Hi Ryan.
On 2023-10-16 (Mo.) 17:49, Ryan O'Hara wrote:
> Hi all.
>
> I read the most recent HAProxy Newsletter, specifically the article
> "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick
> Ramirez [1]. This article states that HAProxy versions 1.9 and later
> are *not* affected, which is great. This implies that haproxy-1.8 *is*
> affected, but it also doesn't come right out and say that. I understand
> haproxy-1.8 is EOL, but do we know for certain that haproxy-1.8 is
> affected or not? Asking for a reason.

Well HTX, which was the transition to HTTP/2, was implemented in 1.9
which is the reason why 1.8 is not affected.

https://www.haproxy.com/blog/haproxy-1-9-has-arrived

> And shout-out to Nick for writing such a great article! Thank you, Nick!
>
> Ryan

Regards
Alex

> [1]
> https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487