openSUSE: 2018:3324-1: important: haproxy
Description
This update for haproxy to version 1.8.14 fixes the following issues:
These security issues were fixed:
- CVE-2018-14645: A flaw was discovered in the HPACK decoder what caused an
out-of-bounds read in hpack_valid_idx() that resulted in a remote crash
and denial of service (bsc#1108683)
- CVE-2018-11469: Incorrect caching of responses to requests including an
Authorization header allowed attackers to achieve information disclosure
via an unauthenticated remote request (bsc#1094846).
These non-security issues were fixed:
- Require apparmor-abstractions to reduce dependencies (bsc#1100787)
- hpack: fix improper sign check on the header index value
- cli: make sure the "getsock" command is only called on connections
- tools: fix set_net_port() / set_host_port() on IPv4
- patterns: fix possible double free when reloading a pattern list
- server: Crash when setting FQDN via CLI.
- kqueue: Don't reset the changes number by accident.
- snapshot: take the proxy's lock while dumping errors - http/threads: atomically increment the error snapshot ID
- dns: check and link servers' resolvers right after config parsing
- h2: fix risk of memory leak on malformated wrapped frames
- session: fix reporting of handshake processing time in the logs
- stream: use atomic increments for the request counter
- thread: implement HA_ATOMIC_XADD()
- ECC cert should work with TLS
Patch
Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-1229=1
Package List
- openSUSE Leap 15.0 (x86_64): haproxy-1.8.14~git0.52e4d43b-lp150.2.3.1 haproxy-debuginfo-1.8.14~git0.52e4d43b-lp150.2.3.1 haproxy-debugsource-1.8.14~git0.52e4d43b-lp150.2.3.1
References
https://www.suse.com/security/cve/CVE-2018-11469.html https://www.suse.com/security/cve/CVE-2018-14645.html https://bugzilla.suse.com/1094846 https://bugzilla.suse.com/1100787 https://bugzilla.suse.com/1108683--