Bugzilla – Bug 1196408
VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
Last modified: 2022-07-06 07:15:48 UTC
rh#2053666 A flaw was found in haproxy. Anybody who can add a "set-cookie2 X=Y" header into the return path from their server/backend will kill haproxy in 2.2 (and onwards), resulting in a denial of service. References: https://bugzilla.redhat.com/show_bug.cgi?id=2053666 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0711
done
make update to latest 2.4
3378ea683b1579bf2f791545e154b2c76d48414c merge: origin/v2.4.8 - not something we can merge Already up to date.
According to the patch [0] v2.4.8 is still vulnerable. I checked the source code of the following packages: - SUSE:SLE-12-SP2:Update/haproxy 1.6.15 - SUSE:SLE-12-SP5:Update/haproxy 1.6.15 - SUSE:SLE-15-SP1:Update/haproxy 2.0.14 - SUSE:SLE-15-SP2:Update/haproxy 2.0.14 - SUSE:SLE-15-SP4:Update/haproxy 2.4.8+git0.d1f8d41e0 - SUSE:SLE-15:Update/haproxy 2.0.14 - openSUSE:Factory/haproxy 2.5.4+git0.e55ab4208 openSUSE:Factory/haproxy-2.5.4+git0.e55ab4208 already contains the patch, while SUSE:SLE-15-SP4:Update/haproxy does not. All the other codestreams are not affected. Please backport the above-mentioned patch to SUSE:SLE-15-SP4:Update/haproxy. And please _do not_ close security-related issues yourself, instead reassign them back to security-team@suse.de [0] https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
SUSE-SU-2022:2277-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1196408 CVE References: CVE-2022-0711 JIRA References: Sources used: openSUSE Leap 15.4 (src): haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13 SUSE Linux Enterprise High Availability 15-SP4 (src): haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.