Package: haproxy / 2.6.12-1+deb12u3
Metadata
| Package | Version | Patches format |
|---|---|---|
| haproxy | 2.6.12-1+deb12u3 | 3.0 (quilt) |
Patch series
view the series file| Patch | File delta | Description |
|---|---|---|
| haproxy.service start after syslog.patch | (download) |
admin/systemd/haproxy.service.in |
2 1 + 1 - 0 ! |
start after rsyslog.service As HAProxy is running chrooted by default, we rely on an additional syslog socket created by rsyslog inside the chroot for logging. As this socket cannot trigger syslog activation, we explicitly order HAProxy after rsyslog.service. Note that we are not using syslog.service here, since the additional socket is rsyslog-specific. |
| haproxy.service add documentation.patch | (download) |
admin/systemd/haproxy.service.in |
2 2 + 0 - 0 ! |
add documentation field to the systemd unit |
| haproxy.service make systemd bind dev log inside chroot.patch | (download) |
admin/systemd/haproxy.service.in |
1 1 + 0 - 0 ! |
haproxy.service: make systemd bind /dev/log inside chroot This enables logging to work without rsyslog being present. |
| reproducible.patch | (download) |
Makefile |
2 1 + 1 - 0 ! |
--- |
| REORG http move has_forbidden_char from h2.c to http.patch | (download) |
include/haproxy/http.h |
18 18 + 0 - 0 ! |
reorg: http: move has_forbidden_char() from h2.c to http.h |
| BUG MAJOR h3 reject header values containing invalid.patch | (download) |
src/h3.c |
38 38 + 0 - 0 ! |
bug/major: h3: reject header values containing invalid chars |
| BUG MAJOR http reject any empty content length heade.patch | (download) |
reg-tests/http-messaging/h1_to_h1.vtc |
26 26 + 0 - 0 ! |
bug/major: http: reject any empty content-length header value |
| MINOR ist add new function ist_find_range to find a .patch | (download) |
include/import/ist.h |
47 47 + 0 - 0 ! |
minor: ist: add new function ist_find_range() to find a character range |
| MINOR http add new function http_path_has_forbidden_.patch | (download) |
include/haproxy/http.h |
19 19 + 0 - 0 ! |
minor: http: add new function http_path_has_forbidden_char() |
| MINOR h2 pass accept invalid http request down the r.patch | (download) |
include/haproxy/h2.h |
2 1 + 1 - 0 ! |
minor: h2: pass accept-invalid-http-request down the request parser |
| REGTESTS http rules add accept invalid http request .patch | (download) |
reg-tests/http-rules/normalize_uri.vtc |
2 2 + 0 - 0 ! |
regtests: http-rules: add accept-invalid-http-request for normalize-uri tests |
| BUG MINOR h1 do not accept as part of the URI compon.patch | (download) |
src/h1.c |
15 11 + 4 - 0 ! |
bug/minor: h1: do not accept '#' as part of the uri component |
| BUG MINOR h2 reject more chars from the path pseudo .patch | (download) |
src/h2.c |
15 11 + 4 - 0 ! |
bug/minor: h2: reject more chars from the :path pseudo header |
| BUG MINOR h3 reject more chars from the path pseudo .patch | (download) |
src/h3.c |
14 14 + 0 - 0 ! |
bug/minor: h3: reject more chars from the :path pseudo header |
| REGTESTS http rules verify that we block by default .patch | (download) |
reg-tests/http-rules/normalize_uri.vtc |
11 11 + 0 - 0 ! |
regtests: http-rules: verify that we block '#' by default for normalize-uri |
| DOC clarify the handling of URL fragments in request.patch | (download) |
doc/configuration.txt |
20 17 + 3 - 0 ! |
doc: clarify the handling of url fragments in requests |
| 0001 BUG MEDIUM sample fix risk of overflow when replacin.patch | (download) |
src/sample.c |
2 1 + 1 - 0 ! |
bug/medium: sample: fix risk of overflow when replacing multiple
regex back-refs
Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
reported a bug in sample_conv_regsub(), which can cause replacements
of multiple back-references to overflow the temporary trash buffer.
The problem happens when doing "regsub(match,replacement,g)": we're
replacing every occurrence of "match" with "replacement" in the input
sample, which requires a length check. For this, a max is applied, so
that a replacement may not use more than the remaining length in the
buffer. However, the length check is made on the replaced pattern and
not on the temporary buffer used to carry the new string. This results
in the remaining size to be usable for each input match, which can go
beyond the temporary buffer size if more than one occurrence has to be
replaced with something that's larger than the remaining room.
The fix proposed by Aleandro and Edoardo is the correct one (check on
"trash" not "output"), and is the one implemented in this patch.
While it is very unlikely that a config will replace multiple short
patterns each with a larger one in a request, this possibility cannot
be entirely ruled out (e.g. mask a known, short IP address using
"XXX.XXX.XXX.XXX"). However when this happens, the replacement pattern
will be static, and not be user-controlled, which is why this patch is
marked as medium.
The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
regsub now supports backreferences"), so it must be backported to all
versions.
Special thanks go to Aleandro and Edoardo for reporting this bug with
a simple reproducer and a fix.
(cherry picked from commit 3e3b9eebf871510aee36c3a3336faac2f38c9559)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit db87c8d9fe621539531f6f915ba9e1755a2a26cb)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
|
| 0001 BUG CRITICAL mjson fix possible DoS when parsing num.patch | (download) |
src/mjson.c |
14 12 + 2 - 0 ! |
bug/critical: mjson: fix possible dos when parsing numbers Mjson comes with its own strtod() implementation for portability reasons and probably also because many generic strtod() versions as provided by operating systems do not focus on resource preservation and may call malloc(), which is not welcome in a parser. The strtod() implementation used here apparently originally comes from https://gist.github.com/mattn/1890186 and seems to have purposely omitted a few parts that were considered as not needed in this context (e.g. skipping white spaces, or setting errno). But when subject to the relevant test cases of the designated file above, the current function provides the same results. The aforementioned implementation uses pow() to calculate exponents, but mjson authors visibly preferred not to introduce a libm dependency and replaced it with an iterative loop in O(exp) time. The problem is that the exponent is not bounded and that this loop can take a huge amount of time. There's even an issue already opened on mjson about this: https://github.com/cesanta/mjson/issues/59. In the case of haproxy, fortunately, the watchdog will quickly stop a runaway process but this remains a possible denial of service. A first approach would consist in reintroducing pow() like in the original implementation, but if haproxy is built without Lua nor 51Degrees, -lm is not used so this will not work everywhere. Anyway here we're dealing with integer exponents, so an easy alternate approach consists in simply using shifts and squares, to compute the exponent in O(log(exp)) time. Not only it doesn't introduce any new dependency, but it turns out to be even faster than the generic pow() (85k req/s per core vs 83.5k on the same machine). This must be backported as far as 2.4, where mjson was introduced. Many thanks to Oula Kivalo for reporting this issue. |