On Thu, Nov 28, 2019 at 11:19:10AM +0100, Tim Düsterhus wrote:
> The commit message says:
>
> > This fix is only for 2.0 and older versions as legacy mode was
> > removed from 2.1. It should be backported to all maintained versions.
>
> Which is not 2.0 only, but 2.0 and older. Specifically the bugfix was
> backported as far as 1.6 already:
> http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=76dd4aef279030761f0c466b6d6af5a0852c86aa
>
> The bugfix is present in all the most recent "third digit versions" for
> 1.6, 1.7, 1.8, 1.9, 2.0, and 2.1.
>
> Not sure whether 1.5 will also receive another update for this, seeing
> that support for that version will end soon.

I've thought about it when doing all the backports, but it's not worth
it, 1.5 doesn't have http-reuse, which is necessary to exploit this
weakness.

Cheers,
Willy

