Description
Security update for haproxy
This update for haproxy fixes the following issues:
- CVE-2023-40225: Fixed request smuggling with empty content-length header value (bsc#1214102).
Package list
SUSE Linux Enterprise High Availability Extension 15 SP4
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
SUSE Linux Enterprise High Availability Extension 15 SP5
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
SUSE Linux Enterprise Micro 5.3
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
SUSE Linux Enterprise Micro 5.4
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
openSUSE Leap 15.4
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
openSUSE Leap 15.5
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
openSUSE Leap Micro 5.3
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
openSUSE Leap Micro 5.4
haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
References
- Link for SUSE-SU-2023:3469-1
- E-Mail link for SUSE-SU-2023:3469-1
- SUSE Security Ratings
- SUSE Bug 1214102
- SUSE CVE CVE-2023-40225 page
Description
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
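The check below is an added example, not code from this advisory or from HAProxy: it flags Content-Length values in an HTTP/1 request head that do not match the `1*DIGIT` grammar of RFC 9110 section 8.6, including the empty value this CVE concerns. The function name and the sample requests (host `app.example`) are constructed for illustration, and treating anything other than a single digit string as a finding is a strictness choice assumed here.

```python
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (at least one digit, nothing else).
_CL_VALUE = re.compile(rb"[0-9]+")


def content_length_findings(raw_head: bytes) -> list[str]:
    """Return problems found in the Content-Length headers of a request head.

    raw_head is the request line plus header lines, CRLF-separated.
    (Hypothetical helper written for this example.)
    """
    findings = []
    values = []
    for line in raw_head.split(b"\r\n")[1:]:  # skip the request line
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if not sep or name.lower() != b"content-length":
            continue
        value = value.strip(b" \t")  # optional whitespace around the value
        if value == b"":
            # The case in CVE-2023-40225: header present, value empty.
            findings.append("empty Content-Length value")
        elif not _CL_VALUE.fullmatch(value):
            findings.append(f"non-numeric Content-Length value: {value!r}")
        values.append(value)
    if len(set(values)) > 1:
        # Two hops may each pick a different value to frame the body.
        findings.append("conflicting Content-Length values")
    return findings


# Constructed sample request heads (not taken from the advisory).
VALID = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 11\r\n"
EMPTY = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length:\r\n"
SIGNED = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: +5\r\n"
MIXED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 11\r\nContent-Length:\r\n")

if __name__ == "__main__":
    for label, head in [("valid", VALID), ("empty", EMPTY),
                        ("signed", SIGNED), ("mixed", MIXED)]:
        print(label, content_length_findings(head))
```

A front end or log pipeline that sees any finding for a request can reject or alert on it rather than forward it to an HTTP/1 back end.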
Affected products
SUSE Linux Enterprise High Availability Extension 15 SP4:haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
SUSE Linux Enterprise High Availability Extension 15 SP5:haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
SUSE Linux Enterprise Micro 5.3:haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
SUSE Linux Enterprise Micro 5.4:haproxy-2.4.22+git0.f8e3218e2-150400.3.16.1
References
- CVE-2023-40225
- SUSE Bug 1214102