"Haproxy now supports keeping the private and public keys in
separate files, while previously, they needed to be in the same
file. This allows us to directly use the output of acme-client(1)
without doing extra scripting."
Based on a diff from Aisha Tammy who also authored the quote.
From the Announce email:
The main driver for this release is that it contains a fix for a
serious vulnerability that was responsibly reported last week by
Felix Wilhelm from Google Project Zero, affecting the HPACK
decoder used for HTTP/2. CVE-2020-11100 was assigned to this
issue.
This vulnerability makes it possible under certain circumstances
to write to a wide range of memory locations within the process'
heap, with the limitation that the attacker doesn't control the
absolute address, so the most likely result and by a far margin
will be a process crash, but it is not possible to completely
rule out the faint possibility of a remote code execution, at
least in a lab-controlled environment.
Fix CVE-2018-20615: """BUG/CRITICAL: mux-h2: re-check the frame
length when PRIORITY is used
An incorrect frame length check is performed on HEADERS frame having
the PRIORITY flag, possibly resulting in a read-past-bound which can
cause a crash depending how the frame is crafted. All 1.9 and 1.8
versions are affected. As a result, all HTTP/2 users must either
upgrade or temporarily disable HTTP/2 by commenting the "npn h2" and
"alpn h2" statements on their related "bind" lines."""
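The workaround in the advisory above is to stop negotiating HTTP/2 on the affected "bind" lines until the upgrade can happen. Commenting out a whole "bind" line would also take the listener down, so the practical edit is to drop "h2" from each alpn (or legacy npn) protocol list and leave the rest of the line intact. The shell/awk helper below does that over a haproxy.cfg read from stdin, plus a grep-based count so you can confirm nothing still advertises h2. It is an added example, not code from the haproxy project or the OpenBSD port; the function names and the sample configuration fragment are constructed for illustration. Validate the rewritten file with `haproxy -c -f` before reloading.

```shell
#!/bin/sh
# Added example (not from the haproxy project or the OpenBSD port).
# strip_h2: rewrite "bind" lines so that "h2" disappears from any
# "alpn" or "npn" protocol list; HTTP/2 is then no longer negotiated
# but the listener itself stays up. All other lines pass through as-is.
# Usage: strip_h2 < /etc/haproxy/haproxy.cfg > /tmp/haproxy.cfg.noh2
strip_h2() {
  awk '
    # Only "bind" lines carry alpn/npn lists (leading whitespace is ignored by $1).
    $1 != "bind" { print; next }
    {
      match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
      out = ""
      for (i = 1; i <= NF; i++) {
        if (($i == "alpn" || $i == "npn") && i < NF) {
          kw = $i; i++
          n = split($i, protos, ",")
          list = ""
          for (j = 1; j <= n; j++)
            if (protos[j] != "h2")
              list = list (list == "" ? "" : ",") protos[j]
          # If h2 was the only protocol, drop the keyword entirely.
          if (list != "") out = out " " kw " " list
          continue
        }
        out = out " " $i
      }
      sub(/^ /, "", out)
      print indent out
    }'
}

# count_h2_binds: number of bind lines that still advertise h2 in an
# alpn/npn list (0 means none left). "|| true" keeps grep from failing
# the pipeline when the count is zero.
count_h2_binds() {
  grep -cE '^[[:space:]]*bind[[:space:]].*[[:space:]](alpn|npn)[[:space:]]+([^[:space:]]*,)?h2(,|[[:space:]]|$)' || true
}

# sample_cfg: a constructed haproxy.cfg fragment used as input here
# (hypothetical paths and ports, not taken from any real deployment).
sample_cfg() {
  cat <<'EOF'
frontend https-in
    bind :443 ssl crt /etc/ssl/example.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/ssl/example.pem alpn h2
    bind :80
    default_backend app
EOF
}

# Demonstration: show the count before, the rewritten config, and the count after.
echo "h2 binds before: $(sample_cfg | count_h2_binds)"
sample_cfg | strip_h2
echo "h2 binds after:  $(sample_cfg | strip_h2 | count_h2_binds)"
```

The rewrite is idempotent, so it is safe to run over a config that was already cleaned; when you are back on a fixed haproxy, restore h2 in the alpn lists rather than keeping the stripped copy.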
This moves the port to the latest stable branch. Thanks to Bernard Spil
for patching haproxy to make it work with libressl and pointing it to me!
OK gonzalo@
- BUG/MEDIUM: systemd: set KillMode to 'mixed'
- MINOR: systemd: Check configuration before start
- BUG/MEDIUM: config: avoid skipping disabled proxies
- BUG/MINOR: config: do not accept more track-sc than configured
- BUG/MEDIUM: backend: fix URI hash when a query string is present
ok benoit@
- DOC: fix typo in Unix Socket commands
- BUG/MEDIUM: connection: fix memory corruption when
building a proxy v2 header
- BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
- DOC: mention that Squid correctly responds 400 to PPv2
header
- BUG/MINOR: http: base32+src should use the big endian
version of base32
- BUG/MEDIUM: connection: fix proxy v2 header again!
Now use GMAKE.
Ok benoit@
- BUG/MAJOR: backend: consistent hash can loop forever in certain circumstances
- BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used
- MEDIUM: protocol: implement a "drain" function in protocol layers
- BUG/CRITICAL: fix a possible crash when using negative header occurrences
Resolves CVE-2013-2175
ok gonzalo
- BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations
- BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect
- REORG/MINOR: use dedicated proxy flags for the cookie handling
- BUG/MINOR: config: do not report twice the incompatibility between cookie and non-http
- MINOR: contrib/iprange: add a network IP range to mask converter
- BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches
- OPTIM: halog: make use of memchr() on platforms which provide a fast one
- OPTIM: halog: improve cold-cache behaviour when loading a file
- MINOR: config: tolerate server "cookie" setting in non-HTTP mode
- BUG/MINOR: tarpit: fix condition to return the HTTP 500 message
And others, while here remove for real the maintainer and add reload to rc.d(8) script.
Very initial update from chipitsine at gmail.com with tweaks by me. Thanks!
Ok aja@
- MINOR: stats admin: allow unordered parameters in POST requests
- BUG/MAJOR: possible crash when using capture headers on TCP frontends
- MINOR: config: disable header captures in TCP mode and complain
- CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
- BUG/MAJOR: checks: don't call set_server_status_* when no LB algo is set
- MINOR: proxy: make findproxy() return proxies from numeric IDs too
- BUG/MINOR: stop connect timeout when connect succeeds
And others (http://haproxy.1wt.eu/download/1.4/src/CHANGELOG), while here GROFF is not needed,
add an rc.d(8) script and the maintainer drops maintainership.
Tested on i386.
Ok sthen@ (untested)
which provides cookie-based persistence, automatic failover, header
insertion, deletion, modification on the fly, advanced logging contents
to help troubleshoot buggy applications and/or networks, and a few other
features. It uses its own state machine to achieve up to ten thousand
hits per second on modern hardware, even with thousands of simultaneous
connections.
feedback from merdely@, okan@, wcmaier@
ok merdely@ and pval@