{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":128791889,"defaultBranch":"master","name":"haproxy","ownerLogin":"haproxy","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2018-04-09T15:17:42.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/38220289?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1719579307.0","currentOid":""},"activityList":{"items":[{"before":"a3bed52d1f84ba36af66be4317a5f746d498bdf4","after":"bbb9f8248e29e89c288ad55a0fb7c71280a335a0","ref":"refs/heads/master","pushedAt":"2024-06-28T14:29:53.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: quic: fix race-condition on trace for CID retrieval\n\nquic_rx_pkt_retrieve_conn() is used when parsing a received datagram\nfrom the listener socket. It returned the quic_conn instance\ncorresponding to the first packet DCID, unless it is mapped to another\nthread.\n\nAs expected, global CID tree access is protected by a lock in the\nfunction. However, there is a race condition due to the final trace\nwhere qc instance is dereferenced outside of the lock. 
Fix this by\nadding a new trace under lock protection and remove qc dereferencing at\nfunction end.\n\nThis may fix first crash of github issue #2607.\n\nThis must be backported up to 2.8.","shortMessageHtmlLink":"BUG/MINOR: quic: fix race-condition on trace for CID retrieval"}},{"before":"80aba1d2844165d9c6929d31cc9c2fd2e92286ed","after":"a3bed52d1f84ba36af66be4317a5f746d498bdf4","ref":"refs/heads/master","pushedAt":"2024-06-28T12:55:43.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: h3: ensure the \":scheme\" pseudo header is totally valid\n\nEnsure pseudo-header scheme is only constituted of valid characters\naccording to RFC 9110. If an invalid value is found, the request is\nrejected and stream is reset.\n\nIt's the same as for previous commit \"BUG/MEDIUM: h3: ensure the\n\":method\" pseudo header is totally valid\" except that this time it\napplies to the \":scheme\" pseudo header.\n\nThis must be backported up to 2.6.","shortMessageHtmlLink":"BUG/MEDIUM: h3: ensure the \":scheme\" pseudo header is totally valid"}},{"before":"a3bed52d1f84ba36af66be4317a5f746d498bdf4","after":null,"ref":"refs/heads/20240628-h3-1","pushedAt":"2024-06-28T12:55:07.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"}},{"before":null,"after":"a3bed52d1f84ba36af66be4317a5f746d498bdf4","ref":"refs/heads/20240628-h3-1","pushedAt":"2024-06-28T12:39:26.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: h3: ensure the \":scheme\" pseudo header is totally valid\n\nEnsure 
pseudo-header scheme is only constituted of valid characters\naccording to RFC 9110. If an invalid value is found, the request is\nrejected and stream is reset.\n\nIt's the same as for previous commit \"BUG/MEDIUM: h3: ensure the\n\":method\" pseudo header is totally valid\" except that this time it\napplies to the \":scheme\" pseudo header.\n\nThis must be backported up to 2.6.","shortMessageHtmlLink":"BUG/MEDIUM: h3: ensure the \":scheme\" pseudo header is totally valid"}},{"before":"290659ffd3a2eead918adc387e8842c59fbff2e7","after":"80aba1d2844165d9c6929d31cc9c2fd2e92286ed","ref":"refs/heads/master","pushedAt":"2024-06-28T09:41:13.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout or error\n\nThis is a complementary patch to c16eba818 (\"BUG/MEDIUM: server/dns:\npreserve server's port upon resolution timeout or error\").\n\nIndeed, since c16eba818, the port is properly preserved, but unsetting\nserver's address this way results in server_atomic_sync() function\nthinking that we're actually setting a new address and not unsetting\nthe previous one because addr family is != AF_UNSPEC.\n\nUpon DNS timeout, this could be observed:\n\n[WARNING] (2588257) : Server http/s1 is going DOWN for maintenance (DNS timeout status). 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.\n[WARNING] (2588257) : Server http/s1 ('test1.localhost') is UP/READY (resolves again).\n\nNotice that server times out and then immediately resolves again. 
