Bug#949826: buster-pu: package haproxy/1.8.19-1
Hi Vincent,

On Sat, Aug 01, 2020 at 03:11:22PM +0200, Vincent Bernat wrote:
> ❦ 31 July 2020 10:14 +02, Salvatore Bonaccorso:
>
> >> > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> >> > > > as
> >> > > > DSA 4577-1 AFAICT.
> >> > >
> >> > > Oh, sorry. Here is the updated patch.
> >> >
> >> > Please go ahead.
> >>
> >> Too late for buster 10.4 but actually this would need to be rebased to
> >> the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
> >> including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
> >> now.
> >>
> >> If there is another haproxy update before the next point release, this
> >> fix for the CVE can be included as well, IMHO.
> >
> > Did you see the acknowledgement from Adam? Could you upload to
> > buster-proposed-updates?
>
> Hello Salvatore,
>
> I've just uploaded it.

Thank you!

Regards,
Salvatore
Bug#949826: buster-pu: package haproxy/1.8.19-1
❦ 31 July 2020 10:14 +02, Salvatore Bonaccorso:

>> > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
>> > > > as
>> > > > DSA 4577-1 AFAICT.
>> > >
>> > > Oh, sorry. Here is the updated patch.
>> >
>> > Please go ahead.
>>
>> Too late for buster 10.4 but actually this would need to be rebased to
>> the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
>> including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
>> now.
>>
>> If there is another haproxy update before the next point release, this
>> fix for the CVE can be included as well, IMHO.
>
> Did you see the acknowledgement from Adam? Could you upload to
> buster-proposed-updates?

Hello Salvatore,

I've just uploaded it.
-- 
Each module should do one thing well.
            - The Elements of Programming Style (Kernighan & Plauger)
Bug#949826: buster-pu: package haproxy/1.8.19-1
Hi Vincent,

On Fri, May 08, 2020 at 02:03:41PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Apr 12, 2020 at 10:34:27PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote:
> > > ❦ 8 February 2020 08:43 +01, Salvatore Bonaccorso:
> > >
> > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> > > > as
> > > > DSA 4577-1 AFAICT.
> > >
> > > Oh, sorry. Here is the updated patch.
> >
> > Please go ahead.
>
> Too late for buster 10.4 but actually this would need to be rebased to
> the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
> including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
> now.
>
> If there is another haproxy update before the next point release, this
> fix for the CVE can be included as well, IMHO.

Did you see the acknowledgement from Adam? Could you upload to
buster-proposed-updates?

Regards,
Salvatore
Bug#949826: buster-pu: package haproxy/1.8.19-1
Hi,

On Sun, Apr 12, 2020 at 10:34:27PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote:
> > ❦ 8 February 2020 08:43 +01, Salvatore Bonaccorso:
> >
> > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> > > as
> > > DSA 4577-1 AFAICT.
> >
> > Oh, sorry. Here is the updated patch.
>
> Please go ahead.

Too late for buster 10.4 but actually this would need to be rebased to
the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not
including this CVE fix). So the version will be 1.8.19-1+deb10u3 by
now.

If there is another haproxy update before the next point release, this
fix for the CVE can be included as well, IMHO.

Regards,
Salvatore
Bug#949826: buster-pu: package haproxy/1.8.19-1
Control: tags -1 + confirmed

On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote:
> ❦ 8 February 2020 08:43 +01, Salvatore Bonaccorso:
>
> > This needs to be rebased to the 1.8.19-1+deb10u1 which was released
> > as
> > DSA 4577-1 AFAICT.
>
> Oh, sorry. Here is the updated patch.

Please go ahead.

Regards,
Adam
Bug#949826: buster-pu: package haproxy/1.8.19-1
❦ 8 février 2020 08:43 +01, Salvatore Bonaccorso : > This needs to be rebased to the 1.8.19-1+deb10u1 which was released as > DSA 4577-1 AFAICT. Oh, sorry. Here is the updated patch. diff --git a/debian/changelog b/debian/changelog index a3182ea0fdb9..6719f450553f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +haproxy (1.8.19-1+deb10u2) buster; urgency=medium + + * d/logrotate.conf: use rsyslog helper instead of SysV init script. +Closes: #946973. + * d/patches: reject messages where "chunked" is missing from +transfer-encoding. CVE-2019-18277. + + -- Vincent Bernat Sun, 26 Jan 2020 12:54:30 +0100 + haproxy (1.8.19-1+deb10u1) buster-security; urgency=high * Apply two patches around HTTP/2 header validation allowing an attacker diff --git a/debian/logrotate.conf b/debian/logrotate.conf index 442dc4e01e79..ad2031f198e6 100644 --- a/debian/logrotate.conf +++ b/debian/logrotate.conf @@ -6,6 +6,6 @@ compress delaycompress postrotate -invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true +/usr/lib/rsyslog/rsyslog-rotate endscript } diff --git a/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch new file mode 100644 index ..a623dc9f373a --- /dev/null +++ b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch 
@@ -0,0 +1,66 @@ +From 3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 12 Sep 2019 14:01:40 +0200 +Subject: [PATCH] BUG/MEDIUM: http: also reject messages where "chunked" is + missing from transfer-enoding + +Nathan Davison (@ndavison) reported that in legacy mode we don't +correctly reject requests or responses featuring a transfer-encoding +header missing the "chunked" value. As mandated in the protocol spec, +the test verifies that "chunked" is the last one, but only does so when +it is present. As such, "transfer-encoding: foobar" is not rejected, +only "transfer-encoding: chunked, foobar" will be. + +The impact is limited, but if combined with "http-reuse always", it +could be used as a help to construct a content smuggling attack against +a vulnerable component employing a lenient parser which would ignore +the content-length header as soon as it sees a transfer-encoding one, +without even parsing it. In this case haproxy would fail to protect it. + +The fix consists in completing the existing checks to verify that +"chunked" was present if any "transfer-encoding" header was met, +otherwise either reject the request message or make the response +end on a close. + +This fix is only for 2.0 and older versions as legacy mode was +removed from 2.1. It should be backported to all maintained versions. 
+ +(cherry picked from commit 196a7df44d8129d1adc795da020b722614d6a581) +Signed-off-by: Christopher Faulet +(cherry picked from commit 5513fcaa601dd344be548430fc1760dbedebf4f2) +Signed-off-by: Willy Tarreau +--- + src/proto_http.c | 10 ++ + 1 file changed, 10 insertions(+) + +diff --git a/src/proto_http.c b/src/proto_http.c +index 411eb69899df..3c65606325e2 100644 +--- a/src/proto_http.c b/src/proto_http.c +@@ -2110,6 +2110,10 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit) + } + } + ++ /* "chunked" mandatory if transfer-encoding is used */ ++ if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) ++ goto return_bad_req; ++ + /* Chunked requests must have their content-length removed */ + ctx.idx = 0; + if (msg->flags & HTTP_MSGF_TE_CHNK) { +@@ -5568,6 +5572,12 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) + } + } + ++ /* "chunked" mandatory if transfer-encoding is used */ ++ if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) { ++ use_close_only = 1; ++ msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN); ++ } ++ + /* Chunked responses must have their content-length removed */ + ctx.idx = 0; + if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK)) { +-- +2.25.0 + diff --git a/debian/patches/series b/debian/patches/series index 4b5471161f57..504fb00c3dab 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch 0002-Use-dpkg-buildflags-to-build-halog.patch haproxy.service-start-after-syslog.patch haproxy.service-add-documentation.patch -- Always do right. This will gratify some people and astonish the rest. -- Mark Twain signature.asc Description: PGP signature
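Review bot: the debian/changelog hunk for 1.8.19-1+deb10u2 keeps the trailer `-- Vincent Bernat Sun, 26 Jan 2020 12:54:30 +0100` from the earlier deb10u1 debdiff although the entry was rebased on 8 February; regenerate the trailer (dch -r) so the timestamp matches when this revision was prepared, and keep in mind that the revision number has to move again if another security upload lands before this one is accepted.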
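Review bot: in the http_wait_for_request hunk the new check `if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK))` depends on `ctx.idx` still holding the position of the last Transfer-Encoding header found by the preceding lookup loop, and on the very next context line resetting it with `ctx.idx = 0;` before the Content-Length search. That coupling is invisible in the hunk itself; a comment stating that a non-zero `ctx.idx` here means "at least one Transfer-Encoding header was seen" would keep a later refactor of the lookup loop from silently disabling the rejection.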
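Review bot: in the http_wait_for_response hunk the malformed message is not rejected but downgraded to close-delimited framing (`use_close_only = 1;` plus clearing HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN), and the following context only strips Content-Length; nothing in the hunk removes the offending Transfer-Encoding header itself, so it is still passed on with the now close-delimited body. The commit message justifies the different treatment of responses, but the patch header or the Debian changelog should say explicitly that this side is a downgrade rather than a rejection, so the two behaviours are not assumed to be symmetric when the backport is reviewed again.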
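The rule the patch description lays out (a Transfer-Encoding header is only acceptable when "chunked" is present and is the last coding; a request that fails the test is rejected, a response is instead forced to close-delimited framing) written out as a stand-alone check, as an added example in C. This is not haproxy's code or the Debian package's: `classify_transfer_encoding`, `request_framing`, `response_framing` and the enum names are this example's own, and the header values fed to it are constructed samples.

```c
/* Added example, not haproxy code: the Transfer-Encoding rule from the
 * patch description as a stand-alone check. Names are this example's own. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum te_state {
    TE_NONE,     /* no Transfer-Encoding header at all */
    TE_CHUNKED,  /* "chunked" present and it is the last coding */
    TE_INVALID   /* header present, but "chunked" missing or not last */
};

enum framing {
    FRAME_LENGTH,   /* body delimited by Content-Length (or empty) */
    FRAME_CHUNKED,  /* body delimited by the chunked coding */
    FRAME_CLOSE,    /* body delimited by connection close */
    FRAME_REJECT    /* message refused (400 on the request side) */
};

/* Case-insensitive comparison of one coding token against "chunked". */
static int token_is_chunked(const char *s, size_t len)
{
    static const char chunked[] = "chunked";
    if (len != sizeof(chunked) - 1)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != chunked[i])
            return 0;
    return 1;
}

/* Classify the combined value of the Transfer-Encoding header(s).
 * NULL means the header was absent. Codings are comma separated and an
 * optional ";parameter" suffix on a coding is ignored for the comparison. */
enum te_state classify_transfer_encoding(const char *value)
{
    int seen_chunked = 0, chunked_is_last = 0, ntokens = 0;
    const char *p;

    if (value == NULL)
        return TE_NONE;
    for (p = value; *p; ) {
        const char *start, *end, *semi;
        size_t len;
        while (*p == ',' || *p == ' ' || *p == '\t')   /* skip separators */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
        semi = memchr(start, ';', (size_t)(end - start));
        len = (size_t)((semi ? semi : end) - start);
        if (len == 0)
            continue;
        ntokens++;
        chunked_is_last = token_is_chunked(start, len);
        if (chunked_is_last)
            seen_chunked = 1;
    }
    /* a present-but-empty header is a Transfer-Encoding header without
     * "chunked", so it is invalid, not absent */
    if (ntokens == 0 || !seen_chunked || !chunked_is_last)
        return TE_INVALID;
    return TE_CHUNKED;
}

/* Request side of the fix: no final "chunked" means the message is refused. */
enum framing request_framing(const char *te_value)
{
    switch (classify_transfer_encoding(te_value)) {
    case TE_NONE:    return FRAME_LENGTH;
    case TE_CHUNKED: return FRAME_CHUNKED;
    default:         return FRAME_REJECT;
    }
}

/* Response side of the fix: the same condition forces close-delimited
 * framing instead, so no peer can be made to apply Content-Length to it. */
enum framing response_framing(const char *te_value)
{
    switch (classify_transfer_encoding(te_value)) {
    case TE_NONE:    return FRAME_LENGTH;
    case TE_CHUNKED: return FRAME_CHUNKED;
    default:         return FRAME_CLOSE;
    }
}

int main(void)
{
    /* constructed sample header values; NULL stands for "header absent" */
    const char *samples[] = { NULL, "chunked", "gzip, chunked", "Chunked",
                              "foobar", "chunked, foobar", "" };
    static const char *names[] = { "length", "chunked", "close", "reject" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s request=%-8s response=%s\n",
               samples[i] ? samples[i] : "(absent)",
               names[request_framing(samples[i])],
               names[response_framing(samples[i])]);
    return 0;
}
```

The two decision functions mirror the two hunks: the request path has only one safe answer (refuse), while the response path keeps the connection usable by the client but guarantees the body ends with the connection, which is what removes the ambiguity a lenient downstream parser could otherwise exploit.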
Bug#949826: buster-pu: package haproxy/1.8.19-1
Hi, On Sun, Jan 26, 2020 at 01:00:31PM +0100, Vincent Bernat wrote: > ❦ 26 janvier 2020 05:50 +01, Moritz Mühlenhoff : > > >> The logrotate configuration file for HAProxy doesn't signal rsyslog > >> correctly. Therefore, logs are not really rotated and on a moderately > >> busy site, this can fill up a log partition. When running with > >> systemd, rsyslog doesn't write a PID file and there fore, the SysV > >> init script invoked to rotate logs does not work. Instead, rsyslog > >> package provides an helper for this purpose. > >> > >> The change has been applied to 2.0.12-1 currently in unstable and > >> testing. I would like to push it for the next point release next week. > > > > If we're doing a Buster update anyway, could we also piggyback the fix > > for https://nathandavison.com/blog/haproxy-http-request-smuggling > > (CVE-2019-18277), > > https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581 > > ? > > Ack! I have pulled the patch from the 1.8 branch. Here is the updated > debdiff. It compiles and simple tests pass too. I'll be checking with > upstream if they have an opinion around this. > > diff --git a/debian/changelog b/debian/changelog > index 978702081baa..7139318a49cf 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,12 @@ > +haproxy (1.8.19-1+deb10u1) buster; urgency=medium > + > + * d/logrotate.conf: use rsyslog helper instead of SysV init script. > +Closes: #946973. > + * d/patches: reject messages where "chunked" is missing from > +transfer-encoding. CVE-2019-18277. > + > + -- Vincent Bernat Sun, 26 Jan 2020 12:54:30 +0100 This needs to be rebased to the 1.8.19-1+deb10u1 which was released as DSA 4577-1 AFAICT. Regards, Salvatore
Bug#949826: buster-pu: package haproxy/1.8.19-1
❦ 26 January 2020 13:00 +01, Vincent Bernat:

>>> The logrotate configuration file for HAProxy doesn't signal rsyslog
>>> correctly. Therefore, logs are not really rotated and on a moderately
>>> busy site, this can fill up a log partition. When running with
>>> systemd, rsyslog doesn't write a PID file and therefore, the SysV
>>> init script invoked to rotate logs does not work. Instead, the rsyslog
>>> package provides a helper for this purpose.
>>>
>>> The change has been applied to 2.0.12-1 currently in unstable and
>>> testing. I would like to push it for the next point release next week.
>>
>> If we're doing a Buster update anyway, could we also piggyback the fix
>> for https://nathandavison.com/blog/haproxy-http-request-smuggling
>> (CVE-2019-18277),
>> https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
>> ?
>
> Ack! I have pulled the patch from the 1.8 branch. Here is the updated
> debdiff. It compiles and simple tests pass too. I'll be checking with
> upstream if they have an opinion around this.

Upstream is OK to apply the patch on top of 1.8.19.
-- 
Don't use conditional branches as a substitute for a logical expression.
            - The Elements of Programming Style (Kernighan & Plauger)
Bug#949826: buster-pu: package haproxy/1.8.19-1
❦ 26 janvier 2020 05:50 +01, Moritz Mühlenhoff : >> The logrotate configuration file for HAProxy doesn't signal rsyslog >> correctly. Therefore, logs are not really rotated and on a moderately >> busy site, this can fill up a log partition. When running with >> systemd, rsyslog doesn't write a PID file and there fore, the SysV >> init script invoked to rotate logs does not work. Instead, rsyslog >> package provides an helper for this purpose. >> >> The change has been applied to 2.0.12-1 currently in unstable and >> testing. I would like to push it for the next point release next week. > > If we're doing a Buster update anyway, could we also piggyback the fix > for https://nathandavison.com/blog/haproxy-http-request-smuggling > (CVE-2019-18277), > https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581 > ? Ack! I have pulled the patch from the 1.8 branch. Here is the updated debdiff. It compiles and simple tests pass too. I'll be checking with upstream if they have an opinion around this. diff --git a/debian/changelog b/debian/changelog index 978702081baa..7139318a49cf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +haproxy (1.8.19-1+deb10u1) buster; urgency=medium + + * d/logrotate.conf: use rsyslog helper instead of SysV init script. +Closes: #946973. + * d/patches: reject messages where "chunked" is missing from +transfer-encoding. CVE-2019-18277. + + -- Vincent Bernat Sun, 26 Jan 2020 12:54:30 +0100 + haproxy (1.8.19-1) unstable; urgency=medium * New upstream version 1.8.19 diff --git a/debian/logrotate.conf b/debian/logrotate.conf index 442dc4e01e79..ad2031f198e6 100644 --- a/debian/logrotate.conf +++ b/debian/logrotate.conf @@ -6,6 +6,6 @@ compress delaycompress postrotate -invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true +/usr/lib/rsyslog/rsyslog-rotate endscript } 
diff --git a/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch new file mode 100644 index ..a623dc9f373a --- /dev/null +++ b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch 
@@ -0,0 +1,66 @@ +From 3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 12 Sep 2019 14:01:40 +0200 +Subject: [PATCH] BUG/MEDIUM: http: also reject messages where "chunked" is + missing from transfer-enoding + +Nathan Davison (@ndavison) reported that in legacy mode we don't +correctly reject requests or responses featuring a transfer-encoding +header missing the "chunked" value. As mandated in the protocol spec, +the test verifies that "chunked" is the last one, but only does so when +it is present. As such, "transfer-encoding: foobar" is not rejected, +only "transfer-encoding: chunked, foobar" will be. + +The impact is limited, but if combined with "http-reuse always", it +could be used as a help to construct a content smuggling attack against +a vulnerable component employing a lenient parser which would ignore +the content-length header as soon as it sees a transfer-encoding one, +without even parsing it. In this case haproxy would fail to protect it. + +The fix consists in completing the existing checks to verify that +"chunked" was present if any "transfer-encoding" header was met, +otherwise either reject the request message or make the response +end on a close. + +This fix is only for 2.0 and older versions as legacy mode was +removed from 2.1. It should be backported to all maintained versions. 
+ +(cherry picked from commit 196a7df44d8129d1adc795da020b722614d6a581) +Signed-off-by: Christopher Faulet +(cherry picked from commit 5513fcaa601dd344be548430fc1760dbedebf4f2) +Signed-off-by: Willy Tarreau +--- + src/proto_http.c | 10 ++ + 1 file changed, 10 insertions(+) + +diff --git a/src/proto_http.c b/src/proto_http.c +index 411eb69899df..3c65606325e2 100644 +--- a/src/proto_http.c b/src/proto_http.c +@@ -2110,6 +2110,10 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit) + } + } + ++ /* "chunked" mandatory if transfer-encoding is used */ ++ if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) ++ goto return_bad_req; ++ + /* Chunked requests must have their content-length removed */ + ctx.idx = 0; + if (msg->flags & HTTP_MSGF_TE_CHNK) { +@@ -5568,6 +5572,12 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) + } + } + ++ /* "chunked" mandatory if transfer-encoding is used */ ++ if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) { ++ use_close_only = 1; ++ msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN); ++ } ++ + /* Chunked responses must have their content-length removed */ + ctx.idx = 0; + if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK)) { +-- +2.25.0 + diff --git a/debian/patches/series b/debian/patches/series index
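Review bot: the debian/changelog hunk of this debdiff introduces `haproxy (1.8.19-1+deb10u1) buster; urgency=medium`, but 1.8.19-1+deb10u1 is the version already published by the DSA 4577-1 security upload, so this upload would be refused by the archive for reusing a version and the diff would not apply on top of what buster actually ships. Rebase the two changes onto the security upload's source tree and take the next free revision number for the changelog entry.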
Bug#949826: buster-pu: package haproxy/1.8.19-1
On Sat, Jan 25, 2020 at 02:39:04PM +0100, Vincent Bernat wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hey!
>
> The logrotate configuration file for HAProxy doesn't signal rsyslog
> correctly. Therefore, logs are not really rotated and on a moderately
> busy site, this can fill up a log partition. When running with
> systemd, rsyslog doesn't write a PID file and therefore, the SysV
> init script invoked to rotate logs does not work. Instead, the rsyslog
> package provides a helper for this purpose.
>
> The change has been applied to 2.0.12-1 currently in unstable and
> testing. I would like to push it for the next point release next week.

If we're doing a Buster update anyway, could we also piggyback the fix
for https://nathandavison.com/blog/haproxy-http-request-smuggling
(CVE-2019-18277),
https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
?

Cheers,
        Moritz
Bug#949826: buster-pu: package haproxy/1.8.19-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey!

The logrotate configuration file for HAProxy doesn't signal rsyslog
correctly. Therefore, logs are not really rotated and on a moderately
busy site, this can fill up a log partition. When running with
systemd, rsyslog doesn't write a PID file and therefore, the SysV
init script invoked to rotate logs does not work. Instead, the rsyslog
package provides a helper for this purpose.

The change has been applied to 2.0.12-1 currently in unstable and
testing. I would like to push it for the next point release next week.

Thanks.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAl4sRPgSHGJlcm5hdEBk
ZWJpYW4ub3JnAAoJEJWkL+g1NSX5EzsP/AzdClF5G4t3FI4qXyVULb8bAuMYQqtK
CYrV6LoMg9OSnQeN99EdP28anmgaTMhhaMs0vTs39DTxaUK6a9rIPYuxrzoqyF1q
2thYNdArHyTkSObW8yHQWal02wQ7S/rh14ryp+mgdZ6NbuduSiS8UZwB9gYIBJl6
0dGsWv7mKTTQvOMvRZEwoAHivM+mdY4z/RgXH9Pz1yhQ8RCsT2B1UcPuI+d6kolH
g2QKE8ZrQ3Jp9L8CXNBhUxABqQnkOZjcBdKhYujuKEjhxIfZBAIg5P5DHhtZvmlj
8ikE8k7bRoTPp8zI7MMhRNZL6IO1yTFEyJJnL56GNMnSOhkN+Qupu2KrAAwYYTQB
0d1ccPuDEdxdDQdmyRISx9tl+6jkB6RK1gxbOFUQSmBpY7Xv9qCp9avl7RKUA/HC
+hZDkRcmEyN2/GhKVAo5+HGpdaJIn3seF7Cc4ne0TVd+f4ZL/R/EopZ+WppAyIpU
eBvMefcHLaTIA3YFGhfLepflzIeNJ/WoqjdzypEdsFtnjHQxilErYIIfKQi7qiRr
pLfKyM/ju5azO4DjBTXKoLCgrjyEoCrQEZTNoQVVTiAXiFiqffoC/SK0o7W9kOvq
WQ0iH3AD0Z05tISVUWtcasQYhfg0+PZc9JxrRWKX/9bV19bXB6Z0oeOi+CRy7d13
DK0Oc43IFOb+
=+pm7
-END PGP SIGNATURE- >From bcf26bb2d684d793792742e30fd66c5b4018b53f Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Fri, 20 Dec 2019 08:20:40 +0100 Subject: [PATCH] d/logrotate.conf: use rsyslog helper instead of SysV init script --- debian/changelog | 7 +++ debian/logrotate.conf | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 978702081baa..b996863ea351 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +haproxy (1.8.19-1+deb10u1) buster; urgency=medium + + * d/logrotate.conf: use rsyslog helper instead of SysV init script. +Closes: #946973. + + -- Vincent Bernat Sat, 25 Jan 2020 14:33:51 +0100 + haproxy (1.8.19-1) unstable; urgency=medium * New upstream version 1.8.19 diff --git a/debian/logrotate.conf b/debian/logrotate.conf index 442dc4e01e79..ad2031f198e6 100644 --- a/debian/logrotate.conf +++ b/debian/logrotate.conf @@ -6,6 +6,6 @@ compress delaycompress postrotate -invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true +/usr/lib/rsyslog/rsyslog-rotate endscript } -- 2.25.0
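Review bot: in the debian/logrotate.conf hunk the removed line `invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true` tolerated a missing or failing rsyslog, whereas the replacement `/usr/lib/rsyslog/rsyslog-rotate` is called bare. On a host that ships HAProxy logs through something other than rsyslog the helper does not exist, and logrotate will then report the postrotate script as failed on every run (and, depending on configuration, skip the remaining rotation steps). Unless the package is meant to depend on rsyslog outright, guard the call, for example `[ -x /usr/lib/rsyslog/rsyslog-rotate ] && /usr/lib/rsyslog/rsyslog-rotate || true`, so the behaviour stays as forgiving as the line it replaces.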