April 7, 2026 by Rene Cannao · Release

Announcing ProxySQL 3.0.7, 3.1.7, and 4.0.7

Today we are releasing ProxySQL 3.0.7, 3.1.7, and 4.0.7 across all three release tiers. This release cycle focuses on three areas: security hardening, zstd compression support, and new TLS observability tables.

ProxySQL 3.0.7 (Stable Tier)

ProxySQL 3.0.7 is a recommended upgrade for all production deployments. The key improvements are:

Protocol Hardening

We hardened the MySQL protocol handler against malformed packets across multiple fronts:

  • COM_BINLOG_DUMP crash fix: Fixed a critical crash when COM_BINLOG_DUMP was received with idle backends from other hostgroups.
  • COM_CHANGE_USER validation: Added bounds checking to prevent out-of-bounds reads from truncated packets.
  • HandshakeResponse validation: String fields are now validated during the MySQL handshake.
  • PROXY protocol v1: Fixed a buffer overflow in address parsing with malformed source/destination fields.
  • COM_STMT_SEND_LONG_DATA: Fixed handling of packets shorter than expected.
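To illustrate the class of fix in the PROXY protocol v1 item above, here is an added example (not ProxySQL's code) of a v1 header parser that length-checks every field before copying it. The names ppv1, token, port and ppv1_parse are hypothetical. It assumes a POSIX system and the spec's 107-byte header limit, and it rejects the "PROXY UNKNOWN" form instead of handling it.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#define PPV1_MAX 107 /* longest v1 header the spec allows, CRLF included */

struct ppv1 {
    int family;                                   /* AF_INET or AF_INET6 */
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    unsigned sport, dport;
};

/* Copy one space-delimited token into out[cap]; fail if empty or too long. */
static const char *token(const char *p, const char *end, char *out, size_t cap) {
    const char *s = p;
    while (p < end && *p != ' ') p++;
    size_t n = (size_t)(p - s);
    if (n == 0 || n >= cap) return NULL;          /* length checked before the copy */
    memcpy(out, s, n); out[n] = '\0';
    return p < end ? p + 1 : p;
}

static int port(const char *s, unsigned *out) {
    char *e;
    unsigned long v = strtoul(s, &e, 10);
    if (*s < '0' || *s > '9' || *e != '\0' || v > 65535) return -1;
    *out = (unsigned)v;
    return 0;
}

/* Returns the header length in bytes, or -1 if the header is malformed. */
int ppv1_parse(const char *buf, size_t len, struct ppv1 *h) {
    char proto[6], sp[6], dp[6];
    unsigned char bin[sizeof(struct in6_addr)];
    const char *cr = NULL, *p;
    if (len > PPV1_MAX) len = PPV1_MAX;           /* never scan past the spec limit */
    for (size_t i = 0; i + 1 < len && !cr; i++) {
        if (buf[i] == '\0') return -1;            /* no embedded NULs in a text header */
        if (buf[i] == '\r' && buf[i + 1] == '\n') cr = buf + i;
    }
    if (!cr || cr - buf < 6 || memcmp(buf, "PROXY ", 6) != 0) return -1;
    if (!(p = token(buf + 6, cr, proto, sizeof proto))) return -1;
    h->family = !strcmp(proto, "TCP4") ? AF_INET : !strcmp(proto, "TCP6") ? AF_INET6 : AF_UNSPEC;
    if (h->family == AF_UNSPEC || !(p = token(p, cr, h->src, sizeof h->src)) ||
        !(p = token(p, cr, h->dst, sizeof h->dst)) || !(p = token(p, cr, sp, sizeof sp)) ||
        !(p = token(p, cr, dp, sizeof dp)) || p != cr || cr[-1] == ' ') return -1;
    if (inet_pton(h->family, h->src, bin) != 1 || inet_pton(h->family, h->dst, bin) != 1 ||
        port(sp, &h->sport) || port(dp, &h->dport)) return -1;
    return (int)(cr - buf) + 2;
}
```

On failure the caller should close the connection without using any field of the output struct, since it may be partially filled.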

zstd Compression for MySQL

ProxySQL now supports zstd compression for the MySQL protocol in addition to the existing zlib support. zstd offers significantly better compression ratios with lower CPU overhead, making it the preferred choice for high-throughput workloads over WAN connections. The zstd library is statically linked for consistent behavior across platforms.

No new configuration variables are needed. The existing mysql-have_compress variable now advertises both CLIENT_COMPRESS and CLIENT_ZSTD_COMPRESSION_ALGORITHM in server capabilities. Clients that support zstd will automatically negotiate it.

New TLS Observability Tables

Two new statistics tables provide real-time visibility into TLS configuration and certificate status:

  • stats_tls_certificates: Shows loaded certificates with subject, issuer, validity dates, days until expiry, and SHA-256 fingerprint. Ideal for monitoring certificate expiration.
  • stats_proxysql_global: Global proxy metrics including TLS load count, last load timestamp, and load result. Moves TLS metrics out of stats_mysql_global for cleaner separation.

Security Improvements

  • Admin credential redaction: Sensitive credentials are now redacted in logging output when set via administrative commands.
  • Dependabot remediation: All 48 Dependabot security alerts in test dependencies have been resolved.

Other Notable Changes

  • SHOW WARNINGS fix: Fixed incorrect warning_count when SHOW WARNINGS statements contained inline comments (#5306).
  • Listener conflict detection: ProxySQL now detects conflicting listener ports at startup and reports clear error messages.
  • REST API improvements: Routes can now be loaded from configuration aliases, with hardened config value escaping.
  • Platform support: Fixed compilation on FreeBSD and macOS.

ProxySQL 3.1.7 (Innovative Tier)

ProxySQL 3.1.7 inherits all improvements from 3.0.7 and adds FFTO enhancements:

  • FFTO error recording: Fast-Forward Traffic Observer now records MySQL and PostgreSQL errors in stats_mysql_errors and stats_pgsql_errors, providing full error visibility for previously invisible traffic.
  • FFTO default changed: FFTO is now disabled by default in 3.1.x. Administrators who need deep traffic observability must explicitly enable it via mysql-ffto_enabled or pgsql-ffto_enabled. It remains enabled by default in 4.0.x.
  • FFTO E2E tests: Added comprehensive end-to-end tests covering MySQL and PostgreSQL protocols including pipelining, transactions, error handling, and large result sets.

ProxySQL 4.0.7 (AI/MCP Tier)

ProxySQL 4.0.7 inherits all improvements from 3.1.7 and 3.0.7, with FFTO enabled by default. It also includes an MCP Bearer token authentication fix for case-insensitive token comparison.

Contributors

We would like to thank @rahim-kanji and @YujiHatakeyama for their contributions to this release.


Ready to upgrade? Check out the full release notes for 3.0.7, 3.1.7, and 4.0.7.