From: Raspbian automatic forward porter Date: Fri, 5 Jan 2024 18:45:26 +0000 (+0000) Subject: Merge version 2.2.9-2+rpi1+deb11u5 and 2.2.9-2+deb11u6 to produce 2.2.9-2+rpi1+deb11u6 X-Git-Tag: archive/raspbian/2.2.9-2+rpi1+deb11u6 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=3a7af8df65f771aa3d4417acf03bd70095b84d71;p=haproxy.git Merge version 2.2.9-2+rpi1+deb11u5 and 2.2.9-2+deb11u6 to produce 2.2.9-2+rpi1+deb11u6 --- 3e7ac46a0faa163db7e7f15bea47fd130e9b8f39 diff --cc debian/changelog index fc0adc6,02e61b5..817432d --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,21 +1,28 @@@ - haproxy (2.2.9-2+rpi1+deb11u5) bullseye-staging; urgency=medium ++haproxy (2.2.9-2+rpi1+deb11u6) bullseye-staging; urgency=medium + + [changes brought forward from 1.8.19-1+rpi1 by Peter Michael Green at Thu, 14 Mar 2019 20:25:01 +0000] + * Link with libatomic on armhf too. + - -- Raspbian forward porter Sat, 13 May 2023 11:21:57 +0000 ++ -- Raspbian forward porter Fri, 05 Jan 2024 18:45:26 +0000 ++ + haproxy (2.2.9-2+deb11u6) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * BUG/MAJOR: http: reject any empty content-length header value + (CVE-2023-40225) (Closes: #1043502) + * MINOR: ist: add new function ist_find_range() to find a character range + * MINOR: ist: Add istend() function to return a pointer to the end of the + string + * MINOR: http: add new function http_path_has_forbidden_char() + * MINOR: h2: pass accept-invalid-http-request down the request parser + * BUG/MINOR: h1: do not accept '#' as part of the URI component + (CVE-2023-45539) + * BUG/MINOR: h2: reject more chars from the :path pseudo header + * REGTESTS: http-rules: verify that we block '#' by default for + normalize-uri + * DOC: clarify the handling of URL fragments in requests + + -- Salvatore Bonaccorso Sat, 23 Dec 2023 11:02:19 +0100 haproxy (2.2.9-2+deb11u5) bullseye-security; urgency=high