HAProxy 2.0.3 was released on 2019/07/23. It added 19 new commits after version

This release contains a security fix in the HTX analyzers, in the code
responsible of the client-side or the server-side cookies parsing. The bug
happens when a Cookie or a Set-Cookie header value starts by a delimiter (a
colon or a semicolon). In such case, HAProxy enters in an infinte
loop. Depending on the operating system, the service may become degraded,
unresponsive, or may trigger haproxy's watchdog causing a service stop or
automatic restart.

CVE-2019-14241 was assigned to this bug. It contains a configuration
workaround. It could help to quickly mitigate the bug

For those who want to quickly deploy a fix, please use the following patch for
the 2.0 :


Outside from this critical bug, some other issues were fixed here and there:

  * In the H1 multiplexer, if some pending data remains on the server-side at
    the end of the transaction, the server connection is now systematically
    closed to be sure to not use these data as the response for the next
    transaction. Most of time, the reponse is be invalid and the client receives
    a 502 error message.

  * Two medium bugs on tcp-check were fixed. The first one happens when the
    function tcpcheck_main() is called while the connection is already
    subscribed for receiving. In such situation, there isq no reason to try to
    receive more data again. The second one leads to a crash of HAProxy because
    of a NULL pointer dereference when tcpcheck_main() is called with no
    conn_stream and a known check result.

  * The option http_proxy is fixed. The bug was introduced during 1.8-rc1
    development. The temporary connection used to hold the target connection's
    address was missing a valid target, resulting in a 500 server error being
    reported when trying to connect to a remote host.

  * Several minor bugs on the HTX were fixed. It is now possible to have empty
    error files to bypass default messages without sending anything, just like
    in the legacy HTTP mode. The sample fetches http_auth() and
    http_auth_group() are fixed to use a valid HTX message when called from TCP
    rules for a TCP proxy. The lua function txn:done() is now HTX aware. And
    finally, the cache filter is now able to parse the header "Cache-Control" on
    the response to find "max-age" or "s-maxage" values.

  * When a connection is accepted, if the session accept fails, we take care to
    have an H1 connection to return a 500 error message to the client. We also
    return a default HTTP error message at this stage to be sure to not use a
    chunk owning an HTX message instead of a raw HTTP message.

So for anyone using HAproxy-2.0 or considering trying it, please use the release

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Christopher Faulet (12):
      BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP 
      BUG/MINOR: http_htx: Initialize HTX error messages for TCP proxies
      BUG/MINOR: cache/htx: Make maxage calculation HTX aware
      BUG/MINOR: hlua: Make the function txn:done() HTX aware
      DOC: htx: Update comments in HTX files
      BUG/MINOR: debug: Remove flags CO_FL_SOCK_WR_ENA/CO_FL_SOCK_RD_ENA
      BUG/MINOR: session: Emit an HTTP error if accept fails only for H1 
      BUG/MINOR: session: Send a default HTTP error if accept fails for a H1 
      BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction
      BUG/MINOR: mux-h1: Close server connection if input data remains in 
      BUG/MINOR: http_ana: Be sure to have an allocated buffer to generate an 
      BUG/MINOR: http_htx: Support empty errorfiles

Olivier Houchard (2):
      BUG/MEDIUM: checks: Don't attempt to receive data if we already 
      BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by a 

Willy Tarreau (5):
      BUG/MINOR: dns: remove irrelevant dependency on a client connection
      BUG/MEDIUM: http/htx: unbreak option http_proxy
      BUG/MINOR: backend: do not try to install a mux when the connection failed
      BUG/MINOR: checks: do not exit tcp-checks from the middle of the loop
      BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream

Christopher Faulet

Reply via email to