This update for haproxy to version 1.8.14 fixes the following issues :

These security issues were fixed :

  - CVE-2018-14645: A flaw was discovered in the HPACK     decoder what caused an out-of-bounds read in     hpack_valid_idx() that resulted in a remote crash and     denial of service (bsc#1108683)

  - CVE-2018-11469: Incorrect caching of responses to     requests including an Authorization header allowed     attackers to achieve information disclosure via an     unauthenticated remote request (bsc#1094846).

These non-security issues were fixed :

  - Require apparmor-abstractions to reduce dependencies     (bsc#1100787)

  - hpack: fix improper sign check on the header index value

  - cli: make sure the 'getsock' command is only called on     connections

  - tools: fix set_net_port() / set_host_port() on IPv4

  - patterns: fix possible double free when reloading a     pattern list

  - server: Crash when setting FQDN via CLI.

  - kqueue: Don't reset the changes number by accident.

  - snapshot: take the proxy's lock while dumping errors

- http/threads: atomically increment the error snapshot ID

  - dns: check and link servers' resolvers right after     config parsing

  - h2: fix risk of memory leak on malformated wrapped     frames

  - session: fix reporting of handshake processing time in     the logs

  - stream: use atomic increments for the request counter

  - thread: implement HA_ATOMIC_XADD()

  - ECC cert should work with TLS < v1.2 and openssl >=     1.1.1

  - dns/server: fix incomatibility between SRV resolution     and server state file

  - hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP     returns 0.

  - thread: lua: Wrong SSL context initialization.

  - hlua: Make sure we drain the output buffer when done.

  - lua: reset lua transaction between http requests

  - mux_pt: dereference the connection with care in     mux_pt_wake()

  - lua: Bad HTTP client request duration.

  - unix: provide a ->drain() function

  - Fix spelling error in configuration doc

  - cli/threads: protect some server commands against     concurrent operations

  - cli/threads: protect all 'proxy' commands against     concurrent updates

  - lua: socket timeouts are not applied

  - ssl: Use consistent naming for TLS protocols

  - dns: explain set server ... fqdn requires resolver

  - map: fix map_regm with backref

  - ssl: loading dh param from certifile causes     unpredictable error.

  - ssl: fix missing error loading a keytype cert from a     bundle.

  - ssl: empty connections reported as errors.

  - cli: make 'show fd' thread-safe

  - hathreads: implement a more flexible rendez-vous point

  - threads: fix the no-thread case after the change to the     sync point

  - threads: add more consistency between certain variables     in no-thread case

  - threads: fix the double CAS implementation for ARMv7

  - threads: Introduce double-width CAS on x86_64 and arm.

  - lua: possible CLOSE-WAIT state with '\n' headers

For additional changes please refer to the changelog.

This update was imported from the SUSE:SLE-15:Update update project.

Detections

Analytics

openSUSE Security Update : haproxy (openSUSE-2019-824)

medium Nessus Plugin ID 123348

Version 1.6

Version 1.5

Version 1.6 Mar 12, 2025, 9:27 AM CVSS metrics ("CVSSv3 score" set to 5.9) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N") CVSSv3 score source (changed from "manual" to none) CVSSv3 severity (based on None, severity decreased from "High" to "Medium") Exploit attributes ("Exploit available" set to "False") Plugin Feed: 202503120927
Version 1.5 Feb 18, 2025, 11:54 PM Plugin metadata (CVSS 3 Change AC:H --> AC:L where needed) Plugin Feed: 202502182354