Of course\nin this case the server's address was properly set to 0, meaning\nthat the server will not receive any traffic, but it is confusing and\ncould result in haproxy temporarily thinking that the server is actually\navailable while it's not.\n\nTo properly fix the issue and restore historical behavior, let's\nexplicitly set inetaddr's family to AF_UNSPEC after fetching original\nserver's address.\n\nIt should be backported in 3.0 with c16eba818.","shortMessageHtmlLink":"BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout …"}},{"before":"eec804804212374739556175f81b234d7cc8c6f0","after":"290659ffd3a2eead918adc387e8842c59fbff2e7","ref":"refs/heads/master","pushedAt":"2024-06-27T16:03:38.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: activity: make the memory profiling hash size configurable at build time\n\nThe MEMPROF_HASH_BITS variable was set to 10 without a possibility to\nchange it (beyond patching the code). After seeing a few reports already\nwith \"other\" being listed and a list with close to 1024 entries, it looks\nlike it's about time to either increase the hash size, or at least make\nit configurable for special cases. As a reminder, in order to remain\nfast, the algorithm searches no more than 16 places after the hash, so\nwhen a table is almost full, searches are long and new places are rare.\n\nThe present patch just makes it possible to redefine it by passing\n\"-DMEMPROF_HASH_BITS=11\" or \"-DMEMPROF_HASH_BITS=12\" in CFLAGS, and\nmoves the definition to defaults.h to make it easier to find. Such\nvalues should be way sufficient for the vast majority of use cases.\nMaybe in the future we'd change the default. 
At least this version\nshould be backported to ease rebuilds, say, till 2.8 or so.","shortMessageHtmlLink":"MINOR: activity: make the memory profiling hash size configurable at …"}},{"before":"ed90ad895c69a5f2f2b0c2016b667f1846b06a62","after":"eec804804212374739556175f81b234d7cc8c6f0","ref":"refs/heads/master","pushedAt":"2024-06-27T14:41:42.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: server: fix first server template name lookup UAF\n\nThis is a follow-up for 7223296 (\"BUG/MINOR: server: fix first server\ntemplate not being indexed\").\n\nIndeed, in 7223296 we added a new call to _srv_parse_set_id_from_prefix()\nfor the first server before handling additional ones. But we actually\noverlooked the fact that _srv_parse_set_id_from_prefix() was already\nperformed at the end of _srv_parse_tmpl_init() for the same server.\n\nSince _srv_parse_set_id_from_prefix() frees srv->id, it results in UAF\nwhen performing name lookups on the first server, because used_server_name\nnode key still uses the freed string pointer.\n\nThe early _srv_parse_set_id_from_prefix() call (added in 7223296) and\nthe original one perform the same task, except that the new one is\nfollowed by name node insertion logic required for name lookups to work\nproperly. So let's simply get rid of the old one at the end of the\nfunction.\n\n_srv_parse_set_id_from_prefix() in the 'err:' label was also removed since\nit is now useless as well starting with 7223296 and would trigger the same\nbug on error paths. 
Thanks to Amaury for noticing it.\n\nThis bug was discovered while trying to address GH issue #2620.\nThanks to @x-yuri for his detailed report (with working repro).\n\nIt should be backported in 3.0 with 7223296.","shortMessageHtmlLink":"BUG/MINOR: server: fix first server template name lookup UAF"}},{"before":"ad946a704dc19b1a5aa51692ca7aafb5b015ba7c","after":"ed90ad895c69a5f2f2b0c2016b667f1846b06a62","ref":"refs/heads/master","pushedAt":"2024-06-27T14:12:09.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"REORG: init: encapsulate code that reads cfg files\n\nHaproxy master process should not read its configuration the second time\nafter performing reexec and passing to MODE_MWORKER_WAIT. So, to make\nthis part of init() function more readable and to distinguish better the\npoint, where configs have been read, let's encapsulate it in a separate\nfunction.","shortMessageHtmlLink":"REORG: init: encapsulate code that reads cfg files"}},{"before":"bcf98c9b5f00855cf82eff0bcb71f142cb234bb2","after":"ad946a704dc19b1a5aa51692ca7aafb5b015ba7c","ref":"refs/heads/master","pushedAt":"2024-06-26T13:06:58.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: stick-table: Always decrement ref count before killing a session\n\nGuarded functions to kill a sticky session, stksess_kill()\nstksess_kill_if_expired(), may or may not decrement and test its reference\ncounter before really killing it. This depends on a parameter. If it is set\nto non-zero value, the ref count is decremented and if it falls to zero, the\nsession is killed. 
