I am looking at CVE-2023-45539 as it affects older versions of haproxy (ie. haproxy-1.8). At this point I have verified that 1.8 is affected by this issue, which is in agreement with the original bug/commit which states versions prior to 2.8 need a backport. I am wondering if anyone has attempted or completed this backport. I am happy to provide one with the understanding that this will not be merged as 1.8 is EOL.
For reference, this CVE addressed the handling of URL fragments (the part following a '#'). It was originally addressed in 2.8.2 and mentioned in the release notes found here: https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html Thanks! Ryan
