Version in base suite: 1.8.19-1+deb10u1 Base version: haproxy_1.8.19-1+deb10u1 Target version: haproxy_1.8.19-1+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/haproxy/haproxy_1.8.19-1+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/haproxy/haproxy_1.8.19-1+deb10u2.dsc changelog | 7 + patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch | 51 ++++++++++ patches/series | 5 3 files changed, 62 insertions(+), 1 deletion(-) diff: /srv/release.debian.org/tmp/3__5NBznx2/haproxy-1.8.19/reg-tests/lua/common.pem: No such file or directory diff: /srv/release.debian.org/tmp/8p6eIyRt40/haproxy-1.8.19/reg-tests/lua/common.pem: No such file or directory diff -Nru haproxy-1.8.19/debian/changelog haproxy-1.8.19/debian/changelog --- haproxy-1.8.19/debian/changelog 2019-11-27 16:07:57.000000000 +0000 +++ haproxy-1.8.19/debian/changelog 2020-04-01 10:00:13.000000000 +0000 @@ -1,3 +1,10 @@ +haproxy (1.8.19-1+deb10u2) buster-security; urgency=medium + + * Apply one patch to fix an overflow in HTTP/2 header handling. + Fix CVE-2020-11100. + + -- Vincent Bernat Wed, 01 Apr 2020 12:00:13 +0200 + haproxy (1.8.19-1+deb10u1) buster-security; urgency=high * Apply two patches around HTTP/2 header validation allowing an attacker diff -Nru haproxy-1.8.19/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch haproxy-1.8.19/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch --- haproxy-1.8.19/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch 1970-01-01 00:00:00.000000000 +0000 +++ haproxy-1.8.19/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch 2020-04-01 10:00:13.000000000 +0000 
@@ -0,0 +1,51 @@ +From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Sun, 29 Mar 2020 08:53:31 +0200 +Subject: BUG/CRITICAL: hpack: never index a header into the headroom after + wrapping + +The HPACK header table is implemented as a wrapping list inside a contigous +area. Headers names and values are stored from right to left while indexes +are stored from left to right. When there's no more room to store a new one, +we wrap to the right again, or possibly defragment it if needed. The condition +do use the right part (called tailroom) or the left part (called headroom) +depends on the location of the last inserted header. After wrapping happens, +the code forces to stick to tailroom by pretending there's no more headroom, +so that the size fit test always fails. The problem is that nothing prevents +from storing a header with an empty name and empty value, resulting in a +total size of zero bytes, which satisfies the condition to use the headroom. +Doing this in a wrapped buffer results in changing the "front" header index +and causing miscalculations on the available size and the addresses of the +next headers. This may even allow to overwrite some parts of the index, +opening the possibility to perform arbitrary writes into a 32-bit relative +address space. + +This patch fixes the issue by making sure the headroom is considered only +when the buffer does not wrap, instead of relying on the zero size. This +must be backported to all versions supporting H2, which is as far as 1.8. + +Many thanks to Felix Wilhelm of Google Project Zero for responsibly +reporting this problem with a reproducer and a detailed analysis. 
+--- + src/hpack-tbl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c +index 70d7f35834..727ff7a17b 100644 +--- a/src/hpack-tbl.c ++++ b/src/hpack-tbl.c +@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value) + * room left in the tail to suit the protocol, but tests show that in + * practice it almost never happens in other situations so the extra + * test is useless and we simply fill the headroom as long as it's +- * available. ++ * available and we don't wrap. + */ +- if (headroom >= name.len + value.len) { ++ if (prev == dht->front && headroom >= name.len + value.len) { + /* install upfront and update ->front */ + dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len); + dht->front = head; +-- +2.20.1 + diff -Nru haproxy-1.8.19/debian/patches/series haproxy-1.8.19/debian/patches/series --- haproxy-1.8.19/debian/patches/series 2019-11-27 16:07:57.000000000 +0000 +++ haproxy-1.8.19/debian/patches/series 2020-04-01 10:00:13.000000000 +0000 @@ -3,10 +3,13 @@ haproxy.service-add-documentation.patch haproxy.service-use-environment-variables.patch -# 20191125 security issue (no CVE) about HTTP/2 header validation +# 20191125 security issue (CVE-2019-19330) about HTTP/2 header validation 0001-MINOR-ist-add-ist_find_ctl.patch 0002-BUG-MAJOR-h2-reject-header-values-containing-invalid.patch 0003-BUG-MAJOR-h2-make-header-field-name-filtering-strong.patch +# 20200402 security issue (no CVE) about HTTP/2 HPACK header table +0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch + # applied during the build process: # debianize-dconv.patch
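Review bot: the changelog hunk sets urgency=medium for a fix that the embedded patch itself labels BUG/CRITICAL and describes as allowing arbitrary writes into a 32-bit relative address space, while the preceding 1.8.19-1+deb10u1 entry for the HTTP/2 header-validation issue used urgency=high; consider urgency=high for consistency. The entry text "an overflow in HTTP/2 header handling" could also name the HPACK dynamic header table, as the patch subject does, so that users triaging the CVE can match it to the component.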
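Review bot: in the hpack_dht_insert hunk the new guard `if (prev == dht->front && headroom >= name.len + value.len)` makes the headroom path depend on `prev`, which is defined outside the visible context; please confirm that `prev` is the index of the most recently inserted entry so that `prev == dht->front` really means "the table has not wrapped", and spell that out in the comment instead of the shorter "and we don't wrap". Since the commit message explains that the zero-size case (empty name and empty value) is what slipped past the old `headroom >= name.len + value.len` test after wrapping, a regression test that inserts such a header into an already-wrapped table would pin this fix down.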
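Review bot: the series hunk adds the comment `# 20200402 security issue (no CVE) about HTTP/2 HPACK header table`, which contradicts the changelog entry in this same upload ("Fix CVE-2020-11100."); name CVE-2020-11100 there, just as the same hunk updates the earlier comment from "no CVE" to CVE-2019-19330. The date prefix 20200402 also does not match the changelog date of 01 Apr 2020.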