Package: haproxy / 2.6.12-1+deb12u2
Metadata
| Package | Version | Patches format |
|---|---|---|
| haproxy | 2.6.12-1+deb12u2 | 3.0 (quilt) |
Patch series
view the series file| Patch | File delta | Description |
|---|---|---|
| haproxy.service start after syslog.patch | (download) |
admin/systemd/haproxy.service.in |
2 1 + 1 - 0 ! |
start after rsyslog.service As HAProxy is running chrooted by default, we rely on an additional syslog socket created by rsyslog inside the chroot for logging. As this socket cannot trigger syslog activation, we explicitly order HAProxy after rsyslog.service. Note that we are not using syslog.service here, since the additional socket is rsyslog-specific. |
| haproxy.service add documentation.patch | (download) |
admin/systemd/haproxy.service.in |
2 2 + 0 - 0 ! |
add documentation field to the systemd unit |
| haproxy.service make systemd bind dev log inside chroot.patch | (download) |
admin/systemd/haproxy.service.in |
1 1 + 0 - 0 ! |
haproxy.service: make systemd bind /dev/log inside chroot This enables logging to work without rsyslog being present. |
| reproducible.patch | (download) |
Makefile |
2 1 + 1 - 0 ! |
--- |
| REORG http move has_forbidden_char from h2.c to http.patch | (download) |
include/haproxy/http.h |
18 18 + 0 - 0 ! |
reorg: http: move has_forbidden_char() from h2.c to http.h |
| BUG MAJOR h3 reject header values containing invalid.patch | (download) |
src/h3.c |
38 38 + 0 - 0 ! |
bug/major: h3: reject header values containing invalid chars |
| BUG MAJOR http reject any empty content length heade.patch | (download) |
reg-tests/http-messaging/h1_to_h1.vtc |
26 26 + 0 - 0 ! |
bug/major: http: reject any empty content-length header value |
| MINOR ist add new function ist_find_range to find a .patch | (download) |
include/import/ist.h |
47 47 + 0 - 0 ! |
minor: ist: add new function ist_find_range() to find a character range |
| MINOR http add new function http_path_has_forbidden_.patch | (download) |
include/haproxy/http.h |
19 19 + 0 - 0 ! |
minor: http: add new function http_path_has_forbidden_char() |
| MINOR h2 pass accept invalid http request down the r.patch | (download) |
include/haproxy/h2.h |
2 1 + 1 - 0 ! |
minor: h2: pass accept-invalid-http-request down the request parser |
| REGTESTS http rules add accept invalid http request .patch | (download) |
reg-tests/http-rules/normalize_uri.vtc |
2 2 + 0 - 0 ! |
regtests: http-rules: add accept-invalid-http-request for normalize-uri tests |
| BUG MINOR h1 do not accept as part of the URI compon.patch | (download) |
src/h1.c |
15 11 + 4 - 0 ! |
bug/minor: h1: do not accept '#' as part of the uri component |
| BUG MINOR h2 reject more chars from the path pseudo .patch | (download) |
src/h2.c |
15 11 + 4 - 0 ! |
bug/minor: h2: reject more chars from the :path pseudo header |
| BUG MINOR h3 reject more chars from the path pseudo .patch | (download) |
src/h3.c |
14 14 + 0 - 0 ! |
bug/minor: h3: reject more chars from the :path pseudo header |
| REGTESTS http rules verify that we block by default .patch | (download) |
reg-tests/http-rules/normalize_uri.vtc |
11 11 + 0 - 0 ! |
regtests: http-rules: verify that we block '#' by default for normalize-uri |
| DOC clarify the handling of URL fragments in request.patch | (download) |
doc/configuration.txt |
20 17 + 3 - 0 ! |
doc: clarify the handling of url fragments in requests |
| 0001 BUG MEDIUM sample fix risk of overflow when replacin.patch | (download) |
src/sample.c |
2 1 + 1 - 0 ! |
bug/medium: sample: fix risk of overflow when replacing multiple
regex back-refs
Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
reported a bug in sample_conv_regsub(), which can cause replacements
of multiple back-references to overflow the temporary trash buffer.
The problem happens when doing "regsub(match,replacement,g)": we're
replacing every occurrence of "match" with "replacement" in the input
sample, which requires a length check. For this, a max is applied, so
that a replacement may not use more than the remaining length in the
buffer. However, the length check is made on the replaced pattern and
not on the temporary buffer used to carry the new string. This results
in the remaining size to be usable for each input match, which can go
beyond the temporary buffer size if more than one occurrence has to be
replaced with something that's larger than the remaining room.
The fix proposed by Aleandro and Edoardo is the correct one (check on
"trash" not "output"), and is the one implemented in this patch.
While it is very unlikely that a config will replace multiple short
patterns each with a larger one in a request, this possibility cannot
be entirely ruled out (e.g. mask a known, short IP address using
"XXX.XXX.XXX.XXX"). However when this happens, the replacement pattern
will be static, and not be user-controlled, which is why this patch is
marked as medium.
The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
regsub now supports backreferences"), so it must be backported to all
versions.
Special thanks go to Aleandro and Edoardo for reporting this bug with
a simple reproducer and a fix.
(cherry picked from commit 3e3b9eebf871510aee36c3a3336faac2f38c9559)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit db87c8d9fe621539531f6f915ba9e1755a2a26cb)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
|