Ubuntu
haproxy package

Merge ~ahasenack/ubuntu/+source/haproxy:disco-haproxy-1.8.19 into ubuntu/+source/haproxy:ubuntu/devel

Proposed by Andreas Hasenack on 2019-02-20

Status:	Superseded
Proposed branch:	~ahasenack/ubuntu/+source/haproxy:disco-haproxy-1.8.19
Merge into:	ubuntu/+source/haproxy:ubuntu/devel
Diff against target:	1551 lines (+501/-163) (has conflicts) 35 files modified CHANGELOG (+52/-0) README (+1/-1) VERDATE (+1/-1) VERSION (+1/-1) debian/changelog (+36/-0) debian/control (+2/-1) debian/tests/proxy-localhost (+4/-0) doc/configuration.txt (+57/-43) examples/haproxy.spec (+7/-1) include/common/h2.h (+33/-0) include/common/hpack-tbl.h (+1/-0) include/common/xref.h (+5/-0) include/proto/session.h (+2/-1) include/proto/stream.h (+4/-2) include/proto/stream_interface.h (+6/-0) include/types/connection.h (+1/-0) include/types/stream_interface.h (+19/-17) scripts/announce-release (+2/-0) src/action.c (+5/-0) src/backend.c (+10/-8) src/cache.c (+6/-2) src/cfgparse.c (+52/-8) src/checks.c (+4/-3) src/flt_spoe.c (+42/-25) src/haproxy.c (+1/-0) src/hlua.c (+3/-3) src/hpack-dec.c (+6/-0) src/mux_h2.c (+48/-18) src/proto_http.c (+4/-1) src/sample.c (+7/-0) src/server.c (+22/-26) src/ssl_sock.c (+41/-0) src/stream.c (+5/-1) src/stream_interface.c (+8/-0) src/tcp_rules.c (+3/-0) Conflict in debian/changelog Conflict in debian/tests/proxy-localhost
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Canonical Server		2019-02-20	Pending
Review via email: mp+363424@code.launchpad.net

Description of the change

Merge from debian. Our single delta still applies, but it was already accepted by debian and should be in an upcoming release (https://salsa.debian.org/haproxy-team/haproxy/merge_requests/3).

I updated the test to use "service" instead of "systemctl" to match what was accepted by debian after my submission.

Unmerged commits

9132c04... by Andreas Hasenack on 2019-02-20

update-maintainer

1044ad9... by Andreas Hasenack on 2019-02-20

reconstruct-changelog

ebda99b... by Andreas Hasenack on 2019-02-20

merge-changelogs

e44336d... by Andreas Hasenack on 2019-01-24

    - d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
      generate traffic through haproxy.
      [Updated to use "service" instead of "systemctl" to match what was
      submitted to Debian.]

bd3810b... by Apollon Oikonomopoulos <email address hidden> on 2019-02-12

Import patches-unapplied version 1.8.19-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 3b885bfb277d04831405e979d38eac423793855c

New changelog entries:
  * New upstream version 1.8.19
    - BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
    - BUG/MEDIUM: server: initialize the idle conns list after parsing the
                  config
    - BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck
    - BUG/MAJOR: stream: avoid double free on unique_id (Closes: #921981)

3b885bf... by Vincent Bernat on 2019-02-06

Import patches-unapplied version 1.8.18-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a1a84313d54570921ed9a0ecd52c2b23ec5e991e

