Hi, HAProxy 2.0.10 was released on 2019/11/25. It added 37 new commits after version 2.0.9.
This version addresses two potential security issues in the H2 decoder. The first one, found by Tim Düsterhus, lets an attacker pass control characters into header fields, leading to a possibility of content smuggling attacks on HTTP/1 backends, which is mainly a concern if http-reuse is in use. The second, found by Christopher Faulet, is a direct consequence of a flaw in the H2 spec making no special case of HEADERS frames received on an IDLE stream on the response path. As a result, such a frame passes all validity checks but no stream is allocated since it's a response, and the decoding of the headers on a read-only dummy stream results in a crash of the process. New versions of 1.9 and 1.8 will be issued to fix these flaws as well (1.8 is only affected by the first one).

A few other issues were addressed, such as certain cases of server errors being reported while the client closed first, and some peers desynchronization issues.

At the HAProxyConf, a few people asked for the "h1-case-adjust" feature to be backported to help them fix bogus applications and smoothly transition to HTX. Indeed, since HTX, header field names are lowercased (as is the case in HTTP/2) and it was reported that a few decades-old applications still living in the field incorrectly expect various CaMeLCaSe. As 2.1 dropped support for legacy mode, it's not convenient for users to quickly switch between one mode and the other when trying to work around problems. With this patch backported into 2.0, it now becomes easier to address one application at a time using h1-case-adjust and h1-case-adjust-file and only switch once all applications work in HTX.
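The first issue above is a validation gap: a header value decoded from HTTP/2 must never carry bytes that change meaning once the request is re-serialized as HTTP/1 text. The following C program is an added example, not HAProxy's own code: a hypothetical validator that applies the RFC 7230 field-value and token grammar (plus the RFC 7540 lowercase-name rule) to a decoded H2 header pair before it is allowed toward an HTTP/1 backend. The function names and the exact rejection policy are assumptions; HAProxy's real check lives in its H2 decoder and may differ in detail.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not HAProxy's code: offset of the first byte that is
 * not permitted in an RFC 7230 field-value, or -1 if the value is clean.
 * field-value allows HTAB, SP, VCHAR (0x21-0x7e) and obs-text (0x80-0xff);
 * every other control byte (0x00-0x08, 0x0a-0x1f, 0x7f) is rejected, which
 * covers the CR/LF/NUL bytes that would let a value inject a new header line
 * when the request is re-serialized toward an HTTP/1 backend. */
long find_bad_value_char(const char *v, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == '\t')
            continue;
        if (c < 0x20 || c == 0x7f)
            return (long)i;
    }
    return -1;
}

/* RFC 7230 tchar: the characters allowed in a token (header field name). */
static int is_tchar(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return 1;
    return c != 0 && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Offset of the first byte that is not allowed in a header field name as
 * received over HTTP/2, or -1 if the name is acceptable. HTTP/2 (RFC 7540
 * section 8.1.2) requires names to be lowercase tokens, so uppercase letters
 * are rejected along with any non-tchar byte; an empty name is rejected at
 * offset 0. */
long find_bad_name_char(const char *n, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)n[i];
        if (!is_tchar(c) || (c >= 'A' && c <= 'Z'))
            return (long)i;
    }
    return -1;
}

/* Returns 1 if a decoded H2 header pair may be forwarded to an HTTP/1
 * backend, 0 if the stream should be rejected. Pseudo-headers (leading ':')
 * are never emitted as H1 header lines, so they are refused here as well;
 * a real decoder translates them into the request line before this point. */
int h1_forwardable(const char *name, size_t nlen, const char *value, size_t vlen)
{
    if (nlen > 0 && name[0] == ':')
        return 0;
    if (find_bad_name_char(name, nlen) != -1)
        return 0;
    if (find_bad_value_char(value, vlen) != -1)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples, not captured traffic. */
    struct { const char *name; const char *value; } samples[] = {
        { "host",       "example.com" },
        { "x-trace",    "a\tb" },                    /* HTAB is legal in a value */
        { "x-injected", "1\r\nContent-Length: 0" },  /* CRLF would split the H1 line */
        { "X-Upper",    "ok" },                      /* uppercase names are invalid in H2 */
        { ":path",      "/" },                       /* pseudo-header, never an H1 line */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int ok = h1_forwardable(samples[i].name, strlen(samples[i].name),
                                samples[i].value, strlen(samples[i].value));
        printf("%-8s %s\n", ok ? "forward" : "reject", samples[i].name);
    }
    return 0;
}
```

The value check deliberately keeps HTAB, since real clients send it inside values, while rejecting every other control byte rather than only CR, LF and NUL; that is stricter than a proxy may want in production but it is the safe default when the downstream parser is an HTTP/1 backend you do not control.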
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (19):
      BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
      BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests
      BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
      BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
      MINOR: freq_ctr: Make the sliding window sums thread-safe
      MINOR: stream: Remove the lock on the proxy to update time stats
      MINOR: counters: Add fields to store the max observed for {q,c,d,t}_time
      MINOR: contrib/prometheus-exporter: Report metrics about max times for sessions
      BUG/MINOR: contrib/prometheus-exporter: Rename some metrics
      MINOR: contrib/prometheus-exporter: report the number of idle conns per server
      MINOR: contrib/prometheus-exporter: filter exported metrics by scope
      MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance
      BUG/MINOR: stream-int: Fix si_cs_recv() return value
      MINOR: stats: Report max times in addition of the averages for sessions
      MEDIUM: mux-h1: Add the support of headers adjustment for bogus HTTP/1 apps
      BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser()
      BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a message
      DOC: Add missing stats fields in the management manual
      DOC: Add documentation about the use-service action

Emmanuel Hocdet (1):
      BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1

Eric Salama (1):
      BUILD/MINOR: ssl: fix compiler warning about useless statement

Frédéric Lécaille (5):
      MINOR: peers: Alway show the table info for disconnected peers.
      MINOR: peers: Add TX/RX heartbeat counters.
      MINOR: peers: Add debugging information to "show peers".
      BUG/MINOR: peers: Wrong null "server_name" data field handling.
      BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.

Jerome Magnin (1):
      REGTEST: vtest can now enable mcli with its own flag

Lukas Tribus (1):
      BUG/MINOR: ssl: fix curve setup with LibreSSL

William Dauchy (1):
      BUG/MINOR: init: fix set-dumpable when using uid/gid

William Lallemand (2):
      BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec
      BUG/MINOR: cli: fix out of bounds in -S parser

Willy Tarreau (6):
      MINOR: ist: add ist_find_ctl()
      BUG/MAJOR: h2: reject header values containing invalid chars
      BUG/MAJOR: h2: make header field name filtering stronger
      BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
      SCRIPTS: create-release: show the correct origin name in suggested commands
      SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands

---