CVSROOT:        /cvs
Module name:    ports
Changes by:     d...@cvs.openbsd.org    2020/04/02 17:01:17

Modified files:
        net/haproxy    : Makefile distinfo 

Log message:
Update to haproxy-2.0.14

From the Announce email:
The main driver for this release is that it contains a fix for a
serious vulnerability that was responsibly reported last week by
Felix Wilhelm from Google Project Zero, affecting the HPACK
decoder used for HTTP/2.  CVE-2020-11100 was assigned to this
issue.

This vulnerability makes it possible under certain circumstances
to write to a wide range of memory locations within the process'
heap, with the limitation that the attacker doesn't control the
absolute address, so the most likely result and by a far margin
will be a process crash, but it is not possible to completely
rule out the faint possibility of a remote code execution, at
least in a lab-controlled environment.
