Hi,

HAProxy 1.9.13 was released on 2019/11/25. It added 39 new commits
after version 1.9.12.

It addresses the same security issues as announced in 2.0.10:

  - The first one, found by Tim Düsterhus, lets an attacker pass control
    characters into header fields, leading to a possibility of content
    smuggling attacks on HTTP/1 backends, which is mainly a concern if
    http-reuse is in use.

  - The second, found by Christopher Faulet, is a direct consequence of a
    flaw in the H2 spec making no special case of HEADER frames received
    on an IDLE stream on the response path. As such, such a frame passes
    all validity checks but no stream is allocated since it's a response,
    and the decoding of the headers on a read-only dummy stream results
    in a crash of the process.

It also addresses a number of issues which were already fixed in 2.0.9,
such as an occasional risk of double free causing crashes in idle
connections, disabling splicing on chunked responses, listeners eating
CPU when reaching the frontend/process' maxconn, and improved handling
of idle connections facing errors.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.9/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
   Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Baptiste Assmann (1):
      BUG: dns: timeout resolve not applied for valid resolutions

Christopher Faulet (10):
      BUG/MAJOR: stream-int: Don't receive data from mux until SI_ST_EST is reached
      BUG/MEDIUM: mux-h1: Disable splicing for chunked messages
      BUG/MEDIUM: stream: Be sure to support splicing at the mux level to enable it
      BUG/MEDIUM: stream: Be sure to release allocated captures for TCP streams
      BUG/MEDIUM: filters: Don't call TCP callbacks for HTX streams
      BUG/MINOR: mux-h1: Don't set CS_FL_EOS on a read0 when receiving data to pipe
      BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
      BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
      BUG/MINOR: stream-int: Fix si_cs_recv() return value
      DOC: Add documentation about the use-service action

Emmanuel Hocdet (1):
      BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1

Eric Salama (1):
      BUILD/MINOR: ssl: fix compiler warning about useless statement

Joao Morais (1):
      BUG/MINOR: config: Update cookie domain warn to RFC6265

Jérôme Magnin (2):
      DOC: management: document reuse and connect counters in the CSV format
      DOC: management: document cache_hits and cache_lookups in the CSV format

Lukas Tribus (1):
      MINOR: doc: http-reuse connection pool fix

Olivier Houchard (3):
      MINOR: mux: Add a new method to get informations about a mux.
      BUG/MEDIUM: servers: Only set SF_SRV_REUSED if the connection if fully ready.
      BUG/MEDIUM: Make sure we leave the session list in session_free().

William Dauchy (1):
      MINOR: tcp: avoid confusion in time parsing init

William Lallemand (2):
      BUG/MINOR: cli: don't call the kw->io_release if kw->parse failed
      BUG/MINOR: cli: fix out of bounds in -S parser

Willy Tarreau (16):
      MINOR: config: warn on presence of "\n" in header values/replacements
      BUG/MINOR: mux-h2: do not emit logs on backend connections
      BUG/MINOR: spoe: fix off-by-one length in UUID format string
      BUG/MEDIUM: mux-h2: report no available stream on a connection having errors
      BUG/MEDIUM: mux-h2: immediately remove a failed connection from the idle list
      BUG/MEDIUM: mux-h2: immediately report connection errors on streams
      DOC: management: fix typo on "cache_lookups" stats output
      BUG/MINOR: queue/threads: make the queue unlinking atomic
      BUG/MEDIUM: listeners: always pause a listener on out-of-resource condition
      BUG/MINOR: log: limit the size of the startup-logs
      MINOR: ist: add ist_find_ctl()
      BUG/MAJOR: h2: reject header values containing invalid chars
      BUG/MAJOR: h2: make header field name filtering stronger
      BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
      SCRIPTS: create-release: show the correct origin name in suggested commands
      SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands
---
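The first security issue above is fixed by refusing header fields that carry control characters before they can be re-serialized towards an HTTP/1 backend (the "reject header values containing invalid chars" and "make header field name filtering stronger" commits). The following is an added illustration of that kind of check, written for this page and not HAProxy's own code: it does not reproduce HAProxy's ist_find_ctl() or its H2 header validation, only the same idea in a self-contained form. It assumes the RFC 7230 definitions of a field-name (tchar) and a field-value (no CTL bytes other than HTAB); the header lines it tests are constructed examples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return the offset of the first control character within the first
 * `len` bytes of `s`, or -1 if there is none. A control character here
 * is any byte below 0x20 except horizontal tab (0x09), plus DEL (0x7f).
 * Bytes >= 0x80 (obs-text) are deliberately left alone. Hypothetical
 * helper: it is not HAProxy's ist_find_ctl(). */
static long find_ctl_char(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return (long)i;
    }
    return -1;
}

/* Validate a header field name against the RFC 7230 tchar set
 * (ALPHA / DIGIT / the punctuation listed below). Empty names are
 * rejected. Returns 1 if valid, 0 otherwise. */
static int header_name_is_valid(const char *name, size_t len)
{
    static const char tchar_extra[] = "!#$%&'*+-.^_`|~";

    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                    (c >= 'A' && c <= 'Z');
        /* strchr() would match the terminating NUL, so exclude c == 0 first */
        if (!alnum && (c == 0 || strchr(tchar_extra, c) == NULL))
            return 0;
    }
    return 1;
}

/* A header value is acceptable only if it contains no control
 * character; CR, LF and NUL in particular must never reach the wire. */
static int header_value_is_valid(const char *value, size_t len)
{
    return find_ctl_char(value, len) < 0;
}

/* Combined check for one header field. Returns 1 if it may be
 * forwarded, 0 if the field (and in practice the whole message)
 * should be rejected. */
static int header_field_is_valid(const char *name, const char *value)
{
    return header_name_is_valid(name, strlen(name)) &&
           header_value_is_valid(value, strlen(value));
}

int main(void)
{
    /* Constructed sample fields: the second carries an embedded CR LF,
     * the third has a space in its name. */
    const char *names[]  = { "X-Forwarded-For", "X-Tag", "Bad Name" };
    const char *values[] = { "10.0.0.1", "a\r\nX-Other: 1", "ok" };
    size_t n = sizeof(names) / sizeof(names[0]);

    for (size_t i = 0; i < n; i++) {
        long pos = find_ctl_char(values[i], strlen(values[i]));
        printf("%-16s -> %s", names[i],
               header_field_is_valid(names[i], values[i]) ? "accept" : "REJECT");
        if (pos >= 0)
            printf(" (control byte 0x%02x at value offset %ld)",
                   (unsigned char)values[i][pos], pos);
        printf("\n");
    }
    return 0;
}
```

Applying the check to both the name and the value matters: a proxy that only scans values still lets a malformed name through, which is why the changelog carries a separate commit for name filtering.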