Description
Security update for haproxy
This update for haproxy fixes the following issues:
- CVE-2023-45539: Fixed misinterpretation of a path_end rule with # as part of the URI component (bsc#1217653).
- CVE-2023-40225: Reject any empty Content-Length header value (bsc#1214102).
Package list
SUSE Linux Enterprise High Availability Extension 15 SP1
haproxy-2.0.31-150100.8.34.1
References
- Link for SUSE-SU-2023:4646-1
- E-Mail link for SUSE-SU-2023:4646-1
- SUSE Security Ratings
- SUSE Bug 1214102
- SUSE Bug 1217653
- SUSE CVE CVE-2023-40225 page
- SUSE CVE CVE-2023-45539 page
Description
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Affected products
SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.34.1
References
- CVE-2023-40225
- SUSE Bug 1214102
Description
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
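As an added example (not HAProxy's own code), the Python below checks a raw HTTP/1 request head for the two conditions described in this advisory, an empty Content-Length value (CVE-2023-40225) and a '#' inside the request-target (CVE-2023-45539), and shows why a naive path_end-style suffix match classifies index.html#.png as a .png. The parser, the function names and the sample request are assumptions made for the illustration.

```python
import re
from typing import List, Optional, Tuple

# Request line of an HTTP/1.0 or HTTP/1.1 request head (constructed regex).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request_head(raw: bytes) -> dict:
    """Split a raw request head into method, request-target and header pairs."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def content_length_problem(headers: List[Tuple[bytes, bytes]]) -> Optional[str]:
    """Return why the Content-Length header(s) must be rejected, or None if fine.

    RFC 9110 section 8.6 only allows a non-negative decimal integer; an empty
    value is the case this advisory fixes, since a downstream HTTP/1 server
    may read the body as a separate request."""
    values = [v for n, v in headers if n == b"content-length"]
    for v in values:
        if v == b"":
            return "empty Content-Length value"
        if not v.isdigit():
            return "non-numeric Content-Length value"
    if len({int(v) for v in values}) > 1:
        return "conflicting Content-Length values"
    return None


def naive_path_end(target: bytes, suffix: bytes) -> bool:
    """A path_end-style match that takes everything before '?' as the path.

    Because '#' is not stripped, '/index.html#.png' ends with '.png' here."""
    return target.split(b"?", 1)[0].endswith(suffix)


def route(target: bytes) -> str:
    """Reject a '#' in the request-target, then route by suffix as a path_end ACL would."""
    if b"#" in target:
        raise ValueError("'#' is not allowed in a request-target")
    return "static" if naive_path_end(target, b".png") else "app"
```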
Affected products
SUSE Linux Enterprise High Availability Extension 15 SP1:haproxy-2.0.31-150100.8.34.1
References
- CVE-2023-45539
- SUSE Bug 1217653