Created attachment 212980
patch for all supported haproxy versions
The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.
https://www.mail-archive.com/haproxy@formilux.org/msg36877.html
The attached patch is for all supported haproxy-versions
net/haproxy was already updated. Others on the way.
A commit references this bug:
Author: demon
Date: Thu Apr 2 14:09:02 UTC 2020
New revision: 530373
URL: https://svnweb.freebsd.org/changeset/ports/530373
Log:
  Update to version 2.1.4.
  PR: 245282
Changes:
  head/net/haproxy21/Makefile
  head/net/haproxy21/distinfo
(In reply to Dmitry Sivachenko from comment #1) sorry, missed that
A commit references this bug:
Author: demon
Date: Thu Apr 2 14:10:06 UTC 2020
New revision: 530374
URL: https://svnweb.freebsd.org/changeset/ports/530374
Log:
  Update to version 1.8.25.
  PR: 245282
Changes:
  head/net/haproxy18/Makefile
  head/net/haproxy18/distinfo
A commit references this bug:
Author: demon
Date: Thu Apr 2 14:11:07 UTC 2020
New revision: 530375
URL: https://svnweb.freebsd.org/changeset/ports/530375
Log:
  Update to version 1.9.15.
  PR: 245282
Changes:
  head/net/haproxy19/Makefile
  head/net/haproxy19/distinfo
All these commits should have been marked with the Security: tag. Also, we should add a vuln.xml entry. Will you take care of that? Otherwise I'd be happy to add one. Thanks.
Forgot, sorry. Please feel free to add. Thanks!
A commit references this bug:
Author: flo
Date: Thu Apr 2 18:12:58 UTC 2020
New revision: 530396
URL: https://svnweb.freebsd.org/changeset/ports/530396
Log:
  Add an entry for the HAproxy vulnerability announced today. The ports have already been fixed.
  PR: 245282
  Discussed with: demon
Changes:
  head/security/vuxml/vuln.xml
Hi, these fixes still don't seem to be in the 2020Q2 ports-branch. I assume this is an oversight?
Merged to 2020Q2, sorry for the delay.