This is a long term supported version that will be maintained till 2027.
https://www.mail-archive.com/haproxy@formilux.org/msg42371.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix CVE-2022-0711: A flaw was found in the way HAProxy processed HTTP
responses containing the "Set-Cookie2" header. This flaw could allow an
attacker to send crafted HTTP response packets which lead to an infinite
loop, eventually resulting in a denial of service condition. The highest
threat from this vulnerability is availability.
https://www.mail-archive.com/haproxy@formilux.org/msg41963.htmlhttps://www.mail-archive.com/haproxy@formilux.org/msg41873.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a bug fix release which addresses quite a number of issues
https://www.mail-archive.com/haproxy@formilux.org/msg41404.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in
the htx_add_header() can be exploited to perform an HTTP request smuggling
attack, allowing an attacker to bypass all configured http-request HAProxy
ACLs and possibly other ACLs.
For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
- CVE-2021-39240: An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3
before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme
and path portions of a URI have the expected characters. For example, the
authority field (as observed on a target HTTP/2 server) might differ from
what the routing rules were intended to achieve.
- CVE-2021-39241: An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2
before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method
name may contain a space followed by the name of a protected resource. It
is possible that a server would interpret this as a request for that
protected resource, such as in the "GET /admin? HTTP/1.1 /static/images
HTTP/1.1" example.
- CVE-2021-39242: An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3
before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an
attacker-controlled HTTP Host header, because a mismatch between Host and
authority is mishandled.
For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41041.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Two major bugs were fixed in this versions, both leading to a memory
corruption and random crashes.
https://www.mail-archive.com/haproxy@formilux.org/msg39068.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When threads are enabled, haproxy expects that pthread_getcpuclockid is
available which is not the case on m68k. Fix this by enabling threads
support only if NPTL is available.
Fixes:
- http://autobuild.buildroot.org/results/52cc4b1fcac2a4fc84ab15ec4c692d2cd9b6d8bd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Fix CVE-2020-11100: In hpack_dht_insert in hpack-tbl.c in the HPACK
decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can
write arbitrary bytes around a certain location on the heap via a
crafted HTTP/2 request, possibly causing remote code execution.
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-19330: The HTTP/2 implementation in HAProxy before 2.0.10
mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd),
line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka
Intermediary Encapsulation Attacks.
In addition, 2.0.6..10 fixes a number of bugs. See the changelog for
details:
https://www.haproxy.org/download/2.0/src/CHANGELOG
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With Microblaze ccc version < 8.x and optimization, the build fails
with;
'internal compiler error: in do_output_reload, at reload1.c:7978'
This is due to gcc bug 90620:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90620. To avoid this, the
haproxy package has a !BR2_microblaze dependency. However, this gcc
bug 90620 only triggers when optimization is enabled, so we can work
around the issue by passing -O0, which is what we do in other
Buildroot packages to work around similar Microblaze issues.
So, this commit passes -O0 when BR2_TOOLCHAIN_HAS_GCC_BUG_90620, and
re-enables haproxy on Microblaze.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove patch and tweak haproxy.mk to adapt pcre-config/pcre2-config
workaround with upstream solution.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
__sync_*_4 intrinsics is used by common/hathreads.h when gcc < 4.7 but
also by contrib/tcploop.c or include/proto/shctx.h so put back a
mandatory dependency on BR2_TOOLCHAIN_HAS_SYNC_4 which has been
wrongly removed by commit f22fca4bf2
("haproxy: tweak thread activation").
Fixes:
- http://autobuild.buildroot.net/results/52c88f2f27e1a3c42cf71554cf680da86d933ef6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If threads are enabled, as described in include/common/hathreads.h,
haproxy uses __sync_*_4 intrisics if gcc < 4.7. Otherwise, haproxy
uses __atomic_ intrinsics.
As a result, instead of adding a dependency on BR2_TOOLCHAIN_HAS_SYNC_4
and BR2_TOOLCHAIN_HAS_ATOMIC in Config.in, enable threads only if the
dependencies are fulfilled in haproxy.mk
Fixes:
- http://autobuild.buildroot.org/results/7f24873ecdd9246c95c03bb8d2fcd4c16c488c6c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a patch to customize path to pcre-config or pcre2-config instead of
messing with PCREDIR, PCRE2DIR and PCRE2_LDFLAGS variables
Fixes:
- http://autobuild.buildroot.net/results/490bc87b43074623d2338cfd2acb77d5de0abaa6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
HAProxy is a free, very fast and reliable solution offering
high availability, load balancing, and proxying for TCP and
HTTP-based applications.
http://www.haproxy.org
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine