Hi,

HAProxy 2.0.24 was released on 2021/08/17. It added 18 new commits
after version 2.0.23.

This version contains the fixes for the H2 vulnerabilities reported by
Tim that were described in the previous message, and which allow abusing
the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages
that some vulnerable servers might possibly accept to parse (though
we're not aware of any among the usual mainstream ones).

All users of 2.0 who skipped previous updates *MUST* program an update
to this one. In the meantime, the previous message about the issue
suggests several possible workarounds.

Aside from these, the following issues were addressed in this version:

  - there was yet another case where a partial H2 frame could leave an H2
    connection in a stuck state. This time it's okay (famous last words).

  - checking a config with -W could cause an attempt to re-execute the
    process and crash. It does not bring anything to use -W during a
    config check but it usually remains from hard-coded command line
    arguments in scripts. And actually that was also missing from the
    systemd unit file and was added there.

  - SPOE was fixed regarding the connection close strategy in multi-threading
    so that there are always available connections for each active thread.

  - a previous fix for an issue in tcp-checks where a dead connection could
    occasionally be dereferenced was incomplete in the 2.0 backport since
    the newer code had been refactored. It was completely addressed here.

  - muxes were not respecting "dontlognull" when dealing with H2 prefaces
    followed by a close, but this happens often with ALPN when clients
    tentatively set up multiple connections for the case where H2 will not
    be available. This was fixed.

  - support for "option disable-h2-upgrade" was backported from 2.2 to
    help users forcefully disable H1->H2 upgrades when desired.

  - a run-time check on integer wrapping was added upon startup to make
    sure haproxy is not accidentally built with incorrect CFLAGS which
    cause incorrect/insecure code to be emitted. If the error happens on
    startup, haproxy will indicate what to do (i.e. rebuild without
    dropping critical options from CFLAGS). There is no soft-fail possible
    here as this can only be a runtime check and once the executable code
    is damaged there's nothing you can do to make it run reliably again.
    Nobody will face this unless they were using a bogus binary without
    knowing it.

  - the last_change field of a server was not properly updated when the
    server got out of maintenance, resulting in wrong values in the stats,
    and accelerated slowstarts.

  - plus a handful of very minor ones

And that's about all. A few lower importance fixes were left pending for
a future version to make sure the upgrade to this one is totally safe.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (1):
      REGTESTS: add a test to prevent h2 desync attacks

Christopher Faulet (9):
      BUG/MEDIUM: tcp-check: Do not dereference inexisting connection
      BUG/MINOR: mux-h2: Obey dontlognull option during the preface
      BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
      MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
      BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
      BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
      DOC: Improve the lua documentation
      DOC: config: Fix 'http-response send-spoe-group' documentation
      MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade

Jonathon Lacher (1):
      DOC/MINOR: fix typo in management document

Remi Tricot-Le Breton (1):
      BUG/MINOR: connection: Add missing error labels to conn_err_code_str

William Lallemand (1):
      BUG/MINOR: systemd: must check the configuration using -Ws

Willy Tarreau (5):
      BUILD: add detection of missing important CFLAGS
      BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
      BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
      BUG/MINOR: server: update last_change on maint->ready transitions too
      BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
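
The ":method" issue described in the message, as an added example that is not HAProxy's code and not part of the original announcement: a gateway translating H2 to HTTP/1 has to reject any method that is not an RFC 7230 token before writing it into the request line. The function names and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* RFC 7230 "tchar": the only bytes a method may contain (method = token). */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    /* strchr() also matches the terminating NUL, so exclude 0 explicitly */
    return c != 0 && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* H2 header values are length-delimited: check every byte, never stop at NUL.
 * Returns 1 for a non-empty token, 0 otherwise. */
int h2_method_is_token(const char *m, size_t len)
{
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++)
        if (!is_tchar((unsigned char)m[i]))
            return 0;
    return 1;
}

/* Hypothetical H2->H1 translation step: writes the request line into out.
 * Returns its length, or -1 if the method is rejected or out is too small.
 * The path is assumed to have been validated separately. */
int h1_request_line(char *out, size_t size, const char *m, size_t mlen, const char *path)
{
    int n;

    if (!h2_method_is_token(m, mlen))
        return -1;
    n = snprintf(out, size, "%.*s %s HTTP/1.1\r\n", (int)mlen, m, path);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

int main(void)
{
    /* Constructed sample values, not captured traffic */
    const char *samples[] = { "GET", "M-SEARCH", "GET x", "GET\r\n", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(*samples); i++)
        printf("sample %zu: %s\n", i,
               h2_method_is_token(samples[i], strlen(samples[i])) ? "accept" : "reject");
    return 0;
}
```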
