On 20.09.2018 at 14:31, Willy Tarreau wrote:
> Subject: [ANNOUNCE] haproxy-1.8.14
> To: haproxy@formilux.org
>
> Hi,
>
> HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
> after version 1.8.13.

Image on docker hub was updated too.
https://hub.docker.com/r/me2digital/haproxy18/

Regards
Aleks

> The most important one fixes a security issue reported by Tim Düsterhus
> and which was assigned CVE-2018-14645. There is an integer signedness
> issue in the HPACK decoder used in HTTP/2 which theoretically makes it
> possible to remotely crash an haproxy instance where HTTP/2 is in use.
> I want to thank Tim for his responsible reporting and Ryan O'Hara for
> quickly providing us with a CVE ID.
>
> The only workaround for those who for various reasons can't immediately
> update is to disable HTTP/2. But distros will provide an updated package
> soon. If some distro maintainers need a way to test if their version is
> properly fixed, please contact me privately, I'll explain how to proceed.
>
> Two other major issues are fixed in this version, one of them related to
> how SSL is initialized in Lua, apparently it didn't properly consider
> the presence of threads, leading to random behaviours. The second only
> affects kqueue, I don't have the details in memory, I suspect it was
> causing some delays in connection processing there.
>
> The rest is the regular list of problematic but not critical issues that
> need to be fixed but for which there is no emergency.
>
> Please find the usual URLs below :
> Site index : http://www.haproxy.org/
> Discourse : http://discourse.haproxy.org/
> Sources : http://www.haproxy.org/download/1.8/src/
> Git repository : http://git.haproxy.org/git/haproxy-1.8.git/
> Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
> Changelog : http://www.haproxy.org/download/1.8/src/CHANGELOG
> Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> Willy
> ---
> Complete changelog :
> Baptiste Assmann (4):
> MINOR: dns: fix wrong score computation in dns_get_ip_from_response
> MINOR: dns: new DNS options to allow/prevent IP address duplication
> BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file
> BUG/MINOR: dns: check and link servers' resolvers right after config parsing
>
> Bertrand Jacquin (2):
> DOC: ssl: Use consistent naming for TLS protocols
> DOC: Fix typos in lua documentation
>
> Cyril Bonté (1):
> BUG/MEDIUM: lua: socket timeouts are not applied
>
> Dragan Dosen (1):
> BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list
>
> Emeric Brun (4):
> BUG/MINOR: ssl: empty connections reported as errors.
> BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
> BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
> BUG/MINOR: map: fix map_regm with backref
>
> Emmanuel Hocdet (1):
> BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1
>
> Frédéric Lécaille (3):
> BUG/MINOR: lua: Bad HTTP client request duration.
> BUG/MAJOR: thread: lua: Wrong SSL context initialization.
> BUG/MINOR: server: Crash when setting FQDN via CLI.
>
> Jens Bissinger (1):
> DOC: Fix spelling error in configuration doc
>
> Lukas Tribus (1):
> DOC: dns: explain set server ... fqdn requires resolver
>
> Olivier Houchard (4):
> MINOR: threads: Introduce double-width CAS on x86_64 and arm.
> BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
> BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
> BUG/MAJOR: kqueue: Don't reset the changes number by accident.
>
> Patrick Hemmer (1):
> BUG/MEDIUM: lua: reset lua transaction between http requests
>
> Thierry FOURNIER (1):
> BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers
>
> Willy Tarreau (20):
> BUG/MEDIUM: servers: check the queues once enabling a server
> BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
> BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
> MINOR: threads: add more consistency between certain variables in no-thread case
> BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
> MEDIUM: hathreads: implement a more flexible rendez-vous point
> BUG/MEDIUM: cli: make "show fd" thread-safe
> BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
> BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
> BUG/MEDIUM: unix: provide a ->drain() function
> BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
> MINOR: thread: implement HA_ATOMIC_XADD()
> BUG/MINOR: stream: use atomic increments for the request counter
> BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
> BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
> BUG/MINOR: http/threads: atomically increment the error snapshot ID
> BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
> BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
> BUG/MINOR: cli: make sure the "getsock" command is only called on connections
> BUG/CRITICAL: hpack: fix improper sign check on the header index value
>
> ---
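The announcement above names the bug class behind CVE-2018-14645 (an integer signedness issue in an HPACK header-index check) without showing code. The following is an added illustration of that class in C, written for this thread; it is not HAProxy's decoder and not the patched code. The header table, the sample byte strings and every function name are constructed for the example. It decodes an RFC 7541 prefix integer, then contrasts a check that stores the index in a signed int (where a value of 2^31 or more wraps negative and slips past an upper-bound-only test) with a lookup that keeps the index unsigned and enforces both bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an HPACK header table (index 0 is unused, as in
 * RFC 7541). Not HAProxy's table or decoder: an illustration of the bug class. */
#define TABLE_SIZE 4
static const char *table[TABLE_SIZE] = { "(unused)", ":method", ":path", ":status" };

/* Constructed sample inputs, each a 7-bit-prefix integer as used for indexed
 * header fields. sample_ok encodes index 2; sample_huge encodes 2^31, which
 * fits a uint32_t but is negative once copied into a signed int;
 * sample_truncated ends in the middle of a continuation sequence. */
static const uint8_t sample_ok[]        = { 0x82 };
static const uint8_t sample_huge[]      = { 0xff, 0x81, 0xff, 0xff, 0xff, 0x07 };
static const uint8_t sample_truncated[] = { 0xff, 0x81 };

/* Decode an RFC 7541 section 5.1 integer with the given prefix width.
 * Returns the number of bytes consumed, or 0 if the encoding is truncated,
 * uses more than five continuation bytes, or does not fit in 32 bits. */
static size_t decode_varint(const uint8_t *buf, size_t len, unsigned prefix_bits,
                            uint32_t *out)
{
    uint32_t mask = (1u << prefix_bits) - 1;
    uint64_t value;                  /* 64-bit accumulator so overflow is detectable */
    size_t pos = 0;
    unsigned shift = 0;

    if (len == 0)
        return 0;
    value = buf[pos++] & mask;
    if (value < mask) {
        *out = (uint32_t)value;
        return pos;
    }
    while (pos < len) {
        uint8_t b = buf[pos++];
        if (shift > 28)
            return 0;                /* too many continuation bytes: reject */
        value += (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) {
            if (value > UINT32_MAX)
                return 0;            /* does not fit the caller's type: reject */
            *out = (uint32_t)value;
            return pos;
        }
    }
    return 0;                        /* truncated input */
}

/* The decoded index, or 0 (never a valid index) when decoding fails. */
static uint32_t decoded_index(const uint8_t *buf, size_t len)
{
    uint32_t idx;
    return decode_varint(buf, len, 7, &idx) ? idx : 0;
}

/* The flawed pattern: the index is copied into a signed int and only the
 * upper bound is tested. Returns 1 if the check would let the index through.
 * No table access happens here, so the flaw is shown without an out-of-bounds
 * read. */
static int flawed_check_accepts(const uint8_t *buf, size_t len)
{
    int idx = (int)decoded_index(buf, len);  /* 2^31 and above wrap negative */
    return idx < TABLE_SIZE;                 /* a negative idx passes this test */
}

/* Hardened lookup: the index stays unsigned and both bounds are enforced
 * before it is used as a subscript. Returns NULL for anything invalid. */
static const char *lookup_hardened(const uint8_t *buf, size_t len)
{
    uint32_t idx = decoded_index(buf, len);
    if (idx == 0 || idx >= TABLE_SIZE)
        return NULL;
    return table[idx];
}

int main(void)
{
    printf("index 2 -> %s\n", lookup_hardened(sample_ok, sizeof sample_ok));
    printf("huge index: flawed check accepts=%d, hardened lookup=%s\n",
           flawed_check_accepts(sample_huge, sizeof sample_huge),
           lookup_hardened(sample_huge, sizeof sample_huge) ? "hit" : "rejected");
    printf("truncated input: hardened lookup=%s\n",
           lookup_hardened(sample_truncated, sizeof sample_truncated) ? "hit" : "rejected");
    return 0;
}
```

The point to carry over to any decoder of attacker-controlled integers: keep the value in the unsigned width the wire format defines, reject it at decode time if it cannot fit, and compare against both ends of the valid range before it becomes an array subscript. A signed comparison such as `idx < TABLE_SIZE` silently accepts every negative value.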