diff --git a/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch b/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
new file mode 100644
index 0000000..24ed204
--- /dev/null
+++ b/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
@@ -0,0 +1,51 @@
+From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 29 Mar 2020 08:53:31 +0200
+Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
+ wrapping
+
+The HPACK header table is implemented as a wrapping list inside a contigous
+area. Headers names and values are stored from right to left while indexes
+are stored from left to right. When there's no more room to store a new one,
+we wrap to the right again, or possibly defragment it if needed. The condition
+do use the right part (called tailroom) or the left part (called headroom)
+depends on the location of the last inserted header. After wrapping happens,
+the code forces to stick to tailroom by pretending there's no more headroom,
+so that the size fit test always fails. The problem is that nothing prevents
+from storing a header with an empty name and empty value, resulting in a
+total size of zero bytes, which satisfies the condition to use the headroom.
+Doing this in a wrapped buffer results in changing the "front" header index
+and causing miscalculations on the available size and the addresses of the
+next headers. This may even allow to overwrite some parts of the index,
+opening the possibility to perform arbitrary writes into a 32-bit relative
+address space.
+
+This patch fixes the issue by making sure the headroom is considered only
+when the buffer does not wrap, instead of relying on the zero size. This
+must be backported to all versions supporting H2, which is as far as 1.8.
+
+Many thanks to Felix Wilhelm of Google Project Zero for responsibly
+reporting this problem with a reproducer and a detailed analysis.
+---
+ src/hpack-tbl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
+index 70d7f35834..727ff7a17b 100644
+--- a/src/hpack-tbl.c
++++ b/src/hpack-tbl.c
+@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
+ * room left in the tail to suit the protocol, but tests show that in
+ * practice it almost never happens in other situations so the extra
+ * test is useless and we simply fill the headroom as long as it's
+- * available.
++ * available and we don't wrap.
+ */
+- if (headroom >= name.len + value.len) {
++ if (prev == dht->front && headroom >= name.len + value.len) {
+ /* install upfront and update ->front */
+ dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
+ dht->front = head;
+--
+2.20.1
+
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index a54dc6f..fe10158 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -8,7 +8,7 @@
Name: haproxy
Version: 1.8.23
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: HAProxy reverse proxy for high availability environments
Group: System Environment/Daemons
@@ -23,6 +23,7 @@ Source4: %{name}.sysconfig
Source5: halog.1
Patch0: bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
+Patch1: bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
BuildRequires: lua-devel
BuildRequires: pcre-devel
@@ -53,6 +54,7 @@ availability environments. Indeed, it can:
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%build
regparm_opts=
@@ -138,6 +140,9 @@ exit 0
%{_mandir}/man1/*
%changelog
+* Wed Apr 01 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.23-3
+- Fix hapack zero byte input causing overwrite (CVE-2020-11100, #1819519)
+
* Fri Dec 13 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.23-2
- Consider exist status 143 as success (#1778844)