Hi.

On 2023-10-16 (Mo.) 19:55, Ryan O'Hara wrote:
> I wondered exactly the same thing, but then saw this on the haproxy.org website:
>
> "version 1.8 : multi-threading, HTTP/2, cache, on-the fly server addition/removal, seamless reloads, DNS SRV, hardware SSL engines, ..."
>
> I know that haproxy-1.9 added end-to-end HTTP/2, so is that the determining factor here? Many thanks.

Oh, you are right. 1.8 was the first one with mux_h2.c in the tree. This was the first version with some first steps into the HTTP/2 world. From my point of view, the statements from the HAProxy.com blog are quite accurate about why 1.8 is not affected by that CVE.

> Ryan

Regards
Alex

On Mon, Oct 16, 2023 at 12:41 PM Aleksandar Lazic <al-hapr...@none.at> wrote:

    On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
     > Does 1.8 support http/2?

    No.

     > On Mon, Oct 16, 2023, 18:58 Ryan O'Hara <roh...@redhat.com> wrote:
     >
     >     Hi all.
     >
     >     I read the most recent HAProxy Newsletter, specifically the
     >     article "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack"
     >     by Nick Ramirez [1]. This article states that HAProxy versions 1.9
     >     and later are *not* affected, which is great. This implies that
     >     haproxy-1.8 *is* affected, but it also doesn't come right out and
     >     say that. I understand haproxy-1.8 is EOL, but do we know for
     >     certain that haproxy-1.8 is affected or not? Asking for a reason.
     >
     >     And shout-out to Nick for writing such a great article! Thank you, Nick!
     >
     >     Ryan
     >
     >     [1] https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487

