Devuan bug report logs -
#863
haproxy forward upgrade and connection headers as default (h2c request smuggling)
Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org: bug#863; Package haproxy. (Mon, 28 Oct 2024 10:38:01 GMT)
Acknowledgement sent to gr0 bUst4 <bUst4gr0@riseup.net>: New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org. (Mon, 28 Oct 2024 10:38:03 GMT)
Message #5 received at submit@bugs.devuan.org:
Package: haproxy
Version: 2.6.12-1
Suggest fixing this default forwarding.
-------- Forwarded Message --------
Subject: Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: Mon, 28 Oct 2024 07:08:40 +0100
From: Willy TARREAU <wtarreau@haproxy.com>
To: bUst4gr0@riseup.net
Hello,
Thanks for contacting us!
> I did a CVE request about HAProxy and the default forwarding of the headers
> Upgrade and Connection, which can lead to an h2c request smuggling or a
> WebSocket smuggling.
>
> The CVE request is just about h2c (over clear text); I didn't PoC enough for
> the WebSocket smuggling.
>
> I'd appreciate talking about this with you.
I guess you're speaking about this commit:
7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")
If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74
If not, do not hesitate to share details about your concerns.
Thanks,
Willy
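As an added example (not HAProxy's code), here is the header filtering that the fix referenced above implies for any HTTP/1.1 intermediary: Upgrade, Connection and every header nominated in Connection are hop-by-hop, so they are not relayed as-is, and the h2c token is never forwarded, which keeps a client from negotiating cleartext HTTP/2 with the backend behind the proxy. The allow-list FORWARDABLE_UPGRADES and the sample request are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]
# Upgrade tokens this hypothetical proxy is willing to relay (an assumption made
# for the example). "h2c" is deliberately absent: relaying it lets a client turn
# the backend connection into cleartext HTTP/2 behind the proxy's back.
FORWARDABLE_UPGRADES = {"websocket"}

# Always hop-by-hop: an intermediary regenerates these for its own connection.
ALWAYS_HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "upgrade"}

def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into its non-empty tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]

def sanitize_for_backend(headers: List[Header]) -> List[Header]:
    """Return the headers an intermediary may forward to the backend.

    Every header named in Connection is hop-by-hop (RFC 7230, section 6.1), so
    HTTP2-Settings from an h2c attempt is dropped too; Connection and Upgrade are
    re-emitted only for tokens in FORWARDABLE_UPGRADES the client asked for.
    """
    merged: Dict[str, str] = {}
    for name, value in headers:  # repeated headers join into one comma-separated list
        key = name.lower()
        merged[key] = f"{merged[key]}, {value}" if key in merged else value

    connection_tokens = {t.lower() for t in _tokens(merged.get("connection", ""))}
    drop = ALWAYS_HOP_BY_HOP | connection_tokens
    forwarded = [(n, v) for n, v in headers if n.lower() not in drop]

    if "upgrade" in connection_tokens:
        allowed = [t for t in _tokens(merged.get("upgrade", ""))
                   if t.lower() in FORWARDABLE_UPGRADES]
        if allowed:  # an Upgrade that is empty after filtering is simply not sent
            forwarded.append(("Connection", "upgrade"))
            forwarded.append(("Upgrade", ", ".join(allowed)))
    return forwarded

# Constructed sample: a client asking to switch the cleartext connection to HTTP/2.
H2C_UPGRADE_REQUEST: List[Header] = [
    ("Host", "app.internal"),
    ("Connection", "Upgrade, HTTP2-Settings"),
    ("Upgrade", "h2c"),
    ("HTTP2-Settings", "CONSTRUCTED-SETTINGS-BLOB"),
    ("X-Forwarded-For", "198.51.100.7"),
]
```

Feeding a request with `Upgrade: h2c` through this filter leaves the backend seeing an ordinary HTTP/1.1 request, while a legitimate `Upgrade: websocket` is still relayed with its Connection header rebuilt.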
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org: bug#863; Package haproxy. (Mon, 28 Oct 2024 19:50:27 GMT)
Message #8 received at 863@bugs.devuan.org:
Control: tags -1 debian
On Mon, Oct 28, 2024 at 10:32:09AM +0000, gr0 bUst4 wrote:
> Package: haproxy
>
> Version: 2.6.12-1
> Suggest fixing this default forwarding.
Devuan uses Debian's haproxy packages directly without recompilation. So when
this is fixed in Debian it will be inherited by Devuan.
> If so, it's already backported for next stable releases:
> 3.0: cba44958ae
> 2.9: cf31943d74
haproxy | 2.9.11-1 | testing | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy | 2.9.11-1 | unstable | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy | 2.9.11-1 | unstable-debug | source
haproxy | 3.0.5-1 | experimental | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy | 3.0.5-1 | experimental-debug | source
Mark
Added tag(s) debian. Request was from Mark Hindley <mark@hindley.org.uk> to 863-submit@bugs.devuan.org. (Mon, 28 Oct 2024 19:50:28 GMT)