Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Willy Tarreau
On Mon, Oct 16, 2023 at 08:33:51PM +0200, Aleksandar Lazic wrote: > > On 2023-10-16 (Mo.) 20:12, Lukas Tribus wrote: > > On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote: > > > > > > > > > > > > On 2023-10-16 (Mo.) 19:29, ??? wrote: > > > > Does 1.8 support http/2? > > > > > > No

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic
On 2023-10-16 (Mo.) 20:12, Lukas Tribus wrote: On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote: On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote: Does 1.8 support http/2? No. Actually haproxy 1.8 supports H2 (without implementing HTX), as per the documentation and announcements: ht

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic
Hi . On 2023-10-16 (Mo.) 19:55, Ryan O'Hara wrote: I wondered exactly the same thing, but then saw this on the haproxy.org website: "version 1.8 : multi-threading, HTTP/2, cache, on-the fly server addition/removal, seamless reloads, DNS SRV, hardware SSL engines, ..." I know that haproxy-1.

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Lukas Tribus
On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote: > > > > On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote: > > Does 1.8 support http/2? > > No. Actually haproxy 1.8 supports H2 (without implementing HTX), as per the documentation and announcements: https://www.mail-archive.com/haproxy@formilux

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Ryan O'Hara
I wondered exactly the same thing, but then saw this on the haproxy.org website: "version 1.8 : multi-threading, HTTP/2, cache, on-the fly server addition/removal, seamless reloads, DNS SRV, hardware SSL engines, ..." I know that haproxy-1.9 added end-to-end HTTP/2, so is that the determining fac

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic
On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote: Does 1.8 support http/2? No. On Mon, Oct 16, 2023, 18:58 Ryan O'Hara > wrote: Hi all. I read the most recently HAProxy Newsletter, specifically the article "HAProxy is Not Affected by the HTTP/2 Rapid Re

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Илья Шипицин
Does 1.8 support http/2? On Mon, Oct 16, 2023, 18:58 Ryan O'Hara wrote: > Hi all. > > I read the most recently HAProxy Newsletter, specifically the article "HAProxy > is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick Ramirez [1]. A > This article states that HAProxy versions 1.9 and late

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic
Hi Ryan. On 2023-10-16 (Mo.) 17:49, Ryan O'Hara wrote: Hi all. I read the most recently HAProxy Newsletter, specifically the article "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick Ramirez [1]. A This article states that HAProxy versions 1.9 and later are *not* affetced, w

CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Ryan O'Hara
Hi all. I read the most recently HAProxy Newsletter, specifically the article "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick Ramirez [1]. A This article states that HAProxy versions 1.9 and later are *not* affetced, which is great. This implies that haproxy-1.8 *is* affected, b