New changelog entries:
  * New upstream version 1.8.18
    - BUG/MAJOR: cache: fix confusion between zero and uninitialized cache
                 key
    - BUG/MAJOR: config: verify that targets of track-sc and stick rules
                 are present
    - BUG/MAJOR: spoe: verify that backends used by SPOE cover all their
                 callers' processes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/CHANGELOG b/CHANGELOG
 index 6a8554b..d489531 100644
 --- a/CHANGELOG
 +++ b/CHANGELOG
@@ -1,6 +1,58 @@
  ChangeLog :
  ===========
++2019/02/11 : 1.8.19
++    - DOC: ssl: Clarify when pre TLSv1.3 cipher can be used
++    - DOC: ssl: Stop documenting ciphers example to use
++    - BUG/MINOR: spoe: do not assume agent->rt is valid on exit
++    - BUG/MINOR: lua: initialize the correct idle conn lists for the SSL sockets
++    - BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
++    - BUG/MEDIUM: server: initialize the idle conns list after parsing the config
++    - BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck
++    - BUG/MAJOR: stream: avoid double free on unique_id
++    - BUG/MINOR: config: Reinforce validity check when a process number is parsed
++
++2019/02/06 : 1.8.18
++    - DOC: http-request cache-use / http-response cache-store expects cache name
++    - BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
++    - BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
++    - DOC: Be a bit more explicit about allow-0rtt security implications.
++    - BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
++    - BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
++    - BUG/MINOR: backend: balance uri specific options were lost across defaults
++    - BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
++    - BUG/MINOR: stick_table: Prevent conn_cur from underflowing
++    - BUG/MINOR: server: don't always trust srv_check_health when loading a server state
++    - BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()
++    - BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
++    - DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
++    - MINOR: h2: add a bit-based frame type representation
++    - MINOR: h2: declare new sets of frame types
++    - BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
++    - BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error
++    - BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream
++    - BUG/MINOR: hpack: return a compression error on invalid table size updates
++    - DOC: nbthread is no longer experimental.
++    - BUG/MINOR: spoe: corrected fragmentation string size
++    - BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit
++    - SCRIPTS: add the slack channel URL to the announce script
++    - SCRIPTS: add the issue tracker URL to the announce script
++    - BUG/MINOR: stream: don't close the front connection when facing a backend error
++    - MINOR: xref: Add missing barriers.
++    - BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update
++    - BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
++    - BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
++    - BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection
++    - MINOR: stream-int: expand the flags to 32-bit
++    - MINOR: stream-int: add a new flag to mention that we want the connection to be killed
++    - MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
++    - BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
++    - BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().
++    - BUG/MINOR: config: fix bind line thread mask validation
++    - BUG/MAJOR: config: verify that targets of track-sc and stick rules are present
++    - BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes
++    - BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules
++
 /01/08 : 1.8.17
      - BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify()
      - MINOR: mux-h2: only increase the connection window with the first update
 diff --git a/README b/README
 index 07e095a..e66b5fd 100644
 --- a/README
 +++ b/README
@@ -3,7 +3,7 @@
                           ----------------------
                                version 1.8
                               willy tarreau
--                               2019/01/08
++                               2019/02/11
 ) How to build it
 diff --git a/VERDATE b/VERDATE
 index 944f490..ddc7727 100644
 --- a/VERDATE
 +++ b/VERDATE
@@ -1,2 +1,2 @@
  $Format:%ci$
--2019/01/08
++2019/02/11
 diff --git a/VERSION b/VERSION
 index f49e8ed..c8f955a 100644
 --- a/VERSION
 +++ b/VERSION
@@ -1 +1 @@
--1.8.17
++1.8.19
 diff --git a/debian/changelog b/debian/changelog
 index 3f24b6e..f461719 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,39 @@
++<<<<<<< debian/changelog
++=======
++haproxy (1.8.19-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
++      generate traffic through haproxy.
++      [Updated to use "service" instead of "systemctl" to match what was
++      submitted to Debian.]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 20 Feb 2019 14:18:15 +0100
++
++haproxy (1.8.19-1) unstable; urgency=medium
++
++  * New upstream version 1.8.19
++    - BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
++    - BUG/MEDIUM: server: initialize the idle conns list after parsing the
++                  config
++    - BUG/MAJOR:  spoe: Don't try to get agent config during SPOP healthcheck
++    - BUG/MAJOR:  stream: avoid double free on unique_id (Closes: #921981)
++
++ -- Apollon Oikonomopoulos <apoikos@debian.org>  Tue, 12 Feb 2019 10:30:54 +0200
++
++haproxy (1.8.18-1) unstable; urgency=medium
++
++  * New upstream version 1.8.18
++    - BUG/MAJOR: cache: fix confusion between zero and uninitialized cache
++                 key
++    - BUG/MAJOR: config: verify that targets of track-sc and stick rules
++                 are present
++    - BUG/MAJOR: spoe: verify that backends used by SPOE cover all their
++                 callers' processes
++
++ -- Vincent Bernat <bernat@debian.org>  Wed, 06 Feb 2019 18:44:54 +0100
++
++>>>>>>> debian/changelog
  haproxy (1.8.17-1ubuntu1) disco; urgency=medium
    * d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
 diff --git a/debian/control b/debian/control
 index 941d92f..a85b34f 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: haproxy
  Section: net
  Priority: optional
--Maintainer: Debian HAProxy Maintainers <haproxy@tracker.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian HAProxy Maintainers <haproxy@tracker.debian.org>
  Uploaders: Apollon Oikonomopoulos <apoikos@debian.org>,
             Prach Pongpanich <prach@debian.org>,
             Vincent Bernat <bernat@debian.org>
 diff --git a/debian/tests/proxy-localhost b/debian/tests/proxy-localhost
 index 2824287..b7762d5 100644
 --- a/debian/tests/proxy-localhost
 +++ b/debian/tests/proxy-localhost
@@ -33,7 +33,11 @@ backend test-back
      server test-1 localhost:80
  EOF
++<<<<<<< debian/tests/proxy-localhost
  systemctl restart haproxy
++=======
++service haproxy restart
++>>>>>>> debian/tests/proxy-localhost
  # index.html is shipped with apache2
  # Download it via haproxy and compare
 diff --git a/doc/configuration.txt b/doc/configuration.txt
 index 4f999e2..8d75d56 100644
 --- a/doc/configuration.txt
 +++ b/doc/configuration.txt
@@ -4,7 +4,7 @@
                           ----------------------
                                version 1.8
                               willy tarreau
--                              2019/01/08
++                              2019/02/11
  This document covers the configuration language as implemented in the version
@@ -917,14 +917,14 @@ nbproc <number>
    mode. By default, only one process is created, which is the recommended mode
    of operation. For systems limited to small sets of file descriptors per
    process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
--  IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
++  IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and
++  "nbthread".
  nbthread <number>
    This setting is only available when support for threads was built in. It
    creates <number> threads for each created processes. It means if HAProxy is
    started in foreground, it only creates <number> threads for the first
--  process. FOR NOW, THREADS SUPPORT IN HAPROXY IS HIGHLY EXPERIMENTAL AND IT
--  MUST BE ENABLED WITH CAUTION AND AT YOUR OWN RISK. See also "nbproc".
++  process. See also "nbproc".
  pidfile <pidfile>
    Writes PIDs of all daemons into file <pidfile>. This option is equivalent to
@@ -986,12 +986,14 @@ setenv <name> <value>
  ssl-default-bind-ciphers <ciphers>
    This setting is only available when support for OpenSSL was built in. It sets
    the default string describing the list of cipher algorithms ("cipher suite")
--  that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all
++  that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
    "bind" lines which do not explicitly define theirs. The format of the string
