Hi everyone,

Right after the previous announcement of HTTP/2 vulnerabilities, a group of security researchers from JFrog Security have been looking for the possibility of remaining issues around the same topic. While there was nothing directly exploitable, Ori Hollander found a bug in the HTTP header name length encoding in the HTX representation by which the most significant bit of the name's length can slip into the value's least significant bit, and figured he could craft a valid request that would inject a dummy content-length on input that would be produced on output in addition to the other one, resulting in the possibility of a blind request smuggling attack ("blind" because the response never gets back to the attacker). Quite honestly they've done an excellent job at spotting this one, because it's not every day that you manage to turn a single-bit overflow into an extra request, and figuring this out required digging deeply into the layers! It's likely that they'll publish something shortly about their finding.

CVE-2021-40346 was assigned to this issue, which affects versions 2.0 and above. I'm going to emit new maintenance releases for 2.0, 2.2, 2.3 and 2.4 (2.5 still being in development, it will be released a bit later).

A possible workaround for those who cannot upgrade is to block requests and responses featuring more than one content-length header, which is what remains visible after the overflow has occurred; such messages are always invalid because duplicate content-length headers are always resolved during the parsing phase, hence this condition never legitimately reaches the HTTP layer:

    http-request deny if { req.hdr_cnt(content-length) gt 1 }
    http-response deny if { res.hdr_cnt(content-length) gt 1 }

I'd like to thank the usual distro maintainers for having accepted to produce yet another version of their packages in a short time. Hopefully now we can all get back to development!

Thanks,
Willy
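The two ACLs in the workaround above reduce to one rule: deny any request or response head that carries more than one content-length header. The following is an added stand-alone model of that rule, written for this post and not taken from HAProxy's own code; the `count_header` and `should_deny` functions and the sample messages are constructed for illustration, and the counting is done on raw HTTP/1.1 message heads rather than on HAProxy's internal HTX representation.

```python
"""Added example, not from the HAProxy announcement: a stand-alone model of the
workaround ACLs `req.hdr_cnt(content-length) gt 1` / `res.hdr_cnt(content-length) gt 1`,
applied to raw HTTP/1.1 request and response heads. All sample messages are constructed."""


def count_header(raw_head: bytes, name: str) -> int:
    """Count occurrences of header `name` (case-insensitive, whitespace around the
    name ignored) in a raw HTTP/1.1 message head: start line, header lines, and a
    blank line terminating the head. Anything after the blank line is body."""
    target = name.lower().encode()
    count = 0
    # Accept CRLF or bare LF line endings; strip a trailing CR left by bare-LF splits.
    lines = raw_head.replace(b"\r\n", b"\n").split(b"\n")
    for line in lines[1:]:            # skip the request/status line
        if line == b"":               # blank line ends the head
            break
        if b":" not in line:
            continue                  # not a header line; a strict parser would reject it
        hdr_name, _, _ = line.partition(b":")
        if hdr_name.strip().lower() == target:
            count += 1
    return count


def should_deny(raw_head: bytes) -> bool:
    """Mirror of the workaround: deny any message head carrying more than one
    content-length header. A conforming parser resolves duplicates before they
    reach the HTTP layer, so seeing two here means something upstream went wrong."""
    return count_header(raw_head, "content-length") > 1


# Constructed samples (hypothetical host, not real traffic).
NORMAL_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

DUPLICATE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"content-length: 0\r\n"   # second copy, differing only in case
    b"\r\n"
    b"hello"
)

DUPLICATE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 2\r\n"
    b"Content-Length: 2\r\n"   # identical values are still two headers
    b"\r\n"
    b"ok"
)


if __name__ == "__main__":
    for label, msg in (
        ("normal request", NORMAL_REQUEST),
        ("duplicate request", DUPLICATE_REQUEST),
        ("duplicate response", DUPLICATE_RESPONSE),
    ):
        print(f"{label}: {'deny' if should_deny(msg) else 'allow'}")
```

The rule is deliberately blunt: it does not try to decide which of the two values is the "real" one, because the point of the workaround is that no legitimate message reaches this stage with two, so any such message is dropped rather than interpreted.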
Right after the previous announce of HTTP/2 vulnerabilities, a group of security researchers from JFrog Security have been looking for the possibility of remaining issues around the same topic. While there was nothing directly exploitable, Ori Hollander found a bug in the HTTP header name length encoding in the HTX representation by which the most significant bit of the name's length can slip into the value's least significant bit, and figured he could craft a valid request that could inject a dummy content-length on input that would be produced on output in addition to the other one, resulting in the possibility of a blind request smuggling attack ("blind" because the response never gets back to the attacker). Quite honestly they've done an excellent job at spotting this one because it's not every day that you manage to turn a single-bit overflow into an extra request, and figuring this required to dig deeply into the layers! It's likely that they'll publish something shortly about their finding. CVE-2021-40346 was assigned to this issue, which affects versions 2.0 and above. I'm going to emit new maintenance releases for 2.0, 2.2, 2.3 and 2.4 (2.5 still being in development, it will be released a bit later). A possible workaround for those who cannot upgrade is to block requests and responses featuring more than one content-length header after the overflow occured; these ones are always invalid because they're always resolved during the parsing phase, hence this condition never reaches the HTTP layer: http-request deny if { req.hdr_cnt(content-length) gt 1 } http-response deny if { res.hdr_cnt(content-length) gt 1 } I'd like to thank the usual distro maintainers for having accepted to produce yet another version of their packages in a short time. Hopefully now we can all get back to development! Thanks, Willy