Your message dated Sat, 11 Oct 2025 12:14:41 +0100
with message-id <aOo8IY1m3CUoeSaN@???>
and subject line Upstream fix now in Debian
has caused the Devuan bug report #863,
regarding haproxy forward upgrade and connection headers as default (h2c request smuggling)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@???
immediately.)
--
863:
https://bugs.devuan.org/cgi/bugreport.cgi?bug=863
Devuan Bug Tracking System
Contact owner@??? with problems
Package: haproxy
Version: 2.6.12-1
Suggest fixing this default forwarding.
-------- Forwarded Message --------
Subject: Re: CVE request: headers forward can lead to h2c request smuggling (fwd)
Date: Mon, 28 Oct 2024 07:08:40 +0100
From: Willy TARREAU <wtarreau@???>
To: bUst4gr0@???
Hello,
Thanks for contacting us!
> I did a CVE request about HAProxy and the default forwarding of the headers
> Upgrade and Connection, which can lead to an h2c request smuggling or a
> WebSocket smuggling.
>
> The CVE request is just about h2c (over cleartext); I didn't PoC
> enough for the WebSocket smuggling.
>
> I'd appreciate talking about this with you.
I guess you're speaking about this commit:
7b89aa5b19 ("BUG/MINOR: h1: do not forward h2c upgrade header token")
If so, it's already backported for next stable releases:
3.0: cba44958ae
2.9: cf31943d74
If not, do not hesitate to share details about your concerns.
Thanks,
Willy

Version: 3.0.9-1
Closing.
Mark
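The issue behind this bug is that a reverse proxy which passes a client's `Upgrade: h2c` and `Connection: Upgrade, HTTP2-Settings` headers through to the backend lets the backend switch that connection to cleartext HTTP/2; from then on the proxy only relays bytes, and any further requests on the connection bypass its ACLs, header rewrites and logging. The following is an added example, not HAProxy's code: it models the behaviour named in the commit title "do not forward h2c upgrade header token" as a small header sanitizer. The exact handling of the `HTTP2-Settings` header and of the `Connection` tokens is an assumption of this example, not a description of the upstream patch, and the sample request is constructed.

```python
"""Strip the h2c upgrade token from a proxied HTTP/1.1 request.

Added example modelled on the HAProxy commit title "do not forward h2c
upgrade header token". Not HAProxy code; header handling beyond dropping
the token itself is this example's own assumption.
"""

from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample request, as a proxy would receive it from a client.
# A backend that honours it replies "101 Switching Protocols" and the
# connection becomes HTTP/2 cleartext, opaque to the proxy.
CLIENT_REQUEST = (
    b"GET /public HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Upgrade: h2c\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 request head into request line and header list."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def serialize_request(request_line: str, headers: List[Header]) -> bytes:
    out = request_line + "\r\n"
    out += "".join(f"{n}: {v}\r\n" for n, v in headers)
    return (out + "\r\n").encode("latin-1")


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into stripped, non-empty tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def is_h2c_upgrade(headers: List[Header]) -> bool:
    """Detection check: does any Upgrade header carry the h2c token?"""
    return any(
        n.lower() == "upgrade" and any(t.lower() == "h2c" for t in _tokens(v))
        for n, v in headers
    )


def strip_h2c_upgrade(headers: List[Header]) -> List[Header]:
    """Remove the h2c token from Upgrade before forwarding.

    Other upgrade tokens (e.g. websocket) are kept. If no upgrade token
    remains, the Upgrade header is dropped and the matching "Upgrade"
    token is removed from Connection. HTTP2-Settings, which only exists
    for an h2c upgrade, is dropped from both places. These extra steps
    are this example's assumption, not the upstream patch.
    """
    remaining: List[str] = []
    for n, v in headers:
        if n.lower() == "upgrade":
            remaining += [t for t in _tokens(v) if t.lower() != "h2c"]
    keep_upgrade = bool(remaining)

    out: List[Header] = []
    upgrade_emitted = False
    for n, v in headers:
        lname = n.lower()
        if lname == "upgrade":
            if keep_upgrade and not upgrade_emitted:
                out.append((n, ", ".join(remaining)))
                upgrade_emitted = True
            continue
        if lname == "http2-settings":
            continue
        if lname == "connection":
            toks = [
                t for t in _tokens(v)
                if t.lower() != "http2-settings"
                and not (t.lower() == "upgrade" and not keep_upgrade)
            ]
            if toks:
                out.append((n, ", ".join(toks)))
            continue
        out.append((n, v))
    return out


def forward_request(raw: bytes) -> bytes:
    """What the proxy would send to the backend after sanitizing."""
    request_line, headers = parse_request(raw)
    return serialize_request(request_line, strip_h2c_upgrade(headers))


if __name__ == "__main__":
    print("received from client:\n", CLIENT_REQUEST.decode())
    print("h2c upgrade attempted:", is_h2c_upgrade(parse_request(CLIENT_REQUEST)[1]))
    print("forwarded to backend:\n", forward_request(CLIENT_REQUEST).decode())
```

The point of keeping non-h2c tokens is the WebSocket case mentioned in the report: `Upgrade: websocket` must still reach the backend or WebSocket applications break, so the sanitizer removes only the h2c token rather than refusing all upgrades.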