Hi,

HAProxy 1.9.15 was released on 2020/04/02. It added 53 new commits after version 1.9.14.

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue. In 1.9, it is possible to work around this issue by removing "npn h2", "alpn h2" or "proto h2" on "bind" lines, which will result in disabling HTTP/2 support. But upgrading will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process' heap, with the limitation that the attacker doesn't control the absolute address. The most likely result, by a wide margin, is a process crash, but it is not possible to completely rule out the faint possibility of remote code execution, at least in a lab-controlled environment.

Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time for haproxy users to apply updates. But please do not wait, as it is not very difficult to figure out how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.

Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with gcc 10 unless using -fno-tree-pta. This bug results in infinite loops at random places in the code, depending on how the compiler decides to optimize it.
  - a bug in the way TLV fields are extracted from the PROXY protocol, as they could be mistakenly looked up in the subsequent payload. The effects are limited since those payload bytes would generally be meaningless for the transported protocol, but the bug could be used to hide a source address from logging, for example.
  - the "tarpit" rules were partially broken: since 1.9 they wouldn't prevent a connection from being sent to a server while the 500 response is delivered to the client. Given that they are often used to block suspicious activity, this is problematic.

The rest is less important, but still relevant to some users. Please have a look at the changelog below for a more detailed list of fixes, and do not forget to update, either from the sources or from your regular distro channels.

Important note: let me remind you that we're almost 18 months after 1.9 was released, that in December we said it would live for another 3-4 months, and that now it's about time to see it disappear. Thus, barring any other major issue requiring a quick fix in the forthcoming weeks/months, it's unlikely that there will be another 1.9 version. I'm not suggesting rushing an upgrade, especially when dealing with a security issue, but keep somewhere in your head that you'll really need to migrate to 2.0 or newer soon. I'll purposely mark it "End of life" on the site, even though I'm still open to a few extras if really needed and justified.
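To make the PROXY protocol TLV point above concrete, here is an added example of how the TLVs of a version 2 PROXY header have to be walked. It is written for this post and is not HAProxy's own parser: the signature, the family/transport byte, the address block sizes and the TLV type 0x05 follow the PROXY protocol v2 specification, while the function and wrapper names and the two sample buffers are constructed for the illustration (they are not captured traffic). The property the fix restores is that a TLV may only span bytes covered by the 16-byte header's length field, so a bogus TLV length can never make the parser read the application data that follows the header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PROXY protocol v2 constants (from the spec) */
#define PP2_SIG       "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
#define PP2_SIG_LEN   12
#define PP2_FIXED_LEN 16          /* signature + ver/cmd + fam/proto + length */
#define PP2_TYPE_UNIQUE_ID 0x05   /* the TLV type reserved in this release */

struct pp2_tlv_view {
    uint8_t        type;
    uint16_t       len;
    const uint8_t *value;  /* points into the header, never into the payload */
};

/* Size of the address block implied by the family/transport byte. */
static int pp2_addr_len(uint8_t fam)
{
    switch (fam >> 4) {
    case 0x0: return 0;     /* AF_UNSPEC: no address block */
    case 0x1: return 12;    /* AF_INET:  4+4 bytes of address, 2+2 of port */
    case 0x2: return 36;    /* AF_INET6: 16+16 bytes of address, 2+2 of port */
    case 0x3: return 216;   /* AF_UNIX:  108+108 bytes of path */
    default:  return -1;
    }
}

/* Walk the TLVs of a v2 header. Returns the TLV count (at most max are
 * stored in out[]), or -1 when the header is malformed or incomplete. On
 * success *payload_off is the offset where the transported protocol starts. */
int pp2_parse_tlvs(const uint8_t *buf, size_t buflen,
                   struct pp2_tlv_view *out, int max, size_t *payload_off)
{
    if (buflen < PP2_FIXED_LEN || memcmp(buf, PP2_SIG, PP2_SIG_LEN) != 0)
        return -1;
    if ((buf[12] & 0xF0) != 0x20)              /* version must be 2 */
        return -1;

    size_t hlen    = ((size_t)buf[14] << 8) | buf[15];
    size_t hdr_end = PP2_FIXED_LEN + hlen;     /* first byte of the payload */
    if (hdr_end > buflen)                      /* header not fully received */
        return -1;

    int alen = pp2_addr_len(buf[13]);
    if (alen < 0 || (size_t)alen > hlen)
        return -1;

    size_t pos = PP2_FIXED_LEN + (size_t)alen;
    int count = 0;
    while (pos < hdr_end) {
        if (hdr_end - pos < 3)                 /* truncated TLV header */
            return -1;
        uint8_t  type = buf[pos];
        uint16_t len  = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
        /* The essential bounds check: the value must end before hdr_end.
         * Without it, an oversized length makes the value extend into the
         * payload bytes that follow the header. */
        if (len > hdr_end - pos - 3)
            return -1;
        if (count < max) {
            out[count].type  = type;
            out[count].len   = len;
            out[count].value = buf + pos + 3;
        }
        count++;
        pos += 3 + len;
    }
    *payload_off = hdr_end;
    return count;
}

/* Constructed samples (not captured traffic): TCP/IPv4 10.0.0.1:54321 ->
 * 10.0.0.2:443, one PP2_TYPE_UNIQUE_ID TLV "abcd", then an HTTP request. */
#define PP2_ADDRS 10,0,0,1, 10,0,0,2, 0xD4,0x31, 0x01,0xBB
#define PAYLOAD   'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n'

const uint8_t sample_ok[] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,'Q','U','I','T',0x0A,
    0x21, 0x11, 0x00, 0x13,            /* v2 PROXY, TCP/IPv4, 19 bytes follow */
    PP2_ADDRS,
    PP2_TYPE_UNIQUE_ID, 0x00, 0x04, 'a','b','c','d',
    PAYLOAD
};

/* Same bytes, but the TLV claims 20 value bytes while only 4 remain in the
 * header: an unchecked parser would read "GET / ..." as part of the ID. */
const uint8_t sample_overrun[] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,'Q','U','I','T',0x0A,
    0x21, 0x11, 0x00, 0x13,
    PP2_ADDRS,
    PP2_TYPE_UNIQUE_ID, 0x00, 0x14, 'a','b','c','d',
    PAYLOAD
};

/* Small wrappers over the samples so the results can be checked by name. */
int sample_ok_tlv_count(void)
{
    struct pp2_tlv_view t[4]; size_t off;
    return pp2_parse_tlvs(sample_ok, sizeof sample_ok, t, 4, &off);
}
int sample_ok_id_matches(void)
{
    struct pp2_tlv_view t[4]; size_t off;
    if (pp2_parse_tlvs(sample_ok, sizeof sample_ok, t, 4, &off) != 1) return 0;
    return t[0].type == PP2_TYPE_UNIQUE_ID && t[0].len == 4 &&
           memcmp(t[0].value, "abcd", 4) == 0;
}
long sample_ok_payload_off(void)
{
    struct pp2_tlv_view t[4]; size_t off = 0;
    pp2_parse_tlvs(sample_ok, sizeof sample_ok, t, 4, &off);
    return (long)off;
}
int sample_overrun_result(void)
{
    struct pp2_tlv_view t[4]; size_t off;
    return pp2_parse_tlvs(sample_overrun, sizeof sample_overrun, t, 4, &off);
}

int main(void)
{
    printf("valid header: %d TLV(s), payload starts at offset %ld\n",
           sample_ok_tlv_count(), sample_ok_payload_off());
    printf("overrun header: result %d (rejected)\n", sample_overrun_result());
    return 0;
}
```

The rejected sample is exactly the shape the changelog's "Properly validate TLV lengths" entry is about: the advertised header length is honest, but one TLV inside it lies, and only a check against the header end (not against the buffer end) catches it.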
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.9/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
   Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Christopher Faulet (16):
      MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
      MINOR: filters: Forward data only if the last filter forwards something
      BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
      BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
      BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
      BUG/MINOR: http-ana: Reset request analysers on a response side error
      BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
      BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
      BUG/MINOR: http-rules: Fix a typo in the reject action function
      BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
      BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
      MINOR: http-rules: Add a flag on redirect rules to know the rule direction
      MINOR: http-rules: Handle the rule direction when a redirect is evaluated
      BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
      BUG/MINOR: filters: Forward everything if no data filters are called
      BUG/MINOR: http-ana: Reset request analysers on error when waiting for response

Daniel Corbett (1):
      BUG/MINOR: stats: Fix color of draining servers on stats page

Ilya Shipitsin (1):
      DOC: assorted typo fixes in the documentation

Jerome Magnin (1):
      BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits

Lukas Tribus (2):
      BUG/MINOR: dns: ignore trailing dot
      DOC: ssl: clarify security implications of TLS tickets

Miroslav Zagorac (1):
      DOC: internals: Fix spelling errors in filters.txt

Olivier Houchard (1):
      BUG/MINOR: connections: Make sure we free the connection on failure.

Tim Duesterhus (3):
      BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
      BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
      DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID

William Dauchy (1):
      BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat

William Lallemand (2):
      BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
      BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL

Willy Tarreau (22):
      SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
      BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines
      CONTRIB: debug: add the possibility to decode the value as certain types only
      CONTRIB: debug: support reporting multiple values at once
      CONTRIB: debug: also support reading values from stdin
      BUG/MEDIUM: shctx: make sure to keep all blocks aligned
      MINOR: compiler: move CPU capabilities definition from config.h and complete them
      BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
      BUILD: fix recent build failure on unaligned archs
      MINOR: compiler: add new alignment macros
      BUILD: ebtree: improve architecture-specific alignment
      BUG/MINOR: sample: fix the json converter's endian-sensitivity
      BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
      BUG/MINOR: connection: make sure to correctly tag local PROXY connections
      BUG/MAJOR: list: fix invalid element address calculation
      DOC: fix incorrect indentation of http_auth_*
      REGTEST: make the PROXY TLV validation depend on version 2.2
      BUG/MINOR: haproxy: always initialize sleeping_thread_mask
      REGTESTS: use "command -v" instead of "which"
      REGTEST: increase timeouts on the seamless-reload test
      BUG/MEDIUM: http: unbreak redirects in legacy mode
      BUG/CRITICAL: hpack: never index a header into the headroom after wrapping

---