Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-0056 (GCVE-0-2023-0056)
Vulnerability from cvelistv5 – Published: 2023-03-23 00:00 – Updated: 2025-02-25 19:35
VLAI
EPSS
Summary
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
Severity
6.5 (Medium)
CWE
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:54:32.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T19:35:23.746547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T19:35:27.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "haproxy",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "unknown"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-0056",
"datePublished": "2023-03-23T00:00:00.000Z",
"dateReserved": "2023-01-04T00:00:00.000Z",
"dateUpdated": "2025-02-25T19:35:27.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-0056",
"date": "2026-05-30",
"epss": "0.00147",
"percentile": "0.34853"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-0056\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2023-03-23T21:15:19.087\",\"lastModified\":\"2025-02-25T20:15:31.793\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:haproxy:haproxy:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68833392-03CF-4C78-B499-EB2B8C1335D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ceph_storage:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E37E1B3-6F68-4502-85D6-68333643BDFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"749804DA-4B27-492A-9ABA-6BB562A6B3AC\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"40449571-22F8-44FA-B57B-B43F71AB25E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"948DF974-D58C-41D3-9024-1C7D260D822F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2127E592-F973-4244-9793-680736EC5313\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"608FBE62-5A35-4C7A-BBC7-E0D05E09008B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F6FB57C-2BC7-487C-96DD-132683AEB35D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:arm64:*\",\"matchCriteriaId\":\"4E5177BE-F2A0-4148-AA26-E1C8D3B75D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:arm64:*\",\"matchCriteriaId\":\"1E5CB8B9-F3B7-478E-94EA-705BDBE902D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:arm64:*\",\"matchCriteriaId\":\"36DBD95A-D9C8-47CB-AD0E-F37255E237EB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91EE3858-A648-44B4-B282-8F808D88D3B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54E24055-813B-4E6D-94B7-FAD5F78B8537\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E58526FB-522F-4AAC-B03C-9CAB443D0CFF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA983F8C-3A06-450A-AEFF-9429DE9A3454\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1104A2D0-B813-41B0-A6FB-677A3FC249BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_power:4.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B2EF9F6-CE0A-48FA-87E5-77F94363B540\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22DFC1BF-2EC4-4102-97D0-BC9F75C94F71\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"40449571-22F8-44FA-B57B-B43F71AB25E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"948DF974-D58C-41D3-9024-1C7D260D822F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2127E592-F973-4244-9793-680736EC5313\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"608FBE62-5A35-4C7A-BBC7-E0D05E09008B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB176AC3-3CDA-4DDA-9089-C67B2F73AA62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-0056\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-0056\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2023-0056\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:54:32.577Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-0056\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T19:35:23.746547Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T19:35:18.861Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"haproxy\", \"versions\": [{\"status\": \"affected\", \"version\": \"unknown\"}]}], \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2023-0056\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2023-03-23T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-0056\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T19:35:27.521Z\", \"dateReserved\": \"2023-01-04T00:00:00.000Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2023-03-23T00:00:00.000Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
RHSA-2023:1696
Vulnerability from csaf_redhat - Published: 2023-04-11 14:30 - Updated: 2025-11-21 18:39Summary
Red Hat Security Advisory: haproxy security update
Severity
Moderate
Notes
Topic: An update for haproxy is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
* haproxy: segfault DoS (CVE-2023-0056)
* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
4.3 (Medium)
Affected products
Fixed
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in HAProxy's headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
8.2 (High)
Affected products
Fixed
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
16 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for haproxy is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: segfault DoS (CVE-2023-0056)\n\n* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1696",
"url": "https://access.redhat.com/errata/RHSA-2023:1696"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1696.json"
}
],
"title": "Red Hat Security Advisory: haproxy security update",
"tracking": {
"current_release_date": "2025-11-21T18:39:10+00:00",
"generator": {
"date": "2025-11-21T18:39:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:1696",
"initial_release_date": "2023-04-11T14:30:22+00:00",
"revision_history": [
{
"date": "2023-04-11T14:30:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-04-11T14:30:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:39:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.17-3.el9_1.2.src",
"product": {
"name": "haproxy-0:2.4.17-3.el9_1.2.src",
"product_id": "haproxy-0:2.4.17-3.el9_1.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.17-3.el9_1.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.17-3.el9_1.2.aarch64",
"product": {
"name": "haproxy-0:2.4.17-3.el9_1.2.aarch64",
"product_id": "haproxy-0:2.4.17-3.el9_1.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.17-3.el9_1.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"product": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"product_id": "haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.17-3.el9_1.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"product": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"product_id": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.17-3.el9_1.2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"product": {
"name": "haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"product_id": "haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.17-3.el9_1.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"product": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"product_id": "haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.17-3.el9_1.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"product": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"product_id": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.17-3.el9_1.2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.17-3.el9_1.2.x86_64",
"product": {
"name": "haproxy-0:2.4.17-3.el9_1.2.x86_64",
"product_id": "haproxy-0:2.4.17-3.el9_1.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.17-3.el9_1.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64",
"product": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64",
"product_id": "haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.17-3.el9_1.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"product": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"product_id": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.17-3.el9_1.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.17-3.el9_1.2.s390x",
"product": {
"name": "haproxy-0:2.4.17-3.el9_1.2.s390x",
"product_id": "haproxy-0:2.4.17-3.el9_1.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.17-3.el9_1.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"product": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"product_id": "haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.17-3.el9_1.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"product": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"product_id": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.17-3.el9_1.2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.17-3.el9_1.2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64"
},
"product_reference": "haproxy-0:2.4.17-3.el9_1.2.aarch64",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.17-3.el9_1.2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le"
},
"product_reference": "haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.17-3.el9_1.2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x"
},
"product_reference": "haproxy-0:2.4.17-3.el9_1.2.s390x",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.17-3.el9_1.2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src"
},
"product_reference": "haproxy-0:2.4.17-3.el9_1.2.src",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.17-3.el9_1.2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64"
},
"product_reference": "haproxy-0:2.4.17-3.el9_1.2.x86_64",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64"
},
"product_reference": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le"
},
"product_reference": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x"
},
"product_reference": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64"
},
"product_reference": "haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64"
},
"product_reference": "haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le"
},
"product_reference": "haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x"
},
"product_reference": "haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
},
"product_reference": "haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160808"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: segfault DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "RHBZ#2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056"
},
{
"category": "external",
"summary": "https://github.com/haproxy/haproxy/issues/1972",
"url": "https://github.com/haproxy/haproxy/issues/1972"
}
],
"release_date": "2022-12-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-04-11T14:30:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1696"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: segfault DoS"
},
{
"cve": "CVE-2023-25725",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2023-02-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2169089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in HAProxy\u0027s headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: request smuggling attack in HTTP/1 header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform doesn\u0027t ship any haproxy code of its own and instead the openstack-haproxy-container consumes the `haproxy` RPM provided by RHEL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "RHBZ#2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25725",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25725"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725"
},
{
"category": "external",
"summary": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/",
"url": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html"
}
],
"release_date": "2023-02-14T16:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-04-11T14:30:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1696"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.src",
"AppStream-9.1.0.Z.MAIN:haproxy-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debuginfo-0:2.4.17-3.el9_1.2.x86_64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.aarch64",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.ppc64le",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.s390x",
"AppStream-9.1.0.Z.MAIN:haproxy-debugsource-0:2.4.17-3.el9_1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "haproxy: request smuggling attack in HTTP/1 header parsing"
}
]
}
RHSA-2023:1978
Vulnerability from csaf_redhat - Published: 2023-04-25 10:27 - Updated: 2025-11-21 18:39Summary
Red Hat Security Advisory: haproxy security update
Severity
Moderate
Notes
Topic: An update for haproxy is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
* haproxy: segfault DoS (CVE-2023-0056)
* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
4.3 (Medium)
Affected products
Fixed
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in HAProxy's headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
8.2 (High)
Affected products
Fixed
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
16 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for haproxy is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: segfault DoS (CVE-2023-0056)\n\n* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1978",
"url": "https://access.redhat.com/errata/RHSA-2023:1978"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1978.json"
}
],
"title": "Red Hat Security Advisory: haproxy security update",
"tracking": {
"current_release_date": "2025-11-21T18:39:41+00:00",
"generator": {
"date": "2025-11-21T18:39:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:1978",
"initial_release_date": "2023-04-25T10:27:06+00:00",
"revision_history": [
{
"date": "2023-04-25T10:27:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-04-25T10:27:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:39:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.0::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.7-2.el9_0.2.src",
"product": {
"name": "haproxy-0:2.4.7-2.el9_0.2.src",
"product_id": "haproxy-0:2.4.7-2.el9_0.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.7-2.el9_0.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.7-2.el9_0.2.aarch64",
"product": {
"name": "haproxy-0:2.4.7-2.el9_0.2.aarch64",
"product_id": "haproxy-0:2.4.7-2.el9_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.7-2.el9_0.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"product": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"product_id": "haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.7-2.el9_0.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"product": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"product_id": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.7-2.el9_0.2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"product": {
"name": "haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"product_id": "haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.7-2.el9_0.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"product": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"product_id": "haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.7-2.el9_0.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"product": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"product_id": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.7-2.el9_0.2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.7-2.el9_0.2.x86_64",
"product": {
"name": "haproxy-0:2.4.7-2.el9_0.2.x86_64",
"product_id": "haproxy-0:2.4.7-2.el9_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.7-2.el9_0.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64",
"product": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64",
"product_id": "haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.7-2.el9_0.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"product": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"product_id": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.7-2.el9_0.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:2.4.7-2.el9_0.2.s390x",
"product": {
"name": "haproxy-0:2.4.7-2.el9_0.2.s390x",
"product_id": "haproxy-0:2.4.7-2.el9_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@2.4.7-2.el9_0.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"product": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"product_id": "haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@2.4.7-2.el9_0.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"product": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"product_id": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@2.4.7-2.el9_0.2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.7-2.el9_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64"
},
"product_reference": "haproxy-0:2.4.7-2.el9_0.2.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.7-2.el9_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le"
},
"product_reference": "haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.7-2.el9_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x"
},
"product_reference": "haproxy-0:2.4.7-2.el9_0.2.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.7-2.el9_0.2.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src"
},
"product_reference": "haproxy-0:2.4.7-2.el9_0.2.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:2.4.7-2.el9_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64"
},
"product_reference": "haproxy-0:2.4.7-2.el9_0.2.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64"
},
"product_reference": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le"
},
"product_reference": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x"
},
"product_reference": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64"
},
"product_reference": "haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64"
},
"product_reference": "haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le"
},
"product_reference": "haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x"
},
"product_reference": "haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
},
"product_reference": "haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160808"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: segfault DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "RHBZ#2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056"
},
{
"category": "external",
"summary": "https://github.com/haproxy/haproxy/issues/1972",
"url": "https://github.com/haproxy/haproxy/issues/1972"
}
],
"release_date": "2022-12-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-04-25T10:27:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1978"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: segfault DoS"
},
{
"cve": "CVE-2023-25725",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2023-02-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2169089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in HAProxy\u0027s headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: request smuggling attack in HTTP/1 header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform doesn\u0027t ship any haproxy code of its own and instead the openstack-haproxy-container consumes the `haproxy` RPM provided by RHEL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "RHBZ#2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25725",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25725"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725"
},
{
"category": "external",
"summary": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/",
"url": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html"
}
],
"release_date": "2023-02-14T16:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-04-25T10:27:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1978"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.src",
"AppStream-9.0.0.Z.EUS:haproxy-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debuginfo-0:2.4.7-2.el9_0.2.x86_64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.aarch64",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.ppc64le",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.s390x",
"AppStream-9.0.0.Z.EUS:haproxy-debugsource-0:2.4.7-2.el9_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "haproxy: request smuggling attack in HTTP/1 header parsing"
}
]
}
RHSA-2024:0746
Vulnerability from csaf_redhat - Published: 2024-02-08 16:49 - Updated: 2026-05-10 02:38Summary
Red Hat Security Advisory: new container image: rhceph-5.3
Severity
Important
Notes
Topic: Updated container image for Red Hat Ceph Storage 5.3 is now available in
the Red Hat Ecosystem Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Ceph Storage is a scalable, open, software-defined storage platform
that combines the most stable version of the Ceph storage system with a
Ceph management platform, deployment utilities, and support services.
This updated container image is based on Red Hat Ceph Storage 5.3 and Red
Hat Enterprise Linux.
Space precludes documenting all of these changes in this advisory. Users
are directed to the Red Hat Ceph Storage Release Notes for information on
the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index
All users of Red Hat Ceph Storage are advised to pull these new images from
the Red Hat Ecosystem catalog.
Security Fix(es):
* grafana: Use of Cache Containing Sensitive Information (CVE-2022-23498)
* grafana: cross site scripting (CVE-2023-0507)
* grafana: cross site scripting (CVE-2023-0594)
* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)
* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* haproxy: segfault DoS (CVE-2023-0056)
* grafana: JWT token leak to data source (CVE-2023-1387)
* grafana: stored XSS vulnerability affecting the core plugin "Text" (CVE-2023-22462)
* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Grafana package. When data-source query caching is enabled, Grafana caches all headers, including `grafana_session.` As a result, any user that queries a data source where the caching is enabled can acquire another user’s session.
8.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
5.3 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Threats
Impact
Moderate
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
4.3 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Vendor Fix
fix
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the GeoMap Grafana plugin, where a user can store unsanitized HTML in the GeoMap plugin under the Attribution text field, and the client will process it. The vulnerability makes it possible to use XHR to make arbitrary API calls on behalf of the attacked user. This means that a malicious user with editor permissions could alter a GeoMap panel to include JavaScript that changes the password for the user viewing the panel (this could be an admin) to a known password, thus gaining access to the admin account and resulting as the editor becoming an admin.
7.3 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in the grafana package. This flaw allows a malicious user with the ability to introduce trace data to provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus gaining access to the admin account.
7.3 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the "url_login" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the Grafana core plugin, "Text." The vulnerability was possible due to React's render cycle that will pass through unsanitized HTML code. However, the HTML is cleaned and saved in Grafana's database in the next cycle. An attacker needs the Editor role in changing a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click "Markdown" or "HTML" to execute the code. This issue allows possible vertical privilege escalation, where a user with an Editor role can change to a known password for a user having an Admin role if the user with an Admin role executes malicious JavaScript viewing a dashboard.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in HAProxy's headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
8.2 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Vendor Fix
fix
|
Known not affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Threats
Impact
Important
References
64 references
Acknowledgments
Grafana Security Team
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated container image for Red Hat Ceph Storage 5.3 is now available in\nthe Red Hat Ecosystem Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform\nthat combines the most stable version of the Ceph storage system with a\nCeph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 5.3 and Red\nHat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users\nare directed to the Red Hat Ceph Storage Release Notes for information on\nthe most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from\nthe Red Hat Ecosystem catalog.\n\nSecurity Fix(es):\n\n* grafana: Use of Cache Containing Sensitive Information (CVE-2022-23498)\n\n* grafana: cross site scripting (CVE-2023-0507)\n\n* grafana: cross site scripting (CVE-2023-0594)\n\n* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* haproxy: segfault DoS (CVE-2023-0056)\n\n* grafana: JWT token leak to data source (CVE-2023-1387)\n\n* grafana: stored XSS vulnerability affecting the core plugin \"Text\" (CVE-2023-22462)\n\n* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:0746",
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2164936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164936"
},
{
"category": "external",
"summary": "2167266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167266"
},
{
"category": "external",
"summary": "2168037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168037"
},
{
"category": "external",
"summary": "2168038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168038"
},
{
"category": "external",
"summary": "2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "2184481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481"
},
{
"category": "external",
"summary": "2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "2256938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0746.json"
}
],
"title": "Red Hat Security Advisory: new container image: rhceph-5.3",
"tracking": {
"current_release_date": "2026-05-10T02:38:16+00:00",
"generator": {
"date": "2026-05-10T02:38:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2024:0746",
"initial_release_date": "2024-02-08T16:49:55+00:00",
"revision_history": [
{
"date": "2024-02-08T16:49:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-02-08T16:49:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T02:38:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ceph Storage 5.3 Tools",
"product": {
"name": "Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ceph_storage:5.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ceph Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product_id": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product_id": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product_id": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product_id": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product_id": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product_id": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23498",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-02-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2167266"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana package. When data-source query caching is enabled, Grafana caches all headers, including `grafana_session.` As a result, any user that queries a data source where the caching is enabled can acquire another user\u2019s session.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Use of Cache Containing Sensitive Information",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23498"
},
{
"category": "external",
"summary": "RHBZ#2167266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167266"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23498",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23498"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23498",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23498"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8"
}
],
"release_date": "2023-02-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "To mitigate the vulnerability, disable the data source query caching for all data sources.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Use of Cache Containing Sensitive Information"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2023-0056",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160808"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: segfault DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "RHBZ#2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056"
},
{
"category": "external",
"summary": "https://github.com/haproxy/haproxy/issues/1972",
"url": "https://github.com/haproxy/haproxy/issues/1972"
}
],
"release_date": "2022-12-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: segfault DoS"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0507",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2023-02-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2168038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the GeoMap Grafana plugin, where a user can store unsanitized HTML in the GeoMap plugin under the Attribution text field, and the client will process it. The vulnerability makes it possible to use XHR to make arbitrary API calls on behalf of the attacked user. This means that a malicious user with editor permissions could alter a GeoMap panel to include JavaScript that changes the password for the user viewing the panel (this could be an admin) to a known password, thus gaining access to the admin account and resulting as the editor becoming an admin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Grafana package shipped in Red Hat Enterprise Linux, it is not possible to take advantage of this vulnerability without specialized \u0027editor\u0027 access, which reduces the impact of this issue in RHEL. Thus, it is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0507"
},
{
"category": "external",
"summary": "RHBZ#2168038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0507",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/CVE-2023-0507",
"url": "https://grafana.com/security/security-advisories/CVE-2023-0507"
}
],
"release_date": "2023-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Applying the Content-Security-Policy shipped with Grafana would block inline scripts from executing and would mitigate this.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: cross site scripting"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0594",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2023-02-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2168037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. This flaw allows a malicious user with the ability to introduce trace data to provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus gaining access to the admin account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an issue with Grafana Tempo which we don\u0027t ship in Red Hat Enterprise Linux. Hence, RHEL-8, 9 are not-affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0594"
},
{
"category": "external",
"summary": "RHBZ#2168037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0594",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0594"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0594",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0594"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/CVE-2023-0594",
"url": "https://grafana.com/security/security-advisories/CVE-2023-0594"
}
],
"release_date": "2023-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Applying the Content-Security-Policy shipped with Grafana would block inline scripts from executing and would mitigate this.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: cross site scripting"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-1387",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2186322"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the \"url_login\" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: JWT token leak to data source",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "RHBZ#2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
}
],
"release_date": "2023-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: JWT token leak to data source"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-22462",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-01-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164936"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana core plugin, \"Text.\" The vulnerability was possible due to React\u0027s render cycle that will pass through unsanitized HTML code. However, the HTML is cleaned and saved in Grafana\u0027s database in the next cycle. An attacker needs the Editor role in changing a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click \"Markdown\" or \"HTML\" to execute the code. This issue allows possible vertical privilege escalation, where a user with an Editor role can change to a known password for a user having an Admin role if the user with an Admin role executes malicious JavaScript viewing a dashboard.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: stored XSS vulnerability affecting the core plugin \"Text\"",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Service Mesh containers include the grafana RPM from RHEL and consume CVE fixes for grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22462"
},
{
"category": "external",
"summary": "RHBZ#2164936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164936"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22462"
}
],
"release_date": "2023-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: stored XSS vulnerability affecting the core plugin \"Text\""
},
{
"cve": "CVE-2023-24538",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2023-04-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184481"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: backticks not treated as string delimiters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The described issue involving Go templates and JavaScript template literals poses a moderate severity rather than an important one due to several mitigating factors. Firstly, the vulnerability requires specific conditions to be met: the presence of Go templates within JavaScript template literals. This limits the scope of affected codebases, reducing the likelihood of exploitation. Additionally, the decision to disallow such interactions in future releases of Go indicates a proactive approach to addressing the issue. Furthermore, the affected packages or components within Red Hat Enterprise Linux, such as Conmon, Grafana, and the RHC package, have been assessed and determined not to be impacted due to their specific usage patterns. So the limited scope of affected systems and the absence of exploitation vectors in specific components within Red Hat Enterprise Linux contribute to categorizing the severity of the issue as moderate.\n\nFor Red Hat Enterprise Linux,\n\n* Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not affected.\n* The Go templates in Grafana do not contain any javascript. Thus, it is not affected.\n* The rhc package do not make use of html/template. Hence, it is also not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24538"
},
{
"category": "external",
"summary": "RHBZ#2184481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24538"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/59234",
"url": "https://github.com/golang/go/issues/59234"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
"url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
}
],
"release_date": "2023-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: backticks not treated as string delimiters"
},
{
"cve": "CVE-2023-25725",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2023-02-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2169089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in HAProxy\u0027s headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: request smuggling attack in HTTP/1 header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform doesn\u0027t ship any haproxy code of its own and instead the openstack-haproxy-container consumes the `haproxy` RPM provided by RHEL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "RHBZ#2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25725",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25725"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725"
},
{
"category": "external",
"summary": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/",
"url": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html"
}
],
"release_date": "2023-02-14T16:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "haproxy: request smuggling attack in HTTP/1 header parsing"
}
]
}
SUSE-FU-2023:2117-1
Vulnerability from csaf_suse - Published: 2023-05-05 20:27 - Updated: 2023-05-05 20:27Summary
Feature update for haproxy
Severity
Moderate
Notes
Title of the patch: Feature update for haproxy
Description of the patch: This update for haproxy fixes the following issues:
Update to version 2.0.31 (jsc#PED-3821):
* BUG/CRITICAL: http: properly reject empty http header field names
* CI: github: don't warn on deprecated openssl functions on windows
* DOC: proxy-protocol: fix wrong byte in provided example
* DOC: config: 'http-send-name-header' option may be used in default section
* DOC: config: fix option spop-check proxy compatibility
* BUG/MEDIUM: cache: use the correct time reference when comparing dates
* BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
* BUG/MEDIUM: ssl: wrong eviction from the session cache tree
* BUG/MINOR: http-ana: make set-status also update txn->status
* BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
* BUG/MINOR: promex: Don't forget to consume the request on error
* BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
* BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
* BUILD: makefile: sort the features list
* BUILD: makefile: build the features list dynamically
* BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
* BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
* LICENSE: wurfl: clarify the dummy library license.
* BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
* BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
* BUG/MINOR: ssl: Fix potential overflow
* BUG/MEDIUM: ssl: Verify error codes can exceed 63
* CI: github: change 'ubuntu-latest' to 'ubuntu-20.04'
* SCRIPTS: announce-release: add a link to the data plane API
* [RELEASE] Released version 2.0.30
* Revert 'CI: determine actual LibreSSL version dynamically'
* DOC: config: clarify the -m dir and -m dom pattern matching methods
* DOC: config: clarify the fact that 'retries' is not just for connections
* DOC: config: explain how default matching method for ACL works
* DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
* DOC: config: provide some configuration hints for 'http-reuse'
* BUILD: listener: fix build warning on global_listener_rwlock without threads
* BUILD: peers: Remove unused variables
* BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
* BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
* BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
* CI: emit the compiler's version in the build reports
* CI: add monthly gcc cross compile jobs
* BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
* BUG/MAJOR: stick-table: don't process store-response rules for applets
* DOC: management: add forgotten 'show startup-logs'
* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
* BUG/MAJOR: stick-tables: do not try to index a server name for applets
* DOC: configuration: missing 'if' in tcp-request content example
* BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
* BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
* BUG/MEDIUM: lua: handle stick table implicit arguments right.
