Bug 1168023 - (CVE-2020-11100) VUL-0: CVE-2020-11100: haproxy: H2/HPACK vulnerability
(CVE-2020-11100)
VUL-0: CVE-2020-11100: haproxy: H2/HPACK vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Dario Maiocchi
Security Team bot
https://smash.suse.de/issue/256061/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-03-30 06:39 UTC by Robert Frohl
Modified: 2021-04-19 09:26 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 13 Robert Frohl 2020-04-02 13:15:23 UTC
HAProxy was released on 2020/04/02.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

There is no configuration-based workaround for 2.1 and above.

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result and by a far margin will be a process crash, but it is
not possible to completely rule out the faint possibility of a remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time to haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.
Comment 14 Robert Frohl 2020-04-02 13:15:43 UTC
public via mailinglist
Comment 15 Swamp Workflow Management 2020-04-02 14:20:05 UTC
This is an autogenerated message for OBS integration:
This bug (1168023) was mentioned in
https://build.opensuse.org/request/show/790908 Factory / haproxy
https://build.opensuse.org/request/show/790909 15.2 / haproxy
Comment 16 Swamp Workflow Management 2020-04-02 16:20:42 UTC
SUSE-SU-2020:0851-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1168023
CVE References: CVE-2020-11100
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    haproxy-2.0.10+git0.ac198b92-8.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-04-02 16:33:58 UTC
SUSE-SU-2020:0852-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1168023
CVE References: CVE-2020-11100
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    haproxy-2.0.10+git0.ac198b92-3.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-04-04 13:12:56 UTC
openSUSE-SU-2020:0444-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1168023
CVE References: CVE-2020-11100
Sources used:
openSUSE Leap 15.1 (src):    haproxy-2.0.10+git0.ac198b92-lp151.2.9.1
Comment 19 Swamp Workflow Management 2020-04-06 12:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1168023) was mentioned in
https://build.opensuse.org/request/show/791752 15.2 / haproxy
Comment 23 Alexandros Toptsoglou 2021-04-08 15:45:49 UTC
Done