Re: [ANNOUNCE] haproxy 1.4.21

Hi,

Just for archive: CVE-2012-2391
http://www.openwall.com/lists/oss-security/2012/05/23/15

Kevin Decherf - M: +33 681194547 - T: @Kdecherf

On Tue, May 22, 2012 at 9:30 PM, Vivek Malik <vivek.ma...@gmail.com> wrote:
> A recommended upgrade for all production users. While we are not (generally) affected by the bugs fixed in the haproxy stable version, I recommend updating haproxy. I can update the haproxy bin in puppet and can check it in (we distribute the haproxy binary via puppetmaster).
>
> Aiman, please update puppetmaster when you see fit, and also in general, please ensure that the puppet client is running on all machines.
>
> Thanks,
> Vivek
>
> On Mon, May 21, 2012 at 1:43 AM, Willy Tarreau <w...@1wt.eu> wrote:
Re: [ANNOUNCE] haproxy 1.4.21

A recommended upgrade for all production users. While we are not (generally) affected by the bugs fixed in the haproxy stable version, I recommend updating haproxy. I can update the haproxy bin in puppet and can check it in (we distribute the haproxy binary via puppetmaster).

Aiman, please update puppetmaster when you see fit, and also in general, please ensure that the puppet client is running on all machines.

Thanks,
Vivek

On Mon, May 21, 2012 at 1:43 AM, Willy Tarreau <w...@1wt.eu> wrote:
[ANNOUNCE] haproxy 1.4.21

Hi all,

a number of old bugs were reported recently. Some of them are quite problematic because they can lead to crashes while parsing configuration or when starting up, which is even worse considering that startup scripts will generally not notice it. Among the bugs fixed in 1.4.21, we can enumerate:

- risk of crash if using reqrep/rsprep and having tune.bufsize manually configured larger than what was compiled in. The cause is the trash buffer used for the replace was still static, and I believed this was fixed months ago but only my mailbox had the fix! Thanks to Dmitry Sivachenko for reporting this bug.

- risk of crash when using header captures on a TCP frontend. This is a configuration issue, and this situation is now correctly detected and reported. Thanks to Olufemi Omojola for reporting this bug.

- risk of crash when some servers are declared with checks in a farm which does not use an LB algorithm (eg: option transparent or dispatch). This happens when a server state is updated and reported to the non-existing LB algorithm. Fortunately, this happens at start-up when reporting the servers either up or down, but still it's after the fork and too late for being easily recovered from by scripts. Thanks to David Touzeau for reporting this bug.

- balance source did not correctly hash IPv6 addresses, so IPv4 connections to IPv6 listeners would always get the same result. Thanks to Alex Markham for reporting this bug.

- the connect timeout was not properly reset upon connection establishment, resulting in a retry if the timeout struck exactly at the same millisecond the connect succeeded. The effect is that if a request was sent as part of the connect handshake, it is not available for resend during the retry and a response timeout is reported for the server. Note that in practice, this only happens with erroneous configurations. Thanks to Yehuda Sadeh for reporting this bug.

- the error captures were wrong if the buffer wrapped, which happens when capturing incorrectly encoded chunked responses.

I also backported Cyril's work on the stats page to allow POST params to be posted in any order, because I know there are people who script actions on this page.

This release also includes doc cleanups from Cyril, Dmitry Sivachenko and Adrian Bridgett.

Distro packagers will be happy to know that I added explicit checks to shut gcc warnings about unchecked write() return value in the debug code.

While it's very likely that almost nobody is affected by the bugs above, troubleshooting them is annoying enough to justify an upgrade.

Sources, Linux/x86 and Solaris/sparc binaries are at the usual location:

  site index : http://haproxy.1wt.eu/
  sources    : http://haproxy.1wt.eu/download/1.4/src/
  changelog  : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
  binaries   : http://haproxy.1wt.eu/download/1.4/bin/

Willy
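Three of the crashes above are triggered by specific configuration combinations (reqrep/rsprep with an enlarged tune.bufsize, header captures on a TCP frontend, and health-checked servers in a farm with no LB algorithm), and the announcement notes that start-up scripts usually fail to notice such crashes. The following script, an added example and not HAProxy's own code, audits an haproxy.cfg for those three patterns before a pre-1.4.21 instance is (re)started. It is my reading of the bug descriptions: the parser is a minimal section splitter, the sample configuration is constructed, and because the compiled-in buffer size cannot be read from the config, any explicit tune.bufsize is treated as potentially larger than it (an assumption).

```python
"""Audit an HAProxy 1.4 config for the three crash-prone patterns named in
the 1.4.21 announcement.  Added example, not HAProxy's own code; the checks
are derived from the bug descriptions and the sample config is constructed."""

PROXY_KINDS = ("frontend", "backend", "listen")
SECTION_KINDS = ("global", "defaults") + PROXY_KINDS
REWRITE_KEYWORDS = ("reqrep", "reqirep", "rsprep", "rspirep")

# Constructed sample configuration: each proxy section exhibits one of the
# three patterns, except "backend app", which is clean.
SAMPLE_CFG = r"""
global
    tune.bufsize 32768

defaults
    mode http

frontend tcp_in
    mode tcp
    bind *:9000
    capture request header X-Forwarded-For len 15
    default_backend legacy

frontend web
    bind *:80
    reqrep ^([^\ :]*)\ /static/(.*)     \1\ /\2
    default_backend app

backend legacy
    mode tcp
    option transparent
    server legacy1 10.0.0.10:9000 check

backend app
    balance roundrobin
    server app1 10.0.0.20:80 check
"""


def parse_sections(text):
    """Split an haproxy.cfg into sections in file order: a dict per section
    with its kind, name and tokenised body lines (comments/blanks dropped)."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KINDS:
            current = {"kind": words[0],
                       "name": words[1] if len(words) > 1 else "",
                       "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(words)
    return sections


def section_mode(section, inherited):
    """Explicit 'mode' in the section, else the mode inherited from defaults."""
    for words in section["lines"]:
        if words[0] == "mode" and len(words) > 1:
            return words[1]
    return inherited


def audit(text):
    """Return a list of (section label, finding) tuples for the config text."""
    findings = []
    sections = parse_sections(text)
    # The compiled-in buffer size is unknown here, so any explicit
    # tune.bufsize is treated as potentially larger than it (assumption).
    bufsize_set = any(s["kind"] == "global" and
                      any(w[0] == "tune.bufsize" for w in s["lines"])
                      for s in sections)
    default_mode = "tcp"  # HAProxy's mode when nothing sets one
    for s in sections:
        if s["kind"] == "defaults":
            default_mode = section_mode(s, "tcp")  # a new defaults block resets it
            continue
        if s["kind"] not in PROXY_KINDS:
            continue
        label = f"{s['kind']} {s['name']}"
        keywords = [w[0] for w in s["lines"]]
        # Bug 1: static trash buffer used by reqrep/rsprep vs. a larger tune.bufsize
        if bufsize_set and any(k in REWRITE_KEYWORDS for k in keywords):
            findings.append((label, "reqrep/rsprep with tune.bufsize set in global"))
        # Bug 2: header capture in a TCP-mode frontend (no HTTP headers to capture)
        has_header_capture = any(w[:2] in (["capture", "request"], ["capture", "response"])
                                 for w in s["lines"])
        if s["kind"] != "backend" and has_header_capture and section_mode(s, default_mode) == "tcp":
            findings.append((label, "header capture in a TCP-mode frontend"))
        # Bug 3: checked servers in a farm with no LB algorithm to report state to
        no_lb = "dispatch" in keywords or any(w[:2] == ["option", "transparent"]
                                             for w in s["lines"])
        has_checks = any(w[0] == "server" and "check" in w[2:] for w in s["lines"])
        if no_lb and has_checks:
            findings.append((label, "checked servers in a farm without an LB algorithm"))
    return findings


if __name__ == "__main__":
    for label, finding in audit(SAMPLE_CFG):
        print(f"{label}: {finding}")
```

Run it against the real config path before the service start in a deployment hook; a non-empty result on a pre-1.4.21 binary is a reason to hold the restart, which is cheaper than discovering the crash after the fork when the init script has already reported success.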