haproxy (2.0.33-0ubuntu0.1) focal; urgency=medium
* New upstream release (LP: #2028418)
- Major and critical bug fixes according to the upstream changelog:
+ BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value
replacement
+ BUG/MAJOR: http: reject any empty content-length header value
- For further information, refer to the upstream changelog at
https://www.haproxy.org/download/2.0/src/CHANGELOG and to the upstream
release announcements at
https://<email address hidden>/msg43668.html
(2.0.32), and
https://<email address hidden>/msg43904.html (2.0.33)
- Remove patches applied by upstream in debian/patches:
+ CVE-2023-40225-1.patch
+ CVE-2023-40225-2.patch
-- Athos Ribeiro <email address hidden> Tue, 31 Oct 2023 16:00:44 -0300
-
haproxy (2.0.31-0ubuntu0.3) focal-security; urgency=medium
* SECURITY UPDATE: info disclosure or end_rule issue via hash character
- debian/patches/CVE-2023-45539.patch: do not accept '#' as part of the
URI component in src/h1.c.
- CVE-2023-45539
-- Marc Deslauriers <email address hidden> Mon, 04 Dec 2023 13:02:34 -0500
-
haproxy (2.0.31-0ubuntu0.2) focal-security; urgency=medium
* SECURITY UPDATE: incorrect handling of empty content-length header
- debian/patches/CVE-2023-40225-1.patch: add a proper check for empty
content-length header buffer in src/h1.c and src/h2.c. Also add
tests for it in reg-tests/http-messaging/h1_to_h1.vtc and
reg-tests/http-messaging/h2_to_h1.vtc.
- debian/patches/CVE-2023-40225-2.patch: add a check for leading zero
in content-length header buffer in src/h1.c and src/h2.c. Also add
tests in reg-tests/http-rules/h1or2_to_h1c.vtc.
- CVE-2023-40225
-- Rodrigo Figueiredo Zaiden <email address hidden> Wed, 16 Aug 2023 18:14:42 -0300
-
haproxy (2.0.31-0ubuntu0.1) focal; urgency=medium
* New upstream release (LP: #2012557).
- Major and critical bug fixes according to the upstream changelog:
+ BUG/MAJOR: stick-tables: do not try to index a server name for applets
+ BUG/MAJOR: stick-table: don't process store-response rules for applets
+ BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is
realigned
+ BUG/CRITICAL: http: properly reject empty http header field names
- Remove patches applied by upstream in debian/patches:
+ CVE-2023-0056.patch
+ CVE-2023-25725.patch
- Refresh existing patches in debian/patches:
+ 0002-Use-dpkg-buildflags-to-build-halog.patch
* Backport DEP-8 tests from Lunar:
- d/t/proxy-ssl-termination
- d/t/proxy-ssl-pass-through
-- Lucas Kanashiro <email address hidden> Wed, 22 Mar 2023 17:39:46 -0300
-
haproxy (2.0.29-0ubuntu1.3) focal-security; urgency=medium
* SECURITY UPDATE: incorrect handling of empty http header field names
- debian/patches/CVE-2023-25725.patch: properly reject empty http
header field names in src/h1.c, src/hpack-dec.c, src/http_msg.c.
- CVE-2023-25725
-- Marc Deslauriers <email address hidden> Mon, 13 Feb 2023 07:42:58 -0500
-
haproxy (2.0.29-0ubuntu1.1) focal-security; urgency=medium
* SECURITY UPDATE: DoS via certain interim responses
- debian/patches/CVE-2023-0056.patch: refuse interim responses with
end-stream flag set in src/mux_h2.c.
- CVE-2023-0056
-- Marc Deslauriers <email address hidden> Thu, 19 Jan 2023 10:50:52 -0500
-
haproxy (2.0.29-0ubuntu1) focal; urgency=medium
* New upstream release (LP: #1987914).
