
Bug#949826: buster-pu: package haproxy/1.8.19-1



Hi,

On Sun, Jan 26, 2020 at 01:00:31PM +0100, Vincent Bernat wrote:
>  ❦ 26 January 2020 05:50 +01, Moritz Mühlenhoff <jmm@inutil.org>:
> 
> >> The logrotate configuration file for HAProxy doesn't signal rsyslog
> >> correctly. Therefore, logs are not really rotated and on a moderately
> >> busy site, this can fill up a log partition. When running with
> >> systemd, rsyslog doesn't write a PID file and therefore, the SysV
> >> init script invoked to rotate logs does not work. Instead, the rsyslog
> >> package provides a helper for this purpose.
> >> 
> >> The change has been applied to 2.0.12-1 currently in unstable and
> >> testing. I would like to push it for the next point release next week.
> >
> > If we're doing a Buster update anyway, could we also piggyback the fix
> > for https://nathandavison.com/blog/haproxy-http-request-smuggling (CVE-2019-18277),
> > https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
> > ?
> 
> Ack! I have pulled the patch from the 1.8 branch. Here is the updated
> debdiff. It compiles and simple tests pass too. I'll be checking with
> upstream if they have an opinion around this.
> 

> diff --git a/debian/changelog b/debian/changelog
> index 978702081baa..7139318a49cf 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +haproxy (1.8.19-1+deb10u1) buster; urgency=medium
> +
> +  * d/logrotate.conf: use rsyslog helper instead of SysV init script.
> +    Closes: #946973.
> +  * d/patches: reject messages where "chunked" is missing from
> +    transfer-encoding. CVE-2019-18277.
> +
> + -- Vincent Bernat <bernat@debian.org>  Sun, 26 Jan 2020 12:54:30 +0100
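Review bot: the version in the new stanza, 1.8.19-1+deb10u1, is the one the reply below identifies as already released through DSA 4577-1, so this changelog entry collides with an existing upload; rebase it on top of the released 1.8.19-1+deb10u1 stanza under the next deb10u revision, keeping the DSA's own entry beneath it. Note also that the hunk header announces nine added lines (`@@ -1,3 +1,12 @@`) while only eight are quoted here, so the quoted hunk is missing its final blank line and the three trailing context lines.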

This needs to be rebased to the 1.8.19-1+deb10u1 which was released as
DSA 4577-1 AFAICT.

Regards,
Salvatore
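
The postrotate change described in the quoted bug report, as an added example that is not the haproxy package's own d/logrotate.conf or part of the debdiff above. It assumes the helper shipped by Debian's rsyslog package lives at /usr/lib/rsyslog/rsyslog-rotate (that path is not named on this page), and contrasts the old postrotate command, which depends on the init script finding a PID file rsyslog does not write under systemd, with the helper-based one:

```shell
#!/bin/sh
# Added example, not the haproxy package's d/logrotate.conf. Under systemd,
# rsyslog writes no PID file, so "invoke-rc.d rsyslog rotate" cannot find the
# daemon and the renamed /var/log/haproxy.log is never reopened: logrotate
# renames the file, rsyslog keeps writing to the old inode, and the partition
# fills up. The helper below needs no PID file and works under both init
# systems. Its path is assumed from Debian's rsyslog package.
RSYSLOG_HELPER=/usr/lib/rsyslog/rsyslog-rotate

# Before the fix: relies on the init script's PID-file lookup.
OLD_POSTROTATE='invoke-rc.d rsyslog rotate'

# reopen_cmd <helper-path> <init-system: systemd|sysvinit>
# Prints the command a postrotate script should run so that rsyslog reopens
# its output file after rotation.
reopen_cmd() {
    helper=$1
    init=$2
    if [ -x "$helper" ]; then
        # Preferred: the packaged helper picks the right mechanism itself.
        echo "$helper"
    elif [ "$init" = systemd ]; then
        # No helper installed: signal the unit directly; rsyslog reopens
        # its files on SIGHUP and no PID file is involved.
        echo "systemctl kill -s HUP rsyslog.service"
    else
        # Classic sysvinit: the init script's rotate action is fine here.
        echo "$OLD_POSTROTATE"
    fi
}

# write_conf <output-file> <postrotate-command>
# Writes a logrotate stanza for haproxy using the given postrotate command.
write_conf() {
    out=$1
    cmd=$2
    cat >"$out" <<EOF
/var/log/haproxy.log {
    daily
    rotate 52
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        $cmd >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Stand-alone demo: render the corrected stanza for a systemd host.
case "${0##*/}" in
    haproxy-logrotate-example.sh)
        write_conf ./haproxy.logrotate "$(reopen_cmd "$RSYSLOG_HELPER" systemd)"
        cat ./haproxy.logrotate
        ;;
esac
```

Save the script as haproxy-logrotate-example.sh and run it to see the stanza that would go into /etc/logrotate.d/haproxy; the only difference from the old file is the postrotate line, which is where the missing PID file broke rotation.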

