HAproxy-1.8.14

@DBezemer DBezemer released this 21 Nov 11:17
· 3 commits to 1.8 since this release
dfa7ddc

HAProxy 1.8.14 was released on 2018/09/20. It added 44 new commits
after version 1.8.13.

The most important one fixes a security issue reported by Tim Düsterhus
and which was assigned CVE-2018-14645. There is an integer signedness
issue in the HPACK decoder used in HTTP/2 which theoretically makes it
possible to remotely crash an haproxy instance where HTTP/2 is in use.
I want to thank Tim for his responsible reporting and Ryan O'Hara for
quickly providing us with a CVE ID.

The only workaround for those who for various reasons can't immediately
update, is to disable HTTP/2. But distros will provide an updated package
soon. If some distro maintainers need a way to test if their version is
properly fixed, please contact me privately, I'll explain how to proceed.
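
To apply the workaround above, you first need to know which listeners offer HTTP/2. The following is an added example, not part of the release notes or the HAProxy project: it assumes HTTP/2 is enabled by listing `h2` in a `bind` line's `alpn` (or `npn`) protocol list, and it runs on a constructed sample configuration. The function names are hypothetical.

```python
# Constructed sample configuration, not taken from the release notes.
SAMPLE_CFG = """\
frontend fe_tls
    mode http
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    # bind :9443 ssl crt /etc/haproxy/site.pem alpn h2
    bind :10443 ssl crt /etc/haproxy/site.pem alpn h2
    default_backend be_app
"""

def strip_h2(line):
    """Return the bind line without h2 in alpn/npn, or None if nothing changes."""
    words = line.split("#", 1)[0].split()   # a trailing comment is dropped
    if not words or words[0] != "bind":
        return None
    out, changed, i = [], False, 0
    while i < len(words):
        if words[i] in ("alpn", "npn") and i + 1 < len(words):
            offered = words[i + 1].split(",")
            kept = [p for p in offered if p != "h2"]
            changed = changed or kept != offered
            if kept:                        # drop the keyword if h2 was alone
                out += [words[i], ",".join(kept)]
            i += 2
        else:
            out.append(words[i])
            i += 1
    if not changed:
        return None
    indent = line[: len(line) - len(line.lstrip())]
    return indent + " ".join(out)

def audit(cfg_text):
    """List (line_number, original, rewritten) for every bind line offering h2."""
    findings = []
    for number, line in enumerate(cfg_text.splitlines(), start=1):
        fixed = strip_h2(line)
        if fixed is not None:
            findings.append((number, line, fixed))
    return findings

if __name__ == "__main__":
    for number, original, fixed in audit(SAMPLE_CFG):
        print(f"line {number}: HTTP/2 offered")
        print(f"  - {original.strip()}")
        print(f"  + {fixed.strip()}")
```

The script only reports and proposes rewritten lines; after editing the real file, validate it with `haproxy -c -f <file>` before reloading.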

Two other major issues are fixed in this version, one of them related to
how SSL is initialized in Lua, apparently it didn't properly consider
the presence of threads, leading to random behaviours. The second only
affects kqueue, I don't have the details in memory, I suspect it was
causing some delays in connection processing there.

The rest is the regular list of problematic but not critical issues that
need to be fixed but for which there is no emergency.