Subject: [ANNOUNCE] haproxy-1.8.14
To: haproxy@formilux.org

Hi,

HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits after version 1.8.13.

The most important one fixes a security issue reported by Tim Düsterhus and which was assigned CVE-2018-14645. There is an integer signedness issue in the HPACK decoder used in HTTP/2 which theoretically makes it possible to remotely crash an haproxy instance where HTTP/2 is in use. I want to thank Tim for his responsible reporting and Ryan O'Hara for quickly providing us with a CVE ID.

The only workaround for those who for various reasons can't immediately update, is to disable HTTP/2. But distros will provide an updated package soon. If some distro maintainers need a way to test if their version is properly fixed, please contact me privately, I'll explain how to proceed.

Two other major issues are fixed in this version, one of them related to how SSL is initialized in Lua, apparently it didn't properly consider the presence of threads, leading to random behaviours. The second only affects kqueue, I don't have the details in memory, I suspect it was causing some delays in connection processing there.

The rest is the regular list of problematic but not critical issues that need to be fixed but for which there is no emergency.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Baptiste Assmann (4):
      MINOR: dns: fix wrong score computation in dns_get_ip_from_response
      MINOR: dns: new DNS options to allow/prevent IP address duplication
      BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file
      BUG/MINOR: dns: check and link servers' resolvers right after config parsing

Bertrand Jacquin (2):
      DOC: ssl: Use consistent naming for TLS protocols
      DOC: Fix typos in lua documentation

Cyril Bonté (1):
      BUG/MEDIUM: lua: socket timeouts are not applied

Dragan Dosen (1):
      BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list

Emeric Brun (4):
      BUG/MINOR: ssl: empty connections reported as errors.
      BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
      BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
      BUG/MINOR: map: fix map_regm with backref

Emmanuel Hocdet (1):
      BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1

Frédéric Lécaille (3):
      BUG/MINOR: lua: Bad HTTP client request duration.
      BUG/MAJOR: thread: lua: Wrong SSL context initialization.
      BUG/MINOR: server: Crash when setting FQDN via CLI.

Jens Bissinger (1):
      DOC: Fix spelling error in configuration doc

Lukas Tribus (1):
      DOC: dns: explain set server ... fqdn requires resolver

Olivier Houchard (4):
      MINOR: threads: Introduce double-width CAS on x86_64 and arm.
      BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
      BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
      BUG/MAJOR: kqueue: Don't reset the changes number by accident.

Patrick Hemmer (1):
      BUG/MEDIUM: lua: reset lua transaction between http requests

Thierry FOURNIER (1):
      BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers

Willy Tarreau (20):
      BUG/MEDIUM: servers: check the queues once enabling a server
      BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
      BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
      MINOR: threads: add more consistency between certain variables in no-thread case
      BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
      MEDIUM: hathreads: implement a more flexible rendez-vous point
      BUG/MEDIUM: cli: make "show fd" thread-safe
      BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
      BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
      BUG/MEDIUM: unix: provide a ->drain() function
      BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
      MINOR: thread: implement HA_ATOMIC_XADD()
      BUG/MINOR: stream: use atomic increments for the request counter
      BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
      BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
      BUG/MINOR: http/threads: atomically increment the error snapshot ID
      BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
      BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
      BUG/MINOR: cli: make sure the "getsock" command is only called on connections
      BUG/CRITICAL: hpack: fix improper sign check on the header index value
---
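
Added example, not part of the original announcement and not HAProxy project code: a small audit helper for the "disable HTTP/2" workaround mentioned above. It lists every "bind" line that advertises h2 and prints the line with h2 removed. It assumes HTTP/2 is enabled in 1.8 by listing "h2" in the "alpn" option of a "bind" line; the sample configuration, its paths and its section names are constructed.

```python
# Added example, not HAProxy project code. Assumes HTTP/2 is enabled in 1.8
# by advertising "h2" in the "alpn" option of a "bind" line.

SECTIONS = {"global", "defaults", "frontend", "listen", "backend",
            "resolvers", "peers", "userlist", "mailers"}

# Constructed sample configuration (paths and names are made up).
SAMPLE_CFG = """\
global
    nbthread 4

frontend fe_tls
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    default_backend be_app

listen admin
    bind 127.0.0.1:9443 ssl crt /etc/haproxy/admin.pem alpn h2  # h2 only
    server s1 127.0.0.1:8080

backend be_app
    server s1 127.0.0.1:8080
"""

def find_h2_binds(cfg_text):
    """Return (line_no, section, suggested_line) for every bind advertising h2."""
    findings, section = [], ""
    for line_no, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # naive: ignores quoted/escaped '#'
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
            continue
        # Only bind lines where "alpn" is followed by a value are of interest.
        if words[0] != "bind" or "alpn" not in words[1:-1]:
            continue
        pos = words.index("alpn", 1) + 1
        protos = words[pos].split(",")
        if "h2" not in protos:
            continue
        # Keep the other protocols; fall back to http/1.1 if h2 was the only one.
        words[pos] = ",".join(p for p in protos if p != "h2") or "http/1.1"
        indent = raw[:len(raw) - len(raw.lstrip())]
        findings.append((line_no, section, indent + " ".join(words)))
    return findings

if __name__ == "__main__":
    for line_no, section, fixed in find_h2_binds(SAMPLE_CFG):
        print(f"line {line_no} [{section}] advertises h2; workaround:")
        print(fixed)
```

The suggested lines drop any trailing comment and collapse repeated spaces, so review them before editing the live configuration and reloading.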