Описание
Security update for haproxy
This update for haproxy fixes the following issues:
- CVE-2019-18277: Fixed HTTP smuggling in messages with transfer-encoding header missing the 'chunked' value (bsc#1154980).
Список пакетов
HPE Helion OpenStack 8
haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability Extension 12 SP3
haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability Extension 12 SP4
haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability Extension 12 SP5
haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud 7
haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud 8
haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud 9
haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud Crowbar 8
haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud Crowbar 9
haproxy-1.6.11-11.3.1
Ссылки
- Link for SUSE-SU-2019:3288-1
- E-Mail link for SUSE-SU-2019:3288-1
- SUSE Security Ratings
- SUSE Bug 1154980
- SUSE CVE CVE-2019-18277 page
Описание
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
Затронутые продукты
HPE Helion OpenStack 8:haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability Extension 12 SP3:haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability Extension 12 SP4:haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability Extension 12 SP5:haproxy-1.6.11-11.3.1
Ссылки
- CVE-2019-18277
- SUSE Bug 1154980