{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":128791889,"defaultBranch":"master","name":"haproxy","ownerLogin":"haproxy","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2018-04-09T15:17:42.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/38220289?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1717589675.0","currentOid":""},"activityList":{"items":[{"before":"93cc23a35561cd89b353143d20962dd86aa82a9c","after":"711338e1ceb061db0a5c832acdea8edbeafa712f","ref":"refs/heads/master","pushedAt":"2024-06-07T14:11:42.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL\n\nThe ClientHello callback for WolfSSL introduced in haproxy 2.9, seems\nnot to behave correctly with TLSv1.2.\n\nIn TLSv1.2, this is the cipher that is used to chose the authentication algorithm\n(ECDSA or RSA), however an SSL client can send a signature algorithm.\n\nIn TLSv1.3, the authentication is not part of the ciphersuites, and\nis selected using the signature algorithm.\n\nThe mistake in the code is that the signature algorithm in TLSv1.2 are\noverwritting the auth that was selected using the ciphers.\n\nThis must be backported as far as 2.9.","shortMessageHtmlLink":"BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL"}},{"before":"6697e87ae5e1f569dc87cf690b5ecfc049c4aab0","after":"93cc23a35561cd89b353143d20962dd86aa82a9c","ref":"refs/heads/master","pushedAt":"2024-06-05T13:34:14.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration\n\nThe ClientHello Callback which is used for certificate selection uses\nboth the signature algorithms and the ciphers sent by the client.\n\nHowever, when a client is announcing both ECDSA and RSA capabilities\nwith ECSDA ciphers that are not available on haproxy side and RSA\nciphers that are compatibles, the ECDSA certificate will still be used\nbut this will result in a \"no shared cipher\" error, instead of a\nfallback on the RSA certificate.\n\nFor example, a client could send\n'ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES256-SHA and HAProxy could be\nconfigured with only 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA'.\n\nThis patch fixes the issue by validating that at least one ECDSA cipher\nis available on both side before chosing the ECDSA certificate.\n\nThis must be backported on all stable versions.","shortMessageHtmlLink":"BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+…"}},{"before":null,"after":"25aaf9fd8b9d93aecf2947356c891a8567671568","ref":"refs/heads/20240606-clienthello","pushedAt":"2024-06-05T12:14:35.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration\n\nThe ClientHello Callback which is used for certificate selection uses\nboth the signature algorithms and the ciphers sent by the client.\n\nHowever, when a client is announcing ECDSA capabilities and has ciphers\nthat are not available on haproxy side, the ECDSA certificate will still\nbe used but this will result in a \"no shared cipher\" error, instead of\na fallback on the RSA certificate.\n\nFor example, a client could send\n'ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES256-SHA and HAProxy could be\nconfigured with only 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA'.\n\nThis patch fixes the issue by validating that at least one ECDSA cipher\nis available on both side before chosing the ECDSA certificate.\n\nThis must be backported on all stable versions.","shortMessageHtmlLink":"BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+…"}},{"before":"2bde0d64ddf0e32257444f14e69adea8f899b74b","after":"6697e87ae5e1f569dc87cf690b5ecfc049c4aab0","ref":"refs/heads/master","pushedAt":"2024-06-05T06:52:50.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: mux-quic: Don't send an emtpy H3 DATA frame during zero-copy forwarding\n\nIt may only happens when there is no data to forward but a last stream frame\nmust be sent with the FIN bit. It is not invalid, but it is useless to send\nan empty H3 DATA frame in that case.","shortMessageHtmlLink":"MINOR: mux-quic: Don't send an emtpy H3 DATA frame during zero-copy f…"}},{"before":"f7ae84e7d1b20201b38348d9dcbaefa47eb29814","after":"2bde0d64ddf0e32257444f14e69adea8f899b74b","ref":"refs/heads/master","pushedAt":"2024-06-04T14:31:45.000Z","pushType":"push","commitsCount":7,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()\n\n'lua_insert(lua->T, -lua_gettop(lua->T))' is actually used to rotate the\ntop value with the bottom one, thus the code was overkill and the comment\nwas actually misleading, let's fix that by using explicit equivalent form\n(absolute index).