-
haproxy (2.0.5-1ubuntu0.4) eoan-security; urgency=medium
* SECURITY UPDATE: Arbitrary memory write
- debian/patches/CVE-2020-11100.patch: make sure the headroom is
considered only when the buffer does not wrap in src/hpack-tbl.c.
- CVE-2020-11100
-- <email address hidden> (Leonidas S. Barbosa) Fri, 03 Apr 2020 16:36:11 -0300
-
haproxy (2.0.5-1ubuntu0.3) eoan-security; urgency=medium
* SECURITY UPDATE: Intermediary Encapsulation attacks
- debian/patches/CVE-2019-19330-*.patch: reject header values containing
invalid chars and make header field name filtering stronger in
src/h2.c, include/common/ist.h.
- CVE-2019-19330
-- <email address hidden> (Leonidas S. Barbosa) Mon, 02 Dec 2019 16:12:00 -0300
-
haproxy (2.0.5-1ubuntu0.2) eoan-security; urgency=medium
* SECURITY UPDATE: Messages with transfer-encoding header missing "chunked"
value were not being correctly rejected
- debian/patches/CVE-2019-18277.patch: also reject messages where
"chunked" is missing from transfer-encoding in
src/proto_http.c.
- CVE-2019-18277
-- <email address hidden> (Leonidas S. Barbosa) Mon, 04 Nov 2019 11:07:29 -0300
-
haproxy (2.0.5-1ubuntu0.1) eoan; urgency=medium
* Fix configurability of dh_params that regressed since building
against openssl 1.1.1 (LP: #1841936)
- d/p/lp-1841936-BUG-MEDIUM-ssl-tune.ssl.default-dh-param-value-ignor.patch
- d/p/lp-1841936-CLEANUP-ssl-make-ssl_sock_load_dh_params-handle-errc.patch
-- Christian Ehrhardt <email address hidden> Wed, 23 Oct 2019 12:58:09 +0200
-
haproxy (2.0.5-1) unstable; urgency=medium
* New upstream release.
- BUG/MEDIUM: mux_h1: Don't bother subscribing in recv if we're not
connected.
- BUG/MEDIUM: mux_pt: Don't call unsubscribe if we did not subscribe.
- BUG/MEDIUM: proxy: Don't forget the SF_HTX flag when upgrading
TCP=>H1+HTX.
- BUG/MEDIUM: proxy: Don't use cs_destroy() when freeing the
conn_stream.
- BUG/MEDIUM: stick-table: Wrong stick-table backends parsing.
-- Vincent Bernat <email address hidden> Fri, 16 Aug 2019 19:51:24 +0200
-
haproxy (2.0.4-1) unstable; urgency=medium
* New upstream release. Upload to unstable.
- BUG/MAJOR: http/sample: use a static buffer for raw -> htx
conversion
- BUG/MAJOR: queue/threads: avoid an AB/BA locking issue in
process_srv_queue()
* d/haproxy.cfg: update default cipher lists to more secure defaults.
TLSv1.0 and TLSv1.1 are disabled, as well as TLS tickets (they are
breaking forward secrecy unless correctly rotated).
Closes: #932763.
-- Vincent Bernat <email address hidden> Fri, 09 Aug 2019 14:22:23 +0200
-
haproxy (2.0.3-1ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
generate traffic through haproxy.
[Updated to use "service" instead of "systemctl" to match what was
submitted to Debian.]
* Dropped:
- SECURITY UPDATE: DoS in htx_manage_client_side_cookies
+ debian/patches/CVE-2019-14241.patch: fix parsing of malformed cookies
which start by a delimiter in src/proto_htx.c.
+ CVE-2019-14241
[Fixed upstream]
haproxy (2.0.3-1) experimental; urgency=medium
* New upstream version.
- BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by
a delimiter (CVE-2019-14241)
- BUG/MEDIUM: checks: Don't attempt to receive data if we already
subscribed.
- BUG/MEDIUM: http/htx: unbreak option http_proxy
- DOC: htx: Update comments in HTX files
- BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction
- BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream
* Bump Standards-Version to 4.4.0; no changes needed
haproxy (2.0.2-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: listener: fix thread safety in resume_listener()
-- Andreas Hasenack <email address hidden> Sat, 27 Jul 2019 10:15:10 -0300
-
haproxy (2.0.1-1ubuntu2) eoan; urgency=medium
* SECURITY UPDATE: DoS in htx_manage_client_side_cookies
- debian/patches/CVE-2019-14241.patch: fix parsing of malformed cookies
which start by a delimiter in src/proto_htx.c.
- CVE-2019-14241
-- Marc Deslauriers <email address hidden> Thu, 25 Jul 2019 13:04:51 -0400
-
haproxy (2.0.1-1ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
generate traffic through haproxy.
[Updated to use "service" instead of "systemctl" to match what was
submitted to Debian.]
haproxy (2.0.1-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL
condition.
