On 02 Apr 15:03, Willy Tarreau wrote:
> Hi,
>
> HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> after version 2.1.3.
>
> The main driver for this release is that it contains a fix for a serious
> vulnerability that was responsibly reported last week by Felix Wilhelm
> from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> CVE-2020-11100 was assigned to this issue.
>
> There is no configuration-based workaround for 2.1 and above.

Is disabling HTTP2 a workaround?

Thanks.

> This vulnerability makes it possible under certain circumstances to write
> to a wide range of memory locations within the process' heap, with the
> limitation that the attacker doesn't control the absolute address, so the
> most likely result and by a far margin will be a process crash, but it is
> not possible to completely rule out the faint possibility of a remote code
> execution, at least in a lab-controlled environment. Felix was kind enough
> to agree to delay the publication of his findings to the 20th of this month
> in order to leave enough time to haproxy users to apply updates. But please
> do not wait, as it is not very difficult to figure how to exploit the bug
> based on the fix. Distros were notified and will also have fixes available
> very shortly.
>
> Three other important fixes are present in this version:
>   - a non-portable way of calculating a list pointer that breaks with
>     gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
>     at random places in the code depending how the compiler decides to
>     optimize the code.
>
>   - a bug in the way TLV fields are extracted from the PROXY protocol, as
>     they could be mistakenly looked up in the subsequent payload, even
>     though these would have limited effects since these ones would generally
>     be meaningless for the transported protocol, but could be used to hide a
>     source address from logging for example.
>
>   - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
>     prevent a connection from being sent to a server while the 500 response
>     is delivered to the client. Given that they are often used to block
>     suspicious activity it's problematic.
>
> The rest is less important, but still relevant to some users. Among those
> noticeable I can enumerate:
>   - the O(N^2) ACL unique-id allocator that could take several minutes to
>     boot on certain very large configs was reworked to follow O(NlogN)
>     instead.
>
>   - the default global maxconn setting when not set in the configuration was
>     incorrectly set to the process' soft limit instead of the hard limit,
>     resulting in much lower connection counts on some setups after upgrade
>     from 1.x to 2.x. It now properly follows the hard limit.
>
>   - a new thread-safe random number generator that will avoid the risk that
>     the "uuid" sample fetch function returns the exact same UUID in several
>     threads.
>
>   - issues in HTX mode affecting filters, namely cache and compression, that
>     could lead to data corruption.
>
>   - alignment issues causing bus error on Sparc64 were addressed
>
>   - fixed a rare case of possible segfault on soft-stop when a finishing
>     thread flushes its pools while another one is freeing some elements.
>
> Please have a look at the changelog below for a more detailed list of fixes,
> and do not forget to update, either from the sources or from your regular
> distro channels.
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/2.1/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
>    Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> Willy
> ---
> Complete changelog :
> Balvinder Singh Rawat (1):
>       DOC: correct typo in alert message about rspirep
>
> Bjoern Jacke (1):
>       DOC: fix typo about no-tls-tickets
>
> Björn Jacke (1):
>       DOC: improve description of no-tls-tickets
>
> Carl Henrik Lunde (1):
>       OPTIM: startup: fast unique_id allocation for acl.
>
> Christopher Faulet (26):
>       BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
>       MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
>       MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
>       MINOR: filters: Forward data only if the last filter forwards something
>       BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
>       BUG/MINOR: http-htx: Don't return error if authority is updated without changes
>       BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
>       MINOR: http-ana: Match on the path if the monitor-uri starts by a /
>       BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
>       BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
>       MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
>       MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
>       BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
>       BUG/MINOR: filters: Forward everything if no data filters are called
>       MINOR: htx: Add a function to return a block at a specific offset
>       BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
>       BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
>       BUG/MINOR: http-ana: Reset request analysers on a response side error
>       BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
>       BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
>       BUG/MINOR: http-rules: Fix a typo in the reject action function
>       BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
>       BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
>       MINOR: http-rules: Add a flag on redirect rules to know the rule direction
>       MINOR: http-rules: Handle the rule direction when a redirect is evaluated
>       BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
>
> Daniel Corbett (1):
>       BUG/MINOR: stats: Fix color of draining servers on stats page
>
> David Carlier (1):
>       BUILD: on ARM, must be linked to libatomic.
>
> Emeric Brun (1):
>       BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
>
> Frédéric Lécaille (1):
>       BUG/MINOR: peers: Use after free of "peers" section.
>
> Ilya Shipitsin (4):
>       DOC: configuration.txt: fix various typos
>       DOC: assorted typo fixes in the documentation and Makefile
>       DOC: assorted typo fixes in the documentation
>       DOC: assorted typo fixes in the documentation
>
> Jerome Magnin (4):
>       MINOR: ist: add an iststop() function
>       BUG/MINOR: http: http-request replace-path duplicates the query string
>       MINOR: listener: add so_name sample fetch
>       BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
>
> Lukas Tribus (2):
>       BUG/MINOR: dns: ignore trailing dot
>       DOC: ssl: clarify security implications of TLS tickets
>
> Miroslav Zagorac (1):
>       DOC: internals: Fix spelling errors in filters.txt
>
> Olivier Houchard (8):
>       BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
>       BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
>       MINOR: mt_lists: Appease gcc.
>       BUG/MEDIUM: pools: Always update free_list in pool_gc().
>       MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
>       BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
>       MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
>       BUG/MINOR: connections: Make sure we free the connection on failure.
>
> Tim Duesterhus (5):
>       CLEANUP: cfgparse: Fix type of second calloc() parameter
>       BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
>       BUG/MINOR: pattern: Do not pass len = 0 to calloc()
>       BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
>       DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
>
> William Dauchy (1):
>       BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
>
> William Lallemand (2):
>       BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
>       BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
>
> Willy Tarreau (38):
>       SCRIPTS: make announce-release executable again
>       SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
>       BUG/MEDIUM: shctx: make sure to keep all blocks aligned
>       MINOR: compiler: move CPU capabilities definition from config.h and complete them
>       BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
>       BUILD: fix recent build failure on unaligned archs
>       BUG/MINOR: sample: fix the json converter's endian-sensitivity
>       BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
>       BUG/MINOR: connection: make sure to correctly tag local PROXY connections
>       MINOR: compiler: add new alignment macros
>       BUILD: ebtree: improve architecture-specific alignment
>       BUG/MINOR: h2: reject again empty :path pseudo-headers
>       BUG/MEDIUM: random: initialize the random pool a bit better
>       MINOR: tools: add 64-bit rotate operators
>       BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
>       MINOR: backend: use a single call to ha_random32() for the random LB algo
>       BUG/MINOR: checks/threads: use ha_random() and not rand()
>       BUG/MAJOR: list: fix invalid element address calculation
>       MINOR: debug: report the task handler's pointer relative to main
>       BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
>       MINOR: haproxy: export main to ease access from debugger
>       BUILD: tools: remove obsolete and conflicting trace() from standard.c
>       BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
>       DOC: fix incorrect indentation of http_auth_*
>       BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
>       REGTEST: make the PROXY TLV validation depend on version 2.2
>       BUILD: wdt: only test for SI_TKILL when compiled with thread support
>       BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
>       BUG/MINOR: haproxy: always initialize sleeping_thread_mask
>       BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
>       BUG/MINOR: haproxy/threads: try to make all threads leave together
>       BUILD: makefile: fix regex syntax in ARM platform detection
>       BUILD: makefile: fix expression again to detect ARM platform
>       REGTESTS: use "command -v" instead of "which"
>       REGTEST: increase timeouts on the seamless-reload test
>       BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
>       BUILD: ssl: only pass unsigned chars to isspace()
>       BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
>
> ---

-- 
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu
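The announcement above describes a PROXY protocol bug in which TLV fields could be looked up past the end of the header, in the transported payload. The following is an added example, not HAProxy's code and not part of the thread: a bounded PROXY protocol v2 TLV lookup in C that only ever walks the bytes the 16-bit header length field declares, so that a TLV-shaped byte sequence placed at the start of the application data is never matched. The sample header, the address block and the TLV contents are constructed for the example; TLV type 0x02 (PP2_TYPE_AUTHORITY) and type 0x05 (the value the changelog reserves as PP2_TYPE_UNIQUE_ID) are real type numbers from the PROXY protocol specification, while `pp2_find_tlv`, `build_sample` and `sample_lookup` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PROXY protocol v2 signature: "\r\n\r\n\0\r\nQUIT\n". */
static const uint8_t PP2_SIG[12] = {0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D,
                                    0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A};

#define PP2_TYPE_AUTHORITY 0x02 /* real type number from the spec */
#define PP2_TYPE_UNIQUE_ID 0x05 /* reserved by the DOC commit in this release */

/* Bounded TLV lookup (example code, not HAProxy's). Returns 1 if a TLV of
 * 'type' is found inside the header, 0 if the header has no such TLV, and
 * -1 if the header is malformed or not fully received. On success, *val
 * and *vlen point into buf. Nothing beyond the declared header length is
 * ever examined, so payload bytes cannot be mistaken for a TLV. */
int pp2_find_tlv(const uint8_t *buf, size_t buflen, uint8_t type,
                 const uint8_t **val, uint16_t *vlen)
{
    size_t hdr_len, addr_len, pos, end;

    if (buflen < 16 || memcmp(buf, PP2_SIG, sizeof(PP2_SIG)) != 0)
        return -1;
    if ((buf[12] & 0xF0) != 0x20)      /* only version 2 */
        return -1;
    hdr_len = ((size_t)buf[14] << 8) | buf[15];
    if (hdr_len > buflen - 16)         /* header not fully in the buffer */
        return -1;
    end = 16 + hdr_len;                /* first byte that is NOT header */

    switch (buf[13] & 0xF0) {          /* address family nibble */
    case 0x00: addr_len = 0;   break;  /* AF_UNSPEC */
    case 0x10: addr_len = 12;  break;  /* AF_INET:  4+4+2+2 */
    case 0x20: addr_len = 36;  break;  /* AF_INET6: 16+16+2+2 */
    case 0x30: addr_len = 216; break;  /* AF_UNIX:  108+108 */
    default:   return -1;
    }
    if (addr_len > hdr_len)
        return -1;

    pos = 16 + addr_len;
    while (pos < end) {
        size_t len;
        if (end - pos < 3)             /* truncated type/length fields */
            return -1;
        len = ((size_t)buf[pos + 1] << 8) | buf[pos + 2];
        if (len > end - pos - 3)       /* value would run past the header */
            return -1;
        if (buf[pos] == type) {
            *val = buf + pos + 3;
            *vlen = (uint16_t)len;
            return 1;
        }
        pos += 3 + len;
    }
    return 0;
}

/* Constructed sample: a v2 header (TCP over IPv4) carrying one AUTHORITY TLV
 * with value "abc", immediately followed by application data whose first
 * bytes are deliberately shaped like a UNIQUE_ID TLV with value "evil".
 * Returns the number of bytes written, or 0 if 'cap' is too small. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t addr[12] = {10, 0, 0, 1, 10, 0, 0, 2,
                                     0x1F, 0x90, 0x01, 0xBB};
    static const uint8_t tlv[6] = {PP2_TYPE_AUTHORITY, 0x00, 0x03, 'a', 'b', 'c'};
    static const uint8_t payload[8] = {PP2_TYPE_UNIQUE_ID, 0x00, 0x04,
                                       'e', 'v', 'i', 'l', '\n'};
    size_t hdr_len = sizeof(addr) + sizeof(tlv);
    size_t total = 16 + hdr_len + sizeof(payload);

    if (cap < total)
        return 0;
    memcpy(out, PP2_SIG, sizeof(PP2_SIG));
    out[12] = 0x21;                    /* version 2, PROXY command */
    out[13] = 0x11;                    /* AF_INET, STREAM */
    out[14] = (uint8_t)(hdr_len >> 8);
    out[15] = (uint8_t)hdr_len;
    memcpy(out + 16, addr, sizeof(addr));
    memcpy(out + 16 + sizeof(addr), tlv, sizeof(tlv));
    memcpy(out + 16 + hdr_len, payload, sizeof(payload));
    return total;
}

/* Runs the lookup over the constructed sample. With 'corrupt_len' set, the
 * in-header TLV is rewritten to claim a 200-byte value, which must be
 * rejected. Returns the parser's result code, or -3 when a value was found
 * but differs from 'expect' (when 'expect' is non-NULL). */
int sample_lookup(uint8_t type, int corrupt_len, const char *expect)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof(buf));
    const uint8_t *v = NULL;
    uint16_t vl = 0;
    int rc;

    if (n == 0)
        return -2;
    if (corrupt_len)
        buf[16 + 12 + 2] = 0xC8;       /* low length byte of the first TLV */
    rc = pp2_find_tlv(buf, n, type, &v, &vl);
    if (rc == 1 && expect &&
        (vl != strlen(expect) || memcmp(v, expect, vl) != 0))
        return -3;
    return rc;
}

int main(void)
{
    printf("AUTHORITY in header : %d (expect 1)\n",
           sample_lookup(PP2_TYPE_AUTHORITY, 0, "abc"));
    printf("UNIQUE_ID in payload: %d (expect 0, not found)\n",
           sample_lookup(PP2_TYPE_UNIQUE_ID, 0, NULL));
    printf("oversized TLV length: %d (expect -1)\n",
           sample_lookup(PP2_TYPE_AUTHORITY, 1, NULL));
    return 0;
}
```

The two checks that matter are the ones on `end`: the TLV walk stops at the declared header length rather than at the end of the receive buffer, and a TLV whose length field points past `end` is treated as a malformed header instead of being read from whatever follows. Everything after `end` belongs to the transported protocol and is never interpreted.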