CVSROOT: /cvs
Module name: ports
Changes by: d...@cvs.openbsd.org 2020/04/02 17:01:17

Modified files:
    net/haproxy : Makefile distinfo

Log message:
Update to haproxy-2.0.14

From the Announce email:

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.

This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process' heap, with the limitation that the attacker doesn't control the absolute address, so the most likely result and by a far margin will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment.