On 20.09.2018 at 14:31, Willy Tarreau wrote:
> Subject: [ANNOUNCE] haproxy-1.8.14
> To:
> Hi,
> HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
> after version 1.8.13.

Image on Docker Hub was updated too.


> The most important one fixes a security issue reported by Tim Düsterhus
> and which was assigned CVE-2018-14645. There is an integer signedness
> issue in the HPACK decoder used in HTTP/2 which theoretically makes it
> possible to remotely crash an haproxy instance where HTTP/2 is in use.
> I want to thank Tim for his responsible reporting and Ryan O'Hara for
> quickly providing us with a CVE ID.
> The only workaround for those who for various reasons can't immediately
> update, is to disable HTTP/2. But distros will provide an updated package
> soon. If some distro maintainers need a way to test if their version is
> properly fixed, please contact me privately, I'll explain how to proceed.
> Two other major issues are fixed in this version, one of them related to
> how SSL is initialized in Lua, apparently it didn't properly consider
> the presence of threads, leading to random behaviours. The second only
> affects kqueue, I don't have the details in memory, I suspect it was
> causing some delays in connection processing there.
> The rest is the regular list of problematic but not critical issues that
> need to be fixed but for which there is no emergency. 
> Please find the usual URLs below :
>    Site index       :
>    Discourse        :
>    Sources          :
>    Git repository   :
>    Git Web browsing :
>    Changelog        :
>    Cyril's HTML doc :
> Willy
> ---
> Complete changelog :
> Baptiste Assmann (4):
>       MINOR: dns: fix wrong score computation in dns_get_ip_from_response
>       MINOR: dns: new DNS options to allow/prevent IP address duplication
>       BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file
>       BUG/MINOR: dns: check and link servers' resolvers right after config parsing
> Bertrand Jacquin (2):
>       DOC: ssl: Use consistent naming for TLS protocols
>       DOC: Fix typos in lua documentation
> Cyril Bonté (1):
>       BUG/MEDIUM: lua: socket timeouts are not applied
> Dragan Dosen (1):
>       BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list
> Emeric Brun (4):
>       BUG/MINOR: ssl: empty connections reported as errors.
>       BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
>       BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
>       BUG/MINOR: map: fix map_regm with backref
> Emmanuel Hocdet (1):
>       BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1
> Frédéric Lécaille (3):
>       BUG/MINOR: lua: Bad HTTP client request duration.
>       BUG/MAJOR: thread: lua: Wrong SSL context initialization.
>       BUG/MINOR: server: Crash when setting FQDN via CLI.
> Jens Bissinger (1):
>       DOC: Fix spelling error in configuration doc
> Lukas Tribus (1):
>       DOC: dns: explain set server ... fqdn requires resolver
> Olivier Houchard (4):
>       MINOR: threads: Introduce double-width CAS on x86_64 and arm.
>       BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
>       BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
>       BUG/MAJOR: kqueue: Don't reset the changes number by accident.
> Patrick Hemmer (1):
>       BUG/MEDIUM: lua: reset lua transaction between http requests
> Thierry FOURNIER (1):
>       BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers
> Willy Tarreau (20):
>       BUG/MEDIUM: servers: check the queues once enabling a server
>       BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
>       BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
>       MINOR: threads: add more consistency between certain variables in no-thread case
>       BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
>       MEDIUM: hathreads: implement a more flexible rendez-vous point
>       BUG/MEDIUM: cli: make "show fd" thread-safe
>       BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
>       BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
>       BUG/MEDIUM: unix: provide a ->drain() function
>       BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
>       MINOR: thread: implement HA_ATOMIC_XADD()
>       BUG/MINOR: stream: use atomic increments for the request counter
>       BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
>       BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
>       BUG/MINOR: http/threads: atomically increment the error snapshot ID
>       BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
>       BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
>       BUG/MINOR: cli: make sure the "getsock" command is only called on connections
>       BUG/CRITICAL: hpack: fix improper sign check on the header index value
> ---

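The announcement names disabling HTTP/2 as the only workaround until the fixed package lands. The helper below is an added example, not part of the announcement or of HAProxy itself: it lists the bind lines of a configuration that still negotiate HTTP/2 (via `alpn`/`npn` containing `h2`, or `proto h2`), so an operator knows exactly which lines to change. The sample configuration it scans is constructed for the demonstration.

```shell
# Added example (not from the announcement): find bind lines that enable
# HTTP/2 so the "disable HTTP/2" workaround can be applied where needed.
# Assumes HAProxy 1.8 syntax: HTTP/2 is negotiated through "alpn h2,..."
# (or "npn") on a bind line, or forced with "proto h2".
find_h2_binds() {
    # $1: path to an haproxy.cfg; prints "<line>:<content>" per match.
    # h2 must be a whole comma-separated token of the alpn/npn list.
    grep -n -E \
      '^[[:space:]]*bind[[:space:]].*((alpn|npn)[[:space:]]+([^[:space:]]*,)?h2(,|[[:space:]]|$)|proto[[:space:]]+h2([[:space:]]|$))' \
      "$1"
}

count_h2_binds() {
    # Number of bind lines that still negotiate or force HTTP/2
    find_h2_binds "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration for demonstration only.
# Only :443 and :8080 enable HTTP/2; :8443 is already HTTP/1.1-only.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    default_backend be_app
frontend fe_h2c
    bind :8080 proto h2
EOF

find_h2_binds "$SAMPLE_CFG"
```

Removing `h2` from the listed `alpn` values (or dropping `proto h2`) applies the workaround; re-run the scan to confirm nothing is left.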