\n\nIt may be backported with 5508db9a2 (\"BUG/MINOR: hlua: fix unsafe\nlua_tostring() usage with empty stack\") to all stable versions to ease\ncode maintenance.","shortMessageHtmlLink":"CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resu…"}},{"before":"792a645ec21126c74c33820d1e0de63ee98aa810","after":"f7ae84e7d1b20201b38348d9dcbaefa47eb29814","ref":"refs/heads/master","pushedAt":"2024-06-04T13:01:45.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: quic: prevent crash on qc_kill_conn()\n\nEnsure idle_timer task is allocated in qc_kill_conn() before waking it\nup. It can be NULL if idle timer has already fired but MUX layer is\nstill present, which prevents immediate quic_conn release.\n\nqc_kill_conn() is only used on send() syscall fatal error to notify\nupper layer of an error and close the whole connection asap.\n\nThis crash occurence is pretty rare as it relies on timing issues. It\nhappens only if idle timer occurs before the MUX release (a bigger\nclient timeout is thus required) and any send() syscall detected error.\nFor now, it was only reproduced using GDB to interrupt haproxy longer\nthan the idle timeout.\n\nThis should be backported up to 2.6.","shortMessageHtmlLink":"BUG/MINOR: quic: prevent crash on qc_kill_conn()"}},{"before":"1ef6cdcd26fc3020cff3fd459d7ae37c169861a2","after":"792a645ec21126c74c33820d1e0de63ee98aa810","ref":"refs/heads/master","pushedAt":"2024-06-04T12:26:28.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be released\n\nIn done_fastfwd() callback function, if nothing was forwarding while the SD\nis blocked, it means there is not enough space in the buffer to proceed. It\nmay be because there are data to be sent. But it may also be data already\nsent waiting for an ack. In this case, no data to be sent by the mux. So the\nquic stream is not woken up when data are finally removed from the\nbuffer. The data forwarding can thus be stuck. This happens when the stats\npage is requested in QUIC/H3. Only applets are affected by this issue and\nonly with the QUIC multiplexer because it is the only mux with already sent\ndata in the TX buf.\n\nTo fix the issue, the idea is to release the txbuf if possible and then\nunblock the SD to perform a new zero-copy data forwarding attempt. Doing so,\nand thanks to the previous patch (\"MEDIUM: applet: Be able to unblock\nzero-copy data forwarding from done_fastfwd\"), the applet will be woken up.\n\nThis patch should fix the issue #2584. It must be backported to 3.0.","shortMessageHtmlLink":"BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can b…"}},{"before":"a63f2cde948e4d8049c961e94029b1fd2752a71d","after":"1ef6cdcd26fc3020cff3fd459d7ae37c169861a2","ref":"refs/heads/master","pushedAt":"2024-06-04T09:19:34.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CI: FreeBSD: upgrade image, packages\n\nFreeBSD-13.2 was removed from cirrus-ci, let's upgrade to 14.0,\nalso, pcre is EOL, let's switch to pcre2. lua is updated to 5.4","shortMessageHtmlLink":"CI: FreeBSD: upgrade image, packages"}},{"before":"dc8a2c7f43aca6cb02246da67fe0ea93cc3f14b0","after":"a63f2cde948e4d8049c961e94029b1fd2752a71d","ref":"refs/heads/master","pushedAt":"2024-06-03T15:08:21.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CLEANUP: hlua: fix CertCache class comment\n\nCLASS_CERTCACHE is used to declare CertCache global object, not Regex one\n\nThis copy-paste typo introduced was in 30fcca18 (\"MINOR: ssl/lua:\nCertCache.set() allows to update an SSL certificate file\")","shortMessageHtmlLink":"CLEANUP: hlua: fix CertCache class comment"}},{"before":"dc8a2c7f43aca6cb02246da67fe0ea93cc3f14b0","after":null,"ref":"refs/heads/20240603-readme.md","pushedAt":"2024-06-03T13:25:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"}},{"before":"45cac52212538ae16e9c232a6a73b6fe4710734c","after":"dc8a2c7f43aca6cb02246da67fe0ea93cc3f14b0","ref":"refs/heads/master","pushedAt":"2024-06-03T13:25:22.