Re: [ANNOUNCE] HTX vulnerability from 2.0 to 2.5-dev

2021-09-09 Thread Willy Tarreau
Hi Bjoern,

On Thu, Sep 09, 2021 at 08:18:24PM +0200, bjun...@gmail.com wrote:
> Hi,
> 
> Is HAProxy 2.0.x with "no option http-use-htx" also affected by
> this vulnerability?

No, it's not. I thought I mentioned it but it's possible that I forgot
it in the end.

Regards,
Willy



Re: [ANNOUNCE] HTX vulnerability from 2.0 to 2.5-dev

2021-09-09 Thread bjun...@gmail.com
Hi,

Is HAProxy 2.0.x with "no option http-use-htx" also affected by
this vulnerability?

Best regards / Kind regards
Bjoern

On Tue, Sep 7, 2021 at 17:30, Willy Tarreau wrote:

> Hi everyone,
>
> Right after the previous announce of HTTP/2 vulnerabilities, a group
> of security researchers from JFrog Security have been looking for the
> possibility of remaining issues around the same topic. While there was
> nothing directly exploitable, Ori Hollander found a bug in the HTTP
> header name length encoding in the HTX representation by which the most
> significant bit of the name's length can slip into the value's least
> significant bit, and figured he could craft a valid request that could
> inject a dummy content-length on input that would be produced on output
> in addition to the other one, resulting in the possibility of a blind
> request smuggling attack ("blind" because the response never gets back
> to the attacker). Quite honestly they've done an excellent job at
> spotting this one because it's not every day that you manage to turn
> a single-bit overflow into an extra request, and figuring this required
> to dig deeply into the layers! It's likely that they'll publish something
> shortly about their finding.
>
> CVE-2021-40346 was assigned to this issue, which affects versions 2.0
> and above. I'm going to emit new maintenance releases for 2.0, 2.2, 2.3
> and 2.4 (2.5 still being in development, it will be released a bit later).
>
> A possible workaround for those who cannot upgrade is to block requests
> and responses featuring more than one content-length header after the
> overflow occurred; these ones are always invalid because they're always
> resolved during the parsing phase, hence this condition never reaches
> the HTTP layer:
>
>    http-request  deny if { req.hdr_cnt(content-length) gt 1 }
>    http-response deny if { res.hdr_cnt(content-length) gt 1 }
>
> I'd like to thank the usual distro maintainers for having accepted to
> produce yet another version of their packages in a short time. Hopefully
> now we can all get back to development!
>
> Thanks,
> Willy
>
>

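The workaround ACL from Willy's announcement restated as a standalone check, added here as an example (not HAProxy code): it parses an HTTP/1.1 message head, counts Content-Length occurrences case-insensitively like hdr_cnt(content-length), and denies when more than one is present. The sample requests and response are constructed.

```python
"""Emulate the announced workaround: deny any HTTP/1.1 message head that
carries more than one Content-Length header field (request or response).
Added example, not HAProxy's code; sample messages below are constructed."""
from typing import List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a message head into its start line and (name, value) pairs.
    Header names are lower-cased because HTTP field names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def content_length_count(raw: bytes) -> int:
    """Number of Content-Length field occurrences, the analogue of
    req.hdr_cnt(content-length) / res.hdr_cnt(content-length)."""
    _, headers = parse_head(raw)
    return sum(1 for name, _ in headers if name == "content-length")


def should_deny(raw: bytes) -> bool:
    """The workaround ACL as a predicate: deny when the count is greater than 1.
    A message with two Content-Length fields is always invalid at this point,
    since a legitimate duplicate is resolved during parsing and never reaches
    the HTTP layer."""
    return content_length_count(raw) > 1


# Constructed samples: a normal request, one with a second Content-Length
# (differing only in case), and a response with a duplicated field.
NORMAL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\n\r\nhello")
DOUBLE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\ncontent-length: 0\r\n\r\nhello")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n"
            b"Content-Length: 3\r\n\r\nabc")

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("double", DOUBLE), ("response", RESPONSE)):
        print(label, "deny" if should_deny(msg) else "allow")
```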

Re: [ANNOUNCE] HTX vulnerability from 2.0 to 2.5-dev

2021-09-08 Thread Vincent Bernat
 ❦  8 September 2021 09:02 +02, Artur:

> Hello,
>
> Thank you.
>
> Could you please explain the version numbering differences between the
> official haproxy release and the Linux distribution packages?
>
> For example: 2.4.4 (official) -> 2.4.3-2~bpo10+1 (Debian 10
> backports)

2.4.3-2~bpo10+1 means this is based on upstream version 2.4.3, second
revision for Debian (-2), backport to Debian 10 (~bpo10), first iteration of
the backport (+1). The changelog (in ~doc/haproxy/changelog.Debian.gz)
gives a hint of the deviation compared to the official upstream version:

haproxy (2.4.3-2~bpo10+1) buster-backports; urgency=medium

  * Rebuild for buster-backports.

 -- Vincent Bernat   Sat, 04 Sep 2021 15:19:43 +0200

haproxy (2.4.3-2) experimental; urgency=high

  * d/patches: fix missing header name length check in HTX (CVE-2021-40346).

 -- Vincent Bernat   Sat, 04 Sep 2021 11:56:31 +0200

haproxy (2.4.3-1~bpo10+1) buster-backports; urgency=medium

  * Rebuild for buster-backports.

 -- Vincent Bernat   Sat, 21 Aug 2021 16:47:45 +0200

haproxy (2.4.3-1) experimental; urgency=medium

  * New upstream release.
  * d/patches: remove patches applied upstream.
  * d/patches: h2: match absolute-path not path-absolute for :path.

 -- Vincent Bernat   Sat, 21 Aug 2021 16:32:25 +0200

Debian packages are not based on 2.4.4 because they were prepared in
advance to be ready when the vulnerability was announced. Packages based
on 2.4.4 will become available later this week.
-- 
Instrument your programs.  Measure before making "efficiency" changes.
- The Elements of Programming Style (Kernighan & Plauger)

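A parser for the version layout Vincent explains above, added here as an example (not the thread's code and not dpkg's algorithm): it splits a Debian/Ubuntu package version into upstream release, Debian revision, vendor tag, backport target and backport iteration, and tells whether an installed version is at least the fixed one from the same package line. The comparison is a deliberate simplification that only covers the layouts listed in this thread, and the sample versions are the ones the thread lists.

```python
"""Decompose Debian/Ubuntu version strings such as 2.4.3-2~bpo10+1 and compare an
installed version with the fixed one of the same package line. Added example:
the comparison is simplified relative to dpkg's algorithm and only covers the
version layouts that appear in this thread."""
import re
from typing import NamedTuple, Optional

VERSION_RE = re.compile(
    r"^(?P<upstream>\d+(?:\.\d+)*)"                          # upstream release: 2.4.3
    r"-(?P<revision>\d+)"                                    # Debian revision: -2
    r"(?:(?P<vendor>ppa|ubuntu[\d.]*\.|\+deb\d+u)(?P<vendor_rev>\d+))?"  # ppa2, ubuntu0.3, +deb11u2
    r"(?:~(?P<backport>bpo\d+|[a-z]+))?"                     # backport target: ~bpo10, ~bionic
    r"(?:\+(?P<iteration>\d+))?$"                            # backport iteration: +1
)


class DebVersion(NamedTuple):
    upstream: tuple
    revision: int
    vendor: Optional[str]
    vendor_rev: int
    backport: Optional[str]
    iteration: int


def parse(version: str) -> DebVersion:
    """Split a version string into its components; unknown layouts are rejected."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version layout: {version}")
    return DebVersion(
        upstream=tuple(int(x) for x in m["upstream"].split(".")),
        revision=int(m["revision"]),
        vendor=m["vendor"],
        vendor_rev=int(m["vendor_rev"] or 0),
        backport=m["backport"],
        iteration=int(m["iteration"] or 0),
    )


def is_at_least(installed: str, fixed: str) -> bool:
    """True when `installed` is the fixed package or a later rebuild/revision of it.
    Only defined for the same upstream release, vendor tag and backport target;
    anything else is a different package line and must be checked by hand."""
    a, b = parse(installed), parse(fixed)
    if (a.upstream, a.vendor, a.backport) != (b.upstream, b.vendor, b.backport):
        raise ValueError("not the same package line: compare against the matching entry")
    return (a.revision, a.vendor_rev, a.iteration) >= (b.revision, b.vendor_rev, b.iteration)


if __name__ == "__main__":
    # Versions taken from the thread: the -1 backport predates the fix, -2 carries it.
    for v in ("2.4.3-1~bpo10+1", "2.4.3-2~bpo10+1", "2.4.3-2~bpo10+2"):
        print(v, parse(v), "fixed" if is_at_least(v, "2.4.3-2~bpo10+1") else "NOT fixed")
```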


Re: [ANNOUNCE] HTX vulnerability from 2.0 to 2.5-dev

2021-09-07 Thread Willy Tarreau
On Tue, Sep 07, 2021 at 09:39:41PM +0200, Vincent Bernat wrote:
>  ❦  7 September 2021 17:27 +02, Willy Tarreau:
> 
> > I'd like to thank the usual distro maintainers for having accepted to
> > produce yet another version of their packages in a short time. Hopefully
> > now we can all get back to development!
> 
> For Debian/Ubuntu, the fixed versions are:
> 
> 2.4.3-2
> 2.4.3-2~bpo10+1
> 2.4.3-2~bpo11+1
> 2.4.3-2ppa2~bionic
> 2.4.3-2ppa1~focal
> 
> 2.3.13-2
> 2.3.13-2~bpo10+1
> 2.3.13-2ppa1~bionic
> 2.3.13-2ppa1~focal
> 
> 2.2.16-3
> 2.2.16-3~bpo9+1
> 2.2.16-3~bpo10+1
> 2.2.16-3ppa1~bionic
> 2.2.16-3ppa1~focal
> 2.2.9-2+deb11u2 (to be released pretty soon)
> 2.2.9-2+deb11u2~bpo10+1 (not released yet)
> 2.2.9-1ubuntu0.2 (not 100% sure as it is not released yet)
> 
> 2.0.24-1
> 2.0.24-1~bpo9+1
> 2.0.24-1~bpo10+1
> 2.0.24-1ppa1~xenial
> 2.0.24-1ppa1~bionic
> 2.0.24-1ppa1~focal
> 2.0.13-2ubuntu0.3 (not 100% sure as it is not released yet)

Thank you Vincent!
Willy



Re: [ANNOUNCE] HTX vulnerability from 2.0 to 2.5-dev

2021-09-07 Thread Vincent Bernat
 ❦  7 September 2021 17:27 +02, Willy Tarreau:

> I'd like to thank the usual distro maintainers for having accepted to
> produce yet another version of their packages in a short time. Hopefully
> now we can all get back to development!

For Debian/Ubuntu, the fixed versions are:

2.4.3-2
2.4.3-2~bpo10+1
2.4.3-2~bpo11+1
2.4.3-2ppa2~bionic
2.4.3-2ppa1~focal

2.3.13-2
2.3.13-2~bpo10+1
2.3.13-2ppa1~bionic
2.3.13-2ppa1~focal

2.2.16-3
2.2.16-3~bpo9+1
2.2.16-3~bpo10+1
2.2.16-3ppa1~bionic
2.2.16-3ppa1~focal
2.2.9-2+deb11u2 (to be released pretty soon)
2.2.9-2+deb11u2~bpo10+1 (not released yet)
2.2.9-1ubuntu0.2 (not 100% sure as it is not released yet)

2.0.24-1
2.0.24-1~bpo9+1
2.0.24-1~bpo10+1
2.0.24-1ppa1~xenial
2.0.24-1ppa1~bionic
2.0.24-1ppa1~focal
2.0.13-2ubuntu0.3 (not 100% sure as it is not released yet)
-- 
Don't patch bad code - rewrite it.
- The Elements of Programming Style (Kernighan & Plauger)