From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH] package/haproxy: security bump to version 2.4.3
Date: Wed, 18 Aug 2021 18:55:54 +0200
Message-ID: <20210818165555.7148-1-peter@korsgaard.com>
Fixes the following security issues:

- CVE-2021-39240: An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3
  before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme
  and path portions of a URI have the expected characters. For example, the
  authority field (as observed on a target HTTP/2 server) might differ from
  what the routing rules were intended to achieve.

- CVE-2021-39241: An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2
  before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method
  name may contain a space followed by the name of a protected resource. It
  is possible that a server would interpret this as a request for that
  protected resource, such as in the "GET /admin? HTTP/1.1 /static/images
  HTTP/1.1" example.

- CVE-2021-39242: An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3
  before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an
  attacker-controlled HTTP Host header, because a mismatch between Host and
  authority is mishandled.

For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41041.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/haproxy/haproxy.hash | 4 ++--
 package/haproxy/haproxy.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash
index 849d362dc0..9edf5def08 100644
--- a/package/haproxy/haproxy.hash
+++ b/package/haproxy/haproxy.hash
@@ -1,5 +1,5 @@
-# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.2.tar.gz.sha256
-sha256 edf9788f7f3411498e3d7b21777036b4dc14183e95c8e2ce7577baa0ea4ea2aa haproxy-2.4.2.tar.gz
+# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.3.tar.gz.sha256
+sha256 ce479380be5464faa881dcd829618931b60130ffeb01c88bc2bf95e230046405 haproxy-2.4.3.tar.gz
# Locally computed:
sha256 0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28 LICENSE
sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a doc/lgpl.txt
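Review bot: The new tarball hash on the `+sha256 ce479380...` line is, per the updated `# From:` comment, taken from a `.sha256` file served over plain http from the same host as the tarball itself, so it only guards against transit corruption, not against a tampered mirror or an on-path rewrite of both files; please state in the commit that the hash was cross-checked (a locally computed sha256 of the downloaded tarball, or the checksum from the upstream release announcement linked in the advisory) and, if haproxy.org serves it, reference the `https://` URL in the comment. Also, `haproxy.mk` lists `doc/gpl.txt` in `HAPROXY_LICENSE_FILES`, but this hunk's context only shows the hashes for `LICENSE` and `doc/lgpl.txt`; confirm the `doc/gpl.txt` entry further down the file is still present and still matches the 2.4.3 tarball, since license texts can change between releases and a stale locally computed hash would only be caught at build time.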
diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk
index 4c02b6d334..85d4fa7e8d 100644
--- a/package/haproxy/haproxy.mk
+++ b/package/haproxy/haproxy.mk
@@ -5,7 +5,7 @@
################################################################################
HAPROXY_VERSION_MAJOR = 2.4
-HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).2
+HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).3
HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src
HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions
HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt
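Review bot: The bump itself is fine, since only the patch digit of `HAPROXY_VERSION` changes and `HAPROXY_VERSION_MAJOR` stays at 2.4, which matches the versions named as fixed in the commit message; `HAPROXY_SITE` remains `http://www.haproxy.org/download/...`, so the only integrity control on the download is the sha256 in `haproxy.hash`, which makes the hash hunk in this same patch load-bearing: keep both files in one commit (as done here) and consider a follow-up switching `HAPROXY_SITE` to `https://` so the tarball and its published checksum are not both fetched over an unauthenticated channel. Since this is a security bump, it would also help to mention in the commit message whether any local patches under `package/haproxy/` exist that 2.4.3 now carries upstream and should be dropped.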
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
Thread overview: 2+ messages
2021-08-18 16:55 Peter Korsgaard [this message]
2021-08-19 20:48 ` [Buildroot] [PATCH] package/haproxy: security bump to version 2.4.3 Thomas Petazzoni