We use haproxy for https termination for one of our services. We are trying
to upgrade to late model haproxy, but have run into a problem. In old
haproxy versions, it allowed 1k header names and we told our customers
that. In modern versions, it is checked and limited to 254.
I saw that this check was in response to a CVE. If I understand the issue,
it was that it was only 255 that produced the problem, not all lengths
beyond 255. Is this a correct assessment? Are there any ways around this
that I haven't found?
I will need to take this to the folks that own the product requirements and
I want to give them the right information.
thanks,
jerry
--
Jerry Scharf
Pure Storage
