- Fix CVE-2020-11100: In hpack_dht_insert in hpack-tbl.c in the HPACK
decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can
write arbitrary bytes around a certain location on the heap via a
crafted HTTP/2 request, possibly causing remote code execution.
https://www.mail-archive.com/haproxy@formilux.org/msg36878.html
Furthermore, 1.9.14 contains a number of bugfixes.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-19330: The HTTP/2 implementation in HAProxy before 2.0.10
mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd),
line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka
Intermediary Encapsulation Attacks (1.9.13)
- CVE-2019-14241: HAProxy through 2.0.2 allows attackers to cause a denial
of service (ha_panic) via vectors related to
htx_manage_client_side_cookies in proto_htx.c (1.9.9)
- CVE-2019-11323: HAProxy before 1.9.7 mishandles a reload with rotated
keys, which triggers use of uninitialized, and very predictable, HMAC
keys. This is related to an include/types/ssl_sock.h error (1.9.7)
In addition, a large number of non-security related bugs have been fixed.
See the changelog for details:
https://www.haproxy.org/download/1.9/src/CHANGELOG
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove patch and tweak haproxy.mk to adapt pcre-config/pcre2-config
workaround with upstream solution.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If threads are enabled, as described in include/common/hathreads.h,
haproxy uses __sync_*_4 intrisics if gcc < 4.7. Otherwise, haproxy
uses __atomic_ intrinsics.
As a result, instead of adding a dependency on BR2_TOOLCHAIN_HAS_SYNC_4
and BR2_TOOLCHAIN_HAS_ATOMIC in Config.in, enable threads only if the
dependencies are fulfilled in haproxy.mk
Fixes:
- http://autobuild.buildroot.org/results/7f24873ecdd9246c95c03bb8d2fcd4c16c488c6c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
HAProxy is a free, very fast and reliable solution offering
high availability, load balancing, and proxying for TCP and
HTTP-based applications.
http://www.haproxy.org
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
