin (1):
MINOR: build: force CC to set a return code when probing options
Christopher Faulet (25):
BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server
connection
BUG/MEDIUM: stconn: Don't forward channel data if input data must be
filtered
BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L
header
BUG/MINOR: stats: Don't state the 303 redirect response is chunked
BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current
thread
BUG/MINOR: cli: Atomically inc the global request counter between CLI
commands
BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no
longer ready
BUG/MEDIUM: cli: Always release back endpoint between two commands on the
mcli
BUG/MINOR: server: Don't warn fallback IP is used during init-addr
resolution
BUG/MEDIUM: mux-h2: Don't send RST_STREAM frame for streams with no ID
BUG/MINOR: http_ana: Report -1 for %Tr for invalid response only
DOC: config: Slightly improve the %Tr documentation
BUG/MEDIUM: mux-h2: Increase max number of headers when encoding HEADERS
frames
BUG/MEDIUM: mux-h2: Check the number of headers in HEADERS frame after
decoding
BUG/MEDIUM: http-ana: Reset request flag about data sent to perform a L7
retry
BUG/MINOR: h1-htx: Use default reason if not set when formatting the
response
BUG/MINOR: spoe: Check the shared waiting queue to shut applets during
stopping
BUG/MINOR: spoe: Allow applet creation when closing the last one during
stopping
REGTESTS: Fix truncated.vtc to send 0-CRLF
BUG/MINOR: cli: Wait for the last ACK when FDs are xferred from the old
worker
BUG/MEDIUM: filters: Handle filters registered on data with no payload
callback
BUG/MINOR: fcgi: Don't set the status to 302 if it is already set
BUG/MINOR: cli: Fix a possible infinite loop in _getsocks()
BUG/MINOR: stats-json: Define JSON_INT_MAX as a signed integer
BUILD: makefile: Redirect stderr to /dev/null when probing options
Emeric Brun (2):
BUG/MINOR: peers: fix expire learned from a peer not converted from ms to
ticks
BUG/MEDIUM: peers: prevent learning expiration too far in futur from
unsync node
Ilia Shipitsin (2):
BUG/MINOR: fcgi-app: handle a possible strdup() failure
BUG/MINOR: namespace: handle a possible strdup() failure
Ilya Shipitsin (1):
CI: introduce scripts/build-vtest.sh for installing VTest
Lukas Tribus (1):
DOC: option redispatch should mention persist options
Valentine Krasnobaeva (8):
BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
DOC/MINOR: management: add missed -dR and -dv options
BUG/MINOR: cfgparse-global: fix allowed args number for setenv
BUG/MINOR: mworker: fix mworker-max-reloads parser
BUG/MINOR: signal: register default handler for SIGINT in signal_init()
BUG/MINOR: ssl: put ssl_sock_load_ca under SSL_NO_GENERATE_CERTIFICATES
BUG/MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers
William Lallemand (8):
DOC: configuration: clarify ciphersuites usage
DOC: configuration: clarify ciphersuites usage (V2)
BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA
configuration
DOC: configuration: fix alphabetical order of bind options
BUG/MINOR: ssl: can't load a separated key file with openssl > 3.0
BUG/MEDIUM: ssl: chosing correct certificate using RSA-PSS with TLSv1.3
BUG/MEDIUM: htx: wrong count computation in htx_xfer_blks()
TESTS: ist: fix wrong array size
Willy Tarreau (22):
BUG/MEDIUM: connection: report connection errors even when no mux is
installed
BUG/MEDIUM: evports: do not clear returned events list on signal
BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of
sockets
BUG/MINOR: h1: fix detection of upper bytes in the URI
BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
BUILD: fd: errno is also needed without poll()
BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state
warning
CI: scripts: fix build of vtest regarding option -C
BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
BUG/MINOR: polling: fix time reporting when using busy polling
DOC: config: improve the http-keep-alive section
BUG/MEDIUM: checks: make sure to always apply offsets to now_ms in
expiration
BUG/MINOR: peers: make sure to always apply offsets to now_ms in
expiration
MINOR: cli: export cli_io_handler() to ease symbol resolution
BUG/MEDIUM: sample: fix risk of overflow when replacing multiple regex
back-refs
BUILD: makefile: silence deprecated declarations when using OpenSSL
MINOR: version: set the EOL for the 2.2 branch
BUILD: config: fix again bugs gcc warnings on calloc [try 2]
BUG/MINOR: h2: always trim leading and trailing LWS in header values
---