Hi all,

I've issued haproxy 1.5.4 with a fix for the crash bug that James Dempsey
reported. It appears that under certain conditions with a certain dose of
server complicity (have it accept to slowly drain more than 2GB of data),
it might be remotely exploitable to crash haproxy (but no code execution
here nor data integrity attack since it's an overflow while parsing a random
location in memory). Since there's no obvious workaround, I've tagged this
bug critical. All users since 1.5-dev23 must upgrade (or backport the fix).
The good point is that it's mostly timing dependent and is really unlikely
to be exploitable outside a local network with a much faster client than
server. The only sensitive cases I'm thinking about are shared hosting
providers and backup operators with unfriendly local customers controlling
their own server and willing to deny their own access for the sole purpose
of crashing their provider's load balancer.

Another important bug was a possible busy loop in tcp-request content track-sc
rules. Other bugs are less important (hence why I didn't rush a release since
then).

Here comes the full changelog for this version:

        - BUG: config: error in http-response replace-header number of arguments
        - BUG/MINOR: Fix search for -p argument in systemd wrapper.
        - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
        - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
        - MEDIUM: connection: add new bit in Proxy Protocol V2
        - BUG/MINOR: server: move the directive #endif to the end of file
        - BUG/MEDIUM: http: tarpit timeout is reset
        - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc*
        - BUG/MEDIUM: http: fix inverted condition in pat_match_meth()
        - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs
        - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg()
        - BUG/MEDIUM: acl: correctly compute the output type when a converter is used
        - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix
        - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer

Usual URLs come below:
     Site index       : http://www.haproxy.org/
     Sources          : http://www.haproxy.org/download/1.5/src/
     Git repository   : http://git.haproxy.org/git/haproxy-1.5.git/
     Git Web browsing : http://git.haproxy.org/?p=haproxy-1.5.git
     Changelog        : http://www.haproxy.org/download/1.5/src/CHANGELOG
     Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html

Note: I'll update the web site's home page later.

Best regards,
Willy
