HAProxy known bugs for version v3.3.7 (maintenance branch 3.3) : 157

This version (3.3.7) is a release belonging to maintenance branch 3.3 whose latest version is 3.3.10. If your version is not the last one in the maintenance branch, you are missing fixes for known bugs, and by not updating you are needlessly taking the responsibility for the risk of unexpected service outages and exposing your web site to possible security issues.

The HAProxy development team takes a great care of maintaining stable versions so that all users can apply bug fixes without having to take the risk of upgrading to a new branch. In turn users are expected to apply the fixes when the development team estimates that they were worth being backported to stable branches.

Quick links

full changelog for 3.3 : here
browse history for 3.3 : here

Other versions in the same branch

This branch contains the following releases :

Date Version Comment

2026-05-11 3.3.10 ⇐ last

2026-05-06 3.3.9

2026-04-30 3.3.8

2026-04-23 3.3.7 ⇐ yours

2026-03-19 3.3.6

2026-03-09 3.3.5

2026-02-19 3.3.4

2026-02-12 3.3.3

2026-01-29 3.3.2

2025-12-19 3.3.1

2025-11-26 3.3.0

Date	Version	Comment
2026-05-11	3.3.10	⇐ last
2026-05-06	3.3.9
2026-04-30	3.3.8
2026-04-23	3.3.7	⇐ yours
2026-03-19	3.3.6
2026-03-09	3.3.5
2026-02-19	3.3.4
2026-02-12	3.3.3
2026-01-29	3.3.2
2025-12-19	3.3.1
2025-11-26	3.3.0

Known bugs affecting this version, and already fixed in the maintenance branch

These fixes have already been queued for a more recent 3.3 version. Some of them might have already been released in a more recent version than yours, and other ones might still be pending in the maintenance branch for a future release. The list may be empty if you're already on the latest version and no new fix was backported.

Bugs are almost always tagged with a severity (some people forget the severity tag when the bug is minor). The following severities are used :

MINOR: the bug presents a limited impact and can easily be mitigated ; users rarely upgrade just for these ones ;
MEDIUM: the bug can cause some undesired behaviour and may require some tricky configuration changes to avoid hitting it ; users normally upgrade to get rid of them, or temporarily disable a functionality.
MAJOR: the bug affects short term reliability and cannot easily be worked around without a significant performance penalty or without a significant functional loss ; such bugs don't stay long in the queue without a release and users must plan an upgrade as soon as possible ;
CRITICAL: this one very rarely happens ; it indicates a short-term reliability or security issue for which there is no workaround. A release will be emitted for this fix even if it's alone and users are urged to upgrade immediately. Some distro maintainers might have been informed in advance in order to agree on a coordinated release date.

Total known bugs in this version by category :

Total CRITICAL MAJOR MEDIUM MINOR

157 0 4 52 101

Total	CRITICAL	MAJOR	MEDIUM	MINOR
157	0	4	52	101

Click on the subjects below to get the full description of the bug :

