Devuan bug report logs - #863
haproxy forward upgrade and connection headers as default (h2c request smuggling)

Package: haproxy; Reported by: gr0 bUst4 <[email protected]>; Keywords: debian; dated Mon, 28 Oct 2024 10:38:01 UTC; Maintainer for haproxy is (unknown).
Added tag(s) debian. Request was from Mark Hindley <[email protected]> to [email protected]. Full text available.

Message received at [email protected]:


Date: Mon, 28 Oct 2024 19:27:55 +0000
From: Mark Hindley <[email protected]>
To: gr0 bUst4 <[email protected]>, [email protected]
Subject: Re: [devuan-dev] bug#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Message-ID: <[email protected]>
References: <[email protected]>
 <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[email protected]>
X-Debbugs-No-Ack: No Thanks

Control: tags -1 debian

On Mon, Oct 28, 2024 at 10:32:09AM +0000, gr0 bUst4 wrote:
>    Package: haproxy
> 
>    Version: 2.6.12-1
> Suggest fixing this default forwarding.

Devuan uses Debian's haproxy packages directly without recompilation. So when
this is fixed in Debian it will be inherited by Devuan.

>    If so, it's already backported for next stable releases:
>    3.0: cba44958ae
>    2.9: cf31943d74

haproxy    | 2.9.11-1                | testing                  | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 2.9.11-1                | unstable                 | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 2.9.11-1                | unstable-debug           | source
haproxy    | 3.0.5-1                 | experimental             | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
haproxy    | 3.0.5-1                 | experimental-debug       | source

Mark

Information forwarded to [email protected], [email protected]:
bug#863; Package haproxy. Full text available.

Message received at [email protected]:


Message-ID: <[email protected]>
Date: Mon, 28 Oct 2024 10:32:09 +0000
MIME-Version: 1.0
Subject: haproxy forward upgrade and connection headers as default (h2c request smuggling)
References: <[email protected]>
Content-Language: en-US
From: gr0 bUst4 <[email protected]>
To: [email protected]
In-Reply-To: <[email protected]>
X-Forwarded-Message-Id: <[email protected]>


Package: haproxy

Version: 2.6.12-1

Suggest fixing this default forwarding.


-------- Forwarded Message --------
Subject: 	Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: 	Mon, 28 Oct 2024 07:08:40 +0100
From: 	Willy TARREAU <[email protected]>
To: 	[email protected]



Hello,

Thanks for contacting us!

> I did a CVE request about HAProxy and the default forwarding of the
> Upgrade and Connection headers, which can lead to h2c request smuggling
> or WebSocket smuggling.
>
> The CVE request is just about h2c (over clear text); I didn't PoC the
> WebSocket smuggling enough.
>
> I would appreciate talking about this with you.

I guess you're speaking about this commit:

7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")

If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74

If not, do not hesitate to share details about your concerns.

Thanks,
Willy
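What the cited fix changes, as an added example that is not HAProxy's code and not part of the thread: a small Python model of a proxy's header pass-through, before and after the behaviour named in commit 7b89aa5b19 ("do not forward h2c upgrade header token"). A proxy that speaks only HTTP/1.1 to its backends but copies `Upgrade: h2c` (with its `HTTP2-Settings` header and the matching `Connection` tokens) through unchanged lets the backend answer 101 Switching Protocols; from then on the client talks HTTP/2 to the backend inside what the proxy still treats as a single HTTP/1.1 exchange, so later requests on that connection never pass through the proxy's per-request rules. That is the h2c request smuggling the reporter refers to. The two request samples, the header values and the function names below are constructed for this example.

```python
"""Model of what the cited fix changes: stop forwarding an h2c upgrade.

Added example, not HAProxy's code. Both request samples are constructed
inline; the function names are this example's own.
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample: a client asking the backend to upgrade the connection
# to cleartext HTTP/2. HTTP2-Settings carries a base64url SETTINGS payload
# whose exact content does not matter here.
H2C_REQUEST = (
    b"GET /private HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n"
    b"\r\n"
)

# Constructed sample: a WebSocket handshake, which the proxy must keep intact.
WEBSOCKET_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, List[Header]]:
    """Split an HTTP/1.1 request head into request line and header pairs."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def serialize(request_line: str, headers: List[Header]) -> bytes:
    """Rebuild the request head (no body) from its parts."""
    out = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return (out + "\r\n").encode("latin-1")


def split_tokens(value: str) -> List[str]:
    """Comma-separated list members with surrounding whitespace removed."""
    return [t.strip() for t in value.split(",") if t.strip()]


def has_h2c_upgrade(headers: List[Header]) -> bool:
    """True if any Upgrade header still offers the h2c protocol token."""
    return any(
        n.lower() == "upgrade" and "h2c" in (t.lower() for t in split_tokens(v))
        for n, v in headers
    )


def forward_unfiltered(headers: List[Header]) -> List[Header]:
    """The pre-fix behaviour the report is about: every header goes through."""
    return list(headers)


def strip_h2c_upgrade(headers: List[Header]) -> List[Header]:
    """Post-fix behaviour: drop the h2c token and everything tied to it.

    - "h2c" is removed from Upgrade; other protocols (e.g. websocket) stay.
    - HTTP2-Settings is dropped, since it only accompanies an h2c upgrade.
    - Connection loses "HTTP2-Settings", and loses "Upgrade" too when no
      upgrade protocol remains, so the backend never sees a dangling token.
    """
    remaining = [
        t for n, v in headers if n.lower() == "upgrade"
        for t in split_tokens(v) if t.lower() != "h2c"
    ]
    result: List[Header] = []
    upgrade_done = False
    for name, value in headers:
        lname = name.lower()
        if lname == "http2-settings":
            continue
        if lname == "upgrade":
            if remaining and not upgrade_done:
                result.append((name, ", ".join(remaining)))
                upgrade_done = True
            continue
        if lname == "connection":
            keep = [
                t for t in split_tokens(value)
                if t.lower() != "http2-settings"
                and (t.lower() != "upgrade" or remaining)
            ]
            if keep:
                result.append((name, ", ".join(keep)))
            continue
        result.append((name, value))
    return result


def forward(raw: bytes) -> bytes:
    """What the backend receives from the hardened proxy."""
    line, headers = parse_request(raw)
    return serialize(line, strip_h2c_upgrade(headers))


if __name__ == "__main__":
    for raw in (H2C_REQUEST, WEBSOCKET_REQUEST):
        line, headers = parse_request(raw)
        print(line)
        print("  unfiltered offers h2c:", has_h2c_upgrade(forward_unfiltered(headers)))
        print("  hardened offers h2c:  ", has_h2c_upgrade(strip_h2c_upgrade(headers)))
        print(forward(raw).decode("latin-1"))
```

On a build without the fix, a frontend rule such as `http-request del-header Upgrade if { req.hdr(Upgrade) -i h2c }` in haproxy.cfg gives a coarser version of the same effect (my suggested workaround, not one from the thread): it removes the whole Upgrade header, so a combined `Upgrade: h2c, websocket` request loses its WebSocket upgrade as well, whereas the function above keeps the non-h2c tokens.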

Acknowledgement sent to gr0 bUst4 <[email protected]>:
New bug report received and forwarded. Copy sent to [email protected]. Full text available.
Report forwarded to [email protected], [email protected]:
bug#863; Package haproxy. Full text available.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <[email protected]>.
Last modified: Sat, 30 Nov 2024 22:39:01 UTC