BUILD: tools: gets the absolute path on NetBSD
Hi, here a little patch proposal. Thanks in advance. From 30a530f3b352e907a3dd9daebfda2bb94dccbdbc Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 17 Aug 2021 08:44:25 +0100 Subject: [PATCH] BUILD: tools: get the absolute path of the current binary on NetBSD. NetBSD stores the absolute path into the auxiliary vector as well. --- src/tools.c | 13 + 1 file changed, 13 insertions(+) diff --git a/src/tools.c b/src/tools.c index bd6bf4edc..545fd9e8d 100644 --- a/src/tools.c +++ b/src/tools.c @@ -16,6 +16,11 @@ #include #endif +#if defined(__NetBSD__) +#include +#include +#endif + #include #include #include @@ -4761,6 +4766,14 @@ const char *get_exec_path() if (execfn && execfn != ENOENT) ret = (const char *)execfn; +#elif defined(__NetBSD__) + AuxInfo *auxv; + for (auxv = _dlauxinfo(); auxv->a_type != AT_NULL; ++auxv) { + if (auxv->a_type == AT_SUN_EXECNAME) { + ret = (const char *)auxv->a_v; + break; + } + } #endif return ret; } -- 2.32.0
Re: BUILD: tools: gets the absolute path on NetBSD
Hi David, On Tue, Aug 17, 2021 at 08:49:29AM +0100, David CARLIER wrote: > Hi, > > here a little patch proposal. Applied, thank you! Willy
Re: [External] Re: [PATCH] JA3 TLS Fingerprinting (take 2)
Hi Marcin, On Mon, Aug 16, 2021 at 01:55:02PM +0200, Marcin Deranek wrote: > Hi, > > Do you have any update on merging this? Sorry, I think we've missed it :-( Worse, I was wondering if you managed to make any progress on it :-/ I'm currently working on preparing a set of stable branches, I'll have a look after that. Thanks for the ping! Willy
Re: [PATCH] DOC: Minor typo fix - 'question mark' -> 'exclamation mark'
looks good, now applied, thank you! Willy
Re: [PR] DOC/MINOR: fix typo in management document
On Wed, Aug 04, 2021 at 09:17:21AM +0200, PR Bot wrote: > Dear list! > > Author: Jonathon Lacher <6679714+jonathonlac...@users.noreply.github.com> > Number of patches: 1 > > This is an automated relay of the Github pull request: >DOC/MINOR: fix typo in management document > > Patch title(s): >DOC/MINOR: fix typo in management document Looks good, now applied. Sorry for the delay. Willy
BUILD: tools: get the absolute path on FreeBSD
Hi, same as earlier but for FreeBSD this time. Thanks. From 07be546638949864ef678b0e39871b7febceeaed Mon Sep 17 00:00:00 2001 From: DC Date: Tue, 17 Aug 2021 12:55:49 +0100 Subject: [PATCH] BUILD: tools: get the absolute path of the current binary on FreeBSD. FreeBSD stores the absolute path into the auxiliary vector as well. --- src/tools.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/src/tools.c b/src/tools.c index 545fd9e8d..1961689dd 100644 --- a/src/tools.c +++ b/src/tools.c @@ -16,6 +16,12 @@ #include #endif +#if defined(__FreeBSD__) +#include +#include +extern void *__elf_aux_vector; +#endif + #if defined(__NetBSD__) #include #include @@ -4766,6 +4772,14 @@ const char *get_exec_path() if (execfn && execfn != ENOENT) ret = (const char *)execfn; +#elif defined(__FreeBSD__) + Elf_Auxinfo *auxv; + for (auxv = __elf_aux_vector; auxv->a_type != AT_NULL; ++auxv) { + if (auxv->a_type == AT_EXECPATH) { + ret = (const char *)auxv->a_un.a_ptr; + break; + } + } #elif defined(__NetBSD__) AuxInfo *auxv; for (auxv = _dlauxinfo(); auxv->a_type != AT_NULL; ++auxv) { -- 2.32.0
Clarification about http-reuse
Hi. In the doc is this part http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-http-reuse ``` By default, a connection established between HAProxy and the backend server which is considered safe for reuse is moved back to the server's idle connections pool so that any other request can make use of it. This is the "safe" strategy below. ``` and in the code this. http://git.haproxy.org/?p=haproxy-2.4.git;a=blob;f=src/cfgparse.c;hb=2883fcf65bc09d4acf25561bcd955c6ca27c0438#l3424 ``` 3424 if ((curproxy->mode != PR_MODE_HTTP) && (curproxy->options & PR_O_REUSE_MASK) != PR_O_REUSE_NEVR) 3425 curproxy->options &= ~PR_O_REUSE_MASK; ``` Does this mean that even when no "http-reuse ..." is set will the "http-reuse safe" set on the proxy? Regards Alex
Re: Clarification about http-reuse
Hi Alex, On Tue, Aug 17, 2021 at 02:19:38PM +0200, Aleksandar Lazic wrote: > ``` > 3424 if ((curproxy->mode != PR_MODE_HTTP) && > (curproxy->options & PR_O_REUSE_MASK) != PR_O_REUSE_NEVR) > 3425 curproxy->options &= ~PR_O_REUSE_MASK; > ``` > > Does this mean that even when no "http-reuse ..." is set will the "http-reuse > safe" set on the proxy? Yes, that's since 2.0. Reuse in "safe" mode is enabled by default. You can forcefully disable it using "http-reuse never" if you want (e.g. for debugging or if you suspect a bug in the server). But "safe" is as safe as regular keep-alive. Hoping this helps, Willy
[ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev
Hi everyone, HAProxy is affected by 4 vulnerabilities in its HTTP/2 implementation in recent versions (starting with 2.0). Three of them are considered as having a moderate impact as they only affect the interpretation of the authority (Host header field) in H2->H2 communications in versions 2.2 and above. One only affects a risk of misinterpretation from lenient HTTP/1 backend servers, and affects version 2.0 and above, though at the time of writing we're not aware of any such vulnerable server among the mainstream ones that are commonly found behind HAProxy (Apache, NGINX, Varnish, etc). Background: on Aug 05 a research article was published about flaws affecting some HTTP/2 to HTTP/1 proxies or gateways: https://portswigger.net/research/http2 A first analysis of the article compared to some selected pieces of code concluded that haproxy was safe. This was actually wrong as only older versions are safe (2.0 in "legacy" mode and 1.8). Tim Düsterhus conducted some additional tests and found some problems, which after digging for a few days, revealed to be significantly more embarrassing. In practice, version 2.0 in the default "HTX" mode and all later versions are affected to some degrees. 1) Spaces in the ":method" field The first problem is based on the ":method" field. By passing a space in the method, it is possible to build an invalid HTTP/1 request on the backend side, which some lenient servers might possibly interpret as valid, resulting in a different request between the one seen by haproxy and by the server. This might be abused to circumvent some switching rules for example, and get a request to be routed to a wrong server. Example: H2 request :method: "GET /admin? HTTP/1.1" :path: "/static/images" HAProxy would route all "/static" requests to the static server farm, but once the request is reassembled it would become this: GET /admin? HTTP/1.1 /static/images HTTP/1.1 This is not valid but if a server fails to properly validate this input, it might be fooled into thinking this is a request for /admin. Please note that HTTP/2 backend servers are not affect as the request is sent as a new ":method" field there. Additionally, dangerous characters like CR, LF or NUL are always blocked on input so is is not possible to perform a request smuggling attack, and the risks are limited to HTTP/1 servers which fail to properly parse the request line (note that all major server implementations are safe against this). A workaround for this issue for those having to rely on possibly unsafe servers is to reject invalid characters in the method by placing such a filtering rule on the request path either in the frontend or the backend: http-request reject if { method -m reg [^A-Z0-9] } A second workaround that may only be used on version 2.0 consists in disabling the HTX internal representation in the affected backends and the frontends that route to them: no option http-use-htx This will have for effect to transform the HTTP/2 requests to HTTP/1 that will then be submitted to the internal HTTP/1 parser which will reject the poorly formatted request. This older representation called "legacy" is not available any more in version 2.1 and above, and is not compatible with HTTP/2 nor FastCGI backend servers. This issue affects all versions from 2.0 and above, in HTX mode, with HTTP/1 on the server side. 2) Domain parts in ":scheme" and ":path" The ":scheme" HTTP/2 header field contains the scheme that prefixes the request URI, typically "http" or "https". ":path" contains the part that is local to the target host, and that usually starts with the "/". By appending a part of a request to ":scheme" or by prepending a part of a domain name to ":path", it is possible to make haproxy and a backend server see a different authority or URL prefix. Please note that this only affects HTTP/2 servers on versions 2.2 and above. These versions are indeed capable of passing an absolute URI from end to end, while earlier versions were limited to origin URIs. In addition, HTTP/2 requests are always forwarded in origin form to HTTP/1 backend servers (i.e. they do not have a scheme nor authority parts). As such HTTP/1 servers are safe and only HTTP/2 servers are exposed. What happens is that on the entry point, the :scheme, :authority and :path fields are concatenated to rebuild a full URI that is then passed along the chain, but the Host header is set from :authority before this concatenation is performed. As such, the Host header field used internally may not always match the authority part of the recomposed URI. Examples: H2 request :method: "GET" :scheme: "http://localhost/?orig="; :authority "example.org" :path: "/" or: H2 request :method: "GET" :scheme: "http" :authority "example.org" :path: ".local/" An internal Host header will be build with "example.org" then the complete URI will become "http://localhost/?orig
