Package: haproxy
Version: 2.2.9-2+deb11u1~bpo10+1
Severity: grave
Justification: renders package unusable

Hi All!

Since installing the latest HAProxy backports package for Debian 10,
2.2.9-2+deb11u1~bpo10+1, HAProxy fails to serve URLs like those:

  https://host.tld//
  https://host.tld//path/to/something
  https://host.tld//////some/silly/thing

Accessing those URLs results in HAProxy "just" closing the connection:

  curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

Those URLs were working before this version ...

The Debian changelog for 2.2.9-2+deb11u1 lists this, which I fear is
related:

  "Fix HTTP request smuggling via HTTP/2 desync attacks."

I haven't had time to test the package from Bullseye, so not sure if this
"only" affects the backported package, the Debian packages in general,
or even the upstream fix ...

Regards
Alex

-- System Information:
Debian Release: 10.10
  APT prefers buster-backports
  APT policy: (990, 'buster-backports'), (500, 'oldstable-updates'), (500, 'oldstable'), (100, 'buster-fasttrack'), (3, 'testing'), (2, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-0.bpo.7-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages haproxy depends on:
ii  adduser              3.118
ii  dpkg                 1.19.7
ii  init-system-helpers  1.56+nmu1
ii  libc6                2.28-10
pn  libcrypt1            <none>
ii  libgcc-s1 [libgcc1]  10.1.0-6
ii  libgcc1              1:8.3.0-6
ii  liblua5.3-0          5.3.3-1.1
ii  libpcre2-8-0         10.32-5
ii  libssl1.1            1.1.1d-0+deb10u7
ii  libsystemd0          247.3-6~bpo10+1
ii  lsb-base             10.2019051400
ii  zlib1g               1:1.2.11.dfsg-1

haproxy recommends no packages.

Versions of packages haproxy suggests:
pn  haproxy-doc  <none>
pn  vim-haproxy  <none>
