Hi, HAProxy 2.3.13 was released on 2021/08/17. It added 31 new commits after version 2.3.12.
This version contains the fixes for the H2 vulnerabilities reported by Tim that were described in previous message, and which affect Host name consistency with H2 backend servers when Host and :authority differ or when garbage is placed in the ":scheme" or ":path" headers, and the one which allows to abuse the H2 ":method" pseudo-header to forge some malformed HTTP/1 messages that some vulnerable servers might possibly accept to parse (though we're not aware of any among the usual mainstream ones). All users of 2.3 which skipped previous updates *MUST* program an update to this one. In the mean time, the previous message about the issue proposes several possible workarounds. Aside these, the following issues were addressed in this version: - a config containing only a log forwarder would refuse to start, claiming there was no listener. - there was yet another case where a partial H2 frame could leave an H2 connection in a stuck state. This time it's okay (famous last words). - checking a config with -W could cause an attempt to re-execute the process and crash. It does not bring anything to use -W during a config check but it usually remains from hard-coded command line arguments in scripts. And actually that was also missing from the systemd unit file and was added there. - when using pollers evports or poll (i.e. non-linux nor BSD systems), inter-thread wakeups wouldn't work, causing some inter-thread activity to be slow (e.g. multi-queue accept(), server queues). - SPOE was fixed regarding the connection close strategy in multi-threading so that there are always available connections for each active thread. - since muxes started to emit their own customizable "invalid request" logs in 2.2, using some sample fetch functions in log-format could crash the process on invalid requests because they were never designed to be used outside of a valid stream (essentially "ssl_s_*"). - muxes were not respecting "dontlognull" when dealing with H2 prefaces followed by a close, but this happens often with ALPN when clients tentatively set up multiple connections for the case where H2 will not be available. This was fixed. - port-less servers would not accept tcp-check connect rules and report a bogus error message that doesn't correspond to the configuration. - a run-time check on integer wrapping was added upon startup to make sure haproxy is not accidentally built with incorrect CFLAGS which cause incorrect/insecure code to be emitted. If the error happens on startup, haproxy will indicate what to do (i.e. rebuild without dropping critical options from CFLAGS). There is no soft-fail possible here as this can only be a runtime check and once the executable code is damaged there's nothing you can do to make it run reliably again. Nobody will face this unless they were using a bogus binary without knowing it. - the last_change field of a server was not properly updated when the server got out of maintenance, resulting in wrong values in the stats, and accelerated slowstarts. - plus a handful of very minor ones And that's about all. A few lower importance fixes were left pending for a future version to make sure the upgrade to this one is totally safe. One which concerns the potential idle connection takeover race was not merged in this version (different code, too risky) and will be postponed for a later one. Please find the usual URLs below : Site index : http://www.haproxy.org/ Discourse : http://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Wiki : https://github.com/haproxy/wiki/wiki Sources : http://www.haproxy.org/download/2.3/src/ Git repository : http://git.haproxy.org/git/haproxy-2.3.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git Changelog : http://www.haproxy.org/download/2.3/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/ Willy --- Complete changelog : Amaury Denoyelle (2): BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request REGTESTS: add a test to prevent h2 desync attacks Christopher Faulet (9): BUG/MINOR: resolvers: Use a null-terminated string to lookup in servers tree BUG/MINOR: mux-h2: Obey dontlognull option during the preface BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer DOC: Improve the lua documentation DOC: config: Fix 'http-response send-spoe-group' documentation BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued Emeric Brun (1): BUG/MEDIUM: cfgcheck: verify existing log-forward listeners during config check Jonathon Lacher (1): DOC/MINOR: fix typo in management document Remi Tricot-Le Breton (1): BUG/MINOR: connection: Add missing error labels to conn_err_code_str William Lallemand (2): BUG/MINOR: systemd: must check the configuration using -Ws BUG/MINOR: buffer: fix buffer_dump() formatting Willy Tarreau (15): BUILD: add detection of missing important CFLAGS BUILD: lua: silence a build warning with TCC BUG/MEDIUM: mworker: do not register an exit handler if exit is expected BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs BUG/MINOR: check: fix the condition to validate a port-less server BUG/MEDIUM: pollers: clear the sleeping bit after waking up, not before BUG/MINOR: select: fix excess number of dead/skip reported BUG/MINOR: poll: fix abnormally high skip_fd counter BUG/MINOR: pollers: always program an update for migrated FDs BUG/MINOR: server: update last_change on maint->ready transitions too MINOR: http: add a new function http_validate_scheme() to validate a scheme BUG/MAJOR: h2: verify early that non-http/https schemes match the valid syntax BUG/MAJOR: h2: verify that :path starts with a '/' before concatenating it BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header BUG/MEDIUM: h2: give :authority precedence over Host ---