Hi,

HAProxy 2.4.3 was released on 2021/08/17. It added 46 new commits
after version 2.4.2.

This version contains the fixes for the H2 vulnerabilities reported by
Tim that were described in the previous message, and which affect Host name
consistency with H2 backend servers when Host and :authority differ or
when garbage is placed in the ":scheme" or ":path" headers, and the one
which allows abusing the H2 ":method" pseudo-header to forge some
malformed HTTP/1 messages that some vulnerable servers might possibly
accept to parse (though we're not aware of any among the usual
mainstream ones).

All users of 2.4 who skipped previous updates *MUST* program an update
to this one. In the meantime, the previous message about the issue
suggests several possible workarounds.

Aside from these, the following issues were addressed in this version:

  - a config containing only a log forwarder would refuse to start, claiming
    there was no listener.

  - in rare situations, under extreme thread contention and connection
    sharing between threads, it was possible to dereference a connection
    while it was in the process of being freed, causing the process'
    death. I doubt anyone ever faced it considering that I had to shorten
    the server timeouts to one millisecond to trigger it, but knowing this
    one was knocked out makes me feel more comfortable.

  - there was yet another case where a partial H2 frame could leave an H2
    connection in a stuck state. This time it's okay (famous last words).

  - checking a config with -W could cause an attempt to re-execute the
    process and crash. It does not bring anything to use -W during a
    config check but it usually remains from hard-coded command line
    arguments in scripts. And actually that was also missing from the
    systemd unit file and was added there.

  - when using the evports or poll pollers (i.e. on systems that are neither
    Linux nor BSD), inter-thread wakeups wouldn't work, causing some
    inter-thread activity to be slow (e.g. multi-queue accept(), server queues).

  - SPOE was fixed regarding the connection close strategy in multi-threading
    so that there are always available connections for each active thread.

  - since muxes started to emit their own customizable "invalid request" logs
    in 2.2, using some sample fetch functions in log-format could crash the
    process on invalid requests because they were never designed to be used
    outside of a valid stream (essentially "ssl_s_*").

  - muxes were not respecting "dontlognull" when dealing with H2 prefaces
    followed by a close, but this happens often with ALPN when clients
    tentatively set up multiple connections for the case where H2 will not
    be available. This was fixed.

  - port-less servers would not accept tcp-check connect rules and would
    report a bogus error message that doesn't correspond to the configuration.

  - a run-time check on integer wrapping was added upon startup to make
    sure haproxy is not accidentally built with incorrect CFLAGS which
    cause incorrect/insecure code to be emitted. If the error happens on
    startup, haproxy will indicate what to do (i.e. rebuild without
    dropping critical options from CFLAGS). There is no soft-fail possible
    here as this can only be a runtime check and once the executable code
    is damaged there's nothing you can do to make it run reliably again.
    Nobody will face this unless they were using a bogus binary without
    knowing it.

  - the default-server SSL configuration was ignored by the servers (e.g.
    client certificate to present to a server).

  - the last_change field of a server was not properly updated when the
    server got out of maintenance, resulting in wrong values in the stats,
    and accelerated slowstarts.

  - the enable/disable health/agent CLI commands that were mistakenly
    marked as deprecated while cleaning up the CLI help have been fixed
    as they are not deprecated.

  - a new global config option "h2-workaround-bogus-websocket-clients"
    was added to temporarily disable RFC8441 support for websocket over
    H2 in case anyone faces a bogus client or suspects so.

  - plus a handful of very minor ones

And that's about all. A few lower importance fixes were left pending for
a future version to make sure the upgrade to this one is totally safe.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (6):
      BUILD: http_htx: fix ci compilation error with isdigit for Windows
      MINOR: mux_h2: define config to disable h2 websocket support
      BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request
      BUG/MINOR: server: remove srv from px list on CLI 'add server' error
      MINOR: server: unmark deprecated on enable health/agent cli
      REGTESTS: add a test to prevent h2 desync attacks

Christopher Faulet (12):
      BUG/MINOR: stats: Add missing agent stats on servers
      BUG/MINOR: resolvers: Use a null-terminated string to lookup in servers tree
      BUG/MINOR: mux-h1: Obey dontlognull option for empty requests
      BUG/MINOR: mux-h2: Obey dontlognull option during the preface
      BUG/MINOR: mux-h1: Be sure to swap H1C to splice mode when rcv_pipe() is called
      BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
      MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
      BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
      BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer
      DOC: Improve the lua documentation
      DOC: config: Fix 'http-response send-spoe-group' documentation
      BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued

David CARLIER (1):
      BUILD/MINOR: memprof fix macOs build.

Emeric Brun (1):
      BUG/MEDIUM: cfgcheck: verify existing log-forward listeners during config check

Ilya Shipitsin (1):
      CLEANUP: assorted typo fixes in the code and comments

Jonathon Lacher (1):
      DOC/MINOR: fix typo in management document

Miroslav Zagorac (1):
      BUILD: opentracing: fixed build when using pkg-config utility

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Default-server configuration ignored by server
      BUG/MINOR: connection: Add missing error labels to conn_err_code_str

William Lallemand (2):
      BUG/MINOR: systemd: must check the configuration using -Ws
      BUG/MINOR: buffer: fix buffer_dump() formatting

Willy Tarreau (19):
      BUILD: add detection of missing important CFLAGS
      BUILD: lua: silence a build warning with TCC
      BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
      BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
      BUG/MINOR: check: fix the condition to validate a port-less server
      BUG/MEDIUM: connection: close a rare race between idle conn close and takeover
      BUG/MEDIUM: pollers: clear the sleeping bit after waking up, not before
      BUG/MINOR: select: fix excess number of dead/skip reported
      BUG/MINOR: poll: fix abnormally high skip_fd counter
      BUG/MINOR: pollers: always program an update for migrated FDs
      BUG/MINOR: fd: protect fd state harder against a concurrent takeover
      DOC: internals: document the FD takeover process
      BUG/MINOR: server: update last_change on maint->ready transitions too
      ADMIN: dyncookie: implement a simple dynamic cookie calculator
      MINOR: http: add a new function http_validate_scheme() to validate a scheme
      BUG/MAJOR: h2: verify early that non-http/https schemes match the valid syntax
      BUG/MAJOR: h2: verify that :path starts with a '/' before concatenating it
      BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
      BUG/MEDIUM: h2: give :authority precedence over Host