Merge date	Subject - Severity (minor, medium, major, critical)
2026-06-01	BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making headers
2026-06-01	BUG/MINOR: cache: Fix copy of value when parsing maxage
2026-06-01	BUG/MEDIUM: h3: fix MAX_PUSH_ID handling
2026-06-01	BUG/MEDIUM: resolvers: Wait a bit before calling the xprt prepare_srv
2026-06-01	BUG/MINOR: cache: fix cache tree iteration
2026-06-01	BUG/MINOR: threads: set at least grp_max when mtpg is too small
2026-06-01	BUG/MINOR: quic: update drs->lost before calling on_ack_recv
2026-06-01	BUG/MEDIUM: quic: reset consecutive_losses on exit from recovery period (cubic)
2026-06-01	BUG/MEDIUM: quic: reset cwnd in slow_start on persistent congestion (cubic)
2026-06-01	BUG/MINOR: quic: fix ack range node pool_free call passing wrong pointer type
2026-06-01	BUG/MINOR: mux_quic: open an idle QCS on reset on BE side
2026-06-01	BUG/MINOR: mux-h2: Count padding for connection flow control on error path
2026-06-01	BUG/MEDIUM: quic: handle ECONNREFUSED on RX side
2026-06-01	BUG/MINOR: qpack: fix huff_dec() error handling in qpack_decode_fs()
2026-06-01	BUG/MINOR: qpack: fix sign bit mask in qpack_decode_fs_pfx()
2026-06-01	BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert()
2026-06-01	BUG/MINOR: qpack: Fix index calculation in debug functions
2026-05-27	Revert "BUG/MEDIUM: dns: fix long loops in additional records parse on name failure"
2026-05-27	BUG/MEDIUM: cpu-topo: Enforce thread-hard-limit on policy
2026-05-27	BUG/MINOR: ssl-gencert: validate SNI characters to prevent SAN certificate injection
2026-05-27	BUG/MINOR: tcpcheck: Check LDAP response to not read more data than available
2026-05-27	BUG/MINOR: mux-spop: Use relative offset to compute contig data in demux buf
2026-05-27	BUG/MINOR: mux-fcgi: Use relative offset to compute contig data in demux buf
2026-05-27	BUG/MEDIUM: h1-htx: Sanitize parsing to properly handle upgrade requests
2026-05-27	BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records
2026-05-27	BUG/MINOR: quic: reject packet too short for HP decryption
2026-05-27	BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers
2026-05-27	BUG/MINOR: h3: add missing break on rcv_buf()
2026-05-27	BUG/MEDIUM: auth: fix unconfigured password NULL deref
2026-05-27	BUG/MINOR: h3: reject server MAX_PUSH_ID frame
2026-05-27	BUG/MINOR: h3: adjust error on PUSH_PROMISE frame reception
2026-05-27	BUG/MINOR: h3: reject client CANCEL_PUSH frame
2026-05-27	BUG/MINOR: h3: reject server push stream
2026-05-27	BUG/MEDIUM: h3: reject client push stream
2026-05-27	BUG/MINOR: addons/51d: NUL-terminate headers before passing them to Trie API
2026-05-27	BUG/MINOR: resolvers: switch to a better PRNG for query IDs
2026-05-27	BUG/MINOR: ssl-hello: make use of the null-terminated servername
2026-05-27	BUG/MINOR: payload: fix the handshake length bounds check smp_client_hello_parse()
2026-05-27	BUG/MINOR: base64: return empty string for empty input in base64dec()
2026-05-27	BUG/MINOR: http-ext: always check remaining data when reading rfc7239 nodeport
2026-05-27	BUG/MEDIUM: acme: protect against risk of null-deref on connection failure
2026-05-27	BUG/MINOR: http-fetch: check against the whole token in get_http_auth()
2026-05-27	BUG/MINOR: resolvers: relax size checks in authority record parsing
2026-05-27	BUG/MINOR: cache: also recognize directives in the form "token="
2026-05-27	BUG/MEDIUM: cache: always verify the primary hash in get_secondary_entry()
2026-05-27	BUG/MEDIUM: h1: limit status codes to 3 digits by default
2026-05-27	BUG/MEDIUM: h1: drop headers whose names contain invalid chars
2026-05-27	BUG/MINOR: sample: limit the be2hex converter's chunk size
2026-05-27	BUG/MINOR: init: use more than ha_random64() for the cluster secret
2026-05-27	BUG/MINOR: dict: fix refcount race on insert collision
2026-05-27	BUG/MINOR: log: look for the end of priority before the end of the buffer
2026-05-27	BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep
2026-05-27	BUG/MINOR: resolvers: fix risk of appending garbage past the domain name
2026-05-27	BUG/MINOR: resolvers: fix room for trailing zero in resolv_dn_label_to_str()
2026-05-27	BUG/MEDIUM: cache: fix a refcount leak for missed secondary entries