Otherwise, if this parameter is equal to zero, the\nsession is killed, regardless of the ref count value.\n\nIn the code, these functions are always called with a non-zero parameter and\nthe ref count is always decremented and tested. So, there is no reason to\nstill have a special case. Especially because it is not really easy to say\nif it is supported or not. Does it mean it is possible to kill a sticky\nsession while it is still referenced somewhere? Probably not. So, does it\nmean it is possible to kill an unreferenced session? This case may be\nproblematic because the session is accessed outside of any lock and thus may\nbe released by another thread because it is unreferenced. Enlarging scope of\nthe lock to avoid any issue is possible but it is a bit of a shame to do so\nbecause there is no usage for now.\n\nThe best is to simplify the API and remove this case. Now, stksess_kill()\nand stksess_kill_if_expired() functions always decrement and test the ref\ncount before killing a sticky session.","shortMessageHtmlLink":"MINOR: stick-table: Always decrement ref count before killing a session"}},{"before":"bc9821fd26b3a118415f579cdfa6e430b03f96da","after":"bcf98c9b5f00855cf82eff0bcb71f142cb234bb2","ref":"refs/heads/master","pushedAt":"2024-06-26T09:06:52.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: cfgparse/log: remove leftover dead code\n\nRemove development leftover introduced by commit 15e9c7da6 (\"MINOR: log:\nadd log-profile parsing logic\").\n\nIndeed, since \"log-profile\" section keyword is registered via\nREGISTER_CONFIG_SECTION() macro, it is not relevant to declare it in\ncommon_kw_list[] from cfgparse-global.c. 
All it does is that it could\nconfuse the user by suggesting him to use \"log-profile\" inside a global\nsection when trying to find a best match in cfg_parse_global().","shortMessageHtmlLink":"MINOR: cfgparse/log: remove leftover dead code"}},{"before":"2d27c80288c0acee85326c0574ed70d0b2e486ef","after":"bc9821fd26b3a118415f579cdfa6e430b03f96da","ref":"refs/heads/master","pushedAt":"2024-06-26T08:18:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUILD: Missing inclusion header for ssize_t type\n\nCompilation issue detected as follows by gcc:\n\nIn file included from src/ncbuf.c:19:\nsrc/ncbuf.c: In function 'ncb_write_off':\ninclude/haproxy/bug.h:144:10: error: unknown type name 'ssize_t'\n 144 | extern ssize_t write(int, const void *, size_t); \\","shortMessageHtmlLink":"BUILD: Missing inclusion header for ssize_t type"}},{"before":"8f204fa8aeadef3faea4471ba9cfd93d9d168960","after":"2d27c80288c0acee85326c0574ed70d0b2e486ef","ref":"refs/heads/master","pushedAt":"2024-06-26T06:06:25.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUILD: debug: also declare strlen() in __ABORT_NOW()\n\nPrevious commit 8f204fa8ae (\"MINOR: debug: print gdb hints when crashing\")\nbroke on the CI where strlen() isn't known. Let's forward-declare it in\nthe __ABORT_NOW() functions, just like write(). 
No backport is needed.","shortMessageHtmlLink":"BUILD: debug: also declare strlen() in __ABORT_NOW()"}},{"before":"2cd52a88bee19c8948df8a71e9494d2474f05e5b","after":"8f204fa8aeadef3faea4471ba9cfd93d9d168960","ref":"refs/heads/master","pushedAt":"2024-06-26T05:45:59.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: debug: print gdb hints when crashing\n\nTo make bug reporting easier for users, when crashing, let's suggest\nwhat to do. Typically when a BUG_ON() matches, only the current thread\nis useful the vast majority of the time, while when the watchdog\ntriggers, all threads are interesting.\n\nThe messages are printed at the end after the dump. We may adjust these\nwith wiki links in the future if more detailed instructions are relevant.","shortMessageHtmlLink":"MINOR: debug: print gdb hints when crashing"}},{"before":"a14c7d194ad27f9f84c9d42aab953a162999252a","after":"2cd52a88bee19c8948df8a71e9494d2474f05e5b","ref":"refs/heads/master","pushedAt":"2024-06-26T05:40:25.000Z","pushType":"push","commitsCount":5,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: cli/debug: show dev: show capabilities\n\nIf haproxy is compiled with Linux capabilities support, let's show process\ncapabilities before applying the configuration and at runtime in 'show dev'\ncommand output. This may be useful for debugging purposes. 
