Bug 245282 - net/haproxy: Security Update (all supported Versions) CVE-2020-11100
Summary: net/haproxy: Security Update (all supported Versions) CVE-2020-11100
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Dmitry Sivachenko
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-04-02 13:58 UTC by Pascal Christen
Modified: 2020-05-02 08:15 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (demon)


Attachments
patch for all supported haproxy versions (2.51 KB, patch)
2020-04-02 13:58 UTC, Pascal Christen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Pascal Christen 2020-04-02 13:58:26 UTC
Created attachment 212980 [details]
patch for all supported haproxy versions

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

https://www.mail-archive.com/haproxy@formilux.org/msg36877.html

The attached patch is for all supported haproxy-versions
Comment 1 Dmitry Sivachenko freebsd_committer 2020-04-02 14:07:20 UTC
net/haproxy was already updated.
Others on the way.
Comment 2 commit-hook freebsd_committer 2020-04-02 14:09:22 UTC
A commit references this bug:

Author: demon
Date: Thu Apr  2 14:09:02 UTC 2020
New revision: 530373
URL: https://svnweb.freebsd.org/changeset/ports/530373

Log:
  Update to version 2.1.4.

  PR:		245282

Changes:
  head/net/haproxy21/Makefile
  head/net/haproxy21/distinfo
Comment 3 Pascal Christen 2020-04-02 14:12:01 UTC
(In reply to Dmitry Sivachenko from comment #1)

sorry, missed that
Comment 4 commit-hook freebsd_committer 2020-04-02 14:18:24 UTC
A commit references this bug:

Author: demon
Date: Thu Apr  2 14:10:06 UTC 2020
New revision: 530374
URL: https://svnweb.freebsd.org/changeset/ports/530374

Log:
  Update to version 1.8.25.

  PR:		245282

Changes:
  head/net/haproxy18/Makefile
  head/net/haproxy18/distinfo
Comment 5 commit-hook freebsd_committer 2020-04-02 14:32:25 UTC
A commit references this bug:

Author: demon
Date: Thu Apr  2 14:11:07 UTC 2020
New revision: 530375
URL: https://svnweb.freebsd.org/changeset/ports/530375

Log:
  Update to version 1.9.15.

  PR:		245282

Changes:
  head/net/haproxy19/Makefile
  head/net/haproxy19/distinfo
Comment 6 Florian Smeets freebsd_committer 2020-04-02 17:25:13 UTC
All these commits should have been marked with the Security: tag. Also, we should add a vuln.xml entry. Will you take care of that? Otherwise I'd be happy to add one. Thanks.
Comment 7 Dmitry Sivachenko freebsd_committer 2020-04-02 17:38:02 UTC
Forgot, sorry. Please feel free to add.  Thanks!
Comment 8 commit-hook freebsd_committer 2020-04-02 18:14:48 UTC
A commit references this bug:

Author: flo
Date: Thu Apr  2 18:12:58 UTC 2020
New revision: 530396
URL: https://svnweb.freebsd.org/changeset/ports/530396

Log:
  Add an entry for the HAproxy vulnerability announced today. The ports have
  already been fixed.

  PR:		245282
  Discussed with:	demon

Changes:
  head/security/vuxml/vuln.xml
Comment 9 rainer 2020-04-28 00:08:41 UTC
Hi,

these fixes still don't seem to be in the 2020Q2 ports-branch.

I assume this is an oversight?
Comment 10 Dmitry Sivachenko freebsd_committer 2020-05-02 08:15:57 UTC
Merged to 2020Q2, sorry for the delay.