From: Christopher Faulet
Date: Fri, 3 Oct 2025 10:59:17 +0000 (+0200)
Subject: [RELEASE] Released version 3.0.12
X-Git-Tag: v3.0.12^0
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=21a355d3bbe6003772ea069fe7af88400b0d9a9a;p=haproxy-3.0.git

[RELEASE] Released version 3.0.12

Released version 3.0.12 with the following main changes :
    - BUG/MEDIUM: peers: also limit the number of incoming updates
    - BUG/MINOR: mux-quic: do not decode if conn in error
    - MINOR: quic: rename min/max fields for congestion window algo
    - BUG/MINOR: quic: ensure cwnd limits are always enforced
    - BUILD: tools: properly define ha_dump_backtrace() to avoid a build warning
    - DOC: config: Fix a typo in 2.7 (Name format for maps and ACLs)
    - BUG/MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout
    - BUG/MINOR: quic: Missing SSL session object freeing
    - BUG/MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info
    - BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing
    - BUG/MINOR: config/server: reject QUIC addresses
    - BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available
    - MINOR: cli: handle EOS/ERROR first
    - BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
    - BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
    - BUG/MINOR: hlua_fcn: restore server pairs iterator pointer consistency
    - BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator
    - MINOR: compiler: add __nonstring macro
    - MINOR: http: add a function to validate characters of :authority
    - BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly
    - BUG/MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field
    - DOC: config: prefer-last-server: add notes for non-deterministic algorithms
    - BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
    - BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
    - BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
    - DOC: configuration: add details on prefer-client-ciphers
    - BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
    - MINOR: quic: Useless TX buffer size reduction in closing state
    - SCRIPTS: drop the HTML generation from announce-release
    - BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
    - BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending
    - BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
    - DOC: Fix 'jwt_verify' converter doc
    - BUG/MINOR: httpclient: wrongly named httpproxy flag
    - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.
    - DOC: deviceatlas build clarifications
    - BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
    - BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
    - BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
    - BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
    - BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
    - BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
    - DOC: management: clarify usage of -V with -c
    - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
    - BUG/MINOR: listener: really assign distinct IDs to shards
    - BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
    - BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
    - BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
    - BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
    - BUG/MINOR: http-client: Reject any 101-switching-protocols response
    - BUG/MEDIUM: http-client: Drain the request if an early response is received
    - BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
    - BUG/MINOR: quic: Wrong source address use on FreeBSD
    - BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
    - BUG/MINOR: halog: exit with error when some output filters are set simultaneosly
    - BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
    - DOC: list missing global QUIC settings
    - BUILD: compat: provide relaxed versions of the MIN/MAX macros
    - BUILD: compat: always set _POSIX_VERSION to ease comparisons
    - BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
    - BUG/MEDIUM: ssl: Fix 0rtt to the server
    - BUG/MEDIUM: ssl: fix build with AWS-LC
    - BUG/MINOR: init: Initialize random seed earlier in the init process
    - DOC: management: fix typo in commit f4f93c56
    - DOC: config: recommend single quoting passwords
    - BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer
    - BUG/MINOR: mux-h1: fix wrong lock label
    - BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
    - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
    - MINOR: quic: centralize padding for HP sampling on packet building
    - BUG/MEDIUM: stconn: Fix conditions to know an applet can get data from stream
    - BUG/MEDIUM: Remove sync sends from streams to applets
    - BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
    - MINOR: quic: remove ->offset qf_crypto struct field
    - BUG/MINOR: mux-quic: trace with non initialized qcc
    - BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
    - BUG/MINOR: connection: rearrange union list members
    - BUG/MINOR: connection: remove extra session_unown_conn() on reverse
    - BUG/MINOR: server: decrement session idle_conns on del server
    - DOC: unreliable sockpair@ on macOS
    - DOC: configuration: confuse "strict-mode" with "zero-warning"
    - MINOR: doc: add missing statistics column
    - MINOR: doc: add missing statistics column
    - CLEANUP: quic: remove a useless CRYPTO frame variable assignment
    - BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
    - BUG/MAJOR: mux-quic: fix crash on reload during emission
    - REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching method
    - BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
    - BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
    - BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
    - BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse()
    - BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
    - BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
    - BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()
    - BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
    - BUG/MINOR: quic: fix room check if padding requested
    - BUG/MINOR: quic: fix padding issue on INITIAL retransmit
    - BUG/MINOR: haproxy: be sure not to quit too early on soft stop
    - BUILD: acl: silence a possible null deref warning in parse_acl_expr()
    - MINOR: quic: Add more information about RX packets
    - REGTESTS: explicitly use "balance roundrobin" where RR is needed
    - BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
    - BUG/MINOR: connection: streamline conn detach from lists
    - BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()
    - BUILD: trace: silence a bogus build warning at -Og
    - BUG/MINOR: cpu_topo: work around a small bug in musl's CPU_ISSET()
    - CLEANUP: quic: fix typo in quic_tx trace
    - OPTIM: check: do not delay MUX for ALPN if SSL not active
    - BUG/MEDIUM: checks: fix ALPN inheritance from server
    - BUG/MEDIUM: h1: Allow reception if we have early data
    - BUG/MEDIUM: ssl: create the mux immediately on early data
    - BUG/MINOR: activity: fix reporting of task latency
    - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
    - BUG/MAJOR: stream: Force channel analysis on successful synchronous send
    - BUG/MINOR: ocsp: Crash when updating CA during ocsp updates
    - BUG/MINOR: resolvers: always normalize FQDN from response
    - BUG/MEDIUM: ring: invert the length check to avoid an int overflow
    - MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function
    - BUG/MEDIUM: server: Use sni as pool connection name for SSL server only
    - BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
    - OPTIM: sink: reduce contention on sink_announce_dropped()
    - BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt
    - BUILD: halog: misleading indentation in halog.c
    - MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
    - BUG/MINOR: pattern: Properly flag virtual maps as using samples
    - BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix
    - BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file
    - DOC: config: clarify some known limitations of the json_query() converter
    - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
    - BUG/MINOR: h2: forbid 'Z' as well in header field names checks
    - BUG/MINOR: h3: forbid 'Z' as well in header field names checks
    - Revert "MINOR: quic: Useless TX buffer size reduction in closing state"
---

diff --git a/CHANGELOG b/CHANGELOG index f33b06b..d4d30d2 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,6 +1,140 @@ ChangeLog : =========== +2025/10/03 : 3.0.12 + - BUG/MEDIUM: peers: also limit the number of incoming updates + - BUG/MINOR: mux-quic: do not decode if conn in error + - MINOR: quic: rename min/max fields for congestion window algo + - BUG/MINOR: quic: ensure cwnd limits are always enforced + - BUILD: tools: properly define ha_dump_backtrace() to avoid a build warning + - DOC: config: Fix a typo in 2.7 (Name format for maps and ACLs) + - BUG/MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout + - BUG/MINOR: quic: Missing SSL session object freeing + - BUG/MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info + - BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing + - BUG/MINOR: config/server: reject QUIC addresses + - BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available + - MINOR: cli: handle EOS/ERROR first + - BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported + - BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers + - BUG/MINOR: hlua_fcn: restore server pairs iterator pointer consistency + - BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator + - MINOR: compiler: add __nonstring macro + - MINOR: http: add a function to validate characters of :authority + - BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly + - BUG/MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field + - DOC: config: prefer-last-server: add notes for non-deterministic algorithms + - BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream + - BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself + - BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation + - DOC: configuration: add details on prefer-client-ciphers + - BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding + - MINOR: quic: Useless TX buffer 
size reduction in closing state + - SCRIPTS: drop the HTML generation from announce-release + - BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services + - BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending + - BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter + - DOC: Fix 'jwt_verify' converter doc + - BUG/MINOR: httpclient: wrongly named httpproxy flag + - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations. + - DOC: deviceatlas build clarifications + - BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet + - BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket + - BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket + - BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established + - BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options + - BUG/MINOR: hlua: take default-path into account with lua-load-per-thread + - DOC: management: clarify usage of -V with -c + - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory + - BUG/MINOR: listener: really assign distinct IDs to shards + - BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred + - BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred + - BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred + - BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode + - BUG/MINOR: http-client: Reject any 101-switching-protocols response + - BUG/MEDIUM: http-client: Drain the request if an early response is received + - BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM + - BUG/MINOR: quic: Wrong source address use on FreeBSD + - BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init + - BUG/MINOR: halog: exit with error when some output filters are set simultaneosly + - BUG/MEDIUM: 
threads: Disable the workaround to load libgcc_s on macOS + - DOC: list missing global QUIC settings + - BUILD: compat: provide relaxed versions of the MIN/MAX macros + - BUILD: compat: always set _POSIX_VERSION to ease comparisons + - BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR + - BUG/MEDIUM: ssl: Fix 0rtt to the server + - BUG/MEDIUM: ssl: fix build with AWS-LC + - BUG/MINOR: init: Initialize random seed earlier in the init process + - DOC: management: fix typo in commit f4f93c56 + - DOC: config: recommend single quoting passwords + - BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer + - BUG/MINOR: mux-h1: fix wrong lock label + - BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested + - BUG/MAJOR: quic: fix INITIAL padding with probing packet only + - MINOR: quic: centralize padding for HP sampling on packet building + - BUG/MEDIUM: stconn: Fix conditions to know an applet can get data from stream + - BUG/MEDIUM: Remove sync sends from streams to applets + - BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets + - MINOR: quic: remove ->offset qf_crypto struct field + - BUG/MINOR: mux-quic: trace with non initialized qcc + - BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found + - BUG/MINOR: connection: rearrange union list members + - BUG/MINOR: connection: remove extra session_unown_conn() on reverse + - BUG/MINOR: server: decrement session idle_conns on del server + - DOC: unreliable sockpair@ on macOS + - DOC: configuration: confuse "strict-mode" with "zero-warning" + - MINOR: doc: add missing statistics column + - MINOR: doc: add missing statistics column + - CLEANUP: quic: remove a useless CRYPTO frame variable assignment + - BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete() + - BUG/MAJOR: mux-quic: fix crash on reload during emission + - REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching 
method + - BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server + - BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url() + - BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger() + - BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse() + - BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen() + - BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options() + - BUG/MINOR: tools: Add OOM check for malloc() in indent_msg() + - BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames + - BUG/MINOR: quic: fix room check if padding requested + - BUG/MINOR: quic: fix padding issue on INITIAL retransmit + - BUG/MINOR: haproxy: be sure not to quit too early on soft stop + - BUILD: acl: silence a possible null deref warning in parse_acl_expr() + - MINOR: quic: Add more information about RX packets + - REGTESTS: explicitly use "balance roundrobin" where RR is needed + - BUG/MEDIUM: conn: fix UAF on connection after reversal on edge + - BUG/MINOR: connection: streamline conn detach from lists + - BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list() + - BUILD: trace: silence a bogus build warning at -Og + - BUG/MINOR: cpu_topo: work around a small bug in musl's CPU_ISSET() + - CLEANUP: quic: fix typo in quic_tx trace + - OPTIM: check: do not delay MUX for ALPN if SSL not active + - BUG/MEDIUM: checks: fix ALPN inheritance from server + - BUG/MEDIUM: h1: Allow reception if we have early data + - BUG/MEDIUM: ssl: create the mux immediately on early data + - BUG/MINOR: activity: fix reporting of task latency + - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval + - BUG/MAJOR: stream: Force channel analysis on successful synchronous send + - BUG/MINOR: ocsp: Crash when updating CA during ocsp updates + - BUG/MINOR: resolvers: always normalize FQDN from 
response + - BUG/MEDIUM: ring: invert the length check to avoid an int overflow + - MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function + - BUG/MEDIUM: server: Use sni as pool connection name for SSL server only + - BUG/MINOR: server: Update healthcheck when server settings are changed via CLI + - OPTIM: sink: reduce contention on sink_announce_dropped() + - BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt + - BUILD: halog: misleading indentation in halog.c + - MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI + - BUG/MINOR: pattern: Properly flag virtual maps as using samples + - BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix + - BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file + - DOC: config: clarify some known limitations of the json_query() converter + - BUG/CRITICAL: mjson: fix possible DoS when parsing numbers + - BUG/MINOR: h2: forbid 'Z' as well in header field names checks + - BUG/MINOR: h3: forbid 'Z' as well in header field names checks + - Revert "MINOR: quic: Useless TX buffer size reduction in closing state" + 2025/06/02 : 3.0.11 - BUG/MEDIUM: mux-fcgi: Try to fully fill demux buffer on receive if not empty - BUG/MINOR: cli: Issue an error when too many args are passed for a command diff --git a/VERDATE b/VERDATE index 8b46fb9..0e8fcef 100644 --- a/VERDATE +++ b/VERDATE @@ -1,2 +1,2 @@ $Format:%ci$ -2025/06/02 +2025/10/03 diff --git a/VERSION b/VERSION index 778bf95..f93fc9f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.0.11 +3.0.12 diff --git a/doc/configuration.txt b/doc/configuration.txt index 45ee86e..1f77080 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -3,7 +3,7 @@ Configuration Manual ---------------------- version 3.0 - 2025/06/02 + 2025/10/03 This document covers the configuration language as implemented in the version
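
Review bot: In the CHANGELOG hunk, the entry "BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing" carries a misspelled severity tag, so anyone filtering the 3.0.12 entries on "BUG/MINOR" will not see it; spelling the tag BUG/MINOR in the changelog line would fix that. In the same hunk, "MINOR: doc: add missing statistics column" is listed twice in a row with nothing to tell the two entries apart, and "MINOR: quic: Useless TX buffer size reduction in closing state" is listed on its own while its Revert only appears as the last entry of the release, so a reader who stops at the first mention cannot tell the change was backed out. A short annotation on the earlier quic entry, and a distinguishing word on the second doc entry, would make the list unambiguous.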