Especially in\ncases, when process changes its UID and GID to non-privileged or it\nhas started and run under non-privileged UID and needed capabilities are\nset by admin on the haproxy binary.","shortMessageHtmlLink":"MINOR: cli/debug: show dev: show capabilities"}},{"before":"d5376b7a874776b4d5d79f9b746d4654df796f85","after":"a14c7d194ad27f9f84c9d42aab953a162999252a","ref":"refs/heads/master","pushedAt":"2024-06-25T06:15:17.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DEV: flags/show-fd-to-flags: adapt to recent versions\n\nThe script hadn't been updated since it was introduced, and the\nhard-coded field 12 doesn't match anymore (it's 16 now). Let's just\nuse \"grep -o cflg...\" to extract the desired part more flexibly.\nThis can be backported at least to 3.0, probably further, but it\nwill need to be tested prior to this. Better not bring it too far,\nit's only used when debugging.","shortMessageHtmlLink":"DEV: flags/show-fd-to-flags: adapt to recent versions"}},{"before":"13e0972aeac275137b429163def950af88fecd46","after":"d5376b7a874776b4d5d79f9b746d4654df796f85","ref":"refs/heads/master","pushedAt":"2024-06-24T13:15:46.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure\n\nOn quic_tx_packet allocation failure, it is possible to trigger BUG_ON()\ncrash on INITIAL packet building. This statement is responsible to\nensure INITIAL packets are padded to 1.200 bytes as required. 
If a\npacket on higher encryption level allocation fails, PADDING frame cannot be\nproperly encoded, despite the INITIAL packet properly built.\n\nThis crash happens due to qc_txb_store() invocation after quic_tx_packet\nallocation failure to validate already built packets. However, this\nstatement is unneeded as qc_purge_tx_buf() is called just after. Simply\nremove qc_txb_store() to fix this issue.\n\nThis was detected using -dMfail.\n\nThis should be backported up to 2.6.","shortMessageHtmlLink":"BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure"}},{"before":"b27470fd1d06acd6dc33161e1fdb6743f72770df","after":"13e0972aeac275137b429163def950af88fecd46","ref":"refs/heads/master","pushedAt":"2024-06-21T16:12:54.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: api/event_hdl: small updates, fix an example and add some precisions\n\nFix an example suggesting that using EVENT_HDL_SUB_TYPE(x, y) with y being\n0 was valid. 
Then add some notes to explain how to use\nEVENT_HDL_SUB_FAMILY() and EVENT_HDL_SUB_TYPE() with valid values.\n\nAlso mention that the feature is available starting from 2.8 and not 2.7.\nFinally, perform some purely cosmetic updates.\n\nThis could be backported in 2.8.","shortMessageHtmlLink":"DOC: api/event_hdl: small updates, fix an example and add some precis…"}},{"before":"5756f10cbcf0cb4108e2ef2463bdc21682213db4","after":"b27470fd1d06acd6dc33161e1fdb6743f72770df","ref":"refs/heads/master","pushedAt":"2024-06-21T13:10:00.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"SCRIPTS: git-show-backports: do not truncate git-show output\n\ngit-show-backports lists a git-show command which can be used to inspect\nall commits subject to backport. This command specifies formatting\noption to reproduce default git-show output, especially for commit\nmessages indented with 4 spaces character. However, it also adds wrapping\non message lines longer than 72 characters. This reduces legibility of\nmessages where large info are written such as backtraces.\n\nImprove this by changing git-show format option. 
Use a limit value of 0\nto disable wrapping while preserving indentation.\n\nThis could be backported to every stable version to simplify backporting\nprocess.","shortMessageHtmlLink":"SCRIPTS: git-show-backports: do not truncate git-show output"}},{"before":"937324d493eefb54d2f68820a9afcf5cfd66bdf5","after":"5756f10cbcf0cb4108e2ef2463bdc21682213db4","ref":"refs/heads/master","pushedAt":"2024-06-20T14:39:13.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: sample: date converter takes HTTP date and output an UNIX timestamp\n\nThe `date` converter takes an HTTP date in input, it could be either a\nimf, rfc850 or asctime date. It will output an UNIX timestamp.","shortMessageHtmlLink":"MINOR: sample: date converter takes HTTP date and output an UNIX time…"}},{"before":"c714b6bb55e34c7cd2cb3ff7dbed374e6b6eae65","after":"937324d493eefb54d2f68820a9afcf5cfd66bdf5","ref":"refs/heads/master","pushedAt":"2024-06-19T13:44:37.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MAJOR: quic: do not loop on emission on closing/draining state\n\nTo emit CONNECTION_CLOSE frame, a special buffer is allocated via\nqc_txb_store(). This is due to QUIC_FL_CONN_IMMEDIATE_CLOSE flag.\nHowever this flag is reset after qc_send_ppkts() invocation to prevent\nreemission of CONNECTION_CLOSE frame.\n\nqc_send() can invoke multiple times a series of qc_prep_pkts() +\nqc_send_ppkts() to emit several datagrams. However, this may cause a\ncrash if on first loop a CONNECTION_CLOSE is emitted. On the next loop\niteration, QUIC_FL_CONN_IMMEDIATE_CLOSE is reset, thus qc_prep_pkts()\nwill use the wrong buffer size as end delimiter. 
