Your message dated Thu, 09 Sep 2021 19:02:07 +0000
with message-id <e1mopjh-000d0t...@fasolo.debian.org>
and subject line Bug#993303: fixed in haproxy 2.2.9-2+deb11u2
has caused the Debian Bug report #993303,
regarding haproxy: Fails to handle URL paths starting with more than one '/'
using HTTP/2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
993303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: haproxy
Version: 2.2.9-2+deb11u1~bpo10+1
Severity: grave
Justification: renders package unusable
Hi All!
Since installing the latest HAProxy backports package for Debian 10,
2.2.9-2+deb11u1~bpo10+1, HAProxy fails to serve URLs like those:
https://host.tld//
https://host.tld//path/to/something
https://host.tld//////some/silly/thing
Accessing those URLs results in HAProxy "just" closing the connection:
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
Those URLs were working before this version ...
The Debian changelog for 2.2.9-2+deb11u1 lists this, which I fear is
related:
"Fix HTTP request smuggling via HTTP/2 desync attacks."
I haven't had time to test the package from Bullseye, so not sure if this
"only" affects the backported package, the Debian packages in general,
or even the upstream fix ...
Regards
Alex
-- System Information:
Debian Release: 10.10
APT prefers buster-backports
APT policy: (990, 'buster-backports'), (500, 'oldstable-updates'), (500, 'oldstable'), (100, 'buster-fasttrack'), (3, 'testing'), (2, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-0.bpo.7-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages haproxy depends on:
ii adduser 3.118
ii dpkg 1.19.7
ii init-system-helpers 1.56+nmu1
ii libc6 2.28-10
pn libcrypt1 <none>
ii libgcc-s1 [libgcc1] 10.1.0-6
ii libgcc1 1:8.3.0-6
ii liblua5.3-0 5.3.3-1.1
ii libpcre2-8-0 10.32-5
ii libssl1.1 1.1.1d-0+deb10u7
ii libsystemd0 247.3-6~bpo10+1
ii lsb-base 10.2019051400
ii zlib1g 1:1.2.11.dfsg-1
haproxy recommends no packages.
Versions of packages haproxy suggests:
pn haproxy-doc <none>
pn vim-haproxy <none>
--- End Message ---
--- Begin Message ---
Source: haproxy
Source-Version: 2.2.9-2+deb11u2
Done: Vincent Bernat <ber...@debian.org>
We believe that the bug you reported is fixed in the latest version of
haproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 993...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <ber...@debian.org> (supplier of updated haproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 05 Sep 2021 10:48:54 +0200
Source: haproxy
Architecture: source
Version: 2.2.9-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian HAProxy Maintainers <team+hapr...@tracker.debian.org>
Changed-By: Vincent Bernat <ber...@debian.org>
Closes: 993303
Changes:
haproxy (2.2.9-2+deb11u2) bullseye-security; urgency=high
.
* d/patches: fix missing header name length check in HTX (CVE-2021-40346).
* d/patches: h2: match absolute-path not path-absolute for :path.
Closes: #993303.
Checksums-Sha1:
f75da2c3c2f4b4d01aa6d726696b29bc585ac436 2340 haproxy_2.2.9-2+deb11u2.dsc
20bcd6b373db215c8d2906f809ed995d154ae846 2900486 haproxy_2.2.9.orig.tar.gz
be438ab17ea7ec8a41346b3694e118b7393b0d81 79212 haproxy_2.2.9-2+deb11u2.debian.tar.xz
0eacfe3b140cc43e31ca084ef860d3eacdae9381 8438 haproxy_2.2.9-2+deb11u2_amd64.buildinfo
Checksums-Sha256:
9691deafe8b290045bf9101709b833b985ff43517cd309fdb530977654de818b 2340 haproxy_2.2.9-2+deb11u2.dsc
21680459b08b9ba21c8cc9f5dbd0ee6e1842f57a3a67f87179871e1c13ebd4e3 2900486 haproxy_2.2.9.orig.tar.gz
41c8464df8d0e902325ebd069e1759e4ea26aff06b7e61beeb77eb661169282f 79212 haproxy_2.2.9-2+deb11u2.debian.tar.xz
fbd7dee3fe1d39cde5b034a49117ca3074ff3c596afbe986221cd43b38142867 8438 haproxy_2.2.9-2+deb11u2_amd64.buildinfo
Files:
e20cbaf695f3a3c93f3e346229adfa83 2340 net optional haproxy_2.2.9-2+deb11u2.dsc
b7c89eee17a58be6afaf3af28970d47b 2900486 net optional haproxy_2.2.9.orig.tar.gz
3007182c6072aaa354567962408e75a8 79212 net optional haproxy_2.2.9-2+deb11u2.debian.tar.xz
a8200871ff709e2f4dec5678dc840168 8438 net optional haproxy_2.2.9-2+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
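The changelog entry "h2: match absolute-path not path-absolute for :path" names two different grammars. RFC 3986 defines `path-absolute = "/" [ segment-nz *( "/" segment ) ]`, whose first segment must be non-empty, so a `:path` such as `//path/to/something` can never match it; RFC 7230 defines `absolute-path = 1*( "/" segment )`, which is what HTTP (and the HTTP/2 `:path` pseudo-header) actually uses, and it accepts repeated slashes. Validating against the first rule is what made the reporter's URLs fail, while the second rule accepts them without admitting characters the HTTP specification forbids. The Python below is an added illustration written for this page, not HAProxy's own code: it implements both grammars as regular expressions and runs the URLs from the bug report through each, so the before/after behaviour can be seen side by side. The function names and the small sample list are this example's own.

```python
import re

# RFC 3986 character classes. Percent-encoded octets are accepted as written
# (no decoding happens here; decoding is a separate, later step in a server).
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_PCHAR = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}:@]|%[0-9A-Fa-f]{{2}})"
_SEGMENT = rf"{_PCHAR}*"        # segment    = *pchar
_SEGMENT_NZ = rf"{_PCHAR}+"     # segment-nz = 1*pchar
_QUERY = rf"(?:{_PCHAR}|[/?])*"  # query      = *( pchar / "/" / "?" )

# RFC 3986 path-absolute = "/" [ segment-nz *( "/" segment ) ]
# The segment after the leading "/" must be non-empty, so "//..." is rejected.
PATH_ABSOLUTE = re.compile(rf"/(?:{_SEGMENT_NZ}(?:/{_SEGMENT})*)?(?:\?{_QUERY})?")

# RFC 7230 absolute-path = 1*( "/" segment )
# Every segment may be empty, so "//", "//a" and "//////a" are all well-formed.
ABSOLUTE_PATH = re.compile(rf"(?:/{_SEGMENT})+(?:\?{_QUERY})?")


def valid_path_absolute(path: str) -> bool:
    """:path check using RFC 3986 path-absolute (the behaviour the report describes)."""
    return PATH_ABSOLUTE.fullmatch(path) is not None


def valid_absolute_path(path: str) -> bool:
    """:path check using RFC 7230 absolute-path (the rule the changelog switches to)."""
    return ABSOLUTE_PATH.fullmatch(path) is not None


def check_h2_path(path: str, method: str = "GET") -> bool:
    """Decide whether an HTTP/2 :path value is acceptable.

    Mirrors the HTTP/2 pseudo-header rule: the value is an absolute-path
    with an optional query, except that "*" is allowed for OPTIONS only.
    Anything else (empty value, whitespace, control bytes, a bare host)
    is rejected so that malformed targets never reach the backend.
    """
    if path == "*":
        return method == "OPTIONS"
    return valid_absolute_path(path)


def compare_rules(paths):
    """Return {path: (path_absolute_result, absolute_path_result)} for each input."""
    return {p: (valid_path_absolute(p), valid_absolute_path(p)) for p in paths}


# Constructed sample inputs: the three paths from the bug report plus a few
# ordinary and malformed values to show that only the leading-slash handling
# differs between the two grammars.
SAMPLE_PATHS = [
    "//",                        # reported as failing
    "//path/to/something",       # reported as failing
    "//////some/silly/thing",    # reported as failing
    "/",                         # plain root, accepted by both
    "/index.html?a=1&b=2",       # path with query, accepted by both
    "",                          # empty :path, rejected by both
    "/has space",                # unescaped space, rejected by both
    "host.tld/path",             # not an absolute path at all, rejected by both
]

if __name__ == "__main__":
    for p, (old, new) in compare_rules(SAMPLE_PATHS).items():
        print(f"{p!r:28} path-absolute={old!s:5} absolute-path={new!s:5}")
```

The three reported URLs are rejected by `valid_path_absolute` and accepted by `valid_absolute_path`, while the malformed inputs are rejected by both, which is the property a proxy's request validation should keep: strict enough to drop targets that could be parsed differently by the frontend and the backend, but not stricter than the HTTP grammar itself.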