Hi, [if you've already read the 1.5-dev18 announce, you don't need to read this one]

I'm announcing haproxy 1.4.23. It contains a security fix, users of 1.4 MUST upgrade or MUST apply the patch. Please read.

Configurations at risk are those which combine use of HTTP keywords in TCP content inspection rules, client-side keep-alive, header rewriting rules and which receive pipelined requests. These configurations may be remotely crashed when run with haproxy 1.4 up to and including 1.4.22 or development versions up to and including 1.5-dev17. Versions 1.4.23 and 1.5-dev18 are safe.

This issue was reported and troubleshooted by Yves Lafon from the W3C. Thanks Yves for the time you spent on this and all the efforts you made to get this core!

For those who want to quickly deploy a fix, please use this patch for 1.4 :

    http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=dc80672211

Around 25 bugs were fixed since 1.4.22 which was released in August 2012. Most of them are minor. The vulnerability above aside, another important one is a workaround for a recent change in glibc which adds bounds check to FD_SET/FD_CLR/FD_ISSET() to prevent use of more than FD_SETSIZE fds with select() while it used to work well for the last 15 years. The nasty thing is that it crashes the process when it's at its maximum load... I thought it was time to get rid of this, so now select() refuses to run with more than 1024 fds, and poll() is enabled by default including on exotic platforms.

Another issue was plaguing debugging sessions. Sending "show sess" too often on the CLI could result in corrupting an internal list due to a race condition.

I'm appending the changelog at the end of this e-mail.

I would have liked to release this version much sooner, but since some rare reports of crashes on 1.5-dev17 were floating around, I wanted to ensure 1.4 was not affected first. And it was!

Usual links below :

    Site index       : http://haproxy.1wt.eu/
    Sources          : http://haproxy.1wt.eu/download/1.4/src/
    Changelog        : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
    Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.4.html

Changelog :

    - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
    - BUG: fix garbage data when http-send-name-header replaces an existing header
    - BUG/MEDIUM: remove supplementary groups when changing gid
    - BUG/MINOR: Correct logic in cut_crlf()
    - BUG/MINOR: config: use a copy of the file name in proxy configurations
    - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
    - MINOR: halog: sort output by cookie code
    - BUG/MINOR: halog: -ad/-ac report the correct number of output lines
    - BUG/MINOR: halog: fix help message for -ut/-uto
    - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode
    - BUG/MEDIUM: command-line option -D must have precedence over "debug"
    - OPTIM: halog: keep a fast path for the lines-count only
    - MINOR: halog: add a parameter to limit output line count
    - BUG: halog: fix broken output limitation
    - MEDIUM: checks: avoid accumulating TIME_WAITs during checks
    - MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts
    - BUG/MAJOR: cli: show sess <id> may randomly corrupt the back-ref list
    - BUG/MINOR: http: don't report client aborts as server errors
    - BUG/MINOR: http: don't log a 503 on client errors while waiting for requests
    - BUG/MEDIUM: tcp: process could theorically crash on lack of source ports
    - BUG/MINOR: http: don't abort client connection on premature responses
    - BUILD: no need to clean up when making git-tar
    - MINOR: http: always report PR-- flags for redirect rules
    - BUG/MINOR: time: frequency counters are not totally accurate
    - BUG/MINOR: http: don't process abortonclose when request was sent
    - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait()
    - BUG/MINOR: config: fix improper check for failed memory alloc in ACL parser
    - BUG/MEDIUM: checks: ensure the health_status is always within bounds
    - CLEANUP: http: remove a useless null check
    - BUG/MEDIUM: signal: signal handler does not properly check for signal bounds
    - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage
    - CLEANUP: config: slowstart is never negative
    - BUILD: improve the makefile's support for libpcre
    - BUG/MINOR: checks: fix an warning introduced by commit 2f61455a
    - MEDIUM: halog: add support for counting per source address (-ic)
    - DOC: mention the new HTTP 307 and 308 redirect statues (cherry picked from commit b67fdc4cd8bde202f2805d98683ddab929469a05)
    - MEDIUM: poll: do not use FD_* macros anymore
    - BUG/MAJOR: ev_select: disable the select() poller if maxsock > FD_SETSIZE
    - BUILD: enable poll() by default in the makefile
    - BUILD: add explicit support for Mac OS/X
    - BUG/CRITICAL: using HTTP information in tcp-request content may crash the process
    - MEDIUM: http: implement redirect 307 and 308
    - MINOR: http: status 301 should not be marked non-cacheable

Cheers,
Willy
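
The select()/FD_SETSIZE workaround described in the announcement, sketched as an added example (not code from haproxy or from the patch): select() is refused whenever the configured socket limit exceeds FD_SETSIZE and poll() is used instead. The names pick_poller, checked_fd_set and wait_readable are hypothetical.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

enum poller { POLLER_SELECT, POLLER_POLL };

/* An fd_set only has room for fds 0..FD_SETSIZE-1, so select() is usable
 * only when every possible fd (0..maxsock-1) fits. Otherwise use poll(). */
enum poller pick_poller(int maxsock)
{
    return maxsock <= FD_SETSIZE ? POLLER_SELECT : POLLER_POLL;
}

/* Checked FD_SET: report an error instead of touching memory outside the set. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Returns 1 if fd is readable, 0 on timeout, -1 on error. */
int wait_readable(int fd, int maxsock, int timeout_ms)
{
    int n;
    if (pick_poller(maxsock) == POLLER_SELECT) {
        fd_set rd;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        FD_ZERO(&rd);
        if (checked_fd_set(fd, &rd) < 0)
            return -1;
        n = select(fd + 1, &rd, NULL, NULL, &tv);
        return n > 0 ? (FD_ISSET(fd, &rd) != 0) : n;
    }
    struct pollfd p = { .fd = fd, .events = POLLIN };  /* no fd-number limit */
    n = poll(&p, 1, timeout_ms);
    return n > 0 ? ((p.revents & POLLIN) != 0) : n;
}

int main(void)
{
    int p[2];   /* constructed sample input: a pipe holding one byte */
    if (pipe(p) < 0 || write(p[1], "x", 1) != 1)
        return 1;
    printf("select: %d, poll: %d\n", wait_readable(p[0], 64, 100), wait_readable(p[0], 4 * FD_SETSIZE, 100));
    return 0;
}
```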