In some cases, this may\ncause a BUG_ON() crash due to b_add() outside of buffer.\n\nThis bug can be reproduced by using a while loop of ngtcp2-client and\ninterrupting them randomly via Ctrl+C.\n\nHere is the patch which introduced this regression :\n cdfceb10ae136b02e51f9bb346321cf0045d58e0\n MINOR: quic: refactor qc_prep_pkts() loop","shortMessageHtmlLink":"BUG/MAJOR: quic: do not loop on emission on closing/draining state"}},{"before":"7422f16da3b84829f2ecf3ff393584b5c5682e06","after":"c714b6bb55e34c7cd2cb3ff7dbed374e6b6eae65","ref":"refs/heads/master","pushedAt":"2024-06-19T09:36:42.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MAJOR: quic: fix padding with short packets\n\nQUIC sending functions were extended to be more flexible. Of all the\nchanges, they support now iterating over a variable instance of QEL\ninstance of only 2 previously. This change has rendered PADDING emission\nless previsible, which was adjusted via the following patch :\n\n a60609f1aa3e5f61d2a2286fdb40ebf6936a80ee\n BUG/MINOR: quic: fix padding of INITIAL packets\n\nIts main purpose was to ensure PADDING would only be generated for the\nlast iterated QEL instance, to avoid unnecessary padding. In parallel, a\nBUG_ON() statement ensures that built INITIAL packets are always padded\nto 1.200 bytes as necessary before emitting them.\n\nThis BUG_ON() statement caused crash in one particular occurrence : when\nbuilding datagrams that mixed Initial long packets and 1-RTT short\npackets. This last occurrence type does not have a length field in its\nheader, contrary to Long packets. This caused a miscalculation for the\nnecessary padding size, with INITIAL packets not padded enough to reach\nthe necessary 1.200 bytes size.\n\nThis issue was detected on 3.0.2. It can be reproduced by using 0-RTT\ncombined with latency. 
Here are the used commands :\n\n $ ngtcp2-client --tp-file=/tmp/ngtcp2-tp.txt \\\n --session-file=/tmp/ngtcp2-session.txt --exit-on-all-streams-close \\\n 127.0.0.1 20443 \"https://[::]/?s=32o\"\n $ sudo tc qdisc add dev lo root netem latency 500ms\n\nNote that this issue cannot be reproduced on current dev version.\nIndeed, it seems that the following patch introduces a slight change in\npacket building ordering :\n\n cdfceb10ae136b02e51f9bb346321cf0045d58e0\n MINOR: quic: refactor qc_prep_pkts() loop\n\nThis must be backported to 3.0.\n\nThis should fix github issue #2609.","shortMessageHtmlLink":"BUG/MAJOR: quic: fix padding with short packets"}},{"before":"0cc2913aec965dabc579cd90a3d91a440f29967c","after":"7422f16da3b84829f2ecf3ff393584b5c5682e06","ref":"refs/heads/master","pushedAt":"2024-06-19T08:28:38.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: management: document ptr lookup for table commands\n\nAdd missing documentation and examples for the optional ptr lookup method\nfor table {show,set,clear} commands introduced in commit 9b2717e7 (\"MINOR:\nstktable: use {show,set,clear} table with ptr\"), as initially described in\nGH #2118.\n\nIt may be backported in 3.0.","shortMessageHtmlLink":"DOC: management: document ptr lookup for table commands"}},{"before":"9d312212dfa3eaf678c5fabcc6f1045192b8ef19","after":"0cc2913aec965dabc579cd90a3d91a440f29967c","ref":"refs/heads/master","pushedAt":"2024-06-18T10:16:40.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: configuration: fix alphabetical order of bind options\n\nPut the curves, ecdhe, severity-output, v4v6 and v6only keyword at the\nright place.\n\nFix issue #2594.\n\nCould 
