Hi, Just for archive: CVE-2012-2391 http://www.openwall.com/lists/oss-security/2012/05/23/15
---- Kevin Decherf - M: +33 681194547 - T: @Kdecherf On Tue, May 22, 2012 at 9:30 PM, Vivek Malik <vivek.ma...@gmail.com> wrote: > A recommended upgrade for all production users. While we are not > (generally) affected by the bugs fixed in haproxy stable version. I > recommend updating haproxy. > > I can update haproxy bin in puppet and can check it in (we distribute > haproxy binary via puppetmaster). > > Aiman, > > Please update puppetmaster when you see fit and also in general, please > ensure that puppet client is running on all machines. > > Thanks, > Vivek > > > On Mon, May 21, 2012 at 1:43 AM, Willy Tarreau <w...@1wt.eu> wrote: > >> Hi all, >> >> a number of old bugs were reported recently. Some of them are quite >> problematic because they can lead to crashes while parsing configuration >> or when starting up, which is even worse considering that startup scripts >> will generally not notice it. >> >> Among the bugs fixed in 1.4.21, we can enumerate : >> - risk of crash if using reqrep/rsprep and having tune.bufsize manually >> configured larger than what was compiled in. The cause is the trash >> buffer used for the replace was still static, and I believed this was >> fixed months ago but only my mailbox had the fix! Thanks to Dmitry >> Sivachenko for reporting this bug. >> >> - risk of crash when using header captures on a TCP frontend. This is a >> configuration issue, and this situation is now correctly detected and >> reported. Thanks to Olufemi Omojola for reporting this bug. >> >> - risk of crash when some servers are declared with checks in a farm >> which >> does not use an LB algorithm (eg: "option transparent" or "dispatch"). >> This happens when a server state is updated and reported to the non- >> existing LB algorithm. Fortunately, this happens at start-up when >> reporting the servers either up or down, but still it's after the fork >> and too late for being easily recovered from by scripts. Thanks to >> David >> Touzeau for reporting this bug. >> >> - "balance source" did not correctly hash IPv6 addresses, so IPv4 >> connections to IPv6 listeners would always get the same result. Thanks >> to Alex Markham for reporting this bug. >> >> - the connect timeout was not properly reset upon connection >> establishment, >> resulting in a retry if the timeout struck exactly at the same >> millisecond >> the connect succeeded. The effect is that if a request was sent as >> part of >> the connect hanshake, it is not available for resend during the retry >> and >> a response timeout is reported for the server. Note that in practice, >> this >> only happens with erroneous configurations. Thanks to Yehuda Sadeh for >> reporting this bug. >> >> - the error captures were wrong if the buffer wrapped, which happens when >> capturing incorrectly encoded chunked responses. >> >> I also backported Cyril's work on the stats page to allow POST params to >> be >> posted in any order, because I know there are people who script actions on >> this page. >> >> This release also includes doc cleanups from Cyril, Dmitry Sivachenko and >> Adrian Bridgett. >> >> Distro packagers will be happy to know that I added explicit checks to >> shut >> gcc warnings about unchecked write() return value in the debug code. >> >> While it's very likely that almost nobody is affected by the bugs above, >> troubleshooting them is annoying enough to justify an upgrade. >> >> Sources, Linux/x86 and Solaris/sparc binaries are at the usual location : >> >> site index : http://haproxy.1wt.eu/ >> sources : http://haproxy.1wt.eu/download/1.4/src/ >> changelog : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG >> binaries : http://haproxy.1wt.eu/download/1.4/bin/ >> >> Willy >> >> >> >