❦ 17 August 2021 17:13 +02, Willy Tarreau:

> HAProxy is affected by 4 vulnerabilities in its HTTP/2 implementation in
> recent versions (starting with 2.0). Three of them are considered as having
> a moderate impact as they only affect the interpretation of the authority
> (Host header field) in H2->H2 communications in versions 2.2 and above.
> One only affects a risk of misinterpretation from lenient HTTP/1 backend
> servers, and affects version 2.0 and above, though at the time of writing
> we're not aware of any such vulnerable server among the mainstream ones
> that are commonly found behind HAProxy (Apache, NGINX, Varnish, etc).

For users of haproxy.debian.net or Launchpad PPA, the vulnerabilities
are fixed by patching the previous versions. Launchpad PPA builders are
still running but it should be available in the next hour. I will upload
the new versions later this week.

Check the changelog (in /usr/share/doc/haproxy/changelog.Debian.gz) if
you want to know if you are running a fixed version. The list of fixed
versions is:

haproxy_2.4.2-2~bpo10+1
haproxy_2.4.2-2~bpo11+1
haproxy_2.4.2-2ppa1~bionic
haproxy_2.4.2-2ppa1~focal
haproxy_2.2.9-2+deb11u1 (should be available from debian-security soon)
haproxy_2.3.12-2~bpo10+1
haproxy_2.3.12-2ppa1~bionic
haproxy_2.3.12-2ppa1~focal
haproxy_2.2.15-3~bpo9+1
haproxy_2.2.15-3~bpo10+1
haproxy_2.2.15-3ppa1~bionic
haproxy_2.2.15-3ppa1~focal
haproxy_2.0.23-3~bpo9+1
haproxy_2.0.23-3~bpo10+1
haproxy_2.0.23-3ppa1~xenial
haproxy_2.0.23-3ppa1~bionic
haproxy_2.0.23-3ppa1~focal

-- 
Make input easy to proofread.
            - The Elements of Programming Style (Kernighan & Plauger)