[ANNOUNCE] haproxy-2.5-dev4
Hi, HAProxy 2.5-dev4 was released on 2021/08/17. It added 82 new commits after version 2.5-dev3. This version was expected to be emitted last week but was slightly delayed so that it contains the final fixes for the H2 vulnerabilities reported by Tim that were described in previous message, and which affect Host name consistency with H2 backend servers when Host and :authority differ or when garbage is placed in the ":scheme" or ":path" headers, and the one which allows to abuse the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones). In addition to this, this version contains a number of improvements: - The filters support was added to Lua. It is now possible to write Lua scripts to filter HTTP or TCP sessions. For now, this feature is highly experimental and must not be used in production as the API might possibly still change a little bit (see lua-api/index.rst for the details). The API of the Channel class was revisited and an HTTPMessage class was added to help writing filters. It comes with some limitations. First, it is not possible to yield inside a filter callback and it is not really clear for now if this limitation will ever be lifted. Second, most functions exposed by the Channel class are forbidden when an HTTP message is filtered. Finally, only few filter callbacks are supported for now: start_analyze, end_analyze, http_headers, http_payload, http_end and tcp_payload. This feature was not heavily tested. Thus, if you try it, you will most probably encounter several bugs. Be gentle but don't hesitate to report them and feel free to criticize the API. It is the first stage of this feature and inputs and feedback will help us to improve it. - health checks and agent checks can now be enabled on dynamically added servers. Out of my head, I think it was the last missing feature to get fully functional hot addition/removal of servers, so testers are really welcome! - the enable/disable health/agent CLI commands that were mistakenly marked as deprecated while cleaning up the CLI help have been fixed as they are not deprecated. - the stats page now always continues to list stopped proxies during reloads, and only skips the internal ones (there was no such notion of internal proxies in the past, forcing us to resort to some tricks to avoid listing the ones used by the master CLI for example). This means that it finally is possible to collect the last stats of a stopping process. And 25 bugs were fixed, mostly on dynamic servers, Lua, and of course, H2. Given that 2.5 is focused on technical improvements, I'm fine with merging patches reasonably late in the release cycle, so let's fix a freeze of important code submissions on September 15th, which should allow one or two round trips before the 30th, after which anything too sensitive should be postponed to -next, and the focus will move towards fixing (or reverting) what was already merged, and cleaning it up. This should leave us with about one month for this and will allow us to release between late October and early November just like we did for 2.3. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse: http://discourse.haproxy.org/ Slack channel: https://slack.haproxy.org/ Issue tracker: https://github.com/haproxy/haproxy/issues Wiki : https://github.com/haproxy/wiki/wiki Sources : http://www.haproxy.org/download/2.5/src/ Git repository : http://git.haproxy.org/git/haproxy.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy.git Changelog: http://www.haproxy.org/download/2.5/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog : Amaury Denoyelle (24): BUG/MINOR: server: fix race on error path of 'add server' CLI if track BUG/MINOR: server: remove srv from px list on CLI 'add server' error MINOR: server: unmark deprecated on enable health/agent cli MEDIUM: task: implement tasklet kill MINOR: server: initialize fields for dynamic server check MINOR: check: allocate default check ruleset for every backends MINOR: check: export check init functions MINOR: check: do not increment global maxsock at runtime MINOR: server: implement a refcount for dynamic servers MEDIUM: check: implement check deletion for dynamic servers MINOR: check: enable safe keywords for dynamic servers MEDIUM: server: implement check for dynamic servers MEDIUM: server: implement agent check for dynamic servers REGTESTS: server: add dynamic check server test MINOR: doc: specify ulimit-n usage for dynamic servers REGTESTS: server: fix dynamic server with checks test