- Major and critical bug fixes according to the upstream changelog:
+ http-ana: Always abort the request when a tarpit is triggered
+ list: fix invalid element address calculation
+ proxy_protocol: Properly validate TLV lengths
+ hpack: never index a header into the headroom after wrapping
+ stream-int: always detach a faulty endpoint on connect failure
+ stream: Mark the server address as unset on new outgoing connection
+ dns: Make the do-resolve action thread-safe
+ contrib/spoa-server: Fix unhandled python call leading to memory leak
+ mux-h2: Don't try to send data if we know it is no longer possible
+ spoe: Be sure to remove all references on a released spoe applet
+ filters: Always keep all offsets up to date during data filtering
+ peers: fix partial message decoding
+ spoa/python: Fixing return None
+ dns: fix null pointer dereference in snr_update_srv_status
+ dns: disabled servers through SRV records never recover
+ mux-h2: Properly detect too large frames when decoding headers
+ server: prevent deadlock when using 'set maxconn server'
+ htx: Fix htx_defrag() when an HTX block is expanded
+ queue: set SF_ASSIGNED when setting strm->target on dequeue
+ server: fix deadlock when changing maxconn via agent-check
+ h2: enforce stricter syntax checks on the :method pseudo-header
+ htx: fix missing header name length check in htx_add_header/trailer
+ lua: use task_wakeup() to properly run a task once
+ http/htx: prevent unbounded loop in http_manage_server_side_cookies
+ spoe: properly detach all agents when releasing the applet
+ mux-h2: Be sure to always report HTX parsing error to the app layer
+ sched: prevent rare concurrent wakeup of multi-threaded tasks
+ mux-pt: Always destroy the backend connection on detach
+ dns: multi-thread concurrency issue on UDP socket
+ mux_pt: always report the connection error to the conn_stream
- Refresh haproxy.service-*.patch.
- Remove patches applied by upstream in debian/patches:
+ 0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
+ 0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
+ 2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
+ CVE-2022-0711.patch
+ lp1894879-BUG-MEDIUM-dns-*.patch
-- Lucas Kanashiro <email address hidden> Fri, 26 Aug 2022 17:07:24 -0300
-
haproxy (2.0.13-2ubuntu0.5) focal-security; urgency=medium
* SECURITY UPDATE: infinite loop via Set-Cookie2 header
- debian/patches/CVE-2022-0711.patch: prevent unbounded loop in
src/http_ana.c.
- CVE-2022-0711
* debian/rules: link against libatomic on riscv64.
-- Marc Deslauriers <email address hidden> Wed, 02 Mar 2022 07:56:19 -0500
-
haproxy (2.0.13-2ubuntu0.3) focal-security; urgency=medium
* SECURITY UPDATE: duplicate content-length header check bypass in HTX
- d/p/0001-2.0-2.3-BUG-MAJOR*.patch: fix missing header name length
check in htx_add_header/trailer in src/htx.c.
- CVE number pending
-- Marc Deslauriers <email address hidden> Fri, 27 Aug 2021 07:48:39 -0400
-
haproxy (2.0.13-2ubuntu0.2) focal-security; urgency=medium
* SECURITY UPDATE: Security issue in HTTP/2 implementation
- d/p/2.0-0001*.patch: enforce checks on the method syntax before
translating to HTX.
- No CVE number
-- Marc Deslauriers <email address hidden> Mon, 16 Aug 2021 07:42:00 -0400
-
haproxy (2.0.13-2ubuntu0.1) focal; urgency=medium
* Backport dns related fixes from git to resolve crashes when
using do-resolve action (LP: #1894879)
- BUG/CRITICAL: dns: Make the do-resolve action thread safe
- BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
- BUG/MEDIUM: dns: Don't yield in do resolve action on a final
-- Simon Deziel <email address hidden> Tue, 08 Sep 2020 17:16:14 +0000
-
haproxy (2.0.13-2) unstable; urgency=medium
* d/dconv: replace cgi.escape by html.escape. Closes: #951416.
* d/copyright: document OpenSSL exception. Closes: #951782.
* d/haproxy.cfg: use "ssl-min-ver" to set minimum version.
* Apply one patch to fix an overflow in HTTP/2 header handling.
Fix CVE-2020-11100.
