| Message ID | 20210910140241.26771-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/haproxy: security bump to version 2.4.4 | expand |
Peter, All, On 2021-09-10 16:02 +0200, Peter Korsgaard spake thusly: > Fixes the following security issues: > > - CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in > the htx_add_header() can be exploited to perform an HTTP request smuggling > attack, allowing an attacker to bypass all configured http-request HAProxy > ACLs and possibly other ACLs. > > For more details, see the advisory: > https://www.mail-archive.com/haproxy@formilux.org/msg41114.html > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/haproxy/haproxy.hash | 4 ++-- > package/haproxy/haproxy.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash > index 9edf5def08..3ad5e4ebe8 100644 > --- a/package/haproxy/haproxy.hash > +++ b/package/haproxy/haproxy.hash > @@ -1,5 +1,5 @@ > -# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.3.tar.gz.sha256 > -sha256 ce479380be5464faa881dcd829618931b60130ffeb01c88bc2bf95e230046405 haproxy-2.4.3.tar.gz > +# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.4.tar.gz.sha256 > +sha256 116b7329cebee5dab8ba47ad70feeabd0c91680d9ef68c28e41c34869920d1fe haproxy-2.4.4.tar.gz > # Locally computed: > sha256 0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28 LICENSE > sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a doc/lgpl.txt > diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk > index 85d4fa7e8d..91cb71eb7c 100644 > --- a/package/haproxy/haproxy.mk > +++ b/package/haproxy/haproxy.mk > @@ -5,7 +5,7 @@ > ################################################################################ > > HAPROXY_VERSION_MAJOR = 2.4 > -HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).3 > +HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).4 > HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src > HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions > HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt > -- > 2.20.1 > > _______________________________________________ > buildroot mailing list > buildroot@lists.buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issues: > - CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in > the htx_add_header() can be exploited to perform an HTTP request smuggling > attack, allowing an attacker to bypass all configured http-request HAProxy > ACLs and possibly other ACLs. > For more details, see the advisory: > https://www.mail-archive.com/haproxy@formilux.org/msg41114.html > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2021.08.x, thanks. For 2021.02.x and 2021.05.x I have bumped to 2.2.17 instead which contains the same fix.
diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash index 9edf5def08..3ad5e4ebe8 100644 --- a/package/haproxy/haproxy.hash +++ b/package/haproxy/haproxy.hash @@ -1,5 +1,5 @@ -# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.3.tar.gz.sha256 -sha256 ce479380be5464faa881dcd829618931b60130ffeb01c88bc2bf95e230046405 haproxy-2.4.3.tar.gz +# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.4.tar.gz.sha256 +sha256 116b7329cebee5dab8ba47ad70feeabd0c91680d9ef68c28e41c34869920d1fe haproxy-2.4.4.tar.gz # Locally computed: sha256 0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28 LICENSE sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a doc/lgpl.txt diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk index 85d4fa7e8d..91cb71eb7c 100644 --- a/package/haproxy/haproxy.mk +++ b/package/haproxy/haproxy.mk @@ -5,7 +5,7 @@ ################################################################################ HAPROXY_VERSION_MAJOR = 2.4 -HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).3 +HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).4 HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt
Fixes the following security issues: - CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in the htx_add_header() can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. For more details, see the advisory: https://www.mail-archive.com/haproxy@formilux.org/msg41114.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/haproxy/haproxy.hash | 4 ++-- package/haproxy/haproxy.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)