18.03/haproxy 1.8.9 #41465
Merged
18.03/haproxy 1.8.9 #41465
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@GrahamcOfBorg build haproxy |
|
Success on x86_64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Failure on x86_64-darwin (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Failure on x86_64-darwin (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
@GrahamcOfBorg build haproxy |
|
Success on x86_64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Failure on x86_64-darwin (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Failure on x86_64-darwin (full log) Attempted: haproxy Partial log (click to expand)
|
This fixes CVE-2018-10184 a potential remote denial of service in the http/2 module. The version bump also includes various other changes that are described in the changelog [1]: 2018/05/18 : 1.8.9 - BUG/MINOR: pattern: Add a missing HA_SPIN_INIT() in pat_ref_newid() - BUG/MAJOR: channel: Fix crash when trying to read from a closed socket - BUG/MINOR: log: t_idle (%Ti) is not set for some requests - BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits - MINOR: h2: detect presence of CONNECT and/or content-length - BUG/MEDIUM: h2: implement missing support for chunked encoded uploads - BUG/MINOR: lua/threads: Make lua's tasks sticky to the current thread - BUG/MINOR: config: disable http-reuse on TCP proxies - BUG/MINOR: checks: Fix check->health computation for flapping servers - BUG/MEDIUM: threads: Fix the sync point for more than 32 threads - BUG/MINOR: lua: Put tasks to sleep when waiting for data - DOC/MINOR: clean up LUA documentation re: servers & array/table. - BUG/MINOR: map: correctly track reference to the last ref_elt being dumped - BUG/MEDIUM: task: Don't free a task that is about to be run. - BUG/MINOR: lua: schedule socket task upon lua connect() - BUG/MINOR: lua: ensure large proxy IDs can be represented - BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR - BUG/MEDIUM: pollers: Use a global list for fd shared between threads. - BUG/MEDIUM: ssl: properly protect SSL cert generation - BUG/MINOR: spoe: Mistake in error message about SPOE configuration 2018/04/19 : 1.8.8 - BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes - BUG/MEDIUM: connection: Make sure we have a mux before calling detach(). - BUG/MINOR: http: Return an error in proxy mode when url2sa fails - BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors. - BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE - MINOR: cli: Ensure the CLI always outputs an error when it should - DOC: lua: update the links to the config and Lua API - BUG/CRITICAL: h2: fix incorrect frame length check 2018/04/07 : 1.8.7 - BUG/MAJOR: cache: always initialize newly created objects - MINOR: servers: Support alphanumeric characters for the server templates names 2018/04/05 : 1.8.6 - BUG/MINOR: lua: the function returns anything - BUG/MINOR: lua funtion hlua_socket_settimeout don't check negative values - BUILD/MINOR: fix build when USE_THREAD is not defined - MINOR: cli/threads: make "show fd" report thread_sync_io_handler instead of "unknown" - MINOR: cli: make "show fd" report the mux and mux_ctx pointers when available - BUILD/MINOR: cli: fix a build warning introduced by last commit - BUG/MINOR: hpack: fix harmless use of uninitialized value in hpack_dht_insert - CLEANUP: h2: rename misleading h2c_stream_close() to h2s_close() - MINOR: h2: provide and use h2s_detach() and h2s_free() - BUG/MAJOR: h2: remove orphaned streams from the send list before closing - MINOR: h2: always call h2s_detach() in h2_detach() - MINOR: h2: fuse h2s_detach() and h2s_free() into h2s_destroy() - BUG/MEDIUM: h2/threads: never release the task outside of the task handler - BUG/MEDIUM: h2: don't consider pending data on detach if connection is in error - BUILD/MINOR: threads: always export thread_sync_io_handler() - BUG/MEDIUM: h2: always add a stream to the send or fctl list when blocked - BUG/MINOR: checks: check the conn_stream's readiness and not the connection - BUG/MINOR: email-alert: Set the mailer port during alert initialization - BUG/MINOR: cache: fix "show cache" output - BUG/MINOR: fd: Don't clear the update_mask in fd_insert. - BUG/MAJOR: cache: fix random crashes caused by incorrect delete() on non-first blocks - BUG/MINOR: spoe: Initialize variables used during conf parsing before any check - BUG/MINOR: spoe: Don't release the context buffer in .check_timeouts callbaclk 2018/03/23 : 1.8.5 - BUG/MINOR: threads: fix missing thread lock labels for 1.8 - BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable. - BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL - BUG/MINOR: init: Add missing brackets in the code parsing -sf/-st - BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe - BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier as possible - BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. - DOC: lua: new prototype for function "register_action()" - DOC: cfgparse: Warn on option (tcp|http)log in backend - BUG/MINOR: debug/pools: properly handle out-of-memory when building with DEBUG_UAF - MINOR: debug/pools: make DEBUG_UAF also detect underflows - BUG/MINOR: h2: Set the target of dbuf_wait to h2c - MINOR: stats: display the number of threads in the statistics. - BUG/MEDIUM: h2: always consume any trailing data after end of output buffers - BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk - BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk - Revert "BUG/MINOR: send-proxy-v2: string size must include ('\0')" - MINOR: systemd: Add section for SystemD sandboxing to unit file - MINOR: systemd: Add SystemD's Protect*= options to the unit file - MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file - MINOR/BUILD: fix Lua build on Mac OS X - BUILD/MINOR: fix Lua build on Mac OS X (again) - BUG/MINOR: session: Fix tcp-request session failure if handshake. - CLEANUP: .gitignore: Ignore binaries from the contrib directory - BUG/MINOR: unix: Don't mess up when removing the socket from the xfer_sock_list. - BUG/MEDIUM: h2: also arm the h2 timeout when sending - BUG/MINOR: cli: Fix a crash when passing a negative or too large value to "show fd" - CLEANUP: ssl: Remove a duplicated #include - CLEANUP: cli: Remove a leftover debug message - BUG/MINOR: cli: Fix a typo in the 'set rate-limit' usage - BUG/MEDIUM: fix a 100% cpu usage with cpu-map and nbthread/nbproc - BUG/MINOR: force-persist and ignore-persist only apply to backends - BUG/MEDIUM: spoe: Remove idle applets from idle list when HAProxy is stopping - BUG/MEDIUM: threads/unix: Fix a deadlock when a listener is temporarily disabled - BUG/MAJOR: threads/queue: Fix thread-safety issues on the queues management - BUG/MINOR: dns: don't downgrade DNS accepted payload size automatically - BUG/MINOR: seemless reload: Fix crash when an interface is specified. - BUG/MINOR: cli: Fix a crash when sending a command with too many arguments - BUILD: ssl: Fix build with OpenSSL without NPN capability - BUG/MINOR: spoa-example: unexpected behavior for more than 127 args - BUG/MINOR: lua: return bad error messages - BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers - BUG/MINOR: tcp-check: use the server's service port as a fallback - BUG/MEDIUM: threads/queue: wake up other threads upon dequeue - MINOR: log: stop emitting alerts when it's not possible to write on the socket - BUILD/BUG: enable -fno-strict-overflow by default - DOC: log: more than 2 log servers are allowed - DOC: don't suggest using http-server-close - BUG/MEDIUM: h2: properly account for DATA padding in flow control - BUG/MINOR: h2: ensure we can never send an RST_STREAM in response to an RST_STREAM - BUG/MINOR: listener: Don't decrease actconn twice when a new session is rejected [1] https://www.haproxy.org/download/1.8/src/CHANGELOG (cherry picked from commit 6d03390)
(cherry picked from commit ea8b37c)
(cherry picked from commit e179003)
(cherry picked from commit 4c9c4c0)
andir
force-pushed
the
18.03/haproxy-1.8.9
branch
from
dfaf00a
to
ba7f78c
Compare
|
@GrahamcOfBorg build haproxy |
|
Success on x86_64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on x86_64-darwin (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: tests.haproxy Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: haproxy Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: tests.haproxy Partial log (click to expand)
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
This fixes CVE-2018-10184 a potential remote denial of service in the
http/2 module and CVE-2018-11469. The version bump also includes various other changes that
are described in the changelog [1]:
[1] haproxy.org/download/1.8/src/CHANGELOG
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)