* BUILD: cfgparse: Fix GCC warning about a variable used after realloc
* BUILD: fix compilation for OpenSSL-3.0.0-alpha17
* BUG/MINOR: log: improper behavior when escaping log data
* SCRIPTS: announce-release: update some URLs to https
* BUG/MEDIUM: captures: free() an error capture out of the proxy lock
* BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
* BUG/MINOR: signals/poller: ensure wakeup from signals
* BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
* BUG/MINOR: h1: Support headers case adjustment for TCP proxies
* REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
* BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
* BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
* BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
* BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
* DOC: configuration: do-resolve doesn't work with a port in the string
* BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
* BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
* BUILD: http: silence an uninitialized warning affecting gcc-5
* BUG/MEDIUM: proxy: Perform a custom copy for default server settings
* REORG: server: Export srv_settings_cpy() function
* MINOR: server: Constify source server to copy its settings
* BUG/MINOR: peers: Use right channel flag to consider the peer as connected
* BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
* MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
* BUG/MINOR: ssl: free the fields in srv->ssl_ctx
* BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
* BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
* BUG/MINOR: peers: fix possible NULL dereferences at config parsing
* BUG/MINOR: peers/config: always fill the bind_conf's argument
* BUG/MINOR: http-fetch: Use integer value when possible in 'method' sample fetch
* BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
* BUG/MINOR: server: do not enable DNS resolution on disabled proxies
* BUILD: compiler: implement unreachable for older compilers too
* REGTESTS: http_request_buffer: Increase client timeout to wait 'slow' clients
* REGTESTS: abortonclose: Add a barrier to not mix up log messages
* BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
* DOC: peers: fix port number and addresses on new peers section format
* DOC: peers: clarify when entry expiration date is renewed.
* DOC: peers: indicate that some server settings are not usable
* SCRIPTS: make publish-release try to launch make-releases-json
* SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
* BUG/MEDIUM: sample: Fix adjusting size in word converter
* BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
* BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
* BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
* BUG/MINOR: peers: fix error reporting of 'bind' lines
* REGTESTS: abortonclose: Fix some race conditions
* BUILD: fix build warning on solaris based systems with __maybe_unused.
* CI: determine actual LibreSSL version dynamically
* [RELEASE] Released version 2.0.29
* BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x
* CLEANUP: mux-h1: Fix comments and error messages for global options
* BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
* BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
* DOC: fix typo 'ant' for 'and' in INSTALL
* BUG/MINOR: map/cli: make sure patterns don't vanish under 'show map''s init
* BUG/MINOR: map/cli: protect the backref list during 'show map' errors
* BUG/MEDIUM: cli: make 'show cli sockets' really yield
* BUG/MINOR: mux-h2: mark the stream as open before processing it not after
* SCRIPTS: announce-release: add URL of dev packages
* CI: github actions: update LibreSSL to 3.5.2
* BUILD: sockpair: do not set unused flag
* BUILD: proto_uxst: do not set unused flag
* BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
* REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
* DOC: remove my name from the config doc
* BUG/MINOR: cache: Disable cache if applet creation fails
* SCRIPTS: announce-release: add shortened links to pending issues
* DOC: lua: update a few doc URLs
* SCRIPTS: announce-release: update the doc's URL
* BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
* BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
* BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
* BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
* BUG/MINOR: cache: do not display expired entries in 'show cache'
* BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
* CI: Update to actions/cache@v3
* CI: Update to actions/checkout@v3
* BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
* BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
* DOC: reflect H2 timeout changes
* BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
* MEDIUM: mux-h2: slightly relax timeout management rules
* BUG/MEDIUM: stream-int: do not rely on the connection error once established
* BUG/MINOR: tools: url2sa reads too far when no port nor path
* BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
* CI: github actions: switch to LibreSSL-3.5.1
* BUILD: dns: fix backport of previous dns fix
* BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
* Revert 'BUG/MAJOR: mux-pt: Always destroy the backend connection on detach'
* BUG/MINOR: tools: fix url2sa return value with IPv4
* [RELEASE] Released version 2.0.28
* DOC: Fix usage/examples of deprecated ACLs
* BUG/MINOR: stream: make the call_rate only count the no-progress calls
* DOC: use the req.ssl_sni in examples
* DOC: ssl: req_ssl_sni needs implicit TLS
* BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
* BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
* DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
* BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: cli: shows correct mode in 'show sess'
* BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
* CLEANUP: atomic: add a fetch-and-xxx variant for common operations
* CI: github actions: use cache for SSL libs
* CI: github actions: add the output of $CC -dM -E-
* BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
* BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
* BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
* BUG/MINOR: tools: url2sa reads ipv4 too far
* BUG/MINOR: mailers: negotiate SMTP, not ESMTP
* CI: ssl: keep the old method for ancient OpenSSL versions
* CI: ssl: do not needlessly build the OpenSSL docs
* CI: ssl: enable parallel builds for OpenSSL on Linux
* BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
* BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
* BUG/MEDIUM: mworker: close unused transferred FDs on load failure
* MINOR: sock: move the unused socket cleaning code into its own function
* BUG/MAJOR: spoe: properly detach all agents when releasing the applet
* BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
* BUG/MINOR: mworker: does not erase the pidfile upon reload
* BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
* BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
* BUG/MEDIUM: mcli: do not try to parse empty buffers
* BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
* MINOR: channel: add new function co_getdelim() to support multiple delimiters
* MEDIUM: cli: yield between each pipelined command
* [RELEASE] Released version 2.0.27
* BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
* BUG/MEDIUM: cli: Never wait for more data on client shutdown
* BUILD/MINOR: fix solaris build with clang.
* BUG/MEDIUM: mworker: don't use _getsocks in wait mode
* BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
* BUG/MINOR: cli: fix _getsocks with musl libc
* CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free
* BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
* DOC: fix misspelled keyword 'resolve_retries' in resolvers
* BUILD: ssl: unbreak the build with newer libressl
* BUILD: cli: clear a maybe-unused warning on some older compilers
* BUG/MINOR: http: fix recent regression on authorization in legacy mode
* Revert 'BUG/MEDIUM: resolvers: always check a valid item in query_list'
* BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose
* BUG/MINOR: backend: do not set sni on connection reuse
* BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
* DOC: config: Specify %Ta is only available in HTTP mode
* DOC: spoe: Clarify use of the event directive in spoe-message section
* MINOR: ssl: make tlskeys_list_get_next() take a list element
* CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()
* CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()
* BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
* MINOR: cli: 'show version' displays the current process version
* BUILD: general: always pass unsigned chars to is* functions
* CLEANUP: peers: Remove unused static function `free_dcache_tx`
* CLEANUP: peers: Remove unused static function `free_dcache`
* REGTESTS: mark the abns test as broken again
* BUILD: scripts/build-ssl.sh: use 'uname' instead of ${TRAVIS_OS_NAME}
* BUILD: makefile: add entries to build common debugging tools
* CI: Github Actions: temporarily disable BoringSSL builds
* CI: Github Actions: switch to LibreSSL-3.3.3
* CI: github actions: update LibreSSL to 3.2.5
* Revert 'CI: Pin VTest to a known good commit'
* CI: github actions: switch to stable LibreSSL release
* CI: Fix the coverity builds
* CI: Fix DEBUG_STRICT definition for Coverity
* CI: Pin VTest to a known good commit
* CI: github actions: build several popular 'contrib' tools
* CI: GitHub Actions: enable daily Coverity scan
* CI: github actions: enable 51degrees feature
* CI: github actions: update LibreSSL to 3.3.0
* CI: Clean up Windows CI
* CI: Pass the github.event_name to matrix.py
* CI: Github Action: run 'apt-get update' before packages restore
* CI: Github Actions: enable BoringSSL builds
* CI: Github Actions: remove LibreSSL-3.0.2 builds
* CI: Github Actions: enable prometheus exporter
* CI: Stop hijacking the hosts file
* CI: Expand use of GitHub Actions for CI
* [RELEASE] Released version 2.0.26
* BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
* BUG/MINOR: shctx: do not look for available blocks when the first one is enough
* BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
* BUG/MEDIUM: mux-h2: always process a pending shut read
* BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
* CLEANUP: ssl: Release cached SSL sessions on deinit
* MINOR: mux-h2: perform a full cycle shutdown+drain on close
* MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
* BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
* BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
* BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
* BUG/MINOR: mworker: doesn't launch the program postparser
* BUG/MEDIUM: conn-stream: Don't reset CS flags on close
* BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
* DOC: config: Fix typo in ssl_fc_unique_id description
* BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
* BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
* MINOR: htx: Add a function to know if the free space wraps
* MINOR: htx: Add an HTX flag to know when a message is fragmented
* BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
* MINOR: stream: Improve dump of bogus streams
* DOC: config: Fix alphabetical order of fc_* samples
* BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
* BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration
* CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT
* CLEANUP: always initialize the answer_list
* CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()
* BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released
* BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed
* BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame
* BUG/MEDIUM: resolvers: always check a valid item in query_list
* BUILD: resolvers: avoid a possible warning on null-deref
* MINOR: resolvers: merge address and target into a union 'data'
* BUG/MEDIUM: resolvers: use correct storage for the target address
* BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix
* MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
* BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
* BUG/MEDIUM: resolver: make sure to always use the correct hostname length
* MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
* BUG/MEDIUM: sample: properly verify that variables cast to sample
* MINOR: sample: provide a generic var-to-sample conversion function
* CLEANUP: sample: uninline sample_conv_var2smp_str()
* CLEANUP: sample: rename sample_conv_var2smp() to *_sint
* BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error
* BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
* BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
* BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
* BUG/MINOR: filters: Set right FLT_END analyser depending on channel
* BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
* BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
* BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
* BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
* BUG/MAJOR: lua: use task_wakeup() to properly run a task once
* BUG/MEDIUM: lua: fix wakeup condition from sleep()
* DOC: peers: fix doc 'enable' statement on 'peers' sections
* BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send 'trailers'
* BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
* BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
* BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
* BUG/MINOR: server: allow 'enable health' only if check configured
* Revert 'REGTESTS: mark http_abortonclose as broken'
* BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
* MEDIUM: actions: Fix block ACL.
* BUG/MINOR: stats: fix the POST requests processing in legacy mode
* BUG/MEDIUM: http: check for a channel pending data before waiting
* BUG/MINOR: cli/payload: do not search for args inside payload
* BUG/MINOR: compat: make sure __WORDSIZE is always defined
* BUG/MINOR: systemd: ExecStartPre must use -Ws
* [RELEASE] Released version 2.0.25
* REGTESTS: mark http_abortonclose as broken
* MINOR: action: Use a generic function to check validity of an action rule list
* Revert 'BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive'
* BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
* CLEANUP: htx: remove comments about 'must be < 256 MB'
* BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
* DOC: configuration: remove wrong tcp-request examples in tcp-response
* CLEANUP: Add missing include guard to signal.h
* BUG/MINOR: tools: Fix loop condition in dump_text()
* BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
* BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
* BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
* MINOR: compiler: implement an ONLY_ONCE() macro
* BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
* REGTESTS: abortonclose: after retries, 503 is expected, not close
* BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
* [RELEASE] Released version 2.0.24
* REGTESTS: add a test to prevent h2 desync attacks
* BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
* DOC/MINOR: fix typo in management document
* MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade
* DOC: config: Fix 'http-response send-spoe-group' documentation
* DOC: Improve the lua documentation
* BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
* BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
* MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
* BUG/MINOR: server: update last_change on maint->ready transitions too
* BUG/MINOR: connection: Add missing error labels to conn_err_code_str
* BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
* BUG/MINOR: mux-h2: Obey dontlognull option during the preface
* BUG/MINOR: systemd: must check the configuration using -Ws
* BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
* BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
* BUILD: add detection of missing important CFLAGS
* BUG/MEDIUM: tcp-check: Do not dereference inexisting connection
* [RELEASE] Released version 2.0.23
* BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled
* BUG/MINOR: server-state: load SRV resolution only if params match the config
* CLEANUP: pools: remove now unused seq and pool_free_list
* BUG/MAJOR: pools: fix possible race with free() in the lockless variant
* MEDIUM: pools: use a single pool_gc() function for locked and lockless
* MEDIUM: memory: make pool_gc() run under thread isolation
* BUG/MEDIUM: pools: Always update free_list in pool_gc().
* MINOR: pools: do not maintain the lock during pool_flush()
* BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()
* MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS
* Revert 'MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules'
* BUG/MINOR: peers: fix data_type bit computation more than 32 data_types
* MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()
* BUG/MINOR: resolvers: Reset server IP when no ip is found in the response
* DOC: config: use CREATE USER for mysql-check
* DOC: peers: fix the protocol tag name in the doc
* DOC: stick-table: add missing documentation about gpt0 stored type
* BUG/MINOR: stick-table: fix several printf sign errors dumping tables
* BUG/MINOR: cli: fix server name output in 'show fd'
* BUG/MEDIUM: sock: make sure to never miss early connection failures
* BUG/MINOR: server/cli: Fix locking in function processing 'set server' command
* BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
* BUG/MINOR: resolvers: answser item list was randomly purged or errors
* DOC: config: Add missing actions in 'tcp-request session' documentation
* MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules
* BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check
* BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function
* BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken
* MINOR: mux-h2: obey http-ignore-probes during the preface
* BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue
* BUG/MINOR: mworker: fix typo in chroot error message
* BUG/MINOR: ssl: use atomic ops to update global shctx stats
* BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE
* BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id
* DOC: lua: Add a warning about buffers modification in HTTP
* BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded
* BUG/MEDIUM: dns: reset file descriptor if send returns an error
* BUG/MEDIUM: compression: Add a flag to know the filter is still processing data
* BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
* BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree
* BUG/MINOR: http: Missing calloc return value check in make_arg_list
* BUG/MINOR: http: Missing calloc return value check while parsing redirect rule
* BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list
* BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo
* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule
* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response
* BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy
* BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare
* BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture
* BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine
* BUG/MINOR: peers: Missing calloc return value check in peers_register_table
* BUG/MINOR: server: Missing calloc return value check in srv_parse_source
* BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts
* BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response
* BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter
* BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'
* BUG/MEDIUM: ebtree: Invalid read when looking for dup entry
* REGTESTS: Add script to test abortonclose option
* MEDIUM: mux-h1: Don't block reads when waiting for the other side
* BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive
* MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()
* BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port
* BUG/MINOR: stream: Reset stream final state and si error type on L7 retry
* BUG/MINOR: stream: properly clear the previous error mask on L7 retries
* BUG/MINOR: stream: Decrement server current session counter on L7 retry
* BUG/MEDIUM: cli: prevent memory leak on write errors
* BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers
* MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode
* MINOR: peers: add informative flags about resync process for debugging
* BUG/MEDIUM: peers: reset tables stage flags stages on new conns
* BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly
* BUG/MEDIUM: peers: reset commitupdate value in new conns
* BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected
* BUG/MEDIUM: peers: stop considering ack messages teaching a full resync
* BUG/MEDIUM: peers: register last acked value as origin receiving a resync req
* BUG/MEDIUM: peers: initialize resync timer to get an initial full resync
* BUG/MINOR: applet: Notify the other side if data were consumed by an applet
* BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message
* BUG/MEDIUM: peers: re-work refcnt on table to protect against flush
* BUG/MEDIUM: peers: re-work connection to new process during reload.
* BUG/MINOR: peers: remove useless table check if initial resync is finished
* BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data
* BUG/MINOR: mworker: don't use oldpids[] anymore for reload
* BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases
* BUG/MEDIUM: config: fix cpu-map notation with both process and threads
* BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
* BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
* BUG/MINOR: server: free srv.lb_nodes in free_server
* BUG/MINOR: mux-h1: Release idle server H1 connection if data are received
* BUG/MINOR: logs: Report the true number of retries if there was no connection
* BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function
* BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded
* BUG/MEDIUM: threads: Ignore current thread to end its harmless period
* BUG/MEDIUM: sample: Fix adjusting size in field converter
* DOC: clarify that compression works for HTTP/2
* BUG/MINOR: tools: fix parsing 'us' unit for timers
* DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options
* [RELEASE] Released version 2.0.22
* BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks
* MINOR: resolvers: Directly call srvrq_update_srv_state() when possible
* MINOR: resolvers: Add function to change the srv status based on SRV resolution
* MINOR: resolvers: Purge answer items when a SRV resolution triggers an error
* MINOR: resolvers: Use a function to remove answers attached to a resolution
* BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution
* BUG/MAJOR: dns: disabled servers through SRV records never recover
* BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status
* BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields
* BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS
* BUG/MINOR: tcp: fix silent-drop workaround for IPv6
* BUG/MINOR: stats: Apply proper styles in HTML status page.
* BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
* BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters
* MINOR: tools: make url2ipv4 return the exact number of bytes parsed
* BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless
* BUG/MEDIUM: time: make sure to always initialize the global tick
* BUG/MEDIUM: lua: Always init the lua stack before referencing the context
* BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback
* MINOR: lua: Slightly improve function dumping the lua traceback
* MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket
* BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable
* MINOR: time: also provide a global, monotonic global_now_ms timer
* [RELEASE] Released version 2.0.21
* BUG/MINOR: freq_ctr/threads: make use of the last updated global time
* MINOR: time: export the global_now variable
* BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames
* BUG/MINOR: resolvers: Reset server address on DNS error only on status change
* BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error
* CLEANUP: tcp-rules: add missing actions in the tcp-request error message
* BUG/MINOR: session: Add some forgotten tests on session's listener
* BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters
* BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached
* BUG/MEDIUM: session: NULL dereference possible when accessing the listener
* BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode
* BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()
* BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
* BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout
* DOC: spoe: Add a note about fragmentation support in HAProxy
* BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
* BUG/MINOR: connection: Use the client's dst family for adressless servers
* BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
* BUG/MINOR: http-ana: Only consider dst address to process originalto option
* BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
* BUG/MEDIUM: resolvers: Reset address for unresolved servers
* BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records
* BUG/MINOR: resolvers: new callback to properly handle SRV record errors
* BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
* BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
* BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
* BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
* BUG/MINOR: sample: secure convs that accept base64 string and var name as args
* BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
* BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
* BUG/MINOR: server: Init params before parsing a new server-state line
* BUG/MINOR: sample: Always consider zero size string samples as unsafe
* BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
* BUG/MINOR: session: atomically increment the tracked sessions counter
* BUG/MINOR: server: Remove RMAINT from admin state when loading server state
* CLEANUP: channel: fix comment in ci_putblk.
* BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
* BUG/MINOR: cfgparse: do not mention 'addr:port' as supported on proxy lines
* BUG/MEDIUM: config: don't pick unset values from last defaults section
* CLEANUP: deinit: release global and per-proxy server-state variables on deinit
* BUG/MINOR: server: Fix server-state-file-name directive
* BUG/MINOR: backend: hold correctly lock when killing idle conn
* BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
* BUG/MINOR: server: re-align state file fields number
* BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
* BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty
* BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED
* BUG/MEDIUM: mux-h2: handle remaining read0 cases
* BUILD: Makefile: move REGTESTST_TYPE default setting
* BUG/MINOR: xxhash: make sure armv6 uses memcpy()
* BUG/MEDIUM: ssl: check a connection's status before computing a handshake
* BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
* DOC: management: fix 'show resolvers' alphabetical ordering
* BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
* BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
* BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
* BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX
* BUG/MEDIUM: mux-h2: fix read0 handling on partial frames
* BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
* BUG/MINOR: peers: Wrong 'new_conn' value for 'show peers' CLI command.
* BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
* BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
* BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
* [RELEASE] Released version 2.0.20
* BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
* DOC: Add maintainers for the Prometheus exporter
* SCRIPTS: announce-release: fix typo in help message
* DOC: fix some spelling issues over multiple files
* MINOR: contrib/prometheus-exporter: export build_info
* BUILD: Makefile: exclude broken tests by default
* BUG/MINOR: srv: do not init address if backend is disabled
* SCRIPTS: make announce release support preparing announces before tag exists
* SCRIPTS: improve announce-release to support different tag and versions
* BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails
* MINOR: atomic: don't use ; to separate instruction on aarch64.
* BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
* BUILD: plock: remove dead code that causes a warning in gcc 11
* CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
* CONTRIB: halog: mark the has_zero* functions unused
* CONTRIB: halog: fix build issue caused by %L printf format
* BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
* BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
* BUILD: Makefile: have 'make clean' destroy .o/.a/.s in contrib subdirs as well
* REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
* CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric
* CLEANUP: lua: Remove declaration of an inexistant function
* BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
* BUG/MINOR: tools: Reject size format not starting by a digit
* BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
* DOC: email change of the DeviceAtlas maintainer
* BUG/MEDIUM: spoa/python: Fixing references to None
* BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
* BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
* BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
* DOC: spoa/python: Fixing typos in comments
* DOC: spoa/python: Rephrasing memory related error messages
* DOC: spoa/python: Fixing typo in IP related error messages
* BUG/MAJOR: spoa/python: Fixing return None
* DOC/MINOR: Fix formatting in Management Guide
* BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
* MINOR: cli: add a function to look up a CLI service description
* MINOR: actions: add a function returning a service pointer from its name
* MINOR: actions: Export actions lookup functions
* BUG/MINOR: lua: Some lua init operation are processed unsafe
* BUG/MINOR: lua: Post init register function are not executed beyond the first one
* BUG/MINOR: lua: lua-load doesn't check its parameters
* MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
* DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
* BUG/MAJOR: peers: fix partial message decoding
* BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
* BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
* BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
* BUILD: http-htx: fix build warning regarding long type in printf
* MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.
* MINOR: spoe: Don't close connection in sync mode on processing timeout
* BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
* BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
* BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
* BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
* BUG/MINOR: peers: Missing TX cache entries reset.
* BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
* BUG/MINOR: lua: set buffer size during map lookups
* BUG/MINOR: pattern: a sample marked as const could be written
* [RELEASE] Released version 2.0.19
* BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
* MINOR: http-htx: Add understandable errors for the errorfiles parsing
* BUG/MEDIUM: stick-table: limit the time spent purging old entries
* BUG/MINOR: filters: Skip disabled proxies during startup only
* BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
* MINOR: server: Copy configuration file and line for server templates
* BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup
* BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
* BUG/MINOR: cache: Inverted variables in http_calc_maxage function
* BUG/MINOR: lua: initialize sample before using it
* BUG/MINOR: server: fix down_time report for stats
* BUG/MINOR: server: fix srv downtime calcul on starting
* BUG/MINOR: log: fix memory leak on logsrv parse error
* BUG/MINOR: extcheck: add missing checks on extchk_setenv()
* BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible
* BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests
* BUG/MEDIUM: server: support changing the slowstart value from state-file
* BUG/MINOR: queue: properly report redistributed connections
* BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.
* BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn
* BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages
* BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
* BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once
* MINOR: fd: report an error message when failing initial allocations
* BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
* BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
* BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().
* BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
* BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
* BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
* BUG/MINOR: peers: Inconsistency when dumping peer status codes.
* MINOR: hlua: Display debug messages on stderr only in debug mode
* BUG/MINOR: stats: fix validity of the json schema
* MINOR: counters: fix a typo in comment
* BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe
* BUG/MINOR: Fix several leaks of 'log_tag' in init().
* BUILD: makefile: Fix building with closefrom() support enabled
* DOC: ssl: crt-list negative filters are only a hint
* [RELEASE] Released version 2.0.18
* REGTEST: make map_regm_with_backref require 1.7
* REGTEST: make abns_socket.vtc require 1.8
* REGTEST: fix host part in balance-uri-path-only.vtc
* REGTESTS: add a few load balancing tests
* DOC: agent-check: fix typo in 'fail' word expected reply
* DOC: spoa-server: fix false friends `actually`
* BUG/MEDIUM: listeners: do not pause foreign listeners
* BUG/MINOR: config: Fix memory leak on config parse listen
* BUG/MINOR: Fix memory leaks cfg_parse_peers
* BUG/MEDIUM: h2: report frame bits only for handled types
* BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch
* BUG/MINOR: server: report correct error message for invalid port on 'socks4'
* BUG/MINOR: ssl: verifyhost is case sensitive
* BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
* BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
* BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
* BUILD: threads: better workaround for late loading of libgcc_s
* BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
* BUG/MINOR: auth: report valid crypto(3) support depending on build options
* CLEANUP: Update .gitignore
* MINOR: Commit .gitattributes
* BUILD: thread: limit the libgcc_s workaround to glibc only
* BUG/MINOR: threads: work around a libgcc_s issue with chrooting
* BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
* BUG/MEDIUM: doc: Fix replace-path action description
* BUG/MINOR: startup: haproxy -s cause 100% cpu
* BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
* BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
* BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
* BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
* BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
* DOC: cache: Use '<name>' instead of '<id>' in error message
* BUG/MINOR: reload: do not fail when no socket is sent
* BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
* BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
* BUG/MINOR: snapshots: leak of snapshots on deinit()
* BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
* BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
* BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
* BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
* BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response
* SCRIPTS: git-show-backports: emit the shell command to backport a commit
* SCRIPTS: git-show-backports: make -m most only show the left branch
* [RELEASE] Released version 2.0.17
* SCRIPTS: announce-release: add the link to the wiki in the announce messages
* MINOR: stream-int: Be sure to have a mux to do sends and receives
* MINOR: connection: Preinstall the mux for non-ssl connect
* BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
* BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
* MEDIUM: lua: Add support for the Lua 5.4
* BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
* BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
* BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
* BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
* BUG/MAJOR: dns: Make the do-resolve action thread-safe
* BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete
* BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
* BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
* BUILD: thread: add parenthesis around values of locking macros
* MINOR: pools: increase MAX_BASE_POOLS to 64
* BUG/MINOR: threads: Don't forget to init each thread toremove_lock.
