Hi all,
This week, Charlie Smurthwaite reported a bug in haproxy 1.5 affecting
SVN in pipeline mode. After a long debugging session and many very
detailed traces Charlie provided, we found the bug and it has even more
serious impacts than initially thought. To make a long story short,
with the proper timing and by requesting files of specific sizes from
the backend servers in HTTP pipelining mode, one can trigger a call to
a buffer alignment function which was not designed to work with pending
output data. The effect is that the output data pointer points to the
wrong location in the buffer, causing corruption on the client. It's
more visible with chunked encoding and compressed bodies because the
client cannot parse the response, but with a regular content-length
body, the client will simply retrieve corrupted contents. That's not
the worst problem in fact since pipelining is disabled in most clients.
The real problem is that it allows the client to sometimes retrieve
data from a previous session that remains in the buffer at the location
where the output pointer lies. Thus it's an information leak vulnerability.
No CVE ID was assigned to this bug yet.
For this reason, anyone using any 1.5-dev, 1.5.x or 1.6-dev version in
production must upgrade (or backport the fix) if their load balancers
are directly exposed to untrusted clients. 1.4 and older are not affected.
The fix was limited to its minimal version and was extensively tested
at various places and is running in production at least at one place.
Additionally, the build fix for NetBSD 6.0 was backported as it was simple.
So... no excuse for not updating.
The full 1.5.14 changelog follows :
- BUILD/MINOR: tools: rename popcount to my_popcountl
- BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
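Added illustration, not part of this message and not haproxy's code: a constructed, much simplified model of a 1.5-style buffer (input bytes at <p>, <o> output bytes preceding <p> with wrap-around) showing why a realign that ignores pending output lets the next send pick up bytes left over from whatever the storage previously held, and what the fixed realign has to do instead. The buffer layout, field names and the "previous session" content are all assumptions made for the demonstration; the actual buffer_slow_realign() differs in detail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, NOT haproxy's struct buffer. <p> points at the first
 * byte of pending input, <i> counts input bytes from <p>, and <o> counts
 * output bytes located just before <p>, wrapping around the end of the
 * storage when needed. Invariant assumed throughout: o + i <= size. */
struct buf {
    char  *data;   /* storage area */
    size_t size;   /* storage size in bytes */
    char  *p;      /* start of pending input data */
    size_t o;      /* pending output bytes, located before <p> */
    size_t i;      /* pending input bytes, located at <p> */
};

/* First byte of pending output, computed by index so it wraps cleanly. */
static char *buf_out_start(const struct buf *b)
{
    size_t pos = (size_t)(b->p - b->data);
    pos = (pos + b->size - b->o) % b->size;
    return b->data + pos;
}

/* Copy the <o> pending output bytes into <dst>, following the wrap. */
static void buf_read_output(const struct buf *b, char *dst)
{
    char *src = buf_out_start(b);
    for (size_t n = 0; n < b->o; n++) {
        dst[n] = *src++;
        if (src == b->data + b->size)
            src = b->data;
    }
}

/* BUGGY realign, modelling the defect class described in the announcement:
 * the input area is moved to the start of the storage and <p> is reset,
 * but <o> is left untouched. Afterwards the output is still said to
 * precede <p>, i.e. it is now read from the tail of the storage, which
 * contains whatever was there before. */
static void realign_buggy(struct buf *b)
{
    memmove(b->data, b->p, b->i);
    b->p = b->data;
}

/* FIXED realign: pending output is saved first and then placed at the
 * tail of the storage, so that it still precedes the reset <p> by wrapping. */
static void realign_fixed(struct buf *b)
{
    char *tmp = malloc(b->o ? b->o : 1);
    buf_read_output(b, tmp);                      /* save output (may wrap) */
    memmove(b->data, b->p, b->i);                 /* input to the head       */
    memcpy(b->data + b->size - b->o, tmp, b->o);  /* output to the tail      */
    b->p = b->data;
    free(tmp);
}

/* Output bytes observed by the last scenario run, as they would be sent. */
static char last_output[3];

/* Constructed scenario: the storage still holds bytes from a previous use
 * (a reused buffer), the current session has 3 output bytes "OUT" followed
 * by 5 input bytes "INPUT" in the middle of it, then realign is called.
 * Returns 1 when the output to be sent is still "OUT" and the input is
 * intact, 0 when stale bytes would be sent to the client instead. */
static int output_survives_realign(void (*realign)(struct buf *))
{
    static const char previous[] = "SECRET-FROM-PREVIOUS-SESSION!!!!"; /* 32 bytes */
    char storage[32];
    struct buf b = { storage, sizeof(storage), NULL, 0, 0 };

    memcpy(storage, previous, sizeof(storage));   /* leftover content */
    memcpy(storage + 10, "OUT", 3);               /* current session output */
    memcpy(storage + 13, "INPUT", 5);             /* current session input  */
    b.p = storage + 13;
    b.o = 3;
    b.i = 5;

    realign(&b);
    buf_read_output(&b, last_output);
    return memcmp(last_output, "OUT", 3) == 0 && memcmp(b.p, "INPUT", 5) == 0;
}

int main(void)
{
    int ok = output_survives_realign(realign_buggy);
    printf("buggy realign: output sent = \"%.3s\" (%s)\n", last_output,
           ok ? "correct" : "STALE BYTES LEAKED");
    ok = output_survives_realign(realign_fixed);
    printf("fixed realign: output sent = \"%.3s\" (%s)\n", last_output,
           ok ? "correct" : "STALE BYTES LEAKED");
    return 0;
}
```

With the buggy realign the three bytes handed to the client are the last three bytes of the leftover content rather than "OUT", which is exactly the kind of cross-session disclosure the announcement describes; the fixed version keeps both areas consistent. The thing to check in any buffer implementation with separate input and output regions is that every pointer-moving operation accounts for both, and that regression tests cover the case where output is pending at the moment of realignment.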
Usual URLs below :
Site index : http://www.haproxy.org/
Sources : http://www.haproxy.org/download/1.5/src/
Git repository : http://git.haproxy.org/git/haproxy-1.5.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.5.git
Changelog : http://www.haproxy.org/download/1.5/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html
Regards,
Willy