--  is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
--  a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
--  TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites"
--  keyword. Please check the "bind" keyword for more information.
++  is defined in "man 1 ciphers" from OpenSSL man pages. For background
++  information and recommendations see e.g.
++  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
++  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
++  cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
++  Please check the "bind" keyword for more information.
  ssl-default-bind-ciphersuites <ciphersuites>
    This setting is only available when support for OpenSSL was built in and
@@ -999,11 +1001,9 @@ ssl-default-bind-ciphersuites <ciphersuites>
    describing the list of cipher algorithms ("cipher suite") that are negotiated
    during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
    theirs. The format of the string is defined in
--  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can
--  be for instance a string such as
--  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
--  (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
--  the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
++  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
++  cipher configuration for TLSv1.2 and earlier, please check the
++  "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
    information.
  ssl-default-bind-options [<option>]...
@@ -1018,11 +1018,15 @@ ssl-default-bind-options [<option>]...
  ssl-default-server-ciphers <ciphers>
    This setting is only available when support for OpenSSL was built in. It
    sets the default string describing the list of cipher algorithms that are
--  negotiated during the SSL/TLS handshake except for TLSv1.3 with the server,
++  negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
    for all "server" lines which do not explicitly define theirs. The format of
--  the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
--  please check the "ssl-default-server-ciphersuites" keyword. Please check the
--  "server" keyword for more information.
++  the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
++  information and recommendations see e.g.
++  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
++  (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
++  For TLSv1.3 cipher configuration, please check the
++  "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
++  for more information.
  ssl-default-server-ciphersuites <ciphersuites>
    This setting is only available when support for OpenSSL was built in and
@@ -1030,9 +1034,10 @@ ssl-default-server-ciphersuites <ciphersuites>
    string describing the list of cipher algorithms that are negotiated during
    the TLSv1.3 handshake with the server, for all "server" lines which do not
    explicitly define theirs. The format of the string is defined in
--  "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for
--  TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
--  Please check the "server" keyword for more information.
++  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
++  cipher configuration for TLSv1.2 and earlier, please check the
++  "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
++  more information.
  ssl-default-server-options [<option>]...
    This setting is only available when support for OpenSSL was built in. It sets
@@ -10483,7 +10488,10 @@ accept-proxy
  allow-0rtt
    Allow receiving early data when using TLSv1.3. This is disabled by default,
--  due to security considerations.
++  due to security considerations. Because it is vulnerable to replay attacks,
++  you should only allow if for requests that are safe to replay, ie requests
++  that are idempotent. You can use the "wait-for-handshake" action for any
++  request that wouldn't be safe with early data.
  alpn <protocols>
    This enables the TLS ALPN extension and advertises the specified protocol
@@ -10545,11 +10553,8 @@ ca-sign-pass <passphrase>
  ciphers <ciphers>
    This setting is only available when support for OpenSSL was built in. It sets
    the string describing the list of cipher algorithms ("cipher suite") that are
--  negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the
--  string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
--  instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
--  quotes). Depending on the compatibility and security requirements, the list
--  of suitable ciphers depends on a variety of variables. For background
++  negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
++  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
    information and recommendations see e.g.
    (https://wiki.mozilla.org/Security/Server_Side_TLS) and
    (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
@@ -10560,11 +10565,8 @@ ciphersuites <ciphersuites>
    OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
    the list of cipher algorithms ("cipher suite") that are negotiated during the
    TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
--  OpenSSL man pages under the "ciphersuites" section, and can be for instance a
--  string such as
--  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
--  (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
--  the "ciphers" keyword.
++  OpenSSL man pages under the "ciphersuites" section. For cipher configuration
++  for TLSv1.2 and earlier, please check the "ciphers" keyword.
  crl-file <crlfile>
    This setting is only available when support for OpenSSL was built in. It
@@ -11278,19 +11280,20 @@ ciphers <ciphers>
    This setting is only available when support for OpenSSL was built in. This
    option sets the string describing the list of cipher algorithms that is
    negotiated during the SSL/TLS handshake with the server. The format of the
--  string is defined in "man 1 ciphers". When SSL is used to communicate with
--  servers on the local network, it is common to see a weaker set of algorithms
--  than what is used over the internet. Doing so reduces CPU usage on both the
--  server and haproxy while still keeping it compatible with deployed software.
--  Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
--  is needed and just connectivity, using DES can be appropriate.
++  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
++  information and recommendations see e.g.
++  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
++  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
++  cipher configuration, please check the "ciphersuites" keyword.
  ciphersuites <ciphersuites>
    This setting is only available when support for OpenSSL was built in and
    OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
    describing the list of cipher algorithms that is negotiated during the TLS
 .3 handshake with the server. The format of the string is defined in
--  "man 1 ciphers" under the "ciphersuites" section.
++  "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
++  For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
++  keyword.
  cookie <value>
    The "cookie" parameter sets the cookie value assigned to the server to
@@ -13819,7 +13822,12 @@ dst : ip
    which is the address the client connected to. It can be useful when running
    in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
    On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
--  RFC 4291.
++  RFC 4291. When the incoming connection passed through address translation or
++  redirection involving connection tracking, the original destination address
++  before the redirection will be reported. On Linux systems, the source and
++  destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
++  is set, because a late response may reopen a timed out connection and switch
++  what is believed to be the source and the destination.
  dst_conn : integer
    Returns an integer value corresponding to the number of currently established
@@ -14124,7 +14132,13 @@ src : ip
    behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
    directive is used, it can be the address of a client behind another
    PROXY-protocol compatible component for all rule sets except
--  "tcp-request connection" which sees the real address.
++  "tcp-request connection" which sees the real address. When the incoming
++  connection passed through address translation or redirection involving
++  connection tracking, the original destination address before the redirection
++  will be reported. On Linux systems, the source and destination may seldom
++  appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
++  response may reopen a timed out connection and switch what is believed to be
++  the source and the destination.
    Example:
         # add an HTTP header in requests with the originating address' country
@@ -17157,13 +17171,13 @@ max-age <seconds>
 .2.2. Proxy section
  ---------------------
