HAProxy 1.8.25 was released on 2020/04/02. It added 37 new commits
after version 1.8.24.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

For version 1.8 it is enough to remove "npn h2" and "alpn h2" on "bind"
lines to disable HTTP/2 support and stay away from the issue. But upgrading
will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result and by a far margin will be a process crash, but it is
not possible to completely rule out the faint possibility of a remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time to haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.

Two other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with
    gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
    at random places in the code depending how the compiler decides to
    optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as
    they could be mistakenly looked up in the subsequent payload, even
    though these would have limited effects since these ones would generally
    be meaningless for the transported protocol, but could be used to hide a
    source address from logging for example.

The rest is less important, but still relevant to some users. Please have a
look at the changelog below for a more detailed list of fixes, and do not
forget to update, either from the sources or from your regular distro channels.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Christopher Faulet (8):
      BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
      BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
      BUG/MINOR: http-rules: Fix a typo in the reject action function
      BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
      BUG/MINOR: rules: Increment be_counters if backend is assigned for a 
      MINOR: http-rules: Add a flag on redirect rules to know the rule direction
      MINOR: http-rules: Handle the rule direction when a redirect is evaluated
      BUG/MINOR: http-ana: Reset request analysers on error when waiting for 

Daniel Corbett (1):
      BUG/MINOR: stats: Fix color of draining servers on stats page

Ilya Shipitsin (1):
      DOC: assorted typo fixes in the documentation

Jerome Magnin (1):
      BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits

Lukas Tribus (1):
      DOC: ssl: clarify security implications of TLS tickets

Miroslav Zagorac (1):
      DOC: internals: Fix spelling errors in filters.txt

Tim Duesterhus (3):
      BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
      BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
      DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID

William Dauchy (1):
      BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat

William Lallemand (2):
      BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
      BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL

Willy Tarreau (16):
      SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
      CONTRIB: debug: add the possibility to decode the value as certain types 
      CONTRIB: debug: support reporting multiple values at once
      CONTRIB: debug: also support reading values from stdin
      BUG/MEDIUM: shctx: make sure to keep all blocks aligned
      MINOR: compiler: move CPU capabilities definition from config.h and 
complete them
      BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access 
      BUILD: fix recent build failure on unaligned archs
      MINOR: compiler: add new alignment macros
      BUILD: ebtree: improve architecture-specific alignment
      BUG/MINOR: sample: fix the json converter's endian-sensitivity
      BUG/MAJOR: list: fix invalid element address calculation
      DOC: fix incorrect indentation of http_auth_*
      REGTEST: make the PROXY TLV validation depend on version 2.2
      BUG/MEDIUM: http: unbreak redirects in legacy mode
      BUG/CRITICAL: hpack: never index a header into the headroom after wrapping


Reply via email to