* REGEST: Add reg tests about error files
* BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
* [RELEASE] Released version 2.0.16
* BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
* BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
* BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
* CONTRIB: da: fix memory leak in dummy function da_atlas_open()
* BUG/MINOR: sample: Free str.area in smp_check_const_meth
* BUG/MINOR: sample: Free str.area in smp_check_const_bool
* DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
* BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode
* BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection
* MINOR: http: Add support for http 413 status
* BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
* BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
* MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
* BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
* BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
* BUG/MINOR: mux-h1: Disable splicing only if input data was processed
* BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
* BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
* BUG/MINOR: http_act: don't check capture id in backend (2)
* DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
* DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
* BUG/MINOR: proxy: always initialize the trash in show servers state
* BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
* BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
* DOC: ssl: add 'allow-0rtt' and 'ciphersuites' in crt-list
* MINOR: cli: make 'show sess' stop at the last known session
* BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
* REGTEST: ssl: add some ssl_c_* sample fetches test
* REGTEST: ssl: tests the ssl_f_* sample fetches
* MINOR: spoe: Don't systematically create new applets if processing rate is low
* BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
* BUG/MINOR: spoe: correction of setting bits for analyzer
* REGTEST: Add a simple script to tests errorfile directives in proxy sections
* BUG/MINOR: systemd: Wait for network to be online
* MEDIUM: map: make the 'clear map' operation yield
* REGTEST: http-rules: test spaces in ACLs with master CLI
* REGTEST: http-rules: test spaces in ACLs
* BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
* BUG/MINOR: mworker/cli: fix the escaping in the master CLI
* BUG/MINOR: cli: allow space escaping on the CLI
* BUG/MINOR: spoe: add missing key length check before checking key names
* BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
* BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
* MINOR: http: Add 404 to http-request deny
* MINOR: http: Add 410 to http-request deny
* [RELEASE] Released version 2.0.15
* REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used
* BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
* BUG/MEDIUM: pattern: fix thread safety of pattern matching
* BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
* BUG/MINOR: mworker: fix a memleak when execvp() failed
* BUG/MEDIUM: mworker: fix the reload with an -- option
* BUG/MINOR: init: -S can have a parameter starting with a dash
* BUG/MINOR: init: -x can have a parameter starting with a dash
* BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
* BUILD: makefile: adjust the sed expression of 'make help' for solaris
* BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version
* BUG/MEDIUM: logs: fix trailing zeros on log message.
* BUG/MINOR: logs: prevent double line returns in some events.
* BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
* BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
* BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
* BUG/MINOR: peers: fix internal/network key type mapping.
* SCRIPTS: publish-release: pass -n to gzip to remove timestamp
* Revert 'BUG/MEDIUM: connections: force connections cleanup on server changes'
* BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf
* BUG/MINOR: lua: Add missing string length for lua sticktable lookup
* BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
* BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
* BUG/MINOR: cache: Don't needlessly test 'cache' keyword in parse_cache_flt()
* BUILD: select: only declare existing local labels to appease clang
* BUG/MINOR: soft-stop: always wake up waiting threads on stopping
* BUG/MINOR: pollers: remove uneeded free in global init
* BUG/MINOR: pools: use %u not %d to report pool stats in 'show pools'
* BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
* BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
* BUG/MINOR: http-ana: fix NTLM response parsing again
* BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
* BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
* BUG/MINOR: sample: Set the correct type when a binary is converted to a string
* CLEANUP: connections: align function declaration
* BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
* BUG/MEDIUM: connections: force connections cleanup on server changes
* BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure
* BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.
* BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
* BUG/MINOR: checks: Remove a warning about http health checks
* BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
* BUG/MEDIUM: checks: Always initialize checks before starting them
* BUG/MINOR: checks/server: use_ssl member must be signed
* BUG/MEDIUM: server/checks: Init server check during config validity check
* Revert 'BUG/MINOR: connection: make sure to correctly tag local PROXY connections'
* BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection
* REGTEST: ssl: test the client certificate authentication
* MINOR: stream: report the list of active filters on stream crashes
* BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
* BUG/MEDIUM: shctx: really check the lock's value while waiting
* BUG/MINOR: debug: properly use long long instead of long for the thread ID
* MINOR: threads: export the POSIX thread ID in panic dumps
* BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
* BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream
* BUG/MEDIUM: http: the 'unique-id' sample fetch could crash without a steeam
* BUG/MEDIUM: http: the 'http_first_req' sample fetch could crash without a steeam
* BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
* BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
* BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
* BUG/MINOR: checks: chained expect will not properly wait for enough data
* BUG/MINOR: checks: Respect the no-check-ssl option
* MINOR: checks: Add a way to send custom headers and payload during http chekcs
* BUG/MINOR: check: Update server address and port to execute an external check
* DOC: option logasap does not depend on mode
* BUG/MINOR: http: make url_decode() optionally convert '+' to SP
* BUG/MINOR: tools: fix the i386 version of the div64_32 function
* BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
* BUG/MINOR: ssl: default settings for ssl server options are not used
* DOC: Improve documentation on http-request set-src
* DOC: hashing: update link to hashing functions
* BUG/MINOR: peers: Incomplete peers sections should be validated.
* BUG/MINOR: protocol_buffer: Wrong maximum shifting.
Patchnames: SUSE-2023-2117,SUSE-SLE-Product-HA-15-SP1-2023-2117
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.3 (Critical)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Feature update for haproxy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for haproxy fixes the following issues:\n\nUpdate to version 2.0.31 (jsc#PED-3821):\n\n* BUG/CRITICAL: http: properly reject empty http header field names\n* CI: github: don\u0027t warn on deprecated openssl functions on windows\n* DOC: proxy-protocol: fix wrong byte in provided example\n* DOC: config: \u0027http-send-name-header\u0027 option may be used in default section\n* DOC: config: fix option spop-check proxy compatibility\n* BUG/MEDIUM: cache: use the correct time reference when comparing dates\n* BUG/MEDIUM: stick-table: do not leave entries in end of window during purge\n* BUG/MEDIUM: ssl: wrong eviction from the session cache tree\n* BUG/MINOR: http-ana: make set-status also update txn-\u003estatus\n* BUG/MINOR: http-fetch: Don\u0027t block HTTP sample fetch eval in HTTP_MSG_ERROR state\n* BUG/MINOR: promex: Don\u0027t forget to consume the request on error\n* BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action\n* BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned\n* BUILD: makefile: sort the features list\n* BUILD: makefile: build the features list dynamically\n* BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats\n* BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set\n* LICENSE: wurfl: clarify the dummy library license.\n* BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout\n* BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers\n* BUG/MINOR: ssl: Fix potential overflow\n* BUG/MEDIUM: ssl: Verify error codes can exceed 63\n* CI: github: change \u0027ubuntu-latest\u0027 to \u0027ubuntu-20.04\u0027\n* SCRIPTS: announce-release: add a link to the data plane API\n* [RELEASE] Released version 2.0.30\n* Revert \u0027CI: determine actual LibreSSL version dynamically\u0027\n* DOC: config: clarify the -m dir and -m dom pattern matching methods\n* DOC: config: clarify the fact that \u0027retries\u0027 is not just for connections\n* DOC: config: explain how default matching method for ACL works\n* DOC: config: clarify the fact that SNI should not be used in HTTP scenarios\n* DOC: config: provide some configuration hints for \u0027http-reuse\u0027\n* BUILD: listener: fix build warning on global_listener_rwlock without threads\n* BUILD: peers: Remove unused variables\n* BUG/MEDIUM: peers: messages about unkown tables not correctly ignored\n* BUG/MINOR: http_ana/txn: don\u0027t re-initialize txn and req var lists\n* BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task\n* CI: emit the compiler\u0027s version in the build reports\n* CI: add monthly gcc cross compile jobs\n* BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task\n* BUG/MAJOR: stick-table: don\u0027t process store-response rules for applets\n* DOC: management: add forgotten \u0027show startup-logs\u0027\n* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition\n* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py\n* BUG/MAJOR: stick-tables: do not try to index a server name for applets\n* DOC: configuration: missing \u0027if\u0027 in tcp-request content example\n* BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os\n* BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()\n* BUG/MEDIUM: lua: handle stick table implicit arguments right.\n* BUILD: cfgparse: Fix GCC warning about a variable used after realloc\n* BUILD: fix compilation for OpenSSL-3.0.0-alpha17\n* BUG/MINOR: log: improper behavior when escaping log data\n* SCRIPTS: announce-release: update some URLs to https\n* BUG/MEDIUM: captures: free() an error capture out of the proxy lock\n* BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK\n* BUG/MINOR: signals/poller: ensure wakeup from signals\n* BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals\n* BUG/MINOR: h1: Support headers case adjustment for TCP proxies\n* REGTESTS: http_request_buffer: Add a barrier to not mix up log messages\n* BUG/MEDIUM: peers: Don\u0027t start resync on reload if local peer is not up-to-date\n* BUG/MEDIUM: peers: Don\u0027t use resync timer when local resync is in progress\n* BUG/MEDIUM: peers: Add connect and server timeut to peers proxy\n* BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode\n* DOC: configuration: do-resolve doesn\u0027t work with a port in the string\n* BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()\n* BUG/MEDIUM: mux-h2: do not fiddle with -\u003edsi to indicate demux is idle\n* BUILD: http: silence an uninitialized warning affecting gcc-5\n* BUG/MEDIUM: proxy: Perform a custom copy for default server settings\n* REORG: server: Export srv_settings_cpy() function\n* MINOR: server: Constify source server to copy its settings\n* BUG/MINOR: peers: Use right channel flag to consider the peer as connected\n* BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload\n* MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer\n* BUG/MINOR: ssl: free the fields in srv-\u003essl_ctx\n* BUG/MINOR: sockpair: wrong return value for fd_send_uxst()\n* BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible\n* BUG/MINOR: peers: fix possible NULL dereferences at config parsing\n* BUG/MINOR: peers/config: always fill the bind_conf\u0027s argument\n* BUG/MINOR: http-fetch: Use integer value when possible in \u0027method\u0027 sample fetch\n* BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created\n* BUG/MINOR: server: do not enable DNS resolution on disabled proxies\n* BUILD: compiler: implement unreachable for older compilers too\n* REGTESTS: http_request_buffer: Increase client timeout to wait \u0027slow\u0027 clients\n* REGTESTS: abortonclose: Add a barrier to not mix up log messages\n* BUG/MINOR: conn_stream: do not confirm a connection from the frontend path\n* DOC: peers: fix port number and addresses on new peers section format\n* DOC: peers: clarify when entry expiration date is renewed.\n* DOC: peers: indicate that some server settings are not usable\n* SCRIPTS: make publish-release try to launch make-releases-json\n* SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs\n* BUG/MEDIUM: sample: Fix adjusting size in word converter\n* BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section\n* BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections\n* BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols\n* BUG/MINOR: peers: fix error reporting of \u0027bind\u0027 lines\n* REGTESTS: abortonclose: Fix some race conditions\n* BUILD: fix build warning on solaris based systems with __maybe_unused.\n* CI: determine actual LibreSSL version dynamically\n* [RELEASE] Released version 2.0.29\n* BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x\n* CLEANUP: mux-h1: Fix comments and error messages for global options\n* BUG/MEDIUM: wdt: don\u0027t trigger the watchdog when p is unitialized\n* BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).\n* DOC: fix typo \u0027ant\u0027 for \u0027and\u0027 in INSTALL\n* BUG/MINOR: map/cli: make sure patterns don\u0027t vanish under \u0027show map\u0027\u0027s init\n* BUG/MINOR: map/cli: protect the backref list during \u0027show map\u0027 errors\n* BUG/MEDIUM: cli: make \u0027show cli sockets\u0027 really yield\n* BUG/MINOR: mux-h2: mark the stream as open before processing it not after\n* SCRIPTS: announce-release: add URL of dev packages\n* CI: github actions: update LibreSSL to 3.5.2\n* BUILD: sockpair: do not set unused flag\n* BUILD: proto_uxst: do not set unused flag\n* BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()\n* REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc\n* DOC: remove my name from the config doc\n* BUG/MINOR: cache: Disable cache if applet creation fails\n* SCRIPTS: announce-release: add shortened links to pending issues\n* DOC: lua: update a few doc URLs\n* SCRIPTS: announce-release: update the doc\u0027s URL\n* BUG/MEDIUM: compression: Don\u0027t forget to update htx_sl and http_msg flags\n* BUG/MEDIUM: mux-h1: Don\u0027t request more room on partial trailers\n* BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive\n* BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side\n* BUG/MINOR: cache: do not display expired entries in \u0027show cache\u0027\n* BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent\n* CI: Update to actions/cache@v3\n* CI: Update to actions/checkout@v3\n* BUG/MEDIUM: http-act: Don\u0027t replace URI if path is not found or invalid\n* BUG/MAJOR: mux_pt: always report the connection error to the conn_stream\n* DOC: reflect H2 timeout changes\n* BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts\n* MEDIUM: mux-h2: slightly relax timeout management rules\n* BUG/MEDIUM: stream-int: do not rely on the connection error once established\n* BUG/MINOR: tools: url2sa reads too far when no port nor path\n* BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf\n* CI: github actions: switch to LibreSSL-3.5.1\n* BUILD: dns: fix backport of previous dns fix\n* BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket\n* Revert \u0027BUG/MAJOR: mux-pt: Always destroy the backend connection on detach\u0027\n* BUG/MINOR: tools: fix url2sa return value with IPv4\n* [RELEASE] Released version 2.0.28\n* DOC: Fix usage/examples of deprecated ACLs\n* BUG/MINOR: stream: make the call_rate only count the no-progress calls\n* DOC: use the req.ssl_sni in examples\n* DOC: ssl: req_ssl_sni needs implicit TLS\n* BUG/MAJOR: mux-pt: Always destroy the backend connection on detach\n* BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing\n* DEBUG: cache: Update underlying buffer when loading HTX message in cache applet\n* BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: cli: shows correct mode in \u0027show sess\u0027\n* BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks\n* CLEANUP: atomic: add a fetch-and-xxx variant for common operations\n* CI: github actions: use cache for SSL libs\n* CI: github actions: add the output of $CC -dM -E-\n* BUG/MEDIUM: stream: Abort processing if response buffer allocation fails\n* BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer\n* BUG/MEDIUM: mux-h1: Don\u0027t wake h1s if mux is blocked on lack of output buffer\n* BUG/MINOR: tools: url2sa reads ipv4 too far\n* BUG/MINOR: mailers: negotiate SMTP, not ESMTP\n* CI: ssl: keep the old method for ancient OpenSSL versions\n* CI: ssl: do not needlessly build the OpenSSL docs\n* CI: ssl: enable parallel builds for OpenSSL on Linux\n* BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names\n* BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload\n* BUG/MEDIUM: mworker: close unused transferred FDs on load failure\n* MINOR: sock: move the unused socket cleaning code into its own function\n* BUG/MAJOR: spoe: properly detach all agents when releasing the applet\n* BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies\n* BUG/MINOR: mworker: does not erase the pidfile upon reload\n* BUG/MEDIUM: mworker: don\u0027t lose the stats socket on failed reload\n* BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them\n* BUG/MEDIUM: mcli: do not try to parse empty buffers\n* BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands\n* MINOR: channel: add new function co_getdelim() to support multiple delimiters\n* MEDIUM: cli: yield between each pipelined command\n* [RELEASE] Released version 2.0.27\n* BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer\n* BUG/MEDIUM: cli: Never wait for more data on client shutdown\n* BUILD/MINOR: fix solaris build with clang.\n* BUG/MEDIUM: mworker: don\u0027t use _getsocks in wait mode\n* BUG/MEDIUM: http-ana: Preserve response\u0027s FLT_END analyser on L7 retry\n* BUG/MINOR: cli: fix _getsocks with musl libc\n* CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free\n* BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning\n* DOC: fix misspelled keyword \u0027resolve_retries\u0027 in resolvers\n* BUILD: ssl: unbreak the build with newer libressl\n* BUILD: cli: clear a maybe-unused warning on some older compilers\n* BUG/MINOR: http: fix recent regression on authorization in legacy mode\n* Revert \u0027BUG/MEDIUM: resolvers: always check a valid item in query_list\u0027\n* BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose\n* BUG/MINOR: backend: do not set sni on connection reuse\n* BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode\n* DOC: config: Specify %Ta is only available in HTTP mode\n* DOC: spoe: Clarify use of the event directive in spoe-message section\n* MINOR: ssl: make tlskeys_list_get_next() take a list element\n* CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()\n* CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()\n* BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time\n* MINOR: cli: \u0027show version\u0027 displays the current process version\n* BUILD: general: always pass unsigned chars to is* functions\n* CLEANUP: peers: Remove unused static function `free_dcache_tx`\n* CLEANUP: peers: Remove unused static function `free_dcache`\n* REGTESTS: mark the abns test as broken again\n* BUILD: scripts/build-ssl.sh: use \u0027uname\u0027 instead of ${TRAVIS_OS_NAME}\n* BUILD: makefile: add entries to build common debugging tools\n* CI: Github Actions: temporarily disable BoringSSL builds\n* CI: Github Actions: switch to LibreSSL-3.3.3\n* CI: github actions: update LibreSSL to 3.2.5\n* Revert \u0027CI: Pin VTest to a known good commit\u0027\n* CI: github actions: switch to stable LibreSSL release\n* CI: Fix the coverity builds\n* CI: Fix DEBUG_STRICT definition for Coverity\n* CI: Pin VTest to a known good commit\n* CI: github actions: build several popular \u0027contrib\u0027 tools\n* CI: GitHub Actions: enable daily Coverity scan\n* CI: github actions: enable 51degrees feature\n* CI: github actions: update LibreSSL to 3.3.0\n* CI: Clean up Windows CI\n* CI: Pass the github.event_name to matrix.py\n* CI: Github Action: run \u0027apt-get update\u0027 before packages restore\n* CI: Github Actions: enable BoringSSL builds\n* CI: Github Actions: remove LibreSSL-3.0.2 builds\n* CI: Github Actions: enable prometheus exporter\n* CI: Stop hijacking the hosts file\n* CI: Expand use of GitHub Actions for CI\n* [RELEASE] Released version 2.0.26\n* BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found\n* BUG/MINOR: shctx: do not look for available blocks when the first one is enough\n* BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found\n* BUG/MEDIUM: mux-h2: always process a pending shut read\n* BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3\n* CLEANUP: ssl: Release cached SSL sessions on deinit\n* MINOR: mux-h2: perform a full cycle shutdown+drain on close\n* MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close\n* BUG/MINOR: stick-table/cli: Check for invalid ipv6 key\n* BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent\n* BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value\n* BUG/MINOR: mworker: doesn\u0027t launch the program postparser\n* BUG/MEDIUM: conn-stream: Don\u0027t reset CS flags on close\n* BUG/MINOR: http-ana: Apply stop to the current section for http-response rules\n* DOC: config: Fix typo in ssl_fc_unique_id description\n* BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value\n* BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary\n* MINOR: htx: Add a function to know if the free space wraps\n* MINOR: htx: Add an HTX flag to know when a message is fragmented\n* BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check\n* MINOR: stream: Improve dump of bogus streams\n* DOC: config: Fix alphabetical order of fc_* samples\n* BUG/MINOR: http: Authorization value can have multiple spaces after the scheme\n* BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration\n* CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT\n* CLEANUP: always initialize the answer_list\n* CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()\n* BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released\n* BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed\n* BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame\n* BUG/MEDIUM: resolvers: always check a valid item in query_list\n* BUILD: resolvers: avoid a possible warning on null-deref\n* MINOR: resolvers: merge address and target into a union \u0027data\u0027\n* BUG/MEDIUM: resolvers: use correct storage for the target address\n* BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix\n* MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero\n* BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records\n* BUG/MEDIUM: resolver: make sure to always use the correct hostname length\n* MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero\n* BUG/MEDIUM: sample: properly verify that variables cast to sample\n* MINOR: sample: provide a generic var-to-sample conversion function\n* CLEANUP: sample: uninline sample_conv_var2smp_str()\n* CLEANUP: sample: rename sample_conv_var2smp() to *_sint\n* BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error\n* BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames\n* BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule\n* BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release\n* BUG/MINOR: filters: Set right FLT_END analyser depending on channel\n* BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set\n* BUG/MEDIUM: http-ana: Reset channels analysers when returning an error\n* BUG/MINOR: stream: Don\u0027t release a stream if FLT_END is still registered\n* BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input\n* BUG/MAJOR: lua: use task_wakeup() to properly run a task once\n* BUG/MEDIUM: lua: fix wakeup condition from sleep()\n* DOC: peers: fix doc \u0027enable\u0027 statement on \u0027peers\u0027 sections\n* BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send \u0027trailers\u0027\n* BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM\n* BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data\n* BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer\n* BUG/MINOR: server: allow \u0027enable health\u0027 only if check configured\n* Revert \u0027REGTESTS: mark http_abortonclose as broken\u0027\n* BUG/MEDIUM: stream-int: Don\u0027t block SI on a channel policy if EOI is reached\n* MEDIUM: actions: Fix block ACL.\n* BUG/MINOR: stats: fix the POST requests processing in legacy mode\n* BUG/MEDIUM: http: check for a channel pending data before waiting\n* BUG/MINOR: cli/payload: do not search for args inside payload\n* BUG/MINOR: compat: make sure __WORDSIZE is always defined\n* BUG/MINOR: systemd: ExecStartPre must use -Ws\n* [RELEASE] Released version 2.0.25\n* REGTESTS: mark http_abortonclose as broken\n* MINOR: action: Use a generic function to check validity of an action rule list\n* Revert \u0027BUG/MINOR: stream-int: Don\u0027t block reads in si_update_rx() if chn may receive\u0027\n* BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer\n* CLEANUP: htx: remove comments about \u0027must be \u003c 256 MB\u0027\n* BUG/MINOR: config: reject configs using HTTP with bufsize \u003e= 256 MB\n* DOC: configuration: remove wrong tcp-request examples in tcp-response\n* CLEANUP: Add missing include guard to signal.h\n* BUG/MINOR: tools: Fix loop condition in dump_text()\n* BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time\n* BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long\n* BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords\n* MINOR: compiler: implement an ONLY_ONCE() macro\n* BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}\n* REGTESTS: abortonclose: after retries, 503 is expected, not close\n* BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-\n* [RELEASE] Released version 2.0.24\n* REGTESTS: add a test to prevent h2 desync attacks\n* BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header\n* DOC/MINOR: fix typo in management document\n* MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade\n* DOC: config: Fix \u0027http-response send-spoe-group\u0027 documentation\n* DOC: Improve the lua documentation\n* BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued\n* BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released\n* MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure\n* BUG/MINOR: server: update last_change on maint-\u003eready transitions too\n* BUG/MINOR: connection: Add missing error labels to conn_err_code_str\n* BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames\n* BUG/MINOR: mux-h2: Obey dontlognull option during the preface\n* BUG/MINOR: systemd: must check the configuration using -Ws\n* BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs\n* BUG/MEDIUM: mworker: do not register an exit handler if exit is expected\n* BUILD: add detection of missing important CFLAGS\n* BUG/MEDIUM: tcp-check: Do not dereference inexisting connection\n* [RELEASE] Released version 2.0.23\n* BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled\n* BUG/MINOR: server-state: load SRV resolution only if params match the config\n* CLEANUP: pools: remove now unused seq and pool_free_list\n* BUG/MAJOR: pools: fix possible race with free() in the lockless variant\n* MEDIUM: pools: use a single pool_gc() function for locked and lockless\n* MEDIUM: memory: make pool_gc() run under thread isolation\n* BUG/MEDIUM: pools: Always update free_list in pool_gc().\n* MINOR: pools: do not maintain the lock during pool_flush()\n* BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()\n* MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS\n* Revert \u0027MINOR: tcp-act: Add set-src/set-src-port for \u0027tcp-request content\u0027 rules\u0027\n* BUG/MINOR: peers: fix data_type bit computation more than 32 data_types\n* MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()\n* BUG/MINOR: resolvers: Reset server IP when no ip is found in the response\n* DOC: config: use CREATE USER for mysql-check\n* DOC: peers: fix the protocol tag name in the doc\n* DOC: stick-table: add missing documentation about gpt0 stored type\n* BUG/MINOR: stick-table: fix several printf sign errors dumping tables\n* BUG/MINOR: cli: fix server name output in \u0027show fd\u0027\n* BUG/MEDIUM: sock: make sure to never miss early connection failures\n* BUG/MINOR: server/cli: Fix locking in function processing \u0027set server\u0027 command\n* BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI\n* BUG/MINOR: resolvers: answser item list was randomly purged or errors\n* DOC: config: Add missing actions in \u0027tcp-request session\u0027 documentation\n* MINOR: tcp-act: Add set-src/set-src-port for \u0027tcp-request content\u0027 rules\n* BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check\n* BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function\n* BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken\n* MINOR: mux-h2: obey http-ignore-probes during the preface\n* BUG/MAJOR: queue: set SF_ASSIGNED when setting strm-\u003etarget on dequeue\n* BUG/MINOR: mworker: fix typo in chroot error message\n* BUG/MINOR: ssl: use atomic ops to update global shctx stats\n* BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE\n* BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id\n* DOC: lua: Add a warning about buffers modification in HTTP\n* BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded\n* BUG/MEDIUM: dns: reset file descriptor if send returns an error\n* BUG/MEDIUM: compression: Add a flag to know the filter is still processing data\n* BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future\n* BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree\n* BUG/MINOR: http: Missing calloc return value check in make_arg_list\n* BUG/MINOR: http: Missing calloc return value check while parsing redirect rule\n* BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list\n* BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo\n* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule\n* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response\n* BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy\n* BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare\n* BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture\n* BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine\n* BUG/MINOR: peers: Missing calloc return value check in peers_register_table\n* BUG/MINOR: server: Missing calloc return value check in srv_parse_source\n* BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts\n* BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response\n* BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter\n* BUG/MAJOR: server: prevent deadlock when using \u0027set maxconn server\u0027\n* BUG/MEDIUM: ebtree: Invalid read when looking for dup entry\n* REGTESTS: Add script to test abortonclose option\n* MEDIUM: mux-h1: Don\u0027t block reads when waiting for the other side\n* BUG/MINOR: stream-int: Don\u0027t block reads in si_update_rx() if chn may receive\n* MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()\n* BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port\n* BUG/MINOR: stream: Reset stream final state and si error type on L7 retry\n* BUG/MINOR: stream: properly clear the previous error mask on L7 retries\n* BUG/MINOR: stream: Decrement server current session counter on L7 retry\n* BUG/MEDIUM: cli: prevent memory leak on write errors\n* BUG/MINOR: hlua: Don\u0027t rely on top of the stack when using Lua buffers\n* MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode\n* MINOR: peers: add informative flags about resync process for debugging\n* BUG/MEDIUM: peers: reset tables stage flags stages on new conns\n* BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly\n* BUG/MEDIUM: peers: reset commitupdate value in new conns\n* BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected\n* BUG/MEDIUM: peers: stop considering ack messages teaching a full resync\n* BUG/MEDIUM: peers: register last acked value as origin receiving a resync req\n* BUG/MEDIUM: peers: initialize resync timer to get an initial full resync\n* BUG/MINOR: applet: Notify the other side if data were consumed by an applet\n* BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message\n* BUG/MEDIUM: peers: re-work refcnt on table to protect against flush\n* BUG/MEDIUM: peers: re-work connection to new process during reload.