--http-request cache-use <name>
++http-request cache-use <name> [ { if | unless } <condition> ]
    Try to deliver a cached object from the cache <name>. This directive is also
    mandatory to store the cache as it calculates the cache hash. If you want to
    use a condition for both storage and delivering that's a good idea to put it
    after this one.
--http-response cache-store <name>
++http-response cache-store <name> [ { if | unless } <condition> ]
    Store an http-response within the cache. The storage of the response headers
    is done at this step, which means you can use others http-response actions
    to modify headers before or after the storage of the response. This action
 diff --git a/examples/haproxy.spec b/examples/haproxy.spec
 index 15f0850..aaa83c8 100644
 --- a/examples/haproxy.spec
 +++ b/examples/haproxy.spec
@@ -1,6 +1,6 @@
  Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
  Name: haproxy
--Version: 1.8.17
++Version: 1.8.19
  Release: 1
  License: GPL
  Group: System Environment/Daemons
@@ -74,6 +74,12 @@ fi
  %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
  %changelog
++* Mon Feb 11 2019 Willy Tarreau <w@1wt.eu>
++- updated to 1.8.19
++
++* Wed Feb  6 2019 Willy Tarreau <w@1wt.eu>
++- updated to 1.8.18
++
  * Tue Jan  8 2019 Willy Tarreau <w@1wt.eu>
  - updated to 1.8.17
 diff --git a/include/common/h2.h b/include/common/h2.h
 index 576ed10..dec1763 100644
 --- a/include/common/h2.h
 +++ b/include/common/h2.h
@@ -81,6 +81,30 @@ enum h2_ft {
  	H2_FT_ENTRIES /* must be last */
  } __attribute__((packed));
++/* frame types, turned to bits or bit fields */
++enum {
++	/* one bit per frame type */
++	H2_FT_DATA_BIT          = 1U << H2_FT_DATA,
++	H2_FT_HEADERS_BIT       = 1U << H2_FT_HEADERS,
++	H2_FT_PRIORITY_BIT      = 1U << H2_FT_PRIORITY,
++	H2_FT_RST_STREAM_BIT    = 1U << H2_FT_RST_STREAM,
++	H2_FT_SETTINGS_BIT      = 1U << H2_FT_SETTINGS,
++	H2_FT_PUSH_PROMISE_BIT  = 1U << H2_FT_PUSH_PROMISE,
++	H2_FT_PING_BIT          = 1U << H2_FT_PING,
++	H2_FT_GOAWAY_BIT        = 1U << H2_FT_GOAWAY,
++	H2_FT_WINDOW_UPDATE_BIT = 1U << H2_FT_WINDOW_UPDATE,
++	H2_FT_CONTINUATION_BIT  = 1U << H2_FT_CONTINUATION,
++	/* padded frames */
++	H2_FT_PADDED_MASK       = H2_FT_DATA_BIT | H2_FT_HEADERS_BIT | H2_FT_PUSH_PROMISE_BIT,
++	/* flow controlled frames */
++	H2_FT_FC_MASK           = H2_FT_DATA_BIT,
++	/* header frames */
++	H2_FT_HDR_MASK          = H2_FT_HEADERS_BIT | H2_FT_PUSH_PROMISE_BIT | H2_FT_CONTINUATION_BIT,
++	/* frames allowed to arrive late on a stream */
++	H2_FT_LATE_MASK         = H2_FT_WINDOW_UPDATE_BIT | H2_FT_RST_STREAM_BIT | H2_FT_PRIORITY_BIT,
++};
++
++
  /* flags defined for each frame type */
  // RFC7540 #6.1
@@ -109,6 +133,9 @@ enum h2_ft {
  // RFC7540 #6.8 : GOAWAY defines no flags
  // RFC7540 #6.9 : WINDOW_UPDATE defines no flags
++// PADDED is the exact same among DATA, HEADERS and PUSH_PROMISE (8)
++#define H2_F_PADDED              0x08
++
  /* HTTP/2 error codes - RFC7540 #7 */
  enum h2_err {
  	H2_ERR_NO_ERROR            = 0x0,
@@ -159,6 +186,12 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize, unsigned int
   * Some helpful debugging functions.
   */
++/* returns a bit corresponding to the frame type */
++static inline unsigned int h2_ft_bit(enum h2_ft ft)
++{
++	return 1U << ft;
++}
++
  /* returns the frame type as a string */
  static inline const char *h2_ft_str(int type)
+ {
 diff --git a/include/common/hpack-tbl.h b/include/common/hpack-tbl.h
 index 385f386..2cbc2bf 100644
 --- a/include/common/hpack-tbl.h
 +++ b/include/common/hpack-tbl.h
@@ -127,6 +127,7 @@ enum {
  	HPACK_ERR_MISSING_AUTHORITY,  /* :authority is missing with CONNECT */
  	HPACK_ERR_SCHEME_NOT_ALLOWED, /* :scheme not allowed with CONNECT */
  	HPACK_ERR_PATH_NOT_ALLOWED,   /* :path not allowed with CONNECT */
++	HPACK_ERR_INVALID_ARGUMENT,   /* an invalid argument was passed */
  };
  /* static header table as in RFC7541 Appendix A. [0] unused. */
 diff --git a/include/common/xref.h b/include/common/xref.h
 index 6dfa7b6..a6291f5 100644
 --- a/include/common/xref.h
 +++ b/include/common/xref.h
@@ -32,6 +32,7 @@ static inline struct xref *xref_get_peer_and_lock(struct xref *xref)
  		/* Get the local pointer to the peer. */
  		local = HA_ATOMIC_XCHG(&xref->peer, XREF_BUSY);
++		__ha_barrier_store();
  		/* If the local pointer is NULL, the peer no longer exists. */
  		if (local == NULL) {
@@ -53,6 +54,7 @@ static inline struct xref *xref_get_peer_and_lock(struct xref *xref)
  		/* The remote lock is BUSY, We retry the process. */
  		if (remote == XREF_BUSY) {
  			xref->peer = local;
++			__ha_barrier_store();
  			continue;
+ 		}
@@ -66,6 +68,8 @@ static inline void xref_unlock(struct xref *xref, struct xref *peer)
  	/* Release the peer. */
  	peer->peer = xref;
++	__ha_barrier_store();
++
  	/* Release myself. */
  	xref->peer = peer;
+ }
@@ -73,6 +77,7 @@ static inline void xref_unlock(struct xref *xref, struct xref *peer)
  static inline void xref_disconnect(struct xref *xref, struct xref *peer)
+ {
  	peer->peer = NULL;
++	__ha_barrier_store();
  	xref->peer = NULL;
+ }
 diff --git a/include/proto/session.h b/include/proto/session.h
 index f48c0d4..7265f5a 100644
 --- a/include/proto/session.h
 +++ b/include/proto/session.h
@@ -59,7 +59,8 @@ static inline void session_store_counters(struct session *sess)
  		if (ptr) {
  			HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
--			stktable_data_cast(ptr, conn_cur)--;
++			if (stktable_data_cast(ptr, conn_cur) > 0)
++				stktable_data_cast(ptr, conn_cur)--;
  			HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
 diff --git a/include/proto/stream.h b/include/proto/stream.h
 index 8521957..c9bcac3 100644
 --- a/include/proto/stream.h
 +++ b/include/proto/stream.h
@@ -104,7 +104,8 @@ static inline void stream_store_counters(struct stream *s)
  		if (ptr) {
  			HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
--			stktable_data_cast(ptr, conn_cur)--;
++			if (stktable_data_cast(ptr, conn_cur) > 0)
++				stktable_data_cast(ptr, conn_cur)--;
  			HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
@@ -142,7 +143,8 @@ static inline void stream_stop_content_counters(struct stream *s)
  		if (ptr) {
  			HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
--			stktable_data_cast(ptr, conn_cur)--;
++			if (stktable_data_cast(ptr, conn_cur) > 0)
++				stktable_data_cast(ptr, conn_cur)--;
  			HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
 diff --git a/include/proto/stream_interface.h b/include/proto/stream_interface.h
 index ee1fa12..9db7920 100644
 --- a/include/proto/stream_interface.h
 +++ b/include/proto/stream_interface.h
@@ -320,6 +320,12 @@ static inline void si_shutw(struct stream_interface *si)
  	si->ops->shutw(si);
+ }
++/* Marks on the stream-interface that next shutw must kill the whole connection */
++static inline void si_must_kill_conn(struct stream_interface *si)
++{
++	si->flags |= SI_FL_KILL_CONN;
++}
++
  /* Updates the stream interface and timers, then updates the data layer below */
  static inline void si_update(struct stream_interface *si)
+ {
 diff --git a/include/types/connection.h b/include/types/connection.h
 index b9e4604..c1d1b35 100644
 --- a/include/types/connection.h
 +++ b/include/types/connection.h
@@ -70,6 +70,7 @@ enum {
  	CS_FL_ERROR         = 0x00000100,  /* a fatal error was reported */
  	CS_FL_RCV_MORE      = 0x00000200,  /* more bytes to receive but not enough room */
  	CS_FL_EOS           = 0x00001000,  /* End of stream */
++	CS_FL_KILL_CONN     = 0x00002000,  /* must kill the connection when the CS closes */
  };
  /* cs_shutr() modes */
 diff --git a/include/types/stream_interface.h b/include/types/stream_interface.h
 index 0c83759..c805685 100644
 --- a/include/types/stream_interface.h
 +++ b/include/types/stream_interface.h
@@ -59,22 +59,23 @@ enum {
  	SI_ET_DATA_ABRT  = 0x0400,  /* data phase aborted by external cause */
  };
--/* flags set after I/O (16 bit) */
++/* flags set after I/O (32 bit) */
  enum {
--	SI_FL_NONE       = 0x0000,  /* nothing */
--	SI_FL_EXP        = 0x0001,  /* timeout has expired */
--	SI_FL_ERR        = 0x0002,  /* a non-recoverable error has occurred */
--	SI_FL_WAIT_ROOM  = 0x0004,  /* waiting for space to store incoming data */
--	SI_FL_WAIT_DATA  = 0x0008,  /* waiting for more data to send */
--	SI_FL_ISBACK     = 0x0010,  /* 0 for front-side SI, 1 for back-side */
--	SI_FL_DONT_WAKE  = 0x0020,  /* resync in progress, don't wake up */
--	SI_FL_INDEP_STR  = 0x0040,  /* independent streams = don't update rex on write */
--	SI_FL_NOLINGER   = 0x0080,  /* may close without lingering. One-shot. */
--	SI_FL_NOHALF     = 0x0100,  /* no half close, close both sides at once */
--	SI_FL_SRC_ADDR   = 0x1000,  /* get the source ip/port with getsockname */
--	SI_FL_WANT_PUT   = 0x2000,  /* an applet would like to put some data into the buffer */
--	SI_FL_WANT_GET   = 0x4000,  /* an applet would like to get some data from the buffer */
