Devuan bug report logs - #863
haproxy forward upgrade and connection headers as default (h2c request smuggling)

Package: haproxy; Maintainer for haproxy is (unknown); Source for haproxy is src:haproxy.

Reported by: gr0 bUst4 <bUst4gr0@riseup.net>

Date: Mon, 28 Oct 2024 10:38:01 UTC

Severity: normal

Tags: debian


Message #10 received at 863@bugs.devuan.org:

Date: Mon, 28 Oct 2024 19:27:55 +0000
From: Mark Hindley <mark@hindley.org.uk>
To: gr0 bUst4 <bUst4gr0@riseup.net>, 863@bugs.devuan.org
Subject: Re: [devuan-dev] bug#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Control: tags -1 debian

On Mon, Oct 28, 2024 at 10:32:09AM +0000, gr0 bUst4 wrote:
>    Package: haproxy
> 
>    Version: 2.6.12-1
> suggest to fix this default forwarding

Devuan uses Debian's haproxy packages directly without recompilation. So when
this is fixed in Debian it will be inherited by Devuan.

>    If so, it's already backported for next stable releases:
>    3.0: cba44958ae
>    2.9: cf31943d74

haproxy    | 2.9.11-1                | testing                  | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 2.9.11-1                | unstable                 | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 2.9.11-1                | unstable-debug           | source
haproxy    | 3.0.5-1                 | experimental             | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 3.0.5-1                 | experimental-debug       | source

Mark


Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sat Nov 23 05:46:14 2024;