From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH] package/haproxy: bump version to 6.2.27
Date: Mon, 4 May 2026 18:09:22 +0200
Message-ID: <20260504160924.14432-1-peter@korsgaard.com>

Bugfix releases with a large number of (security) fixes.

For 6.2.26:
- a severe issue was found in the compression library (slz) where
specially crafted patterns with tune.bufsize above 17408 or
tune.maxrewrite below 964 (both non-default) could cause output
buffer overflows due to the overhead exceeding the promised
worst-case growth bound of 5 bytes and reach up to 1/16 of the
input contents. Given that the compression output is hardly
controllable, and the canaries at the end of the pools will catch
this at release time, the risk of exploitation by a hostile server
is close to zero, however it will cause repeated crashes if such a
crafted file is present on a server and regularly downloaded. A
workaround consists in keeping tune.maxrewrite at least 1/16 of
tune.bufsize or just not changing them since the defaults are safe.
A CVE was requested two weeks ago for this one, I'll mention it when
it arrives.
- HTTP/2 incomplete transfer detection was missing for HEADERS frames
carrying END_STREAM. When relayed to an HTTP/1.1 server that
responds before the end of the transfer, this can result in bytes
of the next request over the same connection to be ignored. Most of
the time it will cause the connection to be dropped due to an
unparsable request, but when combined with "http-reuse never", or
on totally idle servers, the client could expect the second request
to reuse the same connection and perform a content smuggling attack
that would allow passing an unverified request to a server. For
those who can't upgrade, a temporary workaround is to disable
HTTP/2 by specifying "alpn http/1.1" on bind lines and adding
"disable-h2-upgrade" in HTTP frontends. A CVE will be requested for
this one.
- HTTP/1.1 bodyless messages announcing a non-null Content-Length did
not force close mode on the backend, potentially causing
desynchronisation between HAProxy and the server in conjunction
with other bugs.
- FCGI record length truncation with large bufsize (>=65544) could
enable request smuggling into PHP-FPM, since the 16-bit
content_length field silently truncated lengths to 65535 bytes.
- an unvalidated SNI name_len field in ClientHello could cause OOB
heap reads of up to 65KB via XXH3, smp_dup(), and log-format leaks
on any TCP frontend using req.ssl_sni, possibly causing crashes when
used.
- ECDSA JWT signatures with ES256/384/512 could cause a heap overflow
of ~14 bytes in the DER conversion before verification.
- Lua's httpclient headers conversion accepted more than 101 headers
without bound checking, causing a stack buffer overflow reachable
from any Lua action/task/service.
- peers dictionary cache updates accepted an unvalidated entry id as
array index, allowing OOB heap writes at attacker-controlled
offsets.
- Lua had a use-after-free of HTTP reason strings managed by Lua's GC
between set_status() and start_response(), potentially leaking
adjacent information from memory.
- the regsub sample function could leak ~9-50KB of stale heap data
when back-reference expansion overflowed the output buffer.
- SPOE decode_varint() had no iteration cap, allowing pointer
arithmetic to wrap and dereference memory ~64KB before the
allocation, causing SIGSEGV or parser confusion.
- in sample expressions, less common HTTP methods (PATCH etc.) are
represented by both an enum and a string. The string part was not
handled correctly in sample duplication functions, resulting in
their contents appearing empty when trying to fetch the method.
- QPACK varint decoding is now also limited to 62-bit, and had a risk
of 1-byte OOB reads on truncated streams, which could cause
incorrect header decoding.
- config: a few argument parsing errors in conditional expressions
used in ".if" could be misreported and even cause a crash during
the parsing. Also, a few keywords relying on warnif_misplaced_*
didn't check the return value and didn't count emitted warnings as
warnings.

For more details, see the announcement:
https://www.mail-archive.com/haproxy@formilux.org/msg47016.html

For 6.2.27:

A major issue was fixed by this release. It was related to the scheme-based
normalization. The presence of commas in Host header and authority was permitted
and would be used to compare the values, which then would differ when read via
hdr(host) which splits them on commas, and under certain circumstances, trigger
crashes (at least it did in the OSS-Fuzz environment when injecting the values
directly at the HTX layer). The issue was fixed. Remains the case of the comma
characters in authorities. Even though the spec permits commas in authorities
(not in domain names), there is currently no use case for this and it causes an
ambiguity with the historical use of hdr(host), so we preferred to just deny
them. The change was performed on the 3.4-dev10 and postponed for the next 3.3
release. It will probably be backported to lower versions too.

An issue in the FCGI multiplexer was fixed. The function responsible for emitting
FCGI_PARAM records was not handling cases of full buffer in a consistent
way. The issue was quite limited, but the "http-send-name-header" option could
be silently ignored. The issue was fixed by reworking this function.

The scheme-based normalization was fixed to properly handle the case of OPTIONS
requests. As stated in RFC9110#4.2.3, when the scheme-based normalization is
performed, an empty path must be normalized to "/", except for OPTIONS requests.

Finally, a memory leak on an error path (tools) and other minor issues were also
fixed.

For more details, see the announcement:
https://www.mail-archive.com/haproxy@formilux.org/msg47059.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/haproxy/haproxy.hash | 4 ++--
package/haproxy/haproxy.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash
index 5c644356a6..6bb5dda804 100644
--- a/package/haproxy/haproxy.hash
+++ b/package/haproxy/haproxy.hash
@@ -1,5 +1,5 @@
-# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.25.tar.gz.sha256
-sha256 d861cacbe2ed51ae8ad5fa9ee5165b4e5e2bccaa5b9e04324711761d7d946be9 haproxy-2.6.25.tar.gz
+# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.27.tar.gz.sha256
+sha256 ccdaf08e8653f9651992212b51af0b5513c2e2cf0cd822ca67c94cffe10386a6 haproxy-2.6.27.tar.gz
# Locally computed:
sha256 0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28 LICENSE
sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a doc/lgpl.txt
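Review bot: the new sha256 line is taken from the upstream .sha256 file fetched over plain http (the "# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.27.tar.gz.sha256" comment), so it only proves the tarball matched what the same origin served at that moment over an unauthenticated channel; before committing, cross-check the value against the 2.6.27 announcement linked in the commit message or a second source, and if haproxy.org serves https, prefer an https URL in the comment (and in HAPROXY_SITE in haproxy.mk) so the download itself is not trivially tamperable in transit.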
diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk
index a22c8b38ce..cf1484243c 100644
--- a/package/haproxy/haproxy.mk
+++ b/package/haproxy/haproxy.mk
@@ -5,7 +5,7 @@
################################################################################
HAPROXY_VERSION_MAJOR = 2.6
-HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).25
+HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).27
HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src
HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions
HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt
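Review bot: the commit subject says "bump version to 6.2.27" but this hunk sets HAPROXY_VERSION to $(HAPROXY_VERSION_MAJOR).27 with HAPROXY_VERSION_MAJOR = 2.6, i.e. 2.6.27 (the "For 6.2.26:" and "For 6.2.27:" headings in the body have the same transposition); fix the subject and headings before merge so the git log matches the packaged version. The version line itself is consistent with the hash-file update (2.6.25 to 2.6.27, with 2.6.26 skipped and both releases described in the message), and HAPROXY_SITE is still fetched over http://, which is why the sha256 in haproxy.hash is the only integrity check for this download.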
--
2.47.3
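The FCGI bullet above describes a 16-bit content_length field that silently truncated lengths above 65535 bytes, letting the tail of an oversized body be parsed by PHP-FPM as new records. The following is an added example, not HAProxy code and not from this patch, that builds FastCGI record headers (8-byte layout from the FastCGI 1.0 spec, section 3.3) two ways: a deliberately defective writer that narrows the length to 16 bits, and a writer that splits the payload into records of at most 65535 bytes. A simple walker then reads the resulting byte stream the way a server that trusts each header's length would, so the misparse is visible. All names (fcgi_emit_truncating, fcgi_emit_split, fcgi_walk, demo_*) and the 70000-byte all-'A' body are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FCGI_VERSION_1   1
#define FCGI_STDIN       5
#define FCGI_HEADER_LEN  8
#define FCGI_MAX_CONTENT 65535u   /* contentLength is a 16-bit field (FastCGI 1.0, 3.3) */

/* Serialise one record header; the caller guarantees clen <= 65535. */
static void fcgi_put_header(uint8_t *h, uint8_t type, uint16_t req_id, uint16_t clen)
{
    h[0] = FCGI_VERSION_1;          h[1] = type;
    h[2] = (uint8_t)(req_id >> 8);  h[3] = (uint8_t)req_id;
    h[4] = (uint8_t)(clen >> 8);    h[5] = (uint8_t)clen;
    h[6] = 0;                       h[7] = 0;   /* paddingLength, reserved */
}

/* Defective shape (kept on purpose as the "before"): the header advertises
 * len narrowed to 16 bits while all len bytes are still appended. */
size_t fcgi_emit_truncating(uint8_t type, uint16_t req_id, const uint8_t *data,
                            size_t len, uint8_t *out, size_t cap)
{
    if (cap < FCGI_HEADER_LEN + len) return 0;
    fcgi_put_header(out, type, req_id, (uint16_t)len);   /* 70000 becomes 4464 */
    memcpy(out + FCGI_HEADER_LEN, data, len);
    return FCGI_HEADER_LEN + len;
}

/* Hardened writer: as many records as needed, each header describing exactly
 * the bytes that follow it. Returns bytes written, 0 if cap is too small. */
size_t fcgi_emit_split(uint8_t type, uint16_t req_id, const uint8_t *data,
                       size_t len, uint8_t *out, size_t cap)
{
    size_t off = 0, pos = 0;
    do {
        size_t clen = len - pos < FCGI_MAX_CONTENT ? len - pos : FCGI_MAX_CONTENT;
        if (cap - off < FCGI_HEADER_LEN + clen) return 0;
        fcgi_put_header(out + off, type, req_id, (uint16_t)clen);
        memcpy(out + off + FCGI_HEADER_LEN, data + pos, clen);
        off += FCGI_HEADER_LEN + clen;
        pos += clen;
    } while (pos < len);
    return off;
}

/* Walk the stream as a FastCGI server would: trust contentLength and
 * paddingLength from each header to find the next record. Returns the number
 * of complete records; *misparsed counts records whose version byte is not 1,
 * i.e. payload bytes that were consumed as record headers. */
int fcgi_walk(const uint8_t *buf, size_t len, int *misparsed)
{
    int count = 0;
    size_t off = 0;
    *misparsed = 0;
    while (len - off >= FCGI_HEADER_LEN) {
        size_t clen  = ((size_t)buf[off + 4] << 8) | buf[off + 5];
        size_t plen  = buf[off + 6];
        size_t total = FCGI_HEADER_LEN + clen + plen;
        if (len - off < total) break;     /* incomplete: a server would wait for more */
        if (buf[off] != FCGI_VERSION_1) (*misparsed)++;
        count++;
        off += total;
    }
    return count;
}

/* Constructed body (not real traffic): 70000 bytes of 'A', more than one
 * record can carry, so the truncating writer advertises 70000 & 0xFFFF = 4464. */
#define DEMO_BODY_LEN 70000u

static int demo(int use_split, int *misparsed)
{
    size_t cap = DEMO_BODY_LEN + 4 * FCGI_HEADER_LEN;
    uint8_t *body = malloc(DEMO_BODY_LEN);
    uint8_t *out = malloc(cap);
    *misparsed = -1;
    if (!body || !out) { free(body); free(out); return -1; }
    memset(body, 'A', DEMO_BODY_LEN);
    size_t n = use_split ? fcgi_emit_split(FCGI_STDIN, 1, body, DEMO_BODY_LEN, out, cap)
                         : fcgi_emit_truncating(FCGI_STDIN, 1, body, DEMO_BODY_LEN, out, cap);
    int count = n ? fcgi_walk(out, n, misparsed) : -1;
    free(body); free(out);
    return count;
}

/* Plain-value wrappers: record count and misparsed-header count seen by the walker. */
int demo_record_count(int use_split)    { int m; return demo(use_split, &m); }
int demo_misparsed_count(int use_split) { int m; demo(use_split, &m); return m; }
```

With the split writer the walker sees exactly the two records that were sent. With the truncating writer it sees the first 4464 bytes as one record and then keeps reading 'A' bytes as headers (version 0x41, length 0x4141, padding 0x41), which is the point at which attacker-controlled body bytes start to be interpreted as protocol; a real server would accept those "records" as new parameters or stdin for the request.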
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
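Two bullets in the 6.2.26 list concern the same class of bug: the SPOE decode_varint() had no iteration cap, and the QPACK varint decoder risked a 1-byte out-of-bounds read on truncated streams and is now limited to 62 bits. The following is an added example, not HAProxy code and not from this patch, showing the discipline that prevents both: a decoder for the HPACK/QPACK prefixed-integer form (RFC 7541, section 5.1) that checks the buffer length before every byte, caps the accepted value at 2^62-1 (the bound QPACK, RFC 9204 section 4.1.1, requires decoders to support) and reports "truncated" rather than peeking past the end. SPOE's own varint uses a different byte layout, which is not reproduced here; the length and accumulator checks apply in the same way. The pint_* names, the enum and the sample byte strings are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of a decode attempt; "need more bytes" must be a reportable state. */
enum pint_status { PINT_OK = 0, PINT_TRUNCATED, PINT_OVERFLOW, PINT_BAD_PREFIX };

/* Largest accepted value: QPACK (RFC 9204, 4.1.1) requires support for
 * integers up to 62 bits, so anything wider is rejected as garbage. */
#define PINT_MAX_VALUE ((UINT64_C(1) << 62) - 1)

/* Decode an HPACK/QPACK prefixed integer (RFC 7541, 5.1) from buf[0..len).
 * 'prefix' is the number of value bits in the first byte (1..8). Each byte is
 * checked against len before it is read and each 7-bit group is checked
 * against PINT_MAX_VALUE before it is added, so a truncated stream cannot
 * cause an out-of-bounds read and a run of continuation bytes cannot wrap
 * the accumulator or shift past 64 bits. */
enum pint_status pint_decode(const uint8_t *buf, size_t len, unsigned prefix,
                             uint64_t *out, size_t *consumed)
{
    if (prefix < 1 || prefix > 8)
        return PINT_BAD_PREFIX;
    if (len == 0)
        return PINT_TRUNCATED;

    uint64_t mask = (UINT64_C(1) << prefix) - 1;
    uint64_t value = buf[0] & mask;
    size_t pos = 1;

    if (value < mask) {                 /* fits in the prefix bits: one byte */
        *out = value;
        *consumed = pos;
        return PINT_OK;
    }
    for (unsigned shift = 0;; shift += 7) {
        if (pos >= len)                 /* would be the 1-byte OOB read: stop instead */
            return PINT_TRUNCATED;
        uint8_t b = buf[pos++];
        if (shift > 56)                 /* a 10th group cannot fit in 62 bits */
            return PINT_OVERFLOW;
        uint64_t add = (uint64_t)(b & 0x7F) << shift;
        if (add > PINT_MAX_VALUE - value)
            return PINT_OVERFLOW;
        value += add;
        if (!(b & 0x80))
            break;
    }
    *out = value;
    *consumed = pos;
    return PINT_OK;
}

/* Encoder (RFC 7541, 5.1) used to build inputs; it does not enforce the
 * 62-bit cap on purpose, so oversized values reach the decoder. */
size_t pint_encode(uint64_t value, unsigned prefix, uint8_t *out, size_t cap)
{
    uint64_t mask = (UINT64_C(1) << prefix) - 1;
    size_t n = 0;
    if (cap == 0)
        return 0;
    if (value < mask) {
        out[n++] = (uint8_t)value;
        return n;
    }
    out[n++] = (uint8_t)mask;
    value -= mask;
    while (value >= 128) {
        if (n >= cap) return 0;
        out[n++] = (uint8_t)((value & 0x7F) | 0x80);
        value >>= 7;
    }
    if (n >= cap) return 0;
    out[n++] = (uint8_t)value;
    return n;
}

/* Wrappers returning plain values for checking. */
enum pint_status pint_status_of(const uint8_t *buf, size_t len, unsigned prefix)
{
    uint64_t v = 0; size_t c = 0;
    return pint_decode(buf, len, prefix, &v, &c);
}
/* 1 if buf decodes cleanly to 'expect' consuming exactly len bytes. */
int pint_decodes_to(const uint8_t *buf, size_t len, unsigned prefix, uint64_t expect)
{
    uint64_t v = 0; size_t c = 0;
    return pint_decode(buf, len, prefix, &v, &c) == PINT_OK && v == expect && c == len;
}
/* Encode then decode an arbitrary value and report the decoder's verdict. */
enum pint_status pint_roundtrip_status(uint64_t value, unsigned prefix)
{
    uint8_t tmp[16];
    size_t n = pint_encode(value, prefix, tmp, sizeof tmp);
    return n ? pint_status_of(tmp, n, prefix) : PINT_BAD_PREFIX;
}

/* Constructed inputs (not captured traffic), all with a 5-bit prefix: */
static const uint8_t SAMPLE_1337[] = { 0x1F, 0x9A, 0x0A };   /* RFC 7541, C.1.2 */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x1F, 0x9A };    /* final byte missing */
static const uint8_t SAMPLE_RUNAWAY[] = { 0x1F, 0x80, 0x80, 0x80, 0x80, 0x80,
                                          0x80, 0x80, 0x80, 0x80, 0x80 }; /* never terminates */
```

The two failure modes on the page map onto two separate checks: the pos >= len test before each read is what turns a truncated stream into PINT_TRUNCATED instead of a read of buf[len], and the shift cap plus the "add > PINT_MAX_VALUE - value" test is what bounds the loop regardless of how many continuation bytes the peer sends. A decoder that only checks one of them is still exploitable through the other.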
Thread overview: 3+ messages
2026-05-04 16:09 Peter Korsgaard [this message]
2026-05-04 17:11 ` [Buildroot] [PATCH] package/haproxy: bump version to 6.2.27 Julien Olivain via buildroot
2026-05-15 17:46 ` Thomas Perale via buildroot