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: change the link to the FreeBSD CI in README.md\n\nChange the link to the FreeBSD CI status badge to use the cirrus.com\njobs list.","shortMessageHtmlLink":"DOC: change the link to the FreeBSD CI in README.md"}},{"before":null,"after":"dc8a2c7f43aca6cb02246da67fe0ea93cc3f14b0","ref":"refs/heads/20240603-readme.md","pushedAt":"2024-06-03T13:23:00.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: change the link to the FreeBSD CI in README.md\n\nChange the link to the FreeBSD CI status badge to use the cirrus.com\njobs list.","shortMessageHtmlLink":"DOC: change the link to the FreeBSD CI in README.md"}},{"before":"ab23d7eb690cc3d68b450d58dc1f47d1db01b3f5","after":"45cac52212538ae16e9c232a6a73b6fe4710734c","ref":"refs/heads/master","pushedAt":"2024-06-03T13:15:43.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: add the FreeBSD status badge to README.md\n\nAdd the FreeBSD status badge that comes from the Cirrus CI in the\nREADME.md","shortMessageHtmlLink":"DOC: add the FreeBSD status badge to README.md"}},{"before":"c79c3121427ca240f36e1838fba777b8e92ac81f","after":"ab23d7eb690cc3d68b450d58dc1f47d1db01b3f5","ref":"refs/heads/master","pushedAt":"2024-06-03T09:59:39.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CI: speedup apt package install\n\nwe are fine to skip some repos like languages and translations.\nthis drops number of repos twice","shortMessageHtmlLink":"CI: speedup apt package install"}},{"before":"ba958fb230d4add678913f18eb520d9d5935c968","after":"c79c3121427ca240f36e1838fba777b8e92ac81f","ref":"refs/heads/master","pushedAt":"2024-06-03T09:12:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: configuration: add an example for keywords from crt-store\n\nIn ticket #785, people are still confused about how to use the crt-store\nload parameters in a crt-list.\n\nThis patch adds an example.\n\nThis must be backported in 3.0","shortMessageHtmlLink":"DOC: configuration: add an example for keywords from crt-store"}},{"before":"f8418d3ade267e5ab28808c17af297fd1ea932a7","after":"ba958fb230d4add678913f18eb520d9d5935c968","ref":"refs/heads/master","pushedAt":"2024-05-31T16:57:33.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory\n\nIn GH issue #2586 @Bbulatov reported a theoretical null-deref in\nenv_expand() in case there's no memory anymore to expand an environment\nvariable. The function should return NULL in this case so that the only\ncaller (str2sa_range) sees it. In practice it may only happen during\nboot thus is harmless but better fix it since it's easy. This can be\nbackported to all versions where this applies.","shortMessageHtmlLink":"BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-m…"}},{"before":"f3e6dfdc9286f7fb86b6a54a6852cac9d1a61f0f","after":"f8418d3ade267e5ab28808c17af297fd1ea932a7","ref":"refs/heads/master","pushedAt":"2024-05-31T11:46:22.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"ADMIN: acme.sh: remove the old acme.sh code\n\nRemove the acme.sh script since it was merged in\nhttps://github.com/acmesh-official/acme.sh/pull/4581\n\nSo people don't try to download a script which is not up to date with\nthe current acme.sh master.","shortMessageHtmlLink":"ADMIN: acme.sh: remove the old acme.sh code"}},{"before":"485b206f61c3b03caa0d21f9e16465b1c298003b","after":"f3e6dfdc9286f7fb86b6a54a6852cac9d1a61f0f","ref":"refs/heads/master","pushedAt":"2024-05-30T15:04:41.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CI: VTest: accelerate package install a bit\n\nlet's check and install only package is required","shortMessageHtmlLink":"CI: VTest: accelerate package install a bit"}},{"before":"09db70d021d71992377c7f0c03974d65008d569e","after":"485b206f61c3b03caa0d21f9e16465b1c298003b","ref":"refs/heads/master","pushedAt":"2024-05-30T11:54:19.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: replace the README by a markdown version\n\nThis patch removes the old README file and replaces it with a more\nmodern markdown version which allows clickable links on the github page.\n\nIt also adds some of the Github Actions worfklow Status.\n\nThis patch includes the HAProxy png in the doc directory.","shortMessageHtmlLink":"DOC: replace the README by a markdown version"}},{"before":"1eb0f22ee1b64d75c8535b5a48f96b6ead91a341","after":"09db70d021d71992377c7f0c03974d65008d569e","ref":"refs/heads/master","pushedAt":"2024-05-29T20:37:45.000Z","pushType":"push","commitsCount":5,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CI: use USE_PCRE2 instead of USE_PCRE\n\nUSE_PCRE2 is recommended, I guess USE_PCRE is left unintentionally","shortMessageHtmlLink":"CI: use USE_PCRE2 instead of USE_PCRE"}},{"before":"5590ada4731a1f75004675680b4bdca61fa4c507","after":"1eb0f22ee1b64d75c8535b5a48f96b6ead91a341","ref":"refs/heads/master","pushedAt":"2024-05-29T13:02:58.