package/haproxy: security bump to version 2.4.4

Fixes the following security issues:

- CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in
  the htx_add_header() can be exploited to perform an HTTP request smuggling
  attack, allowing an attacker to bypass all configured http-request HAProxy
  ACLs and possibly other ACLs.

For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

diff --git a/package/haproxy/haproxy.hash b/package/haproxy/haproxy.hash
index 9edf5def0804ee616b819187b45c95209924f31c..3ad5e4ebe8bb242a7215fec55eb7f12bc3437b11 100644 (file)
--- a/package/haproxy/haproxy.hash
+++ b/package/haproxy/haproxy.hash
@@ -1,5 +1,5 @@
-# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.3.tar.gz.sha256
-sha256  ce479380be5464faa881dcd829618931b60130ffeb01c88bc2bf95e230046405  haproxy-2.4.3.tar.gz
+# From: http://www.haproxy.org/download/2.4/src/haproxy-2.4.4.tar.gz.sha256
+sha256  116b7329cebee5dab8ba47ad70feeabd0c91680d9ef68c28e41c34869920d1fe  haproxy-2.4.4.tar.gz
 # Locally computed:
 sha256  0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28  LICENSE
 sha256  5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a  doc/lgpl.txt

diff --git a/package/haproxy/haproxy.mk b/package/haproxy/haproxy.mk
index 85d4fa7e8db86cc69d9be2cb20e454def98bff6c..91cb71eb7c21af04f8a3ebb306c927393b6f4dc5 100644 (file)
--- a/package/haproxy/haproxy.mk
+++ b/package/haproxy/haproxy.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 HAPROXY_VERSION_MAJOR = 2.4
-HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).3
+HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).4
 HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src
 HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions
 HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt