Hi,
Just for archive: CVE-2012-2391
http://www.openwall.com/lists/oss-security/2012/05/23/15
Kevin Decherf - M: +33 681194547 - T: @Kdecherf
On Tue, May 22, 2012 at 9:30 PM, Vivek Malik wrote:
> A recommended upgrade for all production users. While we are not
> (generally) affected by the bugs fixed in haproxy stable version. I
> recommend updating haproxy.
>
> I can update haproxy bin in puppet and can check it in (we distribute
> haproxy binary via puppetmaster).
>
> Aiman,
>
> Please update puppetmaster when you see fit and also in general, please
> ensure that puppet client is running on all machines.
>
> Thanks,
> Vivek
>
>
> On Mon, May 21, 2012 at 1:43 AM, Willy Tarreau wrote:
>
>> Hi all,
>>
>> a number of old bugs were reported recently. Some of them are quite
>> problematic because they can lead to crashes while parsing configuration
>> or when starting up, which is even worse considering that startup scripts
>> will generally not notice it.
>>
>> Among the bugs fixed in 1.4.21, we can enumerate :
>> - risk of crash if using reqrep/rsprep and having tune.bufsize manually
>>configured larger than what was compiled in. The cause is the trash
>>buffer used for the replace was still static, and I believed this was
>>fixed months ago but only my mailbox had the fix! Thanks to Dmitry
>>Sivachenko for reporting this bug.
>>
>> - risk of crash when using header captures on a TCP frontend. This is a
>>configuration issue, and this situation is now correctly detected and
>>reported. Thanks to Olufemi Omojola for reporting this bug.
>>
>> - risk of crash when some servers are declared with checks in a farm
>> which
>>does not use an LB algorithm (eg: "option transparent" or "dispatch").
>>This happens when a server state is updated and reported to the non-
>>existing LB algorithm. Fortunately, this happens at start-up when
>>reporting the servers either up or down, but still it's after the fork
>>and too late for being easily recovered from by scripts. Thanks to
>> David
>>Touzeau for reporting this bug.
>>
>> - "balance source" did not correctly hash IPv6 addresses, so IPv4
>>connections to IPv6 listeners would always get the same result. Thanks
>>to Alex Markham for reporting this bug.
>>
>> - the connect timeout was not properly reset upon connection
>> establishment,
>>resulting in a retry if the timeout struck exactly at the same
>> millisecond
>>the connect succeeded. The effect is that if a request was sent as
>> part of
>>the connect hanshake, it is not available for resend during the retry
>> and
>>a response timeout is reported for the server. Note that in practice,
>> this
>>only happens with erroneous configurations. Thanks to Yehuda Sadeh for
>>reporting this bug.
>>
>> - the error captures were wrong if the buffer wrapped, which happens when
>>capturing incorrectly encoded chunked responses.
>>
>> I also backported Cyril's work on the stats page to allow POST params to
>> be
>> posted in any order, because I know there are people who script actions on
>> this page.
>>
>> This release also includes doc cleanups from Cyril, Dmitry Sivachenko and
>> Adrian Bridgett.
>>
>> Distro packagers will be happy to know that I added explicit checks to
>> shut
>> gcc warnings about unchecked write() return value in the debug code.
>>
>> While it's very likely that almost nobody is affected by the bugs above,
>> troubleshooting them is annoying enough to justify an upgrade.
>>
>> Sources, Linux/x86 and Solaris/sparc binaries are at the usual location :
>>
>>site index : http://haproxy.1wt.eu/
>>sources: http://haproxy.1wt.eu/download/1.4/src/
>>changelog : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
>>binaries : http://haproxy.1wt.eu/download/1.4/bin/
>>
>> Willy
>>
>>
>>
>