Hi Joao,

On Mon, Apr 29, 2019 at 09:10:22PM -0300, Joao Morais wrote:
> Hi list, do you know if HAProxy wasn't mentioned here[1] because it isn't
> vulnerable (1.8 and 1.9) or because it wasn't tested?
I think it's both :-)

Some people at F5 know haproxy's internal architecture quite well and have already reported bugs in the past. So for such people it only requires a quick look at the relevant code to see that haproxy is not vulnerable to such attacks, thus it doesn't need to be tested.

The SETTINGS frame is trivial to parse for us (it can be more expensive for some implementations which would perform some realloc() for example), and slow POST requests don't cause more harm than idle connections, thus (except when facing an undiscovered bug of course) everything should be fine regarding this.

Thanks for the link,
Willy
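To illustrate the point Willy makes about SETTINGS parsing, here is an added example that is not HAProxy's code and not part of the original thread: a minimal RFC 7540 SETTINGS frame parser that stores the six defined parameters in a fixed-size array, so each frame costs a bounded amount of work and no allocation regardless of how many frames a peer sends. The frame bytes, the `struct h2_settings` layout and the `demo_*` helper names are constructed for this example; the header layout, flags, stream-id rule and value bounds are the ones RFC 7540 specifies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* HTTP/2 frame header (RFC 7540 4.1): 24-bit length, type, flags, 31-bit stream id */
#define H2_FRAME_HDR_LEN 9
#define H2_FT_SETTINGS   0x4
#define H2_F_ACK         0x1
#define H2_SETTINGS_MAX_ID 6  /* identifiers 1..6 are defined in RFC 7540 6.5.2 */

enum h2_settings_err { H2_OK = 0, H2_ERR_SHORT, H2_ERR_TYPE, H2_ERR_STREAM, H2_ERR_LENGTH, H2_ERR_VALUE };

/* Fixed-size state: unknown identifiers are ignored, so nothing ever grows. */
struct h2_settings {
    uint32_t value[H2_SETTINGS_MAX_ID + 1]; /* indexed by identifier; slot 0 unused */
    uint32_t acks;                          /* number of SETTINGS ACK frames seen */
};

void h2_settings_init(struct h2_settings *s)
{
    s->value[0] = 0;
    s->value[1] = 4096;        /* HEADER_TABLE_SIZE */
    s->value[2] = 1;           /* ENABLE_PUSH */
    s->value[3] = UINT32_MAX;  /* MAX_CONCURRENT_STREAMS: no limit by default */
    s->value[4] = 65535;       /* INITIAL_WINDOW_SIZE */
    s->value[5] = 16384;       /* MAX_FRAME_SIZE */
    s->value[6] = UINT32_MAX;  /* MAX_HEADER_LIST_SIZE: no limit by default */
    s->acks = 0;
}

/* Parse one SETTINGS frame from buf in place. Sets *consumed on success. */
int h2_parse_settings(struct h2_settings *s, const uint8_t *buf, size_t len, size_t *consumed)
{
    if (len < H2_FRAME_HDR_LEN) return H2_ERR_SHORT;
    uint32_t flen  = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t  type  = buf[3], flags = buf[4];
    uint32_t sid   = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16) |
                     ((uint32_t)buf[7] << 8) | buf[8];

    if (type != H2_FT_SETTINGS) return H2_ERR_TYPE;
    if (sid != 0) return H2_ERR_STREAM;            /* PROTOCOL_ERROR: must be stream 0 */
    if (flags & H2_F_ACK) {
        if (flen != 0) return H2_ERR_LENGTH;       /* FRAME_SIZE_ERROR: ACK carries no payload */
        s->acks++;
        *consumed = H2_FRAME_HDR_LEN;
        return H2_OK;
    }
    if (flen % 6 != 0) return H2_ERR_LENGTH;       /* each setting is 16-bit id + 32-bit value */
    if (len < H2_FRAME_HDR_LEN + flen) return H2_ERR_SHORT;

    const uint8_t *p = buf + H2_FRAME_HDR_LEN;
    for (uint32_t off = 0; off < flen; off += 6, p += 6) {
        uint16_t id = (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
        uint32_t v  = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
                      ((uint32_t)p[4] << 8) | p[5];
        if (id == 0 || id > H2_SETTINGS_MAX_ID) continue;      /* unknown: ignore, per spec */
        if (id == 2 && v > 1) return H2_ERR_VALUE;             /* ENABLE_PUSH is 0 or 1 */
        if (id == 4 && v > 0x7fffffffU) return H2_ERR_VALUE;   /* FLOW_CONTROL_ERROR */
        if (id == 5 && (v < 16384 || v > 16777215)) return H2_ERR_VALUE;
        s->value[id] = v;                                      /* overwrite in place */
    }
    *consumed = H2_FRAME_HDR_LEN + flen;
    return H2_OK;
}

/* Constructed sample frames (hand-built for this example, not captured traffic). */
static const uint8_t good_frame[] = {
    0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,  /* len=12, SETTINGS, stream 0 */
    0x00, 0x03, 0x00, 0x00, 0x00, 0x64,                    /* MAX_CONCURRENT_STREAMS = 100 */
    0x00, 0x04, 0x00, 0x10, 0x00, 0x00                     /* INITIAL_WINDOW_SIZE = 1048576 */
};
static const uint8_t bad_stream_frame[] = {
    0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x01   /* SETTINGS on stream 1 */
};
static const uint8_t bad_ack_frame[] = {
    0x00, 0x00, 0x06, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00,  /* ACK with a 6-byte payload */
    0x00, 0x03, 0x00, 0x00, 0x00, 0x64
};

/* Returns the parsed MAX_CONCURRENT_STREAMS from good_frame, or -1 on error. */
long demo_parse_good(void)
{
    struct h2_settings s; size_t n = 0;
    h2_settings_init(&s);
    if (h2_parse_settings(&s, good_frame, sizeof good_frame, &n) != H2_OK) return -1;
    if (n != sizeof good_frame) return -1;
    return (long)s.value[3];
}

int demo_parse_bad_stream(void)
{
    struct h2_settings s; size_t n = 0;
    h2_settings_init(&s);
    return h2_parse_settings(&s, bad_stream_frame, sizeof bad_stream_frame, &n);
}

int demo_parse_bad_ack(void)
{
    struct h2_settings s; size_t n = 0;
    h2_settings_init(&s);
    return h2_parse_settings(&s, bad_ack_frame, sizeof bad_ack_frame, &n);
}

int main(void)
{
    printf("good frame -> MAX_CONCURRENT_STREAMS=%ld\n", demo_parse_good());
    printf("settings on stream 1 -> err %d\n", demo_parse_bad_stream());
    printf("ack with payload -> err %d\n", demo_parse_bad_ack());
    return 0;
}
```

The parser rejects malformed frames before touching any state and never allocates, so a peer sending an unbounded stream of SETTINGS frames only costs the receiver a fixed-time loop per frame and, if ACKs are counted, one increment. A design that instead appends each received setting to a growing list (with realloc() per frame) is the kind of implementation where the same traffic becomes expensive.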

