CVE-2019-19330 (https://nvd.nist.gov/vuln/detail/CVE-2019-19330): The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
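The class of bug described above (an HTTP/2-to-HTTP/1.x intermediary forwarding a header whose value carries CR, LF or NUL, so that the re-serialised HTTP/1.x head gains an attacker-chosen extra line) is easiest to see against a reference check. The following is an added example, not HAProxy's own code: it applies the RFC 7540 section 10.3 rule that such octets make a field malformed, plus the lowercase-token rule for names, before re-serialising a request head. The header lists at the bottom are constructed sample input, not captured traffic.

```python
from typing import Dict, Iterable, List, Tuple

Header = Tuple[bytes, bytes]

# RFC 7540 s10.3: NUL, LF and CR in a field value must be treated as malformed
# by an intermediary that re-serialises to HTTP/1.x.
FORBIDDEN_VALUE_OCTETS = frozenset({0x00, 0x0A, 0x0D})

# RFC 7230 tchar, restricted to lowercase because HTTP/2 requires lowercase names.
TOKEN_OCTETS = frozenset(b"!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz")

# Request pseudo-headers defined by RFC 7540 s8.1.2.3 (assumption: request side only).
REQUEST_PSEUDO = frozenset({b":method", b":scheme", b":authority", b":path"})


def value_is_safe(value: bytes) -> bool:
    """True if the value can be placed on an HTTP/1.x header line unchanged."""
    return not any(o in FORBIDDEN_VALUE_OCTETS for o in value)


def name_is_safe(name: bytes) -> bool:
    """True for a known request pseudo-header or a non-empty lowercase token."""
    if not name:
        return False
    if name.startswith(b":"):
        return name in REQUEST_PSEUDO
    return all(o in TOKEN_OCTETS for o in name)


def to_http1_request(headers: Iterable[Header]) -> bytes:
    """Validate an HTTP/2 request header list and re-serialise it as an
    HTTP/1.1 request head. Raises ValueError on any malformed field."""
    pseudo: Dict[bytes, bytes] = {}
    regular: List[Header] = []
    for name, value in headers:
        if not name_is_safe(name):
            raise ValueError(f"bad field name: {name!r}")
        if not value_is_safe(value):
            raise ValueError(f"CR/LF/NUL in value of {name!r}")
        if name.startswith(b":"):
            # Pseudo-headers must be unique and precede all regular fields.
            if name in pseudo or regular:
                raise ValueError(f"duplicate or misplaced pseudo-header {name!r}")
            pseudo[name] = value
        else:
            regular.append((name, value))
    for required in (b":method", b":scheme", b":path"):
        if required not in pseudo:
            raise ValueError(f"missing {required!r}")
    lines = [pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1"]
    if b":authority" in pseudo:
        lines.append(b"host: " + pseudo[b":authority"])
    lines.extend(n + b": " + v for n, v in regular)
    return b"\r\n".join(lines) + b"\r\n\r\n"


def is_malformed(headers: Iterable[Header]) -> bool:
    """Convenience wrapper: True if the intermediary must reject the request."""
    try:
        to_http1_request(list(headers))
    except ValueError:
        return False or True
    return False


# Constructed sample inputs (not real traffic).
GOOD: List[Header] = [
    (b":method", b"GET"), (b":scheme", b"https"), (b":authority", b"example.test"),
    (b":path", b"/index.html"), (b"user-agent", b"demo/1.0"),
]
# Forwarded unchecked, the CRLF inside this value would become a second header
# line ("x-admin: true") on the HTTP/1.x connection to the backend.
INJECTED: List[Header] = GOOD + [(b"x-forwarded-for", b"10.0.0.1\r\nx-admin: true")]
# A NUL would truncate the value in any C-string-based backend parser.
NUL_VALUE: List[Header] = GOOD + [(b"cookie", b"a=b\x00c")]

if __name__ == "__main__":
    print(to_http1_request(GOOD).decode())
    for label, hdrs in (("INJECTED", INJECTED), ("NUL_VALUE", NUL_VALUE)):
        print(label, "rejected" if is_malformed(hdrs) else "accepted")
```

The check is deliberately done on the raw octets before any re-serialisation: once the value has been joined with `\r\n` into an HTTP/1.x head, the injected line is indistinguishable from a legitimate one.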
@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself (see also bug 699870).
Permission received from maintainer via IRC. @arches, please stabilise (amd64, arm, ppc, x86).
amd64 stable
arm stable
x86 stable
Maybe we should have targeted the LTS branch 2.0.
(In reply to Tomáš Mózes from comment #6)
> Maybe we should have targeted the LTS branch 2.0.

I meant like having 2.1 in ~testing and 2.0 stable.
(In reply to Tomáš Mózes from comment #7)
> (In reply to Tomáš Mózes from comment #6)
> > Maybe we should have targeted the LTS branch 2.0.
>
> I meant like having 2.1 in ~testing and 2.0 stable.

That's why 2.0.13 will be stabilized as well. I don't see a problem having both stabilized since both work pretty solid/stable for me.
Not really a problem, but probably no one will run 2.0 as the latest stable is 2.1 ;) If you just install/upgrade haproxy, then everybody will receive version 2.1, so is there a point of keeping both stable? But like I said, not really a problem, just my opinion.
This issue was resolved and addressed in GLSA 202004-01 at https://security.gentoo.org/glsa/202004-01 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
Still fails to build on ppc due to bug #668002.
Newer stabilization in progress; please continue in Bug #715944.
Unable to check for sanity:
> no match for package: =net-proxy/haproxy-2.0.13
All sanity-check issues have been resolved
ppc stable. All arches stable.
Unable to check for sanity:
> dependent bug #715944 is missing keywords
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22a7680ab28c28d7b7f100c83500c4630c848f12

commit 22a7680ab28c28d7b7f100c83500c4630c848f12
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:19:54 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:19:54 +0000

    net-analyzer/sarg: drop vulnerable

    Bug: https://bugs.gentoo.org/701842
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 net-analyzer/sarg/Manifest              |  1 -
 net-analyzer/sarg/sarg-2.3.11-r1.ebuild | 43 --------------------------------
 net-analyzer/sarg/sarg-2.3.11-r2.ebuild | 44 ---------------------------------
 3 files changed, 88 deletions(-)