summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Willy Tarreau [Sun, 29 Mar 2020 06:53:31 +0000 (08:53 +0200)]
BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
The HPACK header table is implemented as a wrapping list inside a contigous
area. Headers names and values are stored from right to left while indexes
are stored from left to right. When there's no more room to store a new one,
we wrap to the right again, or possibly defragment it if needed. The condition
do use the right part (called tailroom) or the left part (called headroom)
depends on the location of the last inserted header. After wrapping happens,
the code forces to stick to tailroom by pretending there's no more headroom,
so that the size fit test always fails. The problem is that nothing prevents
from storing a header with an empty name and empty value, resulting in a
total size of zero bytes, which satisfies the condition to use the headroom.
Doing this in a wrapped buffer results in changing the "front" header index
and causing miscalculations on the available size and the addresses of the
next headers. This may even allow to overwrite some parts of the index,
opening the possibility to perform arbitrary writes into a 32-bit relative
address space.
This patch fixes the issue by making sure the headroom is considered only
when the buffer does not wrap, instead of relying on the zero size. This
must be backported to all versions supporting H2, which is as far as 1.8.
Many thanks to Felix Wilhelm of Google Project Zero for responsibly
reporting this problem with a reproducer and a detailed analysis.
Gbp-Pq: Name 0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
Debian HAProxy Maintainers [Sun, 25 Mar 2018 09:31:50 +0000 (11:31 +0200)]
Add documentation field to the systemd unit
Forwarded: no
Last-Update: 2014-01-03
Gbp-Pq: Name haproxy.service-add-documentation.patch
Apollon Oikonomopoulos [Sun, 25 Mar 2018 09:31:50 +0000 (11:31 +0200)]
Start after rsyslog.service
As HAProxy is running chrooted by default, we rely on an additional syslog
socket created by rsyslog inside the chroot for logging. As this socket cannot
trigger syslog activation, we explicitly order HAProxy after rsyslog.service.
Note that we are not using syslog.service here, since the additional socket is
rsyslog-specific.
Forwarded: no
Last-Update: 2017-12-01
Gbp-Pq: Name haproxy.service-start-after-syslog.patch
Apollon Oikonomopoulos [Tue, 2 Jul 2013 12:24:59 +0000 (15:24 +0300)]
Use dpkg-buildflags to build halog
Forwarded: no
Last-Update: 2013-07-02
Gbp-Pq: Name 0002-Use-dpkg-buildflags-to-build-halog.patch
Vincent Bernat [Wed, 1 Apr 2020 19:49:32 +0000 (20:49 +0100)]
haproxy (2.0.13-2) unstable; urgency=medium
* d/dconv: replace cgi.escape by html.escape. Closes: #951416.
* d/copryight: document OpenSSL exception. Closes: #951782.
* d/haproxy.cfg: use "ssl-min-ver" to set minimum version.
* Apply one patch to fix an overflow in HTTP/2 header handling.
Fix CVE-2020-11100.
[dgit import unpatched haproxy 2.0.13-2]
Vincent Bernat [Wed, 1 Apr 2020 19:49:32 +0000 (20:49 +0100)]
Import haproxy_2.0.13-2.debian.tar.xz
[dgit import tarball haproxy 2.0.13-2 haproxy_2.0.13-2.debian.tar.xz]
Vincent Bernat [Sat, 15 Feb 2020 14:32:32 +0000 (14:32 +0000)]
Import haproxy_2.0.13.orig.tar.gz
[dgit import orig haproxy_2.0.13.orig.tar.gz]
projects / haproxy.git / log