From f2b7d7f6e10fe32fae66a8e33818273ee363fd80 Mon Sep 17 00:00:00 2001 From: Adrien Kunysz Date: Thu, 17 Jul 2025 15:28:05 +0200 Subject: [PATCH 01/10] Fix typo --- docs/content/reference/install-configuration/entrypoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/reference/install-configuration/entrypoints.md b/docs/content/reference/install-configuration/entrypoints.md index 9c0aab31c..e3bb8ad40 100644 --- a/docs/content/reference/install-configuration/entrypoints.md +++ b/docs/content/reference/install-configuration/entrypoints.md @@ -213,7 +213,7 @@ only routers with TLS enabled will be usable with HTTP/3. ### ProxyProtocol and Load-Balancers -The replacement of the remote client address will occur only for IP addresses listed in `trustedIPs`. This is where yoåu specify your load balancer IPs or CIDR ranges. +The replacement of the remote client address will occur only for IP addresses listed in `trustedIPs`. This is where you specify your load balancer IPs or CIDR ranges. When queuing Traefik behind another load-balancer, make sure to configure PROXY protocol on both sides. From 27326e6569d888224ec40a1aa719abdfc4eb44d7 Mon Sep 17 00:00:00 2001 From: Harold Ozouf Date: Fri, 18 Jul 2025 17:16:04 +0200 Subject: [PATCH 02/10] Redact logged install configuration --- cmd/traefik/traefik.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go index 9d3c7c953..b918c9f41 100644 --- a/cmd/traefik/traefik.go +++ b/cmd/traefik/traefik.go @@ -3,7 +3,6 @@ package main import ( "context" "crypto/x509" - "encoding/json" "fmt" stdlog "log" "net/http" 
@@ -34,6 +33,7 @@ import ( "github.com/traefik/traefik/v2/pkg/provider/acme" "github.com/traefik/traefik/v2/pkg/provider/aggregator" "github.com/traefik/traefik/v2/pkg/provider/traefik" + "github.com/traefik/traefik/v2/pkg/redactor" "github.com/traefik/traefik/v2/pkg/safe" "github.com/traefik/traefik/v2/pkg/server" "github.com/traefik/traefik/v2/pkg/server/middleware" @@ -100,12 +100,11 @@ func runCmd(staticConfiguration *static.Configuration) error { log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate) - jsonConf, err := json.Marshal(staticConfiguration) + redactedStaticConfiguration, err := redactor.RemoveCredentials(staticConfiguration) if err != nil { - log.WithoutContext().Errorf("Could not marshal static configuration: %v", err) - log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration) + log.WithoutContext().Errorf("Could not redact static configuration: %v", err) } else { - log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf)) + log.WithoutContext().Debugf("Static configuration loaded %s", redactedStaticConfiguration) } if staticConfiguration.Global.CheckNewVersion { From b2b4b66b08e6386a4e4251dc974da5fef73c6d54 Mon Sep 17 00:00:00 2001 From: Romain Date: Tue, 22 Jul 2025 11:10:05 +0200 Subject: [PATCH 03/10] Disable MPTCP by default Co-authored-by: Kevin Pollet --- docs/content/migration/v2.md | 11 +++++++++++ pkg/server/server_entrypoint_tcp.go | 10 +++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index a2106a5cd..70261ead3 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md 
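Review bot: The new logging block in runCmd has no comment saying why only the redacted form may be logged, so a later edit could bring back the removed `%#v` dump of `staticConfiguration`. I would add above the call: `// Only the redacted form may be logged: the static configuration can carry provider credentials.` Whether the error returned by `redactor.RemoveCredentials` can itself echo configuration values is not visible here, and it is logged at error level, so that is worth confirming. runCmd starts before this hunk and continues past it.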
@@ -703,3 +703,14 @@ and Traefik now keeps them encoded to avoid any ambiguity. | `/foo/../bar` | PathPrefix(`/bar`) | Match | Match | | `/foo/%2E%2E/bar` | PathPrefix(`/foo`) | Match | No match | | `/foo/%2E%2E/bar` | PathPrefix(`/bar`) | No match | Match | + +## v2.11.28 + +### MultiPath TCP + +Since `v2.11.28`, the MultiPath TCP support introduced with `v2.11.26` has been removed. +It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message: + +- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported` + +However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124). diff --git a/pkg/server/server_entrypoint_tcp.go b/pkg/server/server_entrypoint_tcp.go index 3257d6720..1036240cf 100644 --- a/pkg/server/server_entrypoint_tcp.go +++ b/pkg/server/server_entrypoint_tcp.go @@ -457,7 +457,15 @@ func buildProxyProtocolListener(ctx context.Context, entryPoint *static.EntryPoi } func buildListener(ctx context.Context, entryPoint *static.EntryPoint) (net.Listener, error) { - listener, err := net.Listen("tcp", entryPoint.GetAddress()) + config := net.ListenConfig{} + + // TODO: Look into configuring keepAlive period through listenConfig instead of our custom tcpKeepAliveListener, to reactivate MultipathTCP? + // MultipathTCP is not supported on all platforms, and is notably unsupported in combination with TCP keep-alive. + if !strings.Contains(os.Getenv("GODEBUG"), "multipathtcp") { + config.SetMultipathTCP(false) + } + + listener, err := config.Listen(ctx, "tcp", entryPoint.GetAddress()) if err != nil { return nil, fmt.Errorf("error opening listener: %w", err) } From 5ef853a0c53068f69a6c229a5815a0dc6e0a8800 Mon Sep 17 00:00:00 2001 
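Review bot: The GODEBUG test in buildListener is a bare substring match, so `multipathtcp=0` also skips `config.SetMultipathTCP(false)`, as would any other token that happens to contain that text. This looks harmless because the Go runtime then applies the GODEBUG value itself, but the intent should be written down: `// Any explicit multipathtcp setting in GODEBUG, including 0, leaves the choice to the Go runtime.` Matching on `"multipathtcp="` instead would make the check a little stricter. buildListener continues past the end of this hunk.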
From: Zeroday BYTE Date: Tue, 22 Jul 2025 05:24:05 -0700 Subject: [PATCH 04/10] Fix client arbitrary file access during archive extraction zipslip --- pkg/plugins/client.go | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go index 642b2dc68..1cee55d3f 100644 --- a/pkg/plugins/client.go +++ b/pkg/plugins/client.go @@ -240,6 +240,8 @@ func (c *Client) Unzip(pName, pVersion string) error { return nil } + // Unzip as a generic archive if the module unzip fails. + // This is useful for plugins that have vendor directories or other structures. return c.unzipArchive(pName, pVersion) } 
@@ -280,24 +282,48 @@ func unzipFile(f *zipa.File, dest string) error { defer func() { _ = rc.Close() }() + // Split to discard the first part of the path, which is [organization]-[project]-[release commit sha1] when the archive is a Yaegi go plugin with vendoring. pathParts := strings.SplitN(f.Name, "/", 2) - p := filepath.Join(dest, pathParts[1]) + if len(pathParts) < 2 { + return fmt.Errorf("no root directory: %s", f.Name) + } + + // Validate and sanitize the file path. + cleanName := filepath.Clean(pathParts[1]) + if strings.Contains(cleanName, "..") { + return fmt.Errorf("invalid file path in archive: %s", f.Name) + } + + filePath := filepath.Join(dest, cleanName) + absFilePath, err := filepath.Abs(filePath) + if err != nil { + return fmt.Errorf("resolving file path: %w", err) + } + + absDest, err := filepath.Abs(dest) + if err != nil { + return fmt.Errorf("resolving destination directory: %w", err) + } + + if !strings.HasPrefix(absFilePath, absDest) { + return fmt.Errorf("file path escapes destination directory: %s", absFilePath) + } if f.FileInfo().IsDir() { - err = os.MkdirAll(p, f.Mode()) + err = os.MkdirAll(filePath, f.Mode()) if err != nil { - return fmt.Errorf("unable to create archive directory %s: %w", p, err) + return fmt.Errorf("unable to create archive directory %s: %w", filePath, err) } return nil } - err = os.MkdirAll(filepath.Dir(p), 0o750) + err = os.MkdirAll(filepath.Dir(filePath), 0o750) if err != nil { - return fmt.Errorf("unable to create archive directory %s for file %s: %w", filepath.Dir(p), p, err) + return fmt.Errorf("unable to create archive directory %s for file %s: %w", filepath.Dir(filePath), filePath, err) } - elt, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + elt, err := os.OpenFile(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) if err != nil { return err } From 96386b1d789fda01a4c5d24aac18a86f0b5bec26 Mon Sep 17 00:00:00 2001 
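Review bot: The containment check `strings.HasPrefix(absFilePath, absDest)` in unzipFile compares raw strings without a trailing separator, so a sibling directory whose name merely begins with the destination's name would pass it. It should compare against the destination plus a separator, `if absFilePath != absDest && !strings.HasPrefix(absFilePath, absDest+string(os.PathSeparator)) {`, or be expressed with `filepath.Rel`. The earlier `strings.Contains(cleanName, "..")` test also rejects legitimate names such as `a..b.go`; `if !filepath.IsLocal(cleanName) {` states the intent exactly, provided the module builds with Go 1.20 or later. Neither check resolves symlinks that may already exist under `dest`, which deserves at least a comment. unzipFile starts before this hunk and continues after it.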
From: GreyXor <79602273+GreyXor@users.noreply.github.com> Date: Tue, 22 Jul 2025 14:54:04 +0200 Subject: [PATCH 05/10] Bump github.com/quic-go/quic-go to v0.54.0 --- go.mod | 3 +-- go.sum | 5 +++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index c280c5800..f670bd343 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // No tag on the repo. github.com/prometheus/client_golang v1.19.1 github.com/prometheus/client_model v0.6.1 - github.com/quic-go/quic-go v0.49.0 + github.com/quic-go/quic-go v0.54.0 github.com/redis/go-redis/v9 v9.7.3 github.com/rs/zerolog v1.33.0 github.com/sirupsen/logrus v1.9.3 @@ -205,7 +205,6 @@ require ( github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.16.0 // indirect github.com/go-resty/resty/v2 v2.16.5 // indirect - github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/go-viper/mapstructure/v2 v2.3.0 // indirect github.com/go-zookeeper/zk v1.0.3 // indirect github.com/goccy/go-json v0.10.5 // indirect diff --git a/go.sum b/go.sum index 9a9808eba..f1977e913 100644 --- a/go.sum +++ b/go.sum @@ -423,6 +423,7 @@ github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptd github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= 
@@ -1035,8 +1036,8 @@ github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoG github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.49.0 h1:w5iJHXwHxs1QxyBv1EHKuC50GX5to8mJAxvtnttJp94= -github.com/quic-go/quic-go v0.49.0/go.mod h1:s2wDnmCdooUQBmQfpUSTCYBl1/D4FcqbULMMkASvR6s= +github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg= +github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM= From 50931813f2eeb178e78a641e6aedd314fa000043 Mon Sep 17 00:00:00 2001 From: Jesper Noordsij <45041769+jnoordsij@users.noreply.github.com> Date: Tue, 22 Jul 2025 15:44:05 +0200 Subject: [PATCH 06/10] Remove all mentions of ordering for TLSOption CurvePreferences field --- docs/content/https/tls.md | 4 ++-- .../dynamic-configuration/kubernetes-crd-definition-v1.yml | 4 ++-- .../dynamic-configuration/traefik.containo.us_tlsoptions.yaml | 2 +- .../dynamic-configuration/traefik.io_tlsoptions.yaml | 2 +- docs/content/routing/providers/kubernetes-crd.md | 2 +- integration/fixtures/k8s/01-traefik-crd.yml | 4 ++-- .../kubernetes/crd/traefikcontainous/v1alpha1/tlsoption.go | 2 +- pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md index 0323eb2e6..505043259 100644 --- a/docs/content/https/tls.md +++ b/docs/content/https/tls.md 
@@ -392,11 +392,11 @@ spec: ### Curve Preferences -This option allows to set the preferred elliptic curves in a specific order. +This option allows to set the enabled elliptic curves for key exchange. The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used. -See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information. +See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information. ```yaml tab="File (YAML)" # Dynamic configuration diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml index 6f901cb57..b5c41bb8c 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml +++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml @@ -1886,7 +1886,7 @@ spec: type: object curvePreferences: description: |- - CurvePreferences defines the preferred elliptic curves in a specific order. + CurvePreferences defines the preferred elliptic curves. More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences items: type: string @@ -4316,7 +4316,7 @@ spec: type: object curvePreferences: description: |- - CurvePreferences defines the preferred elliptic curves in a specific order. + CurvePreferences defines the preferred elliptic curves. More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences items: type: string diff --git a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml index daa25640d..6c7fdc914 100644 --- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml 
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml @@ -78,7 +78,7 @@ spec: type: object curvePreferences: description: |- - CurvePreferences defines the preferred elliptic curves in a specific order. + CurvePreferences defines the preferred elliptic curves. More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences items: type: string diff --git a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml index 0fdd05bc4..20f817125 100644 --- a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml @@ -78,7 +78,7 @@ spec: type: object curvePreferences: description: |- - CurvePreferences defines the preferred elliptic curves in a specific order. + CurvePreferences defines the preferred elliptic curves. More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences items: type: string diff --git a/docs/content/routing/providers/kubernetes-crd.md b/docs/content/routing/providers/kubernetes-crd.md index 20e67ce2a..cf168ff91 100644 --- a/docs/content/routing/providers/kubernetes-crd.md +++ b/docs/content/routing/providers/kubernetes-crd.md 
@@ -1644,7 +1644,7 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre | [2] | `minVersion` | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable. | | [3] | `maxVersion` | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable. | | [4] | `cipherSuites` | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2. | -| [5] | `curvePreferences` | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order. | +| [5] | `curvePreferences` | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake. | | [6] | `clientAuth` | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls). | | [7] | `clientAuth.secretNames` | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace). The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. | | [8] | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`. | diff --git a/integration/fixtures/k8s/01-traefik-crd.yml b/integration/fixtures/k8s/01-traefik-crd.yml index 6f901cb57..b5c41bb8c 100644 --- a/integration/fixtures/k8s/01-traefik-crd.yml +++ b/integration/fixtures/k8s/01-traefik-crd.yml @@ -1886,7 +1886,7 @@ spec: type: object curvePreferences: description: |- - CurvePreferences defines the preferred elliptic curves in a specific order. + CurvePreferences defines the preferred elliptic curves. More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences items: type: string 
@@ -4316,7 +4316,7 @@ spec: type: object curvePreferences: description: |- - CurvePreferences defines the preferred elliptic curves in a specific order. + CurvePreferences defines the preferred elliptic curves. More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences items: type: string diff --git a/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1/tlsoption.go b/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1/tlsoption.go index 0e6e2274d..74aba1a91 100644 --- a/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1/tlsoption.go +++ b/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1/tlsoption.go @@ -34,7 +34,7 @@ type TLSOptionSpec struct { // CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. // More info: https://doc.traefik.io/traefik/v2.11/https/tls/#cipher-suites CipherSuites []string `json:"cipherSuites,omitempty"` - // CurvePreferences defines the preferred elliptic curves in a specific order. + // CurvePreferences defines the preferred elliptic curves. // More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences CurvePreferences []string `json:"curvePreferences,omitempty"` // ClientAuth defines the server's policy for TLS Client Authentication. diff --git a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go index 0e6e2274d..74aba1a91 100644 --- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go +++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go 
@@ -34,7 +34,7 @@ type TLSOptionSpec struct { // CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. // More info: https://doc.traefik.io/traefik/v2.11/https/tls/#cipher-suites CipherSuites []string `json:"cipherSuites,omitempty"` - // CurvePreferences defines the preferred elliptic curves in a specific order. + // CurvePreferences defines the preferred elliptic curves. // More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences CurvePreferences []string `json:"curvePreferences,omitempty"` // ClientAuth defines the server's policy for TLS Client Authentication. From a59bcb29b55c2229f5376bd65fb827168e024301 Mon Sep 17 00:00:00 2001 From: Michael Date: Wed, 23 Jul 2025 09:56:04 +0200 Subject: [PATCH 07/10] Improve integration tests --- .github/workflows/test-integration.yaml | 33 ++++++++++++++++++++++--- Makefile | 2 +- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test-integration.yaml b/.github/workflows/test-integration.yaml index 806148268..9eaa2880a 100644 --- a/.github/workflows/test-integration.yaml +++ b/.github/workflows/test-integration.yaml @@ -34,7 +34,21 @@ jobs: run: touch webui/static/index.html - name: Build binary - run: make binary + run: make binary-linux-amd64 + + - name: Save go cache build + uses: actions/cache/save@v4 + with: + path: | + ~/.cache/go-build + key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }} + + - name: Artifact traefik binary + uses: actions/upload-artifact@v4 + with: + name: traefik + path: ./dist/linux/amd64/traefik + retention-days: 1 test-integration: runs-on: ubuntu-latest 
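Review bot: The added steps reference `actions/cache/save@v4` and `actions/upload-artifact@v4` by mutable tag, and the second hunk of this workflow does the same for `actions/download-artifact@v4` and `actions/cache/restore@v4`. These steps now carry the binary that the test job executes, so pinning each to a full commit SHA, for example `uses: actions/upload-artifact@<full-commit-sha> # v4`, would keep a retagged action from changing what runs. If tag pinning is the convention for the rest of this workflow, which is not visible here, a short comment saying so would settle it.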
@@ -61,8 +75,21 @@ jobs: - name: Avoid generating webui run: touch webui/static/index.html - - name: Build binary - run: make binary + - name: Download traefik binary + uses: actions/download-artifact@v4 + with: + name: traefik + path: ./dist/linux/amd64/ + + - name: Make binary executable + run: chmod +x ./dist/linux/amd64/traefik + + - name: Restore go cache build + uses: actions/cache/restore@v4 + with: + path: | + ~/.cache/go-build + key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }} - name: Generate go test Slice id: test_split diff --git a/Makefile b/Makefile index f435fdc2d..b3a7f58b5 100644 --- a/Makefile +++ b/Makefile @@ -95,7 +95,7 @@ test-unit: .PHONY: test-integration #? test-integration: Run the integration tests -test-integration: binary +test-integration: GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS) .PHONY: test-ui-unit From c6daab54e33033e34c1d5c6fe236e2fb7939fc46 Mon Sep 17 00:00:00 2001 From: Romain Date: Wed, 23 Jul 2025 10:34:04 +0200 Subject: [PATCH 08/10] Prepare release v2.11.28 --- CHANGELOG.md | 11 +++++++++++ script/gcg/traefik-bugfix.toml | 6 +++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d46ff3bd..c9731bc52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
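Review bot: With the `binary` prerequisite dropped from `test-integration`, a local `make test-integration` will presumably run against whatever binary is already under `./dist`, or fail when none exists, and the help line does not say so. I would change it to `#? test-integration: Run the integration tests (requires a previously built binary)`. This assumes the tests read a prebuilt binary from `./dist`, as the workflow's download path suggests; confirm against the integration harness.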
@@ -1,3 +1,14 @@ +## [v2.11.28](https://github.com/traefik/traefik/tree/v2.11.28) (2025-07-23) +[All Commits](https://github.com/traefik/traefik/compare/v2.11.27...v2.11.28) + +**Bug fixes:** +- **[logs]** Redact logged install configuration ([#11907](https://github.com/traefik/traefik/pull/11907) by [jspdown](https://github.com/jspdown)) +- **[plugins]** Fix client arbitrary file access during archive extraction zipslip ([#11911](https://github.com/traefik/traefik/pull/11911) by [odaysec](https://github.com/odaysec)) +- **[server]** Disable MPTCP by default ([#11918](https://github.com/traefik/traefik/pull/11918) by [rtribotte](https://github.com/rtribotte)) + +**Documentation:** +- **[k8s/crd,k8s]** Remove all mentions of ordering for TLSOption CurvePreferences field ([#11924](https://github.com/traefik/traefik/pull/11924) by [jnoordsij](https://github.com/jnoordsij)) + ## [v2.11.27](https://github.com/traefik/traefik/tree/v2.11.27) (2025-07-11) [All Commits](https://github.com/traefik/traefik/compare/v2.11.26...v2.11.27) diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml index 6cb9289b0..6bc515de5 100644 --- a/script/gcg/traefik-bugfix.toml +++ b/script/gcg/traefik-bugfix.toml @@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example new bugfix v2.11.27 +# example new bugfix v2.11.28 CurrentRef = "v2.11" -PreviousRef = "v2.11.26" +PreviousRef = "v2.11.27" BaseBranch = "v2.11" -FutureCurrentRefName = "v2.11.27" +FutureCurrentRefName = "v2.11.28" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10 From 9bf14b67644cb1da14923bda0e3144a0355b4543 Mon Sep 17 00:00:00 2001 From: Romain Date: Wed, 23 Jul 2025 11:16:04 +0200 Subject: [PATCH 09/10] Prepare release v3.4.5 --- CHANGELOG.md | 13 +++++++++++++ script/gcg/traefik-bugfix.toml | 6 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 05f03e159..bd5768c69 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +## [v3.4.5](https://github.com/traefik/traefik/tree/v3.4.5) (2025-07-23) +[All Commits](https://github.com/traefik/traefik/compare/v3.4.4...v3.4.5) + +**Bug fixes:** +- **[http3]** Bump github.com/quic-go/quic-go to v0.54.0 ([#11919](https://github.com/traefik/traefik/pull/11919) by [GreyXor](https://github.com/GreyXor)) + +**Documentation:** +- Fix typo in entrypoints page ([#11914](https://github.com/traefik/traefik/pull/11914) by [adk-swisstopo](https://github.com/adk-swisstopo)) + +**Misc:** +- Merge branch v2.11 into v3.4 ([#11930](https://github.com/traefik/traefik/pull/11930) by [kevinpollet](https://github.com/kevinpollet)) +- Merge branch v2.11 into v3.4 ([#11926](https://github.com/traefik/traefik/pull/11926) by [rtribotte](https://github.com/rtribotte)) + ## [v2.11.28](https://github.com/traefik/traefik/tree/v2.11.28) (2025-07-23) [All Commits](https://github.com/traefik/traefik/compare/v2.11.27...v2.11.28) diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml index a1b6f4ab9..a2bdb8be3 100644 --- a/script/gcg/traefik-bugfix.toml +++ b/script/gcg/traefik-bugfix.toml @@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example new bugfix v3.4.4 +# example new bugfix v3.4.5 CurrentRef = "v3.4" -PreviousRef = "v3.4.3" +PreviousRef = "v3.4.4" BaseBranch = "v3.4" -FutureCurrentRefName = "v3.4.4" +FutureCurrentRefName = "v3.4.5" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10 From 43162507e33e573f4cd4acd6d20a1297f3623e76 Mon Sep 17 00:00:00 2001 From: Romain Date: Wed, 23 Jul 2025 12:04:04 +0200 Subject: [PATCH 10/10] Add a note for the removal of default MPTCP enablement in the migration guide --- docs/content/migration/v3.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/content/migration/v3.md b/docs/content/migration/v3.md index 6581b5f39..dc29ae058 100644 --- a/docs/content/migration/v3.md +++ b/docs/content/migration/v3.md 
@@ -319,3 +319,14 @@ and Traefik now keeps them encoded to avoid any ambiguity. | `/foo/../bar` | PathPrefix(`/bar`) | Match | Match | | `/foo/%2E%2E/bar` | PathPrefix(`/foo`) | Match | No match | | `/foo/%2E%2E/bar` | PathPrefix(`/bar`) | No match | Match | + +## v3.4.5 + +### MultiPath TCP + +Since `v3.4.5`, the MultiPath TCP support introduced with `v3.4.2` has been removed. +It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message: + +- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported` + +However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).