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"[RELEASE] Released version 3.1-dev0\n\nReleased version 3.1-dev0 with the following main changes :\n    - MINOR: version: mention that it's development again","shortMessageHtmlLink":"[RELEASE] Released version 3.1-dev0"}},{"before":"8452a3f7c9e76a9648387882a83a13eee6e9b24f","after":"5590ada4731a1f75004675680b4bdca61fa4c507","ref":"refs/heads/master","pushedAt":"2024-05-29T12:45:48.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"[RELEASE] Released version 3.0.0\n\nReleased version 3.0.0 with the following main changes :\n    - MINOR: sample: implement the uptime sample fetch\n    - CI: scripts: fix build of vtest regarding option -C\n    - CI: scripts: build vtest using multiple CPUs\n    - MINOR: log: rename 'log-format tag' to 'log-format alias'\n    - DOC: config: document logformat item naming and typecasting features\n    - BUILD: makefile: yearly reordering of objects by build time\n    - BUILD: fd: errno is also needed without poll()\n    - DOC: config: fix two typos \"RST_STEAM\" vs \"RST_STREAM\"\n    - DOC: config: refer to the non-deprecated keywords in ocsp-update on/off\n    - DOC: streamline http-reuse and connection naming definition\n    - REGTESTS: complete http-reuse test with pool-conn-name\n    - DOC: config: add %ID logformat alias alternative\n    - CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp\n    - BUG/MINOR: ssl/ocsp: init callback func ptr as NULL\n    - CLEANUP: ssl_sock: move dirty openssl-1.0.2 wrapper to openssl-compat\n    - BUG/MINOR: activity: fix Delta_calls and Delta_bytes count\n    - CI: github: upgrade the WolfSSL job to 5.7.0\n    - DOC: install: update quick build reminders with some missing options\n    - DOC: install: update the range of tested openssl version to cover 3.3\n    - DEV: patchbot: prepare for new version 3.1-dev\n    - MINOR: version: mention that it's 3.0 LTS now.","shortMessageHtmlLink":"[RELEASE] Released version 3.0.0"}},{"before":"40cd5cc0e215ea5f649725385e052fab2ba38181","after":"8452a3f7c9e76a9648387882a83a13eee6e9b24f","ref":"refs/heads/master","pushedAt":"2024-05-29T08:26:12.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"DOC: install: update the range of tested openssl version to cover 3.3\n\nOpenSSL 3.3 is known to work since it's tested on the CI, to let's add\nit to the list of known good versions.","shortMessageHtmlLink":"DOC: install: update the range of tested openssl version to cover 3.3"}},{"before":"d5e43caaf541fa3d26f33fc399cf4d5b02e19282","after":"40cd5cc0e215ea5f649725385e052fab2ba38181","ref":"refs/heads/master","pushedAt":"2024-05-28T17:26:59.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CI: github: upgrade the WolfSSL job to 5.7.0\n\nWolfSSL 5.70 was released in March 2024,  let's upgrade our CI job to\nthis version.","shortMessageHtmlLink":"CI: github: upgrade the WolfSSL job to 5.7.0"}},{"before":"decb7c90dfbd90c53f6e098d783daa701699c64c","after":"d5e43caaf541fa3d26f33fc399cf4d5b02e19282","ref":"refs/heads/master","pushedAt":"2024-05-28T17:26:47.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: activity: fix Delta_calls and Delta_bytes count\n\nThanks to the commit 5714aff4a6bf\n\"DEBUG: pool: store the memprof bin on alloc() and update it on free()\", the\namount of memory allocations and memory \"frees\" is shown now on the same line,\ncorresponded to the caller name. This is very convenient to debug memory leaks\n(haproxy should run with -dMcaller option).\n\nThe implicit drawback of this solution is that we count twice same free_calls\nand same free_tot (bytes) values in cli_io_handler_show_profiling(), when\nwe've calculed tot_free_calls and tot_free_bytes, by adding them to the these\ntotalizators for p_alloc, malloc and calloc allocator types. See the details\nabout why this happens in a such way in __pool_free() implementation and\nalso in the commit message for 5714aff4a6bf.\n\nThis double addition of free counters falses 'Delta_calls' and 'Delta_bytes',\nsometimes we even noticed that they show negative values.