Hi,

HAProxy 1.8.8 was released on 2018/04/19. It added 8 new commits
after version 1.8.7.

The most important one fixes a vulnerability in the HTTP/2 frame parser
which can be used to remotely crash the process. Code execution is
extremely unlikely to happen given that buffer allocation from memory
pools is not quite predictable and that the surrounding memory areas
are also unpredictable in a production environment. But since it is
very easy to crash the process, H2 users must absolutely upgrade.

A CVE id was requested; unfortunately it was not delivered before this
announcement, but I preferred to keep everyone safe by releasing as soon as
possible. I want to address special thanks to Jordan Zebor from F5
Networks for reporting this issue responsibly.

The other relevant commits fix a min/max bug involving gcc < 4.7 with
threads which affects frequency counters, a risk of crash when a mux
fails to initialize and is destroyed, and a risk of event losses with
kqueue.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Aurélien Nephtali (2):
      BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE
      MINOR: cli: Ensure the CLI always outputs an error when it should

Christopher Faulet (2):
      BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes
      BUG/MINOR: http: Return an error in proxy mode when url2sa fails

Olivier Houchard (2):
      BUG/MEDIUM: connection: Make sure we have a mux before calling detach().
      BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors.

Willy Tarreau (2):
      DOC: lua: update the links to the config and Lua API
      BUG/CRITICAL: h2: fix incorrect frame length check

---
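The announcement above only says that the critical fix concerns an incorrect frame length check in the HTTP/2 frame parser. The following is an added example, not HAProxy's code and not a reconstruction of the bug that was fixed: it shows the checks an HTTP/2 frame parser must apply to the peer-supplied 24-bit length field before using it (RFC 7540 sections 4.1, 4.2 and 6.5.2), which is the class of check the changelog entry refers to. The function and constant names, and the sample frames, are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* HTTP/2 frame header (RFC 7540 section 4.1): 24-bit length, 8-bit type,
 * 8-bit flags, 1 reserved bit + 31-bit stream id. Nine bytes in total. */
#define H2_FRAME_HDR_LEN       9
#define H2_DEFAULT_MAX_FRAME   16384u      /* initial SETTINGS_MAX_FRAME_SIZE, 2^14 */
#define H2_MAX_MAX_FRAME       16777215u   /* largest value a peer may advertise, 2^24-1 */

struct h2_frame_hdr {
    uint32_t len;    /* payload length as declared by the peer: attacker controlled */
    uint8_t  type;
    uint8_t  flags;
    uint32_t sid;    /* stream id with the reserved bit masked off */
};

enum h2_parse_rc {
    H2_OK = 0,             /* header and the whole payload are in the buffer */
    H2_NEED_MORE = 1,      /* incomplete: keep the bytes and wait for more input */
    H2_ERR_FRAME_SIZE = 2  /* declared length above the negotiated max: FRAME_SIZE_ERROR */
};

/* RFC 7540 section 6.5.2: SETTINGS_MAX_FRAME_SIZE outside [2^14, 2^24-1] is a protocol error. */
int h2_valid_max_frame_size(uint32_t v)
{
    return v >= H2_DEFAULT_MAX_FRAME && v <= H2_MAX_MAX_FRAME;
}

/* Parse one frame from buf[0..avail). The declared length is validated against
 * max_frame_size and against the bytes actually present BEFORE it is used to
 * size or index anything, so a hostile length can never drive a read past the
 * end of the buffer. hdr and consumed may be NULL. */
enum h2_parse_rc h2_parse_frame(const uint8_t *buf, size_t avail, uint32_t max_frame_size,
                                struct h2_frame_hdr *hdr, size_t *consumed)
{
    if (avail < H2_FRAME_HDR_LEN)
        return H2_NEED_MORE;              /* cannot even read the length field yet */

    uint32_t len = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | (uint32_t)buf[2];

    if (len > max_frame_size)
        return H2_ERR_FRAME_SIZE;         /* reject before any arithmetic on len */

    /* avail >= 9 here, so the subtraction cannot wrap around. */
    if (avail - H2_FRAME_HDR_LEN < (size_t)len)
        return H2_NEED_MORE;              /* header is fine, payload not fully received */

    if (hdr) {
        hdr->len   = len;
        hdr->type  = buf[3];
        hdr->flags = buf[4];
        hdr->sid   = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                      ((uint32_t)buf[7] << 8)  |  (uint32_t)buf[8]) & 0x7fffffffu;
    }
    if (consumed)
        *consumed = H2_FRAME_HDR_LEN + len;
    return H2_OK;
}

/* Demo helper: stream id of a complete frame, or -1 if it does not parse. */
long h2_stream_id_of(const uint8_t *buf, size_t avail, uint32_t max_frame_size)
{
    struct h2_frame_hdr h;
    if (h2_parse_frame(buf, avail, max_frame_size, &h, NULL) != H2_OK)
        return -1;
    return (long)h.sid;
}

/* Constructed sample input, not captured traffic: a SETTINGS frame carrying one
 * parameter, SETTINGS_MAX_CONCURRENT_STREAMS (0x0003) = 100. */
const uint8_t H2_SAMPLE_SETTINGS[15] = {
    0x00, 0x00, 0x06,                     /* length 6 */
    0x04, 0x00,                           /* type SETTINGS, no flags */
    0x00, 0x00, 0x00, 0x00,               /* stream 0 */
    0x00, 0x03, 0x00, 0x00, 0x00, 0x64    /* id 3, value 100 */
};

/* Constructed SETTINGS ACK with the reserved bit of the stream id set (must be ignored). */
const uint8_t H2_SAMPLE_SETTINGS_ACK[9] = { 0x00, 0x00, 0x00, 0x04, 0x01, 0x80, 0x00, 0x00, 0x00 };

/* Constructed hostile header: declares a 16 MiB payload on a 9-byte buffer. */
const uint8_t H2_SAMPLE_HOSTILE[9] = { 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    size_t used = 0;
    struct h2_frame_hdr h;
    enum h2_parse_rc rc = h2_parse_frame(H2_SAMPLE_SETTINGS, sizeof H2_SAMPLE_SETTINGS,
                                         H2_DEFAULT_MAX_FRAME, &h, &used);
    printf("settings: rc=%d type=%u len=%u consumed=%zu\n", rc, (unsigned)h.type, h.len, used);
    rc = h2_parse_frame(H2_SAMPLE_HOSTILE, sizeof H2_SAMPLE_HOSTILE, H2_DEFAULT_MAX_FRAME, NULL, NULL);
    printf("hostile: rc=%d (2 = FRAME_SIZE_ERROR, connection error)\n", rc);
    return 0;
}
```

Build with `cc -std=c99 -Wall h2_frame.c -o h2_frame`. The order of the two checks matters: the comparison against the negotiated maximum comes first so that a length of 0xffffff is rejected as a connection error, and the comparison against `avail` comes second so that a legitimate but not yet complete frame simply waits for more data instead of being read beyond the buffer.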