Bugzilla – Bug 1196408
VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
Last modified: 2022-07-06 07:15:48 UTC
A flaw was found in haproxy. Anybody who can add a "set-cookie2 X=Y" header into the return path from their server/backend will kill haproxy in 2.2 (and onwards), resulting in a denial of service.
make update to latest 2.4
merge: origin/v2.4.8 - not something we can merge
Already up to date.
According to the patch  v2.4.8 is still vulnerable.
I checked the source code of the following packages:
- SUSE:SLE-12-SP2:Update/haproxy 1.6.15
- SUSE:SLE-12-SP5:Update/haproxy 1.6.15
- SUSE:SLE-15-SP1:Update/haproxy 2.0.14
- SUSE:SLE-15-SP2:Update/haproxy 2.0.14
- SUSE:SLE-15-SP4:Update/haproxy 2.4.8+git0.d1f8d41e0
- SUSE:SLE-15:Update/haproxy 2.0.14
- openSUSE:Factory/haproxy 2.5.4+git0.e55ab4208
openSUSE:Factory/haproxy-2.5.4+git0.e55ab4208 already contains the patch, while SUSE:SLE-15-SP4:Update/haproxy does not. All the other codestreams are not affected.
Please backport the above-mentioned patch to SUSE:SLE-15-SP4:Update/haproxy.
And please _do not_ close security-related issues yourself, instead reassign them back to firstname.lastname@example.org
SUSE-SU-2022:2277-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1196408
CVE References: CVE-2022-0711
openSUSE Leap 15.4 (src): haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13
SUSE Linux Enterprise High Availability 15-SP4 (src): haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.