\n\nSame problem was with the calculation of average allocated buffer size for\nlines, where we show simultaneously the number of allocated and freed bytes.","shortMessageHtmlLink":"BUG/MINOR: activity: fix Delta_calls and Delta_bytes count"}},{"before":"84380965a504a2a25450378de638df891c75d569","after":"decb7c90dfbd90c53f6e098d783daa701699c64c","ref":"refs/heads/master","pushedAt":"2024-05-28T17:25:15.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CLEANUP: ssl_sock: move dirty openssl-1.0.2 wrapper to openssl-compat\n\nValentine noticed this ugly SSL_CTX_get_tlsext_status_cb() macro\ndefinition inside ssl_sock.c that is dedicated to openssl-1.0.2 only.\nIt would be better placed in openssl-compat.h, which is what this\npatch does. It also addresses a missing pair of parenthesis and\nremoves an invalid extra semicolon.","shortMessageHtmlLink":"CLEANUP: ssl_sock: move dirty openssl-1.0.2 wrapper to openssl-compat"}},{"before":null,"after":"b1be86c89f61a2939585c750d5b07d3740d90a18","ref":"refs/heads/20240528-wolfssl","pushedAt":"2024-05-28T17:19:28.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"CI: github: upgrade the WolfSSL job to 5.7.0\n\nWolfSSL 5.70 was released in March 2024,  let's upgrade our CI job to\nthis version.","shortMessageHtmlLink":"CI: github: upgrade the WolfSSL job to 5.7.0"}},{"before":"f9740230fcb1c41e67491c1e8de16e80cc66cc77","after":"84380965a504a2a25450378de638df891c75d569","ref":"refs/heads/master","pushedAt":"2024-05-28T16:15:01.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: ssl/ocsp: init callback func ptr as NULL\n\nIn ssl_sock_load_ocsp() it is better to initialize local scope variable\n'callback' function pointer as NULL, while we are declaring it. According to\nSSL_CTX_get_tlsext_status_cb() API, then we will provide a pointer to this\n'on stack' variable in order to check, if the callback was already set before:\n\nOpenSSL 1.x.x and 3.x.x:\n  long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));\n  long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));\n\nWolfSSL 5.7.0:\n  typedef int(*tlsextStatusCb)(WOLFSSL* ssl, void*);\n  WOLFSSL_API int wolfSSL_CTX_get_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb* cb);\n  WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb cb);\n\nWhen this func ptr variable stays uninitialized, haproxy comipled with ASAN\ncrushes in ssl_sock_load_ocsp():\n\n  ./haproxy -d -f haproxy.cfg\n  ...\n  AddressSanitizer:DEADLYSIGNAL\n  =================================================================\n  ==114919==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5eab8951bb32 bp 0x7ffcdd6d8410 sp 0x7ffcdd6d82e0 T0)\n  ==114919==The signal is caused by a READ memory access.\n  ==114919==Hint: address points to the zero page.\n    #0 0x5eab8951bb32 in ssl_sock_load_ocsp /home/vk/projects/haproxy/src/ssl_sock.c:1248:22\n    #1 0x5eab89510d65 in ssl_sock_put_ckch_into_ctx /home/vk/projects/haproxy/src/ssl_sock.c:3389:6\n  ...\n\nThis happens, because callback variable is allocated on the stack. As not\nbeing explicitly initialized, it may contain some garbage value at runtime,\ndue to the linked crypto library update or recompilation.\n\nSo, following ssl_sock_load_ocsp code, SSL_CTX_get_tlsext_status_cb() may\nfail, callback will still contain its initial garbage value,\n'if (!callback) {...' test will put us on the wrong path to access some\nocsp_cbk_arg properties via its pointer, which won't be set and like this\nwe will finish with segmentation fault.\n\nMust be backported in all stable versions. All versions does not have\nthe ifdef, the previous cleanup patch is useful starting from the 2.7\nversion.","shortMessageHtmlLink":"BUG/MINOR: ssl/ocsp: init callback func ptr as NULL"}},{"before":"cb64719f668f0a4f34dff344df04c3d5de426dd1","after":"6e5caf4c00df513945ecb232d19456b5462fba54","ref":"refs/heads/20240528-ocsp-cleanup","pushedAt":"2024-05-28T16:03:17.