Hi Salvatore

I must have thought that the patch could not be applied as I can see that I have looked at the path to see if I could NMU.

Cheers

Luk

On 04/02/2013 09:34 PM, Salvatore Bonaccorso wrote:
> Control: reopen -1
>
> Hi Luk
>
> On Sat, Jun 23, 2012 at 10:03:21AM +0000, Debian Bug Tracking System wrote:
>> This is an automatic notification regarding your Bug report
>> which was filed against the haproxy package:
>>
>> #674447: CVE-2012-2391
>>
>> It has been closed by Luk Claes <[email protected]>.
>>
>> Their explanation is attached below along with your original report.
>> If this explanation is unsatisfactory and you have not received a
>> better one in a separate message then please contact Luk Claes
>> <[email protected]> by
>> replying to this email.
>
> I was currently looking at the list of bugs with security tag but not
> tracked in the security tracker[1] and noticed #674447.
>
> [1]:
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;[email protected];exclude=tracked
>
> Noticed that you closed this bug with version 1.4.15-1. Is this
> correct? Looking at the code and the information the patch from [2]
> still applies and corrects the trash and trashlen. However
> /usr/share/doc/haproxy/configuration.txt.gz clearly says:
>
> tune.bufsize <number>
>   Sets the buffer size to this size (in bytes). Lower values allow more
>   sessions to coexist in the same amount of RAM, and higher values allow some
>   applications with very large cookies to work. The default value is 16384 and
>   can be changed at build time. It is strongly recommended not to change this
>   from the default value, as very low values will break some services such as
>   statistics, and values larger than default size will increase memory usage,
>   possibly causing the system to run out of memory. At least the global maxconn
>   parameter should be decreased by the same factor as this one is increased.
>
> So changing this from non-default value can result in the problem
> (downgrading severity for the bugreport?)
>
> [2]:
> http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commitdiff;h=30297cb17147a8d339eb160226bcc08c91d9530b
>
> The mentioned patch was only applied 1.4.21 upstream.
>
> Would be great if you could doublecheck my comment above. Or why is it
> fixed in 1.4.15?
>
> Regards,
> Salvatore
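
The triage condition discussed in this thread (a 1.4 package older than upstream 1.4.21 combined with a non-default `tune.bufsize`) can be checked per host. The following is an added example, not part of the original messages or of haproxy; the function names and the sample configuration are constructed, and it assumes the build-time default is still 16384 and that the Debian package carries no backported fix.

```python
import re

DEFAULT_BUFSIZE = 16384      # default quoted from configuration.txt (assumed unchanged at build time)
FIXED_UPSTREAM = (1, 4, 21)  # upstream 1.4 release carrying the patch, per the thread
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "userlist", "peers"}

def upstream_version(pkg_version):
    """'1.4.15-1' -> (1, 4, 15): drop Debian epoch and revision (1.4 branch only)."""
    upstream = pkg_version.split(":", 1)[-1].rsplit("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream)[:3])

def global_bufsize(cfg_text):
    """Return the last tune.bufsize set in the 'global' section, or None if unset."""
    section, value = None, None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # strip comments (simplified: no quoting rules)
        if not words:
            continue
        if words[0] in SECTIONS:
            section = words[0]
        elif section == "global" and words[0] == "tune.bufsize" and len(words) > 1:
            value = int(words[1])
    return value

def triage(pkg_version, cfg_text):
    """Classify a host: 'patched', 'review' (non-default bufsize), or 'default-bufsize'."""
    if upstream_version(pkg_version) >= FIXED_UPSTREAM:
        return "patched"
    bufsize = global_bufsize(cfg_text)
    if bufsize is not None and bufsize != DEFAULT_BUFSIZE:
        return "review"
    return "default-bufsize"

# Constructed sample configuration, not taken from any real host.
SAMPLE_CFG = """\
global
    maxconn 4096
    tune.bufsize 32768   # raised for large cookies

defaults
    mode http
"""

if __name__ == "__main__":
    for version in ("1.4.15-1", "1.4.21-1"):
        print(version, triage(version, SAMPLE_CFG))
```
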