--	SI_FL_CLEAN_ABRT = 0x8000,  /* SI_FL_ERR is used to report aborts, and not SHUTR */
++	SI_FL_NONE       = 0x00000000,  /* nothing */
++	SI_FL_EXP        = 0x00000001,  /* timeout has expired */
++	SI_FL_ERR        = 0x00000002,  /* a non-recoverable error has occurred */
++	SI_FL_WAIT_ROOM  = 0x00000004,  /* waiting for space to store incoming data */
++	SI_FL_WAIT_DATA  = 0x00000008,  /* waiting for more data to send */
++	SI_FL_ISBACK     = 0x00000010,  /* 0 for front-side SI, 1 for back-side */
++	SI_FL_DONT_WAKE  = 0x00000020,  /* resync in progress, don't wake up */
++	SI_FL_INDEP_STR  = 0x00000040,  /* independent streams = don't update rex on write */
++	SI_FL_NOLINGER   = 0x00000080,  /* may close without lingering. One-shot. */
++	SI_FL_NOHALF     = 0x00000100,  /* no half close, close both sides at once */
++	SI_FL_SRC_ADDR   = 0x00001000,  /* get the source ip/port with getsockname */
++	SI_FL_WANT_PUT   = 0x00002000,  /* an applet would like to put some data into the buffer */
++	SI_FL_WANT_GET   = 0x00004000,  /* an applet would like to get some data from the buffer */
++	SI_FL_CLEAN_ABRT = 0x00008000,  /* SI_FL_ERR is used to report aborts, and not SHUTR */
++	SI_FL_KILL_CONN  = 0x00010000,  /* next shutw must kill the whole conn, not just the stream */
  };
  /* A stream interface has 3 parts :
@@ -92,10 +93,11 @@ struct stream_interface {
  	/* struct members used by the "buffer" side */
  	enum si_state state;     /* SI_ST* */
  	enum si_state prev_state;/* SI_ST*, copy of previous state */
--	unsigned short flags;    /* SI_FL_* */
--	unsigned int exp;       /* wake up time for connect, queue, turn-around, ... */
++	/* 16-bit hole here */
++	unsigned int flags;     /* SI_FL_* */
  	enum obj_type *end;     /* points to the end point (connection or appctx) */
  	struct si_ops *ops;     /* general operations at the stream interface layer */
++	unsigned int exp;       /* wake up time for connect, queue, turn-around, ... */
  	/* struct members below are the "remote" part, as seen from the buffer side */
  	unsigned int err_type;  /* first error detected, one of SI_ET_* */
 diff --git a/scripts/announce-release b/scripts/announce-release
 index c4045ae..972d6ea 100755
 --- a/scripts/announce-release
 +++ b/scripts/announce-release
@@ -155,6 +155,8 @@ fi
  (echo "Please find the usual URLs below :"
   echo "   Site index       : http://www.haproxy.org/"
   echo "   Discourse        : http://discourse.haproxy.org/"
++ echo "   Slack channel    : https://slack.haproxy.org/"
++ echo "   Issue tracker    : https://github.com/haproxy/haproxy/issues"
   echo "   Sources          : http://www.haproxy.org/download/${BRANCH}/src/"
   echo "   Git repository   : http://git.haproxy.org/git/${gitdir}/"
   echo "   Git Web browsing : http://git.haproxy.org/?p=${gitdir}"
 diff --git a/src/action.c b/src/action.c
 index 54d27a0..7574fba 100644
 --- a/src/action.c
 +++ b/src/action.c
@@ -51,6 +51,11 @@ int check_trk_action(struct act_rule *rule, struct proxy *px, char **err)
  			  trk_idx(rule->action));
  		return 0;
+ 	}
++	else if (px->bind_proc & ~target->bind_proc) {
++		memprintf(err, "stick-table '%s' referenced by 'track-sc%d' rule not present on all processes covered by proxy '%s'",
++			  target->id, trk_idx(rule->action), px->id);
++		return 0;
++	}
  	else {
  		free(rule->arg.trk_ctr.table.n);
  		rule->arg.trk_ctr.table.t = &target->table;
 diff --git a/src/backend.c b/src/backend.c
 index 87327f1..0cf14cf 100644
 --- a/src/backend.c
 +++ b/src/backend.c
@@ -183,7 +183,7 @@ static struct server *get_server_sh(struct proxy *px, const char *addr, int len,
  	if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
  		h = full_hash(h);
   hash_done:
--	if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
++	if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  		return chash_get_server_hash(px, h, avoid);
  	else
  		return map_get_server_hash(px, h);
@@ -236,7 +236,7 @@ static struct server *get_server_uh(struct proxy *px, char *uri, int uri_len, co
  	if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
  		hash = full_hash(hash);
   hash_done:
--	if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
++	if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  		return chash_get_server_hash(px, hash, avoid);
  	else
  		return map_get_server_hash(px, hash);
@@ -293,7 +293,7 @@ static struct server *get_server_ph(struct proxy *px, const char *uri, int uri_l
  				if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
  					hash = full_hash(hash);
--				if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
++				if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  					return chash_get_server_hash(px, hash, avoid);
  				else
  					return map_get_server_hash(px, hash);
@@ -367,7 +367,7 @@ static struct server *get_server_ph_post(struct stream *s, const struct server *
  				if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
  					hash = full_hash(hash);
--				if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
++				if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  					return chash_get_server_hash(px, hash, avoid);
  				else
  					return map_get_server_hash(px, hash);
@@ -463,7 +463,7 @@ static struct server *get_server_hh(struct stream *s, const struct server *avoid
  	if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
  		hash = full_hash(hash);
   hash_done:
--	if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
++	if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  		return chash_get_server_hash(px, hash, avoid);
  	else
  		return map_get_server_hash(px, hash);
@@ -507,7 +507,7 @@ static struct server *get_server_rch(struct stream *s, const struct server *avoi
  	if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
  		hash = full_hash(hash);
   hash_done:
--	if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
++	if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  		return chash_get_server_hash(px, hash, avoid);
  	else
  		return map_get_server_hash(px, hash);
@@ -615,7 +615,7 @@ int assign_server(struct stream *s)
  		case BE_LB_LKUP_CHTREE:
  		case BE_LB_LKUP_MAP:
  			if ((s->be->lbprm.algo & BE_LB_KIND) == BE_LB_KIND_RR) {
--				if (s->be->lbprm.algo & BE_LB_LKUP_CHTREE)
++				if ((s->be->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  					srv = chash_get_next_server(s->be, prev_srv);
  				else
  					srv = map_get_server_rr(s->be, prev_srv);
@@ -691,7 +691,7 @@ int assign_server(struct stream *s)
  			 * back to round robin on the map.
  			 */
  			if (!srv) {
--				if (s->be->lbprm.algo & BE_LB_LKUP_CHTREE)
++				if ((s->be->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
  					srv = chash_get_next_server(s->be, prev_srv);
  				else
  					srv = map_get_server_rr(s->be, prev_srv);
@@ -1516,6 +1516,8 @@ int backend_parse_balance(const char **args, char **err, struct proxy *curproxy)
  		curproxy->lbprm.algo |= BE_LB_ALGO_UH;
  		curproxy->uri_whole = 0;
++		curproxy->uri_len_limit = 0;
++		curproxy->uri_dirs_depth1 = 0;
  		while (*args[arg]) {
  			if (!strcmp(args[arg], "len")) {
 diff --git a/src/cache.c b/src/cache.c
 index 667cede..3d8ed24 100644
 --- a/src/cache.c
 +++ b/src/cache.c
@@ -400,7 +400,7 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
  	struct cache *cache = (struct cache *)rule->arg.act.p[0];
  	struct shared_context *shctx = shctx_ptr(cache);
  	struct cache_entry *object;
--
++	unsigned int key = *(unsigned int *)txn->cache_hash;
  	/* Don't cache if the response came from a cache */
  	if ((obj_type(s->target) == OBJ_TYPE_APPLET) &&
@@ -420,6 +420,10 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
  	if (txn->meth != HTTP_METH_GET)
  		goto out;
++	/* cache key was not computed */
++	if (!key)
++		goto out;
++
  	/* cache only 200 status code */
  	if (txn->status != 200)
  		goto out;
@@ -478,7 +482,7 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
  					cache_ctx->first_block = first;
--					object->eb.key = (*(unsigned int *)&txn->cache_hash);
++					object->eb.key = key;
  					memcpy(object->hash, txn->cache_hash, sizeof(object->hash));
  					/* Insert the node later on caching success */
 diff --git a/src/cfgparse.c b/src/cfgparse.c
 index 94f2963..c178538 100644
 --- a/src/cfgparse.c
 +++ b/src/cfgparse.c
@@ -613,16 +613,20 @@ int parse_process_number(const char *arg, unsigned long *proc, int *autoinc, cha
  	else if (strcmp(arg, "even") == 0)
  		*proc |= (~0UL/3UL) << 1; /* 0xAAA...AAA */
  	else {
--		char *dash;
++		const char *p, *dash = NULL;
  		unsigned int low, high;
--		if (!isdigit((int)*arg)) {
--			memprintf(err, "'%s' is not a valid number.\n", arg);
--			return -1;
++		for (p = arg; *p; p++) {
++			if (*p == '-' && !dash)
++				dash = p;
++			else if (!isdigit((int)*p)) {
++				memprintf(err, "'%s' is not a valid number/range.", arg);
++				return -1;
++			}
+ 		}
  		low = high = str2uic(arg);
--		if ((dash = strchr(arg, '-')) != NULL)
++		if (dash)
  			high = ((!*(dash+1)) ? LONGBITS : str2uic(dash + 1));
  		if (high < low) {
@@ -2844,7 +2848,10 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
  			if (defproxy.url_param_name)
  				curproxy->url_param_name = strdup(defproxy.url_param_name);
--			curproxy->url_param_len = defproxy.url_param_len;
++			curproxy->url_param_len   = defproxy.url_param_len;
++			curproxy->uri_whole       = defproxy.uri_whole;
++			curproxy->uri_len_limit   = defproxy.uri_len_limit;
++			curproxy->uri_dirs_depth1 = defproxy.uri_dirs_depth1;
  			if (defproxy.hh_name)
  				curproxy->hh_name = strdup(defproxy.hh_name);
@@ -7648,9 +7655,9 @@ int check_config_validity()
  			/* detect and address thread affinity inconsistencies */
  			nbproc = 0;
  			if (bind_conf->bind_proc)
--				nbproc = my_ffsl(bind_conf->bind_proc);
++				nbproc = my_ffsl(bind_conf->bind_proc) - 1;
--			mask = bind_conf->bind_thread[nbproc - 1];
++			mask = bind_conf->bind_thread[nbproc];
  			if (mask && !(mask & all_threads_mask)) {
  				unsigned long new_mask = 0;
@@ -7996,6 +8003,11 @@ int check_config_validity()
  					 curproxy->id, mrule->table.name ? mrule->table.name : curproxy->id);
  				cfgerr++;
+ 			}
++			else if (curproxy->bind_proc & ~target->bind_proc) {
++				ha_alert("Proxy '%s': stick-table '%s' referenced 'stick-store' rule not present on all processes covered by proxy '%s'.\n",
++				         curproxy->id, target->id, curproxy->id);
++				cfgerr++;
++			}
  			else {
  				free((void *)mrule->table.name);
  				mrule->table.t = &(target->table);
@@ -8029,6 +8041,11 @@ int check_config_validity()
  					 curproxy->id, mrule->table.name ? mrule->table.name : curproxy->id);
  				cfgerr++;
+ 			}
++			else if (curproxy->bind_proc & ~target->bind_proc) {
++				ha_alert("Proxy '%s': stick-table '%s' referenced 'stick-store' rule not present on all processes covered by proxy '%s'.\n",
++				         curproxy->id, target->id, curproxy->id);
++				cfgerr++;
++			}
  			else {
  				free((void *)mrule->table.name);
  				mrule->table.t = &(target->table);
@@ -8829,6 +8846,33 @@ out_uri_auth_compat:
+ 				}
+ 			}
+ 		}
++
++		/* initialize idle conns lists */
++		for (newsrv = curproxy->srv; newsrv; newsrv = newsrv->next) {
++			int i;
++
++			newsrv->priv_conns = calloc(global.nbthread, sizeof(*newsrv->priv_conns));
++			newsrv->idle_conns = calloc(global.nbthread, sizeof(*newsrv->idle_conns));
++			newsrv->safe_conns = calloc(global.nbthread, sizeof(*newsrv->safe_conns));
++
++			if (!newsrv->priv_conns || !newsrv->idle_conns || !newsrv->safe_conns) {
++				free(newsrv->safe_conns); newsrv->safe_conns = NULL;
++				free(newsrv->idle_conns); newsrv->idle_conns = NULL;
++				free(newsrv->priv_conns); newsrv->priv_conns = NULL;
++				ha_alert("parsing [%s:%d] : failed to allocate idle connections for server '%s'.\n",
++					 newsrv->conf.file, newsrv->conf.line, newsrv->id);
++				cfgerr++;
++				continue;
++			}
++
++			for (i = 0; i < global.nbthread; i++) {
++				LIST_INIT(&newsrv->priv_conns[i]);
++				LIST_INIT(&newsrv->idle_conns[i]);
++				LIST_INIT(&newsrv->safe_conns[i]);
++			}
++
++			LIST_INIT(&newsrv->update_status);
++		}
+ 	}
  	/***********************************************************/
 diff --git a/src/checks.c b/src/checks.c
 index 74958b2..e04f114 100644
 --- a/src/checks.c
 +++ b/src/checks.c
@@ -1403,12 +1403,13 @@ static int wake_srv_chk(struct conn_stream *cs)
+ 	}
  	if (check->result != CHK_RES_UNKNOWN) {
--		/* We're here because nobody wants to handle the error, so we
--		 * sure want to abort the hard way.
--		 */
++		/* Check complete or aborted. If connection not yet closed do it
++		 * now and wake the check task up to be sure the result is
++		 * handled ASAP. */
  		conn_sock_drain(conn);
  		cs_close(cs);
  		ret = -1;
++		task_wakeup(check->task, TASK_WOKEN_IO);
+ 	}
  	HA_SPIN_UNLOCK(SERVER_LOCK, &check->server->lock);
 diff --git a/src/flt_spoe.c b/src/flt_spoe.c
 index 4009c2a..e445388 100644
 --- a/src/flt_spoe.c
 +++ b/src/flt_spoe.c
@@ -170,8 +170,10 @@ spoe_release_agent(struct spoe_agent *agent)
  		LIST_DEL(&grp->list);
  		spoe_release_group(grp);
+ 	}
--	for (i = 0; i < global.nbthread; ++i)
--		HA_SPIN_DESTROY(&agent->rt[i].lock);
++	if (agent->rt) {
++		for (i = 0; i < global.nbthread; ++i)
++			HA_SPIN_DESTROY(&agent->rt[i].lock);
++	}
  	free(agent->rt);
  	free(agent);
+ }
@@ -444,7 +446,7 @@ spoe_prepare_hahello_frame(struct appctx *appctx, char *frame, size_t size)
  	if (agent != NULL && (agent->flags & SPOE_FL_RCV_FRAGMENTATION)) {
  		if (chk->len) chk->str[chk->len++] = ',';
  		memcpy(chk->str+chk->len, "fragmentation", 13);
--		chk->len += 5;
++		chk->len += 13;
+ 	}
  	if (spoe_encode_buffer(chk->str, chk->len, &p, end) == -1)
  		goto too_big;
@@ -817,10 +819,14 @@ spoe_handle_agenthello_frame(struct appctx *appctx, char *frame, size_t size)
  		SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_NO_FRAME_SIZE;
  		return -1;
+ 	}
--	if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING))
--		flags &= ~SPOE_APPCTX_FL_PIPELINING;
--	if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC))
--		flags &= ~SPOE_APPCTX_FL_ASYNC;
++	if (!agent)
++		flags &= ~(SPOE_APPCTX_FL_PIPELINING|SPOE_APPCTX_FL_ASYNC);
++	else {
++		if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING))
++			flags &= ~SPOE_APPCTX_FL_PIPELINING;
++		if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC))
++			flags &= ~SPOE_APPCTX_FL_ASYNC;
++	}
  	SPOE_APPCTX(appctx)->version        = (unsigned int)vsn;
  	SPOE_APPCTX(appctx)->max_frame_size = (unsigned int)max_frame_size;
@@ -2881,6 +2887,7 @@ spoe_check(struct proxy *px, struct flt_conf *fconf)
  	struct flt_conf    *f;
  	struct spoe_config *conf = fconf->conf;
  	struct proxy       *target;
++	int i;
  	/* Check all SPOE filters for proxy <px> to be sure all SPOE agent names
  	 * are uniq */
@@ -2918,6 +2925,34 @@ spoe_check(struct proxy *px, struct flt_conf *fconf)
  		return 1;
+ 	}
++	if (px->bind_proc & ~target->bind_proc) {
++		ha_alert("Proxy %s : backend '%s' used by SPOE agent '%s' declared"
++			 " at %s:%d does not cover all of its processes.\n",
++			 px->id, target->id, conf->agent->id,
++			 conf->agent->conf.file, conf->agent->conf.line);
++		return 1;
++	}
++
++	/* finish per-thread agent initialization */
++	if (global.nbthread == 1)
++		conf->agent->flags |= SPOE_FL_ASYNC;
++
++	if ((curagent->rt = calloc(global.nbthread, sizeof(*curagent->rt))) == NULL) {
++		ha_alert("Proxy %s : out of memory initializing SPOE agent '%s' declared at %s:%d.\n",
++			 px->id, conf->agent->id, conf->agent->conf.file, conf->agent->conf.line);
++		return 1;
++	}
++	for (i = 0; i < global.nbthread; ++i) {
++		curagent->rt[i].frame_size   = curagent->max_frame_size;
++		curagent->rt[i].applets_act  = 0;
++		curagent->rt[i].applets_idle = 0;
++		curagent->rt[i].sending_rate = 0;
++		LIST_INIT(&curagent->rt[i].applets);
++		LIST_INIT(&curagent->rt[i].sending_queue);
++		LIST_INIT(&curagent->rt[i].waiting_queue);
++		HA_SPIN_INIT(&curagent->rt[i].lock);
++	}
++
  	free(conf->agent->b.name);
  	conf->agent->b.name = NULL;
  	conf->agent->b.be = target;
@@ -3196,8 +3231,6 @@ cfg_parse_spoe_agent(const char *file, int linenum, char **args, int kwm)
  		curagent->var_pfx        = NULL;
  		curagent->var_on_error   = NULL;
  		curagent->flags          = (SPOE_FL_PIPELINING | SPOE_FL_SND_FRAGMENTATION);
--		if (global.nbthread == 1)
--			curagent->flags |= SPOE_FL_ASYNC;
  		curagent->cps_max        = 0;
  		curagent->eps_max        = 0;
  		curagent->max_frame_size = MAX_FRAME_SIZE;
@@ -3208,22 +3241,6 @@ cfg_parse_spoe_agent(const char *file, int linenum, char **args, int kwm)
  			LIST_INIT(&curagent->events[i]);
  		LIST_INIT(&curagent->groups);
  		LIST_INIT(&curagent->messages);
--
--		if ((curagent->rt = calloc(global.nbthread, sizeof(*curagent->rt))) == NULL) {
--			ha_alert("parsing [%s:%d] : out of memory.\n", file, linenum);
--			err_code |= ERR_ALERT | ERR_ABORT;
--			goto out;
--		}
--		for (i = 0; i < global.nbthread; ++i) {
--			curagent->rt[i].frame_size   = curagent->max_frame_size;
--			curagent->rt[i].applets_act  = 0;
--			curagent->rt[i].applets_idle = 0;
--			curagent->rt[i].sending_rate = 0;
--			LIST_INIT(&curagent->rt[i].applets);
--			LIST_INIT(&curagent->rt[i].sending_queue);
--			LIST_INIT(&curagent->rt[i].waiting_queue);
--			HA_SPIN_INIT(&curagent->rt[i].lock);
--		}
+ 	}
  	else if (!strcmp(args[0], "use-backend")) {
  		if (!*args[1]) {
 diff --git a/src/haproxy.c b/src/haproxy.c
 index ad6d069..6836762 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -2155,6 +2155,7 @@ void deinit(void)
+ 		}
  		deinit_tcp_rules(&p->tcp_req.inspect_rules);
++		deinit_tcp_rules(&p->tcp_rep.inspect_rules);
  		deinit_tcp_rules(&p->tcp_req.l4_rules);
  		deinit_stick_rules(&p->storersp_rules);
 diff --git a/src/hlua.c b/src/hlua.c
 index efeee31..93cb86d 100644
 --- a/src/hlua.c
 +++ b/src/hlua.c
@@ -7984,9 +7984,9 @@ void hlua_init(void)
  	socket_ssl.obj_type = OBJ_TYPE_SERVER;
