Debian Patches
Status for haproxy/3.0.11-1+deb13u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-BUG-CRITICAL-mjson-fix-possible-DoS-when-parsing-num.patch | BUG/CRITICAL: mjson: fix possible DoS when parsing numbers Mjson comes with its own strtod() implementation for portability reasons and probably also because many generic strtod() versions as provided by operating systems do not focus on resource preservation and may call malloc(), which is not welcome in a parser. The strtod() implementation used here apparently originally comes from https://gist.github.com/mattn/1890186 and seems to have purposely omitted a few parts that were considered as not needed in this context (e.g. skipping white spaces, or setting errno). But when subject to the relevant test cases of the designated file above, the current function provides the same results. The aforementioned implementation uses pow() to calculate exponents, but mjson authors visibly preferred not to introduce a libm dependency and replaced it with an iterative loop in O(exp) time. The problem is that the exponent is not bounded and that this loop can take a huge amount of time. There's even an issue already opened on mjson about haproxy, fortunately, the watchdog will quickly stop a runaway process but this remains a possible denial of service. A first approach would consist in reintroducing pow() like in the original implementation, but if haproxy is built without Lua nor 51Degrees, -lm is not used so this will not work everywhere. Anyway here we're dealing with integer exponents, so an easy alternate approach consists in simply using shifts and squares, to compute the exponent in O(log(exp)) time. Not only it doesn't introduce any new dependency, but it turns out to be even faster than the generic pow() (85k req/s per core vs 83.5k on the same machine). This must be backported as far as 2.4, where mjson was introduced. Many thanks to Oula Kivalo for reporting this issue. |
Willy Tarreau <w@1wt.eu> | no | 2025-09-29 | ||
| reproducible.patch | diff --git a/Makefile b/Makefile index 566bdb26a3e7..8603dea25c21 100644 |
no | ||||
| cross.patch | no | |||||
| haproxy.service-start-after-syslog.patch | Start after rsyslog.service As HAProxy is running chrooted by default, we rely on an additional syslog socket created by rsyslog inside the chroot for logging. As this socket cannot trigger syslog activation, we explicitly order HAProxy after rsyslog.service. Note that we are not using syslog.service here, since the additional socket is rsyslog-specific. |
Apollon Oikonomopoulos <apoikos@debian.org> | no | 2017-12-01 | ||
| haproxy.service-add-documentation.patch | Add documentation field to the systemd unit | Debian HAProxy Maintainers | no | 2014-01-03 | ||
| haproxy.service-make-systemd-bind-dev-log-inside-chroot.patch | haproxy.service: make systemd bind /dev/log inside chroot This enables logging to work without rsyslog being present. |
Vincent Bernat <bernat@debian.org> | no | 2021-11-25 |
All known versions for source package 'haproxy'
- 3.2.6-1 (sid, forky)
- 3.0.11-1+deb13u1 (trixie-proposed-updates, trixie-security)
- 3.0.11-1 (trixie)
- 2.6.12-1+deb12u3 (bookworm-security)
- 2.6.12-1+deb12u2 (bookworm)