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"BUG/MINOR: ssl/ocsp: init callback func ptr as NULL\n\nIn ssl_sock_load_ocsp() it is better to initialize local scope variable\n'callback' function pointer as NULL, while we are declaring it. According to\nSSL_CTX_get_tlsext_status_cb() API, then we will provide a pointer to this\n'on stack' variable in order to check, if the callback was already set before:\n\nOpenSSL 1.x.x and 3.x.x:\n  long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));\n  long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));\n\nWolfSSL 5.7.0:\n  typedef int(*tlsextStatusCb)(WOLFSSL* ssl, void*);\n  WOLFSSL_API int wolfSSL_CTX_get_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb* cb);\n  WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb cb);\n\nWhen this func ptr variable stays uninitialized, haproxy comipled with ASAN\ncrushes in ssl_sock_load_ocsp():\n\n  ./haproxy -d -f haproxy.cfg\n  ...\n  AddressSanitizer:DEADLYSIGNAL\n  =================================================================\n  ==114919==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5eab8951bb32 bp 0x7ffcdd6d8410 sp 0x7ffcdd6d82e0 T0)\n  ==114919==The signal is caused by a READ memory access.\n  ==114919==Hint: address points to the zero page.\n    #0 0x5eab8951bb32 in ssl_sock_load_ocsp /home/vk/projects/haproxy/src/ssl_sock.c:1248:22\n    #1 0x5eab89510d65 in ssl_sock_put_ckch_into_ctx /home/vk/projects/haproxy/src/ssl_sock.c:3389:6\n  ...\n\nThis happens, because callback variable is allocated on the stack. As not\nbeing explicitly initialized, it may contain some garbage value at runtime,\ndue to the linked crypto library update or recompilation.\n\nSo, following ssl_sock_load_ocsp code, SSL_CTX_get_tlsext_status_cb() may\nfail, callback will still contain its initial garbage value,\n'if (!callback) {...' test will put us on the wrong path to access some\nocsp_cbk_arg properties via its pointer, which won't be set and like this\nwe will finish with segmentation fault.\n\nMust be backported in every stable version.","shortMessageHtmlLink":"BUG/MINOR: ssl/ocsp: init callback func ptr as NULL"}},{"before":null,"after":"cb64719f668f0a4f34dff344df04c3d5de426dd1","ref":"refs/heads/20240528-ocsp-cleanup","pushedAt":"2024-05-28T15:53:35.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"haproxy-mirror","name":null,"path":"/haproxy-mirror","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/38239150?s=80&v=4"},"commit":{"message":"MINOR: ssl/ocsp: init callback func ptr as NULL\n\nIn ssl_sock_load_ocsp() it is better to initialize local scope variable\n'callback' function pointer as NULL, while we are declaring it. According to\nSSL_CTX_get_tlsext_status_cb() API, then we will provide a pointer to this\n'on stack' variable in order to check, if the callback was already set before:\n\nOpenSSL 1.x.x and 3.x.x:\n  long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));\n  long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));\n\nWolfSSL 5.7.0:\n  typedef int(*tlsextStatusCb)(WOLFSSL* ssl, void*);\n  WOLFSSL_API int wolfSSL_CTX_get_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb* cb);\n  WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb cb);\n\nWhen this func ptr variable stays uninitialized, haproxy comipled with ASAN\ncrushes in ssl_sock_load_ocsp():\n\n  ./haproxy -d -f haproxy.cfg\n  ...\n  AddressSanitizer:DEADLYSIGNAL\n  =================================================================\n  ==114919==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5eab8951bb32 bp 0x7ffcdd6d8410 sp 0x7ffcdd6d82e0 T0)\n  ==114919==The signal is caused by a READ memory access.\n  ==114919==Hint: address points to the zero page.\n    #0 0x5eab8951bb32 in ssl_sock_load_ocsp /home/vk/projects/haproxy/src/ssl_sock.c:1248:22\n    #1 0x5eab89510d65 in ssl_sock_put_ckch_into_ctx /home/vk/projects/haproxy/src/ssl_sock.c:3389:6\n  ...\n\nThis happens, because callback variable is allocated on the stack. As not\nbeing explicitly initialized, it may contain some garbage value at runtime,\ndue to the linked crypto library update or recompilation.\n\nSo, following ssl_sock_load_ocsp code, SSL_CTX_get_tlsext_status_cb() may\nfail, callback will still contain its initial garbage value,\n'if (!callback) {...' test will put us on the wrong path to access some\nocsp_cbk_arg properties via its pointer, which won't be set and like this\nwe will finish with segmentation fault.","shortMessageHtmlLink":"MINOR: ssl/ocsp: init callback func ptr as NULL"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEX0vVXQA","startCursor":null,"endCursor":null}},"title":"Activity · haproxy/haproxy"}