{"id":2232523,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2232523/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260504160924.14432-1-peter@korsgaard.com/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.1/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260504160924.14432-1-peter@korsgaard.com>","date":"2026-05-04T16:09:22","name":"package/haproxy: bump version to 6.2.27","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"32e7cc8eba1f32a668435522a053039ceb2815b3","submitter":{"id":42365,"url":"http://patchwork.ozlabs.org/api/1.1/people/42365/?format=json","name":"Peter Korsgaard","email":"peter@korsgaard.com"},"delegate":{"id":89618,"url":"http://patchwork.ozlabs.org/api/1.1/users/89618/?format=json","username":"juju","first_name":"Julien","last_name":"Olivain","email":"juju@cotds.org"},"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260504160924.14432-1-peter@korsgaard.com/mbox/","series":[{"id":502693,"url":"http://patchwork.ozlabs.org/api/1.1/series/502693/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=502693","date":"2026-05-04T16:09:22","name":"package/haproxy: bump version to 6.2.27","version":1,"mbox":"http://patchwork.ozlabs.org/series/502693/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2232523/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2232523/checks/","tags":{},"headers":{"From":"Peter Korsgaard <peter@korsgaard.com>","To":"buildroot@buildroot.org","Cc":"Fabrice Fontaine <fontaine.fabrice@gmail.com>","Date":"Mon,  4 May 2026 18:09:22 +0200","Message-ID":"<20260504160924.14432-1-peter@korsgaard.com>","X-Mailer":"git-send-email 2.47.3","Subject":"[Buildroot] [PATCH] package/haproxy: bump version to 6.2.27"},"content":"Bugfix release with a large number of (security) fixes.\n\nFor 6.2.26:\n\n  - a severe issue was found in the compression library (slz) where\n    specially 
crafted patterns with tune.bufsize above 17408 or\n    tune.maxrewrite below 964 (both non-default) could cause output\n    buffer overflows due to the overhead exceeding the promised\n    worst-case growth bound of 5 bytes and reaching up to 1/16 of the\n    input contents. Given that the compression output is hardly\n    controllable, and the canaries at the end of the pools will catch\n    this at release time, the risk of exploitation by a hostile server\n    is close to zero; however, it will cause repeated crashes if such a\n    crafted file is present on a server and regularly downloaded. A\n    workaround consists in keeping tune.maxrewrite at least 1/16 of\n    tune.bufsize or just not changing them since the defaults are safe.\n    A CVE was requested two weeks ago for this one; I'll mention it when\n    it arrives.\n\n  - HTTP/2 incomplete transfer detection was missing for HEADERS frames\n    carrying END_STREAM. When relayed to an HTTP/1.1 server that\n    responds before the end of the transfer, this can result in bytes\n    of the next request over the same connection being ignored. Most of\n    the time it will cause the connection to be dropped due to an\n    unparsable request, but when combined with \"http-reuse never\", or\n    on totally idle servers, the client could expect the second request\n    to reuse the same connection and perform a content smuggling attack\n    that would allow passing an unverified request to a server. For\n    those who can't upgrade, a temporary workaround is to disable\n    HTTP/2 by specifying \"alpn http/1.1\" on bind lines and adding\n    \"disable-h2-upgrade\" in HTTP frontends. 
A CVE will be requested for\n    this one.\n\n  - HTTP/1.1 bodyless messages announcing a non-null Content-Length did\n    not force close mode on the backend, potentially causing\n    desynchronisation between HAProxy and the server in conjunction\n    with other bugs.\n\n  - FCGI record length truncation with large bufsize (>=65544) could\n    enable request smuggling into PHP-FPM since the 16-bit\n    content_length field was silently truncated to 65535 bytes.\n\n  - an unvalidated SNI name_len field in ClientHello could cause OOB\n    heap reads of up to 65KB via XXH3, smp_dup(), and log-format leaks\n    on any TCP frontend using req.ssl_sni, possibly causing crashes when\n    used.\n\n  - ECDSA JWT signatures with ES256/384/512 could cause a heap overflow\n    of ~14 bytes in the DER conversion before verification.\n\n  - Lua's httpclient headers conversion accepted more than 101 headers\n    without bound checking, causing a stack buffer overflow reachable\n    from any Lua action/task/service.\n\n  - peers dictionary cache updates accepted an unvalidated entry id as\n    an array index, allowing OOB heap writes at attacker-controlled\n    offsets.\n\n  - Lua had a use-after-free of HTTP reason strings managed by Lua's GC\n    between set_status() and start_response(), potentially leaking\n    adjacent information from memory.\n\n  - the regsub sample function could leak ~9-50KB of stale heap data\n    when back-reference expansion overflowed the output buffer.\n\n  - SPOE decode_varint() had no iteration cap, allowing pointer\n    arithmetic to wrap and dereference memory ~64KB before the\n    allocation, causing SIGSEGV or parser confusion.\n\n  - in sample expressions, less common HTTP methods (PATCH etc.) are\n    represented by both an enum and a string. 
The string part was not\n    handled correctly in sample duplication functions, resulting in\n    their contents appearing empty when trying to fetch the method.\n\n  - QPACK varint decoding is now also limited to 62-bit, and had a risk\n    of 1-byte OOB reads on truncated streams, which could cause\n    incorrect header decoding.\n\n  - config: a few argument parsing errors in conditional expressions\n    used in \".if\" could be misreported and even cause a crash during\n    the parsing. Also, a few keywords relying on warnif_misplaced_*\n    didn't check the return value and didn't count emitted warnings as\n    warnings.\n\nFor more details, see the announcement:\nhttps://www.mail-archive.com/haproxy@formilux.org/msg47016.html\n\nFor 6.2.27:\n\nA major issue was fixed by this release. It was related to the scheme-based\nnormalization. The presence of commas in the Host header and authority was permitted\nand would be used to compare the values, which then would differ when read via\nhdr(host), which splits them on commas, and under certain circumstances trigger\ncrashes (at least it did in the OSS-Fuzz environment when injecting the values\ndirectly at the HTX layer). The issue was fixed. There remains the case of the comma\ncharacters in authorities. Even though the spec permits commas in authorities\n(not in domain names), there is currently no use case for this and it causes an\nambiguity with the historical use of hdr(host), so we preferred to just deny\nthem. The change was performed in 3.4-dev10 and postponed for the next 3.3\nrelease. It will probably be backported to lower versions too.\n\nAn issue in the FCGI multiplexer was fixed. The function responsible for emitting\nFCGI_PARAM records was not handling cases of a full buffer in a consistent\nway. The issue was quite limited, but the \"http-send-name-header\" option could\nbe silently ignored. 
The issue was fixed by reworking this function.\n\nThe scheme-based normalization was fixed to properly handle the case of OPTIONS\nrequests. As stated in RFC9110#4.2.3, when the scheme-based normalization is\nperformed, an empty path must be normalized to \"/\", except for OPTIONS requests.\n\nFinally, a memory leak on an error path (tools) and other minor issues were also\nfixed.\n\nFor more details, see the announcement:\nhttps://www.mail-archive.com/haproxy@formilux.org/msg47059.html\n\nSigned-off-by: Peter Korsgaard <peter@korsgaard.com>\n---\n package/haproxy/haproxy.hash | 4 ++--\n package/haproxy/haproxy.mk   | 2 +-\n 2 files changed, 3 insertions(+), 3 deletions(-)","diff":"diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash\nindex 5c644356a6..6bb5dda804 100644\n--- a/package/haproxy/haproxy.hash\n+++ b/package/haproxy/haproxy.hash\n@@ -1,5 +1,5 @@\n-# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.25.tar.gz.sha256\n-sha256  d861cacbe2ed51ae8ad5fa9ee5165b4e5e2bccaa5b9e04324711761d7d946be9  haproxy-2.6.25.tar.gz\n+# 
From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.27.tar.gz.sha256\n+sha256  ccdaf08e8653f9651992212b51af0b5513c2e2cf0cd822ca67c94cffe10386a6  haproxy-2.6.27.tar.gz\n # Locally computed:\n sha256  0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28  LICENSE\n sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  doc/lgpl.txt\ndiff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk\nindex a22c8b38ce..cf1484243c 100644\n--- a/package/haproxy/haproxy.mk\n+++ b/package/haproxy/haproxy.mk\n@@ -5,7 +5,7 @@\n ################################################################################\n \n HAPROXY_VERSION_MAJOR = 2.6\n-HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).25\n+HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).27\n HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src\n HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions\n HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt\n","prefixes":[]}
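Review bot: in the haproxy.hash hunk, the new sha256 for haproxy-2.6.27.tar.gz is copied from a .sha256 file fetched over plain http:// (the "From:" comment line), the same channel an attacker who can tamper with the tarball download could also tamper with; the diff itself gives no way to confirm the value, so please state in the commit message how the hash was cross-checked (for example against the upstream announcement or an https fetch of the .sha256 file), or switch the comment URL and HAPROXY_SITE to https if upstream serves it, so the locally recorded hash actually pins a verified artifact.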
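Review bot: the version in the subject and commit message does not match the haproxy.mk hunk. The hunk changes `HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).25` to `HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).27` with `HAPROXY_VERSION_MAJOR = 2.6`, i.e. a 2.6.25 to 2.6.27 bump (consistent with the haproxy-2.6.27.tar.gz name in the hash hunk), while the title says "bump version to 6.2.27" and the message refers to "6.2.26" and "6.2.27". Please fix the title and the "For 6.2.26:" / "For 6.2.27:" headings to 2.6.x so the git log matches what is packaged and the linked release announcements.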