Rpm Haproxy Versions

HAProxy RPM spec and builds for CentOS/RHEL 6/7/8

1.8.14

5 years ago

HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits after version 1.8.13.

The most important one fixes a security issue reported by Tim Düsterhus and which was assigned CVE-2018-14645. There is an integer signedness issue in the HPACK decoder used in HTTP/2 which theoretically makes it possible to remotely crash an haproxy instance where HTTP/2 is in use. I want to thank Tim for his responsible reporting and Ryan O'Hara for quickly providing us with a CVE ID.

The only workaround for those who for various reasons can't immediately update, is to disable HTTP/2. But distros will provide an updated package soon. If some distro maintainers need a way to test if their version is properly fixed, please contact me privately, I'll explain how to proceed.

Two other major issues are fixed in this version, one of them related to how SSL is initialized in Lua, apparently it didn't properly consider the presence of threads, leading to random behaviours. The second only affects kqueue, I don't have the details in memory, I suspect it was causing some delays in connection processing there.

The rest is the regular list of problematic but not critical issues that need to be fixed but for which there is no emergency.
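The workaround in the announcement above (disable HTTP/2 until the update is installed) implies a quick audit: which hosts run a 1.8.x build older than 1.8.14 and still offer h2 on a bind line. The following is an added example, not part of the release announcement or of the HAProxy project; the sample version string and configuration are constructed, and treating both the alpn and npn bind keywords as ways of offering h2 is a conservative assumption of this sketch.

```python
import re
import shlex

# Release this page names as carrying the CVE-2018-14645 fix.
FIXED = (1, 8, 14)
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "HA-Proxy version 1.8.13 2018/07/30"
SAMPLE_CFG = """\
global
    maxconn 2000

frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/site.pem alpn http/1.1  # workaround applied
    default_backend be_app

backend be_app
    server app1 192.0.2.10:8080
"""


def parse_version(version_output):
    """Return (major, minor, patch) from `haproxy -v` style text, or None."""
    m = re.search(r"version (\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(g) for g in m.groups()) if m else None


def h2_bind_lines(cfg_text):
    """Return (lineno, section, line) for each bind line that offers h2."""
    hits, section = [], None
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)  # also drops "# ..." comments
        except ValueError:
            continue  # unbalanced quote: not a line this sketch can judge
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = " ".join(tokens[:2])
        elif tokens[0] == "bind":
            # Look at each "keyword value" pair on the bind line.
            for keyword, value in zip(tokens, tokens[1:]):
                if keyword in ("alpn", "npn") and "h2" in value.split(","):
                    hits.append((lineno, section, raw.strip()))
                    break
    return hits


def assess(version_output, cfg_text):
    """Combine the version check and the bind-line scan into one verdict."""
    version = parse_version(version_output)
    binds = h2_bind_lines(cfg_text)
    # HTTP/2 support arrived with the 1.8 branch; 1.8.14 carries the fix.
    in_range = version is not None and (1, 8, 0) <= version < FIXED
    return {
        "version": version,
        "h2_binds": binds,
        "needs_action": in_range and bool(binds),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_CFG)
    print("version:", result["version"], "needs action:", result["needs_action"])
    for lineno, section, line in result["h2_binds"]:
        print(f"  line {lineno} [{section}]: {line}")
```

A distribution package can carry the fix under an older upstream version number, so a positive result means "check the package changelog for CVE-2018-14645", not proof of exposure.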

1.8.12

5 years ago

[RELEASE] Released version 1.8.12

Released version 1.8.12 with the following main changes :

- BUG/MAJOR: stick_table: Complete incomplete SEGV fix
- MINOR: stick-tables: make stktable_release() do nothing on NULL

[RELEASE] Released version 1.8.11

Released version 1.8.11 with the following main changes :

- BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table
- BUG/BUILD: threads: unbreak build without threads

[RELEASE] Released version 1.8.10

Released version 1.8.10 with the following main changes :

- BUG/MINOR: lua: Socket.send threw runtime error: 'close' needs 1 arguments.
- BUG/MEDIUM: spoe: Flags are not encoded in network order
- BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags
- BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags
- BUG/MINOR: ssl/lua: prevent lua from affecting automatic maxconn computation
- BUG/MEDIUM: cache: don't cache when an Authorization header is present
- BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check failure.
- BUG/BUILD: threads: unbreak build without threads
- BUG/BUILD: fd: fix typo causing a warning when threads are disabled
- BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.
- BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file
- BUG/MEDIUM: lua/socket: Length required read doesn't work
- BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
- BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in sync mode
- MINOR: task/notification: Is notifications registered ?
- BUG/MEDIUM: lua/socket: wrong scheduling for sockets
- BUG/MAJOR: lua: Dead lock with sockets
- BUG/MEDIUM: lua/socket: Notification error
- BUG/MEDIUM: lua/socket: Sheduling error on write: may dead-lock
- BUG/MEDIUM: lua/socket: Buffer error, may segfault
- MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0
- BUG/MINOR: contrib/spoa_example: Don't reset the status code during disconnect
- BUG/MINOR: contrib/mod_defender: Don't reset the status code during disconnect
- BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect
- BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame
- BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame
- DOC: SPOE.txt: fix a typo
- DOC: contrib/modsecurity: few typo fixes
- BUG/MINOR: unix: Make sure we can transfer abns sockets on seamless reload.
- BUG/MEDIUM: threads: handle signal queue only in thread 0
- BUG/MINOR: don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing
- BUG/MINOR: signals: ha_sigmask macro for multithreading
- MINOR: lua: Increase debug information
- BUG/MAJOR: map: fix a segfault when using http-request set-map
- BUG/MINOR: lua: Segfaults with wrong usage of types.
- BUG/MAJOR: ssl: Random crash with cipherlist capture
- BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot
- BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete().
- BUG/MEDIUM: threads: Use the sync point to check active jobs and exit
- MINOR: threads: Be sure to remove threads from all_threads_mask on exit

[RELEASE] Released version 1.8.9

Released version 1.8.9 with the following main changes :

- BUG/MINOR: pattern: Add a missing HA_SPIN_INIT() in pat_ref_newid()
- BUG/MAJOR: channel: Fix crash when trying to read from a closed socket
- BUG/MINOR: log: t_idle (%Ti) is not set for some requests
- BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits
- MINOR: h2: detect presence of CONNECT and/or content-length
- BUG/MEDIUM: h2: implement missing support for chunked encoded uploads
- BUG/MINOR: lua/threads: Make lua's tasks sticky to the current thread
- BUG/MINOR: config: disable http-reuse on TCP proxies
- BUG/MINOR: checks: Fix check->health computation for flapping servers
- BUG/MEDIUM: threads: Fix the sync point for more than 32 threads
- BUG/MINOR: lua: Put tasks to sleep when waiting for data
- DOC/MINOR: clean up LUA documentation re: servers & array/table.
- BUG/MINOR: map: correctly track reference to the last ref_elt being dumped
- BUG/MEDIUM: task: Don't free a task that is about to be run.
- BUG/MINOR: lua: schedule socket task upon lua connect()
- BUG/MINOR: lua: ensure large proxy IDs can be represented
- BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR
- BUG/MEDIUM: pollers: Use a global list for fd shared between threads.
- BUG/MEDIUM: ssl: properly protect SSL cert generation
- BUG/MINOR: spoe: Mistake in error message about SPOE configuration

1.8.8

6 years ago

[RELEASE] Released version 1.8.8

Released version 1.8.8 with the following main changes :

- BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes
- BUG/MEDIUM: connection: Make sure we have a mux before calling detach().
- BUG/MINOR: http: Return an error in proxy mode when url2sa fails
- BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors.
- BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE
- MINOR: cli: Ensure the CLI always outputs an error when it should
- DOC: lua: update the links to the config and Lua API
- BUG/CRITICAL: h2: fix incorrect frame length check

1.7.11

6 years ago

[RELEASE] Released version 1.7.11

Released version 1.7.11 with the following main changes :

- BUG/MINOR: lua: Fix default value for pattern in Socket.receive
- DOC: lua: Fix typos in comments of hlua_socket_receive
- BUG/MINOR: lua: Fix return value of Socket.settimeout
- BUG/MEDIUM: stream: properly handle client aborts during redispatch
- BUG/MEDIUM: srv-state: always ensure there's a warmup task before manipulating it
- BUG/MEDIUM: stream-int: Don't loss write's notifs when a stream is woken up
- DOC: clarify the scope of ssl_fc_is_resumed
- BUG/MINOR: poll: too large size allocation for FD events
- CLEANUP: sample: Fix comment encoding of sample.c
- CLEANUP: sample: Fix outdated comment about sample casts functions
- BUG/MINOR: sample: Fix output type of c_ipv62ip
- CLEANUP: Fix typo in ARGT_MSK6 comment
- BUG/MEDIUM: standard: Fix memory leak in str2ip2()
- DOC: Describe routing impact of using interface keyword on bind lines
- BUG/MINOR: config: don't emit a warning when global stats is incompletely configured
- BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier as possible
- BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk
- MINOR/BUILD: fix Lua build on Mac OS X
- BUILD/MINOR: fix Lua build on Mac OS X (again)
- CLEANUP: ssl: Remove a duplicated #include
- BUG/MINOR: cli: Fix a typo in the 'set rate-limit' usage
- BUG/MINOR: force-persist and ignore-persist only apply to backends
- BUG/MINOR: spoa-example: unexpected behavior for more than 127 args
- BUG/MINOR: lua: return bad error messages
- BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers
- BUG/MINOR: tcp-check: use the server's service port as a fallback
- MINOR: log: stop emitting alerts when it's not possible to write on the socket
- BUG/MINOR: lua: the function returns anything
- BUG/MINOR: lua funtion hlua_socket_settimeout don't check negative values
- BUG/MINOR: email-alert: Set the mailer port during alert initialization
- BUG/MINOR: http: Return an error in proxy mode when url2sa fails
- DOC: lua: update the links to the config and Lua API
- BUG/MINOR: session: Fix tcp-request session failure if handshake.
- BUILD/BUG: enable -fno-strict-overflow by default
- DOC: log: more than 2 log servers are allowed
- DOC: don't suggest using http-server-close
- BUG/MAJOR: channel: Fix crash when trying to read from a closed socket
- BUG/MINOR: config: disable http-reuse on TCP proxies

1.8.4

6 years ago

[RELEASE] Released version 1.8.4

Released version 1.8.4 with the following main changes :

- BUG/MEDIUM: h2: properly handle the END_STREAM flag on empty DATA frames
- BUILD: ssl: silence a warning when building without NPN nor ALPN support
- BUG/MEDIUM: ssl: cache doesn't release shctx blocks
- BUG/MINOR: lua: Fix default value for pattern in Socket.receive
- DOC: lua: Fix typos in comments of hlua_socket_receive
- BUG/MEDIUM: lua: Fix IPv6 with separate port support for Socket.connect
- BUG/MINOR: lua: Fix return value of Socket.settimeout
- MINOR: dns: Handle SRV record weight correctly.
- BUG/MEDIUM: mworker: execvp failure depending on argv[0]
- MINOR: hathreads: add support for gcc < 4.7
- BUILD/MINOR: ancient gcc versions atomic fix
- BUG/MEDIUM: stream: properly handle client aborts during redispatch
- DOC: clarify the scope of ssl_fc_is_resumed
- CONTRIB: debug: fix a few flags definitions
- BUG/MINOR: poll: too large size allocation for FD events
- BUG/MEDIUM: peers: fix expire date wasn't updated if entry is modified remotely.
- MINOR: servers: Don't report duplicate dyncookies for disabled servers.
- MINOR: global/threads: move cpu_map at the end of the global struct
- MINOR: threads: add a MAX_THREADS define instead of LONGBITS
- MINOR: global: add some global activity counters to help debugging
- MINOR: threads/fd: Use a bitfield to know if there are FDs for a thread in the FD cache
- BUG/MEDIUM: threads/polling: Use fd_cache_mask instead of fd_cache_num
- BUG/MEDIUM: fd: maintain a per-thread update mask
- MINOR: fd: add a bitmask to indicate that an FD is known by the poller
- BUG/MEDIUM: epoll/threads: use one epoll_fd per thread
- BUG/MEDIUM: kqueue/threads: use one kqueue_fd per thread
- BUG/MEDIUM: threads/mworker: fix a race on startup
- BUG/MINOR: mworker: only write to pidfile if it exists
- MINOR: threads: Fix build when we're not compiling with threads.
- BUG/MINOR: threads: always set an owner to the thread_sync pipe
- BUG/MEDIUM: threads/server: Fix deadlock in srv_set_stopping/srv_set_admin_flag
- BUG/MEDIUM: checks: Don't try to release undefined conn_stream when a check is freed
- BUG/MINOR: kqueue/threads: Don't forget to close kqueue_fd[tid] on each thread
- MINOR: threads: Use __decl_hathreads instead of #ifdef/#endif
- BUILD: epoll/threads: Add test on MAX_THREADS to avoid warnings when complied without threads
- BUILD: kqueue/threads: Add test on MAX_THREADS to avoid warnings when complied without threads
- CLEANUP: sample: Fix comment encoding of sample.c
- CLEANUP: sample: Fix outdated comment about sample casts functions
- BUG/MINOR: sample: Fix output type of c_ipv62ip
- CLEANUP: Fix typo in ARGT_MSK6 comment
- BUG/MINOR: cli: use global.maxsock and not maxfd to list all FDs
- BUG/MINOR: threads: Update labels array because of changes in lock_label enum
- BUG/MINOR: epoll/threads: only call epoll_ctl(DEL) on polled FDs
- BUG/MEDIUM: spoe: Always try to receive or send the frame to detect shutdowns
- BUG/MEDIUM: spoe: Allow producer to read and to forward shutdown on request side
- BUG/MINOR: time/threads: ensure the adjusted time is always correct
- BUG/MEDIUM: standard: Fix memory leak in str2ip2()
- MINOR: init: emit warning when -sf/-sd cannot parse argument
- DOC: Describe routing impact of using interface keyword on bind lines
- DOC: Mention -Ws in the list of available options
- BUG/MINOR: config: don't emit a warning when global stats is incompletely configured

1.7.10

6 years ago

[RELEASE] Released version 1.7.10

Released version 1.7.10 with the following main changes :

- BUG/MEDIUM: connection: remove useless flag CO_FL_DATA_RD_SH
- BUG/MEDIUM: lua: HTTP services must take care of body-less status codes
- BUG/MEDIUM: stream: properly set the required HTTP analysers on use-service
- BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in TUNNEL mode
- BUG/MEDIUM: epoll: ensure we always consider HUP and ERR
- BUG/MEDIUM: http: Close streams for connections closed before a redirect
- BUG/MINOR: Lua: The socket may be destroyed when we try to access.
- BUG/MEDIUM: compression: Fix check on txn in smp_fetch_res_comp_algo
- BUG/MINOR: compression: Check response headers before http-response rules eval
- BUG/MINOR: log: fixing small memory leak in error code path.
- BUG/MINOR: contrib/halog: fixing small memory leak
- BUG/MEDIUM: tcp/http: set-dst-port action broken
- BUG/MEDIUM: tcp-check: properly indicate polling state before performing I/O
- BUG/MINOR: tcp-check: don't quit with pending data in the send buffer
- BUG/MEDIUM: tcp-check: don't call tcpcheck_main() from the I/O handlers!
- BUG/MINOR: tcp-check: don't initialize then break a connection starting with a comment
- BUG/MEDIUM: http: Return an error when url_dec sample converter failed
- BUG/MAJOR: stream-int: don't re-arm recv if send fails
- DOC: 51d: add 51Degrees git URL that points to release version 3.2.12.12
- DOC: 51d: Updated git URL and instructions for getting Hash Trie data files.
- DOC: fix some typos
- BUILD/MINOR: 51d: fix warning when building with 51Degrees release version 3.2.12.12
- MINOR: tcp-check: make tcpcheck_main() take a check, not a connection
- MINOR: checks: don't create then kill a dummy connection before tcp-checks
- DOC: 1.7 is stable
- BUG/MEDIUM: ssl: fix OCSP expiry calculation
- MINOR: server: Handle weight increase in consistent hash.
- BUG/MINOR: stats: Clear a bit more counters with in cli_parse_clear_counters().
- BUG/MINOR: ssl: ocsp response with 'revoked' status is correct
- BUG/MINOR: ssl: OCSP_single_get0_status can return -1
- BUG/MINOR: cli: restore "set ssl tls-key" command
- BUG/MEDIUM: prevent buffers being overwritten during build_logline() execution
- BUG/MINOR: spoe: Don't compare engine name and SPOE scope when both are NULL
- BUG/MINOR: dns: Fix CLI keyword declaration
- BUG/MINOR: mailers: Fix a memory leak when email alerts are released
- BUG/MINOR: cli: do not perform an invalid action on "set server check-port"
- BUG/MEDIUM: stream: don't ignore res.analyse_exp anymore
- MEDIUM: http: always reject the "PRI" method
- BUG/MEDIUM: deviceatlas: ignore not valuable HTTP request data
- BUG/MAJOR: stream: ensure analysers are always called upon close
- BUG/MEDIUM: deinit: correctly deinitialize the proxy and global listener tasks
- BUG/MINOR: Use crt_base instead of ca_base when crt is parsed on a server line
- BUG/MINOR: stream: fix tv_request calculation for applets
- BUG/MINOR: listener: Allow multiple "process" options on "bind" lines
- DOC/MINOR: intro: typo, wording, formatting fixes
- CONTRIB: halog: Add help text for -s switch in halog program
- CONTRIB: iprange: Fix compiler warning in iprange.c
- CONTRIB: halog: Fix compiler warnings in halog.c
- BUG/MINOR: http: properly detect max-age=0 and s-maxage=0 in responses
- BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork.
- BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface
- BUG/MEDIUM: http: don't disable lingering on requests with tunnelled responses
- BUG/MEDIUM: lua: fix crash when using bogus mode in register_service()
- BUG/MEDIUM: http: don't automatically forward request close

1.6.14

6 years ago

[RELEASE] Released version 1.6.14

Released version 1.6.14 with the following main changes :

- BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
- BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed
- BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
- BUG/MINOR: haproxy/cli : fix for solaris/illumos distros for CMSG* macros
- BUG/MINOR: log: pin the front connection when front ip/ports are logged
- BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue
- BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.
- DOC: fix references to the section about time format.
- BUG/MEDIUM: map/acl: fix unwanted flags inheritance.
- BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel
- BUG/MINOR: http: properly handle all 1xx informational responses
- BUG/MINOR: peers: peer synchronization issue (with several peers sections).
- BUG/MINOR: Fix the sending function in Lua's cosocket
- BUG/MINOR: lua: In error case, the safe mode is not removed
- BUG/MINOR: lua: executes the function destroying the Lua session in safe mode
- BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted
- BUG/MEDIUM: lua: bad memory access
- DOC: update CONTRIBUTING regarding optional parts and message format
- DOC: update the list of OpenSSL versions in the README
- DOC: Updated 51Degrees git URL to point to a stable version.
- BUG/MINOR: lua: always detach the tcp/http tasks before freeing them
- BUG/MEDIUM: connection: remove useless flag CO_FL_DATA_RD_SH
- BUG/MEDIUM: lua: HTTP services must take care of body-less status codes
- BUG/MEDIUM: stream: properly set the required HTTP analysers on use-service
- BUG/MEDIUM: epoll: ensure we always consider HUP and ERR
- BUG/MINOR: Lua: The socket may be destroyed when we try to access.
- BUG/MINOR: contrib/halog: fixing small memory leak
- BUG/MEDIUM: tcp-check: properly indicate polling state before performing I/O
- BUG/MINOR: tcp-check: don't quit with pending data in the send buffer
- BUG/MEDIUM: tcp-check: don't call tcpcheck_main() from the I/O handlers!
- BUG/MINOR: tcp-check: don't initialize then break a connection starting with a comment
- BUG/MEDIUM: http: Return an error when url_dec sample converter failed
- BUG/MAJOR: stream-int: don't re-arm recv if send fails
- DOC: fix some typos
- BUG/MEDIUM: ssl: fix OCSP expiry calculation
- MINOR: server: Handle weight increase in consistent hash.
- BUG/MINOR: stats: Clear a bit more counters with in cli_parse_clear_counters().
- BUG/MINOR: ssl: ocsp response with 'revoked' status is correct
- BUG/MINOR: ssl: OCSP_single_get0_status can return -1
- BUG/MEDIUM: prevent buffers being overwritten during build_logline() execution
- BUG/MINOR: mailers: Fix a memory leak when email alerts are released
- BUG/MEDIUM: stream: don't ignore res.analyse_exp anymore
- MEDIUM: http: always reject the "PRI" method
- BUG/MAJOR: stream: ensure analysers are always called upon close
- BUG/MEDIUM: deinit: correctly deinitialize the proxy and global listener tasks
- BUG/MINOR: Use crt_base instead of ca_base when crt is parsed on a server line
- BUG/MINOR: listener: Allow multiple "process" options on "bind" lines
- DOC/MINOR: intro: typo, wording, formatting fixes
- CONTRIB: halog: Add help text for -s switch in halog program
- CONTRIB: iprange: Fix compiler warning in iprange.c
- CONTRIB: halog: Fix compiler warnings in halog.c
- BUG/MINOR: http: properly detect max-age=0 and s-maxage=0 in responses
- BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork.
- BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface
- BUG/MEDIUM: lua: fix crash when using bogus mode in register_service()
- BUG/MEDIUM: http: don't automatically forward request close

1.6.12

7 years ago

2017/04/04 : 1.6.12

- DOC: Add timings events schemas
- BUG/MINOR: option prefer-last-server must be ignored in some case
- BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0
- BUG/MAJOR: channel: Fix the definition order of channel analyzers
- BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options
- BUG/MINOR: tools: fix off-by-one in port size check
- BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family
- MINOR: proto_http.c 502 error txt typo.
- DOC: add deprecation notice to "block"
- BUG/MEDIUM: tcp: don't poll for write when connect() succeeds
- BUG/MINOR: unix: fix connect's polling in case no data are scheduled
- BUG/MINOR: lua: Map.end are not reliable because "end" is a reserved keyword
- MINOR: chunks: implement a simple dynamic allocator for trash buffers
- BUG/MEDIUM: http: prevent redirect from overwriting a buffer
- BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer
- BUG/MINOR: http: Return an error when a replace-header rule failed on the response
- BUG/MINOR: sendmail: The return of vsnprintf is not cleanly tested
- BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'
- BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer
- BUG/MAJOR: stream-int: do not depend on connection flags to detect connection
- BUG/MEDIUM: connection: ensure to always report the end of handshakes
- BUG/MEDIUM: listener: do not try to rebind another process' socket
- BUG/MEDIUM: stream: fix client-fin/server-fin handling
- BUG/MEDIUM: tcp: don't require privileges to bind to device
- BUG/MEDIUM: config: reject anything but "if" or "unless" after a use-backend rule
- BUG/MINOR: checks: attempt clean shutw for SSL check
- MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller
- BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available
- BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity().
- BUG: payload: fix payload not retrieving arbitrary lengths
- MINOR: server: irrelevant error message with 'default-server' config file keyword.
- MINOR: config: warn when some HTTP rules are used in a TCP proxy
- MINOR: doc: 2.4. Examples should be 2.5. Examples
- DOC/MINOR: Fix typos in proxy protocol doc
- DOC: Protocol doc: add checksum, TLV type ranges
- DOC: Protocol doc: add SSL TLVs, rename CHECKSUM
- DOC: Protocol doc: add noop TLV
- MINOR: doc: fix use-server example (imap vs mail)
- MINOR: dns: give ability to dns_init_resolvers() to close a socket when requested
- BUG/MAJOR: dns: restart sockets after fork()
- BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
- BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
- DOC: fix parenthesis and add missing "Example" tags
- DOC: log-format/tcplog/httplog update
- DOC: Spelling fixes
- DOC: update the contributing file

1.7.5

7 years ago

2017/04/03 : 1.7.5

- BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
- BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
- BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled
- BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze
- DOC: fix parenthesis and add missing "Example" tags
- DOC: update the contributing file
- DOC: log-format/tcplog/httplog update
- MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections

1.7.2

7 years ago

HAProxy 1.7.2 was released on 2017/01/13. It added 40 new commits after version 1.7.1.

The most important fix here is for a regression introduced right before 1.7 release and randomly causing fragmented requests to be flagged as bad requests depending on the previous buffer contents ; this is more noticeable under low load with authenticated requests.

A few users having IPv6-only hosts have noticed that we broke support for resolving such addresses with the recent dynamic resolution changes. This has been fixed now.

Two users reported an issue with SNI not being properly sent to the server when health checks were enabled. This was due to the reuse of the SSL session, which must not be done if the SNI changes. This has also been fixed.

A few minor improvements were brought as well. Now when configuring http-reuse with either send-proxy or usesrc clientip, a warning will be emitted. It's now possible to select all servers on the stats page to perform a grouped action. It's possible to change the HTTP reason field in responses, and there's a new sample fetch function "fc_rcvd_proxy" to know whether or not the proxy protocol was used on the front connection (i.e. the connection comes from a trusted client).

The rest is mostly internal infrastructure fixes which don't directly translate into immediately visible bugs.

Overall things are getting better, and aside from the 2 or 3 late regressions everything is pretty normal.

Due to the bad request bug, I encourage every user of 1.7.x to upgrade to 1.7.2.

Please find the usual URLs below :

Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Sources : http://www.haproxy.org/download/1.7/src/
Git repository : http://git.haproxy.org/git/haproxy-1.7.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
Changelog : http://www.haproxy.org/download/1.7/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy

Complete changelog :

Christopher Faulet (2):
- BUG/MINOR: Fix the sending function in Lua's cosocket
- BUG/MAJOR: channel: Fix the definition order of channel analyzers

David Harrigan (1):
- MINOR: stats: Support "select all" for backend actions

Emeric Brun (1):
- MINOR: connection: add sample fetch "fc_rcvd_proxy"

Emmanuel Hocdet (1):
- BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage

Guillaume de Lafond (1):
- DOC: Add timings events schemas

Jarno Huuskonen (2):
- MINOR: proto_http.c 502 error txt typo.
- DOC: add deprecation notice to "block"

Marcin Deranek (2):
- DOC: fix small typo in fe_id (backend instead of frontend)
- BUG/MINOR: backend: nbsrv() should return 0 if backend is disabled

Olivier Doucet (1):
- BUG/MINOR: option prefer-last-server must be ignored in some case

Robin H. Johnson (1):
- MINOR: http: custom status reason.

Ryabin Sergey (1):
- BUG/MINOR: Reset errno variable before calling strtol(3)

Thierry FOURNIER (9):
- BUG/MEDIUM: lua: In some case, the return of sample-fetches is ignored (2)
- DOC: lua: documentation about time parser functions
- DOC: lua: section declared twice
- BUG/MINOR: lua/cli: bad error message
- BUG/MINOR: lua: memory leak executing tasks
- BUG/MINOR: lua: bad return code
- BUG/MINOR: stats: fix be/sessions/current out in typed stats
- BUILD: lua: build failed on FreeBSD.
- BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0

William Lallemand (1):
- BUG/MINOR: systemd: potential zombie processes

Willy Tarreau (18):
- SCRIPTS: git-show-backports: fix a harmless typo
- SCRIPTS: git-show-backports: add -H to use the hash of the commit message
- BUG/MINOR: stream-int: automatically release SI_FL_WAIT_DATA on SHUTW_NOW
- BUG/MEDIUM: ssl: properly reset the reused_sess during a forced handshake
- BUG/MEDIUM: ssl: avoid double free when releasing bind_confs
- BUG/MEDIUM: ssl: for a handshake when server-side SNI changes
- BUG/MINOR: http: report real parser state in error captures
- BUILD: scripts: automatically update the branch in version.h when releasing
- BUG/MAJOR: http: fix risk of getting invalid reports of bad requests
- BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options
- BUG/MINOR: tools: fix off-by-one in port size check
- BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family
- MEDIUM: server: split the address and the port into two different fields
- MINOR: tools: make str2sa_range() return the port in a separate argument
- MINOR: server: take the destination port from the port field, not the addr
- MEDIUM: server: disable protocol validations when the server doesn't resolve
- BUG/MEDIUM: tools: do not force an unresolved address to AF_INET:0.0.0.0
- [RELEASE] Released version 1.7.2