be backported in every stable version.","shortMessageHtmlLink":"DOC: configuration: fix alphabetical order of bind options"}},{"before":"c268313f60fa220a9927eb9d86ab09714959b998","after":"9d312212dfa3eaf678c5fabcc6f1045192b8ef19","ref":"refs/heads/master","pushedAt":"2024-06-17T17:38:01.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: proxy: fix email-alert leak on deinit() (2nd try)\n\nAs shown in GH #2608 and (\"BUG/MEDIUM: proxy: fix email-alert invalid\nfree\"), simply calling free_email_alert() from free_proxy() is not the\nright thing to do.\n\nIn this patch, we reuse proxy->email_alert.set memory space to introduce\nproxy->email_alert.flags in order to support 2 flags:\nPR_EMAIL_ALERT_SET (to mimic proxy->email_alert.set) and\nPR_EMAIL_ALERT_RESOLVED (set once init_email_alert() was called on the\nproxy to resolve email_alert.mailer pointer).\n\nThanks to PR_EMAIL_ALERT_RESOLVED flag, free_email_alert() may now\nproperly handle the freeing of proxy email_alert settings: if the RESOLVED\nflag is set, then it means the .email_alert.mailers.name parsing hint was\nreplaced by the actual mailers pointer, thus no free should be attempted.\n\nNo backport needed: as described in (\"BUG/MEDIUM: proxy: fix email-alert\ninvalid free\"), this historical leak is not sensitive as it cannot be\ntriggered during runtime.. 
thus given that the fix is not backport-\nfriendly, it's not worth the trouble.","shortMessageHtmlLink":"BUG/MINOR: proxy: fix email-alert leak on deinit() (2nd try)"}},{"before":"6da0879083749d5f098b8b2f4d459a70260491d2","after":"c268313f60fa220a9927eb9d86ab09714959b998","ref":"refs/heads/master","pushedAt":"2024-06-17T15:48:52.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"REGTESTS: ssl: activate new SSL reg-tests with AWS-LC\n\nPrerequisites are now available in AWS-LC, so we can enable these\nreg-tests.\n\nWith this patch, aws-lc only has 5 reg-tests that are not working:\n- reg-tests/ssl/ssl_reuse.vtc: stateful session resumption is only supported with TLSv1.2\n- reg-tests/ssl/ssl_curve_name.vtc: function to extract curve name is not available\n- reg-tests/ssl/ssl_errors.vtc: errors are not the same as OpenSSL\n- reg-tests/ssl/ssl_dh.vtc: AWS-LC does not support DH\n- reg-tests/ssl/ssl_curves.vtc: not working correctly\n\nWhich means most of the features are working correctly.","shortMessageHtmlLink":"REGTESTS: ssl: activate new SSL reg-tests with AWS-LC"}},{"before":"983513d901bb7511ea6b1e8c3bb00d58a9d432f2","after":"6da0879083749d5f098b8b2f4d459a70260491d2","ref":"refs/heads/master","pushedAt":"2024-06-17T14:27:21.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"REGTESTS: ssl: fix some regtests 'feature cmd' start condition\n\nSince patch fde517b (\"REGTESTS: wolfssl: temporarly disable some failing\nreg-tests\") some 'feature cmd' lines have an extra quotation mark, so\nthey were disabled in every case.\n\nMust be backported to 2.9.","shortMessageHtmlLink":"REGTESTS: ssl: fix some regtests 'feature cmd' start 
condition"}},{"before":null,"after":"6da0879083749d5f098b8b2f4d459a70260491d2","ref":"refs/heads/20240617-feature-cmd","pushedAt":"2024-06-17T14:13:42.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"REGTESTS: ssl: fix some regtests 'feature cmd' start condition\n\nSince patch fde517b (\"REGTESTS: wolfssl: temporarly disable some failing\nreg-tests\") some 'feature cmd' lines have an extra quotation mark, so\nthey were disabled in every case.\n\nMust be backported to 2.9.","shortMessageHtmlLink":"REGTESTS: ssl: fix some regtests 'feature cmd' start condition"}},{"before":null,"after":"9fbd08fa748effc4a60005c9733c007ee15d940e","ref":"refs/heads/20240613-awslc-crt-list","pushedAt":"2024-06-17T13:35:25.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"REGTESTS: ssl: enable the crt-list filters test for AWS-LC\n\nPrerequisites are now available in AWS-LC, so we can enable this\nreg-test.","shortMessageHtmlLink":"REGTESTS: ssl: enable the crt-list filters test for AWS-LC"}},{"before":"dc1bca4e9f3dde1da2fcc57b2aaf7fc130fd1f87","after":"983513d901bb7511ea6b1e8c3bb00d58a9d432f2","ref":"refs/heads/master","pushedAt":"2024-06-14T16:31:57.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DEBUG: hlua: distinguish burst timeout errors from exec timeout errors\n\nhlua burst timeout was introduced in 58e36e5b1 (\"MEDIUM: hlua: introduce\ntune.lua.burst-timeout\").\n\nIt is a safety measure that allows to detect when too much time is spent\non a single lua execution (between 
