Per server-triage-discussion: this *may( be a case where a "new upstream
microrelease" is acceptable, but the requirements are to be verified:
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
** Tags removed: server-triage-discuss
--
You received this bug notification
** Merge proposal linked:
https://code.launchpad.net/~utkarsh/ubuntu/+source/haproxy/+git/haproxy/+merge/402200
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919468
Title:
HAProxy 2.0.13 does
** Also affects: haproxy (Ubuntu Impish)
Importance: Medium
Assignee: Utkarsh Gupta (utkarsh)
Status: Confirmed
** Also affects: haproxy (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: haproxy (Ubuntu Groovy)
Importance: Undecided
Status: New
** Information type changed from Public Security to Public
** Changed in: haproxy (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919468
Title:
HAProxy
@Utkarsh, I'm not affected by this bug. I am interested in the MRE to
fix the other 305 bugs waiting to bite me or others ;)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919468
Title:
HAProxy
Right, thanks, Bryce! \o/
Simon, hey, I mean to ask, do you intend to work on the SRU (just this
fix for now) as well? I could help you land that patch if you're
interested and if not, I could just go ahead and do it. And then later,
we discuss the microrelease route in a bit detail and use your
Utkarsh, a few next steps:
a. Hone the test case in the bug description to a good 'paint-by-
numbers' level of detail
b. Identify if other Ubuntu releases in addition to focal will need
this fix. We have 2.2.x in groovy and hirsute, so presumably it already
has the fix, but doublecheck in
Hi Simon,
The server team discussed this bug and we do agree the debdiff in this
case looks good, and having a point release of haproxy for the stable
release likely would bring many good fixes to users in addition to this
particular one, even though it doesn't appear that those issues have
been
Hello Utkarsh,
Yes, that sounds like a good plan, thanks. I forgot to mention, but aside from
the changelog, they also maintain this wonderful list of fixed bugs:
https://www.haproxy.org/bugs/bugs-2.0.13.html
Let me know if I can help with this SRU ;)
Thank you!
--
You received this bug
Hi Simon,
Thanks for working on this! And wow, the debdiff looks huge but well, I
don't expect it to be any smaller either, considering that it's a 2.0.13
-> 2.0.22. But well, I'd still copy the SRU team to take their opinion
on this and to actually confirm whether they'd be OK with this being
The attachment "lp1919468.debdiff" seems to be a debdiff. The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff. If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if
I'm attaching a debdiff to have Focal upgraded from 2.0.13 to 2.0.22
(latest upstream 2.0 stable).
** Patch added: "lp1919468.debdiff"
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1919468/+attachment/5489911/+files/lp1919468.debdiff
--
You received this bug notification because
@paride, I know of at least another problem affecting a Ubuntu user who
reported to upstream [1]. Upstream have included the fix which should
make it in 2.0.22. Once it is released, I'd be happy to work with you on
having this new version shipped in Focal.
[1]
Hello Malte, thanks for this bug report and for providing some minimal
steps to reproduce it. I could reproduce the issue you described and
verified that it doesn't happen when using vbernat's PPA, as you stated.
I checked the haproxy changelog for the 2.0 branch [1] and its full git
history [2]
Hello Malte, no, it sounds like you found a real bug that probably
deserves to be fixed; I'm just not familiar enough with haproxy to know
if this is crossing security boundaries.
Server team, any thoughts?
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Hello Seth,
unfortunately, this is incorrect.
HTTP/1.1 defines the "close" connection option for the sender to
signal that the connection will be closed after completion of the
response.
https://tools.ietf.org/html/rfc2616#section-14.10
But the server with Ubuntus HAProxy 2.0.13 will
Hello Malte, on a first read I don't think this is a security issue: if
a client is responsible for adding a "connection: close" header to the
messages, a malicious client could just as easily issue requests without
this header, no?
Thanks
--
You received this bug notification because you are a
This was created 20 days ago. When can I expect somebody to look into
it?
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919468
18 matches
Mail list logo
