Control: reopen -1

Hi Luk

On Sat, Jun 23, 2012 at 10:03:21AM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the haproxy package:
> 
> #674447: CVE-2012-2391
> 
> It has been closed by Luk Claes <l...@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Luk Claes
> <l...@debian.org> by replying to this email.

I was currently looking at the list of bugs with security tag but not
tracked in the security tracker[1] and noticed #674447.

 [1]: http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-secur...@lists.debian.org;exclude=tracked

Noticed that you closed this bug with version 1.4.15-1. Is this
correct? Looking at the code and the information, the patch from [2]
still applies and corrects the trash and trashlen. However
/usr/share/doc/haproxy/configuration.txt.gz clearly says:

tune.bufsize <number>
  Sets the buffer size to this size (in bytes). Lower values allow more
  sessions to coexist in the same amount of RAM, and higher values allow some
  applications with very large cookies to work. The default value is 16384 and
  can be changed at build time. It is strongly recommended not to change this
  from the default value, as very low values will break some services such as
  statistics, and values larger than default size will increase memory usage,
  possibly causing the system to run out of memory. At least the global maxconn
  parameter should be decreased by the same factor as this one is increased.

So changing this from non-default value can result in the problem
(downgrading severity for the bugreport?)

 [2]: http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commitdiff;h=30297cb17147a8d339eb160226bcc08c91d9530b

The mentioned patch was only applied in 1.4.21 upstream.

Would be great if you could double-check my comment above. Or why is it
fixed in 1.4.15?

Regards,
Salvatore

