[Buildroot] [PATCH] package/haproxy: bump version to 6.2.27

[Buildroot] [PATCH] package/haproxy: bump version to 6.2.27

[Peter Korsgaard]

Bugfix release with large number of (security) fixes.

For 6.2.26:

- a severe issue was found in the compression library (slz) where
    specially crafted patterns with tune.bufsize above 17408 or
    tune.maxrewrite below 964 (both non-default) could cause output
    buffer overflows due to the overhead exceeding the promised
    worst-case growth bound of 5 bytes and reach up to 1/16 of the
    input contents. Given that the compression output is hardly
    controllable, and the canaries at the end of the pools will catch
    this at release time, the risk of exploitation by a hostile server
    is close to zero, however it will cause repeated crashes if such a
    crafted file is present on a server and regularly downloaded. A
    workaround consists in keeping tune.maxrewrite at least 1/16 of
    tune.bufsize or just not changing them since the defaults are safe.
    A CVE was requested two weeks ago for this one, I'll mention it when
    it arrives.

  - HTTP/2 incomplete transfer detection was missing for HEADERS frames
    carrying END_STREAM. When relayed to an HTTP/1.1 server that
    responds before the end of the transfer, this can result in bytes
    of the next request over the same connection to be ignored. Most of
    the time it will cause the connection to be dropped due to an
    unparsable request, but when combined with "http-reuse never", or
    on totally idle servers, the client could expect the second request
    to reuse the same connection and perform a content smuggling attack
    that would allow to pass an unverified request to a server. For
    those who can't upgrade, a temporary workaround is to disable
    HTTP/2 by specifying "alpn http/1.1" on bind lines and adding
    "disable-h2-upgrade" in HTTP frontends. A CVE will be requested for
    this one.

  - HTTP/1.1 bodyless messages announcing a non-null Content-Length did
    not force close mode on the backend, potentially causing
    desynchronisation between HAProxy and the server in conjunction
    with other bugs.

  - FCGI record length truncation with large bufsize (>=65544) could
    enable request smuggling into PHP-FPM since the 16-bit
    content_length field silently truncated to 65535 bytes.

  - an unvalidated SNI name_len field in ClientHello could cause OOB
    heap reads of up to 65KB via XXH3, smp_dup(), and log-format leaks
    on any TCP frontend using req.ssl_sni, possibly causing crashes when
    used.

  - ECDSA JWT signatures with ES256/384/512 could cause a heap overflow
    of ~14 bytes in the DER conversion before verification.

  - Lua's httpclient headers conversion accepted more than 101 headers
    without bound checking, causing a stack buffer overflow reachable
    from any Lua action/task/service.

  - peers dictionary cache updates accepted an unvalidated entry id as
    array index, allowing OOB heap writes at attacker-controlled
    offsets.

  - Lua had a use-after-free of HTTP reason strings managed by Lua's GC
    between set_status() and start_response(), potentially leaking
    adjacent information from memory.

  - the regsub sample function could leak ~9-50KB of stale heap data
    when back-reference expansion overflowed the output buffer.

  - SPOE decode_varint() had no iteration cap, allowing pointer
    arithmetic to wrap and dereference memory ~64KB before the
    allocation, causing SIGSEGV or parser confusion.

  - in sample expressions, less common HTTP methods (PATCH etc.) are
    represented by both an enum and a string. The string part was not
    handled correctly in sample duplication functions, resulting in
    their contents appearing empty when trying to fetch the method.

  - QPACK varint decoding is now also limited to 62-bit, and had a risk
    of 1-byte OOB reads on truncated streams, which could cause
    incorrect header decoding.

  - config: a few argument parsing errors in conditional expressions
    used in ".if" could be misreported and even cause a crash during
    the parsing. Also, a few keywords relying on warnif_misplaced_*
    didn't check the return value and didn't count emitted warnings as
    warnings.

For more details, see the announcement:
https://www.mail-archive.com/haproxy@formilux.org/msg47016.html

For 6.2.27:

A major issue were fixed by this release. It was related to the scheme-based
normalization. The presence of commas in Host header and authority was permitted
and would be used to compare the values, which then would differ when read via
hdr(host) which splits them on commas, and under certain circumstances, trigger
crashes (at least it did in the OSS-Fuzz environment when injecting the values
directly at the HTX layer). The issue was fixed.  Remains the case of the comma
characters in authorities. Even though the spec permits commas in authorities
(not in domain names), there is currently no use case for this and it causes an
ambiguity with the historical use of hdr(host), so we preferred to just deny
them. The change was performed on the 3.4-dev10 and postponed for the next 3.3
release. It will probably be backported to lower versions too.

