Devuan bug report logs - #863
haproxy forward upgrade and connection headers as default (h2c request smuggling)


Package: haproxy; Maintainer for haproxy is (unknown); Source for haproxy is src:haproxy.

Reported by: gr0 bUst4 <bUst4gr0@riseup.net>

Date: Mon, 28 Oct 2024 10:38:01 UTC

Severity: normal

Tags: debian

Fixed in version 3.0.9-1

Done: Mark Hindley <mark@hindley.org.uk>

Full log



MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Mark Hindley <mark@hindley.org.uk>
Subject: bug#863: marked as done (haproxy forward upgrade and connection
 headers as default (h2c request smuggling))
Message-ID: <handler.863.D863.176018130728133.ackdone@bugs.devuan.org>
References: <aOo8IY1m3CUoeSaN@hindley.org.uk>
 <33a6301a-2146-4b07-921e-724a2432c796@riseup.net>
X-Devuan-PR-Message: closed 863
X-Devuan-PR-Package: haproxy
X-Devuan-PR-Keywords: debian
Reply-To: 863@bugs.devuan.org
Date: Sat, 11 Oct 2025 11:16:01 +0000
Content-Type: multipart/mixed; boundary="----------=_1760181361-28163-0"
[Message part 1 (text/plain, inline)]
Your message dated Sat, 11 Oct 2025 12:14:41 +0100
with message-id <aOo8IY1m3CUoeSaN@hindley.org.uk>
and subject line Upstream fix now in Debian
has caused the Devuan bug report #863,
regarding haproxy forward upgrade and connection headers as default (h2c request smuggling)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.devuan.org
immediately.)


-- 
863: https://bugs.devuan.org/cgi/bugreport.cgi?bug=863
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: gr0 bUst4 <bUst4gr0@riseup.net>
To: submit@bugs.devuan.org
Subject: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Date: Mon, 28 Oct 2024 10:32:09 +0000
[Message part 3 (text/plain, inline)]
Package: haproxy

Version: 2.6.12-1

Suggest fixing this default forwarding.


-------- Forwarded Message --------
Subject: 	Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: 	Mon, 28 Oct 2024 07:08:40 +0100
From: 	Willy TARREAU <wtarreau@haproxy.com>
To: 	bUst4gr0@riseup.net



Hello,

Thanks for contacting us!

> I did a CVE request about HAProxy and the default forwarding of the
> Upgrade and Connection headers, which can lead to an h2c request smuggling or a
> WebSocket smuggling.
>
> The CVE request is just about h2c (over clear text); I didn't PoC
> enough for the WebSocket smuggling.
>
> I'd appreciate talking about this with you.

I guess you're speaking about this commit:

7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")

If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74

If not, do not hesitate to share details about your concerns.

Thanks,
Willy
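The thread names the upstream fix only by its commit title ("do not forward h2c upgrade header token"). The following is an added illustration of that proxy-side behaviour in Python; it is not HAProxy's code and not part of the bug report. It models an intermediary that strips the `h2c` token from the `Upgrade` header before forwarding, so the client-side HTTP/1.1 connection cannot be turned into a cleartext HTTP/2 tunnel that the proxy no longer inspects, while other upgrades such as `websocket` pass through untouched. The sample request, the `backend.internal` host and the `HTTP2-Settings` value are constructed for the example, and dropping `HTTP2-Settings` alongside the token is this example's own choice, not something the thread describes.

```python
"""Hop-by-hop Upgrade header sanitizer (added example, not HAProxy code).

Models the behaviour of the upstream fix referenced in the thread: an
intermediary that never forwards the "h2c" Upgrade token to the backend.
"""


def _split_tokens(value: str) -> list[str]:
    """Split a comma-separated header value into stripped tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def sanitize_upgrade_headers(headers, blocked=("h2c",)):
    """Return a new (name, value) list with blocked Upgrade tokens removed.

    Names are compared case-insensitively and header order is preserved.
      * blocked tokens are removed from Upgrade (multiple Upgrade headers are merged);
      * if no Upgrade token survives, the header is dropped and the "upgrade"
        token is removed from Connection, so the backend sees no dangling upgrade;
      * if "h2c" was removed, HTTP2-Settings (only meaningful for an h2c upgrade)
        and its Connection token are dropped as well (this example's addition).
    """
    blocked = {b.lower() for b in blocked}
    kept: list[str] = []          # Upgrade tokens allowed through
    removed: set[str] = set()     # lowercase tokens that were stripped
    had_upgrade = False
    staged = []                   # first pass: Upgrade replaced by a (name, None) marker
    for name, value in headers:
        if name.lower() == "upgrade":
            had_upgrade = True
            for tok in _split_tokens(value):
                if tok.lower() in blocked:
                    removed.add(tok.lower())
                else:
                    kept.append(tok)
            staged.append(("Upgrade", None))
            continue
        staged.append((name, value))

    conn_drop: set[str] = set()   # Connection tokens that no longer refer to anything
    if had_upgrade and not kept:
        conn_drop.add("upgrade")
    if "h2c" in removed:
        conn_drop.add("http2-settings")

    out = []
    emitted_upgrade = False
    for name, value in staged:
        lname = name.lower()
        if value is None:                        # Upgrade marker
            if kept and not emitted_upgrade:
                out.append(("Upgrade", ", ".join(kept)))
                emitted_upgrade = True
            continue
        if lname == "http2-settings" and "h2c" in removed:
            continue
        if lname == "connection" and conn_drop:
            toks = [t for t in _split_tokens(value) if t.lower() not in conn_drop]
            if not toks:
                continue
            value = ", ".join(toks)
        out.append((name, value))
    return out


def parse_head(raw: bytes):
    """Parse a request head into (request_line, [(name, value), ...]).

    Deliberately minimal (no obs-fold, no validation); enough for the sample below.
    """
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def forward_head(raw: bytes) -> bytes:
    """Sanitize a raw request head the way the proxy would before forwarding it."""
    request_line, headers = parse_head(raw)
    clean = sanitize_upgrade_headers(headers)
    lines = [request_line] + [f"{n}: {v}" for n, v in clean]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample: a client asking for a cleartext HTTP/2 upgrade through the proxy.
SAMPLE_H2C = (
    b"GET /api HTTP/1.1\r\n"
    b"Host: backend.internal\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(forward_head(SAMPLE_H2C).decode("iso-8859-1"))
```

After sanitizing, the sample request reaches the backend as a plain `GET /api HTTP/1.1` with only the `Host` header, so the backend has nothing to upgrade. For HAProxy builds without the backported fix, the same effect can be approximated in configuration with a rule such as `http-request del-header Upgrade if { req.hdr(Upgrade) -i h2c }` (a suggestion of this example, not from the thread; verify it against the documentation of the version in use).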
[Message part 5 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: 863-done@bugs.devuan.org
Subject: Upstream fix now in Debian
Date: Sat, 11 Oct 2025 12:14:41 +0100
Version: 3.0.9-1

Closing.

Mark



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Oct 20 17:34:10 2025;