Hi,

HAProxy 1.8.17 was released on 2019/01/08. It added 12 new commits
after version 1.8.16.

One of them fixes a security issue discovered by Tim Düsterhus
(CVE-2018-20615):

   BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used

An incorrect frame length check is performed on HEADERS frames having the
PRIORITY flag, possibly resulting in a read past bounds which can cause a
crash depending on how the frame is crafted. All 1.9 and 1.8 versions are
affected. As a result, all HTTP/2 users must either upgrade or temporarily
disable HTTP/2 by commenting out the "npn h2" and "alpn h2" statements on
their related "bind" lines.

Another issue, which is very hard to trigger in 1.8, is a lack of timeout
for certain tasks when running from applets. Since 1.8's cache only
supports small objects, it cannot trigger it. In theory an extra large stats
page could trigger it, but the fact that output contents almost never
end on a buffer boundary makes this very unlikely as well. So I guess
nobody has ever faced it before we had support for large objects in the
1.9 cache.

The rest is pretty minor.

Please do not forget to update!

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (2):
      BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify()
      BUG/MINOR: lua: Return an error if a legacy HTTP applet doesn't send anything

Olivier Houchard (1):
      BUG/MEDIUM: server: Also copy "check-sni" for server templates.

Thierry FOURNIER (2):
      BUG/MINOR: lua: bad args are returned for Lua actions
      BUG/MEDIUM: lua: dead lock when Lua tasks are triggered

Willy Tarreau (7):
      MINOR: mux-h2: only increase the connection window with the first update
      BUG/MEDIUM: mux-h2: mark that we have too many CS once we have more than the max
      MINOR: lb: allow redispatch when using consistent hash
      MINOR: stream/cli: fix the location of the waiting flag in "show sess all"
      MINOR: stream/cli: report more info about the HTTP messages on "show sess all"
      BUG/MEDIUM: cli: make "show sess" really thread-safe
      BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used

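The temporary mitigation described in the announcement (stop offering h2 on the affected "bind" lines until the upgrade is done) is easy to miss on a large configuration with many listeners. The script below is an added example, not part of the announcement or of the HAProxy project: it scans a haproxy.cfg for active bind lines whose "alpn" or "npn" list offers h2 and rewrites them so that only the remaining protocols (typically http/1.1) are advertised. The embedded configuration is constructed for the example; the certificate paths, frontend names and ports are placeholders.

```python
import sys

# Constructed sample configuration (not taken from the announcement): two
# listeners negotiate h2 via ALPN/NPN, one is commented out, and one already
# only advertises http/1.1. Paths and names are placeholders.
SAMPLE_CFG = """\
global
    log /dev/log local0

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/certs/site.pem npn h2 alpn h2
    # bind :9443 ssl crt /etc/haproxy/certs/site.pem alpn h2
    default_backend be_app

frontend fe_legacy
    bind :443 ssl crt /etc/haproxy/certs/old.pem alpn http/1.1
"""

# Bind keywords whose argument is a comma-separated protocol list.
PROTO_KEYWORDS = ("alpn", "npn")


def h2_protocols(line):
    """Return the alpn/npn keywords on a bind line whose list offers h2.

    An empty list means the line is not a bind line or does not offer h2.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "bind":
        return []
    found = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in PROTO_KEYWORDS and "h2" in tokens[i + 1].split(","):
            found.append(tok)
    return found


def strip_h2(line):
    """Rewrite a bind line so that no alpn/npn list offers h2.

    h2 is dropped from each list; a keyword whose list becomes empty is
    removed entirely, which makes clients fall back to HTTP/1.1.
    Leading indentation is preserved.
    """
    indent = line[:len(line) - len(line.lstrip())]
    tokens = line.split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PROTO_KEYWORDS and i + 1 < len(tokens):
            remaining = [p for p in tokens[i + 1].split(",") if p != "h2"]
            if remaining:
                out.extend([tok, ",".join(remaining)])
            i += 2
            continue
        out.append(tok)
        i += 1
    return indent + " ".join(out)


def scan_config(text):
    """Return (line number, line) for every active bind line offering h2.

    Blank lines and comment lines are skipped, so an already commented-out
    bind line is not reported.
    """
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if h2_protocols(stripped):
            hits.append((n, raw))
    return hits


def mitigate_config(text):
    """Return the configuration with h2 removed from every active bind line."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#") and h2_protocols(stripped):
            lines.append(strip_h2(raw))
        else:
            lines.append(raw)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python check_h2.py [haproxy.cfg]; without a path the sample is used.
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for n, line in scan_config(cfg):
        print("line %d offers h2: %s" % (n, line.strip()))
    sys.stdout.write(mitigate_config(cfg))
```

After applying the rewritten configuration, validate it with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and confirm from the outside with `openssl s_client -connect host:443 -alpn h2` that the server no longer negotiates h2. Remember that this is only the stop-gap the announcement describes; the actual fix is upgrading to 1.8.17.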