On Thu, Apr 02, 2020 at 03:27:07PM +0200, Julien Pivotto wrote: > On 02 Apr 15:03, Willy Tarreau wrote: > > Hi, > > > > HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits > > after version 2.1.3. > > > > The main driver for this release is that it contains a fix for a serious > > vulnerability that was responsibly reported last week by Felix Wilhelm > > from Google Project Zero, affecting the HPACK decoder used for HTTP/2. > > CVE-2020-11100 was assigned to this issue. > > > > There is no configuration-based workaround for 2.1 and above. > > > Is disabling HTTP2 a workaround?
When possible yes, but in 2.1 and above you cannot as it's native, hence "no config workaround" :-( Willy
