-
haproxy (2.6.9-1ubuntu1.1) lunar-security; urgency=medium
* SECURITY UPDATE: incorrect handling of empty content-length header
- debian/patches/CVE-2023-40225-1.patch: add a proper check for empty
content-length header buffer in src/h1.c and src/http.c. Also add
tests for it in reg-tests/http-messaging/h1_to_h1.vtc and
reg-tests/http-messaging/h2_to_h1.vtc.
- debian/patches/CVE-2023-40225-2.patch: add a check for leading zero
in content-length header buffer in src/h1.c and src/http.c. Also add
tests in reg-tests/http-rules/h1or2_to_h1c.vtc.
- CVE-2023-40225
-- Rodrigo Figueiredo Zaiden <email address hidden> Tue, 15 Aug 2023 12:16:02 -0300
-
haproxy (2.6.9-1ubuntu1) lunar; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/{control,rules}: Remove support for OpenTracing due to it is
in universe.
* Dropped changes:
- debian/patches/CVE-2023-0056.patch: removed, included in new version.
haproxy (2.6.9-1) unstable; urgency=medium
* New upstream version.
haproxy (2.6.8-2) unstable; urgency=medium
* Add a NEWS entry for incompatibilities introduced in HAProxy 2.6.
Closes: #1030173.
* BUG/CRITICAL: http: properly reject empty http header field names
(CVE-2023-25725)
haproxy (2.6.8-1) unstable; urgency=medium
* New upstream release.
-- Marc Deslauriers <email address hidden> Fri, 17 Feb 2023 08:07:41 -0500
-
haproxy (2.6.7-1ubuntu2) lunar; urgency=medium
* SECURITY UPDATE: DoS via certain interim responses
- debian/patches/CVE-2023-0056.patch: refuse interim responses with
end-stream flag set in src/mux_h2.c.
- CVE-2023-0056
-- Marc Deslauriers <email address hidden> Thu, 19 Jan 2023 10:33:43 -0500
-
haproxy (2.6.7-1ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #1993402). Remaining changes:
- d/{control,rules}: Removing support for OpenTracing due to it is
in universe.
-- Lucas Kanashiro <email address hidden> Wed, 14 Dec 2022 11:49:52 -0300
-
haproxy (2.4.18-1ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/{control,rules}: Removing support for OpenTracing due to it is
in universe.
* Dropped (in 2.4.18-1):
- d/t/utils: add helper functions to be re-used in tests.
- d/t/proxy-localhost: refactor to use the check_index_file helper function.
- d/t/proxy-ssl-termination: add test for the SSL termination proxy feature.
- d/t/proxy-ssl-pass-through: add test for the SSL Pass-Through proxy feature.
- d/t/control: add both SSL related tests.
-- Andreas Hasenack <email address hidden> Mon, 15 Aug 2022 09:46:33 -0300
