Devuan bug report logs - #863
haproxy forward upgrade and connection headers as default (h2c request smuggling)

Package: haproxy; Maintainer for haproxy is (unknown); Source for haproxy is src:haproxy.

Reported by: gr0 bUst4 <bUst4gr0@riseup.net>

Date: Mon, 28 Oct 2024 10:38:01 UTC

Severity: normal

Tags: debian



Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#863; Package haproxy. (Mon, 28 Oct 2024 10:38:01 GMT)


Acknowledgement sent to gr0 bUst4 <bUst4gr0@riseup.net>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org. (Mon, 28 Oct 2024 10:38:03 GMT)


Message #5 received at submit@bugs.devuan.org:

From: gr0 bUst4 <bUst4gr0@riseup.net>
To: submit@bugs.devuan.org
Subject: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Date: Mon, 28 Oct 2024 10:32:09 +0000
Package: haproxy

Version: 2.6.12-1

Suggest fixing this default forwarding.


-------- Forwarded Message --------
Subject: 	Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: 	Mon, 28 Oct 2024 07:08:40 +0100
From: 	Willy TARREAU <wtarreau@haproxy.com>
To: 	bUst4gr0@riseup.net



Hello,

Thanks for contacting us!

> I did a CVE request about HAProxy and the default forwarding of the
> Upgrade and Connection headers, which can lead to h2c request smuggling
> or WebSocket smuggling.
>
> The CVE request is just about h2c (over clear text); I didn't POC
> enough for the WebSocket smuggling.
>
> I'd appreciate talking about this with you.

I guess you're speaking about this commit:

7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")

If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74

If not, do not hesitate to share details about your concerns.

Thanks,
Willy
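The fix Willy points to, "do not forward h2c upgrade header token", amounts to stripping the h2c token from the hop-by-hop headers before a request is relayed to a backend, so that a client cannot negotiate a cleartext HTTP/2 upgrade that the proxy itself is not party to. The following is an added Python example, not HAProxy's code and not something from the bug report, that implements that sanitization both for a parsed header list and for a raw HTTP/1.1 request head. Its handling of the HTTP2-Settings header and its decision to drop an emptied Connection header are my own assumptions about what a safe forwarder should do; the thread only states that the h2c token must not be forwarded.

```python
"""Added example: strip the h2c upgrade token before forwarding a request.

A reverse proxy that relays Upgrade/Connection headers unchanged lets a client
ask the backend for an HTTP/2-over-cleartext upgrade that the proxy itself
does not understand, after which the bytes on that connection are opaque to
the proxy. The functions below remove the h2c token (and only that token), so
WebSocket and other upgrades keep working.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into trimmed, non-empty tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def sanitize_h2c_upgrade(headers: List[Header]) -> List[Header]:
    """Return a new header list with any h2c upgrade request removed.

    Rules (assumed here, not taken from the bug thread):
      * the 'h2c' token is removed, case-insensitively, from every Upgrade
        header; an Upgrade header left with no tokens is dropped;
      * if no Upgrade header survives, the 'upgrade' token is removed from
        Connection, and an emptied Connection header is dropped;
      * when an h2c token was removed, HTTP2-Settings (which exists only to
        carry the h2c upgrade) and its Connection token are dropped too.
    Everything else passes through unchanged, in the original order.
    """
    passed: List[Header] = []
    h2c_removed = False
    for name, value in headers:
        if name.lower() == "upgrade":
            tokens = _tokens(value)
            kept = [t for t in tokens if t.lower() != "h2c"]
            if len(kept) != len(tokens):
                h2c_removed = True
            if kept:
                passed.append((name, ", ".join(kept)))
            continue
        passed.append((name, value))

    if not h2c_removed:
        return passed  # nothing h2c-related: leave Connection/HTTP2-Settings alone

    upgrade_remains = any(n.lower() == "upgrade" for n, _ in passed)
    result: List[Header] = []
    for name, value in passed:
        lname = name.lower()
        if lname == "http2-settings":
            continue
        if lname == "connection":
            kept = []
            for t in _tokens(value):
                tl = t.lower()
                if tl == "http2-settings":
                    continue
                if tl == "upgrade" and not upgrade_remains:
                    continue
                kept.append(t)
            if kept:
                result.append((name, ", ".join(kept)))
            continue
        result.append((name, value))
    return result


def sanitize_request_head(raw: bytes) -> bytes:
    """Apply sanitize_h2c_upgrade to a raw HTTP/1.1 request head.

    Minimal parser: request line, then 'Name: value' lines, CRLF separated,
    no obs-fold support. Anything after the blank line is passed through.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: List[Header] = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    cleaned = sanitize_h2c_upgrade(headers)
    out = [request_line] + [f"{n}: {v}" for n, v in cleaned]
    return "\r\n".join(out).encode("iso-8859-1") + sep + rest


# Constructed sample: an h2c upgrade attempt as a client would send it.
SAMPLE_H2C_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # Prints the request with the h2c upgrade negotiation removed.
    print(sanitize_request_head(SAMPLE_H2C_REQUEST).decode())
```

Running the module prints the sample request reduced to its request line and Host header; a WebSocket upgrade run through the same function comes out untouched, which is the property a fix of this kind has to preserve.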

Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#863; Package haproxy. (Mon, 28 Oct 2024 19:50:27 GMT)


Message #8 received at 863@bugs.devuan.org:

From: Mark Hindley <mark@hindley.org.uk>
To: gr0 bUst4 <bUst4gr0@riseup.net>, 863@bugs.devuan.org
Subject: Re: [devuan-dev] bug#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Date: Mon, 28 Oct 2024 19:27:55 +0000
Control: tags -1 debian

On Mon, Oct 28, 2024 at 10:32:09AM +0000, gr0 bUst4 wrote:
> Package: haproxy
>
> Version: 2.6.12-1
>
> suggest to fix this default forwarding

Devuan uses Debian's haproxy packages directly without recompilation. So when
this is fixed in Debian it will be inherited by Devuan.

>    If so, it's already backported for next stable releases:
>    3.0: cba44958ae
>    2.9: cf31943d74

haproxy    | 2.9.11-1                | testing                  | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 2.9.11-1                | unstable                 | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 2.9.11-1                | unstable-debug           | source
haproxy    | 3.0.5-1                 | experimental             | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 3.0.5-1                 | experimental-debug       | source

Mark

Added tag(s) debian. Request was from Mark Hindley <mark@hindley.org.uk> to 863-submit@bugs.devuan.org. (Mon, 28 Oct 2024 19:50:28 GMT)




Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sat Nov 23 02:20:46 2024;