Subject: [ANNOUNCE] haproxy-1.8.14


HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
after version 1.8.13.

The most important one fixes a security issue reported by Tim Düsterhus
and which was assigned CVE-2018-14645. There is an integer signedness
issue in the HPACK decoder used in HTTP/2 which theorically makes it
possible to remotely crash an haproxy instance where HTTP/2 is in use.
I want to thank Tim for his responsible reporting and Ryan O'Hara for
quickly providing us with a CVE ID.

The only workaround for those who for various reasons can't immediately
update, is to disable HTTP/2. But distros will provide an updated package
soon. If some distro maintainers need a way to test if their version is
properly fixed, please contact me privately, I'll explain how to proceed.

Two other major issues are fixed in this version, one of them related to
how SSL is initialized in Lua, apparently it didn't properly consider
the presence of threads, leading to random behaviours. The second only
affects kqueue, I don't have the details in memory, I suspect it was
causing some delays in connection processing there.

The rest is the regular list of problematic but not critical issues that
need to be fixed but for which there is no emergency. 

Please find the usual URLs below :
   Site index       :
   Discourse        :
   Sources          :
   Git repository   :
   Git Web browsing :
   Changelog        :
   Cyril's HTML doc :

Complete changelog :
Baptiste Assmann (4):
      MINOR: dns: fix wrong score computation in dns_get_ip_from_response
      MINOR: dns: new DNS options to allow/prevent IP address duplication
      BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and 
server state file
      BUG/MINOR: dns: check and link servers' resolvers right after config 

Bertrand Jacquin (2):
      DOC: ssl: Use consistent naming for TLS protocols
      DOC: Fix typos in lua documentation

Cyril Bonté (1):
      BUG/MEDIUM: lua: socket timeouts are not applied

Dragan Dosen (1):
      BUG/MEDIUM: patterns: fix possible double free when reloading a pattern 

Emeric Brun (4):
      BUG/MINOR: ssl: empty connections reported as errors.
      BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
      BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable 
      BUG/MINOR: map: fix map_regm with backref

Emmanuel Hocdet (1):
      BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1

Frédéric Lécaille (3):
      BUG/MINOR: lua: Bad HTTP client request duration.
      BUG/MAJOR: thread: lua: Wrong SSL context initialization.
      BUG/MINOR: server: Crash when setting FQDN via CLI.

Jens Bissinger (1):
      DOC: Fix spelling error in configuration doc

Lukas Tribus (1):
      DOC: dns: explain set server ... fqdn requires resolver

Olivier Houchard (4):
      MINOR: threads: Introduce double-width CAS on x86_64 and arm.
      BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
      BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
      BUG/MAJOR: kqueue: Don't reset the changes number by accident.

Patrick Hemmer (1):
      BUG/MEDIUM: lua: reset lua transaction between http requests

Thierry FOURNIER (1):
      BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers

Willy Tarreau (20):
      BUG/MEDIUM: servers: check the queues once enabling a server
      BUG/MEDIUM: queue: prevent a backup server from draining the proxy's 
      BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
      MINOR: threads: add more consistency between certain variables in 
no-thread case
      BUG/MEDIUM: threads: fix the no-thread case after the change to the sync 
      MEDIUM: hathreads: implement a more flexible rendez-vous point
      BUG/MEDIUM: cli: make "show fd" thread-safe
      BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent 
      BUG/MEDIUM: cli/threads: protect some server commands against concurrent 
      BUG/MEDIUM: unix: provide a ->drain() function
      BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
      MINOR: thread: implement HA_ATOMIC_XADD()
      BUG/MINOR: stream: use atomic increments for the request counter
      BUG/MEDIUM: session: fix reporting of handshake processing time in the 
      BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
      BUG/MINOR: http/threads: atomically increment the error snapshot ID
      BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
      BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
      BUG/MINOR: cli: make sure the "getsock" command is only called on 
      BUG/CRITICAL: hpack: fix improper sign check on the header index value


Reply via email to