- haproxy (2.6.12-1+rpi1) bookworm-staging; urgency=medium
++haproxy (2.6.12-1+rpi1+deb12u1) bookworm-staging; urgency=medium
+
+ [changes brought forward from 1.8.19-1+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 14 Mar 2019 20:25:01 +0000]
+ * Link with libatomic on armhf too.
+
- -- Raspbian forward porter <root@raspbian.org> Sun, 14 May 2023 19:45:32 +0000
++ -- Raspbian forward porter <root@raspbian.org> Sat, 06 Jan 2024 09:27:30 +0000
++
+ haproxy (2.6.12-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * REORG: http: move has_forbidden_char() from h2.c to http.h
+ * BUG/MAJOR: h3: reject header values containing invalid chars
+ * BUG/MAJOR: http: reject any empty content-length header value
+ (CVE-2023-40225) (Closes: #1043502)
+ * MINOR: ist: add new function ist_find_range() to find a character range
+ * MINOR: http: add new function http_path_has_forbidden_char()
+ * MINOR: h2: pass accept-invalid-http-request down the request parser
+ * REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri
+ tests
+ * BUG/MINOR: h1: do not accept '#' as part of the URI component
+ (CVE-2023-45539)
+ * BUG/MINOR: h2: reject more chars from the :path pseudo header
+ * BUG/MINOR: h3: reject more chars from the :path pseudo header
+ * REGTESTS: http-rules: verify that we block '#' by default for
+ normalize-uri
+ * DOC: clarify the handling of URL fragments in requests
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 16 Dec 2023 17:41:30 +0100
haproxy (2.6.12-1) unstable; urgency=medium
projects / haproxy.git / commitdiff