HAProxy 2.0.10 was released on 2019/11/25. It added 37 new commits
after version 2.0.9.

This version addresses two potential security issues in the H2 decoder.

The first one, found by Tim Düsterhus, lets an attacker pass control
characters into header fields, leading to a possibility of content
smuggling attacks on HTTP/1 backends, which is mainly a concern if
http-reuse is in use.

The second, found by Christopher Faulet, is a direct consequence of a
flaw in the H2 spec making no special case of HEADER frames received
on an IDLE stream on the response path. As such, such a frame passes
all validity checks but no stream is allocated since it's a response,
and the decoding of the headers on a read-only dummy stream results
in a crash of the process.

New versions of 1.9 and 1.8 will be issued to fix these flaws as well
(1.8 is only affected by the first one).

A few other issues were addressed, such as certain cases of server errors
being reported while the client closed first, and some peers
desynchronization issues.

At the HAProxyConf, a few people asked for the "h1-case-adjust" feature
to be backported to help them fix bogus applications and smoothly
transition to HTX. Indeed, since HTX, header field names are lower cased
(as is the case in HTTP/2) and it was reported that a few decades-old
application still living in field incorrectly expect various CaMeLCaSe.
As 2.1 dropped support for legacy mode it's not convenient for users
to quickly switch between one mode and the other when trying to work
around problems. With this patch backported into 2.0, it now becomes
easier to address one application at a time using h1-case-adjust and
h1-case-adjust-file and only switch once all applications work in HTX.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Christopher Faulet (19):
      BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is 
      BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON 
      BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
      BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
      MINOR: freq_ctr: Make the sliding window sums thread-safe
      MINOR: stream: Remove the lock on the proxy to update time stats
      MINOR: counters: Add fields to store the max observed for {q,c,d,t}_time
      MINOR: contrib/prometheus-exporter: Report metrics about max times for 
      BUG/MINOR: contrib/prometheus-exporter: Rename some metrics
      MINOR: contrib/prometheus-exporter: report the number of idle conns per 
      MINOR: contrib/prometheus-exporter: filter exported metrics by scope
      MINOR: contrib/prometheus-exporter: Add a param to ignore servers in 
      BUG/MINOR: stream-int: Fix si_cs_recv() return value
      MINOR: stats: Report max times in addition of the averages for sessions
      MEDIUM: mux-h1: Add the support of headers adjustment for bogus HTTP/1 
      BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser()
      BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a 
      DOC: Add missing stats fields in the management manual
      DOC: Add documentation about the use-service action

Emmanuel Hocdet (1):
      BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1

Eric Salama (1):
      BUILD/MINOR: ssl: fix compiler warning about useless statement

Frédéric Lécaille (5):
      MINOR: peers: Alway show the table info for disconnected peers.
      MINOR: peers: Add TX/RX heartbeat counters.
      MINOR: peers: Add debugging information to "show peers".
      BUG/MINOR: peers: Wrong null "server_name" data field handling.
      BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.

Jerome Magnin (1):
      REGTEST: vtest can now enable mcli with its own flag

Lukas Tribus (1):
      BUG/MINOR: ssl: fix curve setup with LibreSSL

William Dauchy (1):
      BUG/MINOR: init: fix set-dumpable when using uid/gid

William Lallemand (2):
      BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec
      BUG/MINOR: cli: fix out of bounds in -S parser

Willy Tarreau (6):
      MINOR: ist: add ist_find_ctl()
      BUG/MAJOR: h2: reject header values containing invalid chars
      BUG/MAJOR: h2: make header field name filtering stronger
      BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle 
      SCRIPTS: create-release: show the correct origin name in suggested 
      SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands


Reply via email to