[ANNOUNCE] haproxy-2.4.3
Hi, HAProxy 2.4.3 was released on 2021/08/17. It added 46 new commits after version 2.4.2. This version contains the fixes for the H2 vulnerabilities reported by Tim that were described in previous message, and which affect Host name consistency with H2 backend servers when Host and :authority differ or when garbage is placed in the ":scheme" or ":path" headers, and the one which allows to abuse the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones). All users of 2.4 which skipped previous updates *MUST* program an update to this one. In the mean time, the previous message about the issue suggests several possible workarounds. Aside these, the following issues were addressed in this version: - a config containing only a log forwarder would refuse to start, claiming there was no listener. - in rare situations, under extreme thread contention and connection sharing between threads, it was possible to dereference a connection while it was in the process of being freed, causing the process' death. I doubt anyone ever faced it considering that I had to shorten the server timeouts to one millisecond to trigger it, but knowing this one was knocked out makes me feel more comfortable. - there was yet another case where a partial H2 frame could leave an H2 connection in a stuck state. This time it's okay (famous last words). - checking a config with -W could cause an attempt to re-execute the process and crash. It does not bring anything to use -W during a config check but it usually remains from hard-coded command line arguments in scripts. And actually that was also missing from the systemd unit file and was added there. - when using pollers evports or poll (i.e. non-linux nor BSD systems), inter-thread wakeups wouldn't work, causing some inter-thread activity to be slow (e.g. multi-queue accept(), server queues). - SPOE was fixed regarding the connection close strategy in multi-threading so that there are always available connections for each active thread. - since muxes started to emit their own customizable "invalid request" logs in 2.2, using some sample fetch functions in log-format could crash the process on invalid requests because they were never designed to be used outside of a valid stream (essentially "ssl_s_*"). - muxes were not respecting "dontlognull" when dealing with H2 prefaces followed by a close, but this happens often with ALPN when clients tentatively set up multiple connections for the case where H2 will not be available. This was fixed. - port-less servers would not accept tcp-check connect rules and report a bogus error message that doesn't correspond to the configuration. - a run-time check on integer wrapping was added upon startup to make sure haproxy is not accidentally built with incorrect CFLAGS which cause incorrect/insecure code to be emitted. If the error happens on startup, haproxy will indicate what to do (i.e. rebuild without dropping critical options from CFLAGS). There is no soft-fail possible here as this can only be a runtime check and once the executable code is damaged there's nothing you can do to make it run reliably again. Nobody will face this unless they were using a bogus binary without knowing it. - the default-server SSL configuration was ignored by the servers (e.g. client certificate to present to a server). - the last_change field of a server was not properly updated when the server got out of maintenance, resulting in wrong values in the stats, and accelerated slowstarts. - the enable/disable health/agent CLI commands that were mistakenly marked as deprecated while cleaning up the CLI help have been fixed as they are not deprecated. - a new global config option "h2-workaround-bogus-websocket-clients" was added to temporarily disable RFC8441 support for websocket over H2 in case anyone faces a bogus client or suspects so. - plus a handful of very minor ones And that's about all. A few lower importance fixes were left pending for a future version to make sure the upgrade to this one is totally safe. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse: http://discourse.haproxy.org/ Slack channel: https://slack.haproxy.org/ Issue tracker: https://github.com/haproxy/haproxy/issues Wiki : https://github.com/haproxy/wiki/wiki Sources : http://www.haproxy.org/download/2.4/src/ Git repository : http://git.haproxy.org/git/haproxy-2.4.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git Changelog: http://www.haproxy.org/download/2.4/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Compl