  	LIST_INIT(&socket_ssl.actconns);
  	LIST_INIT(&socket_ssl.pendconns);
--	socket_tcp.priv_conns = NULL;
--	socket_tcp.idle_conns = NULL;
--	socket_tcp.safe_conns = NULL;
++	socket_ssl.priv_conns = NULL;
++	socket_ssl.idle_conns = NULL;
++	socket_ssl.safe_conns = NULL;
  	socket_ssl.next_state = SRV_ST_RUNNING; /* early server setup */
  	socket_ssl.last_change = 0;
  	socket_ssl.id = "LUA-SSL-CONN";
 diff --git a/src/hpack-dec.c b/src/hpack-dec.c
 index 99d40f9..3fd4224 100644
 --- a/src/hpack-dec.c
 +++ b/src/hpack-dec.c
@@ -213,6 +213,12 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
  				ret = -HPACK_ERR_TRUNCATED;
  				goto leave;
+ 			}
++
++			if (idx > dht->size) {
++				hpack_debug_printf("##ERR@%d##\n", __LINE__);
++				ret = -HPACK_ERR_INVALID_ARGUMENT;
++				goto leave;
++			}
  			continue;
+ 		}
  		else if (!(*raw & (*raw - 0x10))) {
 diff --git a/src/mux_h2.c b/src/mux_h2.c
 index b57ba6f..b2f3096 100644
 --- a/src/mux_h2.c
 +++ b/src/mux_h2.c
@@ -548,12 +548,15 @@ static inline __maybe_unused void h2c_error(struct h2c *h2c, enum h2_err err)
  	h2c->st0 = H2_CS_ERROR;
+ }
--/* marks an error on the stream */
++/* marks an error on the stream. It may also update an already closed stream
++ * (e.g. to report an error after an RST was received).
++ */
  static inline __maybe_unused void h2s_error(struct h2s *h2s, enum h2_err err)
+ {
--	if (h2s->st > H2_SS_IDLE && h2s->st < H2_SS_ERROR) {
++	if (h2s->id && h2s->st != H2_SS_ERROR) {
  		h2s->errcode = err;
--		h2s->st = H2_SS_ERROR;
++		if (h2s->st < H2_SS_ERROR)
++			h2s->st = H2_SS_ERROR;
  		if (h2s->cs)
  			h2s->cs->flags |= CS_FL_ERROR;
+ 	}
@@ -1140,6 +1143,14 @@ static void h2c_update_all_ws(struct h2c *h2c, int diff)
  	while (node) {
  		h2s = container_of(node, struct h2s, by_id);
  		h2s->mws += diff;
++
++		if (h2s->mws > 0 && (h2s->flags & H2_SF_BLK_SFCTL)) {
++			h2s->flags &= ~H2_SF_BLK_SFCTL;
++			if (h2s->cs && LIST_ISEMPTY(&h2s->list) &&
++			    (h2s->cs->flags & CS_FL_DATA_WR_ENA))
++				LIST_ADDQ(&h2c->send_list, &h2s->list);
++		}
++
  		node = eb32_next(node);
+ 	}
+ }
@@ -1766,7 +1777,11 @@ static int h2c_frt_handle_data(struct h2c *h2c, struct h2s *h2s)
  	/* last frame */
  	if (h2c->dff & H2_F_DATA_END_STREAM) {
--		h2s->st = H2_SS_HREM;
++		if (h2s->st == H2_SS_OPEN)
++			h2s->st = H2_SS_HREM;
++		else
++			h2s_close(h2s);
++
  		h2s->flags |= H2_SF_ES_RCVD;
+ 	}
@@ -1891,10 +1906,14 @@ static void h2_process_demux(struct h2c *h2c)
  		if (h2s->st == H2_SS_HREM && h2c->dft != H2_FT_WINDOW_UPDATE &&
  		    h2c->dft != H2_FT_RST_STREAM && h2c->dft != H2_FT_PRIORITY) {
  			/* RFC7540#5.1: any frame other than WU/PRIO/RST in
--			 * this state MUST be treated as a stream error
++			 * this state MUST be treated as a stream error.
++			 * 6.2, 6.6 and 6.10 further mandate that HEADERS/
++			 * PUSH_PROMISE/CONTINUATION cause connection errors.
  			 */
--			h2s_error(h2s, H2_ERR_STREAM_CLOSED);
--			h2c->st0 = H2_CS_FRAME_E;
++			if (h2_ft_bit(h2c->dft) & H2_FT_HDR_MASK)
++				h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
++			else
++				h2s_error(h2s, H2_ERR_STREAM_CLOSED);
  			goto strm_err;
+ 		}
@@ -1910,7 +1929,7 @@ static void h2_process_demux(struct h2c *h2c)
  		 * Some frames have to be silently ignored as well.
  		 */
  		if (h2s->st == H2_SS_CLOSED && h2c->dsi) {
--			if (h2c->dft == H2_FT_HEADERS || h2c->dft == H2_FT_PUSH_PROMISE) {
++			if (h2_ft_bit(h2c->dft) & H2_FT_HDR_MASK) {
  				/* #5.1.1: The identifier of a newly
  				 * established stream MUST be numerically
  				 * greater than all streams that the initiating
@@ -1949,7 +1968,7 @@ static void h2_process_demux(struct h2c *h2c)
  			 * over which it ignores frames and treat frames that
  			 * arrive after this time as being in error.
  			 */
--			if (!(h2s->flags & H2_SF_RST_SENT)) {
++			if (h2s->id && !(h2s->flags & H2_SF_RST_SENT)) {
  				/* RFC7540#5.1:closed: any frame other than
  				 * PRIO/WU/RST in this state MUST be treated as
  				 * a connection error
@@ -2561,7 +2580,6 @@ static void h2_detach(struct conn_stream *cs)
  	if (eb_is_empty(&h2c->streams_by_id) &&     /* don't close if streams exist */
  	    ((h2c->conn->flags & CO_FL_ERROR) ||    /* errors close immediately */
  	     (h2c->st0 >= H2_CS_ERROR && !h2c->task) || /* a timeout stroke earlier */
--	     (h2c->flags & (H2_CF_GOAWAY_FAILED | H2_CF_GOAWAY_SENT)) ||
  	     (!h2c->mbuf->o &&  /* mux buffer empty, also process clean events below */
  	      (conn_xprt_read0_pending(h2c->conn) ||
  	       (h2c->last_sid >= 0 && h2c->max_id >= h2c->last_sid))))) {
@@ -2588,11 +2606,17 @@ static void h2_shutr(struct conn_stream *cs, enum cs_shr_mode mode)
  	if (h2s->st == H2_SS_HLOC || h2s->st == H2_SS_ERROR || h2s->st == H2_SS_CLOSED)
  		return;
--	/* if no outgoing data was seen on this stream, it means it was
--	 * closed with a "tcp-request content" rule that is normally
--	 * used to kill the connection ASAP (eg: limit abuse). In this
--	 * case we send a goaway to close the connection.
++	/* a connstream may require us to immediately kill the whole connection
++	 * for example because of a "tcp-request content reject" rule that is
++	 * normally used to limit abuse. In this case we schedule a goaway to
++	 * close the connection.
  	 */
++	if ((h2s->cs->flags & CS_FL_KILL_CONN) &&
++	    !(h2s->h2c->flags & (H2_CF_GOAWAY_SENT|H2_CF_GOAWAY_FAILED))) {
++		h2c_error(h2s->h2c, H2_ERR_ENHANCE_YOUR_CALM);
++		h2s_error(h2s, H2_ERR_ENHANCE_YOUR_CALM);
++	}
++
  	if (!(h2s->flags & H2_SF_RST_SENT) &&
  	    h2s_send_rst_stream(h2s->h2c, h2s) <= 0)
  		goto add_to_list;
@@ -2635,11 +2659,17 @@ static void h2_shutw(struct conn_stream *cs, enum cs_shw_mode mode)
  		else
  			h2s->st = H2_SS_HLOC;
  	} else {
--		/* if no outgoing data was seen on this stream, it means it was
--		 * closed with a "tcp-request content" rule that is normally
--		 * used to kill the connection ASAP (eg: limit abuse). In this
--		 * case we send a goaway to close the connection.
++		/* a connstream may require us to immediately kill the whole connection
++		 * for example because of a "tcp-request content reject" rule that is
++		 * normally used to limit abuse. In this case we schedule a goaway to
++		 * close the connection.
  		 */
++		if ((h2s->cs->flags & CS_FL_KILL_CONN) &&
++		    !(h2s->h2c->flags & (H2_CF_GOAWAY_SENT|H2_CF_GOAWAY_FAILED))) {
++			h2c_error(h2s->h2c, H2_ERR_ENHANCE_YOUR_CALM);
++			h2s_error(h2s, H2_ERR_ENHANCE_YOUR_CALM);
++		}
++
  		if (!(h2s->flags & H2_SF_RST_SENT) &&
  		    h2s_send_rst_stream(h2s->h2c, h2s) <= 0)
  			goto add_to_list;
 diff --git a/src/proto_http.c b/src/proto_http.c
 index 7e4a835..efd318e 100644
 --- a/src/proto_http.c
 +++ b/src/proto_http.c
@@ -3935,7 +3935,8 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
  	 * that parameter. This will be done in another analyser.
  	 */
  	if (!(s->flags & (SF_ASSIGNED|SF_DIRECT)) &&
--	    s->txn->meth == HTTP_METH_POST && s->be->url_param_name != NULL &&
++	    s->txn->meth == HTTP_METH_POST &&
++	    (s->be->lbprm.algo & BE_LB_ALGO) == BE_LB_ALGO_PH &&
  	    (msg->flags & (HTTP_MSGF_CNT_LEN|HTTP_MSGF_TE_CHNK))) {
  		channel_dont_connect(req);
  		req->analysers |= AN_REQ_HTTP_BODY;
@@ -8210,6 +8211,7 @@ void http_init_txn(struct stream *s)
  	txn->flags = 0;
  	txn->status = -1;
++	*(unsigned int *)txn->cache_hash = 0;
  	txn->cookie_first_date = 0;
  	txn->cookie_last_date = 0;
@@ -12106,6 +12108,7 @@ enum act_parse_ret parse_http_set_status(const char **args, int *orig_arg, struc
  enum act_return http_action_reject(struct act_rule *rule, struct proxy *px,
                                     struct session *sess, struct stream *s, int flags)
+ {
++	si_must_kill_conn(chn_prod(&s->req));
  	channel_abort(&s->req);
  	channel_abort(&s->res);
  	s->req.analysers = 0;
 diff --git a/src/sample.c b/src/sample.c
 index 139d976..4c6b99d 100644
 --- a/src/sample.c
 +++ b/src/sample.c
@@ -1261,6 +1261,13 @@ int smp_resolve_args(struct proxy *p)
  				break;
+ 			}
++			if (p->bind_proc & ~px->bind_proc) {
++				ha_alert("parsing [%s:%d] : stick-table '%s' not present on all processes covered by proxy '%s'.\n",
++					 cur->file, cur->line, px->id, p->id);
++				cfgerr++;
++				break;
++			}
++
  			free(arg->data.str.str);
  			arg->data.str.str = NULL;
  			arg->unresolved = 0;
 diff --git a/src/server.c b/src/server.c
 index a86db3d..0dded5b 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -1534,7 +1534,6 @@ static void srv_settings_cpy(struct server *srv, struct server *src, int srv_tmp
  static struct server *new_server(struct proxy *proxy)
+ {
  	struct server *srv;
--	int i;
  	srv = calloc(1, sizeof *srv);
  	if (!srv)
@@ -1545,21 +1544,6 @@ static struct server *new_server(struct proxy *proxy)
  	LIST_INIT(&srv->actconns);
  	LIST_INIT(&srv->pendconns);
--	if ((srv->priv_conns = calloc(global.nbthread, sizeof(*srv->priv_conns))) == NULL)
--		goto free_srv;
--	if ((srv->idle_conns = calloc(global.nbthread, sizeof(*srv->idle_conns))) == NULL)
