Hi,

On Sun, Jan 26, 2020 at 01:00:31PM +0100, Vincent Bernat wrote:
> ❦ 26 January 2020 05:50 +01, Moritz Mühlenhoff <j...@inutil.org>:
>
> >> The logrotate configuration file for HAProxy doesn't signal rsyslog
> >> correctly. Therefore, logs are not really rotated and on a moderately
> >> busy site, this can fill up a log partition. When running with
> >> systemd, rsyslog doesn't write a PID file and therefore, the SysV
> >> init script invoked to rotate logs does not work. Instead, the rsyslog
> >> package provides a helper for this purpose.
> >>
> >> The change has been applied to 2.0.12-1 currently in unstable and
> >> testing. I would like to push it for the next point release next week.
> >
> > If we're doing a Buster update anyway, could we also piggyback the fix
> > for https://nathandavison.com/blog/haproxy-http-request-smuggling
> > (CVE-2019-18277),
> > https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
> > ?
>
> Ack! I have pulled the patch from the 1.8 branch. Here is the updated
> debdiff. It compiles and simple tests pass too. I'll be checking with
> upstream if they have an opinion around this.
>
> diff --git a/debian/changelog b/debian/changelog > index 978702081baa..7139318a49cf 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,12 @@ > +haproxy (1.8.19-1+deb10u1) buster; urgency=medium > + > + * d/logrotate.conf: use rsyslog helper instead of SysV init script. > + Closes: #946973. > + * d/patches: reject messages where "chunked" is missing from > + transfer-encoding. CVE-2019-18277. > + > + -- Vincent Bernat <ber...@debian.org> Sun, 26 Jan 2020 12:54:30 +0100

This needs to be rebased to the 1.8.19-1+deb10u1 which was released as
DSA 4577-1 AFAICT.

Regards,
Salvatore
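Review bot: the new changelog stanza reuses the version 1.8.19-1+deb10u1, which the reply says was already published for buster as DSA 4577-1; the same version cannot be uploaded twice, so the stanza needs the next deb10u revision and the debdiff must be regenerated against that released source rather than against 1.8.19-1. Also, the quoted debdiff contains only the debian/changelog hunk: the d/logrotate.conf change and the d/patches addition for CVE-2019-18277 that the two bullets describe are not in the quoted portion, so neither the rsyslog helper invocation nor the backported "chunked" check can be reviewed from what is shown. For traceability of the backport, consider recording the upstream commit cited earlier in the thread (196a7df44d8129d1adc795da020b722614d6a581, from the 2.0 branch, with the 1.8-branch equivalent that was actually pulled) in the patch header or in the changelog bullet next to the CVE id.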