2 interruptions/yields), meaning that\nthe current thread is not able to perform other tasks. Such scenario\nshould be avoided because it will cause thread contention which may have\nnegative performance impact and could cause the watchdog to trigger. When\nthe burst timeout is exceeded, the current Lua execution is aborted and a\ntimeout error is reported to the user.\n\nUnfortunately, the same error is currently being reported for cumulative\n(AKA execution) timeout and for burst timeout, which may be confusing to\nthe user.\n\nIndeed, \"execution timeout\" error historically results from the current\nhlua context exceeding the total (cumulative) time it's allowed to run.\nIt is set per lua context using the dedicated tunables:\n - tune.lua.session-timeout\n - tune.lua.task-timeout\n - tune.lua.service-timeout\n\nWe've already faced a user report where the user was able to trigger the\nburst timeout and got \"Lua task: execution timeout.\" error while the user\ndidn't set cumulative timeout. 
Thus the error was actually confusing\nbecause it was indeed the burst timeout which was causing it due to the\nuse of cpu-intensive call from within the task without sufficient manual\n\"yield\" keypoints around the cpu-intensive call to ensure it runs on a\ndedicated scheduler cycle.\n\nIn this patch we make it so burst timeout related errors are reported as\n\"burst timeout\" errors instead of \"execution timeout\" errors (which\nin fact became the generic timeout errors catchall with 58e36e5b1).\n\nTo do this, hlua_timer_check() now returns a different value depending if\nthe exceeded timeout is the burst one or the cumulative one, which allows\nus to return either HLUA_E_ETMOUT or HLUA_E_BTMOUT in hlua_ctx_resume().\n\nIt should improve the situation described in GH #2356 and may possibly be\nbackported with 58e36e5b1 to improve error reporting if it applies without\nresistance.","shortMessageHtmlLink":"DEBUG: hlua: distinguish burst timeout errors from exec timeout errors"}},{"before":"5e361c77670dc7c5ea7f18a2449695df4ba345c7","after":"dc1bca4e9f3dde1da2fcc57b2aaf7fc130fd1f87","ref":"refs/heads/master","pushedAt":"2024-06-14T14:04:35.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"[RELEASE] Released version 3.1-dev1\n\nReleased version 3.1-dev1 with the following main changes :\n - REGTESTS: Remove REQUIRE_VERSION=2.1 from all tests\n - REGTESTS: Remove REQUIRE_VERSION=2.2 from all tests\n - CI: use \"--no-install-recommends\" for apt-get\n - CI: switch to lua 5.4\n - CI: use USE_PCRE2 instead of USE_PCRE\n - DOC: replace the README by a markdown version\n - CI: VTest: accelerate package install a bit\n - ADMIN: acme.sh: remove the old acme.sh code\n - BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning\n - BUG/MINOR: tcpcheck: report correct error in tcp-check rule 
parser\n - BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory\n - DOC: configuration: add an example for keywords from crt-store\n - CI: speedup apt package install\n - DOC: add the FreeBSD status badge to README.md\n - DOC: change the link to the FreeBSD CI in README.md\n - MINOR: stktable: avoid ambiguous stktable_data_ptr() usage in cli_io_handler_table()\n - BUG/MINOR: hlua: use CertCache.set() from various hlua contexts\n - CLEANUP: hlua: fix CertCache class comment\n - CI: FreeBSD: upgrade image, packages\n - BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless\n - MEDIUM: stconn: Be able to unblock zero-copy data forwarding from done_fastfwd\n - BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be released\n - BUG/MINOR: quic: prevent crash on qc_kill_conn()\n - CLEANUP: hlua: use hlua_pusherror() where relevant\n - BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP\n - BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage\n - BUG/MINOR: hlua: prevent LJMP in hlua_traceback()\n - CLEANUP: hlua: get rid of hlua_traceback() security checks\n - BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path\n - CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()\n - BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during nego\n - MINOR: mux-quic: Don't send an emtpy H3 DATA frame during zero-copy forwarding\n - BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration\n - BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL\n - BUG/MINOR: quic: fix computed length of emitted STREAM frames\n - BUG/MINOR: quic: ensure Tx buf is always purged\n - BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts\n - BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego\n - BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE flag\n - DOC: install: remove boringssl from the list of supported 