\n* BUG/MINOR: peers: remove useless table check if initial resync is finished\n* BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data\n* BUG/MINOR: mworker: don\u0027t use oldpids[] anymore for reload\n* BUG/MINOR: mworker/init: don\u0027t reset nb_oldpids in non-mworker cases\n* BUG/MEDIUM: config: fix cpu-map notation with both process and threads\n* BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames\n* BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers\n* BUG/MINOR: server: free srv.lb_nodes in free_server\n* BUG/MINOR: mux-h1: Release idle server H1 connection if data are received\n* BUG/MINOR: logs: Report the true number of retries if there was no connection\n* BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function\n* BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded\n* BUG/MEDIUM: threads: Ignore current thread to end its harmless period\n* BUG/MEDIUM: sample: Fix adjusting size in field converter\n* DOC: clarify that compression works for HTTP/2\n* BUG/MINOR: tools: fix parsing \u0027us\u0027 unit for timers\n* DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options\n* [RELEASE] Released version 2.0.22\n* BUG/MEDIUM: resolvers: Don\u0027t release resolution from a requester callbacks\n* MINOR: resolvers: Directly call srvrq_update_srv_state() when possible\n* MINOR: resolvers: Add function to change the srv status based on SRV resolution\n* MINOR: resolvers: Purge answer items when a SRV resolution triggers an error\n* MINOR: resolvers: Use a function to remove answers attached to a resolution\n* BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution\n* BUG/MAJOR: dns: disabled servers through SRV records never recover\n* BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status\n* BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields\n* BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS\n* BUG/MINOR: tcp: fix silent-drop workaround for IPv6\n* BUG/MINOR: stats: Apply proper styles in HTML status page.\n* BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent\n* BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters\n* MINOR: tools: make url2ipv4 return the exact number of bytes parsed\n* BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless\n* BUG/MEDIUM: time: make sure to always initialize the global tick\n* BUG/MEDIUM: lua: Always init the lua stack before referencing the context\n* BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback\n* MINOR: lua: Slightly improve function dumping the lua traceback\n* MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket\n* BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable\n* MINOR: time: also provide a global, monotonic global_now_ms timer\n* [RELEASE] Released version 2.0.21\n* BUG/MINOR: freq_ctr/threads: make use of the last updated global time\n* MINOR: time: export the global_now variable\n* BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames\n* BUG/MINOR: resolvers: Reset server address on DNS error only on status change\n* BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error\n* CLEANUP: tcp-rules: add missing actions in the tcp-request error message\n* BUG/MINOR: session: Add some forgotten tests on session\u0027s listener\n* BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters\n* BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached\n* BUG/MEDIUM: session: NULL dereference possible when accessing the listener\n* BUG/MINOR: ssl: don\u0027t truncate the file descriptor to 16 bits in debug mode\n* BUG/MINOR: hlua: Don\u0027t strip last non-LWS char in hlua_pushstrippedstring()\n* BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive\n* BUG/MINOR: http-ana: Don\u0027t increment HTTP error counter on read error/timeout\n* DOC: spoe: Add a note about fragmentation support in HAProxy\n* BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread \u003e 1\n* BUG/MINOR: connection: Use the client\u0027s dst family for adressless servers\n* BUG/MINOR: tcp-act: Don\u0027t forget to set the original port for IPv4 set-dst rule\n* BUG/MINOR: http-ana: Only consider dst address to process originalto option\n* BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()\n* BUG/MEDIUM: resolvers: Reset address for unresolved servers\n* BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records\n* BUG/MINOR: resolvers: new callback to properly handle SRV record errors\n* BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal\n* BUG/MEDIUM: cli/shutdown sessions: make it thread-safe\n* BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop\n* BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe\n* BUG/MINOR: sample: secure convs that accept base64 string and var name as args\n* BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok\n* BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line\n* BUG/MINOR: server: Init params before parsing a new server-state line\n* BUG/MINOR: sample: Always consider zero size string samples as unsafe\n* BUG/MINOR: checks: properly handle wrapping time in __health_adjust()\n* BUG/MINOR: session: atomically increment the tracked sessions counter\n* BUG/MINOR: server: Remove RMAINT from admin state when loading server state\n* CLEANUP: channel: fix comment in ci_putblk.\n* BUG/MINOR: server: Don\u0027t call fopen() with server-state filepath set to NULL\n* BUG/MINOR: cfgparse: do not mention \u0027addr:port\u0027 as supported on proxy lines\n* BUG/MEDIUM: config: don\u0027t pick unset values from last defaults section\n* CLEANUP: deinit: release global and per-proxy server-state variables on deinit\n* BUG/MINOR: server: Fix server-state-file-name directive\n* BUG/MINOR: backend: hold correctly lock when killing idle conn\n* BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()\n* BUG/MINOR: server: re-align state file fields number\n* BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state\n* BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty\n* BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED\n* BUG/MEDIUM: mux-h2: handle remaining read0 cases\n* BUILD: Makefile: move REGTESTST_TYPE default setting\n* BUG/MINOR: xxhash: make sure armv6 uses memcpy()\n* BUG/MEDIUM: ssl: check a connection\u0027s status before computing a handshake\n* BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list\n* DOC: management: fix \u0027show resolvers\u0027 alphabetical ordering\n* BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name\n* BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown\n* BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition\n* BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX\n* BUG/MEDIUM: mux-h2: fix read0 handling on partial frames\n* BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()\n* BUG/MINOR: peers: Wrong \u0027new_conn\u0027 value for \u0027show peers\u0027 CLI command.\n* BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable\n* BUG/MINOR: sample: Memory leak of sample_expr structure in case of error\n* BUG/MINOR: sample: check alloc_trash_chunk return value in concat()\n* [RELEASE] Released version 2.0.20\n* BUG/MINOR: sample: fix concat() converter\u0027s corruption with non-string variables\n* DOC: Add maintainers for the Prometheus exporter\n* SCRIPTS: announce-release: fix typo in help message\n* DOC: fix some spelling issues over multiple files\n* MINOR: contrib/prometheus-exporter: export build_info\n* BUILD: Makefile: exclude broken tests by default\n* BUG/MINOR: srv: do not init address if backend is disabled\n* SCRIPTS: make announce release support preparing announces before tag exists\n* SCRIPTS: improve announce-release to support different tag and versions\n* BUG/MINOR: cfgparse: Fail if the strdup() for `rule-\u003ebe.name` for `use_backend` fails\n* MINOR: atomic: don\u0027t use ; to separate instruction on aarch64.\n* BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h\n* BUILD: plock: remove dead code that causes a warning in gcc 11\n* CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps\n* CONTRIB: halog: mark the has_zero* functions unused\n* CONTRIB: halog: fix build issue caused by %L printf format\n* BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode\n* BUG/MINOR: mux-h1: Don\u0027t set CS_FL_EOI too early for protocol upgrade requests\n* BUILD: Makefile: have \u0027make clean\u0027 destroy .o/.a/.s in contrib subdirs as well\n* REGTESTS: make use of HAPROXY_ARGS and pass -dM by default\n* CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric\n* CLEANUP: lua: Remove declaration of an inexistant function\n* BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight\n* BUG/MINOR: tools: Reject size format not starting by a digit\n* BUG/MINOR: tools: make parse_time_err() more strict on the timer validity\n* DOC: email change of the DeviceAtlas maintainer\n* BUG/MEDIUM: spoa/python: Fixing references to None\n* BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments\n* BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails\n* BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations\n* DOC: spoa/python: Fixing typos in comments\n* DOC: spoa/python: Rephrasing memory related error messages\n* DOC: spoa/python: Fixing typo in IP related error messages\n* BUG/MAJOR: spoa/python: Fixing return None\n* DOC/MINOR: Fix formatting in Management Guide\n* BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times\n* MINOR: cli: add a function to look up a CLI service description\n* MINOR: actions: add a function returning a service pointer from its name\n* MINOR: actions: Export actions lookup functions\n* BUG/MINOR: lua: Some lua init operation are processed unsafe\n* BUG/MINOR: lua: Post init register function are not executed beyond the first one\n* BUG/MINOR: lua: lua-load doesn\u0027t check its parameters\n* MINOR: plock: use an ARMv8 instruction barrier for the pause instruction\n* DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section\n* BUG/MAJOR: peers: fix partial message decoding\n* BUG/MAJOR: filters: Always keep all offsets up to date during data filtering\n* BUG/MINOR: http-ana: Don\u0027t wait for the body of CONNECT requests\n* BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering\n* BUILD: http-htx: fix build warning regarding long type in printf\n* MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.\n* MINOR: spoe: Don\u0027t close connection in sync mode on processing timeout\n* BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet\n* BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches\n* BUG/MINOR: http-fetch: Extract cookie value even when no cookie name\n* BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages\n* BUG/MINOR: peers: Missing TX cache entries reset.\n* BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.\n* BUG/MINOR: lua: set buffer size during map lookups\n* BUG/MINOR: pattern: a sample marked as const could be written\n* [RELEASE] Released version 2.0.19\n* BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn\u0027t match the C-L\n* MINOR: http-htx: Add understandable errors for the errorfiles parsing\n* BUG/MEDIUM: stick-table: limit the time spent purging old entries\n* BUG/MINOR: filters: Skip disabled proxies during startup only\n* BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade\n* MINOR: server: Copy configuration file and line for server templates\n* BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup\n* BUG/MEDIUM: filters: Don\u0027t try to init filters for disabled proxies\n* BUG/MINOR: cache: Inverted variables in http_calc_maxage function\n* BUG/MINOR: lua: initialize sample before using it\n* BUG/MINOR: server: fix down_time report for stats\n* BUG/MINOR: server: fix srv downtime calcul on starting\n* BUG/MINOR: log: fix memory leak on logsrv parse error\n* BUG/MINOR: extcheck: add missing checks on extchk_setenv()\n* BUG/MAJOR: mux-h2: Don\u0027t try to send data if we know it is no longer possible\n* BUG/MINOR: http-ana: Don\u0027t send payload for internal responses to HEAD requests\n* BUG/MEDIUM: server: support changing the slowstart value from state-file\n* BUG/MINOR: queue: properly report redistributed connections\n* BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.\n* BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn\n* BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages\n* BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided\n* BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once\n* MINOR: fd: report an error message when failing initial allocations\n* BUG/MINOR: mux-h2: do not stop outgoing connections on stopping\n* BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited\n* BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().\n* BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses\n* BUG/MEDIUM: mux-h2: Don\u0027t handle pending read0 too early on streams\n* BUG/MINOR: mux-h1: Always set the session on frontend h1 stream\n* BUG/MINOR: peers: Inconsistency when dumping peer status codes.\n* MINOR: hlua: Display debug messages on stderr only in debug mode\n* BUG/MINOR: stats: fix validity of the json schema\n* MINOR: counters: fix a typo in comment\n* BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe\n* BUG/MINOR: Fix several leaks of \u0027log_tag\u0027 in init().\n* BUILD: makefile: Fix building with closefrom() support enabled\n* DOC: ssl: crt-list negative filters are only a hint\n* [RELEASE] Released version 2.0.18\n* REGTEST: make map_regm_with_backref require 1.7\n* REGTEST: make abns_socket.vtc require 1.8\n* REGTEST: fix host part in balance-uri-path-only.vtc\n* REGTESTS: add a few load balancing tests\n* DOC: agent-check: fix typo in \u0027fail\u0027 word expected reply\n* DOC: spoa-server: fix false friends `actually`\n* BUG/MEDIUM: listeners: do not pause foreign listeners\n* BUG/MINOR: config: Fix memory leak on config parse listen\n* BUG/MINOR: Fix memory leaks cfg_parse_peers\n* BUG/MEDIUM: h2: report frame bits only for handled types\n* BUG/MINOR: http-fetch: Don\u0027t set the sample type during the htx prefetch\n* BUG/MINOR: server: report correct error message for invalid port on \u0027socks4\u0027\n* BUG/MINOR: ssl: verifyhost is case sensitive\n* BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate\n* BUG/MEDIUM: http-ana: Don\u0027t wait to send 1xx responses received from servers\n* BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned\n* BUILD: threads: better workaround for late loading of libgcc_s\n* BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections\n* BUG/MINOR: auth: report valid crypto(3) support depending on build options\n* CLEANUP: Update .gitignore\n* MINOR: Commit .gitattributes\n* BUILD: thread: limit the libgcc_s workaround to glibc only\n* BUG/MINOR: threads: work around a libgcc_s issue with chrooting\n* BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()\n* BUG/MEDIUM: doc: Fix replace-path action description\n* BUG/MINOR: startup: haproxy -s cause 100% cpu\n* BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address\n* BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure\n* BUG/MINOR: contrib/spoa-server: Do not free reference to NULL\n* BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed\n* BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak\n* DOC: cache: Use \u0027\u003cname\u003e\u0027 instead of \u0027\u003cid\u003e\u0027 in error message\n* BUG/MINOR: reload: do not fail when no socket is sent\n* BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction\n* BUG/MINOR: stats: use strncmp() instead of memcmp() on health states\n* BUG/MINOR: snapshots: leak of snapshots on deinit()\n* BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation\n* BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation\n* BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime\n* BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send\n* BUG/MEDIUM: mux-h2: Don\u0027t fail if nothing is parsed for a legacy chunk response\n* SCRIPTS: git-show-backports: emit the shell command to backport a commit\n* SCRIPTS: git-show-backports: make -m most only show the left branch\n* [RELEASE] Released version 2.0.17\n* SCRIPTS: announce-release: add the link to the wiki in the announce messages\n* MINOR: stream-int: Be sure to have a mux to do sends and receives\n* MINOR: connection: Preinstall the mux for non-ssl connect\n* BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields\n* BUG/MEDIUM: dns: Don\u0027t yield in do-resolve action on a final evaluation\n* MEDIUM: lua: Add support for the Lua 5.4\n* BUG/MINOR: debug: Don\u0027t dump the lua stack if it is not initialized\n* BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received\n* BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected\n* BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed\n* BUG/MAJOR: dns: Make the do-resolve action thread-safe\n* BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete\n* BUG/MEDIUM: resolve: fix init resolving for ring and peers section.\n* BUG/MINOR: cfgparse: don\u0027t increment linenum on incomplete lines\n* BUILD: thread: add parenthesis around values of locking macros\n* MINOR: pools: increase MAX_BASE_POOLS to 64\n* BUG/MINOR: threads: Don\u0027t forget to init each thread toremove_lock.\n* REGEST: Add reg tests about error files\n* BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()\n* [RELEASE] Released version 2.0.16\n* BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked\n* BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.\n* BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode\n* CONTRIB: da: fix memory leak in dummy function da_atlas_open()\n* BUG/MINOR: sample: Free str.area in smp_check_const_meth\n* BUG/MINOR: sample: Free str.area in smp_check_const_bool\n* DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x\n* BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode\n* BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection\n* MINOR: http: Add support for http 413 status\n* BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server\n* BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready\n* MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only\n* BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()\n* BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received\n* BUG/MINOR: mux-h1: Disable splicing only if input data was processed\n* BUG/MINOR: mux-h1: Don\u0027t read data from a pipe if the mux is unable to receive\n* BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode\n* BUG/MINOR: http_act: don\u0027t check capture id in backend (2)\n* DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio\n* DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio\n* BUG/MINOR: proxy: always initialize the trash in show servers state\n* BUG/MINOR: proxy: fix dump_server_state()\u0027s misuse of the trash\n* BUG/MEDIUM: pattern: Add a trailing \\0 to match strings only if possible\n* DOC: ssl: add \u0027allow-0rtt\u0027 and \u0027ciphersuites\u0027 in crt-list\n* MINOR: cli: make \u0027show sess\u0027 stop at the last known session\n* BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL\n* REGTEST: ssl: add some ssl_c_* sample fetches test\n* REGTEST: ssl: tests the ssl_f_* sample fetches\n* MINOR: spoe: Don\u0027t systematically create new applets if processing rate is low\n* BUG/MINOR: http_ana: clarify connection pointer check on L7 retry\n* BUG/MINOR: spoe: correction of setting bits for analyzer\n* REGTEST: Add a simple script to tests errorfile directives in proxy sections\n* BUG/MINOR: systemd: Wait for network to be online\n* MEDIUM: map: make the \u0027clear map\u0027 operation yield\n* REGTEST: http-rules: test spaces in ACLs with master CLI\n* REGTEST: http-rules: test spaces in ACLs\n* BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI\n* BUG/MINOR: mworker/cli: fix the escaping in the master CLI\n* BUG/MINOR: cli: allow space escaping on the CLI\n* BUG/MINOR: spoe: add missing key length check before checking key names\n* BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks\n* BUG/MINOR: tcp-rules: tcp-response must check the buffer\u0027s fullness\n* MINOR: http: Add 404 to http-request deny\n* MINOR: http: Add 410 to http-request deny\n* [RELEASE] Released version 2.0.15\n* REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used\n* BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl \u003c 1.1.0\n* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation\n* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv\n* BUG/MEDIUM: pattern: fix thread safety of pattern matching\n* BUG/MEDIUM: log: don\u0027t hold the log lock during writev() on a file descriptor\n* BUG/MINOR: mworker: fix a memleak when execvp() failed\n* BUG/MEDIUM: mworker: fix the reload with an -- option\n* BUG/MINOR: init: -S can have a parameter starting with a dash\n* BUG/MINOR: init: -x can have a parameter starting with a dash\n* BUG/MEDIUM: mworker: fix the copy of options in copy_argv()\n* BUILD: makefile: adjust the sed expression of \u0027make help\u0027 for solaris\n* BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version\n* BUG/MEDIUM: logs: fix trailing zeros on log message.\n* BUG/MINOR: logs: prevent double line returns in some events.\n* BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics\n* BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations\n* BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action\n* BUG/MINOR: peers: fix internal/network key type mapping.\n* SCRIPTS: publish-release: pass -n to gzip to remove timestamp\n* Revert \u0027BUG/MEDIUM: connections: force connections cleanup on server changes\u0027\n* BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf\n* BUG/MINOR: lua: Add missing string length for lua sticktable lookup\n* BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable\n* BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified\n* BUG/MINOR: cache: Don\u0027t needlessly test \u0027cache\u0027 keyword in parse_cache_flt()\n* BUILD: select: only declare existing local labels to appease clang\n* BUG/MINOR: soft-stop: always wake up waiting threads on stopping\n* BUG/MINOR: pollers: remove uneeded free in global init\n* BUG/MINOR: pools: use %u not %d to report pool stats in \u0027show pools\u0027\n* BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \\x sequence is encountered\n* BUG/MEDIUM: http_ana: make the detection of NTLM variants safer\n* BUG/MINOR: http-ana: fix NTLM response parsing again\n* BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur\n* BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT\n* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()\n* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()\n* BUG/MINOR: sample: Set the correct type when a binary is converted to a string\n* CLEANUP: connections: align function declaration\n* BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()\n* BUG/MEDIUM: connections: force connections cleanup on server changes\n* BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure\n* BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.\n* BUG/MEDIUM: streams: Remove SF_ADDR_SET if we\u0027re retrying due to L7 retry.\n* BUG/MINOR: checks: Remove a warning about http health checks\n* BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks\n* BUG/MEDIUM: checks: Always initialize checks before starting them\n* BUG/MINOR: checks/server: use_ssl member must be signed\n* BUG/MEDIUM: server/checks: Init server check during config validity check\n* Revert \u0027BUG/MINOR: connection: make sure to correctly tag local PROXY connections\u0027\n* BUG/MEDIUM: backend: don\u0027t access a non-existing mux from a previous connection\n* REGTEST: ssl: test the client certificate authentication\n* MINOR: stream: report the list of active filters on stream crashes\n* BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock\n* BUG/MEDIUM: shctx: really check the lock\u0027s value while waiting\n* BUG/MINOR: debug: properly use long long instead of long for the thread ID\n* MINOR: threads: export the POSIX thread ID in panic dumps\n* BUG/MEDIUM: listener: mark the thread as not stuck inside the loop\n* BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream\n* BUG/MEDIUM: http: the \u0027unique-id\u0027 sample fetch could crash without a steeam\n* BUG/MEDIUM: http: the \u0027http_first_req\u0027 sample fetch could crash without a steeam\n* BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream\n* BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream\n* BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function\n* BUG/MINOR: checks: chained expect will not properly wait for enough data\n* BUG/MINOR: checks: Respect the no-check-ssl option\n* MINOR: checks: Add a way to send custom headers and payload during http chekcs\n* BUG/MINOR: check: Update server address and port to execute an external check\n* DOC: option logasap does not depend on mode\n* BUG/MINOR: http: make url_decode() optionally convert \u0027+\u0027 to SP\n* BUG/MINOR: tools: fix the i386 version of the div64_32 function\n* BUG/MEDIUM: http-ana: Handle NTLM messages correctly.\n* BUG/MINOR: ssl: default settings for ssl server options are not used\n* DOC: Improve documentation on http-request set-src\n* DOC: hashing: update link to hashing functions\n* BUG/MINOR: peers: Incomplete peers sections should be validated.\n* BUG/MINOR: protocol_buffer: Wrong maximum shifting.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-2117,SUSE-SLE-Product-HA-15-SP1-2023-2117",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-fu-2023_2117-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-FU-2023:2117-1",
"url": "https://www.suse.com/support/update/announcement//suse-fu-20232117-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-FU-2023:2117-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2023-May/029207.html"
},
{
"category": "self",
"summary": "SUSE Bug 1207181",
"url": "https://bugzilla.suse.com/1207181"
},
{
"category": "self",
"summary": "SUSE Bug 1208132",
"url": "https://bugzilla.suse.com/1208132"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0056 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0056/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25725 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25725/"
}
],
"title": "Feature update for haproxy",
"tracking": {
"current_release_date": "2023-05-05T20:27:49Z",
"generator": {
"date": "2023-05-05T20:27:49Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-FU-2023:2117-1",
"initial_release_date": "2023-05-05T20:27:49Z",
"revision_history": [
{
"date": "2023-05-05T20:27:49Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150100.8.31.1.aarch64",
"product": {
"name": "haproxy-2.0.31-150100.8.31.1.aarch64",
"product_id": "haproxy-2.0.31-150100.8.31.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150100.8.31.1.i586",
"product": {
"name": "haproxy-2.0.31-150100.8.31.1.i586",
"product_id": "haproxy-2.0.31-150100.8.31.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150100.8.31.1.ppc64le",
"product": {
"name": "haproxy-2.0.31-150100.8.31.1.ppc64le",
"product_id": "haproxy-2.0.31-150100.8.31.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150100.8.31.1.s390x",
"product": {
"name": "haproxy-2.0.31-150100.8.31.1.s390x",
"product_id": "haproxy-2.0.31-150100.8.31.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150100.8.31.1.x86_64",
"product": {
"name": "haproxy-2.0.31-150100.8.31.1.x86_64",
"product_id": "haproxy-2.0.31-150100.8.31.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150100.8.31.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64"
},
"product_reference": "haproxy-2.0.31-150100.8.31.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150100.8.31.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le"
},
"product_reference": "haproxy-2.0.31-150100.8.31.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150100.8.31.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x"
},
"product_reference": "haproxy-2.0.31-150100.8.31.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150100.8.31.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
},
"product_reference": "haproxy-2.0.31-150100.8.31.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0056"
}
],
"notes": [
{
"category": "general",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0056",
"url": "https://www.suse.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "SUSE Bug 1207181 for CVE-2023-0056",
"url": "https://bugzilla.suse.com/1207181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-05-05T20:27:49Z",
"details": "important"
}
],
"title": "CVE-2023-0056"
},
{
"cve": "CVE-2023-25725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25725"
}
],
"notes": [
{
"category": "general",
"text": "HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25725",
"url": "https://www.suse.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "SUSE Bug 1208132 for CVE-2023-25725",
"url": "https://bugzilla.suse.com/1208132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.31.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-05-05T20:27:49Z",
"details": "critical"
}
],
"title": "CVE-2023-25725"
}
]
}
SUSE-FU-2023:2119-1
Vulnerability from csaf_suse - Published: 2023-05-05 20:29 - Updated: 2023-05-05 20:29Summary
Feature update for haproxy
Severity
Moderate
Notes
Title of the patch: Feature update for haproxy
Description of the patch: This update for haproxy fixes the following issues:
Update to version 2.0.31 (jsc#PED-3821):
* BUG/CRITICAL: http: properly reject empty http header field names
* CI: github: don't warn on deprecated openssl functions on windows
* DOC: proxy-protocol: fix wrong byte in provided example
* DOC: config: 'http-send-name-header' option may be used in default section
* DOC: config: fix option spop-check proxy compatibility
* BUG/MEDIUM: cache: use the correct time reference when comparing dates
* BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
* BUG/MEDIUM: ssl: wrong eviction from the session cache tree
* BUG/MINOR: http-ana: make set-status also update txn->status
* BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
* BUG/MINOR: promex: Don't forget to consume the request on error
* BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
* BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
* BUILD: makefile: sort the features list
* BUILD: makefile: build the features list dynamically
* BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
* BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
* LICENSE: wurfl: clarify the dummy library license.
* BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
* BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
* BUG/MINOR: ssl: Fix potential overflow
* BUG/MEDIUM: ssl: Verify error codes can exceed 63
* CI: github: change 'ubuntu-latest' to 'ubuntu-20.04'
* SCRIPTS: announce-release: add a link to the data plane API
* [RELEASE] Released version 2.0.30
* Revert 'CI: determine actual LibreSSL version dynamically'
* DOC: config: clarify the -m dir and -m dom pattern matching methods
* DOC: config: clarify the fact that 'retries' is not just for connections
* DOC: config: explain how default matching method for ACL works
* DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
* DOC: config: provide some configuration hints for 'http-reuse'
* BUILD: listener: fix build warning on global_listener_rwlock without threads
* BUILD: peers: Remove unused variables
* BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
* BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
* BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
* CI: emit the compiler's version in the build reports
* CI: add monthly gcc cross compile jobs
* BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
* BUG/MAJOR: stick-table: don't process store-response rules for applets
* DOC: management: add forgotten 'show startup-logs'
* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
* BUG/MAJOR: stick-tables: do not try to index a server name for applets
* DOC: configuration: missing 'if' in tcp-request content example
* BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
* BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
* BUG/MEDIUM: lua: handle stick table implicit arguments right.
* BUILD: cfgparse: Fix GCC warning about a variable used after realloc
* BUILD: fix compilation for OpenSSL-3.0.0-alpha17
* BUG/MINOR: log: improper behavior when escaping log data
* SCRIPTS: announce-release: update some URLs to https
* BUG/MEDIUM: captures: free() an error capture out of the proxy lock
* BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
* BUG/MINOR: signals/poller: ensure wakeup from signals
* BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
* BUG/MINOR: h1: Support headers case adjustment for TCP proxies
* REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
* BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
* BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
* BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
* BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
* DOC: configuration: do-resolve doesn't work with a port in the string
* BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
* BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
* BUILD: http: silence an uninitialized warning affecting gcc-5
* BUG/MEDIUM: proxy: Perform a custom copy for default server settings
* REORG: server: Export srv_settings_cpy() function
* MINOR: server: Constify source server to copy its settings
* BUG/MINOR: peers: Use right channel flag to consider the peer as connected
* BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
* MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
* BUG/MINOR: ssl: free the fields in srv->ssl_ctx
* BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
* BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
* BUG/MINOR: peers: fix possible NULL dereferences at config parsing
* BUG/MINOR: peers/config: always fill the bind_conf's argument
* BUG/MINOR: http-fetch: Use integer value when possible in 'method' sample fetch
* BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
* BUG/MINOR: server: do not enable DNS resolution on disabled proxies
* BUILD: compiler: implement unreachable for older compilers too
* REGTESTS: http_request_buffer: Increase client timeout to wait 'slow' clients
* REGTESTS: abortonclose: Add a barrier to not mix up log messages
* BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
* DOC: peers: fix port number and addresses on new peers section format
* DOC: peers: clarify when entry expiration date is renewed.
* DOC: peers: indicate that some server settings are not usable
* SCRIPTS: make publish-release try to launch make-releases-json
* SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
* BUG/MEDIUM: sample: Fix adjusting size in word converter
* BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
* BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
* BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
* BUG/MINOR: peers: fix error reporting of 'bind' lines
* REGTESTS: abortonclose: Fix some race conditions
* BUILD: fix build warning on solaris based systems with __maybe_unused.
* CI: determine actual LibreSSL version dynamically
* [RELEASE] Released version 2.0.29
* BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x
* CLEANUP: mux-h1: Fix comments and error messages for global options
* BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
* BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
* DOC: fix typo 'ant' for 'and' in INSTALL
* BUG/MINOR: map/cli: make sure patterns don't vanish under 'show map''s init
* BUG/MINOR: map/cli: protect the backref list during 'show map' errors
* BUG/MEDIUM: cli: make 'show cli sockets' really yield
* BUG/MINOR: mux-h2: mark the stream as open before processing it not after
* SCRIPTS: announce-release: add URL of dev packages
* CI: github actions: update LibreSSL to 3.5.2
* BUILD: sockpair: do not set unused flag
* BUILD: proto_uxst: do not set unused flag
* BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
* REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
* DOC: remove my name from the config doc
* BUG/MINOR: cache: Disable cache if applet creation fails
* SCRIPTS: announce-release: add shortened links to pending issues
* DOC: lua: update a few doc URLs
* SCRIPTS: announce-release: update the doc's URL
* BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
* BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
* BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
* BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
* BUG/MINOR: cache: do not display expired entries in 'show cache'
* BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
* CI: Update to actions/cache@v3
* CI: Update to actions/checkout@v3
* BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
* BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
* DOC: reflect H2 timeout changes
* BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
* MEDIUM: mux-h2: slightly relax timeout management rules
* BUG/MEDIUM: stream-int: do not rely on the connection error once established
* BUG/MINOR: tools: url2sa reads too far when no port nor path
* BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
* CI: github actions: switch to LibreSSL-3.5.1
* BUILD: dns: fix backport of previous dns fix
* BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
* Revert 'BUG/MAJOR: mux-pt: Always destroy the backend connection on detach'
* BUG/MINOR: tools: fix url2sa return value with IPv4
* [RELEASE] Released version 2.0.28
* DOC: Fix usage/examples of deprecated ACLs
* BUG/MINOR: stream: make the call_rate only count the no-progress calls
* DOC: use the req.ssl_sni in examples
* DOC: ssl: req_ssl_sni needs implicit TLS
* BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
* BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
* DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
* BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
* BUG/MINOR: cli: shows correct mode in 'show sess'
* BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
* CLEANUP: atomic: add a fetch-and-xxx variant for common operations
* CI: github actions: use cache for SSL libs
* CI: github actions: add the output of $CC -dM -E-
* BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
* BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
* BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
* BUG/MINOR: tools: url2sa reads ipv4 too far
* BUG/MINOR: mailers: negotiate SMTP, not ESMTP
* CI: ssl: keep the old method for ancient OpenSSL versions
* CI: ssl: do not needlessly build the OpenSSL docs
* CI: ssl: enable parallel builds for OpenSSL on Linux
* BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
* BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
* BUG/MEDIUM: mworker: close unused transferred FDs on load failure
* MINOR: sock: move the unused socket cleaning code into its own function
* BUG/MAJOR: spoe: properly detach all agents when releasing the applet
* BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
* BUG/MINOR: mworker: does not erase the pidfile upon reload
* BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
* BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
* BUG/MEDIUM: mcli: do not try to parse empty buffers
* BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
* MINOR: channel: add new function co_getdelim() to support multiple delimiters
* MEDIUM: cli: yield between each pipelined command
* [RELEASE] Released version 2.0.27
* BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
* BUG/MEDIUM: cli: Never wait for more data on client shutdown
* BUILD/MINOR: fix solaris build with clang.
* BUG/MEDIUM: mworker: don't use _getsocks in wait mode
* BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
* BUG/MINOR: cli: fix _getsocks with musl libc
* CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free
* BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
* DOC: fix misspelled keyword 'resolve_retries' in resolvers
* BUILD: ssl: unbreak the build with newer libressl
* BUILD: cli: clear a maybe-unused warning on some older compilers
* BUG/MINOR: http: fix recent regression on authorization in legacy mode
* Revert 'BUG/MEDIUM: resolvers: always check a valid item in query_list'
* BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose
* BUG/MINOR: backend: do not set sni on connection reuse
* BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
* DOC: config: Specify %Ta is only available in HTTP mode
* DOC: spoe: Clarify use of the event directive in spoe-message section
* MINOR: ssl: make tlskeys_list_get_next() take a list element
* CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()
* CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()
* BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
* MINOR: cli: 'show version' displays the current process version
* BUILD: general: always pass unsigned chars to is* functions
* CLEANUP: peers: Remove unused static function `free_dcache_tx`
* CLEANUP: peers: Remove unused static function `free_dcache`
* REGTESTS: mark the abns test as broken again
* BUILD: scripts/build-ssl.sh: use 'uname' instead of ${TRAVIS_OS_NAME}
* BUILD: makefile: add entries to build common debugging tools
* CI: Github Actions: temporarily disable BoringSSL builds
* CI: Github Actions: switch to LibreSSL-3.3.3
* CI: github actions: update LibreSSL to 3.2.5
* Revert 'CI: Pin VTest to a known good commit'
* CI: github actions: switch to stable LibreSSL release
* CI: Fix the coverity builds
* CI: Fix DEBUG_STRICT definition for Coverity
* CI: Pin VTest to a known good commit
* CI: github actions: build several popular 'contrib' tools
* CI: GitHub Actions: enable daily Coverity scan
* CI: github actions: enable 51degrees feature
* CI: github actions: update LibreSSL to 3.3.0
* CI: Clean up Windows CI
* CI: Pass the github.event_name to matrix.py
* CI: Github Action: run 'apt-get update' before packages restore
* CI: Github Actions: enable BoringSSL builds
* CI: Github Actions: remove LibreSSL-3.0.2 builds
* CI: Github Actions: enable prometheus exporter
* CI: Stop hijacking the hosts file
* CI: Expand use of GitHub Actions for CI
* [RELEASE] Released version 2.0.26
* BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
* BUG/MINOR: shctx: do not look for available blocks when the first one is enough
* BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
* BUG/MEDIUM: mux-h2: always process a pending shut read
* BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
* CLEANUP: ssl: Release cached SSL sessions on deinit
* MINOR: mux-h2: perform a full cycle shutdown+drain on close
* MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
* BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
* BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
* BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
* BUG/MINOR: mworker: doesn't launch the program postparser
* BUG/MEDIUM: conn-stream: Don't reset CS flags on close
* BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
* DOC: config: Fix typo in ssl_fc_unique_id description
* BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
* BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
* MINOR: htx: Add a function to know if the free space wraps
* MINOR: htx: Add an HTX flag to know when a message is fragmented
* BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
* MINOR: stream: Improve dump of bogus streams
* DOC: config: Fix alphabetical order of fc_* samples
* BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
* BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration
* CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT
* CLEANUP: always initialize the answer_list
* CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()
* BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released
* BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed
* BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame
* BUG/MEDIUM: resolvers: always check a valid item in query_list
* BUILD: resolvers: avoid a possible warning on null-deref
* MINOR: resolvers: merge address and target into a union 'data'
* BUG/MEDIUM: resolvers: use correct storage for the target address
* BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix
* MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
* BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
* BUG/MEDIUM: resolver: make sure to always use the correct hostname length
* MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
* BUG/MEDIUM: sample: properly verify that variables cast to sample
* MINOR: sample: provide a generic var-to-sample conversion function
* CLEANUP: sample: uninline sample_conv_var2smp_str()
* CLEANUP: sample: rename sample_conv_var2smp() to *_sint
* BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error
* BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
* BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
* BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
* BUG/MINOR: filters: Set right FLT_END analyser depending on channel
* BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
* BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
* BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
* BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
* BUG/MAJOR: lua: use task_wakeup() to properly run a task once
* BUG/MEDIUM: lua: fix wakeup condition from sleep()
* DOC: peers: fix doc 'enable' statement on 'peers' sections
* BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send 'trailers'
* BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
* BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
* BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
* BUG/MINOR: server: allow 'enable health' only if check configured
* Revert 'REGTESTS: mark http_abortonclose as broken'
* BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
* MEDIUM: actions: Fix block ACL.
* BUG/MINOR: stats: fix the POST requests processing in legacy mode
* BUG/MEDIUM: http: check for a channel pending data before waiting
* BUG/MINOR: cli/payload: do not search for args inside payload
* BUG/MINOR: compat: make sure __WORDSIZE is always defined
* BUG/MINOR: systemd: ExecStartPre must use -Ws
* [RELEASE] Released version 2.0.25
* REGTESTS: mark http_abortonclose as broken
* MINOR: action: Use a generic function to check validity of an action rule list
* Revert 'BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive'
* BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
* CLEANUP: htx: remove comments about 'must be < 256 MB'
* BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
* DOC: configuration: remove wrong tcp-request examples in tcp-response
* CLEANUP: Add missing include guard to signal.h
* BUG/MINOR: tools: Fix loop condition in dump_text()
* BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
* BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
* BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
* MINOR: compiler: implement an ONLY_ONCE() macro
* BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
* REGTESTS: abortonclose: after retries, 503 is expected, not close
* BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
* [RELEASE] Released version 2.0.24
* REGTESTS: add a test to prevent h2 desync attacks
* BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
* DOC/MINOR: fix typo in management document
* MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade
* DOC: config: Fix 'http-response send-spoe-group' documentation
* DOC: Improve the lua documentation
* BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
* BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
* MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
* BUG/MINOR: server: update last_change on maint->ready transitions too
* BUG/MINOR: connection: Add missing error labels to conn_err_code_str
* BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
* BUG/MINOR: mux-h2: Obey dontlognull option during the preface
* BUG/MINOR: systemd: must check the configuration using -Ws
* BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
* BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
* BUILD: add detection of missing important CFLAGS
* BUG/MEDIUM: tcp-check: Do not dereference inexisting connection
* [RELEASE] Released version 2.0.23
* BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled
* BUG/MINOR: server-state: load SRV resolution only if params match the config
* CLEANUP: pools: remove now unused seq and pool_free_list
* BUG/MAJOR: pools: fix possible race with free() in the lockless variant
* MEDIUM: pools: use a single pool_gc() function for locked and lockless
* MEDIUM: memory: make pool_gc() run under thread isolation
* BUG/MEDIUM: pools: Always update free_list in pool_gc().
* MINOR: pools: do not maintain the lock during pool_flush()
* BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()
* MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS
* Revert 'MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules'
* BUG/MINOR: peers: fix data_type bit computation more than 32 data_types
* MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()
* BUG/MINOR: resolvers: Reset server IP when no ip is found in the response
* DOC: config: use CREATE USER for mysql-check
* DOC: peers: fix the protocol tag name in the doc
* DOC: stick-table: add missing documentation about gpt0 stored type
* BUG/MINOR: stick-table: fix several printf sign errors dumping tables
* BUG/MINOR: cli: fix server name output in 'show fd'
* BUG/MEDIUM: sock: make sure to never miss early connection failures
* BUG/MINOR: server/cli: Fix locking in function processing 'set server' command
* BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
* BUG/MINOR: resolvers: answser item list was randomly purged or errors
* DOC: config: Add missing actions in 'tcp-request session' documentation
* MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules
* BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check
* BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function
* BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken
* MINOR: mux-h2: obey http-ignore-probes during the preface
* BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue
* BUG/MINOR: mworker: fix typo in chroot error message
* BUG/MINOR: ssl: use atomic ops to update global shctx stats
* BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE
* BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id
* DOC: lua: Add a warning about buffers modification in HTTP
* BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded
* BUG/MEDIUM: dns: reset file descriptor if send returns an error
* BUG/MEDIUM: compression: Add a flag to know the filter is still processing data
* BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
* BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree
* BUG/MINOR: http: Missing calloc return value check in make_arg_list
* BUG/MINOR: http: Missing calloc return value check while parsing redirect rule
* BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list
* BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo
* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule
* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response
* BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy
* BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare
* BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture
* BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine
* BUG/MINOR: peers: Missing calloc return value check in peers_register_table
* BUG/MINOR: server: Missing calloc return value check in srv_parse_source
* BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts
* BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response
* BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter
* BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'
* BUG/MEDIUM: ebtree: Invalid read when looking for dup entry
* REGTESTS: Add script to test abortonclose option
* MEDIUM: mux-h1: Don't block reads when waiting for the other side
* BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive
* MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()
* BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port
* BUG/MINOR: stream: Reset stream final state and si error type on L7 retry
* BUG/MINOR: stream: properly clear the previous error mask on L7 retries
* BUG/MINOR: stream: Decrement server current session counter on L7 retry
* BUG/MEDIUM: cli: prevent memory leak on write errors
* BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers
* MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode
* MINOR: peers: add informative flags about resync process for debugging
* BUG/MEDIUM: peers: reset tables stage flags stages on new conns
* BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly
* BUG/MEDIUM: peers: reset commitupdate value in new conns
* BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected
* BUG/MEDIUM: peers: stop considering ack messages teaching a full resync
* BUG/MEDIUM: peers: register last acked value as origin receiving a resync req
* BUG/MEDIUM: peers: initialize resync timer to get an initial full resync
* BUG/MINOR: applet: Notify the other side if data were consumed by an applet
* BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message
* BUG/MEDIUM: peers: re-work refcnt on table to protect against flush
* BUG/MEDIUM: peers: re-work connection to new process during reload.
* BUG/MINOR: peers: remove useless table check if initial resync is finished
* BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data
* BUG/MINOR: mworker: don't use oldpids[] anymore for reload
* BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases
* BUG/MEDIUM: config: fix cpu-map notation with both process and threads
* BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
* BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
* BUG/MINOR: server: free srv.lb_nodes in free_server
* BUG/MINOR: mux-h1: Release idle server H1 connection if data are received
* BUG/MINOR: logs: Report the true number of retries if there was no connection
* BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function
* BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded
* BUG/MEDIUM: threads: Ignore current thread to end its harmless period
* BUG/MEDIUM: sample: Fix adjusting size in field converter
* DOC: clarify that compression works for HTTP/2
* BUG/MINOR: tools: fix parsing 'us' unit for timers
* DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options
* [RELEASE] Released version 2.0.22
* BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks
* MINOR: resolvers: Directly call srvrq_update_srv_state() when possible
* MINOR: resolvers: Add function to change the srv status based on SRV resolution
* MINOR: resolvers: Purge answer items when a SRV resolution triggers an error
* MINOR: resolvers: Use a function to remove answers attached to a resolution
* BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution
* BUG/MAJOR: dns: disabled servers through SRV records never recover
* BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status
* BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields
* BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS
* BUG/MINOR: tcp: fix silent-drop workaround for IPv6
* BUG/MINOR: stats: Apply proper styles in HTML status page.
* BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
* BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters
* MINOR: tools: make url2ipv4 return the exact number of bytes parsed
* BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless
* BUG/MEDIUM: time: make sure to always initialize the global tick
* BUG/MEDIUM: lua: Always init the lua stack before referencing the context
* BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback
* MINOR: lua: Slightly improve function dumping the lua traceback
* MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket
* BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable
* MINOR: time: also provide a global, monotonic global_now_ms timer
* [RELEASE] Released version 2.0.21
* BUG/MINOR: freq_ctr/threads: make use of the last updated global time
* MINOR: time: export the global_now variable
* BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames
* BUG/MINOR: resolvers: Reset server address on DNS error only on status change
* BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error
* CLEANUP: tcp-rules: add missing actions in the tcp-request error message
* BUG/MINOR: session: Add some forgotten tests on session's listener
* BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters
* BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached
* BUG/MEDIUM: session: NULL dereference possible when accessing the listener
* BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode
* BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()
* BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
* BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout
* DOC: spoe: Add a note about fragmentation support in HAProxy
* BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
* BUG/MINOR: connection: Use the client's dst family for adressless servers
* BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
* BUG/MINOR: http-ana: Only consider dst address to process originalto option
* BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
* BUG/MEDIUM: resolvers: Reset address for unresolved servers
* BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records
* BUG/MINOR: resolvers: new callback to properly handle SRV record errors
* BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
* BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
* BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
* BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
* BUG/MINOR: sample: secure convs that accept base64 string and var name as args
* BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
* BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
* BUG/MINOR: server: Init params before parsing a new server-state line
* BUG/MINOR: sample: Always consider zero size string samples as unsafe
* BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
* BUG/MINOR: session: atomically increment the tracked sessions counter
* BUG/MINOR: server: Remove RMAINT from admin state when loading server state
* CLEANUP: channel: fix comment in ci_putblk.
* BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
* BUG/MINOR: cfgparse: do not mention 'addr:port' as supported on proxy lines
* BUG/MEDIUM: config: don't pick unset values from last defaults section
* CLEANUP: deinit: release global and per-proxy server-state variables on deinit
* BUG/MINOR: server: Fix server-state-file-name directive
* BUG/MINOR: backend: hold correctly lock when killing idle conn
* BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
* BUG/MINOR: server: re-align state file fields number
* BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
* BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty
* BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED
* BUG/MEDIUM: mux-h2: handle remaining read0 cases
* BUILD: Makefile: move REGTESTST_TYPE default setting
* BUG/MINOR: xxhash: make sure armv6 uses memcpy()
* BUG/MEDIUM: ssl: check a connection's status before computing a handshake
* BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
* DOC: management: fix 'show resolvers' alphabetical ordering
* BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
* BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
* BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
* BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX
* BUG/MEDIUM: mux-h2: fix read0 handling on partial frames
* BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
* BUG/MINOR: peers: Wrong 'new_conn' value for 'show peers' CLI command.
* BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
* BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
* BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
* [RELEASE] Released version 2.0.20
* BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
* DOC: Add maintainers for the Prometheus exporter
* SCRIPTS: announce-release: fix typo in help message
* DOC: fix some spelling issues over multiple files
* MINOR: contrib/prometheus-exporter: export build_info
* BUILD: Makefile: exclude broken tests by default
* BUG/MINOR: srv: do not init address if backend is disabled
* SCRIPTS: make announce release support preparing announces before tag exists
* SCRIPTS: improve announce-release to support different tag and versions
* BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails
* MINOR: atomic: don't use ; to separate instruction on aarch64.
* BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
* BUILD: plock: remove dead code that causes a warning in gcc 11
* CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
* CONTRIB: halog: mark the has_zero* functions unused
* CONTRIB: halog: fix build issue caused by %L printf format
* BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
* BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
* BUILD: Makefile: have 'make clean' destroy .o/.a/.s in contrib subdirs as well
* REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
* CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric
* CLEANUP: lua: Remove declaration of an inexistant function
* BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
* BUG/MINOR: tools: Reject size format not starting by a digit
* BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
* DOC: email change of the DeviceAtlas maintainer
* BUG/MEDIUM: spoa/python: Fixing references to None
* BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
* BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
* BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
* DOC: spoa/python: Fixing typos in comments
* DOC: spoa/python: Rephrasing memory related error messages
* DOC: spoa/python: Fixing typo in IP related error messages
* BUG/MAJOR: spoa/python: Fixing return None
* DOC/MINOR: Fix formatting in Management Guide
* BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
* MINOR: cli: add a function to look up a CLI service description
* MINOR: actions: add a function returning a service pointer from its name
* MINOR: actions: Export actions lookup functions
* BUG/MINOR: lua: Some lua init operation are processed unsafe
* BUG/MINOR: lua: Post init register function are not executed beyond the first one
* BUG/MINOR: lua: lua-load doesn't check its parameters
* MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
* DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
* BUG/MAJOR: peers: fix partial message decoding
* BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
* BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
* BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
* BUILD: http-htx: fix build warning regarding long type in printf
* MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.
* MINOR: spoe: Don't close connection in sync mode on processing timeout
* BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
* BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
* BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
* BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
* BUG/MINOR: peers: Missing TX cache entries reset.
* BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
* BUG/MINOR: lua: set buffer size during map lookups
* BUG/MINOR: pattern: a sample marked as const could be written
* [RELEASE] Released version 2.0.19
* BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
* MINOR: http-htx: Add understandable errors for the errorfiles parsing
* BUG/MEDIUM: stick-table: limit the time spent purging old entries
* BUG/MINOR: filters: Skip disabled proxies during startup only
* BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
* MINOR: server: Copy configuration file and line for server templates
* BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup
* BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
* BUG/MINOR: cache: Inverted variables in http_calc_maxage function
* BUG/MINOR: lua: initialize sample before using it
* BUG/MINOR: server: fix down_time report for stats
* BUG/MINOR: server: fix srv downtime calcul on starting
* BUG/MINOR: log: fix memory leak on logsrv parse error
* BUG/MINOR: extcheck: add missing checks on extchk_setenv()
* BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible
* BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests
* BUG/MEDIUM: server: support changing the slowstart value from state-file
* BUG/MINOR: queue: properly report redistributed connections
* BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.
* BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn
* BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages
* BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
* BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once
* MINOR: fd: report an error message when failing initial allocations
* BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
* BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
* BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().
* BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
* BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
* BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
* BUG/MINOR: peers: Inconsistency when dumping peer status codes.
* MINOR: hlua: Display debug messages on stderr only in debug mode
* BUG/MINOR: stats: fix validity of the json schema
* MINOR: counters: fix a typo in comment
* BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe
* BUG/MINOR: Fix several leaks of 'log_tag' in init().
* BUILD: makefile: Fix building with closefrom() support enabled
* DOC: ssl: crt-list negative filters are only a hint
* [RELEASE] Released version 2.0.18
* REGTEST: make map_regm_with_backref require 1.7
* REGTEST: make abns_socket.vtc require 1.8
* REGTEST: fix host part in balance-uri-path-only.vtc
* REGTESTS: add a few load balancing tests
* DOC: agent-check: fix typo in 'fail' word expected reply
* DOC: spoa-server: fix false friends `actually`
* BUG/MEDIUM: listeners: do not pause foreign listeners
* BUG/MINOR: config: Fix memory leak on config parse listen
* BUG/MINOR: Fix memory leaks cfg_parse_peers
* BUG/MEDIUM: h2: report frame bits only for handled types
* BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch
* BUG/MINOR: server: report correct error message for invalid port on 'socks4'
* BUG/MINOR: ssl: verifyhost is case sensitive
* BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
* BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
* BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
* BUILD: threads: better workaround for late loading of libgcc_s
* BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
* BUG/MINOR: auth: report valid crypto(3) support depending on build options
* CLEANUP: Update .gitignore
* MINOR: Commit .gitattributes
* BUILD: thread: limit the libgcc_s workaround to glibc only
* BUG/MINOR: threads: work around a libgcc_s issue with chrooting
* BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
* BUG/MEDIUM: doc: Fix replace-path action description
* BUG/MINOR: startup: haproxy -s cause 100% cpu
* BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
* BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
* BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
* BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
* BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
* DOC: cache: Use '<name>' instead of '<id>' in error message
* BUG/MINOR: reload: do not fail when no socket is sent
* BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
* BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
* BUG/MINOR: snapshots: leak of snapshots on deinit()
* BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
* BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
* BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
* BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
* BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response
* SCRIPTS: git-show-backports: emit the shell command to backport a commit
* SCRIPTS: git-show-backports: make -m most only show the left branch
* [RELEASE] Released version 2.0.17
* SCRIPTS: announce-release: add the link to the wiki in the announce messages
* MINOR: stream-int: Be sure to have a mux to do sends and receives
* MINOR: connection: Preinstall the mux for non-ssl connect
* BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
* BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
* MEDIUM: lua: Add support for the Lua 5.4
* BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
* BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
* BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
* BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
* BUG/MAJOR: dns: Make the do-resolve action thread-safe
* BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete
* BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
* BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
* BUILD: thread: add parenthesis around values of locking macros
* MINOR: pools: increase MAX_BASE_POOLS to 64
* BUG/MINOR: threads: Don't forget to init each thread toremove_lock.
* REGEST: Add reg tests about error files
* BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
* [RELEASE] Released version 2.0.16
* BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
* BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
* BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
* CONTRIB: da: fix memory leak in dummy function da_atlas_open()
* BUG/MINOR: sample: Free str.area in smp_check_const_meth
* BUG/MINOR: sample: Free str.area in smp_check_const_bool
* DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
* BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode
* BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection
* MINOR: http: Add support for http 413 status
* BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
* BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
* MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
* BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
* BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
* BUG/MINOR: mux-h1: Disable splicing only if input data was processed
* BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
* BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
* BUG/MINOR: http_act: don't check capture id in backend (2)
* DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
* DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
* BUG/MINOR: proxy: always initialize the trash in show servers state
* BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
* BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
* DOC: ssl: add 'allow-0rtt' and 'ciphersuites' in crt-list
* MINOR: cli: make 'show sess' stop at the last known session
* BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
* REGTEST: ssl: add some ssl_c_* sample fetches test
* REGTEST: ssl: tests the ssl_f_* sample fetches
* MINOR: spoe: Don't systematically create new applets if processing rate is low
* BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
* BUG/MINOR: spoe: correction of setting bits for analyzer
* REGTEST: Add a simple script to tests errorfile directives in proxy sections
* BUG/MINOR: systemd: Wait for network to be online
* MEDIUM: map: make the 'clear map' operation yield
* REGTEST: http-rules: test spaces in ACLs with master CLI
* REGTEST: http-rules: test spaces in ACLs
* BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
* BUG/MINOR: mworker/cli: fix the escaping in the master CLI
* BUG/MINOR: cli: allow space escaping on the CLI
* BUG/MINOR: spoe: add missing key length check before checking key names
* BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
* BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
* MINOR: http: Add 404 to http-request deny
* MINOR: http: Add 410 to http-request deny
* [RELEASE] Released version 2.0.15
* REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used
* BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
* BUG/MEDIUM: pattern: fix thread safety of pattern matching
* BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
* BUG/MINOR: mworker: fix a memleak when execvp() failed
* BUG/MEDIUM: mworker: fix the reload with an -- option
* BUG/MINOR: init: -S can have a parameter starting with a dash
* BUG/MINOR: init: -x can have a parameter starting with a dash
* BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
* BUILD: makefile: adjust the sed expression of 'make help' for solaris
* BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version
* BUG/MEDIUM: logs: fix trailing zeros on log message.
* BUG/MINOR: logs: prevent double line returns in some events.
* BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
* BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
* BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
* BUG/MINOR: peers: fix internal/network key type mapping.
* SCRIPTS: publish-release: pass -n to gzip to remove timestamp
* Revert 'BUG/MEDIUM: connections: force connections cleanup on server changes'
* BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf
* BUG/MINOR: lua: Add missing string length for lua sticktable lookup
* BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
* BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
* BUG/MINOR: cache: Don't needlessly test 'cache' keyword in parse_cache_flt()
* BUILD: select: only declare existing local labels to appease clang
* BUG/MINOR: soft-stop: always wake up waiting threads on stopping
* BUG/MINOR: pollers: remove uneeded free in global init
* BUG/MINOR: pools: use %u not %d to report pool stats in 'show pools'
* BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
* BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
* BUG/MINOR: http-ana: fix NTLM response parsing again
* BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
* BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
* BUG/MINOR: sample: Set the correct type when a binary is converted to a string
* CLEANUP: connections: align function declaration
* BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
* BUG/MEDIUM: connections: force connections cleanup on server changes
* BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure
* BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.
* BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
* BUG/MINOR: checks: Remove a warning about http health checks
* BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
* BUG/MEDIUM: checks: Always initialize checks before starting them
* BUG/MINOR: checks/server: use_ssl member must be signed
* BUG/MEDIUM: server/checks: Init server check during config validity check
* Revert 'BUG/MINOR: connection: make sure to correctly tag local PROXY connections'
* BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection
* REGTEST: ssl: test the client certificate authentication
* MINOR: stream: report the list of active filters on stream crashes
* BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
* BUG/MEDIUM: shctx: really check the lock's value while waiting
* BUG/MINOR: debug: properly use long long instead of long for the thread ID
* MINOR: threads: export the POSIX thread ID in panic dumps
* BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
* BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream
* BUG/MEDIUM: http: the 'unique-id' sample fetch could crash without a steeam
* BUG/MEDIUM: http: the 'http_first_req' sample fetch could crash without a steeam
* BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
* BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
* BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
* BUG/MINOR: checks: chained expect will not properly wait for enough data
* BUG/MINOR: checks: Respect the no-check-ssl option
* MINOR: checks: Add a way to send custom headers and payload during http chekcs
* BUG/MINOR: check: Update server address and port to execute an external check
* DOC: option logasap does not depend on mode
* BUG/MINOR: http: make url_decode() optionally convert '+' to SP
* BUG/MINOR: tools: fix the i386 version of the div64_32 function
* BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
* BUG/MINOR: ssl: default settings for ssl server options are not used
* DOC: Improve documentation on http-request set-src
* DOC: hashing: update link to hashing functions
* BUG/MINOR: peers: Incomplete peers sections should be validated.
* BUG/MINOR: protocol_buffer: Wrong maximum shifting.
Patchnames: SUSE-2023-2119,SUSE-SLE-Product-HA-15-SP2-2023-2119,SUSE-SLE-Product-HA-15-SP3-2023-2119
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.3 (Critical)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Feature update for haproxy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for haproxy fixes the following issues:\n\nUpdate to version 2.0.31 (jsc#PED-3821):\n\n* BUG/CRITICAL: http: properly reject empty http header field names\n* CI: github: don\u0027t warn on deprecated openssl functions on windows\n* DOC: proxy-protocol: fix wrong byte in provided example\n* DOC: config: \u0027http-send-name-header\u0027 option may be used in default section\n* DOC: config: fix option spop-check proxy compatibility\n* BUG/MEDIUM: cache: use the correct time reference when comparing dates\n* BUG/MEDIUM: stick-table: do not leave entries in end of window during purge\n* BUG/MEDIUM: ssl: wrong eviction from the session cache tree\n* BUG/MINOR: http-ana: make set-status also update txn-\u003estatus\n* BUG/MINOR: http-fetch: Don\u0027t block HTTP sample fetch eval in HTTP_MSG_ERROR state\n* BUG/MINOR: promex: Don\u0027t forget to consume the request on error\n* BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action\n* BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned\n* BUILD: makefile: sort the features list\n* BUILD: makefile: build the features list dynamically\n* BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats\n* BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set\n* LICENSE: wurfl: clarify the dummy library license.\n* BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout\n* BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers\n* BUG/MINOR: ssl: Fix potential overflow\n* BUG/MEDIUM: ssl: Verify error codes can exceed 63\n* CI: github: change \u0027ubuntu-latest\u0027 to \u0027ubuntu-20.04\u0027\n* SCRIPTS: announce-release: add a link to the data plane API\n* [RELEASE] Released version 2.0.30\n* Revert \u0027CI: determine actual LibreSSL version dynamically\u0027\n* DOC: config: clarify the -m dir and -m dom pattern matching methods\n* DOC: config: clarify the fact that \u0027retries\u0027 is not just for connections\n* DOC: config: explain how default matching method for ACL works\n* DOC: config: clarify the fact that SNI should not be used in HTTP scenarios\n* DOC: config: provide some configuration hints for \u0027http-reuse\u0027\n* BUILD: listener: fix build warning on global_listener_rwlock without threads\n* BUILD: peers: Remove unused variables\n* BUG/MEDIUM: peers: messages about unkown tables not correctly ignored\n* BUG/MINOR: http_ana/txn: don\u0027t re-initialize txn and req var lists\n* BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task\n* CI: emit the compiler\u0027s version in the build reports\n* CI: add monthly gcc cross compile jobs\n* BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task\n* BUG/MAJOR: stick-table: don\u0027t process store-response rules for applets\n* DOC: management: add forgotten \u0027show startup-logs\u0027\n* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition\n* CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py\n* BUG/MAJOR: stick-tables: do not try to index a server name for applets\n* DOC: configuration: missing \u0027if\u0027 in tcp-request content example\n* BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os\n* BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()\n* BUG/MEDIUM: lua: handle stick table implicit arguments right.\n* BUILD: cfgparse: Fix GCC warning about a variable used after realloc\n* BUILD: fix compilation for OpenSSL-3.0.0-alpha17\n* BUG/MINOR: log: improper behavior when escaping log data\n* SCRIPTS: announce-release: update some URLs to https\n* BUG/MEDIUM: captures: free() an error capture out of the proxy lock\n* BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK\n* BUG/MINOR: signals/poller: ensure wakeup from signals\n* BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals\n* BUG/MINOR: h1: Support headers case adjustment for TCP proxies\n* REGTESTS: http_request_buffer: Add a barrier to not mix up log messages\n* BUG/MEDIUM: peers: Don\u0027t start resync on reload if local peer is not up-to-date\n* BUG/MEDIUM: peers: Don\u0027t use resync timer when local resync is in progress\n* BUG/MEDIUM: peers: Add connect and server timeut to peers proxy\n* BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode\n* DOC: configuration: do-resolve doesn\u0027t work with a port in the string\n* BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()\n* BUG/MEDIUM: mux-h2: do not fiddle with -\u003edsi to indicate demux is idle\n* BUILD: http: silence an uninitialized warning affecting gcc-5\n* BUG/MEDIUM: proxy: Perform a custom copy for default server settings\n* REORG: server: Export srv_settings_cpy() function\n* MINOR: server: Constify source server to copy its settings\n* BUG/MINOR: peers: Use right channel flag to consider the peer as connected\n* BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload\n* MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer\n* BUG/MINOR: ssl: free the fields in srv-\u003essl_ctx\n* BUG/MINOR: sockpair: wrong return value for fd_send_uxst()\n* BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible\n* BUG/MINOR: peers: fix possible NULL dereferences at config parsing\n* BUG/MINOR: peers/config: always fill the bind_conf\u0027s argument\n* BUG/MINOR: http-fetch: Use integer value when possible in \u0027method\u0027 sample fetch\n* BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created\n* BUG/MINOR: server: do not enable DNS resolution on disabled proxies\n* BUILD: compiler: implement unreachable for older compilers too\n* REGTESTS: http_request_buffer: Increase client timeout to wait \u0027slow\u0027 clients\n* REGTESTS: abortonclose: Add a barrier to not mix up log messages\n* BUG/MINOR: conn_stream: do not confirm a connection from the frontend path\n* DOC: peers: fix port number and addresses on new peers section format\n* DOC: peers: clarify when entry expiration date is renewed.\n* DOC: peers: indicate that some server settings are not usable\n* SCRIPTS: make publish-release try to launch make-releases-json\n* SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs\n* BUG/MEDIUM: sample: Fix adjusting size in word converter\n* BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section\n* BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections\n* BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols\n* BUG/MINOR: peers: fix error reporting of \u0027bind\u0027 lines\n* REGTESTS: abortonclose: Fix some race conditions\n* BUILD: fix build warning on solaris based systems with __maybe_unused.\n* CI: determine actual LibreSSL version dynamically\n* [RELEASE] Released version 2.0.29\n* BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x\n* CLEANUP: mux-h1: Fix comments and error messages for global options\n* BUG/MEDIUM: wdt: don\u0027t trigger the watchdog when p is unitialized\n* BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).\n* DOC: fix typo \u0027ant\u0027 for \u0027and\u0027 in INSTALL\n* BUG/MINOR: map/cli: make sure patterns don\u0027t vanish under \u0027show map\u0027\u0027s init\n* BUG/MINOR: map/cli: protect the backref list during \u0027show map\u0027 errors\n* BUG/MEDIUM: cli: make \u0027show cli sockets\u0027 really yield\n* BUG/MINOR: mux-h2: mark the stream as open before processing it not after\n* SCRIPTS: announce-release: add URL of dev packages\n* CI: github actions: update LibreSSL to 3.5.2\n* BUILD: sockpair: do not set unused flag\n* BUILD: proto_uxst: do not set unused flag\n* BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()\n* REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc\n* DOC: remove my name from the config doc\n* BUG/MINOR: cache: Disable cache if applet creation fails\n* SCRIPTS: announce-release: add shortened links to pending issues\n* DOC: lua: update a few doc URLs\n* SCRIPTS: announce-release: update the doc\u0027s URL\n* BUG/MEDIUM: compression: Don\u0027t forget to update htx_sl and http_msg flags\n* BUG/MEDIUM: mux-h1: Don\u0027t request more room on partial trailers\n* BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive\n* BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side\n* BUG/MINOR: cache: do not display expired entries in \u0027show cache\u0027\n* BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent\n* CI: Update to actions/cache@v3\n* CI: Update to actions/checkout@v3\n* BUG/MEDIUM: http-act: Don\u0027t replace URI if path is not found or invalid\n* BUG/MAJOR: mux_pt: always report the connection error to the conn_stream\n* DOC: reflect H2 timeout changes\n* BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts\n* MEDIUM: mux-h2: slightly relax timeout management rules\n* BUG/MEDIUM: stream-int: do not rely on the connection error once established\n* BUG/MINOR: tools: url2sa reads too far when no port nor path\n* BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf\n* CI: github actions: switch to LibreSSL-3.5.1\n* BUILD: dns: fix backport of previous dns fix\n* BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket\n* Revert \u0027BUG/MAJOR: mux-pt: Always destroy the backend connection on detach\u0027\n* BUG/MINOR: tools: fix url2sa return value with IPv4\n* [RELEASE] Released version 2.0.28\n* DOC: Fix usage/examples of deprecated ACLs\n* BUG/MINOR: stream: make the call_rate only count the no-progress calls\n* DOC: use the req.ssl_sni in examples\n* DOC: ssl: req_ssl_sni needs implicit TLS\n* BUG/MAJOR: mux-pt: Always destroy the backend connection on detach\n* BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing\n* DEBUG: cache: Update underlying buffer when loading HTX message in cache applet\n* BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request\n* BUG/MINOR: cli: shows correct mode in \u0027show sess\u0027\n* BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks\n* CLEANUP: atomic: add a fetch-and-xxx variant for common operations\n* CI: github actions: use cache for SSL libs\n* CI: github actions: add the output of $CC -dM -E-\n* BUG/MEDIUM: stream: Abort processing if response buffer allocation fails\n* BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer\n* BUG/MEDIUM: mux-h1: Don\u0027t wake h1s if mux is blocked on lack of output buffer\n* BUG/MINOR: tools: url2sa reads ipv4 too far\n* BUG/MINOR: mailers: negotiate SMTP, not ESMTP\n* CI: ssl: keep the old method for ancient OpenSSL versions\n* CI: ssl: do not needlessly build the OpenSSL docs\n* CI: ssl: enable parallel builds for OpenSSL on Linux\n* BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names\n* BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload\n* BUG/MEDIUM: mworker: close unused transferred FDs on load failure\n* MINOR: sock: move the unused socket cleaning code into its own function\n* BUG/MAJOR: spoe: properly detach all agents when releasing the applet\n* BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies\n* BUG/MINOR: mworker: does not erase the pidfile upon reload\n* BUG/MEDIUM: mworker: don\u0027t lose the stats socket on failed reload\n* BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them\n* BUG/MEDIUM: mcli: do not try to parse empty buffers\n* BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands\n* MINOR: channel: add new function co_getdelim() to support multiple delimiters\n* MEDIUM: cli: yield between each pipelined command\n* [RELEASE] Released version 2.0.27\n* BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer\n* BUG/MEDIUM: cli: Never wait for more data on client shutdown\n* BUILD/MINOR: fix solaris build with clang.