Willy Tarreau
2018-09-20 12:31:25 UTC
Subject: [ANNOUNCE] haproxy-1.8.14
To: ***@formilux.org
Hi,
HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
after version 1.8.13.
The most important one fixes a security issue reported by Tim Düsterhus
and which was assigned CVE-2018-14645. There is an integer signedness
issue in the HPACK decoder used in HTTP/2 which theoretically makes it
possible to remotely crash an haproxy instance where HTTP/2 is in use.
I want to thank Tim for his responsible reporting and Ryan O'Hara for
quickly providing us with a CVE ID.
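The following is an added illustration of the bug class named above, not HAProxy's code: the table model, the function names and the 5-byte integer limit are assumptions for the demo. A small HPACK integer decoder (RFC 7541 section 5.1) feeds a header-index check written first as a signed comparison, which a large decoded value slips past, and then as the unsigned comparison that rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#define STATIC_TABLE_SIZE 61u          /* RFC 7541 static table entries */
struct dyn_table { uint32_t used; };   /* simplified: entry count only (assumed) */

/* HPACK integer decoding (RFC 7541 section 5.1) with an N-bit prefix.
 * Returns bytes consumed, or 0 on truncated input or a value > 32 bits.
 * The decoded value is deliberately kept unsigned. */
static size_t hpack_decode_int(const uint8_t *buf, size_t len,
                               unsigned prefix, uint32_t *out)
{
    uint32_t mask = (1u << prefix) - 1;
    uint64_t val; size_t pos = 0; unsigned shift = 0;
    if (len == 0) return 0;
    val = buf[pos++] & mask;
    if (val < mask) { *out = (uint32_t)val; return pos; }
    while (pos < len && shift <= 28) {         /* at most 5 continuation bytes */
        uint8_t b = buf[pos++];
        val += (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) {
            if (val > UINT32_MAX) return 0;
            *out = (uint32_t)val; return pos;
        }
    }
    return 0;
}

/* Flawed pattern: the index is compared as a signed int. A decoded value above
 * INT_MAX becomes negative on common targets, satisfies "< limit" and would
 * later be used to index a table out of bounds. */
static int idx_valid_signed(const struct dyn_table *dht, int idx)
{ return idx < (int)(dht->used + STATIC_TABLE_SIZE + 1); }

/* Hardened: keep the index unsigned and reject the reserved index 0. */
static int idx_valid_unsigned(const struct dyn_table *dht, uint32_t idx)
{ return idx != 0 && idx <= dht->used + STATIC_TABLE_SIZE; }

/* Decode an indexed header field (first byte 1xxxxxxx) and validate the index;
 * use_signed selects the flawed check so both behaviours can be compared. */
static int decode_indexed_field(const uint8_t *buf, size_t len,
                                const struct dyn_table *dht, int use_signed)
{
    uint32_t idx;
    if (len == 0 || !(buf[0] & 0x80) || !hpack_decode_int(buf, len, 7, &idx))
        return 0;
    return use_signed ? idx_valid_signed(dht, (int)idx)
                      : idx_valid_unsigned(dht, idx);
}
```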
The only workaround for those who for various reasons can't immediately
update, is to disable HTTP/2. But distros will provide an updated package
soon. If some distro maintainers need a way to test if their version is
properly fixed, please contact me privately, I'll explain how to proceed.
Two other major issues are fixed in this version, one of them related to
how SSL is initialized in Lua, apparently it didn't properly consider
the presence of threads, leading to random behaviours. The second only
affects kqueue, I don't have the details in memory, I suspect it was
causing some delays in connection processing there.
The rest is the regular list of problematic but not critical issues that
need to be fixed but for which there is no emergency.
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Sources : http://www.haproxy.org/download/1.8/src/
Git repository : http://git.haproxy.org/git/haproxy-1.8.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
Changelog : http://www.haproxy.org/download/1.8/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Baptiste Assmann (4):
MINOR: dns: fix wrong score computation in dns_get_ip_from_response
MINOR: dns: new DNS options to allow/prevent IP address duplication
BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file
BUG/MINOR: dns: check and link servers' resolvers right after config parsing
Bertrand Jacquin (2):
DOC: ssl: Use consistent naming for TLS protocols
DOC: Fix typos in lua documentation
Cyril Bonté (1):
BUG/MEDIUM: lua: socket timeouts are not applied
Dragan Dosen (1):
BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list
Emeric Brun (4):
BUG/MINOR: ssl: empty connections reported as errors.
BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
BUG/MINOR: map: fix map_regm with backref
Emmanuel Hocdet (1):
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1
Frédéric Lécaille (3):
BUG/MINOR: lua: Bad HTTP client request duration.
BUG/MAJOR: thread: lua: Wrong SSL context initialization.
BUG/MINOR: server: Crash when setting FQDN via CLI.
Jens Bissinger (1):
DOC: Fix spelling error in configuration doc
Lukas Tribus (1):
DOC: dns: explain set server ... fqdn requires resolver
Olivier Houchard (4):
MINOR: threads: Introduce double-width CAS on x86_64 and arm.
BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
BUG/MAJOR: kqueue: Don't reset the changes number by accident.
Patrick Hemmer (1):
BUG/MEDIUM: lua: reset lua transaction between http requests
Thierry FOURNIER (1):
BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers
Willy Tarreau (20):
BUG/MEDIUM: servers: check the queues once enabling a server
BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
MINOR: threads: add more consistency between certain variables in no-thread case
BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
MEDIUM: hathreads: implement a more flexible rendez-vous point
BUG/MEDIUM: cli: make "show fd" thread-safe
BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
BUG/MEDIUM: unix: provide a ->drain() function
BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
MINOR: thread: implement HA_ATOMIC_XADD()
BUG/MINOR: stream: use atomic increments for the request counter
BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
BUG/MINOR: http/threads: atomically increment the error snapshot ID
BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
BUG/MINOR: cli: make sure the "getsock" command is only called on connections
BUG/CRITICAL: hpack: fix improper sign check on the header index value
---