libraries\n - MINOR: log: fix \"http-send-name-header\" ignore warning message\n - BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()\n - BUG/MINOR: proxy: fix log_tag leak on deinit()\n - BUG/MINOR: proxy: fix email-alert leak on deinit()\n - BUG/MINOR: proxy: fix check_{command,path} leak on deinit()\n - BUG/MINOR: proxy: fix dyncookie_key leak on deinit()\n - BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()\n - BUG/MINOR: proxy: fix header_unique_id leak on deinit()\n - MINOR: proxy: add proxy_free_common() helper function\n - BUG/MEDIUM: proxy: fix UAF with {tcp,http}checks logformat expressions\n - MINOR: log: change wording in lf_expr_postcheck() error message\n - BUG/MEDIUM: log: fix lf_expr_postcheck() behavior with default section\n - CLEANUP: log/proxy: fix comment in proxy_free_common()\n - DOC: config: move \"hash-key\" from proxy to server options\n - DOC: config: add missing section hint for \"guid\" proxy keyword\n - DOC: config: add missing context hint for new server and proxy keywords\n - BUG/MINOR: promex: Skip resolvers metrics when there is no resolver section\n - DOC: internals: add a documentation about the master worker\n - BUG/MAJOR: mux-h1: Prevent any UAF on H1 connection after draining a request\n - BUG/MINOR: quic: fix padding of INITIAL packets\n - OPTIM: quic: fill whole Tx buffer if needed\n - MINOR: quic: refactor qc_build_pkt() error handling\n - MINOR: quic: use global datagram headlen definition\n - MINOR: quic: refactor qc_prep_pkts() loop\n - DOC/MINOR: management: add missed -dR and -dv options\n - DOC/MINOR: management: add -dZ option\n - DOC: management: rename show stats domain cli \"dns\" to \"resolvers\"\n - REORG: log: reorder send log helpers by dependency order\n - MINOR: session: expose session_embryonic_build_legacy_err() function\n - MEDIUM: log/session: handle embryonic session log within sess_log()\n - MINOR: log: provide sending log context to process_send_log() when available\n - MINOR: 
log: add log_orig_to_str() function\n - MINOR: log: provide log origin in logformat expressions using '%OG'\n - CLEANUP: log: remove ambiguous legacy comment for resolve_logger()\n - MINOR: log/backend: always free parsing hints in resolve_logger()\n - MINOR: log: make resolve_logger() static\n - MINOR: log: provide proxy context to resolve_logger()\n - MINOR: log: add __send_log_set_metadata_sd helper\n - MINOR: log: add logger flags\n - MINOR: log: add log-profile parsing logic\n - MINOR: log: add log profile buildlines\n - MEDIUM: log: handle log-profile in process_send_log()\n - DOC: config: add documentation for log profiles\n - REGTESTS: log: add a test for log-profile\n - MINOR: ssl: add ssl_sock_bind_verifycbk() in ssl_sock.h\n - REORG: ssl: move the SNI selection code in ssl_clienthello.c\n - BUILD: ssl: fix build with wolfSSL\n - CI: github: upgrade aws-lc to 1.29.0\n - Revert \"CI: github: upgrade aws-lc to 1.29.0\"\n - MEDIUM: ssl: support for ECDA+RSA certificate selection with AWS-LC\n - BUILD: ssl: disable deprecated functions for AWS-LC 1.29.0\n - MINOR: ssl: relax the 'ssl.default-dh-param' keyword parsing\n - CI: github: upgrade aws-lc to 1.29.0\n - DOC: INSTALL: minimum AWS-LC version is v1.22.0\n - CI: github: do the AWS-LC weekly build with ERR=1","shortMessageHtmlLink":"[RELEASE] Released version 3.1-dev1"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEcfQ97gA","startCursor":null,"endCursor":null}},"title":"Activity · haproxy/haproxy"}