MGASA-2025-0242

Haproxy has a critical, a major, few medium and few minor bugs fixed in the last upstream version 2.8.16 of branch 2.8.

Fixed critical bug list: - mjson: fix possible DoS when parsing numbers

Fixed major bug list: - listeners: transfer connection accounting when switching listeners

Fixed medium bugs list: - check: Requeue healthchecks on I/O events to handle check timeout - check: Set SOCKERR by default when a connection error is reported - checks: fix ALPN inheritance from server - dns: Reset reconnect tempo when connection is finally established - fd: Use the provided tgid in fdinsert() to get tgroupinfo - h1: Allow reception if we have early data - h1/h2/h3: reject forbidden chars in the Host header field - h2/h3: reject some forbidden chars in :authority before reassembly - hlua: Add function to change the body length of an HTTP Message - hlua: Forbid any L6/L7 sample fetche functions from lua services - hlua: Report to SC when data were consumed on a lua socket - hlua: Report to SC when output data are blocked on a lua socket - http-client: Ask for more room when request data cannot be xferred - http-client: Don't wake http-client applet if nothing was xferred - http-client: Drain the request if an early response is received - http-client: Notify applet has more data to deliver until the EOM - http-client: Properly inc input data when HTX blocks are xferred - http-client: Test HTXFLEOM flag before commiting the HTX buffer - httpclient: Throw an error if an lua httpclient instance is reused - mux-h2: Properly handle connection error during preface sending - server: Duplicate healthcheck's alpn inherited from default server - ssl: ca-file directory mode must read every certificates of a file - ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers - ssl: create the mux immediately on early data - ssl: Fix 0rtt to the server - ssl: fix build with AWS-LC - threads: Disable the workaround to load libgcc_s on macOS