On 02 Apr 15:27, Julien Pivotto wrote:
> On 02 Apr 15:03, Willy Tarreau wrote:
> > Hi,
> >
> > HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> > after version 2.1.3.
> >
> > The main driver for this release is that it contains a fix for a serious
> > vulnerability that was responsibly reported last week by Felix Wilhelm
> > from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> > CVE-2020-11100 was assigned to this issue.
> >
> > There is no configuration-based workaround for 2.1 and above.
>
> Is disabling HTTP2 a workaround?
>
> Thanks.

Sorry, I have only read the 2.1 mail. Thanks

> >
> > This vulnerability makes it possible under certain circumstances to write
> > to a wide range of memory locations within the process' heap, with the
> > limitation that the attacker doesn't control the absolute address, so the
> > most likely result, and by a far margin, will be a process crash, but it is
> > not possible to completely rule out the faint possibility of a remote code
> > execution, at least in a lab-controlled environment. Felix was kind enough
> > to agree to delay the publication of his findings to the 20th of this month
> > in order to leave enough time for haproxy users to apply updates. But please
> > do not wait, as it is not very difficult to figure out how to exploit the bug
> > based on the fix. Distros were notified and will also have fixes available
> > very shortly.
> >
> > Three other important fixes are present in this version:
> >   - a non-portable way of calculating a list pointer that breaks with
> >     gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
> >     at random places in the code depending on how the compiler decides to
> >     optimize the code.
> >
> >   - a bug in the way TLV fields are extracted from the PROXY protocol, as
> >     they could be mistakenly looked up in the subsequent payload, even
> >     though these would have limited effects since these ones would generally
> >     be meaningless for the transported protocol, but could be used to hide a
> >     source address from logging for example.
> >
> >   - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
> >     prevent a connection from being sent to a server while the 500 response
> >     is delivered to the client. Given that they are often used to block
> >     suspicious activity, it's problematic.
> >
> > The rest is less important, but still relevant to some users. Among those
> > noticeable I can enumerate:
> >   - the O(N^2) ACL unique-id allocator that could take several minutes to
> >     boot on certain very large configs was reworked to follow O(NlogN)
> >     instead.
> >
> >   - the default global maxconn setting when not set in the configuration was
> >     incorrectly set to the process' soft limit instead of the hard limit,
> >     resulting in much lower connection counts on some setups after upgrade
> >     from 1.x to 2.x. It now properly follows the hard limit.
> >
> >   - a new thread-safe random number generator that will avoid the risk that
> >     the "uuid" sample fetch function returns the exact same UUID in several
> >     threads.
> >
> >   - issues in HTX mode affecting filters, namely cache and compression, that
> >     could lead to data corruption.
> >
> >   - alignment issues causing bus error on Sparc64 were addressed
> >
> >   - fixed a rare case of possible segfault on soft-stop when a finishing
> >     thread flushes its pools while another one is freeing some elements.
> >
> > Please have a look at the changelog below for a more detailed list of fixes,
> > and do not forget to update, either from the sources or from your regular
> > distro channels.
> >
> > Please find the usual URLs below :
> >    Site index       : http://www.haproxy.org/
> >    Discourse        : http://discourse.haproxy.org/
> >    Slack channel    : https://slack.haproxy.org/
> >    Issue tracker    : https://github.com/haproxy/haproxy/issues
> >    Sources          : http://www.haproxy.org/download/2.1/src/
> >    Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
> >    Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
> >    Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
> >    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> >
> > Willy
> > ---
> > Complete changelog :
> > Balvinder Singh Rawat (1):
> >       DOC: correct typo in alert message about rspirep
> >
> > Bjoern Jacke (1):
> >       DOC: fix typo about no-tls-tickets
> >
> > Björn Jacke (1):
> >       DOC: improve description of no-tls-tickets
> >
> > Carl Henrik Lunde (1):
> >       OPTIM: startup: fast unique_id allocation for acl.
> >
> > Christopher Faulet (26):
> >       BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
> >       MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
> >       MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
> >       MINOR: filters: Forward data only if the last filter forwards something
> >       BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
> >       BUG/MINOR: http-htx: Don't return error if authority is updated without changes
> >       BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
> >       MINOR: http-ana: Match on the path if the monitor-uri starts by a /
> >       BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
> >       BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
> >       MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
> >       MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
> >       BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
> >       BUG/MINOR: filters: Forward everything if no data filters are called
> >       MINOR: htx: Add a function to return a block at a specific offset
> >       BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
> >       BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
> >       BUG/MINOR: http-ana: Reset request analysers on a response side error
> >       BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
> >       BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
> >       BUG/MINOR: http-rules: Fix a typo in the reject action function
> >       BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
> >       BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
> >       MINOR: http-rules: Add a flag on redirect rules to know the rule direction
> >       MINOR: http-rules: Handle the rule direction when a redirect is evaluated
> >       BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
> >
> > Daniel Corbett (1):
> >       BUG/MINOR: stats: Fix color of draining servers on stats page
> >
> > David Carlier (1):
> >       BUILD: on ARM, must be linked to libatomic.
> >
> > Emeric Brun (1):
> >       BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
> >
> > Frédéric Lécaille (1):
> >       BUG/MINOR: peers: Use after free of "peers" section.
> >
> > Ilya Shipitsin (4):
> >       DOC: configuration.txt: fix various typos
> >       DOC: assorted typo fixes in the documentation and Makefile
> >       DOC: assorted typo fixes in the documentation
> >       DOC: assorted typo fixes in the documentation
> >
> > Jerome Magnin (4):
> >       MINOR: ist: add an iststop() function
> >       BUG/MINOR: http: http-request replace-path duplicates the query string
> >       MINOR: listener: add so_name sample fetch
> >       BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
> >
> > Lukas Tribus (2):
> >       BUG/MINOR: dns: ignore trailing dot
> >       DOC: ssl: clarify security implications of TLS tickets
> >
> > Miroslav Zagorac (1):
> >       DOC: internals: Fix spelling errors in filters.txt
> >
> > Olivier Houchard (8):
> >       BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
> >       BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
> >       MINOR: mt_lists: Appease gcc.
> >       BUG/MEDIUM: pools: Always update free_list in pool_gc().
> >       MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
> >       BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
> >       MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
> >       BUG/MINOR: connections: Make sure we free the connection on failure.
> >
> > Tim Duesterhus (5):
> >       CLEANUP: cfgparse: Fix type of second calloc() parameter
> >       BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
> >       BUG/MINOR: pattern: Do not pass len = 0 to calloc()
> >       BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
> >       DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
> >
> > William Dauchy (1):
> >       BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
> >
> > William Lallemand (2):
> >       BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
> >       BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
> >
> > Willy Tarreau (38):
> >       SCRIPTS: make announce-release executable again
> >       SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
> >       BUG/MEDIUM: shctx: make sure to keep all blocks aligned
> >       MINOR: compiler: move CPU capabilities definition from config.h and complete them
> >       BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
> >       BUILD: fix recent build failure on unaligned archs
> >       BUG/MINOR: sample: fix the json converter's endian-sensitivity
> >       BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
> >       BUG/MINOR: connection: make sure to correctly tag local PROXY connections
> >       MINOR: compiler: add new alignment macros
> >       BUILD: ebtree: improve architecture-specific alignment
> >       BUG/MINOR: h2: reject again empty :path pseudo-headers
> >       BUG/MEDIUM: random: initialize the random pool a bit better
> >       MINOR: tools: add 64-bit rotate operators
> >       BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
> >       MINOR: backend: use a single call to ha_random32() for the random LB algo
> >       BUG/MINOR: checks/threads: use ha_random() and not rand()
> >       BUG/MAJOR: list: fix invalid element address calculation
> >       MINOR: debug: report the task handler's pointer relative to main
> >       BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
> >       MINOR: haproxy: export main to ease access from debugger
> >       BUILD: tools: remove obsolete and conflicting trace() from standard.c
> >       BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
> >       DOC: fix incorrect indentation of http_auth_*
> >       BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
> >       REGTEST: make the PROXY TLV validation depend on version 2.2
> >       BUILD: wdt: only test for SI_TKILL when compiled with thread support
> >       BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
> >       BUG/MINOR: haproxy: always initialize sleeping_thread_mask
> >       BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
> >       BUG/MINOR: haproxy/threads: try to make all threads leave together
> >       BUILD: makefile: fix regex syntax in ARM platform detection
> >       BUILD: makefile: fix expression again to detect ARM platform
> >       REGTESTS: use "command -v" instead of "which"
> >       REGTEST: increase timeouts on the seamless-reload test
> >       BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
> >       BUILD: ssl: only pass unsigned chars to isspace()
> >       BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
> >
> > ---
> >
>
> --
>  (o-    Julien Pivotto
>  //\    Open-Source Consultant
>  V_/_   Inuits - https://www.inuits.eu

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu
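The PROXY protocol TLV item in the announcement (and Tim Duesterhus' "BUG/MAJOR: proxy_protocol: Properly validate TLV lengths") comes down to one parsing rule: a receiver must scan TLVs only within the length the header itself declares, never up to the end of whatever bytes happen to be in the buffer, or bytes of the transported payload can be read as TLVs. The following is an added example written for this page, not HAProxy's own code: a small PROXY protocol v2 TLV lookup in C that bounds the scan by the header's length field and rejects TLVs whose length overruns it. The wire layout and the type value 0x05 (PP2_TYPE_UNIQUE_ID, reserved by the DOC commit above) follow the PROXY protocol specification; the sample headers, addresses and the "id01" value are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PROXY protocol v2 layout constants (from the PROXY protocol specification). */
#define PP2_SIGNATURE      "\r\n\r\n\0\r\nQUIT\n"
#define PP2_SIG_LEN        12
#define PP2_HDR_FIXED      16   /* signature + ver/cmd + fam/proto + 16-bit length */
#define PP2_ADDR_INET      12   /* src ip4, dst ip4, src port, dst port */
#define PP2_TYPE_UNIQUE_ID 0x05 /* TLV type reserved in this release's DOC commit */

enum pp2_tlv_status {
    PP2_TLV_FOUND = 0,  /* *value / *value_len point inside the header */
    PP2_TLV_ABSENT,     /* header is valid but carries no TLV of that type */
    PP2_TLV_MALFORMED   /* truncated header or a TLV overrunning the header */
};

/* Look up TLV `type` in a v2 header held in buf[0..buf_len). The scan stops at
 * the end declared by bytes 14-15 of the header, never at buf_len, so bytes of
 * the transported payload are never interpreted as TLVs. */
enum pp2_tlv_status pp2_find_tlv(const uint8_t *buf, size_t buf_len, uint8_t type,
                                 const uint8_t **value, size_t *value_len)
{
    if (buf_len < PP2_HDR_FIXED || memcmp(buf, PP2_SIGNATURE, PP2_SIG_LEN) != 0)
        return PP2_TLV_MALFORMED;
    if ((buf[12] & 0xF0) != 0x20)               /* only version 2 */
        return PP2_TLV_MALFORMED;
    size_t hdr_len = ((size_t)buf[14] << 8) | buf[15];   /* bytes after the fixed 16 */
    if (hdr_len > buf_len - PP2_HDR_FIXED)
        return PP2_TLV_MALFORMED;               /* header not fully received */
    size_t addr_len;
    switch (buf[13] >> 4) {                     /* address family selects block size */
    case 0x0: addr_len = 0;   break;            /* AF_UNSPEC */
    case 0x1: addr_len = PP2_ADDR_INET; break;  /* AF_INET */
    case 0x2: addr_len = 36;  break;            /* AF_INET6 */
    case 0x3: addr_len = 216; break;            /* AF_UNIX */
    default:  return PP2_TLV_MALFORMED;
    }
    if (hdr_len < addr_len)
        return PP2_TLV_MALFORMED;
    const uint8_t *p   = buf + PP2_HDR_FIXED + addr_len;
    const uint8_t *end = buf + PP2_HDR_FIXED + hdr_len;  /* the bound: NOT buf + buf_len */
    while (p < end) {
        if (end - p < 3)
            return PP2_TLV_MALFORMED;           /* partial type/length inside header */
        size_t tlen = ((size_t)p[1] << 8) | p[2];
        if (tlen > (size_t)(end - p - 3))
            return PP2_TLV_MALFORMED;           /* TLV claims bytes beyond the header */
        if (p[0] == type) {
            *value = p + 3;
            *value_len = tlen;
            return PP2_TLV_FOUND;
        }
        p += 3 + tlen;
    }
    return PP2_TLV_ABSENT;
}

/* Constructed sample: a v2 PROXY/TCP4 header with `tlv` inside the declared
 * length and `payload` appended after it. Returns the total byte count. */
size_t pp2_build_sample(uint8_t *out, const uint8_t *tlv, size_t tlv_len,
                        const uint8_t *payload, size_t payload_len)
{
    static const uint8_t addr[PP2_ADDR_INET] = {
        192, 0, 2, 10, 198, 51, 100, 1,   /* 192.0.2.10 -> 198.51.100.1 (doc ranges) */
        0xC3, 0x50, 0x01, 0xBB };         /* ports 50000 -> 443 */
    size_t hdr_len = PP2_ADDR_INET + tlv_len;
    memcpy(out, PP2_SIGNATURE, PP2_SIG_LEN);
    out[12] = 0x21;                       /* version 2, PROXY command */
    out[13] = 0x11;                       /* AF_INET, STREAM */
    out[14] = (uint8_t)(hdr_len >> 8);
    out[15] = (uint8_t)(hdr_len & 0xFF);
    memcpy(out + PP2_HDR_FIXED, addr, PP2_ADDR_INET);
    if (tlv_len) memcpy(out + PP2_HDR_FIXED + PP2_ADDR_INET, tlv, tlv_len);
    if (payload_len) memcpy(out + PP2_HDR_FIXED + hdr_len, payload, payload_len);
    return PP2_HDR_FIXED + hdr_len + payload_len;
}

static const uint8_t sample_tlv[] = { PP2_TYPE_UNIQUE_ID, 0x00, 0x04, 'i', 'd', '0', '1' };
static const uint8_t sample_payload[] = "GET / HTTP/1.0\r\n";

/* Case 1: the TLV sits inside the declared header; returns 1 when found as "id01". */
int demo_tlv_inside_header(void)
{
    uint8_t buf[128]; const uint8_t *v; size_t vl;
    size_t n = pp2_build_sample(buf, sample_tlv, sizeof sample_tlv,
                                sample_payload, sizeof sample_payload - 1);
    return pp2_find_tlv(buf, n, PP2_TYPE_UNIQUE_ID, &v, &vl) == PP2_TLV_FOUND
           && vl == 4 && memcmp(v, "id01", 4) == 0;
}

/* Case 2: identical bytes placed after the declared length (i.e. in the payload)
 * must not be found, however many bytes the buffer holds. */
enum pp2_tlv_status demo_tlv_in_payload(void)
{
    uint8_t buf[128]; const uint8_t *v; size_t vl;
    size_t n = pp2_build_sample(buf, NULL, 0, sample_tlv, sizeof sample_tlv);
    return pp2_find_tlv(buf, n, PP2_TYPE_UNIQUE_ID, &v, &vl);
}

/* Case 3: a TLV whose length field (0x40) exceeds the header is rejected. */
enum pp2_tlv_status demo_tlv_overrun(void)
{
    static const uint8_t bad[] = { PP2_TYPE_UNIQUE_ID, 0x00, 0x40, 'x', 'y' };
    uint8_t buf[128]; const uint8_t *v; size_t vl;
    size_t n = pp2_build_sample(buf, bad, sizeof bad, NULL, 0);
    return pp2_find_tlv(buf, n, PP2_TYPE_UNIQUE_ID, &v, &vl);
}

/* Case 4: fewer bytes received than the header declares: reject, don't read past. */
enum pp2_tlv_status demo_truncated(void)
{
    uint8_t buf[128]; const uint8_t *v; size_t vl;
    size_t n = pp2_build_sample(buf, sample_tlv, sizeof sample_tlv, NULL, 0);
    return pp2_find_tlv(buf, n - 3, PP2_TYPE_UNIQUE_ID, &v, &vl);
}

int main(void)
{
    printf("inside header: %d  in payload: %d  overrun: %d  truncated: %d\n",
           demo_tlv_inside_header(), demo_tlv_in_payload(),
           demo_tlv_overrun(), demo_truncated());
    return 0;
}
```

The point to check in any receiver, whether a proxy, a log pipeline, or an application parsing PROXY v2 itself, is the `end` bound: it is derived from the header's own length field, and a TLV is accepted only if type, length and value all fit before that bound. Case 2 is the situation the announcement describes, where a value in the client-controlled payload could otherwise be picked up as if it were a trusted TLV; case 4 is the same check applied when the header arrives incomplete.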