Devuan bug report logs - #863
haproxy forward upgrade and connection headers as default (h2c request smuggling)


Package: haproxy; Maintainer for haproxy is (unknown); Source for haproxy is src:haproxy.

Reported by: gr0 bUst4 <bUst4gr0@riseup.net>

Date: Mon, 28 Oct 2024 10:38:01 UTC

Severity: normal

Tags: debian

Fixed in version 3.0.9-1

Done: Mark Hindley <mark@hindley.org.uk>

Full log



MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: gr0 bUst4 <bUst4gr0@riseup.net>
Subject: bug#863 closed by Mark Hindley <mark@hindley.org.uk> (Upstream
 fix now in Debian)
Message-ID: <handler.863.D863.176018130728133.notifdone@bugs.devuan.org>
References: <aOo8IY1m3CUoeSaN@hindley.org.uk>
 <33a6301a-2146-4b07-921e-724a2432c796@riseup.net>
X-Devuan-PR-Message: they-closed 863
X-Devuan-PR-Package: haproxy
X-Devuan-PR-Keywords: debian
Reply-To: 863@bugs.devuan.org
Date: Sat, 11 Oct 2025 11:16:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1760181362-28163-1"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your bug report
which was filed against the haproxy package:

#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)

It has been closed by Mark Hindley <mark@hindley.org.uk>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
863: https://bugs.devuan.org/cgi/bugreport.cgi?bug=863
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: 863-done@bugs.devuan.org
Subject: Upstream fix now in Debian
Date: Sat, 11 Oct 2025 12:14:41 +0100
Version: 3.0.9-1

Closing.

Mark
[Message part 3 (message/rfc822, inline)]
From: gr0 bUst4 <bUst4gr0@riseup.net>
To: submit@bugs.devuan.org
Subject: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Date: Mon, 28 Oct 2024 10:32:09 +0000
[Message part 4 (text/plain, inline)]
Package: haproxy

Version: 2.6.12-1

Suggest fixing this default forwarding.


-------- Forwarded Message --------
Subject: 	Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: 	Mon, 28 Oct 2024 07:08:40 +0100
From: 	Willy TARREAU <wtarreau@haproxy.com>
To: 	bUst4gr0@riseup.net



Hello,

Thanks for contacting us!

> I did a CVE request about HAProxy and the default forwarding of the
> Upgrade and Connection headers, which can lead to an h2c request
> smuggling or a WebSocket smuggling.
>
> The CVE request is just about h2c (over clear text); I didn't POC
> enough for the WebSocket smuggling.
>
> I'd appreciate talking about this with you.

I guess you're speaking about this commit:

7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")

If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74

If not, do not hesitate to share details about your concerns.

Thanks,
Willy
[Message part 5 (text/html, inline)]
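The fix Willy points to, "do not forward h2c upgrade header token", is the mitigation a proxy needs here: if an `Upgrade: h2c` request is relayed unchanged to an HTTP/1.1 backend that honours it, the backend switches to cleartext HTTP/2 and the proxy is left relaying a byte stream it no longer parses. The following is an added example, not HAProxy code or anything from the bug thread; it shows, in Python, what a forwarding hop should do to the request headers before passing them on: drop the `h2c` token from `Upgrade`, and when nothing is left to upgrade, also drop the `upgrade` token from `Connection`. Removing the `HTTP2-Settings` header as well is an assumption beyond the commit (that header only carries h2c upgrade parameters). The function name, the helper names and the sample request are all constructed for this example.

```python
"""Strip the h2c upgrade token from request headers before forwarding.

Added example (not HAProxy code): models the header handling a proxy needs
so that an HTTP/1.1 backend is never offered a cleartext HTTP/2 upgrade
the proxy itself does not speak.
"""
from typing import Dict, List, Optional, Tuple

H2C_TOKEN = "h2c"  # the Upgrade token the upstream commit stops forwarding


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into its non-empty tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def _find(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the key under which `name` is stored, matched case-insensitively."""
    return next((k for k in headers if k.lower() == name.lower()), None)


def sanitize_upgrade(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers safe to forward, list of Upgrade tokens removed).

    Only the h2c token is removed; other upgrades (e.g. websocket) are kept,
    since the proxy may legitimately support them.
    """
    out = dict(headers)
    removed: List[str] = []

    up_key = _find(out, "upgrade")
    if up_key is None:
        return out, removed  # nothing to upgrade, nothing to strip

    kept: List[str] = []
    for tok in _tokens(out[up_key]):
        (removed if tok.lower() == H2C_TOKEN else kept).append(tok)
    if not removed:
        return out, removed  # no h2c token present, forward as-is

    if kept:
        out[up_key] = ", ".join(kept)
    else:
        del out[up_key]  # Upgrade would be empty: drop the header entirely

    # Keep the Connection header consistent with what remains: the "upgrade"
    # token only makes sense while an Upgrade header is still present, and
    # "http2-settings" names a header we drop below (assumption beyond the
    # commit: HTTP2-Settings exists solely to carry h2c upgrade parameters).
    conn_key = _find(out, "connection")
    if conn_key is not None:
        drop_tokens = {"http2-settings"} | ({"upgrade"} if not kept else set())
        conn = [t for t in _tokens(out[conn_key]) if t.lower() not in drop_tokens]
        if conn:
            out[conn_key] = ", ".join(conn)
        else:
            del out[conn_key]

    hs_key = _find(out, "http2-settings")
    if hs_key is not None:
        del out[hs_key]

    return out, removed


if __name__ == "__main__":
    # Constructed sample request: a cleartext HTTP/2 upgrade attempt.
    sample = {
        "Host": "backend.example.test",
        "Upgrade": "h2c",
        "Connection": "Upgrade, HTTP2-Settings",
        "HTTP2-Settings": "AAMAAABkAAQAAP__",  # constructed, not a real session value
    }
    forwarded, dropped = sanitize_upgrade(sample)
    print("forwarding:", forwarded)   # only Host survives
    print("removed tokens:", dropped)  # ['h2c']
```

A WebSocket upgrade (`Upgrade: websocket`) passes through this function untouched, and a mixed `Upgrade: h2c, websocket` keeps only `websocket`, which is the behaviour a proxy wants: refuse the one protocol switch it cannot follow, not all of them.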



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Oct 20 17:34:09 2025;