\n* BUG/MEDIUM: mworker: don\u0027t use _getsocks in wait mode\n* BUG/MEDIUM: http-ana: Preserve response\u0027s FLT_END analyser on L7 retry\n* BUG/MINOR: cli: fix _getsocks with musl libc\n* CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free\n* BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning\n* DOC: fix misspelled keyword \u0027resolve_retries\u0027 in resolvers\n* BUILD: ssl: unbreak the build with newer libressl\n* BUILD: cli: clear a maybe-unused warning on some older compilers\n* BUG/MINOR: http: fix recent regression on authorization in legacy mode\n* Revert \u0027BUG/MEDIUM: resolvers: always check a valid item in query_list\u0027\n* BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose\n* BUG/MINOR: backend: do not set sni on connection reuse\n* BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode\n* DOC: config: Specify %Ta is only available in HTTP mode\n* DOC: spoe: Clarify use of the event directive in spoe-message section\n* MINOR: ssl: make tlskeys_list_get_next() take a list element\n* CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()\n* CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()\n* BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time\n* MINOR: cli: \u0027show version\u0027 displays the current process version\n* BUILD: general: always pass unsigned chars to is* functions\n* CLEANUP: peers: Remove unused static function `free_dcache_tx`\n* CLEANUP: peers: Remove unused static function `free_dcache`\n* REGTESTS: mark the abns test as broken again\n* BUILD: scripts/build-ssl.sh: use \u0027uname\u0027 instead of ${TRAVIS_OS_NAME}\n* BUILD: makefile: add entries to build common debugging tools\n* CI: Github Actions: temporarily disable BoringSSL builds\n* CI: Github Actions: switch to LibreSSL-3.3.3\n* CI: github actions: update LibreSSL to 3.2.5\n* Revert \u0027CI: Pin VTest to a known good commit\u0027\n* CI: github actions: switch to stable LibreSSL release\n* CI: Fix the coverity builds\n* CI: Fix DEBUG_STRICT definition for Coverity\n* CI: Pin VTest to a known good commit\n* CI: github actions: build several popular \u0027contrib\u0027 tools\n* CI: GitHub Actions: enable daily Coverity scan\n* CI: github actions: enable 51degrees feature\n* CI: github actions: update LibreSSL to 3.3.0\n* CI: Clean up Windows CI\n* CI: Pass the github.event_name to matrix.py\n* CI: Github Action: run \u0027apt-get update\u0027 before packages restore\n* CI: Github Actions: enable BoringSSL builds\n* CI: Github Actions: remove LibreSSL-3.0.2 builds\n* CI: Github Actions: enable prometheus exporter\n* CI: Stop hijacking the hosts file\n* CI: Expand use of GitHub Actions for CI\n* [RELEASE] Released version 2.0.26\n* BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found\n* BUG/MINOR: shctx: do not look for available blocks when the first one is enough\n* BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found\n* BUG/MEDIUM: mux-h2: always process a pending shut read\n* BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3\n* CLEANUP: ssl: Release cached SSL sessions on deinit\n* MINOR: mux-h2: perform a full cycle shutdown+drain on close\n* MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close\n* BUG/MINOR: stick-table/cli: Check for invalid ipv6 key\n* BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent\n* BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value\n* BUG/MINOR: mworker: doesn\u0027t launch the program postparser\n* BUG/MEDIUM: conn-stream: Don\u0027t reset CS flags on close\n* BUG/MINOR: http-ana: Apply stop to the current section for http-response rules\n* DOC: config: Fix typo in ssl_fc_unique_id description\n* BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value\n* BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary\n* MINOR: htx: Add a function to know if the free space wraps\n* MINOR: htx: Add an HTX flag to know when a message is fragmented\n* BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check\n* MINOR: stream: Improve dump of bogus streams\n* DOC: config: Fix alphabetical order of fc_* samples\n* BUG/MINOR: http: Authorization value can have multiple spaces after the scheme\n* BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration\n* CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT\n* CLEANUP: always initialize the answer_list\n* CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()\n* BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released\n* BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed\n* BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame\n* BUG/MEDIUM: resolvers: always check a valid item in query_list\n* BUILD: resolvers: avoid a possible warning on null-deref\n* MINOR: resolvers: merge address and target into a union \u0027data\u0027\n* BUG/MEDIUM: resolvers: use correct storage for the target address\n* BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix\n* MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero\n* BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records\n* BUG/MEDIUM: resolver: make sure to always use the correct hostname length\n* MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero\n* BUG/MEDIUM: sample: properly verify that variables cast to sample\n* MINOR: sample: provide a generic var-to-sample conversion function\n* CLEANUP: sample: uninline sample_conv_var2smp_str()\n* CLEANUP: sample: rename sample_conv_var2smp() to *_sint\n* BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error\n* BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames\n* BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule\n* BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release\n* BUG/MINOR: filters: Set right FLT_END analyser depending on channel\n* BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set\n* BUG/MEDIUM: http-ana: Reset channels analysers when returning an error\n* BUG/MINOR: stream: Don\u0027t release a stream if FLT_END is still registered\n* BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input\n* BUG/MAJOR: lua: use task_wakeup() to properly run a task once\n* BUG/MEDIUM: lua: fix wakeup condition from sleep()\n* DOC: peers: fix doc \u0027enable\u0027 statement on \u0027peers\u0027 sections\n* BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send \u0027trailers\u0027\n* BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM\n* BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data\n* BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer\n* BUG/MINOR: server: allow \u0027enable health\u0027 only if check configured\n* Revert \u0027REGTESTS: mark http_abortonclose as broken\u0027\n* BUG/MEDIUM: stream-int: Don\u0027t block SI on a channel policy if EOI is reached\n* MEDIUM: actions: Fix block ACL.\n* BUG/MINOR: stats: fix the POST requests processing in legacy mode\n* BUG/MEDIUM: http: check for a channel pending data before waiting\n* BUG/MINOR: cli/payload: do not search for args inside payload\n* BUG/MINOR: compat: make sure __WORDSIZE is always defined\n* BUG/MINOR: systemd: ExecStartPre must use -Ws\n* [RELEASE] Released version 2.0.25\n* REGTESTS: mark http_abortonclose as broken\n* MINOR: action: Use a generic function to check validity of an action rule list\n* Revert \u0027BUG/MINOR: stream-int: Don\u0027t block reads in si_update_rx() if chn may receive\u0027\n* BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer\n* CLEANUP: htx: remove comments about \u0027must be \u003c 256 MB\u0027\n* BUG/MINOR: config: reject configs using HTTP with bufsize \u003e= 256 MB\n* DOC: configuration: remove wrong tcp-request examples in tcp-response\n* CLEANUP: Add missing include guard to signal.h\n* BUG/MINOR: tools: Fix loop condition in dump_text()\n* BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time\n* BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long\n* BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords\n* MINOR: compiler: implement an ONLY_ONCE() macro\n* BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}\n* REGTESTS: abortonclose: after retries, 503 is expected, not close\n* BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-\n* [RELEASE] Released version 2.0.24\n* REGTESTS: add a test to prevent h2 desync attacks\n* BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header\n* DOC/MINOR: fix typo in management document\n* MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade\n* DOC: config: Fix \u0027http-response send-spoe-group\u0027 documentation\n* DOC: Improve the lua documentation\n* BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued\n* BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released\n* MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure\n* BUG/MINOR: server: update last_change on maint-\u003eready transitions too\n* BUG/MINOR: connection: Add missing error labels to conn_err_code_str\n* BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames\n* BUG/MINOR: mux-h2: Obey dontlognull option during the preface\n* BUG/MINOR: systemd: must check the configuration using -Ws\n* BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs\n* BUG/MEDIUM: mworker: do not register an exit handler if exit is expected\n* BUILD: add detection of missing important CFLAGS\n* BUG/MEDIUM: tcp-check: Do not dereference inexisting connection\n* [RELEASE] Released version 2.0.23\n* BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled\n* BUG/MINOR: server-state: load SRV resolution only if params match the config\n* CLEANUP: pools: remove now unused seq and pool_free_list\n* BUG/MAJOR: pools: fix possible race with free() in the lockless variant\n* MEDIUM: pools: use a single pool_gc() function for locked and lockless\n* MEDIUM: memory: make pool_gc() run under thread isolation\n* BUG/MEDIUM: pools: Always update free_list in pool_gc().\n* MINOR: pools: do not maintain the lock during pool_flush()\n* BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()\n* MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS\n* Revert \u0027MINOR: tcp-act: Add set-src/set-src-port for \u0027tcp-request content\u0027 rules\u0027\n* BUG/MINOR: peers: fix data_type bit computation more than 32 data_types\n* MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()\n* BUG/MINOR: resolvers: Reset server IP when no ip is found in the response\n* DOC: config: use CREATE USER for mysql-check\n* DOC: peers: fix the protocol tag name in the doc\n* DOC: stick-table: add missing documentation about gpt0 stored type\n* BUG/MINOR: stick-table: fix several printf sign errors dumping tables\n* BUG/MINOR: cli: fix server name output in \u0027show fd\u0027\n* BUG/MEDIUM: sock: make sure to never miss early connection failures\n* BUG/MINOR: server/cli: Fix locking in function processing \u0027set server\u0027 command\n* BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI\n* BUG/MINOR: resolvers: answser item list was randomly purged or errors\n* DOC: config: Add missing actions in \u0027tcp-request session\u0027 documentation\n* MINOR: tcp-act: Add set-src/set-src-port for \u0027tcp-request content\u0027 rules\n* BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check\n* BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function\n* BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken\n* MINOR: mux-h2: obey http-ignore-probes during the preface\n* BUG/MAJOR: queue: set SF_ASSIGNED when setting strm-\u003etarget on dequeue\n* BUG/MINOR: mworker: fix typo in chroot error message\n* BUG/MINOR: ssl: use atomic ops to update global shctx stats\n* BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE\n* BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id\n* DOC: lua: Add a warning about buffers modification in HTTP\n* BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded\n* BUG/MEDIUM: dns: reset file descriptor if send returns an error\n* BUG/MEDIUM: compression: Add a flag to know the filter is still processing data\n* BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future\n* BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree\n* BUG/MINOR: http: Missing calloc return value check in make_arg_list\n* BUG/MINOR: http: Missing calloc return value check while parsing redirect rule\n* BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list\n* BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo\n* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule\n* BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response\n* BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy\n* BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare\n* BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture\n* BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine\n* BUG/MINOR: peers: Missing calloc return value check in peers_register_table\n* BUG/MINOR: server: Missing calloc return value check in srv_parse_source\n* BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts\n* BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response\n* BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter\n* BUG/MAJOR: server: prevent deadlock when using \u0027set maxconn server\u0027\n* BUG/MEDIUM: ebtree: Invalid read when looking for dup entry\n* REGTESTS: Add script to test abortonclose option\n* MEDIUM: mux-h1: Don\u0027t block reads when waiting for the other side\n* BUG/MINOR: stream-int: Don\u0027t block reads in si_update_rx() if chn may receive\n* MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()\n* BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port\n* BUG/MINOR: stream: Reset stream final state and si error type on L7 retry\n* BUG/MINOR: stream: properly clear the previous error mask on L7 retries\n* BUG/MINOR: stream: Decrement server current session counter on L7 retry\n* BUG/MEDIUM: cli: prevent memory leak on write errors\n* BUG/MINOR: hlua: Don\u0027t rely on top of the stack when using Lua buffers\n* MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode\n* MINOR: peers: add informative flags about resync process for debugging\n* BUG/MEDIUM: peers: reset tables stage flags stages on new conns\n* BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly\n* BUG/MEDIUM: peers: reset commitupdate value in new conns\n* BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected\n* BUG/MEDIUM: peers: stop considering ack messages teaching a full resync\n* BUG/MEDIUM: peers: register last acked value as origin receiving a resync req\n* BUG/MEDIUM: peers: initialize resync timer to get an initial full resync\n* BUG/MINOR: applet: Notify the other side if data were consumed by an applet\n* BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message\n* BUG/MEDIUM: peers: re-work refcnt on table to protect against flush\n* BUG/MEDIUM: peers: re-work connection to new process during reload.\n* BUG/MINOR: peers: remove useless table check if initial resync is finished\n* BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data\n* BUG/MINOR: mworker: don\u0027t use oldpids[] anymore for reload\n* BUG/MINOR: mworker/init: don\u0027t reset nb_oldpids in non-mworker cases\n* BUG/MEDIUM: config: fix cpu-map notation with both process and threads\n* BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames\n* BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers\n* BUG/MINOR: server: free srv.lb_nodes in free_server\n* BUG/MINOR: mux-h1: Release idle server H1 connection if data are received\n* BUG/MINOR: logs: Report the true number of retries if there was no connection\n* BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function\n* BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded\n* BUG/MEDIUM: threads: Ignore current thread to end its harmless period\n* BUG/MEDIUM: sample: Fix adjusting size in field converter\n* DOC: clarify that compression works for HTTP/2\n* BUG/MINOR: tools: fix parsing \u0027us\u0027 unit for timers\n* DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options\n* [RELEASE] Released version 2.0.22\n* BUG/MEDIUM: resolvers: Don\u0027t release resolution from a requester callbacks\n* MINOR: resolvers: Directly call srvrq_update_srv_state() when possible\n* MINOR: resolvers: Add function to change the srv status based on SRV resolution\n* MINOR: resolvers: Purge answer items when a SRV resolution triggers an error\n* MINOR: resolvers: Use a function to remove answers attached to a resolution\n* BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution\n* BUG/MAJOR: dns: disabled servers through SRV records never recover\n* BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status\n* BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields\n* BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS\n* BUG/MINOR: tcp: fix silent-drop workaround for IPv6\n* BUG/MINOR: stats: Apply proper styles in HTML status page.\n* BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent\n* BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters\n* MINOR: tools: make url2ipv4 return the exact number of bytes parsed\n* BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless\n* BUG/MEDIUM: time: make sure to always initialize the global tick\n* BUG/MEDIUM: lua: Always init the lua stack before referencing the context\n* BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback\n* MINOR: lua: Slightly improve function dumping the lua traceback\n* MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket\n* BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable\n* MINOR: time: also provide a global, monotonic global_now_ms timer\n* [RELEASE] Released version 2.0.21\n* BUG/MINOR: freq_ctr/threads: make use of the last updated global time\n* MINOR: time: export the global_now variable\n* BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames\n* BUG/MINOR: resolvers: Reset server address on DNS error only on status change\n* BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error\n* CLEANUP: tcp-rules: add missing actions in the tcp-request error message\n* BUG/MINOR: session: Add some forgotten tests on session\u0027s listener\n* BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters\n* BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached\n* BUG/MEDIUM: session: NULL dereference possible when accessing the listener\n* BUG/MINOR: ssl: don\u0027t truncate the file descriptor to 16 bits in debug mode\n* BUG/MINOR: hlua: Don\u0027t strip last non-LWS char in hlua_pushstrippedstring()\n* BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive\n* BUG/MINOR: http-ana: Don\u0027t increment HTTP error counter on read error/timeout\n* DOC: spoe: Add a note about fragmentation support in HAProxy\n* BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread \u003e 1\n* BUG/MINOR: connection: Use the client\u0027s dst family for adressless servers\n* BUG/MINOR: tcp-act: Don\u0027t forget to set the original port for IPv4 set-dst rule\n* BUG/MINOR: http-ana: Only consider dst address to process originalto option\n* BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()\n* BUG/MEDIUM: resolvers: Reset address for unresolved servers\n* BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records\n* BUG/MINOR: resolvers: new callback to properly handle SRV record errors\n* BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal\n* BUG/MEDIUM: cli/shutdown sessions: make it thread-safe\n* BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop\n* BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe\n* BUG/MINOR: sample: secure convs that accept base64 string and var name as args\n* BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok\n* BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line\n* BUG/MINOR: server: Init params before parsing a new server-state line\n* BUG/MINOR: sample: Always consider zero size string samples as unsafe\n* BUG/MINOR: checks: properly handle wrapping time in __health_adjust()\n* BUG/MINOR: session: atomically increment the tracked sessions counter\n* BUG/MINOR: server: Remove RMAINT from admin state when loading server state\n* CLEANUP: channel: fix comment in ci_putblk.\n* BUG/MINOR: server: Don\u0027t call fopen() with server-state filepath set to NULL\n* BUG/MINOR: cfgparse: do not mention \u0027addr:port\u0027 as supported on proxy lines\n* BUG/MEDIUM: config: don\u0027t pick unset values from last defaults section\n* CLEANUP: deinit: release global and per-proxy server-state variables on deinit\n* BUG/MINOR: server: Fix server-state-file-name directive\n* BUG/MINOR: backend: hold correctly lock when killing idle conn\n* BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()\n* BUG/MINOR: server: re-align state file fields number\n* BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state\n* BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty\n* BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED\n* BUG/MEDIUM: mux-h2: handle remaining read0 cases\n* BUILD: Makefile: move REGTESTST_TYPE default setting\n* BUG/MINOR: xxhash: make sure armv6 uses memcpy()\n* BUG/MEDIUM: ssl: check a connection\u0027s status before computing a handshake\n* BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list\n* DOC: management: fix \u0027show resolvers\u0027 alphabetical ordering\n* BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name\n* BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown\n* BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition\n* BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX\n* BUG/MEDIUM: mux-h2: fix read0 handling on partial frames\n* BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()\n* BUG/MINOR: peers: Wrong \u0027new_conn\u0027 value for \u0027show peers\u0027 CLI command.\n* BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable\n* BUG/MINOR: sample: Memory leak of sample_expr structure in case of error\n* BUG/MINOR: sample: check alloc_trash_chunk return value in concat()\n* [RELEASE] Released version 2.0.20\n* BUG/MINOR: sample: fix concat() converter\u0027s corruption with non-string variables\n* DOC: Add maintainers for the Prometheus exporter\n* SCRIPTS: announce-release: fix typo in help message\n* DOC: fix some spelling issues over multiple files\n* MINOR: contrib/prometheus-exporter: export build_info\n* BUILD: Makefile: exclude broken tests by default\n* BUG/MINOR: srv: do not init address if backend is disabled\n* SCRIPTS: make announce release support preparing announces before tag exists\n* SCRIPTS: improve announce-release to support different tag and versions\n* BUG/MINOR: cfgparse: Fail if the strdup() for `rule-\u003ebe.name` for `use_backend` fails\n* MINOR: atomic: don\u0027t use ; to separate instruction on aarch64.\n* BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h\n* BUILD: plock: remove dead code that causes a warning in gcc 11\n* CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps\n* CONTRIB: halog: mark the has_zero* functions unused\n* CONTRIB: halog: fix build issue caused by %L printf format\n* BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode\n* BUG/MINOR: mux-h1: Don\u0027t set CS_FL_EOI too early for protocol upgrade requests\n* BUILD: Makefile: have \u0027make clean\u0027 destroy .o/.a/.s in contrib subdirs as well\n* REGTESTS: make use of HAPROXY_ARGS and pass -dM by default\n* CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric\n* CLEANUP: lua: Remove declaration of an inexistant function\n* BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight\n* BUG/MINOR: tools: Reject size format not starting by a digit\n* BUG/MINOR: tools: make parse_time_err() more strict on the timer validity\n* DOC: email change of the DeviceAtlas maintainer\n* BUG/MEDIUM: spoa/python: Fixing references to None\n* BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments\n* BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails\n* BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations\n* DOC: spoa/python: Fixing typos in comments\n* DOC: spoa/python: Rephrasing memory related error messages\n* DOC: spoa/python: Fixing typo in IP related error messages\n* BUG/MAJOR: spoa/python: Fixing return None\n* DOC/MINOR: Fix formatting in Management Guide\n* BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times\n* MINOR: cli: add a function to look up a CLI service description\n* MINOR: actions: add a function returning a service pointer from its name\n* MINOR: actions: Export actions lookup functions\n* BUG/MINOR: lua: Some lua init operation are processed unsafe\n* BUG/MINOR: lua: Post init register function are not executed beyond the first one\n* BUG/MINOR: lua: lua-load doesn\u0027t check its parameters\n* MINOR: plock: use an ARMv8 instruction barrier for the pause instruction\n* DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section\n* BUG/MAJOR: peers: fix partial message decoding\n* BUG/MAJOR: filters: Always keep all offsets up to date during data filtering\n* BUG/MINOR: http-ana: Don\u0027t wait for the body of CONNECT requests\n* BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering\n* BUILD: http-htx: fix build warning regarding long type in printf\n* MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.\n* MINOR: spoe: Don\u0027t close connection in sync mode on processing timeout\n* BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet\n* BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches\n* BUG/MINOR: http-fetch: Extract cookie value even when no cookie name\n* BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages\n* BUG/MINOR: peers: Missing TX cache entries reset.\n* BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.\n* BUG/MINOR: lua: set buffer size during map lookups\n* BUG/MINOR: pattern: a sample marked as const could be written\n* [RELEASE] Released version 2.0.19\n* BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn\u0027t match the C-L\n* MINOR: http-htx: Add understandable errors for the errorfiles parsing\n* BUG/MEDIUM: stick-table: limit the time spent purging old entries\n* BUG/MINOR: filters: Skip disabled proxies during startup only\n* BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade\n* MINOR: server: Copy configuration file and line for server templates\n* BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup\n* BUG/MEDIUM: filters: Don\u0027t try to init filters for disabled proxies\n* BUG/MINOR: cache: Inverted variables in http_calc_maxage function\n* BUG/MINOR: lua: initialize sample before using it\n* BUG/MINOR: server: fix down_time report for stats\n* BUG/MINOR: server: fix srv downtime calcul on starting\n* BUG/MINOR: log: fix memory leak on logsrv parse error\n* BUG/MINOR: extcheck: add missing checks on extchk_setenv()\n* BUG/MAJOR: mux-h2: Don\u0027t try to send data if we know it is no longer possible\n* BUG/MINOR: http-ana: Don\u0027t send payload for internal responses to HEAD requests\n* BUG/MEDIUM: server: support changing the slowstart value from state-file\n* BUG/MINOR: queue: properly report redistributed connections\n* BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.\n* BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn\n* BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages\n* BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided\n* BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once\n* MINOR: fd: report an error message when failing initial allocations\n* BUG/MINOR: mux-h2: do not stop outgoing connections on stopping\n* BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited\n* BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().\n* BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses\n* BUG/MEDIUM: mux-h2: Don\u0027t handle pending read0 too early on streams\n* BUG/MINOR: mux-h1: Always set the session on frontend h1 stream\n* BUG/MINOR: peers: Inconsistency when dumping peer status codes.\n* MINOR: hlua: Display debug messages on stderr only in debug mode\n* BUG/MINOR: stats: fix validity of the json schema\n* MINOR: counters: fix a typo in comment\n* BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe\n* BUG/MINOR: Fix several leaks of \u0027log_tag\u0027 in init().\n* BUILD: makefile: Fix building with closefrom() support enabled\n* DOC: ssl: crt-list negative filters are only a hint\n* [RELEASE] Released version 2.0.18\n* REGTEST: make map_regm_with_backref require 1.7\n* REGTEST: make abns_socket.vtc require 1.8\n* REGTEST: fix host part in balance-uri-path-only.vtc\n* REGTESTS: add a few load balancing tests\n* DOC: agent-check: fix typo in \u0027fail\u0027 word expected reply\n* DOC: spoa-server: fix false friends `actually`\n* BUG/MEDIUM: listeners: do not pause foreign listeners\n* BUG/MINOR: config: Fix memory leak on config parse listen\n* BUG/MINOR: Fix memory leaks cfg_parse_peers\n* BUG/MEDIUM: h2: report frame bits only for handled types\n* BUG/MINOR: http-fetch: Don\u0027t set the sample type during the htx prefetch\n* BUG/MINOR: server: report correct error message for invalid port on \u0027socks4\u0027\n* BUG/MINOR: ssl: verifyhost is case sensitive\n* BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate\n* BUG/MEDIUM: http-ana: Don\u0027t wait to send 1xx responses received from servers\n* BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned\n* BUILD: threads: better workaround for late loading of libgcc_s\n* BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections\n* BUG/MINOR: auth: report valid crypto(3) support depending on build options\n* CLEANUP: Update .gitignore\n* MINOR: Commit .gitattributes\n* BUILD: thread: limit the libgcc_s workaround to glibc only\n* BUG/MINOR: threads: work around a libgcc_s issue with chrooting\n* BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()\n* BUG/MEDIUM: doc: Fix replace-path action description\n* BUG/MINOR: startup: haproxy -s cause 100% cpu\n* BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address\n* BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure\n* BUG/MINOR: contrib/spoa-server: Do not free reference to NULL\n* BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed\n* BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak\n* DOC: cache: Use \u0027\u003cname\u003e\u0027 instead of \u0027\u003cid\u003e\u0027 in error message\n* BUG/MINOR: reload: do not fail when no socket is sent\n* BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction\n* BUG/MINOR: stats: use strncmp() instead of memcmp() on health states\n* BUG/MINOR: snapshots: leak of snapshots on deinit()\n* BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation\n* BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation\n* BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime\n* BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send\n* BUG/MEDIUM: mux-h2: Don\u0027t fail if nothing is parsed for a legacy chunk response\n* SCRIPTS: git-show-backports: emit the shell command to backport a commit\n* SCRIPTS: git-show-backports: make -m most only show the left branch\n* [RELEASE] Released version 2.0.17\n* SCRIPTS: announce-release: add the link to the wiki in the announce messages\n* MINOR: stream-int: Be sure to have a mux to do sends and receives\n* MINOR: connection: Preinstall the mux for non-ssl connect\n* BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields\n* BUG/MEDIUM: dns: Don\u0027t yield in do-resolve action on a final evaluation\n* MEDIUM: lua: Add support for the Lua 5.4\n* BUG/MINOR: debug: Don\u0027t dump the lua stack if it is not initialized\n* BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received\n* BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected\n* BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed\n* BUG/MAJOR: dns: Make the do-resolve action thread-safe\n* BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete\n* BUG/MEDIUM: resolve: fix init resolving for ring and peers section.\n* BUG/MINOR: cfgparse: don\u0027t increment linenum on incomplete lines\n* BUILD: thread: add parenthesis around values of locking macros\n* MINOR: pools: increase MAX_BASE_POOLS to 64\n* BUG/MINOR: threads: Don\u0027t forget to init each thread toremove_lock.\n* REGEST: Add reg tests about error files\n* BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()\n* [RELEASE] Released version 2.0.16\n* BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked\n* BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.