:: [devuan-dev] bug#863: haproxy forwa…
Top Page
Delete this message
Reply to this message
Author: gr0 bUst4
Date:  
To: submit
Subject: [devuan-dev] bug#863: haproxy forward upgrade and connection headers as default (h2c request smuggling)
Package: haproxy

Version: 2.6.12-1

suggest to fix this default forwarding


-------- Message transféré --------
Sujet :     Re: CVE request: headers forward can lead to h2c request 
smuggling (fwd)
Date :     Mon, 28 Oct 2024 07:08:40 +0100
De :     Willy TARREAU <wtarreau@???>
Pour :     bUst4gr0@???




Hello,

Thanks for contacting us!

> i did a CVE request about HAProxy and the default forward of the headers
> upgrade and connection which can lead to an h2c request smuggling or a
> web-socket smuggling.
>
> The CVE request is just about h2c (over clear text) i didn't POC
> enough for
> the web-socket smuggling.
>
> I'll appreciate to talk about this with you.


I guess you're speaking about this commit:

7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")

If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74

If not, do not hesitate to share details about your concerns.

Thanks,
Willy