Hi,

HAProxy 1.8.15 was released on 2018/12/13. It added 69 new commits
after version 1.8.14.

Yes, I know 1.8 has been lagging behind a little bit during these last few
months, but all the people able to emit a release were totally booked
on finishing 1.9.

So here comes the long-expected 1.8.15 which fixes an assorted number of
issues.

The most visible bugs are:

- a failure to properly configure the connection window size in H2, which
  affects upload speed in 1.8
- the HPACK encoding of the accept-ranges header field in H2 responses,
  which was replaced by accept-language
- an alignment issue on stick tables causing some strictly aligned
  architectures to crash when using stick tables
- improper locking around crypt(), which is not thread-safe, resulting in
  auth requests randomly failing in threaded environments
- a change in the way 401/407 are handled so that the last server
  preference is only applied to non-deterministic algorithms (don't break
  hashing)
- a crash if someone configures the cache size to be larger than 2047 MB
- a risk of deadlocks when using threads with queues or health check state
  changes, depending on the compiler's optimizations
- an obscure bug in master-worker and threads related to the handling of
  SIGUSR1 followed by SIGTERM
- thread-safe Cur/CumSslConns counters (the current one could wrap in
  either direction)

In addition, Rémi Gacogne found, reported, and fixed 5 bugs in the DNS
handling code which could be used to crash haproxy by spoofing response
packets from a server. I don't consider them dramatic since nobody
should make their LB rely on public, non-protected communication
channels to configure their farms, so I think that the DNS is always
in a safe area, but still we don't know. Rémi provided the fixes, and
Karol Babioch from SuSE obtained the following CVE IDs if that helps:

- CVE-2018-20102 -> out-of-bounds read in dns_validate_dns_response in
  dns.c

- CVE-2018-20103 -> infinite recursion by making the pointer point to
  itself in DNS reply
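The two CVEs above are about exactly this kind of parsing: a compression pointer that points to itself, and reads that run past the end of the response. As an added illustration that is not HAProxy's code (the function name dns_read_name_safe and the sample message are constructed here), this is a bounds-checked name decoder that refuses self-referencing or cyclic pointers instead of following them:

```c
#include <stdint.h>
#include <string.h>

/* Decode the DNS name at offset `pos` of the `len`-byte message into `out`
 * (dotted form). Returns the offset just past the name as written in the
 * message (after its first compression pointer, if any), or -1 if malformed.
 * Every read is checked against `len`, lengths are unsigned, and a pointer
 * must point strictly backwards, so a self-pointer or cycle is refused. */
int dns_read_name_safe(const uint8_t *msg, size_t len, size_t pos,
                       char *out, size_t outlen)
{
    size_t cur = pos, end = 0, olen = 0;
    int jumped = 0, hops = 0;

    if (outlen < 2) return -1;                 /* need room for "." + NUL */
    for (;;) {
        if (cur >= len) return -1;             /* length/pointer byte past end */
        uint8_t c = msg[cur];
        if ((c & 0xC0) == 0xC0) {              /* 11xxxxxx: compression pointer */
            if (cur + 1 >= len) return -1;     /* second pointer byte past end */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[cur + 1];
            if (!jumped) { end = cur + 2; jumped = 1; }
            /* backwards only: refuses a pointer to itself or a cycle; 127 > max labels */
            if (target >= cur || ++hops > 127) return -1;
            cur = target;
            continue;
        }
        if (c & 0xC0) return -1;               /* 01/10 label types are reserved */
        if (c == 0) {                          /* root label: name complete */
            if (!jumped) end = cur + 1;
            if (olen == 0) out[olen++] = '.';
            out[olen] = '\0';
            return (int)end;
        }
        if (cur + 1 + c > len || olen + c + 2 > outlen) return -1; /* label or out OOB */
        if (olen) out[olen++] = '.';
        memcpy(out + olen, msg + cur + 1, c);
        olen += c;
        cur += 1 + c;
    }
}

/* Constructed sample, not a real capture: "www.haproxy.org" at offset 0, a
 * pointer to it at 17, a pointer to itself at 19, "ab" + pointer to 0 at 21. */
const uint8_t sample_msg[] = { 3, 'w', 'w', 'w', 7, 'h', 'a', 'p', 'r', 'o', 'x', 'y',
    3, 'o', 'r', 'g', 0, 0xC0, 0x00, 0xC0, 0x13, 2, 'a', 'b', 0xC0, 0x00 };
```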

BTW, a quick point regarding the CVEs: I know that sometimes distros
want to have them to ease their backports. Doing this is crap. 100% of
the bugs cited above are much more likely to hit someone, and hit harder,
than these ones. The only way to correctly use CVEs is as an indicator
that it's really time to emit a new version which contains 100% of the
other fixes as well.

Last but not least, Dirkjan Bussink brought the support for the new
ciphersuite option that really is mandatory to support TLSv1.3, so we
backported it to 1.8.

Finally most of Joseph Herlant's user-visible doc fixes were backported
as well.

I won't claim it's the last 1.8 of the year because someone will want
to prove me wrong. So let's say I'll just hope for it :-)

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog:
Baptiste Assmann (1):
      BUG/MINOR: ssl: ssl_sock_parse_clienthello ignores session id

Bertrand Jacquin (1):
      DOC: Fix a few typos

Christopher Faulet (3):
      BUG/MINOR: config: Copy default error messages when parsing of a backend starts
      BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name
      BUG/MINOR: cfgparse: Fix the call to post parser of the last sections parsed

Dirkjan Bussink (2):
      MEDIUM: ssl: add support for ciphersuites option for TLSv1.3
      CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause

Emeric Brun (2):
      BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
      BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM.

Frédéric Lécaille (4):
      BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB).
      BUG/MINOR: cache: Wrong usage of shctx_init().
      BUG/MINOR: ssl: Wrong usage of shctx_init().
      DOC: cache: Missing information about "total-max-size"

Ilya Shipitsin (1):
      BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2

Joseph Herlant (3):
      DOC: Fix typos in README and CONTRIBUTING
      DOC: Fix typos in different subsections of the documentation
      DOC: fix a few typos in the documentation

Jérôme Magnin (2):
      DOC: clarify that check-sni needs an argument.
      DOC: refer to check-sni in the documentation of sni

Lukas Tribus (5):
      DOC: clarify force-private-cache is an option
      DOC: fix reference to map files in MAINTAINERS
      BUG/MINOR: only mark connections private if NTLM is detected
      BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic
      DOC: restore note about "independant" typo

Moemen MHEDHBI (1):
      DOC: Update configuration doc about the maximum number of stick counters.

Olivier Houchard (10):
      MINOR: threads: Make sure threads_sync_pipe is initialized before using it.
      BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2.
      MINOR: server: Use memcpy() instead of strncpy().
      MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80.
      MINOR: peers: use defines instead of enums to appease clang.
      BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF.
      BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent.
      BUG/MEDIUM: Make sure stksess is properly aligned.
      BUG/MEDIUM: sample: Don't treat SMP_T_METH as SMP_T_STR.
      MINOR: servers: Free [idle|safe|priv]_conns on exit.

Remi Gacogne (5):
      BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name
      BUG: dns: Prevent out-of-bounds read in dns_read_name()
      BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()
      BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response()
      BUG: dns: Fix off-by-one write in dns_validate_dns_response()

Willy Tarreau (28):
      BUG/MINOR: backend: check that the mux installed properly
      BUG/MEDIUM: stream: don't crash on out-of-memory
      BUILD: ssl: fix null-deref warning in ssl_fc_cipherlist_str sample fetch
      BUILD: ssl: fix another null-deref warning in ssl_sock_switchctx_cbk()
      BUILD: stick-table: make sure not to fail on task_new() during initialization
      BUILD: peers: check allocation error during peers_init_sync()
      BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point
      BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile
      BUILD: compiler: add a new statement "__unreachable()"
      MINOR: lua: all functions calling lua_yieldk() may return
      BUILD: lua: silence some compiler warnings about potential null derefs (#2)
      BUILD: lua: silence some compiler warnings after WILL_LJMP
      BUILD: Makefile: add a "make opts" target to simply show the build options
      BUILD: Makefile: speed up compiler options detection
      BUILD: Makefile: silence an option conflict warning with clang
      BUILD: compiler: rename __unreachable() to my_unreachable()
      BUILD: Makefile: add the new ERR variable to force -Werror
      BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
      BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe
      BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn
      BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field
      BUG/MINOR: lb-map: fix unprotected update to server's score
      BUG/MINOR: hpack: fix off-by-one in header name encoding length calculation
      BUG/MINOR: mux-h2: refrain from muxing during the preface
      BUG/MINOR: mux-h2: advertise a larger connection window size
      BUILD: compression: fix build error with DEFAULT_MAXZLIBMEM
      BUILD: threads: fix minor build warnings when threads are disabled
      MINOR: stats: report the number of active jobs and listeners in "show info"

mildis (1):
      BUG/MINOR: checks: queues null-deref

---