\n* BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode\n* CONTRIB: da: fix memory leak in dummy function da_atlas_open()\n* BUG/MINOR: sample: Free str.area in smp_check_const_meth\n* BUG/MINOR: sample: Free str.area in smp_check_const_bool\n* DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x\n* BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode\n* BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection\n* MINOR: http: Add support for http 413 status\n* BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server\n* BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready\n* MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only\n* BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()\n* BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received\n* BUG/MINOR: mux-h1: Disable splicing only if input data was processed\n* BUG/MINOR: mux-h1: Don\u0027t read data from a pipe if the mux is unable to receive\n* BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode\n* BUG/MINOR: http_act: don\u0027t check capture id in backend (2)\n* DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio\n* DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio\n* BUG/MINOR: proxy: always initialize the trash in show servers state\n* BUG/MINOR: proxy: fix dump_server_state()\u0027s misuse of the trash\n* BUG/MEDIUM: pattern: Add a trailing \\0 to match strings only if possible\n* DOC: ssl: add \u0027allow-0rtt\u0027 and \u0027ciphersuites\u0027 in crt-list\n* MINOR: cli: make \u0027show sess\u0027 stop at the last known session\n* BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL\n* REGTEST: ssl: add some ssl_c_* sample fetches test\n* REGTEST: ssl: tests the ssl_f_* sample fetches\n* MINOR: spoe: Don\u0027t systematically create new applets if processing rate is low\n* BUG/MINOR: http_ana: clarify connection pointer check on L7 retry\n* BUG/MINOR: spoe: correction of setting bits for analyzer\n* REGTEST: Add a simple script to tests errorfile directives in proxy sections\n* BUG/MINOR: systemd: Wait for network to be online\n* MEDIUM: map: make the \u0027clear map\u0027 operation yield\n* REGTEST: http-rules: test spaces in ACLs with master CLI\n* REGTEST: http-rules: test spaces in ACLs\n* BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI\n* BUG/MINOR: mworker/cli: fix the escaping in the master CLI\n* BUG/MINOR: cli: allow space escaping on the CLI\n* BUG/MINOR: spoe: add missing key length check before checking key names\n* BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks\n* BUG/MINOR: tcp-rules: tcp-response must check the buffer\u0027s fullness\n* MINOR: http: Add 404 to http-request deny\n* MINOR: http: Add 410 to http-request deny\n* [RELEASE] Released version 2.0.15\n* REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used\n* BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl \u003c 1.1.0\n* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation\n* REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv\n* BUG/MEDIUM: pattern: fix thread safety of pattern matching\n* BUG/MEDIUM: log: don\u0027t hold the log lock during writev() on a file descriptor\n* BUG/MINOR: mworker: fix a memleak when execvp() failed\n* BUG/MEDIUM: mworker: fix the reload with an -- option\n* BUG/MINOR: init: -S can have a parameter starting with a dash\n* BUG/MINOR: init: -x can have a parameter starting with a dash\n* BUG/MEDIUM: mworker: fix the copy of options in copy_argv()\n* BUILD: makefile: adjust the sed expression of \u0027make help\u0027 for solaris\n* BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version\n* BUG/MEDIUM: logs: fix trailing zeros on log message.\n* BUG/MINOR: logs: prevent double line returns in some events.\n* BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics\n* BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations\n* BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action\n* BUG/MINOR: peers: fix internal/network key type mapping.\n* SCRIPTS: publish-release: pass -n to gzip to remove timestamp\n* Revert \u0027BUG/MEDIUM: connections: force connections cleanup on server changes\u0027\n* BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf\n* BUG/MINOR: lua: Add missing string length for lua sticktable lookup\n* BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable\n* BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified\n* BUG/MINOR: cache: Don\u0027t needlessly test \u0027cache\u0027 keyword in parse_cache_flt()\n* BUILD: select: only declare existing local labels to appease clang\n* BUG/MINOR: soft-stop: always wake up waiting threads on stopping\n* BUG/MINOR: pollers: remove uneeded free in global init\n* BUG/MINOR: pools: use %u not %d to report pool stats in \u0027show pools\u0027\n* BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \\x sequence is encountered\n* BUG/MEDIUM: http_ana: make the detection of NTLM variants safer\n* BUG/MINOR: http-ana: fix NTLM response parsing again\n* BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur\n* BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT\n* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()\n* BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()\n* BUG/MINOR: sample: Set the correct type when a binary is converted to a string\n* CLEANUP: connections: align function declaration\n* BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()\n* BUG/MEDIUM: connections: force connections cleanup on server changes\n* BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure\n* BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.\n* BUG/MEDIUM: streams: Remove SF_ADDR_SET if we\u0027re retrying due to L7 retry.\n* BUG/MINOR: checks: Remove a warning about http health checks\n* BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks\n* BUG/MEDIUM: checks: Always initialize checks before starting them\n* BUG/MINOR: checks/server: use_ssl member must be signed\n* BUG/MEDIUM: server/checks: Init server check during config validity check\n* Revert \u0027BUG/MINOR: connection: make sure to correctly tag local PROXY connections\u0027\n* BUG/MEDIUM: backend: don\u0027t access a non-existing mux from a previous connection\n* REGTEST: ssl: test the client certificate authentication\n* MINOR: stream: report the list of active filters on stream crashes\n* BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock\n* BUG/MEDIUM: shctx: really check the lock\u0027s value while waiting\n* BUG/MINOR: debug: properly use long long instead of long for the thread ID\n* MINOR: threads: export the POSIX thread ID in panic dumps\n* BUG/MEDIUM: listener: mark the thread as not stuck inside the loop\n* BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream\n* BUG/MEDIUM: http: the \u0027unique-id\u0027 sample fetch could crash without a steeam\n* BUG/MEDIUM: http: the \u0027http_first_req\u0027 sample fetch could crash without a steeam\n* BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream\n* BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream\n* BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function\n* BUG/MINOR: checks: chained expect will not properly wait for enough data\n* BUG/MINOR: checks: Respect the no-check-ssl option\n* MINOR: checks: Add a way to send custom headers and payload during http chekcs\n* BUG/MINOR: check: Update server address and port to execute an external check\n* DOC: option logasap does not depend on mode\n* BUG/MINOR: http: make url_decode() optionally convert \u0027+\u0027 to SP\n* BUG/MINOR: tools: fix the i386 version of the div64_32 function\n* BUG/MEDIUM: http-ana: Handle NTLM messages correctly.\n* BUG/MINOR: ssl: default settings for ssl server options are not used\n* DOC: Improve documentation on http-request set-src\n* DOC: hashing: update link to hashing functions\n* BUG/MINOR: peers: Incomplete peers sections should be validated.\n* BUG/MINOR: protocol_buffer: Wrong maximum shifting.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-2119,SUSE-SLE-Product-HA-15-SP2-2023-2119,SUSE-SLE-Product-HA-15-SP3-2023-2119",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-fu-2023_2119-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-FU-2023:2119-1",
"url": "https://www.suse.com/support/update/announcement//suse-fu-20232119-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-FU-2023:2119-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2023-May/029205.html"
},
{
"category": "self",
"summary": "SUSE Bug 1207181",
"url": "https://bugzilla.suse.com/1207181"
},
{
"category": "self",
"summary": "SUSE Bug 1208132",
"url": "https://bugzilla.suse.com/1208132"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0056 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0056/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25725 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25725/"
}
],
"title": "Feature update for haproxy",
"tracking": {
"current_release_date": "2023-05-05T20:29:04Z",
"generator": {
"date": "2023-05-05T20:29:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-FU-2023:2119-1",
"initial_release_date": "2023-05-05T20:29:04Z",
"revision_history": [
{
"date": "2023-05-05T20:29:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150200.11.20.1.aarch64",
"product": {
"name": "haproxy-2.0.31-150200.11.20.1.aarch64",
"product_id": "haproxy-2.0.31-150200.11.20.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150200.11.20.1.i586",
"product": {
"name": "haproxy-2.0.31-150200.11.20.1.i586",
"product_id": "haproxy-2.0.31-150200.11.20.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150200.11.20.1.ppc64le",
"product": {
"name": "haproxy-2.0.31-150200.11.20.1.ppc64le",
"product_id": "haproxy-2.0.31-150200.11.20.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150200.11.20.1.s390x",
"product": {
"name": "haproxy-2.0.31-150200.11.20.1.s390x",
"product_id": "haproxy-2.0.31-150200.11.20.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.31-150200.11.20.1.x86_64",
"product": {
"name": "haproxy-2.0.31-150200.11.20.1.x86_64",
"product_id": "haproxy-2.0.31-150200.11.20.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.31-150200.11.20.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
},
"product_reference": "haproxy-2.0.31-150200.11.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0056"
}
],
"notes": [
{
"category": "general",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0056",
"url": "https://www.suse.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "SUSE Bug 1207181 for CVE-2023-0056",
"url": "https://bugzilla.suse.com/1207181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-05-05T20:29:04Z",
"details": "important"
}
],
"title": "CVE-2023-0056"
},
{
"cve": "CVE-2023-25725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25725"
}
],
"notes": [
{
"category": "general",
"text": "HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25725",
"url": "https://www.suse.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "SUSE Bug 1208132 for CVE-2023-25725",
"url": "https://bugzilla.suse.com/1208132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.31-150200.11.20.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.31-150200.11.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-05-05T20:29:04Z",
"details": "critical"
}
],
"title": "CVE-2023-25725"
}
]
}
SUSE-SU-2023:0153-1
Vulnerability from csaf_suse - Published: 2023-01-26 12:14 - Updated: 2023-01-26 12:14Summary
Security update for haproxy
Severity
Important
Notes
Title of the patch: Security update for haproxy
Description of the patch: This update for haproxy fixes the following issues:
- CVE-2023-0056: Fixed a server crash that could be triggered via a
malformed HTTP/2 frame (bsc#1207181).
Patchnames: SUSE-2023-153,SUSE-SLE-Micro-5.3-2023-153,SUSE-SLE-Product-HA-15-SP4-2023-153,openSUSE-Leap-Micro-5.3-2023-153,openSUSE-SLE-15.4-2023-153
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for haproxy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for haproxy fixes the following issues:\n\n- CVE-2023-0056: Fixed a server crash that could be triggered via a\n malformed HTTP/2 frame (bsc#1207181).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-153,SUSE-SLE-Micro-5.3-2023-153,SUSE-SLE-Product-HA-15-SP4-2023-153,openSUSE-Leap-Micro-5.3-2023-153,openSUSE-SLE-15.4-2023-153",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0153-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:0153-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20230153-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:0153-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-January/013533.html"
},
{
"category": "self",
"summary": "SUSE Bug 1207181",
"url": "https://bugzilla.suse.com/1207181"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0056 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0056/"
}
],
"title": "Security update for haproxy",
"tracking": {
"current_release_date": "2023-01-26T12:14:22Z",
"generator": {
"date": "2023-01-26T12:14:22Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:0153-1",
"initial_release_date": "2023-01-26T12:14:22Z",
"revision_history": [
{
"date": "2023-01-26T12:14:22Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"product": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"product_id": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.i586",
"product": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.i586",
"product_id": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"product": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"product_id": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"product": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"product_id": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"product": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"product_id": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp4"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap Micro 5.3",
"product": {
"name": "openSUSE Leap Micro 5.3",
"product_id": "openSUSE Leap Micro 5.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap-micro:5.3"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 as component of openSUSE Leap Micro 5.3",
"product_id": "openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 as component of openSUSE Leap Micro 5.3",
"product_id": "openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
},
"product_reference": "haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0056"
}
],
"notes": [
{
"category": "general",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0056",
"url": "https://www.suse.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "SUSE Bug 1207181 for CVE-2023-0056",
"url": "https://bugzilla.suse.com/1207181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"SUSE Linux Enterprise Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.ppc64le",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.s390x",
"openSUSE Leap 15.4:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64",
"openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.aarch64",
"openSUSE Leap Micro 5.3:haproxy-2.4.8+git0.d1f8d41e0-150400.3.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-01-26T12:14:22Z",
"details": "important"
}
],
"title": "CVE-2023-0056"
}
]
}
SUSE-SU-2023:0412-1
Vulnerability from csaf_suse - Published: 2023-02-14 16:07 - Updated: 2023-02-14 16:07Summary
Security update for haproxy
Severity
Critical
Notes
Title of the patch: Security update for haproxy
Description of the patch: This update for haproxy fixes the following issues:
- CVE-2023-25725: Fixed a serious vulnerability in the HTTP/1 parser (bsc#1208132).
- CVE-2023-0056: Fixed denial of service via crash in http_wait_for_response() (bsc#1207181).
Patchnames: SUSE-2023-412,SUSE-SLE-Product-HA-15-SP1-2023-412
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.3 (Critical)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for haproxy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for haproxy fixes the following issues:\n\n- CVE-2023-25725: Fixed a serious vulnerability in the HTTP/1 parser (bsc#1208132).\n- CVE-2023-0056: Fixed denial of service via crash in http_wait_for_response() (bsc#1207181).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-412,SUSE-SLE-Product-HA-15-SP1-2023-412",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0412-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:0412-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20230412-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:0412-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013763.html"
},
{
"category": "self",
"summary": "SUSE Bug 1207181",
"url": "https://bugzilla.suse.com/1207181"
},
{
"category": "self",
"summary": "SUSE Bug 1208132",
"url": "https://bugzilla.suse.com/1208132"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0056 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0056/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25725 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25725/"
}
],
"title": "Security update for haproxy",
"tracking": {
"current_release_date": "2023-02-14T16:07:15Z",
"generator": {
"date": "2023-02-14T16:07:15Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:0412-1",
"initial_release_date": "2023-02-14T16:07:15Z",
"revision_history": [
{
"date": "2023-02-14T16:07:15Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150100.8.27.1.aarch64",
"product": {
"name": "haproxy-2.0.14-150100.8.27.1.aarch64",
"product_id": "haproxy-2.0.14-150100.8.27.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150100.8.27.1.i586",
"product": {
"name": "haproxy-2.0.14-150100.8.27.1.i586",
"product_id": "haproxy-2.0.14-150100.8.27.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150100.8.27.1.ppc64le",
"product": {
"name": "haproxy-2.0.14-150100.8.27.1.ppc64le",
"product_id": "haproxy-2.0.14-150100.8.27.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150100.8.27.1.s390x",
"product": {
"name": "haproxy-2.0.14-150100.8.27.1.s390x",
"product_id": "haproxy-2.0.14-150100.8.27.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150100.8.27.1.x86_64",
"product": {
"name": "haproxy-2.0.14-150100.8.27.1.x86_64",
"product_id": "haproxy-2.0.14-150100.8.27.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150100.8.27.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64"
},
"product_reference": "haproxy-2.0.14-150100.8.27.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150100.8.27.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le"
},
"product_reference": "haproxy-2.0.14-150100.8.27.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150100.8.27.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x"
},
"product_reference": "haproxy-2.0.14-150100.8.27.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150100.8.27.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
},
"product_reference": "haproxy-2.0.14-150100.8.27.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0056"
}
],
"notes": [
{
"category": "general",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0056",
"url": "https://www.suse.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "SUSE Bug 1207181 for CVE-2023-0056",
"url": "https://bugzilla.suse.com/1207181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-14T16:07:15Z",
"details": "important"
}
],
"title": "CVE-2023-0056"
},
{
"cve": "CVE-2023-25725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25725"
}
],
"notes": [
{
"category": "general",
"text": "HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25725",
"url": "https://www.suse.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "SUSE Bug 1208132 for CVE-2023-25725",
"url": "https://bugzilla.suse.com/1208132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.14-150100.8.27.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-14T16:07:15Z",
"details": "critical"
}
],
"title": "CVE-2023-25725"
}
]
}
SUSE-SU-2023:0413-1
Vulnerability from csaf_suse - Published: 2023-02-14 16:07 - Updated: 2023-02-14 16:07Summary
Security update for haproxy
Severity
Critical
Notes
Title of the patch: Security update for haproxy
Description of the patch: This update for haproxy fixes the following issues:
- CVE-2023-25725: Fixed a serious vulnerability in the HTTP/1 parser (bsc#1208132).
- CVE-2023-0056: Fixed denial of service via crash in http_wait_for_response() (bsc#1207181).
Patchnames: SUSE-2023-413,SUSE-SLE-Product-HA-15-SP2-2023-413,SUSE-SLE-Product-HA-15-SP3-2023-413
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.3 (Critical)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for haproxy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for haproxy fixes the following issues:\n\n- CVE-2023-25725: Fixed a serious vulnerability in the HTTP/1 parser (bsc#1208132).\n- CVE-2023-0056: Fixed denial of service via crash in http_wait_for_response() (bsc#1207181).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-413,SUSE-SLE-Product-HA-15-SP2-2023-413,SUSE-SLE-Product-HA-15-SP3-2023-413",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0413-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:0413-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20230413-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:0413-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013762.html"
},
{
"category": "self",
"summary": "SUSE Bug 1207181",
"url": "https://bugzilla.suse.com/1207181"
},
{
"category": "self",
"summary": "SUSE Bug 1208132",
"url": "https://bugzilla.suse.com/1208132"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0056 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0056/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25725 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25725/"
}
],
"title": "Security update for haproxy",
"tracking": {
"current_release_date": "2023-02-14T16:07:30Z",
"generator": {
"date": "2023-02-14T16:07:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:0413-1",
"initial_release_date": "2023-02-14T16:07:30Z",
"revision_history": [
{
"date": "2023-02-14T16:07:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150200.11.15.1.aarch64",
"product": {
"name": "haproxy-2.0.14-150200.11.15.1.aarch64",
"product_id": "haproxy-2.0.14-150200.11.15.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150200.11.15.1.i586",
"product": {
"name": "haproxy-2.0.14-150200.11.15.1.i586",
"product_id": "haproxy-2.0.14-150200.11.15.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150200.11.15.1.ppc64le",
"product": {
"name": "haproxy-2.0.14-150200.11.15.1.ppc64le",
"product_id": "haproxy-2.0.14-150200.11.15.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150200.11.15.1.s390x",
"product": {
"name": "haproxy-2.0.14-150200.11.15.1.s390x",
"product_id": "haproxy-2.0.14-150200.11.15.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-2.0.14-150200.11.15.1.x86_64",
"product": {
"name": "haproxy-2.0.14-150200.11.15.1.x86_64",
"product_id": "haproxy-2.0.14-150200.11.15.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-2.0.14-150200.11.15.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
},
"product_reference": "haproxy-2.0.14-150200.11.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0056"
}
],
"notes": [
{
"category": "general",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0056",
"url": "https://www.suse.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "SUSE Bug 1207181 for CVE-2023-0056",
"url": "https://bugzilla.suse.com/1207181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-14T16:07:30Z",
"details": "important"
}
],
"title": "CVE-2023-0056"
},
{
"cve": "CVE-2023-25725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25725"
}
],
"notes": [
{
"category": "general",
"text": "HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25725",
"url": "https://www.suse.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "SUSE Bug 1208132 for CVE-2023-25725",
"url": "https://bugzilla.suse.com/1208132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:haproxy-2.0.14-150200.11.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:haproxy-2.0.14-150200.11.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-14T16:07:30Z",
"details": "critical"
}
],
"title": "CVE-2023-25725"
}
]
}
WID-SEC-W-2023-0097
Vulnerability from csaf_certbund - Published: 2023-01-15 23:00 - Updated: 2024-01-17 23:00Summary
HAProxy: Schwachstelle ermöglicht Denial of Service
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: HAProxy Enterprise ist ein weit verbreiteter Open Source Software Load Balancer und Application Delivery Controller.
Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HAProxy ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme: - UNIX
- Linux
Es existiert eine Schwachstelle in HAProxy. Nach dem Aufruf von "http_get_stline(htx)" in "http_wait_for_response" hat die Variable "sl" (start line) den Wert "NULL". Dadurch kommt es zu einem Segmentierungsfehler. Ein Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen.
Affected products
Known affected
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM Security Verify Access 10.0.0.0 - 10.0.6.1
IBM
|
cpe:/a:ibm:security_verify_access:10.0.0.0_-_10.0.6.1
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
HAProxy Enterprise 2.5
HAProxy / Enterprise
|
cpe:/a:haproxy:haproxy:2.5
|
— | |
|
HAProxy Enterprise 2.4
HAProxy / Enterprise
|
cpe:/a:haproxy:haproxy:2.4
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
HAProxy Enterprise 2.7
HAProxy / Enterprise
|
cpe:/a:haproxy:haproxy:2.7
|
— | |
|
HAProxy Enterprise 2.6
HAProxy / Enterprise
|
cpe:/a:haproxy:haproxy:2.6
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
HAProxy Enterprise 2.2
HAProxy / Enterprise
|
cpe:/a:haproxy:haproxy:2.2
|
— | |
|
HAProxy Enterprise 2.0
HAProxy / Enterprise
|
cpe:/a:haproxy:haproxy:2.0
|
— |
References
13 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "HAProxy Enterprise ist ein weit verbreiteter Open Source Software Load Balancer und Application Delivery Controller.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HAProxy ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0097 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0097.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0097 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0097"
},
{
"category": "external",
"summary": "RedHat Bugzilla vom 2023-01-15",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-5819-1 vom 2023-01-23",
"url": "https://ubuntu.com/security/notices/USN-5819-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2023:0153-1 vom 2023-01-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-January/013533.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2023:0413-1 vom 2023-02-14",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013762.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2023:0412-1 vom 2023-02-14",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013763.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-5348 vom 2023-02-15",
"url": "https://www.debian.org/security/2023/dsa-5348"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1696 vom 2023-04-11",
"url": "https://access.redhat.com/errata/RHSA-2023:1696"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2023-1696 vom 2023-04-11",
"url": "https://linux.oracle.com/errata/ELSA-2023-1696.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1978 vom 2023-04-25",
"url": "https://access.redhat.com/errata/RHSA-2023:1978"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASHAPROXY2-2023-004 vom 2023-09-27",
"url": "https://alas.aws.amazon.com/AL2/ALASHAPROXY2-2023-004.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7108821 vom 2024-01-17",
"url": "https://www.ibm.com/support/pages/node/7108821"
}
],
"source_lang": "en-US",
"title": "HAProxy: Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2024-01-17T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:41:27.059+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0097",
"initial_release_date": "2023-01-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-01-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-01-23T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2023-01-26T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2023-02-14T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2023-02-15T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2023-02-16T23:00:00.000+00:00",
"number": "6",
"summary": "Referenz(en) aufgenommen: FEDORA-2023-7E04833463, FEDORA-2023-3E8A21CD5B"
},
{
"date": "2023-04-11T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2023-04-24T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-09-27T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-01-17T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "10"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "HAProxy Enterprise 2.0",
"product": {
"name": "HAProxy Enterprise 2.0",
"product_id": "T025841",
"product_identification_helper": {
"cpe": "cpe:/a:haproxy:haproxy:2.0"
}
}
},
{
"category": "product_name",
"name": "HAProxy Enterprise 2.2",
"product": {
"name": "HAProxy Enterprise 2.2",
"product_id": "T025842",
"product_identification_helper": {
"cpe": "cpe:/a:haproxy:haproxy:2.2"
}
}
},
{
"category": "product_name",
"name": "HAProxy Enterprise 2.4",
"product": {
"name": "HAProxy Enterprise 2.4",
"product_id": "T025843",
"product_identification_helper": {
"cpe": "cpe:/a:haproxy:haproxy:2.4"
}
}
},
{
"category": "product_name",
"name": "HAProxy Enterprise 2.5",
"product": {
"name": "HAProxy Enterprise 2.5",
"product_id": "T025844",
"product_identification_helper": {
"cpe": "cpe:/a:haproxy:haproxy:2.5"
}
}
},
{
"category": "product_name",
"name": "HAProxy Enterprise 2.6",
"product": {
"name": "HAProxy Enterprise 2.6",
"product_id": "T025845",
"product_identification_helper": {
"cpe": "cpe:/a:haproxy:haproxy:2.6"
}
}
},
{
"category": "product_name",
"name": "HAProxy Enterprise 2.7",
"product": {
"name": "HAProxy Enterprise 2.7",
"product_id": "T025846",
"product_identification_helper": {
"cpe": "cpe:/a:haproxy:haproxy:2.7"
}
}
}
],
"category": "product_name",
"name": "Enterprise"
}
],
"category": "vendor",
"name": "HAProxy"
},
{
"branches": [
{
"category": "product_name",
"name": "IBM Security Verify Access 10.0.0.0 - 10.0.6.1",
"product": {
"name": "IBM Security Verify Access 10.0.0.0 - 10.0.6.1",
"product_id": "T031895",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_verify_access:10.0.0.0_-_10.0.6.1"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0056",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in HAProxy. Nach dem Aufruf von \"http_get_stline(htx)\" in \"http_wait_for_response\" hat die Variable \"sl\" (start line) den Wert \"NULL\". Dadurch kommt es zu einem Segmentierungsfehler. Ein Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen."
}
],
"product_status": {
"known_affected": [
"T031895",
"67646",
"T004914",
"2951",
"T002207",
"T025844",
"T025843",
"T000126",
"T025846",
"T025845",
"398363",
"T025842",
"T025841"
]
},
"release_date": "2023-01-15T23:00:00.000+00:00",
"title": "CVE-2023-0056"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…