An issue in the FCGI multiplexer was fixed. The function responsible to emit
FCGI_PARAM records was not handling cases of full buffer in a consistent
way. The issue was quite limited, but the "http-send-name-header" option could
be silently ignored. The issue was fixed by reworking this function.

The scheme-based normalization was fixed to properly handle case of OPTIONS
requests. As stated in RFC9110#4.2.3, when the scheme-based normalization is
performed, an empty path must be normalized to "/", except for OPTIONS request.

Finally, a memory leak on error path (tools) and other minor issues were also
fixed.

For more details, see the announcement:
https://www.mail-archive.com/haproxy@formilux.org/msg47059.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/haproxy/haproxy.hash | 4 ++--
 package/haproxy/haproxy.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash
index 5c644356a6..6bb5dda804 100644
--- a/package/haproxy/haproxy.hash
+++ b/package/haproxy/haproxy.hash
@@ -1,5 +1,5 @@
-# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.25.tar.gz.sha256
-sha256  d861cacbe2ed51ae8ad5fa9ee5165b4e5e2bccaa5b9e04324711761d7d946be9  haproxy-2.6.25.tar.gz
+# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.27.tar.gz.sha256
+sha256  ccdaf08e8653f9651992212b51af0b5513c2e2cf0cd822ca67c94cffe10386a6  haproxy-2.6.27.tar.gz
 # Locally computed:
 sha256  0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28  LICENSE
 sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  doc/lgpl.txt
diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk
index a22c8b38ce..cf1484243c 100644
--- a/package/haproxy/haproxy.mk
+++ b/package/haproxy/haproxy.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 HAPROXY_VERSION_MAJOR = 2.6
-HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).25
+HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).27
 HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src
 HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions
 HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/haproxy: bump version to 6.2.27

[Julien Olivain via buildroot]

On 04/05/2026 18:09, Peter Korsgaard wrote:
> Bugfix release with large number of (security) fixes.
[...]
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/haproxy: bump version to 6.2.27

[Thomas Perale via buildroot]