2026-05-27	BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values
2026-05-27	BUG/MEDIUM: regex: allocate a large enough pcre2 match for all matches
2026-05-27	BUG/MEDIUM: log-forward: make sure the month is unsigned
2026-05-27	BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket
2026-05-27	BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer
2026-05-27	BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref
2026-05-27	BUG/MINOR: quic: fix ODCID lookup from derived value
2026-05-27	BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate
2026-05-27	BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()
2026-05-27	BUG/MEDIUM: applet: Properly handle receives of size 0
2026-05-27	BUG/MINOR: ocsp: Manage date too far away in the future
2026-05-21	BUG/MINOR: mux_quic: do not exceed stream.max-concurrent on backend side
2026-05-21	BUG/MEDIUM: servers: Don't forget to set srv_hash when needed
2026-05-21	BUG/MEDIUM: servers: Store the connection hash with the parameter cache
2026-05-21	BUG/MINOR: server: Properly handle init-state value during haproxy startup
2026-05-21	BUG/MINOR: backend: fix balance hash calculation when using hash-type none
2026-05-21	BUG/MINOR: server: accept server IDs above 2^31 and clarify error message
2026-05-21	BUG/MINOR: httpclient-cli: fix uninit variable in error label
2026-05-21	BUG/MINOR: h1: Don't mask websocket protocol if multiple protocols used
2026-05-21	BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing
2026-05-21	BUG/MINOR: httpclient-cli: Destroy http-client context if failing to start it
2026-05-21	BUG/MINOR: jws: Add missing return value check (EVP_PKEY_get_bn_param)
2026-05-21	BUG/MINOR: jws: fix OpenSSL 3.0 version check from > to >=
2026-05-21	BUG/MEDIUM: limits: properly account for global.maxpipes in compute_ideal_maxconn()
2026-05-21	BUG/MINOR: jwt: fix possible memory leak in convert_ecdsa_sig() error path
2026-05-21	BUG/MINOR: check: properly report errno in chk_report_conn_err()
2026-05-21	BUG/MINOR: session/trace: use distinct flags for SESS_EV_END and _ERR
2026-05-21	BUG/MINOR: resolvers: fix leaked dgram and dns_ring struct in parse_resolve_conf()
2026-05-21	BUG/MINOR: resolvers: report the expression error in the do-resolve() action parser
2026-05-21	BUG/MINOR: dns: fix dangling dgram pointer on dns_dgram_init() failure path
2026-05-21	BUG/MINOR: resolvers: fix dangling list pointer in resolvers_new() error paths
2026-05-21	BUG/MEDIUM: server/cli: unlock server lock on failure in cli_parse_set_server
2026-05-21	BUG/MINOR: servers: use proper source of pool_conn_name in srv_settings_cpy()
2026-05-21	BUG/MEDIUM: dns: fix memory leak of sockaddr in dns_session_init() error path
2026-05-21	BUG/MEDIUM: resolvers: fix name compression pointer validation in resolv_read_name()
2026-05-21	BUG/MEDIUM: dns: fix long loops in additional records parse on name failure
2026-05-21	BUG/MINOR: config/dns: properly fail on duplicate nameserver name detection
2026-05-21	BUG/MINOR: backend: correct parameter value validation in get_server_ph_post()
2026-05-21	BUG/MEDIUM: applet: Fix transfer of HTX data to the applet
2026-05-13	BUG/MEDIUM: http-client: Only consume input buffer when hc one is empty
2026-05-13	BUG/MEDIUM: dict: hold read lock while incrementing refcount in dict_insert
2026-05-11	BUG/MEDIUM: tasks: Keep the TASK_RUNNING flag until queued
2026-05-11	BUG/MINOR: cfgparse-listen: do not emit extraneous line in rule order warnings
2026-05-11	BUG/MEDIUM: servers: Only requeue servers if they are up
2026-05-11	BUG/MINOR: mux_quic: refresh timeout only if I/O performed
2026-05-11	BUG/MEDIUM: mux_quic: adjust qcc_is_dead() to account detached streams
2026-05-07	BUG/MEDIUM: stick-table: properly check permissions on CLI's set/clear cmd
2026-05-07	BUG/MEDIUM: mux-h2: fix the detection of the ext connect support
2026-05-07	Revert "BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting"
2026-05-07	Revert "BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect"
2026-05-07	BUG/MEDIUM: mux-h2: Properly consume padding for DATA frames
2026-05-07	BUG/MINOR: mux_quic: fix max stream ID reuse estimation
2026-05-07	BUG/MINOR: ssl: Use the sequence number with kTLS and TLS 1.2
2026-05-06	BUG/MEDIUM: h1: Enforce the authority validation during H1 request parsing