[ANNOUNCE] haproxy-2.3.13
Hi, HAProxy 2.3.13 was released on 2021/08/17. It added 31 new commits after version 2.3.12. This version contains the fixes for the H2 vulnerabilities reported by Tim that were described in previous message, and which affect Host name consistency with H2 backend servers when Host and :authority differ or when garbage is placed in the ":scheme" or ":path" headers, and the one which allows to abuse the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones). All users of 2.3 which skipped previous updates *MUST* program an update to this one. In the mean time, the previous message about the issue proposes several possible workarounds. Aside these, the following issues were addressed in this version: - a config containing only a log forwarder would refuse to start, claiming there was no listener. - there was yet another case where a partial H2 frame could leave an H2 connection in a stuck state. This time it's okay (famous last words). - checking a config with -W could cause an attempt to re-execute the process and crash. It does not bring anything to use -W during a config check but it usually remains from hard-coded command line arguments in scripts. And actually that was also missing from the systemd unit file and was added there. - when using pollers evports or poll (i.e. non-linux nor BSD systems), inter-thread wakeups wouldn't work, causing some inter-thread activity to be slow (e.g. multi-queue accept(), server queues). - SPOE was fixed regarding the connection close strategy in multi-threading so that there are always available connections for each active thread. - since muxes started to emit their own customizable "invalid request" logs in 2.2, using some sample fetch functions in log-format could crash the process on invalid requests because they were never designed to be used outside of a valid stream (essentially "ssl_s_*"). - muxes were not respecting "dontlognull" when dealing with H2 prefaces followed by a close, but this happens often with ALPN when clients tentatively set up multiple connections for the case where H2 will not be available. This was fixed. - port-less servers would not accept tcp-check connect rules and report a bogus error message that doesn't correspond to the configuration. - a run-time check on integer wrapping was added upon startup to make sure haproxy is not accidentally built with incorrect CFLAGS which cause incorrect/insecure code to be emitted. If the error happens on startup, haproxy will indicate what to do (i.e. rebuild without dropping critical options from CFLAGS). There is no soft-fail possible here as this can only be a runtime check and once the executable code is damaged there's nothing you can do to make it run reliably again. Nobody will face this unless they were using a bogus binary without knowing it. - the last_change field of a server was not properly updated when the server got out of maintenance, resulting in wrong values in the stats, and accelerated slowstarts. - plus a handful of very minor ones And that's about all. A few lower importance fixes were left pending for a future version to make sure the upgrade to this one is totally safe. One which concerns the potential idle connection takeover race was not merged in this version (different code, too risky) and will be postponed for a later one. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse: http://discourse.haproxy.org/ Slack channel: https://slack.haproxy.org/ Issue tracker: https://github.com/haproxy/haproxy/issues Wiki : https://github.com/haproxy/wiki/wiki Sources : http://www.haproxy.org/download/2.3/src/ Git repository : http://git.haproxy.org/git/haproxy-2.3.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git Changelog: http://www.haproxy.org/download/2.3/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog : Amaury Denoyelle (2): BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request REGTESTS: add a test to prevent h2 desync attacks Christopher Faulet (9): BUG/MINOR: resolvers: Use a null-terminated string to lookup in servers tree BUG/MINOR: mux-h2: Obey dontlognull option during the preface BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer DOC: Improve the lua documentation DOC: config: Fix 'http-response send-s
[ANNOUNCE] haproxy-2.2.16
