Hi James,
On Wed, Aug 18, 2021 at 04:53:09PM -0700, James Brown wrote:
> Are there CVE numbers coming for these vulnerabilities?
Yes, for what it's worth, Robert Frohl from SuSE got 3 assigned to this:
- CVE-2021-39240: -> Domain parts in ":scheme" and ":path"
-
On Thursday, 19 August 2021, James Brown wrote:
> Are there CVE numbers coming for these vulnerabilities?
>
>
CVE-2021-39240: -> 2) Domain parts in ":scheme" and ":path"
CVE-2021-39241: -> 1) Spaces in the ":method" field
CVE-2021-39242: -> 3) Mismatch between ":authority" and "Host"
Lukas
Are there CVE numbers coming for these vulnerabilities?
On Tue, Aug 17, 2021 at 8:14 AM Willy Tarreau wrote:
> Hi everyone,
>
> HAProxy is affected by 4 vulnerabilities in its HTTP/2 implementation in
> recent versions (starting with 2.0). Three of them are considered as having
> a moderate
On Tue, Aug 17, 2021 at 06:57:28PM +0200, Tim Düsterhus wrote:
> Hi Willy, Everyone,
>
> On 8/17/21 5:13 PM, Willy Tarreau wrote:
> > 2) Domain parts in ":scheme" and ":path"
> >
> > [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed.
>
> I'd like to clarify that the
On Tue, Aug 17, 2021 at 05:56:15PM +0200, Tim Düsterhus wrote:
> Vincent,
>
> On 8/17/21 5:49 PM, Vincent Bernat wrote:
> > For users of haproxy.debian.net or Launchpad PPA, the vulnerabilities
> > are fixed by patching the previous versions. Launchpad PPA builders are
> > still running but it
Hi Willy, Everyone,
On 8/17/21 5:13 PM, Willy Tarreau wrote:
> 2) Domain parts in ":scheme" and ":path"
>
> [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed.
I'd like to clarify that the above statement is not true. The issue also
affects H2->HAProxy->H1 connections. It
Vincent,
On 8/17/21 5:49 PM, Vincent Bernat wrote:
> For users of haproxy.debian.net or Launchpad PPA, the vulnerabilities
> are fixed by patching the previous versions. Launchpad PPA builders are
> still running but it should be available in the next hour. I will upload
> the new versions later this
❦ 17 August 2021 17:13 +02, Willy Tarreau:
> HAProxy is affected by 4 vulnerabilities in its HTTP/2 implementation in
> recent versions (starting with 2.0). Three of them are considered as having
> a moderate impact as they only affect the interpretation of the authority
> (Host header field) in
Hi everyone,
HAProxy is affected by 4 vulnerabilities in its HTTP/2 implementation in
recent versions (starting with 2.0). Three of them are considered as having
a moderate impact as they only affect the interpretation of the authority
(Host header field) in H2->H2 communications in versions 2.2