[Bug 1950278] Re: Sync haproxy 2.4.8-1 (main) from Debian unstable (main)

Simon Chopin 1950278 at bugs.launchpad.net
Tue Nov 9 09:24:54 UTC 2021


This should theoretically fix
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1945773 (OpenSSL
3 build)

Title:
  Sync haproxy 2.4.8-1 (main) from Debian unstable (main)

Status in haproxy package in Ubuntu:
  New

Bug description:
  Please sync haproxy 2.4.8-1 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: duplicate content-length header check bypass in HTX
      - d/p/0001-2.0-2.3-BUG-MAJOR*.patch: fix missing header name length
        check in htx_add_header/trailer in src/htx.c.
      - CVE-2021-40346

    => This has been fixed in haproxy 2.4.4

    * SECURITY UPDATE: Multiple issues in HTTP/2 implementation
      - d/p/2.2-0001*.patch: add a new function http_validate_scheme() to
        validate a scheme.
      - d/p/2.2-0002*.patch: verify early that non-http/https schemes match
        the valid syntax.
      - d/p/2.2-0003*.patch: verify that :path starts with a / before
        concatenating it.
      - d/p/2.2-0004*.patch: enforce checks on the method syntax before
        translating to HTX.
      - d/p/2.2-0005*.patch: give :authority precedence over Host.
      - No CVE number

    => This patchset was part of the 2.4.3 release.

  Changelog entries since current jammy version 2.2.9-2ubuntu2:

  haproxy (2.4.8-1) unstable; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 04 Nov 2021 08:36:56 +0100

  haproxy (2.4.7-2) unstable; urgency=medium

    * Upload to unstable.

   -- Vincent Bernat <bernat at debian.org>  Sat, 16 Oct 2021 20:43:13 +0200

  haproxy (2.4.7-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 07 Oct 2021 09:08:09 +0200

  haproxy (2.4.4-1) experimental; urgency=medium

    * New upstream release.
    * d/patches: remove patches applied upstream.

   -- Vincent Bernat <bernat at debian.org>  Wed, 08 Sep 2021 08:38:05 +0200

  haproxy (2.4.3-2) experimental; urgency=high

    * d/patches: fix missing header name length check in HTX
      (CVE-2021-40346).

   -- Vincent Bernat <bernat at debian.org>  Sat, 04 Sep 2021 11:56:31 +0200

  haproxy (2.4.3-1) experimental; urgency=medium

    * New upstream release.
    * d/patches: remove patches applied upstream.
    * d/patches: h2: match absolute-path not path-absolute for :path.

   -- Vincent Bernat <bernat at debian.org>  Sat, 21 Aug 2021 16:32:25 +0200

  haproxy (2.4.2-2) experimental; urgency=medium

    * Fix HTTP request smuggling via HTTP/2 desync attacks.

   -- Vincent Bernat <bernat at debian.org>  Fri, 13 Aug 2021 16:12:31 +0200

  haproxy (2.4.2-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Wed, 07 Jul 2021 21:47:17 +0200

  haproxy (2.4.1-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 17 Jun 2021 13:57:57 +0200

  haproxy (2.4.0-1) experimental; urgency=medium

    * New upstream release.
    * d/rules: switch to SLZ instead of zlib
    * d/rules: update build for contrib → admin
    * d/rules: remove use of USE_REGPARM (outdated)
    * d/rules: remove hack around gcc_s
    * d/copyright: update

   -- Vincent Bernat <bernat at debian.org>  Tue, 18 May 2021 22:00:05 +0200

  haproxy (2.3.10-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Sat, 24 Apr 2021 18:22:41 +0200

  haproxy (2.3.9-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Tue, 30 Mar 2021 19:50:42 +0200

  haproxy (2.3.8-1) experimental; urgency=medium

    * New upstream release.
    * d/logrotate: reduce log retention to 7 days. Closes: #985441.