In reply of:
> Bugfix release with large number of (security) fixes.
> 
> For 6.2.26:
> 
> - a severe issue was found in the compression library (slz) where
>     specially crafted patterns with tune.bufsize above 17408 or
>     tune.maxrewrite below 964 (both non-default) could cause output
>     buffer overflows due to the overhead exceeding the promised
>     worst-case growth bound of 5 bytes and reach up to 1/16 of the
>     input contents. Given that the compression output is hardly
>     controllable, and the canaries at the end of the pools will catch
>     this at release time, the risk of exploitation by a hostile server
>     is close to zero, however it will cause repeated crashes if such a
>     crafted file is present on a server and regularly downloaded. A
>     workaround consists in keeping tune.maxrewrite at least 1/16 of
>     tune.bufsize or just not changing them since the defaults are safe.
>     A CVE was requested two weeks ago for this one, I'll mention it when
>     it arrives.
> 
>   - HTTP/2 incomplete transfer detection was missing for HEADERS frames
>     carrying END_STREAM. When relayed to an HTTP/1.1 server that
>     responds before the end of the transfer, this can result in bytes
>     of the next request over the same connection to be ignored. Most of
>     the time it will cause the connection to be dropped due to an
>     unparsable request, but when combined with "http-reuse never", or
>     on totally idle servers, the client could expect the second request
>     to reuse the same connection and perform a content smuggling attack
>     that would allow to pass an unverified request to a server. For
>     those who can't upgrade, a temporary workaround is to disable
>     HTTP/2 by specifying "alpn http/1.1" on bind lines and adding
>     "disable-h2-upgrade" in HTTP frontends. A CVE will be requested for
>     this one.
> 
>   - HTTP/1.1 bodyless messages announcing a non-null Content-Length did
>     not force close mode on the backend, potentially causing
>     desynchronisation between HAProxy and the server in conjunction
>     with other bugs.
> 
>   - FCGI record length truncation with large bufsize (>=65544) could
>     enable request smuggling into PHP-FPM since the 16-bit
>     content_length field silently truncated to 65535 bytes.
> 
>   - an unvalidated SNI name_len field in ClientHello could cause OOB
>     heap reads of up to 65KB via XXH3, smp_dup(), and log-format leaks
>     on any TCP frontend using req.ssl_sni, possibly causing crashes when
>     used.
> 
>   - ECDSA JWT signatures with ES256/384/512 could cause a heap overflow
>     of ~14 bytes in the DER conversion before verification.
> 
>   - Lua's httpclient headers conversion accepted more than 101 headers
>     without bound checking, causing a stack buffer overflow reachable
>     from any Lua action/task/service.
> 
>   - peers dictionary cache updates accepted an unvalidated entry id as
>     array index, allowing OOB heap writes at attacker-controlled
>     offsets.
> 
>   - Lua had a use-after-free of HTTP reason strings managed by Lua's GC
>     between set_status() and start_response(), potentially leaking
>     adjacent information from memory.
> 
>   - the regsub sample function could leak ~9-50KB of stale heap data
>     when back-reference expansion overflowed the output buffer.
> 
>   - SPOE decode_varint() had no iteration cap, allowing pointer
>     arithmetic to wrap and dereference memory ~64KB before the
>     allocation, causing SIGSEGV or parser confusion.
> 
>   - in sample expressions, less common HTTP methods (PATCH etc.) are
>     represented by both an enum and a string. The string part was not
>     handled correctly in sample duplication functions, resulting in
>     their contents appearing empty when trying to fetch the method.
> 
>   - QPACK varint decoding is now also limited to 62-bit, and had a risk
>     of 1-byte OOB reads on truncated streams, which could cause
>     incorrect header decoding.
> 
>   - config: a few argument parsing errors in conditional expressions
>     used in ".if" could be misreported and even cause a crash during
>     the parsing. Also, a few keywords relying on warnif_misplaced_*
>     didn't check the return value and didn't count emitted warnings as
>     warnings.
> 
> For more details, see the announcement:
> https://www.mail-archive.com/haproxy@formilux.org/msg47016.html
> 
> For 6.2.27:
> 
> A major issue were fixed by this release. It was related to the scheme-based
> normalization. The presence of commas in Host header and authority was permitted
> and would be used to compare the values, which then would differ when read via
> hdr(host) which splits them on commas, and under certain circumstances, trigger
> crashes (at least it did in the OSS-Fuzz environment when injecting the values
> directly at the HTX layer). The issue was fixed.  Remains the case of the comma
> characters in authorities. Even though the spec permits commas in authorities
> (not in domain names), there is currently no use case for this and it causes an
> ambiguity with the historical use of hdr(host), so we preferred to just deny
> them. The change was performed on the 3.4-dev10 and postponed for the next 3.3
> release. It will probably be backported to lower versions too.
> 
> An issue in the FCGI multiplexer was fixed. The function responsible to emit
> FCGI_PARAM records was not handling cases of full buffer in a consistent
> way. The issue was quite limited, but the "http-send-name-header" option could
> be silently ignored. The issue was fixed by reworking this function.
> 
> The scheme-based normalization was fixed to properly handle case of OPTIONS
> requests. As stated in RFC9110#4.2.3, when the scheme-based normalization is
> performed, an empty path must be normalized to "/", except for OPTIONS request.
> 
> Finally, a memory leak on error path (tools) and other minor issues were also
> fixed.
> 
> For more details, see the announcement:
> https://www.mail-archive.com/haproxy@formilux.org/msg47059.html
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
>  package/haproxy/haproxy.hash | 4 ++--
>  package/haproxy/haproxy.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash
> index 5c644356a6..6bb5dda804 100644
> --- a/package/haproxy/haproxy.hash
> +++ b/package/haproxy/haproxy.hash
> @@ -1,5 +1,5 @@
> -# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.25.tar.gz.sha256
> -sha256  d861cacbe2ed51ae8ad5fa9ee5165b4e5e2bccaa5b9e04324711761d7d946be9  haproxy-2.6.25.tar.gz
> +# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.27.tar.gz.sha256
> +sha256  ccdaf08e8653f9651992212b51af0b5513c2e2cf0cd822ca67c94cffe10386a6  haproxy-2.6.27.tar.gz
>  # Locally computed:
>  sha256  0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28  LICENSE
>  sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  doc/lgpl.txt
> diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk
> index a22c8b38ce..cf1484243c 100644
> --- a/package/haproxy/haproxy.mk
> +++ b/package/haproxy/haproxy.mk
> @@ -5,7 +5,7 @@
>  ################################################################################
>  
>  HAPROXY_VERSION_MAJOR = 2.6
> -HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).25
> +HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).27
>  HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src
>  HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions
>  HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot