Security update for haproxy SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2626-1 Final 1 1 2019-12-03T14:49:39Z current 2019-12-03T14:49:39Z 2019-12-03T14:49:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for haproxy This update for haproxy to version 2.0.10 fixes the following issues: HAProxy was updated to 2.0.10 Security issues fixed: - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the 'chunked' (bsc#1154980). - Fixed an improper handling of headers which could have led to injecting LFs in H2-to-H1 transfers creating new attack space (bsc#1157712) - Fixed an issue where HEADER frames in idle streams are not rejected and thus trying to decode them HAPrpxy crashes (bsc#1157714). Other issue addressed: - Macro change in the spec file (bsc#1082318) More information regarding the release at: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2626 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html E-Mail link for openSUSE-SU-2019:2626-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082318 SUSE Bug 1082318 https://bugzilla.suse.com/1154980 SUSE Bug 1154980 https://bugzilla.suse.com/1157712 SUSE Bug 1157712 https://bugzilla.suse.com/1157714 SUSE Bug 1157714 https://www.suse.com/security/cve/CVE-2019-18277/ SUSE CVE CVE-2019-18277 page openSUSE Leap 15.0 haproxy-2.0.10+git0.ac198b92-lp150.2.16.1 haproxy-2.0.10+git0.ac198b92-lp150.2.16.1 as a component of openSUSE Leap 15.0 A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification). CVE-2019-18277 openSUSE Leap 15.0:haproxy-2.0.10+git0.ac198b92-lp150.2.16.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html https://www.suse.com/security/cve/CVE-2019-18277.html CVE-2019-18277 https://bugzilla.suse.com/1154980 SUSE Bug 1154980