-
haproxy (2.2.9-2+deb11u6) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * BUG/MAJOR: http: reject any empty content-length header value
    (CVE-2023-40225) (Closes: #1043502)
  * MINOR: ist: add new function ist_find_range() to find a character range
  * MINOR: ist: Add istend() function to return a pointer to the end of the
    string
  * MINOR: http: add new function http_path_has_forbidden_char()
  * MINOR: h2: pass accept-invalid-http-request down the request parser
  * BUG/MINOR: h1: do not accept '#' as part of the URI component
    (CVE-2023-45539)
  * BUG/MINOR: h2: reject more chars from the :path pseudo header
  * REGTESTS: http-rules: verify that we block '#' by default for
    normalize-uri
  * DOC: clarify the handling of URL fragments in requests

 -- Salvatore Bonaccorso <email address hidden> Sat, 23 Dec 2023 11:02:19 +0100
-
haproxy (2.2.9-2+deb11u5) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * BUG/MAJOR: fcgi: Fix uninitialized reserved bytes (CVE-2023-0836)

 -- Salvatore Bonaccorso <email address hidden> Mon, 10 Apr 2023 16:18:09 +0200
-
haproxy (2.2.9-2+deb11u3) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * BUG/MAJOR: http/htx: prevent unbounded loop in
    http_manage_server_side_cookies (CVE-2022-0711)

 -- Salvatore Bonaccorso <email address hidden> Thu, 10 Mar 2022 21:01:08 +0100
-
haproxy (2.2.9-2+deb11u2) bullseye-security; urgency=high

  * d/patches: fix missing header name length check in HTX (CVE-2021-40346).
  * d/patches: h2: match absolute-path not path-absolute for :path.
    Closes: #993303.

 -- Vincent Bernat <email address hidden> Sun, 05 Sep 2021 10:48:54 +0200
-
haproxy (2.2.9-2) unstable; urgency=medium

  * d/patches: fix agent-check regression putting down servers.
    Closes: #988779.

 -- Vincent Bernat <email address hidden> Thu, 27 May 2021 15:00:01 +0200