--		goto free_priv_conns;
--	if ((srv->safe_conns = calloc(global.nbthread, sizeof(*srv->safe_conns))) == NULL)
--		goto free_idle_conns;
--
--	for (i = 0; i < global.nbthread; i++) {
--		LIST_INIT(&srv->priv_conns[i]);
--		LIST_INIT(&srv->idle_conns[i]);
--		LIST_INIT(&srv->safe_conns[i]);
--	}
--
--	LIST_INIT(&srv->update_status);
--
  	srv->next_state = SRV_ST_RUNNING; /* early server setup */
  	srv->last_change = now.tv_sec;
@@ -1572,14 +1556,6 @@ static struct server *new_server(struct proxy *proxy)
  	srv->xprt  = srv->check.xprt = srv->agent.xprt = xprt_get(XPRT_RAW);
  	return srv;
--
--  free_idle_conns:
--	free(srv->idle_conns);
--  free_priv_conns:
--	free(srv->priv_conns);
--  free_srv:
--	free(srv);
--	return NULL;
+ }
  /*
@@ -2843,16 +2819,37 @@ static void srv_update_state(struct server *srv, int version, char **params)
  			HA_SPIN_LOCK(SERVER_LOCK, &srv->lock);
  			/* recover operational state and apply it to this server
  			 * and all servers tracking this one */
++			srv->check.health = srv_check_health;
  			switch (srv_op_state) {
  				case SRV_ST_STOPPED:
  					srv->check.health = 0;
  					srv_set_stopped(srv, "changed from server-state after a reload", NULL);
  					break;
  				case SRV_ST_STARTING:
++					/* If rise == 1 there is no STARTING state, let's switch to
++					 * RUNNING
++					 */
++					if (srv->check.rise == 1) {
++						srv->check.health = srv->check.rise + srv->check.fall - 1;
++						srv_set_running(srv, "", NULL);
++						break;
++					}
++					if (srv->check.health < 1 || srv->check.health >= srv->check.rise)
++						srv->check.health = srv->check.rise - 1;
  					srv->next_state = srv_op_state;
  					break;
  				case SRV_ST_STOPPING:
--					srv->check.health = srv->check.rise + srv->check.fall - 1;
++					/* If fall == 1 there is no STOPPING state, let's switch to
++					 * STOPPED
++					 */
++					if (srv->check.fall == 1) {
++						srv->check.health = 0;
++						srv_set_stopped(srv, "changed from server-state after a reload", NULL);
++						break;
++					}
++					if (srv->check.health < srv->check.rise ||
++					    srv->check.health > srv->check.rise + srv->check.fall - 2)
++						srv->check.health = srv->check.rise;
  					srv_set_stopping(srv, "changed from server-state after a reload", NULL);
  					break;
  				case SRV_ST_RUNNING:
@@ -2906,7 +2903,6 @@ static void srv_update_state(struct server *srv, int version, char **params)
  			srv->last_change = date.tv_sec - srv_last_time_change;
  			srv->check.status = srv_check_status;
  			srv->check.result = srv_check_result;
--			srv->check.health = srv_check_health;
  			/* Only case we want to apply is removing ENABLED flag which could have been
  			 * done by the "disable health" command over the stats socket
 diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 index 24ccc4b..7736c32 100644
 --- a/src/ssl_sock.c
 +++ b/src/ssl_sock.c
@@ -1406,6 +1406,10 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
  	BIO *write_bio;
  	(void)ret; /* shut gcc stupid warning */
++#ifndef SSL_OP_NO_RENEGOTIATION
++	/* Please note that BoringSSL defines this macro to zero so don't
++	 * change this to #if and do not assign a default value to this macro!
++	 */
  	if (where & SSL_CB_HANDSHAKE_START) {
  		/* Disable renegotiation (CVE-2009-3555) */
  		if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) {
@@ -1413,6 +1417,7 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
  			conn->err_code = CO_ER_SSL_RENEG;
+ 		}
+ 	}
++#endif
  	if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
  		if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
@@ -3806,6 +3811,11 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
  		options |= SSL_OP_NO_TICKET;
  	if (bind_conf->ssl_options & BC_SSL_O_PREF_CLIE_CIPH)
  		options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
++
++#ifdef SSL_OP_NO_RENEGOTIATION
++	options |= SSL_OP_NO_RENEGOTIATION;
++#endif
++
  	SSL_CTX_set_options(ctx, options);
  #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
@@ -3821,6 +3831,10 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
  	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
  	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
  #elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++	if (bind_conf->ssl_conf.early_data) {
++		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
++		SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
++	}
  	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
  	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
  #else
@@ -7623,15 +7637,36 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
+ 	}
  	keys_ref = malloc(sizeof(*keys_ref));
++	if (!keys_ref) {
++		if (err)
++			 memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
++		return ERR_ALERT | ERR_FATAL;
++	}
++
  	keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
++	if (!keys_ref->tlskeys) {
++		free(keys_ref);
++		if (err)
++			 memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
++		return ERR_ALERT | ERR_FATAL;
++	}
  	if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
++		free(keys_ref->tlskeys);
++		free(keys_ref);
  		if (err)
  			memprintf(err, "'%s' : unable to load ssl tickets keys file", args[cur_arg+1]);
  		return ERR_ALERT | ERR_FATAL;
+ 	}
  	keys_ref->filename = strdup(args[cur_arg + 1]);
++	if (!keys_ref->filename) {
++		free(keys_ref->tlskeys);
++		free(keys_ref);
++		if (err)
++			 memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
++		return ERR_ALERT | ERR_FATAL;
++	}
  	while (fgets(thisline, sizeof(thisline), f) != NULL) {
  		int len = strlen(thisline);
@@ -7643,6 +7678,9 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
  			thisline[--len] = 0;
  		if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
++			free(keys_ref->filename);
++			free(keys_ref->tlskeys);
++			free(keys_ref);
  			if (err)
  				memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
  			fclose(f);
@@ -7652,6 +7690,9 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
+ 	}
  	if (i < TLS_TICKETS_NO) {
++		free(keys_ref->filename);
++		free(keys_ref->tlskeys);
++		free(keys_ref);
  		if (err)
  			memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
  		fclose(f);
 diff --git a/src/stream.c b/src/stream.c
 index 507cd2f..f443cc7 100644
 --- a/src/stream.c
 +++ b/src/stream.c
@@ -339,6 +339,9 @@ static void stream_free(struct stream *s)
  		offer_buffers(NULL, tasks_run_queue + applets_active_queue);
+ 	}
++	pool_free(pool_head_uniqueid, s->unique_id);
++	s->unique_id = NULL;
++
  	hlua_ctx_destroy(s->hlua);
  	s->hlua = NULL;
  	if (s->txn)
@@ -593,7 +596,8 @@ static int sess_update_st_con_tcp(struct stream *s)
  			 */
  			si->state    = SI_ST_EST;
  			si->err_type = SI_ET_DATA_ERR;
--			rep->flags |= CF_READ_ERROR | CF_WRITE_ERROR;
++			req->flags |= CF_WRITE_ERROR;
++			rep->flags |= CF_READ_ERROR;
  			return 1;
+ 		}
  		si->exp   = TICK_ETERNITY;
 diff --git a/src/stream_interface.c b/src/stream_interface.c
 index f17980a..47a100d 100644
 --- a/src/stream_interface.c
 +++ b/src/stream_interface.c
@@ -830,6 +830,9 @@ static void stream_int_shutr_conn(struct stream_interface *si)
  	if (si->state != SI_ST_EST && si->state != SI_ST_CON)
  		return;
++	if (si->flags & SI_FL_KILL_CONN)
++		cs->flags |= CS_FL_KILL_CONN;
++
  	if (si_oc(si)->flags & CF_SHUTW) {
  		cs_close(cs);
  		si->state = SI_ST_DIS;
@@ -880,6 +883,9 @@ static void stream_int_shutw_conn(struct stream_interface *si)
  		 * However, if SI_FL_NOLINGER is explicitly set, we know there is
  		 * no risk so we close both sides immediately.
  		 */
++		if (si->flags & SI_FL_KILL_CONN)
++			cs->flags |= CS_FL_KILL_CONN;
++
  		if (si->flags & SI_FL_ERR) {
  			/* quick close, the socket is alredy shut anyway */
+ 		}
@@ -914,6 +920,8 @@ static void stream_int_shutw_conn(struct stream_interface *si)
  		/* we may have to close a pending connection, and mark the
  		 * response buffer as shutr
  		 */
++		if (si->flags & SI_FL_KILL_CONN)
++			cs->flags |= CS_FL_KILL_CONN;
  		cs_close(cs);
  		/* fall through */
  	case SI_ST_CER:
 diff --git a/src/tcp_rules.c b/src/tcp_rules.c
 index feee441..72a7015 100644
 --- a/src/tcp_rules.c
 +++ b/src/tcp_rules.c
@@ -162,6 +162,7 @@ resume_execution:
  				break;
+ 			}
  			else if (rule->action == ACT_ACTION_DENY) {
++				si_must_kill_conn(chn_prod(req));
  				channel_abort(req);
  				channel_abort(&s->res);
  				req->analysers = 0;
@@ -340,6 +341,7 @@ resume_execution:
  				break;
+ 			}
  			else if (rule->action == ACT_ACTION_DENY) {
++				si_must_kill_conn(chn_prod(rep));
  				channel_abort(rep);
  				channel_abort(&s->req);
  				rep->analysers = 0;
@@ -357,6 +359,7 @@ resume_execution:
+ 			}
  			else if (rule->action == ACT_TCP_CLOSE) {
  				chn_prod(rep)->flags |= SI_FL_NOLINGER | SI_FL_NOHALF;
++				si_must_kill_conn(chn_prod(rep));
  				si_shutr(chn_prod(rep));
  				si_shutw(chn_prod(rep));
  				break;

Ubuntuhaproxy package