[ubuntu/focal-security] haproxy 2.0.31-0ubuntu0.2 (Accepted)
Rodrigo Figueiredo Zaiden
rodrigo.zaiden at canonical.com
Thu Aug 17 14:44:57 UTC 2023
haproxy (2.0.31-0ubuntu0.2) focal-security; urgency=medium
* SECURITY UPDATE: incorrect handling of empty content-length header
- debian/patches/CVE-2023-40225-1.patch: add a proper check for empty
content-length header buffer in src/h1.c and src/h2.c. Also add
tests for it in reg-tests/http-messaging/h1_to_h1.vtc and
reg-tests/http-messaging/h2_to_h1.vtc.
- debian/patches/CVE-2023-40225-2.patch: add a check for leading zero
in content-length header buffer in src/h1.c and src/h2.c. Also add
tests in reg-tests/http-rules/h1or2_to_h1c.vtc.
- CVE-2023-40225
haproxy (2.0.31-0ubuntu0.1) focal; urgency=medium
* New upstream release (LP: #2012557).
- Major and critical bug fixes according to the upstream changelog:
+ BUG/MAJOR: stick-tables: do not try to index a server name for applets
+ BUG/MAJOR: stick-table: don't process store-response rules for applets
+ BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is
realigned
+ BUG/CRITICAL: http: properly reject empty http header field names
- Remove patches applied by upstream in debian/patches:
+ CVE-2023-0056.patch
+ CVE-2023-25725.patch
- Refresh existing patches in debian/patches:
+ 0002-Use-dpkg-buildflags-to-build-halog.patch
* Backport DEP-8 tests from Lunar:
- d/t/proxy-ssl-termination
- d/t/proxy-ssl-pass-through
Date: 2023-08-16 22:34:13.483795+00:00
Changed-By: Rodrigo Figueiredo Zaiden <rodrigo.zaiden at canonical.com>
https://launchpad.net/ubuntu/+source/haproxy/2.0.31-0ubuntu0.2
-------------- next part --------------
Sorry, changesfile not available.
More information about the Focal-changes
mailing list