Bug 245282

Summary:

net/haproxy: Security Update (all supported Versions) CVE-2020-11100

Product:

Ports & Packages

Reporter:

Pascal Christen <pascal.christen>

Component:

Individual Port(s)

Assignee:

Dmitry Sivachenko <demon>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

flo, rainer

Priority:

---

Keywords:

security

Version:

Latest

Flags:

bugzilla: maintainer-feedback? (demon)

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
patch for all supported haproxy versions	none

Description Pascal Christen 2020-04-02 13:58:26 UTC

Created attachment 212980 [details]
patch for all supported haproxy versions

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

https://www.mail-archive.com/haproxy@formilux.org/msg36877.html

The attached patch is for all supported haproxy-versions

Comment 1 Dmitry Sivachenko freebsd_committer

2020-04-02 14:07:20 UTC

net/haproxy was already updated.
Others on the way.

Comment 2 commit-hook freebsd_committer

2020-04-02 14:09:22 UTC

A commit references this bug:

Author: demon
Date: Thu Apr  2 14:09:02 UTC 2020
New revision: 530373
URL: https://svnweb.freebsd.org/changeset/ports/530373

Log:
  Update to version 2.1.4.

  PR:		245282

Changes:
  head/net/haproxy21/Makefile
  head/net/haproxy21/distinfo

Comment 3 Pascal Christen 2020-04-02 14:12:01 UTC

(In reply to Dmitry Sivachenko from comment #1)

sorry, missed that

Comment 4 commit-hook freebsd_committer

2020-04-02 14:18:24 UTC

A commit references this bug:

Author: demon
Date: Thu Apr  2 14:10:06 UTC 2020
New revision: 530374
URL: https://svnweb.freebsd.org/changeset/ports/530374

Log:
  Update to version 1.8.25.

  PR:		245282

Changes:
  head/net/haproxy18/Makefile
  head/net/haproxy18/distinfo

Comment 5 commit-hook freebsd_committer

2020-04-02 14:32:25 UTC

A commit references this bug:

Author: demon
Date: Thu Apr  2 14:11:07 UTC 2020
New revision: 530375
URL: https://svnweb.freebsd.org/changeset/ports/530375

Log:
  Update to version 1.9.15.

  PR:		245282

Changes:
  head/net/haproxy19/Makefile
  head/net/haproxy19/distinfo

Comment 6 Florian Smeets freebsd_committer

2020-04-02 17:25:13 UTC

All these commits should have been marked with the Security: tag. Also, we should add a vuln.xml entry. Will you take care of that? Otherwise I'd be happy to add one. Thanks.

Comment 7 Dmitry Sivachenko freebsd_committer

2020-04-02 17:38:02 UTC

Forgot, sorry. Please feel free to add.  Thanks!

Comment 8 commit-hook freebsd_committer

2020-04-02 18:14:48 UTC

A commit references this bug:

Author: flo
Date: Thu Apr  2 18:12:58 UTC 2020
New revision: 530396
URL: https://svnweb.freebsd.org/changeset/ports/530396

Log:
  Add an entry for the HAproxy vulnerability announced today. The ports have
  already been fixed.

  PR:		245282
  Discussed with:	demon

Changes:
  head/security/vuxml/vuln.xml

Comment 9 rainer 2020-04-28 00:08:41 UTC

Hi,

these fixes still don't seem to be in the 2020Q2 ports-branch.

I assume this is an oversight?

Comment 10 Dmitry Sivachenko freebsd_committer

2020-05-02 08:15:57 UTC

Merged to 2020Q2, sorry for the delay.