Hi, HAProxy 2.2.16 was released on 2021/08/17. It added 29 new commits after version 2.2.15. This version contains the fixes for the H2 vulnerabilities reported by Tim that were described in previous message, and which affect Host name consistency with H2 backend servers when Host and :authority differ or when garbage is placed in the ":scheme" or ":path" headers, and the one which allows to abuse the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones). All users of 2.2 which skipped previous updates *MUST* program an update to this one. In the mean time, the previous message about the issue suggests several possible workarounds. Aside these, the following issues were addressed in this version: - there was yet another case where a partial H2 frame could leave an H2 connection in a stuck state. This time it's okay (famous last words). - checking a config with -W could cause an attempt to re-execute the process and crash. It does not bring anything to use -W during a config check but it usually remains from hard-coded command line arguments in scripts. And actually that was also missing from the systemd unit file and was added there. - when using pollers evports or poll (i.e. non-linux nor BSD systems), inter-thread wakeups wouldn't work, causing some inter-thread activity to be slow (e.g. multi-queue accept(), server queues). - SPOE was fixed regarding the connection close strategy in multi-threading so that there are always available connections for each active thread. - since muxes started to emit their own customizable "invalid request" logs in 2.2, using some sample fetch functions in log-format could crash the process on invalid requests because they were never designed to be used outside of a valid stream (essentially "ssl_s_*"). - muxes were not respecting "dontlognull" when dealing with H2 prefaces followed by a close, but this happens often with ALPN when clients tentatively set up multiple connections for the case where H2 will not be available. This was fixed. - port-less servers would not accept tcp-check connect rules and report a bogus error message that doesn't correspond to the configuration. - a run-time check on integer wrapping was added upon startup to make sure haproxy is not accidentally built with incorrect CFLAGS which cause incorrect/insecure code to be emitted. If the error happens on startup, haproxy will indicate what to do (i.e. rebuild without dropping critical options from CFLAGS). There is no soft-fail possible here as this can only be a runtime check and once the executable code is damaged there's nothing you can do to make it run reliably again. Nobody will face this unless they were using a bogus binary without knowing it. - the last_change field of a server was not properly updated when the server got out of maintenance, resulting in wrong values in the stats, and accelerated slowstarts. - plus a handful of very minor ones And that's about all. A few lower importance fixes were left pending for a future version to make sure the upgrade to this one is totally safe. One which concerns the potential idle connection takeover race was not merged in this version (different code, too risky) and will be postponed for a later one. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse: http://discourse.haproxy.org/ Slack channel: https://slack.haproxy.org/ Issue tracker: https://github.com/haproxy/haproxy/issues Wiki : https://github.com/haproxy/wiki/wiki Sources : http://www.haproxy.org/download/2.2/src/ Git repository : http://git.haproxy.org/git/haproxy-2.2.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git Changelog: http://www.haproxy.org/download/2.2/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog : Amaury Denoyelle (2): BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request REGTESTS: add a test to prevent h2 desync attacks Christopher Faulet (9): BUG/MINOR: resolvers: Use a null-terminated string to lookup in servers tree BUG/MINOR: mux-h2: Obey dontlognull option during the preface BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer DOC: Improve the lua documentation DOC: config: Fix 'http-response send-spoe-group' documentation BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are q
[ANNOUNCE] haproxy-2.0.24
Hi, HAProxy 2.0.24 was released on 2021/08/17. It added 18 new commits after version 2.0.23. This version contains the fixes for the H2 vulnerabilities reported by Tim that were described in previous message, and which allows to abuse the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones). All users of 2.0 which skipped previous updates *MUST* program an update to this one. In the mean time, the previous message about the issue suggests several possible workarounds. Aside these, the following issues were addressed in this version: - there was yet another case where a partial H2 frame could leave an H2 connection in a stuck state. This time it's okay (famous last words). - checking a config with -W