2026-05-06	BUG/MAJOR: http: forbid comma character in authority value
2026-05-06	BUG/MINOR: tools: read_line_to_trash() handle empty files without \n
2026-05-06	BUG/MEDIUM: h1_htx: Remove reverved block on error during contig chunks parsing
2026-05-06	BUG/MINOR: http-fetch: Fix http_auth_bearer() when custom header is used
2026-05-06	BUG/MINOR: acme: contact mail should be optional, don't pass ToS bool
2026-05-06	BUG/MINOR: h2: only accept :protocol with extended CONNECT
2026-05-06	BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting
2026-05-06	BUG/MINOR: h2: add decoding for :protocol in traces
2026-05-04	BUG/MINOR: mworker/cli: check ci_insert() return value in pcli_parse_request()
2026-05-04	BUG/MEDIUM: mworker/cli: fix user and operator permission via @@ in master CLI
2026-05-04	BUG/MINOR: resolvers: Free opts on parse error in resolv_parse_do_resolve()
2026-05-04	BUG/MINOR: resolvers: Fix lookup for a hostname in the state-file tree
2026-05-04	BUG/MINOR: resolvers: Free new requester on error when linking a resolution
2026-05-04	BUG/MINOR: tcpcheck: Properly report error for http health-checks
2026-05-04	BUG/MINOR: dns: always validate the source address in responses
2026-05-04	BUG/MAJOR: mux-h2: preset MSGF_BODY_CL on H2_SF_DATA_CLEN in h2c_dec_hdrs()
2026-05-04	BUG/MEDIUM: mux-h2: fix the body_len to check when parsing request trailers
2026-05-04	CI: github: add DEBUG_STRICT=2 to ASAN jobs
2026-05-04	BUG/MINOR: pattern: release the reference on failure to load from file
2026-05-04	BUG/MINOR: map: do not leak a map descriptor on load error
2026-05-04	BUG/MINOR: acl: fix a possible arg corruption in smp_fetch_acl_parse()
2026-05-04	BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect
2026-05-04	BUG/MINOR: hpack: validate idx > 0 in hpack_valid_idx()
2026-05-04	BUG/MINOR: vars: only print first invalid char in fill_desc()
2026-05-04	BUG/MINOR: vars: don't store the variable twice with set-var-fmt
2026-05-04	BUG/MINOR: vars: make parse_store() return error on var_set() failure
2026-05-04	BUG/MINOR: sink: do not free existing sinks on allocation error
2026-04-30	BUG/MINOR: acme: skip auth/challenge steps when newOrder returns a certificate
2026-04-30	BUG/MEDIUM: acme: fix segfault on newOrder with empty authorizations
2026-04-29	BUG/MINOR: http-htx: Don't normalize emtpy path for OPTIONS requests
2026-04-29	BUG/MEDIUM: mux-fcgi: Properly handle full buffer for FCGI_PARAM record
2026-04-29	BUG/MINOR: payload: prevent integer overflow in distcc token parsing
2026-04-29	BUG/MINOR: payload: validate minimum keyshare_len in smp_fetch_ssl_keyshare_groups
2026-04-29	BUG/MINOR: fix various typos and spelling mistakes in user-visible messages
2026-04-29	BUG/MEDIUM: tasks: Do not loop in task_schedule() if a task is running
2026-04-29	BUG/MAJOR: mux-h1: Deal with true 64-bits integer to emit chunks size
2026-04-29	BUG/MEDIUM: http-htx: Loop on full host value during scheme based normalization
2026-04-29	BUG/MEDIUM: http-htx: Don't use data from HTX message to update authority
2026-04-29	BUG/MAJOR: http-htx: Store new host in a chunk for scheme-based normalization
2026-04-29	BUG/MINOR: http_ana: use scf to report term_evts in http_wait_for_request()
2026-04-29	BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size()
2026-04-29	BUG/MINOR: peers: fix wrong flag reported twice for dump_flags
2026-04-29	BUG/MINOR: peers: fix logical "and" when checking for local in PEER_APP_ST_STARTING
2026-04-29	BUG/MINOR: sample: fix NULL strm dereference in sample_conv_when
2026-04-29	BUG/MINOR: sample: fix memory leak in check_when_cond() when ACL is not found
2026-04-29	BUG/MINOR: tools: free previously allocated strings on strdup failure in backup_env()
2026-04-29	BUG/MINOR: tools: fix memory leak in indent_msg() on out of memory
2026-04-29	BUG/MINOR: tools: my_memspn/my_memcspn wrong cast causing incorrect byte reading
2026-04-29	BUG/MINOR: ssl: fix double-free on failed realloc in ssl_sock.c
2026-04-29	BUG/MINOR: ssl: fix memory leaks on realloc failure in ssl_sock.c
2026-04-29	BUG/MINOR: ssl: fix memory leaks on realloc failure in ssl_ckch.c
2026-04-29	BUG/MINOR: tcpcheck: Allow connection reuse without prior traffic

Back to the list of branches and versions
Back to the HAProxy page