On 19.04.2018 at 17:34, Willy Tarreau wrote:
> Hi,
> 
> HAProxy 1.8.8 was released on 2018/04/19. It added 8 new commits
> after version 1.8.7.

As usual the images are updated

https://hub.docker.com/r/me2digital/haproxy18/
https://hub.docker.com/r/me2digital/openshift-ocp-router-hap18/

If you ask why I still build these images for OpenShift as well, the easy
answer is that this image has Lua included and therefore you can run the
header dumper without modifying the image ;-)

https://www.me2digital.com/blog/2018/01/show-headers-in-haproxy/

Best regards
Aleks

> The most important one fixes a vulnerability in the HTTP/2 frame parser
> which can be used to remotely crash the process. Code execution is
> extremely unlikely to happen given that buffer allocation from memory
> pools is not quite predictable and that the surrounding memory areas
> are also unpredictable in a production environment. But since it is
> very easy to crash the process, H2 users must absolutely upgrade.
> 
> A CVE id was requested, unfortunately it was not delivered before this
> announcement but I preferred to keep everyone safe by releasing as soon as
> possible. I want to address special thanks to Jordan Zebor from F5
> Networks for reporting this issue responsibly.
> 
> The other relevant commits fix a min/max bug involving gcc < 4.7 with
> threads which affects frequency counters, a risk of crash when a mux
> failed to initialize and is destroyed, and a risk of event losses with
> kqueue.
> 
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Sources          : http://www.haproxy.org/download/1.8/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
>    Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> 
> Willy
> ---
> Complete changelog :
> Aurélien Nephtali (2):
>       BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE
>       MINOR: cli: Ensure the CLI always outputs an error when it should
> 
> Christopher Faulet (2):
>       BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes
>       BUG/MINOR: http: Return an error in proxy mode when url2sa fails
> 
> Olivier Houchard (2):
>       BUG/MEDIUM: connection: Make sure we have a mux before calling detach().
>       BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors.
> 
> Willy Tarreau (2):
>       DOC: lua: update the links to the config and Lua API
>       BUG/CRITICAL: h2: fix incorrect frame length check
> 
> ---
> 
> 