- BUG/MAJOR: mux-h1: Don't crush trash chunk area when outgoing
message is formatted
* d/rules: fix crash during reload due to libgcc_s.so missing when
chrooted.
haproxy (2.0.0-1) experimental; urgency=medium
* New upstream version.
* d/watch: update to follow 2.0.
* d/gbp.conf: update for 2.0 and experimental.
* d/rules: update to use linux-glibc target.
* d/rules: enable prometheus exporter.
* d/patches: refresh patches.
* d/vim-haproxy.install: update path to vim syntax file.
* d/README.Debian: remove outdated information.
haproxy (1.9.8-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: map/acl: real fix segfault during show map/acl on CLI
- BUG/MAJOR: mux-h2: do not add a stream twice to the send list
haproxy (1.9.7-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: http_fetch: Get the channel depending on the keyword used
- BUG/MAJOR: lb/threads: fix AB/BA locking issue in round-robin LB
- BUG/MAJOR: lb/threads: fix insufficient locking on round-robin LB
- BUG/MAJOR: muxes: Use the HTX mode to find the best mux for HTTP
proxies only
- BUG/MAJOR: task: make sure never to delete a queued task
haproxy (1.9.6-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: checks: segfault during tcpcheck_main
haproxy (1.9.5-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: cache/htx: Set the start-line offset when a cached object
is served
- BUG/MAJOR: fd/threads, task/threads: ensure all spin locks are
unlocked
- BUG/MAJOR: listener: Make sure the listener exist before using it.
- BUG/MAJOR: mux-h2: fix race condition between close on both ends
- BUG/MAJOR: spoe: Don't try to get agent config during SPOP
healthcheck
- BUG/MAJOR: spoe: Fix initialization of thread-dependent fields
- BUG/MAJOR: stats: Fix how huge POST data are read from the channel
- BUG/MAJOR: stream: avoid double free on unique_id
- BUG/MAJOR: tasks: Use the TASK_GLOBAL flag to know if we're in the
global rq.
haproxy (1.9.4-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: config: verify that targets of track-sc and stick rules
are present
- BUG/MAJOR: htx/backend: Make all tests on HTTP messages compatible
with HTX
- BUG/MAJOR: spoe: verify that backends used by SPOE cover all their
callers' processes
haproxy (1.9.3-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: mux-h2: don't destroy the stream on failed allocation in
h2_snd_buf()
- BUG/MEDIUM: checks: fix recent regression on agent-check making it
crash
- BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
haproxy (1.9.2-1) experimental; urgency=medium
* New upstream version.
- BUG/MAJOR: cache: fix confusion between zero and uninitialized cache
key
- BUG/MEDIUM: checks: Avoid having an associated server for email
checks.
- BUG/MEDIUM: connection: properly unregister the mux on failed
initialization
- BUG/MEDIUM: h1: Get the h1m state when restarting the headers
parsing
- BUG/MEDIUM: h1: Make sure we destroy an inactive connection that did
shutw.
- BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in
server-template
- BUG/MEDIUM: mux-h2: decode trailers in HEADERS frames
- BUG/MEDIUM: ssl: Disable anti-replay protection and set max data
with 0RTT.
- BUG/MEDIUM: ssl: missing allocation failure checks loading tls key
file
- BUG/MEDIUM: stats: Get the right scope pointer depending on HTX is
used or not
* d/patches: removal of CVE-2018-20615.patch (applied upstream)
haproxy (1.9.0-2) experimental; urgency=medium
* Fix out-of-bounds read in HTTP2 mux (CVE-2018-20615).
Possible crash in H2 HEADERS frame decoder when the PRIORITY flag
is present, due to a missing frame size check.
* Bump Standards-Version to 4.3.0; no changes needed.
haproxy (1.9.0-1) experimental; urgency=medium
* New upstream version 1.9.0.
See https://www.haproxy.com/blog/haproxy-1-9-has-arrived/.
* d/watch: update to follow 1.9.
* d/gbp.conf: update for 1.9 and experimental.
* d/rules: do not override CFLAGS, hijack DEBUG_CFLAGS for this instead.
* d/patches: add regression fix for DNS.
-- Andreas Hasenack <email address hidden> Fri, 05 Jul 2019 15:23:44 -0300
-
haproxy (1.8.19-1ubuntu1) disco; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
generate traffic through haproxy.
[Updated to use "service" instead of "systemctl" to match what was
submitted to Debian.]
haproxy (1.8.19-1) unstable; urgency=medium
* New upstream version 1.8.19
- BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
- BUG/MEDIUM: server: initialize the idle conns list after parsing the
config
- BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck
- BUG/MAJOR: stream: avoid double free on unique_id (Closes: #921981)
haproxy (1.8.18-1) unstable; urgency=medium
* New upstream version 1.8.18
- BUG/MAJOR: cache: fix confusion between zero and uninitialized cache
key
- BUG/MAJOR: config: verify that targets of track-sc and stick rules
are present
- BUG/MAJOR: spoe: verify that backends used by SPOE cover all their
callers' processes
-- Andreas Hasenack <email address hidden> Wed, 20 Feb 2019 14:18:15 +0100