   -- Vincent Bernat <bernat at debian.org>  Thu, 25 Mar 2021 18:17:18 +0100

  haproxy (2.3.7-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Tue, 16 Mar 2021 18:41:25 +0100

  haproxy (2.3.6-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 04 Mar 2021 13:57:49 +0100

  haproxy (2.3.5-1) experimental; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Sat, 06 Feb 2021 17:12:53 +0100

  haproxy (2.3.4-1) experimental; urgency=medium

    * New upstream release:
      - Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records"

   -- Vincent Bernat <bernat at debian.org>  Fri, 15 Jan 2021 14:13:28 +0100

  haproxy (2.3.3-1) experimental; urgency=medium

    * d/tests: sleep before test to let Apache2 start.
      Closes: #976997.
    * New upstream release:
      - BUG/MAJOR: ring: tcp forward on ring can break the reader counter.
      - BUG/MAJOR: spoa/python: Fixing return None
      - BUG/MEDIUM: local log format regression. Closes: #974977.

   -- Vincent Bernat <bernat at debian.org>  Sat, 09 Jan 2021 15:18:10 +0100

  haproxy (2.3.2-1) experimental; urgency=medium

    * New upstream release.
      - BUG/MAJOR: connection: reset conn->owner when detaching from session
                   list
      - BUG/MAJOR: filters: Always keep all offsets up to date during data
                   filtering
      - BUG/MAJOR: peers: fix partial message decoding
      - BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer
                   pool

   -- Vincent Bernat <bernat at debian.org>  Sat, 28 Nov 2020 20:25:34 +0100

  haproxy (2.3.1-1) experimental; urgency=medium

    * New upstream release.
      - BUG/MAJOR: spoe: Be sure to remove all references on a released spoe
                   applet
    * d/patches: remove patches applied upstream.

   -- Vincent Bernat <bernat at debian.org>  Sat, 14 Nov 2020 23:17:20 +0100

  haproxy (2.3.0-1) experimental; urgency=medium

    * New upstream release.
    * d/gbp, d/watch: prepare for 2.3.0 release

   -- Vincent Bernat <bernat at debian.org>  Wed, 11 Nov 2020 16:30:10 +0100

  haproxy (2.2.17-1) unstable; urgency=medium

    * New upstream release.
    * d/patches: remove upstream-applied patch.

   -- Vincent Bernat <bernat at debian.org>  Thu, 09 Sep 2021 19:42:08 +0200

  haproxy (2.2.16-3) unstable; urgency=high

    * d/patches: fix missing header name length check in HTX
      (CVE-2021-40346).

   -- Vincent Bernat <bernat at debian.org>  Sat, 04 Sep 2021 16:14:51 +0200

  haproxy (2.2.16-2) unstable; urgency=medium

    * d/patches: h2: match absolute-path not path-absolute for :path

   -- Vincent Bernat <bernat at debian.org>  Sat, 21 Aug 2021 16:19:52 +0200

  haproxy (2.2.16-1) unstable; urgency=high

    * New upstream release.
    * Fix CVE-2021-39240, CVE-2021-39241, CVE-2021-39242.
    * d/patches: remove upstream-applied patch.

   -- Vincent Bernat <bernat at debian.org>  Thu, 19 Aug 2021 07:22:05 +0200

  haproxy (2.2.15-1) UNRELEASED; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Fri, 16 Jul 2021 11:18:32 +0200

  haproxy (2.2.14-1) UNRELEASED; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 29 Apr 2021 15:32:49 +0200

  haproxy (2.2.13-1) UNRELEASED; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Fri, 02 Apr 2021 21:18:28 +0200

  haproxy (2.2.12-1) UNRELEASED; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Wed, 31 Mar 2021 20:31:24 +0200

  haproxy (2.2.11-1) UNRELEASED; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 18 Mar 2021 21:34:40 +0100

  haproxy (2.2.10-1) UNRELEASED; urgency=medium

    * New upstream release.

   -- Vincent Bernat <bernat at debian.org>  Thu, 04 Mar 2021 19:08:41 +0100
