Hi, HAProxy 1.8.8 was released on 2018/04/19. It added 8 new commits after version 1.8.7.
The most important one fixes a vulnerability in the HTTP/2 frame parser which can be used to remotely crash the process. Code execution is extremely unlikely to happen given that buffer allocation from memory pools is not quite predictable and that the surrounding memory areas are also unpredictable in a production environment. But since it is very easy to crash the process, H2 users must absolutely upgrade. A CVE id was requested, unfortunately it was not delivered before this announce but I preferred to keep everyone safe by releasing as soon as possible. I want to address special thanks to Jordan Zebor from F5 Networks for reporting this issue responsibly. The other relevant commits fix a min/max bug involving gcc < 4.7 with threads which affect frequency counters, a risk of crash when a mux failed to initialize and is destroyed, and a risk of event losses with kqueue. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse : http://discourse.haproxy.org/ Sources : http://www.haproxy.org/download/1.8/src/ Git repository : http://git.haproxy.org/git/haproxy-1.8.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git Changelog : http://www.haproxy.org/download/1.8/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog : Aurélien Nephtali (2): BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE MINOR: cli: Ensure the CLI always outputs an error when it should Christopher Faulet (2): BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes BUG/MINOR: http: Return an error in proxy mode when url2sa fails Olivier Houchard (2): BUG/MEDIUM: connection: Make sure we have a mux before calling detach(). BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors. Willy Tarreau (2): DOC: lua: update the links to the config and Lua API BUG/CRITICAL: h2: fix incorrect frame length check ---