Re: [ANNOUNCE] haproxy-1.8.14 - Security Update

2018-09-20 Thread Aleksandar Lazic
Am 20.09.2018 um 14:31 schrieb Willy Tarreau:
> Subject: [ANNOUNCE] haproxy-1.8.14
> To: haproxy@formilux.org
> 
> Hi,
> 
> HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
> after version 1.8.13.

Image on Docker Hub was updated too.

https://hub.docker.com/r/me2digital/haproxy18/

Regards
Aleks

[ANNOUNCE] haproxy-1.8.14 - Security Update

2018-09-20 Thread Willy Tarreau
Subject: [ANNOUNCE] haproxy-1.8.14
To: haproxy@formilux.org

Hi,

HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
after version 1.8.13.

The most important one fixes a security issue reported by Tim Düsterhus
and which was assigned CVE-2018-14645. There is an integer signedness
issue in the HPACK decoder used in HTTP/2 which theoretically makes it
possible to remotely crash an haproxy instance where HTTP/2 is in use.
I want to thank Tim for his responsible reporting and Ryan O'Hara for
quickly providing us with a CVE ID.

The only workaround for those who for various reasons can't immediately
update, is to disable HTTP/2. But distros will provide an updated package
soon. If some distro maintainers need a way to test if their version is
properly fixed, please contact me privately, I'll explain how to proceed.

Two other major issues are fixed in this version, one of them related to
how SSL is initialized in Lua, apparently it didn't properly consider
the presence of threads, leading to random behaviours. The second only
affects kqueue, I don't have the details in memory, I suspect it was
causing some delays in connection processing there.

The rest is the regular list of problematic but not critical issues that
need to be fixed but for which there is no emergency. 

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Baptiste Assmann (4):
  MINOR: dns: fix wrong score computation in dns_get_ip_from_response
  MINOR: dns: new DNS options to allow/prevent IP address duplication
  BUG/MEDIUM: dns/server: fix incompatibility between SRV resolution and server state file
  BUG/MINOR: dns: check and link servers' resolvers right after config parsing

Bertrand Jacquin (2):
  DOC: ssl: Use consistent naming for TLS protocols
  DOC: Fix typos in lua documentation

Cyril Bonté (1):
  BUG/MEDIUM: lua: socket timeouts are not applied

Dragan Dosen (1):
  BUG/MEDIUM: patterns: fix possible double free when reloading a pattern 
list

Emeric Brun (4):
  BUG/MINOR: ssl: empty connections reported as errors.
  BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
  BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable 
error.
  BUG/MINOR: map: fix map_regm with backref

Emmanuel Hocdet (1):
  BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1

Frédéric Lécaille (3):
  BUG/MINOR: lua: Bad HTTP client request duration.
  BUG/MAJOR: thread: lua: Wrong SSL context initialization.
  BUG/MINOR: server: Crash when setting FQDN via CLI.

Jens Bissinger (1):
  DOC: Fix spelling error in configuration doc

Lukas Tribus (1):
  DOC: dns: explain set server ... fqdn requires resolver

Olivier Houchard (4):
  MINOR: threads: Introduce double-width CAS on x86_64 and arm.
  BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
  BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
  BUG/MAJOR: kqueue: Don't reset the changes number by accident.

Patrick Hemmer (1):
  BUG/MEDIUM: lua: reset lua transaction between http requests

Thierry FOURNIER (1):
  BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers

Willy Tarreau (20):
  BUG/MEDIUM: servers: check the queues once enabling a server
  BUG/MEDIUM: queue: prevent a backup server from draining the proxy's 
connections
  BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
  MINOR: threads: add more consistency between certain variables in 
no-thread case
  BUG/MEDIUM: threads: fix the no-thread case after the change to the sync 
point
  MEDIUM: hathreads: implement a more flexible rendez-vous point
  BUG/MEDIUM: cli: make "show fd" thread-safe
  BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent 
updates
  BUG/MEDIUM: cli/threads: protect some server commands against concurrent 
operations
  BUG/MEDIUM: unix: provide a ->drain() function
  BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
  MINOR: thread: implement HA_ATOMIC_XADD()
  BUG/MINOR: stream: use atomic increments for the request counter
  BUG/MEDIUM: session: fix reporting of handshake processing time in the 
logs
  BUG/MEDIUM: h2: fix risk of memory leak on malformed wrapped frames
  BUG/MINOR: http/threads: atomically increment the error snapshot ID
  BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
  BUG/MINOR: tools: fix set_net_port() /
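Added example, not part of this thread or of the haproxy project: a POSIX shell script that does the two things an operator wants after reading the announcement above, check whether the installed haproxy is already 1.8.14 or newer, and find out whether the configuration enables HTTP/2 at all, then emit the announced workaround (HTTP/2 disabled) for configs that cannot be upgraded right away. It assumes HAProxy 1.8's configuration syntax, where HTTP/2 is negotiated by listing h2 in the alpn option of an ssl bind line, and assumes the first line of haproxy -v looks like "HA-Proxy version 1.8.13 2018/07/30". The configuration embedded at the bottom and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not haproxy project code). Version and HTTP/2 checks for
# CVE-2018-14645 plus the "disable HTTP/2" workaround from the announcement.

# Extract the dotted version from an "haproxy -v" first line such as
# "HA-Proxy version 1.8.14-1ubuntu1 2018/09/20". The line is passed as an
# argument so the function also works offline and in tests.
parse_haproxy_version() {
    printf '%s\n' "$1" | sed -nE 's/^HA-?Proxy version ([0-9]+(\.[0-9]+)*).*/\1/p'
}

# Turn "1.8.14" into the sortable integer 1008014 (missing components are 0).
version_key() {
    # shellcheck disable=SC2046  (splitting on the dots is intended)
    printf '%d%03d%03d' $(printf '%s' "$1" | tr . ' ')
}

# version_ge A B: true when version A is greater than or equal to version B.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# A 1.8 bind line enables HTTP/2 when its alpn list contains the token "h2"
# (anywhere in the comma-separated list, as a whole token).
H2_BIND_RE='^[[:space:]]*bind[[:space:]].*[[:space:]]alpn[[:space:]]+([^[:space:]]*,)?h2(,[^[:space:]]*)?([[:space:]]|$)'

# Print the bind lines (with line numbers) of config file $1 that advertise h2.
h2_bind_lines() { grep -nE "$H2_BIND_RE" "$1" || true; }

# Print how many bind lines in config file $1 advertise h2 (0 when none).
count_h2_binds() { grep -cE "$H2_BIND_RE" "$1" || true; }

# Workaround: write config file $1 to stdout with h2 removed from every alpn
# list on a bind line; an alpn option that listed only h2 is dropped entirely.
disable_h2() {
    sed -E '/^[[:space:]]*bind[[:space:]]/ {
        s/([[:space:]]alpn[[:space:]]+)h2,/\1/
        s/([[:space:]]alpn[[:space:]]+[^[:space:]]*),h2(,|[[:space:]]|$)/\1\2/
        s/[[:space:]]+alpn[[:space:]]+h2([[:space:]]|$)/\1/
    }' "$1"
}

# Constructed sample configuration: two frontends with h2 in different
# positions of the alpn list, one alpn that is only h2, and one plain bind.
SAMPLE_CFG='global
    log /dev/log local0

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/site.pem alpn http/1.1,h2
    bind :8444 ssl crt /etc/haproxy/site.pem alpn h2
    bind :80
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check'

# Run the checks against the installed binary (if any) and the sample config.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CFG" > "$tmp"
    if command -v haproxy >/dev/null 2>&1; then
        ver=$(parse_haproxy_version "$(haproxy -v 2>/dev/null | head -n 1)")
        if version_ge "${ver:-0}" 1.8.14; then
            echo "haproxy $ver: 1.8.14 or newer, CVE-2018-14645 fix present"
        else
            echo "haproxy ${ver:-unknown}: older than 1.8.14, upgrade or disable HTTP/2"
        fi
    fi
    echo "bind lines advertising h2 in $tmp: $(count_h2_binds "$tmp")"
    h2_bind_lines "$tmp"
    echo "--- workaround config (h2 removed) ---"
    disable_h2 "$tmp"
    rm -f "$tmp"
}
demo
```

The detection is a line-level regex over a single file: it does not follow configuration split across a directory, and it only knows the alpn spelling of HTTP/2 used on 1.8 bind lines. After replacing a config with the disable_h2 output, validate it with `haproxy -c -f <file>` before reloading, and treat the workaround as temporary, since the announcement's only real fix is the updated package.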