Bugzilla – Bug 1168023
VUL-0: CVE-2020-11100: haproxy: H2/HPACK vulnerability
Last modified: 2021-04-19 09:26:01 UTC
HAProxy was released on 2020/04/02. The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue. There is no configuration-based workaround for 2.1 and above. This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process's heap, with the limitation that the attacker doesn't control the absolute address, so the most likely result, and by a far margin, will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment. Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time for haproxy users to apply updates. But please do not wait, as it is not very difficult to figure out how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.
public via mailinglist
This is an autogenerated message for OBS integration: This bug (1168023) was mentioned in
https://build.opensuse.org/request/show/790908 Factory / haproxy
https://build.opensuse.org/request/show/790909 15.2 / haproxy
SUSE-SU-2020:0851-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1168023
CVE References: CVE-2020-11100
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src): haproxy-2.0.10+git0.ac198b92-8.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0852-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1168023
CVE References: CVE-2020-11100
Sources used:
SUSE Linux Enterprise High Availability 15 (src): haproxy-2.0.10+git0.ac198b92-3.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0444-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1168023
CVE References: CVE-2020-11100
Sources used:
openSUSE Leap 15.1 (src): haproxy-2.0.10+git0.ac198b92-lp151.2.9.1
This is an autogenerated message for OBS integration: This bug (1168023) was mentioned in
https://build.opensuse.org/request/show/791752 15.2 / haproxy
Done