HAProxy community

HAProxy 2.0.14 (with vulnerability fix) package for ubuntu & debian stretch

Could anyone please point me to from where I can download debian package for HAProxy 2.0.14 (2.0 version with the fix for HPACK vulnerability). Thanks.

Both Debian and Ubuntu have the fix, what package are you using currently exactly which you are concerned about?

I was looking for the source to download those packages, everywhere I see is giving HAProxy 2.0.13
Eg: https://haproxy.debian.net/#?distribution=Ubuntu&release=xenial&version=2.0

Vincent Bernard’s PPA packages have been update on April 2nd, with the bugfix for this issue. You don’t have to do anything if you are using those packages.

I am using package 2.0.10 currently. Don’t see package update for this version.
I’ll have to move to 2.0.14 only, right?

If you tell me what OS and release you are using and how exactly you installed this haproxy 2.0.10 release, then I can tell you what you have to do.

No, you most likely don’t have to upgrade to 2.0.14, because security fixes get backported to packages in the OS repositories.

Sure @lukastribus

  1. Debian Stretch
  2. Ubuntu 16.04

For both HAProxy 2.0.10 is being used.

For installing this HAProxy 2.0.10, I got debian package using Vincent Bernard’s PPA packages and then installed the packages on our systems.
Debian package source:

  1. https://haproxy.debian.net/#?distribution=Debian&release=stretch&version=2.0
  2. https://haproxy.debian.net/pool/main/h/haproxy/
    For ubuntu, I got it from: https://launchpad.net/~vbernat/+archive/ubuntu/haproxy-2.0/+builds?build_state=built

apt-get update && apt-get upgrade is all you need, if you used the proper procedure as indicated on that website.

If on the other hand you manually downloaded the .deb file and installed it from the filesystem via dpkg or something, then go back to the website and follow the procedure to install it properly, which will get you 2.0.13 with the backported security fix.