UbuntuUpdates.org

Package "vim-haproxy"

Name: vim-haproxy

Description:

syntax highlighting for HAProxy configuration files
Latest version: 2.0.33-0ubuntu0.1
Release: focal (20.04)
Level: updates
Repository: universe
Head package: haproxy
Homepage: http://www.haproxy.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "vim-haproxy"

All arch deb package
APT INSTALL

Other versions of "vim-haproxy" in Focal

Repository Area Version
base universe 2.0.13-2
security universe 2.0.31-0ubuntu0.3

Changelog

Version: 2.0.33-0ubuntu0.1 2024-01-03 08:07:35 UTC

  haproxy (2.0.33-0ubuntu0.1) focal; urgency=medium

  * New upstream release (LP: #2028418)
    - Major and critical bug fixes according to the upstream changelog:
      + BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value
        replacement
      + BUG/MAJOR: http: reject any empty content-length header value
    - For further information, refer to the upstream changelog at
      https://www.haproxy.org/download/2.0/src/CHANGELOG and to the upstream
      release announcements at
      https://<email address hidden>/msg43668.html
      (2.0.32), and
      https://<email address hidden>/msg43904.html (2.0.33)
    - Remove patches applied by upstream in debian/patches:
      + CVE-2023-40225-1.patch
      + CVE-2023-40225-2.patch

 -- Athos Ribeiro <email address hidden> Tue, 31 Oct 2023 16:00:44 -0300
Source diff to previous version
2028418 MRE updates of haproxy for focal, jammy and lunar
CVE-2023-40225 HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x

Version: 2.0.31-0ubuntu0.3 2023-12-05 16:06:51 UTC

  haproxy (2.0.31-0ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: info disclosure or end_rule issue via hash character
    - debian/patches/CVE-2023-45539.patch: do not accept '#' as part of the
      URI component in src/h1.c.
    - CVE-2023-45539

 -- Marc Deslauriers <email address hidden> Mon, 04 Dec 2023 13:02:34 -0500
Source diff to previous version
CVE-2023-45539 HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified o

Version: 2.0.31-0ubuntu0.2 2023-08-17 18:06:51 UTC

  haproxy (2.0.31-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: incorrect handling of empty content-length header
    - debian/patches/CVE-2023-40225-1.patch: add a proper check for empty
      content-length header buffer in src/h1.c and src/h2.c. Also add
      tests for it in reg-tests/http-messaging/h1_to_h1.vtc and
      reg-tests/http-messaging/h2_to_h1.vtc.
    - debian/patches/CVE-2023-40225-2.patch: add a check for leading zero
      in content-length header buffer in src/h1.c and src/h2.c. Also add
      tests in reg-tests/http-rules/h1or2_to_h1c.vtc.
    - CVE-2023-40225

 -- Rodrigo Figueiredo Zaiden <email address hidden> Wed, 16 Aug 2023 18:14:42 -0300
Source diff to previous version
CVE-2023-40225 HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x

Version: 2.0.31-0ubuntu0.1 2023-04-26 08:23:03 UTC

  haproxy (2.0.31-0ubuntu0.1) focal; urgency=medium

  * New upstream release (LP: #2012557).
    - Major and critical bug fixes according to the upstream changelog:
      + BUG/MAJOR: stick-tables: do not try to index a server name for applets
      + BUG/MAJOR: stick-table: don't process store-response rules for applets
      + BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is
        realigned
      + BUG/CRITICAL: http: properly reject empty http header field names
    - Remove patches applied by upstream in debian/patches:
      + CVE-2023-0056.patch
      + CVE-2023-25725.patch
    - Refresh existing patches in debian/patches:
      + 0002-Use-dpkg-buildflags-to-build-halog.patch
  * Backport DEP-8 tests from Lunar:
    - d/t/proxy-ssl-termination
    - d/t/proxy-ssl-pass-through

 -- Lucas Kanashiro <email address hidden> Wed, 22 Mar 2023 17:39:46 -0300
Source diff to previous version
2012557 [MRE] haproxy
CVE-2023-0056 RESERVED
CVE-2023-25725 HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling."

Version: 2.0.29-0ubuntu1.3 2023-02-14 20:07:17 UTC

  haproxy (2.0.29-0ubuntu1.3) focal-security; urgency=medium

  * SECURITY UPDATE: incorrect handling of empty http header field names
    - debian/patches/CVE-2023-25725.patch: properly reject empty http
      header field names in src/h1.c, src/hpack-dec.c, src/http_msg.c.
    - CVE-2023-25725

 -- Marc Deslauriers <email address hidden> Mon, 13 Feb 2023 07:42:58 -0500


About   -   Send Feedback to @ubuntu_updates