Change logs for haproxy source package in Disco

  • haproxy (1.8.19-1ubuntu1.3) disco-security; urgency=medium
    
      * SECURITY UPDATE: Intermediary Encapsulation attacks
        - debian/patches/CVE-2019-19330.patch: reject header values containing
          invalid chars and make header field name filtering stronger in
          src/h2.c, include/common/ist.h, include/common/h2.h.
        - CVE-2019-19330
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 02 Dec 2019 13:55:16 -0300
  • haproxy (1.8.19-1ubuntu1.2) disco-security; urgency=medium
    
      * SECURITY UPDATE: Messages with transfer-encoding header missing "chunked"
        value were not being correctly rejected
        - debian/patches/CVE-2019-18277.patch: also reject messages where
          "chunked" is missing from transfer-encoding in
          src/proto_http.c.
        - CVE-2019-18277
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 04 Nov 2019 11:04:10 -0300
  • haproxy (1.8.19-1ubuntu1.1) disco; urgency=medium
    
      * Fix configurability of dh_params that regressed since building
        against openssl 1.1.1 (LP: #1841936)
        - d/p/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch
        - d/p/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch
    
     -- Christian Ehrhardt <email address hidden>  Wed, 23 Oct 2019 12:34:38 +0200
  • haproxy (1.8.19-1ubuntu1) disco; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
          generate traffic through haproxy.
          [Updated to use "service" instead of "systemctl" to match what was
          submitted to Debian.]
    
    haproxy (1.8.19-1) unstable; urgency=medium
    
      * New upstream version 1.8.19
        - BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
        - BUG/MEDIUM: server: initialize the idle conns list after parsing the
                      config
        - BUG/MAJOR:  spoe: Don't try to get agent config during SPOP healthcheck
        - BUG/MAJOR:  stream: avoid double free on unique_id (Closes: #921981)
    
    haproxy (1.8.18-1) unstable; urgency=medium
    
      * New upstream version 1.8.18
        - BUG/MAJOR: cache: fix confusion between zero and uninitialized cache
                     key
        - BUG/MAJOR: config: verify that targets of track-sc and stick rules
                     are present
        - BUG/MAJOR: spoe: verify that backends used by SPOE cover all their
                     callers' processes
    
     -- Andreas Hasenack <email address hidden>  Wed, 20 Feb 2019 14:18:15 +0100
  • haproxy (1.8.17-1ubuntu1) disco; urgency=medium
    
      * d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
        generate traffic through haproxy.
    
     -- Andreas Hasenack <email address hidden>  Thu, 24 Jan 2019 18:11:39 -0200
  • haproxy (1.8.17-1) unstable; urgency=medium
    
      * New upstream version 1.8.17
        - BUG/MAJOR: stream-int: Update the stream expiration date in
          stream_int_notify()
        - BUG/MEDIUM: mux-h2: mark that we have too many CS once we have more than
          the max
        - BUG/MEDIUM: server: Also copy "check-sni" for server templates.
        - BUG/MEDIUM: cli: make "show sess" really thread-safe
        - BUG/MEDIUM: lua: dead lock when Lua tasks are trigerred
      * Drop CVE-2018-20615.patch; merged upstream
    
     -- Apollon Oikonomopoulos <email address hidden>  Mon, 14 Jan 2019 20:58:05 +0200
  • haproxy (1.8.16-2) unstable; urgency=high
    
      * Fix out-of-bounds read in HTTP2 mux (CVE-2018-20615).
        This would possibly lead to a crash in H2 HEADERS frame decoder when the
        PRIORITY flag is present, due to a missing frame size check.
      * Bump Standards-Version to 4.3.0; no changes needed.
    
     -- Apollon Oikonomopoulos <email address hidden>  Thu, 03 Jan 2019 12:08:07 +0200
  • haproxy (1.8.16-1) unstable; urgency=high
    
      * New upstream version 1.8.16.
        - BUG/MEDIUM: dns: Don't prevent reading the last byte of the payload
          in dns_validate_response()
        - BUG/MEDIUM: dns: overflowed dns name start position causing invalid
          dns error
      * d/rules: do not override CFLAGS, hijack DEBUG_CFLAGS for this instead.
    
     -- Vincent Bernat <email address hidden>  Sun, 23 Dec 2018 14:27:11 +0100
  • haproxy (1.8.15-1) unstable; urgency=high
    
      [ Vincent Bernat ]
      * d/rules: switch to pcre2. Closes: #911933.
    
      [ Apollon Oikonomopoulos ]
      * New upstream version 1.8.15
        - BUG: dns: Fix off-by-one write in dns_validate_dns_response() (
        - BUG: dns: Fix out-of-bounds read via signedness error in
          dns_validate_dns_response()
        - BUG: dns: Prevent out-of-bounds read in dns_read_name()
        - BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()
          (CVE-2018-20102, closes: #916308)
        - BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name
          (CVE-2018-20103, closes: #916307)
        - BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
    
     -- Apollon Oikonomopoulos <email address hidden>  Fri, 14 Dec 2018 15:31:04 +0200
  • haproxy (1.8.14-1) unstable; urgency=medium
    
      * New upstream version.
        - BUG/CRITICAL: hpack: fix improper sign check on the header index
                        value (already fixed in 1.8.13-2)
        - BUG/MAJOR: kqueue: Don't reset the changes number by accident.
        - BUG/MAJOR: thread: lua: Wrong SSL context initialization.
    
     -- Vincent Bernat <email address hidden>  Sun, 23 Sep 2018 12:25:03 +0200
  • haproxy (1.8.13-2build1) cosmic; urgency=high
    
      * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
    
     -- Dimitri John Ledkov <email address hidden>  Sat, 29 Sep 2018 01:36:44 +0100