Subject: bug#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)
From: gr0 bUst4 <[email protected]>
To: [email protected]
Date: Mon, 28 Oct 2024 10:32:09 +0000
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
X-Devuan-PR-Message: report 863
X-Devuan-PR-Package: haproxy

Package: haproxy
Version: 2.6.12-1

suggest to fix this default forwarding

-------- Forwarded message --------
Subject: Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: Mon, 28 Oct 2024 07:08:40 +0100
From: Willy TARREAU <[email protected]>
To: [email protected]

Hello,

Thanks for contacting us!

> I did a CVE request about HAProxy and the default forwarding of the headers
> Upgrade and Connection, which can lead to h2c request smuggling or
> WebSocket smuggling.
>
> The CVE request is just about h2c (over clear text); I didn't POC enough for
> the WebSocket smuggling.
>
> I'd appreciate talking about this with you.

I guess you're speaking about this commit:

7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")

If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74

If not, do not hesitate to share details about your concerns.

Thanks,
Willy
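The fix Willy points to is described only by its commit title, "do not forward h2c upgrade header token". The following is an added example, written for this page and not HAProxy's own code, that models what a reverse proxy in front of an HTTP/1.1 backend does with that token: it strips "h2c" from Upgrade, drops the accompanying HTTP2-Settings header, removes the "upgrade" token from Connection when nothing is left to upgrade to, and lets other upgrade tokens such as websocket pass through. The function and header names, and the two sample request heads, are constructed for the example; the backend host name is a placeholder.

```python
"""Model of the mitigation discussed in the thread: a proxy that does not
forward the h2c upgrade token to its backend (added example, not HAProxy code)."""
from typing import List, Tuple

Header = Tuple[str, str]


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into non-empty trimmed tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def parse_request_head(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.x request head into (request line, header list)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def sanitize_upgrade_headers(headers: List[Header]) -> Tuple[List[Header], bool]:
    """Return (headers safe to forward to an HTTP/1.1 backend, h2c_requested).

    Every 'h2c' token is removed from Upgrade and HTTP2-Settings is dropped
    (it only accompanies an h2c upgrade). If no Upgrade token remains, the
    Upgrade header is dropped and the 'upgrade' token is removed from
    Connection. Other upgrade tokens (e.g. websocket) pass through unchanged.
    Upgrade and Connection are re-emitted last, so header order may change.
    """
    upgrade_tokens: List[str] = []
    connection_tokens: List[str] = []
    passthrough: List[Header] = []
    h2c_requested = False

    for name, value in headers:
        lname = name.lower()
        if lname == "upgrade":
            for tok in _tokens(value):
                if tok.lower() == "h2c":
                    h2c_requested = True  # the token the backend must never see
                else:
                    upgrade_tokens.append(tok)
        elif lname == "connection":
            connection_tokens.extend(_tokens(value))
        elif lname == "http2-settings":
            continue  # meaningful only with Upgrade: h2c; never forwarded
        else:
            passthrough.append((name, value))

    # Connection must not name hop-by-hop headers we no longer forward.
    connection_tokens = [t for t in connection_tokens if t.lower() != "http2-settings"]
    if not upgrade_tokens:
        connection_tokens = [t for t in connection_tokens if t.lower() != "upgrade"]

    out = list(passthrough)
    if upgrade_tokens:
        out.append(("Upgrade", ", ".join(upgrade_tokens)))
    if connection_tokens:
        out.append(("Connection", ", ".join(connection_tokens)))
    return out, h2c_requested


def forward_head(raw: str) -> Tuple[str, bool]:
    """Sanitise a raw request head; return (forwardable head, h2c_requested)."""
    request_line, headers = parse_request_head(raw)
    clean, flagged = sanitize_upgrade_headers(headers)
    lines = [request_line] + [f"{n}: {v}" for n, v in clean]
    return "\r\n".join(lines) + "\r\n\r\n", flagged


# Constructed sample request heads (not traffic from the report).
SAMPLE_H2C = (
    "GET /api HTTP/1.1\r\n"
    "Host: backend.example\r\n"
    "Connection: Upgrade, HTTP2-Settings\r\n"
    "Upgrade: h2c\r\n"
    "HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n"
    "\r\n"
)
SAMPLE_WS = (
    "GET /chat HTTP/1.1\r\n"
    "Host: backend.example\r\n"
    "Connection: Upgrade\r\n"
    "Upgrade: websocket\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_H2C, SAMPLE_WS):
        head, flagged = forward_head(raw)
        print("h2c upgrade stripped" if flagged else "forwarded as-is")
        print(head)
```

The returned flag is the detection hook: a proxy that counts or logs requests where it is set gets visibility into clients probing for an h2c upgrade path, while the backend only ever sees plain HTTP/1.1 framing for those requests.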
From: "Devuan bug Tracking System" <[email protected]>
To: gr0 bUst4 <[email protected]>
Subject: bug#863: Acknowledgement (haproxy forward upgrade and connection headers as default (h2c request smuggling))
Message-ID: <[email protected]>
References: <[email protected]>
Reply-To: [email protected]
Date: Mon, 28 Oct 2024 10:38:03 +0000
X-Devuan-PR-Message: ack 863
X-Devuan-PR-Package: haproxy

Thank you for filing a new bug report with Devuan.

You can follow progress on this bug here: 863: https://bugs.devuan.org/cgi/bugreport.cgi?bug=863.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 [email protected]

If you wish to submit further information on this problem, please send it to [email protected].

Please do not send mail to [email protected] unless you wish to report a problem with the Bug-tracking system.

-- 
863: https://bugs.devuan.org/cgi/bugreport.cgi?bug=863
Devuan Bug Tracking System
Contact [email protected] with problems
Subject: bug#863: [devuan-dev] bug#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)
From: Mark Hindley <[email protected]>
To: gr0 bUst4 <[email protected]>, [email protected]
Date: Mon, 28 Oct 2024 19:27:55 +0000
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
X-Devuan-PR-Message: followup 863
X-Devuan-PR-Package: haproxy

Control: tags -1 debian

On Mon, Oct 28, 2024 at 10:32:09AM +0000, gr0 bUst4 wrote:
> Package: haproxy
>
> Version: 2.6.12-1
> suggest to fix this default forwarding

Devuan uses Debian's haproxy packages directly without recompilation. So when this is fixed in Debian it will be inherited by Devuan.

> If so, it's already backported for next stable releases:
> 3.0: cba44958ae
> 2.9: cf31943d74

haproxy | 2.9.11-1 | testing            | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy | 2.9.11-1 | unstable           | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy | 2.9.11-1 | unstable-debug     | source
haproxy | 3.0.5-1  | experimental       | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy | 3.0.5-1  | experimental-debug | source

Mark
Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.
Devuan Bugs Owner <[email protected]>.
Last modified: Sun, 1 Dec 2024 00:39:02 UTC