On Sun, Nov 24, 2019 at 03:04:20PM +0100, William Dauchy wrote:
> trivial patch to fix issue #351
> Fixes: bc6ca7ccaa72 ("MINOR: ssl/cli: rework 'set ssl cert' as 'set/commit'")
> Reported-by: Илья Шипицин
> Signed-off-by: William Dauchy
> src/ssl_sock.c | 2 +-
> 1 file changed, 1
HAProxy 1.9.13 was released on 2019/11/25. It added 39 new commits
after version 1.9.12.
It addresses the same security issues as announced in 2.0.10:
- The first one, found by Tim Düsterhus, lets an attacker pass control
characters into header fields, leading to a possibility of content
HAProxy 2.0.10 was released on 2019/11/25. It added 37 new commits
after version 2.0.9.
This version addresses two potential security issues in the H2 decoder.
The first one, found by Tim Düsterhus, lets an attacker pass control
characters into header fields, leading to a possibility of
On 23/11/2019 at 20:38, William Dauchy wrote:
we were decoding all substrings and then parsing; this could lead to
considering & and = in the decoding result as delimiters where it should not.
this patch reverses the order by first parsing and then decoding each key
and value separately.
HAProxy 2.1.0 was released on 2019/11/25. It added 45 new commits
after version 2.1-dev5.
As some might have noticed, the last week was quite calm except the last
few days with a few unexpected bugs to deal with. But that's better than
having bugs immediately after the release forcing a new
HAProxy 1.8.23 was released on 2019/11/25. It added 14 new commits
after version 1.8.22.
This version is mostly aimed at addressing the header name encoding
issue in HTTP/2. In addition it fixes a corner case where a listener
may loop eating CPU when reaching the frontend/process' connection
On Sat, Nov 23, 2019 at 11:45:10PM +0100, Tim Duesterhus wrote:
> This commit removes the explicit checks for `if (err)` before
> passing `err` to `memprintf`. `memprintf` already checks itself
> whether the `**out*` parameter is `NULL` before doing anything.
> This reduces the indentation depth
On 25.11.19 at 17:57, Willy Tarreau wrote:
> I agree that it's cleaner this way, however it then uncovers another
> issue which is that *if* ever called with a NULL err then it will leak
> memory. William said in the issue discussion that the functions are not
Will it actually leak
On 25.11.19 at 08:57, William Lallemand wrote:
> Merged, Thanks Tim.
> I removed the mention to the backport because it's in master only and mustn't
> be backported.
When the other commit is not going to be backported either then that's
On Mon, Nov 25, 2019 at 09:17:51PM +0100, Tim Düsterhus wrote:
> On 25.11.19 at 17:57, Willy Tarreau wrote:
> > I agree that it's cleaner this way, however it then uncovers another
> > issue which is that *if* ever called with a NULL err then it will leak
> > memory. William said in
On Mon, Nov 25, 2019 at 05:57:04PM +0100, Willy Tarreau wrote:
> What I'd suggest instead as a better and more durable cleanup would be
> to explicitly mention above the function's prototype that it must not
> be called with a null err pointer, and remove all "if (err)" or "err &&"
> tests so that