Hi,

HAProxy 2.0.3 was released on 2019/07/23. It added 19 new commits after version
2.0.2.

This release contains a security fix in the HTX analyzers, in the code
responsible for parsing client-side and server-side cookies. The bug
happens when a Cookie or a Set-Cookie header value starts with a delimiter (a
colon or a semicolon). In such a case, HAProxy enters an infinite
loop. Depending on the operating system, the service may become degraded or
unresponsive, or may trigger haproxy's watchdog, causing a service stop or an
automatic restart.

CVE-2019-14241 was assigned to this bug. Its entry contains a configuration
workaround, which could help to quickly mitigate the bug.

For those who want to quickly deploy a fix, please use the following patch for
the 2.0 branch:

   http://git.haproxy.org/?p=haproxy-2.0.git;a=commitdiff;h=fc7f52eb0
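The failure mode described above is a parsing loop that stops making progress when a header value begins with a delimiter. The following is an added example written for this page, not HAProxy's own cookie parser and not a reproduction of the fixed code; it shows the defensive property a cookie splitter needs, namely that every iteration consumes at least one byte, so leading, trailing or repeated delimiters (including a value such as "; a=1") are skipped instead of looping. The function and type names (split_cookie_pairs, struct kv) and the MAX_PAIRS limit are assumptions of this example.

```c
/* Added example (not HAProxy code): a tolerant Cookie/Set-Cookie value
 * splitter that always advances, even when the value starts with a
 * delimiter or contains runs of delimiters. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PAIRS 16  /* assumed upper bound for this example */

struct kv {
    const char *name;   /* points into the header buffer, not NUL-terminated */
    size_t name_len;
    const char *value;
    size_t value_len;
};

/* Pair delimiters accepted in a cookie header value. */
static int is_delim(char c)
{
    return c == ';' || c == ',';
}

/* Split hdr (len bytes) into name=value pairs. Empty segments produced by
 * leading, trailing or repeated delimiters are skipped rather than parsed.
 * Returns the number of pairs stored in out (at most max). */
int split_cookie_pairs(const char *hdr, size_t len, struct kv *out, int max)
{
    size_t pos = 0;
    int n = 0;

    while (pos < len && n < max) {
        size_t start, end, eq;

        /* Consume any run of delimiters and whitespace first. A value that
         * starts with ";" is handled here, so pos always moves forward. */
        while (pos < len && (is_delim(hdr[pos]) || isspace((unsigned char)hdr[pos])))
            pos++;
        if (pos >= len)
            break;

        /* hdr[pos] is now a non-delimiter, so this segment is non-empty. */
        start = pos;
        while (pos < len && !is_delim(hdr[pos]))
            pos++;
        end = pos;

        /* Trim trailing whitespace of the segment. */
        while (end > start && isspace((unsigned char)hdr[end - 1]))
            end--;

        /* Locate '=' inside [start, end); a bare token gets an empty value. */
        eq = start;
        while (eq < end && hdr[eq] != '=')
            eq++;

        out[n].name = hdr + start;
        out[n].name_len = eq - start;
        if (eq < end) {
            out[n].value = hdr + eq + 1;
            out[n].value_len = end - eq - 1;
        } else {
            out[n].value = hdr + end;
            out[n].value_len = 0;
        }
        n++;
    }
    return n;
}

/* Helpers used to check results on a NUL-terminated sample value. */
static int pair_eq(const struct kv *p, const char *name, const char *value)
{
    return strlen(name) == p->name_len && memcmp(p->name, name, p->name_len) == 0 &&
           strlen(value) == p->value_len && memcmp(p->value, value, p->value_len) == 0;
}

int count_pairs(const char *s)
{
    struct kv kv[MAX_PAIRS];
    return split_cookie_pairs(s, strlen(s), kv, MAX_PAIRS);
}

int check_pair(const char *s, int idx, const char *name, const char *value)
{
    struct kv kv[MAX_PAIRS];
    int n = split_cookie_pairs(s, strlen(s), kv, MAX_PAIRS);
    return idx < n && pair_eq(&kv[idx], name, value);
}

int main(void)
{
    /* Constructed sample values: one starting with a delimiter, one made only
     * of delimiters. Both terminate and yield sensible counts. */
    printf("\"; a=1; b=2\" -> %d pairs\n", count_pairs("; a=1; b=2"));
    printf("\";;;\" -> %d pairs\n", count_pairs(";;;"));
    return 0;
}
```

The important line is the inner skip loop at the top of each iteration: because it runs before the segment scan, a delimiter at position 0 is consumed instead of producing an empty segment that the scan would never move past.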

Apart from this critical bug, some other issues were fixed here and there:

  * In the H1 multiplexer, if some pending data remains on the server-side at
    the end of the transaction, the server connection is now systematically
    closed to be sure not to use these data as the response for the next
    transaction. Most of the time, the response is invalid and the client
    receives a 502 error message.

  * Two medium bugs on tcp-check were fixed. The first one happens when the
    function tcpcheck_main() is called while the connection is already
    subscribed for receiving. In such a situation, there is no reason to try to
    receive more data again. The second one leads to a crash of HAProxy because
    of a NULL pointer dereference when tcpcheck_main() is called with no
    conn_stream and a known check result.

  * The option http_proxy is fixed. The bug was introduced during 1.8-rc1
    development. The temporary connection used to hold the target connection's
    address was missing a valid target, resulting in a 500 server error being
    reported when trying to connect to a remote host.

  * Several minor bugs on the HTX were fixed. It is now possible to have empty
    error files to bypass default messages without sending anything, just like
    in the legacy HTTP mode. The sample fetches http_auth() and
    http_auth_group() are fixed to use a valid HTX message when called from TCP
    rules for a TCP proxy. The lua function txn:done() is now HTX aware. And
    finally, the cache filter is now able to parse the header "Cache-Control" on
    the response to find "max-age" or "s-maxage" values.
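For the last item above, the following is an added example (written for this page, not HAProxy's cache filter) of parsing a response Cache-Control header to obtain the freshness lifetime a shared cache should use: s-maxage takes precedence over max-age, directive names are matched case-insensitively, and quoted or malformed values are handled. The function name cache_control_maxage and the choice to return -1 when no usable directive is present are assumptions of this example.

```c
/* Added example (not HAProxy code): extract max-age / s-maxage from a
 * response Cache-Control value. Returns s-maxage if present, otherwise
 * max-age, otherwise -1. Malformed or negative values are ignored. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

long cache_control_maxage(const char *val)
{
    long max_age = -1, s_maxage = -1;
    const char *p = val;

    while (*p) {
        const char *start, *end, *eq;
        size_t nlen;

        /* Skip commas and whitespace between directives. */
        while (*p == ',' || isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;

        /* One directive runs up to the next comma; trim trailing spaces. */
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        while (end > start && isspace((unsigned char)end[-1]))
            end--;

        /* Directives without '=' (no-store, public, ...) carry no lifetime. */
        eq = memchr(start, '=', (size_t)(end - start));
        if (!eq)
            continue;
        nlen = (size_t)(eq - start);

        {
            const char *v = eq + 1;
            char *tail;
            long n;

            /* Strip optional surrounding quotes: max-age="60" is valid. */
            if (v < end && *v == '"') {
                v++;
                if (end > v && end[-1] == '"')
                    end--;
            }
            if (v >= end)
                continue;          /* empty value */

            n = strtol(v, &tail, 10);
            if (tail != end || n < 0)
                continue;          /* non-numeric, trailing junk or negative */

            if (nlen == 8 && strncasecmp(start, "s-maxage", 8) == 0)
                s_maxage = n;
            else if (nlen == 7 && strncasecmp(start, "max-age", 7) == 0)
                max_age = n;
        }
    }
    return s_maxage >= 0 ? s_maxage : max_age;
}

int main(void)
{
    /* Constructed sample header values. */
    printf("%ld\n", cache_control_maxage("public, max-age=600, s-maxage=30"));
    printf("%ld\n", cache_control_maxage("no-store"));
    return 0;
}
```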

  * When a connection is accepted, if the session accept fails, we take care to
    have an H1 connection to return a 500 error message to the client. We also
    return a default HTTP error message at this stage to be sure to not use a
    chunk owning an HTX message instead of a raw HTTP message.

So for anyone using HAProxy 2.0 or considering trying it, please use release
2.0.3.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/


---
Complete changelog :
Christopher Faulet (12):
      BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP rules
      BUG/MINOR: http_htx: Initialize HTX error messages for TCP proxies
      BUG/MINOR: cache/htx: Make maxage calculation HTX aware
      BUG/MINOR: hlua: Make the function txn:done() HTX aware
      DOC: htx: Update comments in HTX files
      BUG/MINOR: debug: Remove flags CO_FL_SOCK_WR_ENA/CO_FL_SOCK_RD_ENA
      BUG/MINOR: session: Emit an HTTP error if accept fails only for H1 connection
      BUG/MINOR: session: Send a default HTTP error if accept fails for a H1 socket
      BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction
      BUG/MINOR: mux-h1: Close server connection if input data remains in h1_detach()
      BUG/MINOR: http_ana: Be sure to have an allocated buffer to generate an error
      BUG/MINOR: http_htx: Support empty errorfiles

Olivier Houchard (2):
      BUG/MEDIUM: checks: Don't attempt to receive data if we already subscribed.
      BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by a delimiter

Willy Tarreau (5):
      BUG/MINOR: dns: remove irrelevant dependency on a client connection
      BUG/MEDIUM: http/htx: unbreak option http_proxy
      BUG/MINOR: backend: do not try to install a mux when the connection failed
      BUG/MINOR: checks: do not exit tcp-checks from the middle of the loop
      BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream

-- 
Christopher Faulet