could cause an attempt to re-execute the process and crash. It does not bring anything to use -W during a config check but it usually remains from hard-coded command line arguments in scripts. And actually that was also missing from the systemd unit file and was added there. - SPOE was fixed regarding the connection close strategy in multi-threading so that there are always available connections for each active thread. - a previous fix for an issue in tcp-checks where a dead connection could occasionally be dereferenced was incomplete in the 2.0 backport since the newer code had been refactored. It was completely addressed here. - muxes were not respecting "dontlognull" when dealing with H2 prefaces followed by a close, but this happens often with ALPN when clients tentatively set up multiple connections for the case where H2 will not be available. This was fixed. - support for "option disable-h2-upgrade" was backported from 2.2 to help users forcefully disable H1->H2 upgrades when desired. - a run-time check on integer wrapping was added upon startup to make sure haproxy is not accidentally built with incorrect CFLAGS which cause incorrect/insecure code to be emitted. If the error happens on startup, haproxy will indicate what to do (i.e. rebuild without dropping critical options from CFLAGS). There is no soft-fail possible here as this can only be a runtime check and once the executable code is damaged there's nothing you can do to make it run reliably again. Nobody will face this unless they were using a bogus binary without knowing it. - the last_change field of a server was not properly updated when the server got out of maintenance, resulting in wrong values in the stats, and accelerated slowstarts. - plus a handful of very minor ones And that's about all. A few lower importance fixes were left pending for a future version to make sure the upgrade to this one is totally safe. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse: http://discourse.haproxy.org/ Slack channel: https://slack.haproxy.org/ Issue tracker: https://github.com/haproxy/haproxy/issues Wiki : https://github.com/haproxy/wiki/wiki Sources : http://www.haproxy.org/download/2.0/src/ Git repository : http://git.haproxy.org/git/haproxy-2.0.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git Changelog: http://www.haproxy.org/download/2.0/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog : Amaury Denoyelle (1): REGTESTS: add a test to prevent h2 desync attacks Christopher Faulet (9): BUG/MEDIUM: tcp-check: Do not dereference inexisting connection BUG/MINOR: mux-h2: Obey dontlognull option during the preface BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued DOC: Improve the lua documentation DOC: config: Fix 'http-response send-spoe-group' documentation MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade Jonathon Lacher (1): DOC/MINOR: fix typo in management document Remi Tricot-Le Breton (1): BUG/MINOR: connection: Add missing error labels to conn_err_code_str William Lallemand (1): BUG/MINOR: systemd: must check the configuration using -Ws Willy Tarreau (5): BUILD: add detection of missing important CFLAGS BUG/MEDIUM: mworker: do not register an exit handler if exit is expected BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs BUG/MINOR: server: update last_change on maint->ready transitions too BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header ---
Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev
❦ 17 August 2021 17:13 +02, Willy Tarreau: > HAProxy is affected by 4 vulnerabilities in its HTTP/2 implementation in > recent versions (starting with 2.0). Three of them are considered as having > a moderate impact as they only affect the interpretation of the authority > (Host header field) in H2->H2 communications in versions 2.2 and above. > One only affects a risk of misinterpretation from lenient HTTP/1 backend > servers, and affects version 2.0 and above, though at the time of writing > we're not aware of any such vulnerable server among the mainstream ones > that are commonly found behind HAProxy (Apache, NGINX, Varnish, etc). For users of haproxy.debian.net or Launchpad PPA, the vulnerabilities are fixed by patching the previous versions. Launchpad PPA builders are still running but it should be available in the next hour. I will upload the new versions later this week. Check the changelog (in /usr/share/doc/haproxy/changelog.Debian.gz) if you want to know if you are running a fixed version. The list of fixed versions are: haproxy_2.4.2-2~bpo10+1 haproxy_2.4.2-2~bpo11+1 haproxy_2.4.2-2ppa1~bionic haproxy_2.4.2-2ppa1~focal haproxy_2.2.9-2+deb11u1 (should be available from debian-security soon) haproxy_2.3.12-2~bpo10+1 haproxy_2.3.12-2ppa1~bionic haproxy_2.3.12-2ppa1~focal haproxy_2.2.15-3~bpo9+1 haproxy_2.2.15-3~bpo10+1 haproxy_2.2.15-3ppa1~bionic haproxy_2.2.15-3ppa1~focal haproxy_2.0.23-3~bpo9+1 haproxy_2.0.23-3~bpo10+1 haproxy_2.0.23-3ppa1~xenial haproxy_2.0.23-3ppa1~bionic haproxy_2.0.23-3ppa1~focal -- Make input easy to proofread. - The Elements of Programming Style (Kernighan & Plauger)
Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev
Vincent, On 8/17/21 5:49 PM, Vincent Bernat wrote: For users of haproxy.debian.net or Launchpad PPA, the vulnerabilities are fixed by patching the previous versions. Launchpad PPA builders are still running but it should be available in the next hour. I will upload the new versions later this week. As a consumer of your packages: A big thank you for your work. After I noticed Willy's announcement I checked whether any new 2.4.x packages were available and indeed they were already there, saving me the work from compiling a custom version / adjusting the config. Best regards Tim Düsterhus
Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev
Hi Willy, Everyone, On 8/17/21 5:13 PM, Willy Tarreau wrote: 2) Domain parts in ":scheme" and ":path" [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed. I'd like to clarify that the above statement is not true. The issue also affects H2->HAProxy->H1 connections. It allows to forward a different 'host' header than the one HAProxy sees to the backend. The 'http-request set-uri %[url]' workaround mentioned at the bottom of Willy's email also fixes the issue for HTTP/1 backends. In any case I recommend to upgrade as soon as possible. That way you don't have to think whether your setup requires a workaround or not. Best regards Tim Düsterhus
Global Gaming Expo - G2E
Hi, I believe you are the best person to speak with regarding the Global Gaming Expo - G2E 2021 Attendees Database. Target Audience:- Bingo Halls, Casino Operation Professionals, Consultants, Esports, Finance, Food & Beverage, Game Developers, iGaming, Lottery, Marketing, Regulatory, Security, Sports Agencies, Sports Betting, Sports Leagues and Teams, Non-US Land-based or Lottery.. Do you want me to send counts and detail regarding the costs for your review? Thanks, Anne Frank - Marketing Team
Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev
On Tue, Aug 17, 2021 at 05:56:15PM +0200, Tim Düsterhus wrote: > Vincent, > > On 8/17/21 5:49 PM, Vincent Bernat wrote: > > For users of haproxy.debian.net or Launchpad PPA, the vulnerabilities > > are fixed by patching the previous versions. Launchpad PPA builders are > > still running but it should be available in the next hour. I will upload > > the new versions later this week. > > As a consumer of your packages: A big thank you for your work. > > After I noticed Willy's announcement I checked whether any new 2.4.x > packages were available and indeed they were already there, saving me the > work from compiling a custom version / adjusting the config. I second that! And I'm well aware of the amount of work Vincent had to do behind the curtains to deal with this since the end of last week to provide us with all this just in time. Thanks a lot Vincent! Willy
Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev
On Tue, Aug 17, 2021 at 06:57:28PM +0200, Tim Düsterhus wrote: > Hi Willy, Everyone, > > On 8/17/21 5:13 PM, Willy Tarreau wrote: > > 2) Domain parts in ":scheme" and ":path" > > > > [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed. > > I'd like to clarify that the above statement is not true. The issue also > affects H2->HAProxy->H1 connections. It allows to forward a different 'host' > header than the one HAProxy sees to the backend. So to be more precise, based on the output of your test, both will see the same Host header field, however the server will receive a different authority than the Host header field. While this is not a valid request we know that some servers are more willing to accept that than the poorly formatted requests. However those which do most often only use the Host (which is why they don't check the authority). I'm not saying this to try to dismiss the problem, it's in order to help admins analyze strange logs that they may encounter before upgrading or deploying workarounds. > The 'http-request set-uri %[url]' workaround mentioned at the bottom of > Willy's email also fixes the issue for HTTP/1 backends. > > In any case I recommend to upgrade as soon as possible. That way you don't > have to think whether your setup requires a workaround or not. I agree on both points! Thanks for reporting that one. Willy