-- Vincent Bernat <email address hidden> Wed, 01 Apr 2020 21:49:32 +0200
-
haproxy (2.0.13-1ubuntu2) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- Add Ubuntu version to block automatic sync from Debian, as we want
to stay in the 2.0.x LTS series for Focal (LP #1854988)
- convert cgi.escape into html.escape to fix a python3.8 failure
-- Gianfranco Costamagna <email address hidden> Sun, 16 Feb 2020 10:34:53 +0100
-
haproxy (2.0.13-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- Add Ubuntu version to block automatic sync from Debian, as we want
to stay in the 2.0.x LTS series for Focal (LP #1854988)
haproxy (2.0.13-1) unstable; urgency=medium
* New upstream release.
- BUG/MAJOR: hashes: fix the signedness of the hash inputs
- BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is
empty.
* d/dconv: use Python 3 to build the documentation.
Closes: #948296, #950435.
-- Gianfranco Costamagna <email address hidden> Sun, 16 Feb 2020 10:34:53 +0100
-
haproxy (2.0.12-1ubuntu2) focal; urgency=medium
* Use python3 to build the documentation (LP: #1858485, Closes: #948296):
- d/control, d/rules: switch to python3
- d/dconv/*: convert to python3
- d/p/debianize-dconv.patch: small update for python3
-- Andreas Hasenack <email address hidden> Fri, 17 Jan 2020 18:54:13 +0000
-
haproxy (2.0.12-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Add Ubuntu version to block automatic sync from Debian, as we want
to stay in the 2.0.x LTS series for Focal (LP #1854988)
haproxy (2.0.12-1) unstable; urgency=medium
* New upstream version.
- BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreign requeuing
* d/logrotate.conf: use rsyslog helper instead of SysV init script.
Closes: #946973.
-- Andreas Hasenack <email address hidden> Mon, 23 Dec 2019 16:33:21 -0300
-
haproxy (2.0.11-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Add Ubuntu version to block automatic sync from Debian, as we want
to stay in the 2.0.x LTS series for Focal (LP #1854988)
haproxy (2.0.11-1) unstable; urgency=medium
* New upstream release.
- BUG/MAJOR: dns: add minimalist error processing on the Rx path
-- Andreas Hasenack <email address hidden> Sun, 15 Dec 2019 14:41:16 -0300
-
haproxy (2.0.10-1ubuntu1) focal; urgency=medium
* Add Ubuntu version to block automatic sync from Debian, as we want
to stay in the 2.0.x LTS series for Focal (LP: #1854988)
-- Andreas Hasenack <email address hidden> Tue, 03 Dec 2019 15:38:53 -0300
-
haproxy (2.0.10-1) unstable; urgency=medium
* New upstream release.
- BUG/MAJOR: h2: make header field name filtering stronger
- BUG/MAJOR: h2: reject header values containing invalid chars
- BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in
idle state
-- Vincent Bernat <email address hidden> Tue, 26 Nov 2019 13:22:17 +0100
-
haproxy (2.0.9-1) unstable; urgency=medium
* New upstream release.
- BUG/MAJOR: stream-int: Don't receive data from mux until SI_ST_EST
is reached
-- Vincent Bernat <email address hidden> Sat, 16 Nov 2019 17:38:51 +0100
-
haproxy (2.0.8-1) unstable; urgency=medium
* New upstream release.
- BUG/MAJOR: idle conns: schedule the cleanup task on the correct
threads
-- Vincent Bernat <email address hidden> Wed, 23 Oct 2019 08:55:55 +0200
-
haproxy (2.0.5-1) unstable; urgency=medium
* New upstream release.
- BUG/MEDIUM: mux_h1: Don't bother subscribing in recv if we're not
connected.
- BUG/MEDIUM: mux_pt: Don't call unsubscribe if we did not subscribe.
- BUG/MEDIUM: proxy: Don't forget the SF_HTX flag when upgrading
TCP=>H1+HTX.
- BUG/MEDIUM: proxy: Don't use cs_destroy() when freeing the
conn_stream.
- BUG/MEDIUM: stick-table: Wrong stick-table backends parsing.
-- Vincent Bernat <email address hidden> Fri, 16 Aug 2019 19:51:24 +0200