openSUSE Security Update : haproxy (openSUSE-2015-682)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

haproxy was updated to fix two security issues.

These security issues were fixed :

- CVE-2015-3281: The buffer_slow_realign function in HAProxy did not properly realign a buffer that is used for pending outgoing data, which allowed remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted request (bsc#937042).

- Changed DH parameters to prevent the Logjam attack.

These non-security issues were fixed :

- BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data

- BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id

- MEDIUM: ssl: replace standard DH groups with custom ones

- BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten

- MINOR: ssl: add a destructor to free allocated SSL resources

- BUG/MINOR: ssl: display correct filename in error message

- MINOR: ssl: load certificates in alphabetical order

- BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks

- BUG/MEDIUM: ssl: force a full GC in case of memory shortage

- BUG/MEDIUM: ssl: fix bad ssl context init that can cause a segfault in case of OOM

- BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates

- MINOR: ssl: add statement to force some ssl options in global

- MINOR: ssl: add fetches 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=937042
https://bugzilla.opensuse.org/show_bug.cgi?id=937202

Solution :

Update the affected haproxy packages.

Risk factor :

Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: SuSE Local Security Checks

Nessus Plugin ID: 86623

CVE ID: CVE-2015-3281