CVE-2024-53008 (GCVE-0-2024-53008)
Vulnerability from cvelistv5
Published
2024-11-28 02:10
Modified
2024-11-29 20:55
Severity
CVSS v3.0 base score 5.3 (MEDIUM), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (assigned by jpcert). CISA SSVC assessment (2024-11-29): Exploitation: none; Automatable: yes; Technical Impact: partial.
CWE
- CWE-444 - Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling')
Summary
Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
References
- https://www.haproxy.org/
- https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=1afca10150ac3e4e2224055cc31b6f1e4a70efe2
- https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=01c1056a44823c5ffb8f74660b32c099d9b5355b
- https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=4bcaece344c8738dac1ab5bd8cc81e2a22701d71
- https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=95a607c4b3af09be2a495b9c2872ea252ccff603
- https://jvn.jp/en/jp/JVN88385716/
Impacted products
Vendor | Product | Version
---|---|---
HAProxy Project | HAProxy 2.6 | 2.6.18 and earlier
HAProxy Project | HAProxy 2.8 | 2.8.10 and earlier
HAProxy Project | HAProxy 2.9 | 2.9.9 and earlier
HAProxy Project | HAProxy 3.0 | 3.0.2 and earlier
suse-su-2024:4390-1
Vulnerability from csaf_suse
Published
2024-12-20 09:06
Modified
2024-12-20 09:06
Summary
Security update for haproxy
Notes
Title of the patch
Security update for haproxy
Description of the patch
This update for haproxy fixes the following issues:
- CVE-2024-53008: Fixed HTTP/3 request smuggling via malformed HTTP headers forwarded to an HTTP/1.1 non-compliant back-end server (bsc#1233973)
Other fixes:
- Update to version 2.8.11
Patchnames
SUSE-2024-4390,SUSE-SLE-Product-HA-15-SP6-2024-4390,openSUSE-SLE-15.6-2024-4390
Fixed packages
haproxy-2.8.11+git0.01c1056a4-150600.3.3.1 (aarch64, ppc64le, s390x, x86_64) for SUSE Linux Enterprise High Availability Extension 15 SP6 and openSUSE Leap 15.6. To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Severity
moderate (SUSE rating); CVSS v3.1 base score 6.5 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
- https://www.suse.com/support/update/announcement/2024/suse-su-20244390-1/
- https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_4390-1.json
- https://lists.suse.com/pipermail/sle-security-updates/2024-December/020037.html
- https://bugzilla.suse.com/1233973
- https://www.suse.com/security/cve/CVE-2024-53008/
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
suse-su-2025:20230-1
Vulnerability from csaf_suse
Published
2025-03-05 14:55
Modified
2025-03-05 14:55
Summary
Security update for haproxy
Notes
Title of the patch
Security update for haproxy
Description of the patch
This update for haproxy fixes the following issues:
Update to version 2.8.11+git0.01c1056a4:
* VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to an HTTP/1.1 non-compliant back-end server (bsc#1233973)
* BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
* BUG/MEDIUM: promex: Wait to have the request before sending the response
* BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
* BUG/MEDIUM: queue: implement a flag to check for the dequeuing
* BUG/MINOR: clock: validate that now_offset still applies to the current date
* BUG/MINOR: clock: make time jump corrections a bit more accurate
* BUG/MINOR: polling: fix time reporting when using busy polling
* BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
* BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
* BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
* BUG/MEDIUM: clock: detect and cover jumps during execution
* REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
* DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
* BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
* BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
* BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
* BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full
* BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
* BUG/MEDIUM: clock: also update the date offset on time jumps
* DOC: config: correct the table for option tcplog
* BUG/MINOR: h3: properly reject too long header responses
* BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
* BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
* REGTESTS: mcli: test the pipelined commands on master CLI
* BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
* MINOR: channel: implement ci_insert() function
* BUG/MINOR: proto_tcp: keep error msg if listen() fails
* BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
* BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
* BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
* BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
* BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
* BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
* BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
* BUG/MINOR: fcgi-app: handle a possible strdup() failure
* BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
* BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
* BUG/MEDIUM: http-ana: Report error on write error waiting for the response
* BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
* BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
* BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
* BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
* BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
* BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
* MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
* BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
* MINOR: queue: add a function to check for TOCTOU after queueing
* BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
* BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
* BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
* BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
* BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
* DOC: config: improve the http-keep-alive section
* DOC: configuration: issuers-chain-path not compatible with OCSP
* BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
* BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
* BUG/MINOR: session: Eval L4/L5 rules defined in the default section
* BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
* BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
* BUG/MEDIUM: h1: Reject empty Transfer-encoding header
* BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
* BUG/MINOR: h1: Fail to parse empty transfer coding names
* BUG/MINOR: jwt: fix variable initialisation
* DOC: configuration: update maxconn description
* BUG/MINOR: jwt: don't try to load files with HMAC algorithm
* MEDIUM: ssl: initialize the SSL stack explicitly
* DOC: configuration: more details about the master-worker mode
* BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
* BUG/MINOR: quic: fix race-condition on trace for CID retrieval
* BUG/MINOR: quic: fix race condition in qc_check_dcid()
* BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
* BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
* BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
* MINOR: activity: make the memory profiling hash size configurable at build time
* BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
* BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
* BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
* BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
* DOC: api/event_hdl: small updates, fix an example and add some precisions
* SCRIPTS: git-show-backports: do not truncate git-show output
* DOC: configuration: fix alphabetical order of bind options
* DOC: management: rename show stats domain cli "dns" to "resolvers"
* DOC/MINOR: management: add missed -dR and -dv options
* BUG/MINOR: proxy: fix header_unique_id leak on deinit()
* BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
* BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
* BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
* BUG/MINOR: proxy: fix log_tag leak on deinit()
* BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
* BUG/MINOR: quic: fix computed length of emitted STREAM frames
* [RELEASE] Released version 2.8.10
* BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
* BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
* BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
* BUG/MAJOR: server: do not delete srv referenced by session
* MINOR: session: rename private conns elements
* BUG/MEDIUM: quic: fix connection freeze on post handshake
* BUG/MEDIUM: server: fix dynamic servers initial settings
* BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+RSA configuration
* CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
* BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
* BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
* BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
* BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
* CLEANUP: hlua: use hlua_pusherror() where relevant
* BUG/MINOR: quic: prevent crash on qc_kill_conn()
* BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
* BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
* BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
* BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
* BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
* BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
* CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
* BUILD: fd: errno is also needed without poll()
* CI: scripts: fix build of vtest regarding option -C
* REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
* DOC: config: fix incorrect section reference about custom log format
* DOC: quic: specify that connection migration is not supported
* BUG/MINOR: server: Don't reset resolver options on a new default-server line
* BUG/MINOR: http-htx: Support default path during scheme based normalization
* BUG/MINOR: quic: adjust restriction for stateless reset emission
* MEDIUM: config: prevent communication with privileged ports
* BUILD: quic: fix unused variable warning when threads are disabled
* BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
* BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
* BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
* BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
* DOC: configuration: update the crt-list documentation
* CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
* BUG/MINOR: stats: Don't state the 303 redirect response is chunked
* BUG/MINOR: http-ana/stats: Specify that HTX redirect messages have a C-L header
* BUG/MEDIUM: fd: prevent memory waste in fdtab array
* BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
* BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
* BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
* BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
* BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
* BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
* BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
* BUG/MINOR: log: smp_rgs array issues with inherited global log directives
* BUG/MINOR: log: keep the ref in dup_logger()
* MINOR: log: add dup_logsrv() helper function
* DOC: lua: fix filters.txt file location
* BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
* BUILD: clock: improve check for pthread_getcpuclockid()
* BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
* BUG/MINOR: h1: fix detection of upper bytes in the URI
* BUG/MINOR: backend: use cum_sess counters instead of cum_conn
* BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
* BUG/MINOR: sock: handle a weird condition with connect()
* BUG/MINOR: stconn: Fix sc_mux_strm() return value
* BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
* BUG/MINOR: server: fix slowstart behavior
* BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
* BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
* BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
* BUG/MEDIUM: evports: do not clear returned events list on signal
* BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
* BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
* MINOR: net_helper: Add support for floats/doubles.
* CI: revert kernel addr randomization introduced in 3a0fc864
* BUG/MEDIUM: peers/trace: fix crash when listing event types
* BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
* BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
* BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fresh server connection
* CLEANUP: log: lf_text_len() returns a pointer not an integer
* BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
* BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
* BUG/MINOR: log: fix lf_text_len() truncate inconsistency
* BUG/MINOR: listener: always assign distinct IDs to shards
* BUG/MINOR: cli: Report an error to user if command or payload is too big
* [RELEASE] Released version 2.8.9
* BUILD: proxy: Replace free_logformat_list() to manually release log-format
* [RELEASE] Released version 2.8.8
* BUG/MINOR: proxy: fix logformat expression leak in use_backend rules
* BUG/MINOR: backend: properly handle redispatch 0
* BUG/MINOR: server: ignore 'enabled' for dynamic servers
* BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n
* MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
* MINOR: server: allow cookie for dynamic servers
* BUG/MINOR: server: fix persistence cookie for dynamic servers
* BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities
* BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message
* BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
* OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}
* BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
* BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet
* BUG/MEDIUM: ssl: Fix crash in ocsp-update log function
* BUG/MINOR: session: ensure conn owner is set after insert into session
* BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
* CI: temporarily adjust kernel entropy to work with ASAN/clang
* BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
* BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
* BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
* BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
* BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
* MINOR: hlua: use accessors for stream hlua ctx
* DEBUG: lua: precisely identify if stream is stuck inside lua or not
* BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()
* BUG/MINOR: hlua: missing lock in hlua_filter_new()
* BUG/MINOR: hlua: segfault when loading the same filter from different contexts
* BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
* DOC: configuration: clarify ciphersuites usage (V2)
* BUILD: solaris: fix compilation errors
* BUG/MINOR: cfgparse: report proper location for log-format-sd errors
* BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description
* CI: skip scheduled builds on forks
* BUG/MINOR: sink: fix a race condition in the TCP log forwarding code
* BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
* BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
* BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
* BUG/MINOR: hlua: improper lock usage in hlua_filter_new()
* BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()
* BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
* BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
* BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
* BUG/MINOR: tools: seed the statistical PRNG slightly better
* MINOR: hlua: Be able to disable logging from lua
* BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
* BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
* DOC: configuration: clarify ciphersuites usage
* LICENSE: http_ext: fix GPL license version
* LICENSE: event_hdl: fix GPL license version
* BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
* BUG/MINOR: ist: only store NUL byte on succeeded alloc
* BUG/MINOR: quic: fix output of show quic
* BUG/MAJOR: server: fix stream crash due to deleted server
* BUG/MINOR: stats: drop srv refcount on early release
* BUG/MINOR: ist: allocate nul byte on istdup
* MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
* DOC: quic: fix recommendation for bind on multiple address
* BUG/MEDIUM: quic: fix transient send error with listener socket
* BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
* BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
* BUG/MEDIUM: applet: Immediately free appctx on early error
* DOC: quic: Missing tuning setting in "Global parameters"
* BUG/MINOR: qpack: reject invalid dynamic table capacity
* BUG/MINOR: qpack: reject invalid increment count decoding
* BUG/MINOR: quic: reject HANDSHAKE_DONE as server
* BUG/MINOR: quic: reject unknown frame type
* BUG/MAJOR: promex: fix crash on deleted server
* MINOR: connection: add sample fetches to report per-connection glitches
* MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
* MINOR: connection: add a new mux_ctl to report number of connection glitches
* MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
* MINOR: mux-h2: always use h2c_report_glitch()
* MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
* MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
* BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control
* MINOR: mux-h2: add a counter of "glitches" on a connection
* [RELEASE] Released version 2.8.7
* BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
* [RELEASE] Released version 2.8.6
* DEV: makefile: fix POSIX compatibility for "range" target
* DEV: makefile: add a new "range" target to iteratively build all commits
* CI: Update to actions/cache@v4
* DOC: internal: update missing data types in peers-v2.0.txt
* DOC: install: recommend pcre2
* DOC: httpclient: add dedicated httpclient section
* DOC: configuration: clarify http-request wait-for-body
* BUILD: address a few remaining calloc(size, n) cases
* BUG/MINOR: ext-check: cannot use without preserve-env
* MINOR: ext-check: add an option to preserve environment variables
* BUG/MINOR: diag: run the final diags before quitting when using -c
* BUG/MINOR: diag: always show the version before dumping a diag warning
* MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
* MINOR: quic: Add a counter for reordered packets
* MINOR: quic: Dynamic packet reordering threshold
* MINOR: quic: Update K CUBIC calculation (RFC 9438)
* BUG/MEDIUM: quic: Wrong K CUBIC calculation.
* MINOR: quic: Stop using 1024th of a second.
* BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
* CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
* BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
* BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
* BUG/MEDIUM: qpack: allow 6xx..9xx status codes
* BUG/MEDIUM: h3: do not crash on invalid response status code
* MINOR: h3: add traces for stream sending function
* BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
* MINOR: quic: extract qc_stream_buf free in a dedicated function
* MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
* CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
* BUG/MEDIUM: mux-quic: report early error on stream
* BUG/MINOR: h3: fix checking on NULL Tx buffer
* BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
* REGTESTS: ssl: Add OCSP related tests
* REGTESTS: ssl: Fix empty line in cli command input
* BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
* BUG/MINOR: ssl: Destroy ckch instances before the store during deinit
* BUG/MEDIUM: ocsp: Separate refcount per instance and per store
* MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
* BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
* BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
* BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
* BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
* BUG/MEDIUM: h1: always reject the NUL character in header values
* BUG/MINOR: h1-htx: properly initialize the err_pos field
* BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
* BUG/MINOR: h1: Don't support LF only at the end of chunks
* BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
* BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
* BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
* BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
* BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
* BUG/MINOR: vars/cli: fix missing LF after "get var" output
* BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
* REGTESTS: add a test to ensure map-ordering is preserved
* MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
* BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
* MINOR: mux-h2/traces: clarify the "rejected H2 request" event
* MINOR: mux-h2/traces: explicitly show the error/refused stream states
* MINOR: mux-h2/traces: also suggest invalid header upon parsing error
* MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
* MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
* MINOR: debug: make sure calls to ha_crash_now() are never merged
* MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
* BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
* BUG/MINOR: mux-h2: also count streams for refused ones
* BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control
* DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay
* MINOR: mux-h2: support limiting the total number of H2 streams per connection
* BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
* BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
* BUG/MEDIUM: h3: fix incorrect snd_buf return value
* CLEANUP: quic: Remaining useless code into server part
* BUG/MINOR: h3: close connection on sending alloc errors
* BUG/MINOR: h3: properly handle alloc failure on finalize
* BUG/MINOR: h3: close connection on header list too big
* MINOR: h3: check connection error during sending
* BUG/MINOR: quic: Missing call to TLS message callbacks
* BUG/MINOR: quic: Wrong keylog callback setting.
* BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
* BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
* MINOR: stats: store the parent proxy in stats ctx (http)
* DOC: config: Update documentation about local haproxy response
* BUG/MINOR: resolvers: default resolvers fails when network not configured
* BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
* BUG/MEDIUM: quic: QUIC CID removed from tree without locking
* BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
* BUG/MINOR: mworker/cli: fix set severity-output support
* DOC: configuration: typo req.ssl_hello_type
* [RELEASE] Released version 2.8.5
* BUG/MEDIUM: proxy: always initialize the default settings after init
* BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certificate (LUA)
* BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certificate
* MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
* BUG/MINOR: ssl: Double free of OCSP Certificate ID
* BUG/MINOR: quic: Packet number spaces too lately initialized
* BUG/MINOR: quic: Missing QUIC connection path member initialization
* BUG/MINOR: quic: Possible leak of TX packets under heavy load
* BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
* BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed
* BUG/MEDIUM: peers: fix partial message decoding
* DOC: Clarify the differences between field() and word()
* BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
* REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
* DOC: config: fix monitor-fail typo
* DOC: config: add matrix entry for "max-session-srv-conns"
* DOC: config: specify supported sections for "max-session-srv-conns"
* BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
* BUG/MINOR: config: Stopped parsing upon unmatched environment variables
* BUG/MINOR: quic_tp: fix preferred_address decoding
* DOC: config: fix missing characters in set-spoe-group action
* BUG/MINOR: h3: always reject PUSH_PROMISE
* BUG/MINOR: h3: fix TRAILERS encoding
* BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
* BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()
* BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
* DOC: lua: fix Proxy.get_mode() output
* DOC: lua: add sticktable class reference from Proxy.stktable
* REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
* DOC: config: fix timeout check inheritance restrictions
* DOC: 51d: updated 51Degrees repo URL for v3.2.10
* BUG/MINOR: server: do not leak default-server in defaults sections
* BUG/MINOR: quic: Possible RX packet memory leak under heavy load
* BUG/MEDIUM: quic: Possible crash for connections to be killed
* BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
* BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly
* REGTESTS: http: add a test to validate chunked responses delivery
* BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
* MINOR: stktable: add stktable_deinit function
* BUG/MINOR: stream/cli: report correct stream age in "show sess"
* BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
* BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
* BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
* BUG/MAJOR: quic: complete thread migration before tcp-rules
* [RELEASE] Released version 2.8.4
* BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends
* BUG/MINOR: stconn/applet: Report send activity only if there was output data
* BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer
* BUG/MINOR: stconn: Fix streamer detection for HTX streams
* MINOR: channel: Add functions to get info on buffers and deal with HTX streams
* MINOR: htx: Use a macro for overhead induced by HTX
* BUG/MEDIUM: stconn: Update fsb date on partial sends
* BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
* BUG/MEDIUM: mworker: set the master variable earlier
* BUG/MEDIUM: applet: Report a send activity every time data were sent
* BUG/MEDIUM: stconn: Report a send activity every time data were sent
* REGTESTS: http: Improve script testing abortonclose option
* BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
* MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and subscribe for reads
* MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
* BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
* BUG/MEDIUM: connection: report connection errors even when no mux is installed
* DOC: quic: Wrong syntax for "quic-cc-algo" keyword.
* BUG/MINOR: sink: don't learn srv port from srv addr
* BUG/MEDIUM: applet: Remove appctx from buffer wait list on release
* DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
* BUG/MINOR: quic: fix retry token check inconsistency
* DOC: management: -q is quiet all the time
* BUG/MEDIUM: stconn: Don't update stream expiration date if already expired
* BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures
* BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
* BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree
* BUG/MINOR: quic: idle timer task requeued in the past
* BUG/MEDIUM: pool: fix releasable pool calculation when overloaded
* BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period
* BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
* BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
* BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure
* BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure
* CLEANUP: htx: Properly indent htx_reserve_max_data() function
* BUG/MINOR: stconn: Sanitize report for read activity
* BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()
* BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot expire
* BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
* BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
* BUG/MINOR: stktable: missing free in parse_stick_table()
* BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
* BUG/MEDIUM: ssl: segfault when cipher is NULL
* BUG/MINOR: mux-quic: fix early close if unset client timeout
* BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
* MEDIUM: quic: count quic_conn for global sslconns
* MEDIUM: quic: count quic_conn instance for maxconn
* MINOR: frontend: implement a dedicated actconn increment function
* BUG/MINOR: ssl: use a thread-safe sslconns increment
* BUG/MINOR: quic: do not consider idle timeout on CLOSING state
* BUG/MEDIUM: server: "proto" not working for dynamic servers
* MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
* DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
* MINOR: lua: Add flags to configure logging behaviour
* BUG/MINOR: ssl: load correctly @system-ca when ca-base is define
* DOC: internal: filters: fix reference to entities.pdf
* BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
* BUG/MINOR: mux-h2: commit the current stream ID even on reject
* BUG/MEDIUM: peers: Fix synchro for huge number of tables
* BUG/MEDIUM: peers: Be sure to always refresh reconnect timer in sync task
* BUG/MINOR: trace: fix trace parser error reporting
* BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again
* BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
* BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
* BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request
* BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash
* BUG/MINOR: mux-quic: fix free on qcs-new fail alloc
* BUG/MINOR: h3: strengthen host/authority header parsing
* BUG/MINOR: mux-quic: support initial 0 max-stream-data
* BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream
* BUG/MINOR: quic: reject packet with no frame
* BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos
* BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
* BUG/MINOR: hq-interop: simplify parser requirement
* BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
* BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
* BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
* BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
* MINOR: hlua: Test the hlua struct first when the lua socket is connecting
* MINOR: hlua: Save the lua socket's server in its context
* MINOR: hlua: Save the lua socket's timeout in its context
* MINOR: hlua: Don't perform operations on a not connected socket
* MINOR: hlua: Set context's appctx when the lua socket is created
* BUG/MEDIUM: http-ana: Try to handle response before handling server abort
* BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed
* BUG/MEDIUM: actions: always apply a longest match on prefix lookup
* BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
* BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
* MINOR: pattern: fix pat_{parse,match}_ip() function comments
* BUG/MINOR: server: add missing free for server->rdr_pfx
* BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
* BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
* BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
* BUG/MINOR: promex: fix backend_agg_check_status
* BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
* BUG/MINOR: hlua/init: coroutine may not resume itself
* BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
* CI: musl: drop shopt in workflow invocation
* CI: musl: highlight section if there are coredumps
* Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
* BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
* MINOR: hlua: add hlua_stream_ctx_prepare helper function
* BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
* BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
* BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
* BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help
* MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
* MINOR: quic+openssl_compat: Do not start without "limited-quic"
* MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
* BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
* DOC: quic: Add "limited-quic" new tuning setting
* MINOR: quic: Add "limited-quic" new tuning setting
* MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
* MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
* MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
* MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
* MINOR: quic: Export some KDF functions (QUIC-TLS)
* MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
* MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
* MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
* MINOR: quic: Do not enable 0-RTT with USE_QUIC_OPENSSL_COMPAT
* MINOR: quic: Include QUIC openssl wrapper header from TLS stacks compatibility header
* MINOR: quic: QUIC openssl wrapper implementation
* BUG/MINOR: quic: Wrong cluster secret initialization
* BUG/MINOR: quic: Leak of frames to send.
* BUILD: bug: make BUG_ON() void to avoid a rare warning
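Several of the h1 entries in the list above (always reject the NUL character in header values; ignore the C-L value when T-E is also set; reject an empty Transfer-Encoding header or an empty coding name; don't accept a bare LF as the end of a chunk size; fix detection of upper bytes in the URI) each close a gap in which two HTTP/1.1 parsers could frame the same bytes differently, which is the CWE-444 condition this CVE entry is filed under. The Python below is an added illustration written for this page, not HAProxy's parser and not code from the HAProxy project: a small strict HTTP/1.1 request framing checker that applies those rules to constructed messages and returns whatever bytes are left over after one message, since leftover bytes that a less strict back end would read as the start of a second request are exactly what a desync hands to an attacker. The function and class names are this example's own.

```python
import re

CRLF = b"\r\n"
# RFC 9110 tchar set, used for methods and header field names.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class FramingError(ValueError):
    """Raised when the message must be rejected rather than forwarded."""


def _split_head(raw: bytes):
    """Split raw bytes into (request line, header lines, body) at CRLFCRLF."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise FramingError("incomplete head")
    lines = raw[:end].split(CRLF)
    return lines[0], lines[1:], raw[end + 4:]


def _parse_request_line(line: bytes):
    parts = line.split(b" ")
    if len(parts) != 3:
        raise FramingError("malformed request line")
    method, target, version = parts
    if not TOKEN_RE.match(method):
        raise FramingError("invalid method token")
    # Upper (non-ASCII) bytes are never valid in a request-target.
    if any(b > 0x7F for b in target):
        raise FramingError("invalid byte in request-target")
    if version != b"HTTP/1.1":
        raise FramingError("unsupported version")
    return method, target


def _parse_headers(lines):
    headers = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN_RE.match(name):
            raise FramingError("malformed header line")
        value = value.strip(b" \t")
        # A NUL byte is not a legal field-value byte; parsers that tolerate it disagree on it.
        if b"\x00" in value:
            raise FramingError("NUL in header value")
        headers.append((name.lower(), value))
    return headers


def _body_length(headers):
    """Pick the body delimiter per RFC 9112 section 6.3: T-E wins over C-L."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        codings = [c.strip(b" \t") for v in te for c in v.split(b",")]
        if any(c == b"" for c in codings):
            raise FramingError("empty transfer-coding name")
        if codings[-1] != b"chunked":
            raise FramingError("final transfer-coding is not chunked")
        return "chunked", None          # Content-Length, if any, is ignored
    if cl:
        if len(set(cl)) > 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
            raise FramingError("invalid or conflicting Content-Length")
        return "length", int(cl[0])
    return "length", 0


def _dechunk(body: bytes):
    """Decode chunked data; return (decoded body, bytes after the message)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        # Only CRLF terminates a chunk-size line; a bare LF is rejected.
        if eol == pos or body[eol - 1] != 0x0D:
            raise FramingError("chunk-size line not terminated by CRLF")
        size_field = body[pos:eol - 1].split(b";", 1)[0]   # drop chunk-ext
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            raise FramingError("invalid chunk size")
        size, pos = int(size_field, 16), eol + 1
        if size == 0:                   # last-chunk; trailers not handled here
            if body[pos:pos + 2] != CRLF:
                raise FramingError("missing final CRLF")
            return bytes(out), body[pos + 2:]
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated or unterminated chunk data")
        out += chunk
        pos += size + 2


def parse_request(raw: bytes) -> dict:
    """Parse one strict HTTP/1.1 request or raise FramingError."""
    request_line, header_lines, rest = _split_head(raw)
    method, target = _parse_request_line(request_line)
    headers = _parse_headers(header_lines)
    mode, length = _body_length(headers)
    if mode == "chunked":
        body, remainder = _dechunk(rest)
    else:
        if len(rest) < length:
            raise FramingError("truncated body")
        body, remainder = rest[:length], rest[length:]
    return {"method": method, "target": target, "headers": headers,
            "body": body, "remainder": remainder}


def rejects(raw: bytes) -> bool:
    """True when the strict parser refuses the constructed message."""
    try:
        parse_request(raw)
    except FramingError:
        return True
    return False
```

Feed it a constructed CL+TE request such as `POST / ... Content-Length: 4 ... Transfer-Encoding: chunked` followed by `0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n`: the chunked framing ends the message at the empty chunk and the `GET /admin` bytes come back in `remainder`, which is the part a back end honouring Content-Length would treat as a second, attacker-controlled request. A proxy that wants to avoid the disagreement entirely can reject such messages outright, which RFC 9112 permits; this example follows the changelog's behaviour of ignoring C-L instead.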
Patchnames
SUSE-SLE-Micro-6.1-27
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for haproxy", "title": "Title of the patch" }, { "category": "description", "text": "This update for haproxy fixes the following issues:\n\nUpdate to version 2.8.11+git0.01c1056a4:\n\n * VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server (bsc#1233973)\n * BUG/MINOR: cfgparse-listen: fix option httpslog override warning message\n * BUG/MEDIUM: promex: Wait to have the request before sending the response\n * BUG/MEDIUM: cache/stats: Wait to have the request before sending the response\n * BUG/MEDIUM: queue: implement a flag to check for the dequeuing\n * BUG/MINOR: clock: validate that now_offset still applies to the current date\n * BUG/MINOR: clock: make time jump corrections a bit more accurate\n * BUG/MINOR: polling: fix time reporting when using busy polling\n * BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state\n * BUG/MEDIUM: pattern: prevent UAF on reused pattern expr\n * BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()\n * BUG/MEDIUM: clock: detect and cover jumps during execution\n * REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load\n * DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line\n * BUG/MINOR: pattern: do not leave a leading comma on \"set\" error messages\n * BUG/MINOR: pattern: pat_ref_set: return 0 if err was found\n * BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity\n * BUG/MINOR: stconn: Request to send something to be woken up when the pipe is 
full\n * BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path\n * BUG/MEDIUM: clock: also update the date offset on time jumps\n * DOC: config: correct the table for option tcplog\n * BUG/MINOR: h3: properly reject too long header responses\n * BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails\n * BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID\n * REGTESTS: mcli: test the pipelined commands on master CLI\n * BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI\n * MINOR: channel: implement ci_insert() function\n * BUG/MINOR: proto_tcp: keep error msg if listen() fails\n * BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails\n * BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE\n * BUG/MINOR: trace/quic: make \"qconn\" selectable as a lockon criterion\n * BUG/MINOR: trace: automatically start in waiting mode with \"start \u003cevt\u003e\"\n * BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()\n * BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc\n * BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn\n * BUG/MINOR: fcgi-app: handle a possible strdup() failure\n * BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream\n * BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams\n * BUG/MEDIUM: http-ana: Report error on write error waiting for the response\n * BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content\n * BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set\n * BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered\n * BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli\n * BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready\n * BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn\n * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD 
(take #2)\n * BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()\n * MINOR: queue: add a function to check for TOCTOU after queueing\n * BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature\n * BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)\n * BUG/MINOR: cli: Atomically inc the global request counter between CLI commands\n * BUG/MINOR: server: Don\u0027t warn fallback IP is used during init-addr resolution\n * BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter\n * DOC: config: improve the http-keep-alive section\n * DOC: configuration: issuers-chain-path not compatible with OCSP\n * BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path\n * BUG/MEDIUM: debug/cli: fix \"show threads\" crashing with low thread counts\n * BUG/MINOR: session: Eval L4/L5 rules defined in the default section\n * BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past\n * BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread\n * BUG/MEDIUM: h1: Reject empty Transfer-encoding header\n * BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value\n * BUG/MINOR: h1: Fail to parse empty transfer coding names\n * BUG/MINOR: jwt: fix variable initialisation\n * DOC: configuration: update maxconn description\n * BUG/MINOR: jwt: don\u0027t try to load files with HMAC algorithm\n * MEDIUM: ssl: initialize the SSL stack explicitely\n * DOC: configuration: more details about the master-worker mode\n * BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking\n * BUG/MINOR: quic: fix race-condition on trace for CID retrieval\n * BUG/MINOR: quic: fix race condition in qc_check_dcid()\n * BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()\n * BUG/MEDIUM: h3: ensure the \":scheme\" pseudo header is totally valid\n * BUG/MEDIUM: h3: ensure the \":method\" pseudo header is totally valid\n * MINOR: activity: make the 
memory profiling hash size configurable at build time\n * BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()\n * BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure\n * BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure\n * BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission\n * DOC: api/event_hdl: small updates, fix an example and add some precisions\n * SCRIPTS: git-show-backports: do not truncate git-show output\n * DOC: configuration: fix alphabetical order of bind options\n * DOC: management: rename show stats domain cli \"dns\" to \"resolvers\"\n * DOC/MINOR: management: add missed -dR and -dv options\n * BUG/MINOR: proxy: fix header_unique_id leak on deinit()\n * BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()\n * BUG/MINOR: proxy: fix dyncookie_key leak on deinit()\n * BUG/MINOR: proxy: fix check_{command,path} leak on deinit()\n * BUG/MINOR: proxy: fix log_tag leak on deinit()\n * BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()\n * BUG/MINOR: quic: fix computed length of emitted STREAM frames\n * [RELEASE] Released version 2.8.10\n * BUG/MEDIUM: quic: don\u0027t blindly rely on unaligned accesses\n * BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe\n * BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1\n * BUG/MAJOR: server: do not delete srv referenced by session\n * MINOR: session: rename private conns elements\n * BUG/MEDIUM: quic: fix connection freeze on post handshake\n * BUG/MEDIUM: server: fix dynamic servers initial settings\n * BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration\n * CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()\n * BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path\n * BUG/MINOR: hlua: prevent LJMP in hlua_traceback()\n * BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage\n * BUG/MINOR: hlua: don\u0027t use lua_pushfstring() when we don\u0027t 
expect LJMP\n * CLEANUP: hlua: use hlua_pusherror() where relevant\n * BUG/MINOR: quic: prevent crash on qc_kill_conn()\n * BUG/MINOR: hlua: use CertCache.set() from various hlua contexts\n * BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory\n * BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser\n * BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning\n * BUG/MINOR: activity: fix Delta_calls and Delta_bytes count\n * BUG/MINOR: ssl/ocsp: init callback func ptr as NULL\n * CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp\n * BUILD: fd: errno is also needed without poll()\n * CI: scripts: fix build of vtest regarding option -C\n * REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs\n * DOC: config: fix incorrect section reference about custom log format\n * DOC: quic: specify that connection migration is not supported\n * BUG/MINOR: server: Don\u0027t reset resolver options on a new default-server line\n * BUG/MINOR: http-htx: Support default path during scheme based normalization\n * BUG/MINOR: quic: adjust restriction for stateless reset emission\n * MEDIUM: config: prevent communication with privileged ports\n * BUILD: quic: fix unused variable warning when threads are disabled\n * BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream\n * BUG/MEDIUM: quic_tls: prevent LibreSSL \u003c 4.0 from negotiating CHACHA20_POLY1305\n * BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)\n * BUG/MINOR: connection: parse PROXY TLV for LOCAL mode\n * DOC: configuration: update the crt-list documentation\n * CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf\n * BUG/MINOR: stats: Don\u0027t state the 303 redirect response is chunked\n * BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header\n * BUG/MEDIUM: fd: prevent memory waste in fdtab array\n * BUILD: stick-tables: better mark the stktable_data as 32-bit aligned\n * 
BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme\n * BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found\n * BUG/MEDIUM: stick-tables: properly mark stktable_data as packed\n * BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned\n * BUG/MINOR: qpack: fix error code reported on QPACK decoding failure\n * BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3\n * BUG/MINOR: log: smp_rgs array issues with inherited global log directives\n * BUG/MINOR: log: keep the ref in dup_logger()\n * MINOR: log: add dup_logsrv() helper function\n * DOC: lua: fix filters.txt file location\n * BUG/MINOR: haproxy: only tid 0 must not sleep if got signal\n * BUILD: clock: improve check for pthread_getcpuclockid()\n * BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null\n * BUG/MINOR: h1: fix detection of upper bytes in the URI\n * BUG/MINOR: backend: use cum_sess counters instead of cum_conn\n * BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets\n * BUG/MINOR: sock: handle a weird condition with connect()\n * BUG/MINOR: stconn: Fix sc_mux_strm() return value\n * BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding\n * BUG/MINOR: server: fix slowstart behavior\n * BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached\n * BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame\n * BUG/MEDIUM: applet: Fix applet API to put input data in a buffer\n * BUG/MEDIUM: evports: do not clear returned events list on signal\n * BUG/MEDIUM: stconn: Don\u0027t forward channel data if input data must be filtered\n * BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses\n * MINOR: net_helper: Add support for floats/doubles.\n * CI: revert kernel addr randomization introduced in 3a0fc864\n * BUG/MEDIUM: peers/trace: fix crash when listing event types\n * BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as 
documented\n * BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values\n * BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection\n * CLEANUP: log: lf_text_len() returns a pointer not an integer\n * BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()\n * BUG/MINOR: tools/log: invalid encode_{chunk,string} usage\n * BUG/MINOR: log: fix lf_text_len() truncate inconsistency\n * BUG/MINOR: listener: always assign distinct IDs to shards\n * BUG/MINOR: cli: Report an error to user if command or payload is too big\n * [RELEASE] Released version 2.8.9\n * BUILD: proxy: Replace free_logformat_list() to manually release log-format\n * [RELEASE] Released version 2.8.8\n * BUG/MINOR: proxy: fix logformat expression leak in use_backend rules\n * BUG/MINOR: backend: properly handle redispatch 0\n * BUG/MINOR: server: ignore \u0027enabled\u0027 for dynamic servers\n * BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \\n\n * MINOR: cli: Remove useless loop on commands to find unescaped semi-colon\n * MINOR: server: allow cookie for dynamic servers\n * BUG/MINOR: server: fix persistence cookie for dynamic servers\n * BUG/MINOR: ssl: Detect more \u0027ocsp-update\u0027 incompatibilities\n * BUG/MINOR: ssl: Wrong ocsp-update \"incompatibility\" error message\n * BUG/MINOR: server: \u0027source\u0027 interface ignored from \u0027default-server\u0027 directive\n * OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}\n * BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block\n * BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet\n * BUG/MEDIUM: ssl: Fix crash in ocsp-update log function\n * BUG/MINOR: session: ensure conn owner is set after insert into session\n * BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small\n * CI: temporarily adjust kernel entropy to work with ASAN/clang\n * BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop\n * 
BUG/MEDIUM: spoe: Don\u0027t rely on stream\u0027s expiration to detect processing timeout\n * BUG/MINOR: listener: Don\u0027t schedule frontend without task in listener_release()\n * BUG/MINOR: listener: Wake proxy\u0027s mngmt task up if necessary on session release\n * BUG/MEDIUM: hlua: streams don\u0027t support mixing lua-load with lua-load-per-thread (2nd try)\n * MINOR: hlua: use accessors for stream hlua ctx\n * DEBUG: lua: precisely identify if stream is stuck inside lua or not\n * BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()\n * BUG/MINOR: hlua: missing lock in hlua_filter_new()\n * BUG/MINOR: hlua: segfault when loading the same filter from different contexts\n * BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()\n * DOC: configuration: clarify ciphersuites usage (V2)\n * BUILD: solaris: fix compilation errors\n * BUG/MINOR: cfgparse: report proper location for log-format-sd errors\n * BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description\n * CI: skip scheduled builds on forks\n * BUG/MINOR: sink: fix a race condition in the TCP log forwarding code\n * BUG/MINOR: hlua: don\u0027t call ha_alert() in hlua_event_subscribe()\n * BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()\n * BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()\n * BUG/MINOR: hlua: improper lock usage in hlua_filter_new()\n * BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()\n * BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load\n * BUG/MINOR: hlua: don\u0027t use lua_tostring() from unprotected contexts\n * BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack\n * BUG/MINOR: tools: seed the statistical PRNG slightly better\n * MINOR: hlua: Be able to disable logging from lua\n * BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel\n * BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener\n * DOC: configuration: clarify ciphersuites usage\n * 
LICENSE: http_ext: fix GPL license version\n * LICENSE: event_hdl: fix GPL license version\n * BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist\n * BUG/MINOR: ist: only store NUL byte on succeeded alloc\n * BUG/MINOR: quic: fix output of show quic\n * BUG/MAJOR: server: fix stream crash due to deleted server\n * BUG/MINOR: stats: drop srv refcount on early release\n * BUG/MINOR: ist: allocate nul byte on istdup\n * MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support\n * DOC: quic: fix recommandation for bind on multiple address\n * BUG/MEDIUM: quic: fix transient send error with listener socket\n * BUG/MEDIUM: hlua: Don\u0027t loop if a lua socket does not consume received data\n * BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets\n * BUG/MEDIUM: applet: Immediately free appctx on early error\n * DOC: quic: Missing tuning setting in \"Global parameters\"\n * BUG/MINOR: qpack: reject invalid dynamic table capacity\n * BUG/MINOR: qpack: reject invalid increment count decoding\n * BUG/MINOR: quic: reject HANDSHAKE_DONE as server\n * BUG/MINOR: quic: reject unknown frame type\n * BUG/MAJOR: promex: fix crash on deleted server\n * MINOR: connection: add sample fetches to report per-connection glitches\n * MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES\n * MINOR: connection: add a new mux_ctl to report number of connection glitches\n * MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection\n * MINOR: mux-h2: always use h2c_report_glitch()\n * MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch\n * MINOR: mux-h2: count excess of CONTINUATION frames as a glitch\n * BUG/MINOR: mux-h2: count rejected DATA frames against the connection\u0027s flow control\n * MINOR: mux-h2: add a counter of \"glitches\" on a connection\n * [RELEASE] Released version 2.8.7\n * BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI\n * [RELEASE] Released version 2.8.6\n * DEV: 
makefile: fix POSIX compatibility for \"range\" target\n * DEV: makefile: add a new \"range\" target to iteratively build all commits\n * CI: Update to actions/cache@v4\n * DOC: internal: update missing data types in peers-v2.0.txt\n * DOC: install: recommend pcre2\n * DOC: httpclient: add dedicated httpclient section\n * DOC: configuration: clarify http-request wait-for-body\n * BUILD: address a few remaining calloc(size, n) cases\n * BUG/MINOR: ext-check: cannot use without preserve-env\n * MINOR: ext-check: add an option to preserve environment variables\n * BUG/MINOR: diag: run the final diags before quitting when using -c\n * BUG/MINOR: diag: always show the version before dumping a diag warning\n * MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()\n * MINOR: quic: Add a counter for reordered packets\n * MINOR: quic: Dynamic packet reordering threshold\n * MINOR: quic: Update K CUBIC calculation (RFC 9438)\n * BUG/MEDIUM: quic: Wrong K CUBIC calculation.\n * MINOR: quic: Stop using 1024th of a second.\n * BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation\n * CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)\n * BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.\n * BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON\n * BUG/MEDIUM: qpack: allow 6xx..9xx status codes\n * BUG/MEDIUM: h3: do not crash on invalid response status code\n * MINOR: h3: add traces for stream sending function\n * BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf\n * MINOR: quic: extract qc_stream_buf free in a dedicated function\n * MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)\n * CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.\n * BUG/MEDIUM: mux-quic: report early error on stream\n * BUG/MINOR: h3: fix checking on NULL Tx buffer\n * BUG/MEDIUM: ssl: Fix crash when calling \"update ssl ocsp-response\" when an update is ongoing\n * 
REGTESTS: ssl: Add OCSP related tests\n * REGTESTS: ssl: Fix empty line in cli command input\n * BUG/MINOR: ssl: Reenable ocsp auto-update after an \"add ssl crt-list\"\n * BUG/MINOR: ssl: Destroy ckch instances before the store during deinit\n * BUG/MEDIUM: ocsp: Separate refcount per instance and per store\n * MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid\n * BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line\n * BUG/MINOR: ssl: Duplicate ocsp update mode when dup\u0027ing ckch\n * BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call\n * BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions\n * BUG/MEDIUM: h1: always reject the NUL character in header values\n * BUG/MINOR: h1-htx: properly initialize the err_pos field\n * BUG/MEDIUM: h1: Don\u0027t support LF only to mark the end of a chunk size\n * BUG/MINOR: h1: Don\u0027t support LF only at the end of chunks\n * BUG/MEDIUM: stconn: Don\u0027t check pending shutdown to wake an applet up\n * BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending\n * BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()\n * BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs\n * BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs\n * BUG/MINOR: vars/cli: fix missing LF after \"get var\" output\n * BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat\u0027s CLI\n * REGTESTS: add a test to ensure map-ordering is preserved\n * MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc\n * BUG/MEDIUM: mux-h2: refine connection vs stream error on headers\n * MINOR: mux-h2/traces: clarify the \"rejected H2 request\" event\n * MINOR: mux-h2/traces: explicitly show the error/refused stream states\n * MINOR: mux-h2/traces: also suggest invalid header upon parsing error\n * MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT\n * MINOR: debug: make ABORT_NOW() 
store the caller\u0027s line number when using abort\n * MINOR: debug: make sure calls to ha_crash_now() are never merged\n * MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding\n * BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)\n * BUG/MINOR: mux-h2: also count streams for refused ones\n * BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control\n * DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay\n * MINOR: mux-h2: support limiting the total number of H2 streams per connection\n * BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up\n * BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable\n * BUG/MEDIUM: h3: fix incorrect snd_buf return value\n * CLEANUP: quic: Remaining useless code into server part\n * BUG/MINOR: h3: close connection on sending alloc errors\n * BUG/MINOR: h3: properly handle alloc failure on finalize\n * BUG/MINOR: h3: close connection on header list too big\n * MINOR: h3: check connection error during sending\n * BUG/MINOR: quic: Missing call to TLS message callbacks\n * BUG/MINOR: quic: Wrong keylog callback setting.\n * BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission\n * BUG/MEDIUM: stats: unhandled switching rules with TCP frontend\n * MINOR: stats: store the parent proxy in stats ctx (http)\n * DOC: config: Update documentation about local haproxy response\n * BUG/MINOR: resolvers: default resolvers fails when network not configured\n * BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty\n * BUG/MEDIUM: quic: QUIC CID removed from tree without locking\n * BUG/MEDIUM: quic: Possible buffer overflow when building TLS records\n * BUG/MINOR: mworker/cli: fix set severity-output support\n * DOC: configuration: typo req.ssl_hello_type\n * [RELEASE] Released version 2.8.5\n * BUG/MEDIUM: proxy: always initialize the default settings after init\n * BUG/MINOR: lua: Wrong 
OCSP CID after modifying an SSL certficate (LUA)\n * BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate\n * MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback\n * BUG/MINOR: ssl: Double free of OCSP Certificate ID\n * BUG/MINOR: quic: Packet number spaces too lately initialized\n * BUG/MINOR: quic: Missing QUIC connection path member initialization\n * BUG/MINOR: quic: Possible leak of TX packets under heavy load\n * BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load\n * BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed\n * BUG/MEDIUM: peers: fix partial message decoding\n * DOC: Clarify the differences between field() and word()\n * BUG/MINOR: sample: Make the `word` converter compatible with `-m found`\n * REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter\n * DOC: config: fix monitor-fail typo\n * DOC: config: add matrix entry for \"max-session-srv-conns\"\n * DOC: config: specify supported sections for \"max-session-srv-conns\"\n * BUG/MINOR: cfgparse-listen: fix warning being reported as an alert\n * BUG/MINOR: config: Stopped parsing upon unmatched environment variables\n * BUG/MINOR: quic_tp: fix preferred_address decoding\n * DOC: config: fix missing characters in set-spoe-group action\n * BUG/MINOR: h3: always reject PUSH_PROMISE\n * BUG/MINOR: h3: fix TRAILERS encoding\n * BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1\n * BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()\n * BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding\n * DOC: lua: fix Proxy.get_mode() output\n * DOC: lua: add sticktable class reference from Proxy.stktable\n * REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY\n * DOC: config: fix timeout check inheritance restrictions\n * DOC: 51d: updated 51Degrees repo URL for v3.2.10\n * BUG/MINOR: server: do not leak default-server in defaults 
sections\n * BUG/MINOR: quic: Possible RX packet memory leak under heavy load\n * BUG/MEDIUM: quic: Possible crash for connections to be killed\n * BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them\n * BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly\n * REGTESTS: http: add a test to validate chunked responses delivery\n * BUG/MINOR: proxy/stktable: missing frees on proxy cleanup\n * MINOR: stktable: add stktable_deinit function\n * BUG/MINOR: stream/cli: report correct stream age in \"show sess\"\n * BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()\n * BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()\n * BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()\n * BUG/MAJOR: quic: complete thread migration before tcp-rules\n * [RELEASE] Released version 2.8.4\n * BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends\n * BUG/MINOR: stconn/applet: Report send activity only if there was output data\n * BUG/MINOR: stconn: Use HTX-aware channel\u0027s functions to get info on buffer\n * BUG/MINOR: stconn: Fix streamer detection for HTX streams\n * MINOR: channel: Add functions to get info on buffers and deal with HTX streams\n * MINOR: htx: Use a macro for overhead induced by HTX\n * BUG/MEDIUM: stconn: Update fsb date on partial sends\n * BUG/MEDIUM: stream: Don\u0027t call mux .ctl() callback if not implemented\n * BUG/MEDIUM: mworker: set the master variable earlier\n * BUG/MEDIUM: applet: Report a send activity everytime data were sent\n * BUG/MEDIUM: stconn: Report a send activity everytime data were sent\n * REGTESTS: http: Improve script testing abortonclose option\n * BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only\n * MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads\n * MINOR: connection: Add a CTL flag to notify mux it should wait for reads again\n * BUG/MINOR: stconn: Handle abortonclose if backend connection was already set 
up\n * BUG/MEDIUM: connection: report connection errors even when no mux is installed\n * DOC: quic: Wrong syntax for \"quic-cc-algo\" keyword.\n * BUG/MINOR: sink: don\u0027t learn srv port from srv addr\n * BUG/MEDIUM: applet: Remove appctx from buffer wait list on release\n * DOC: config: use the word \u0027backend\u0027 instead of \u0027proxy\u0027 in \u0027track\u0027 description\n * BUG/MINOR: quic: fix retry token check inconsistency\n * DOC: management: -q is quiet all the time\n * BUG/MEDIUM: stconn: Don\u0027t update stream expiration date if already expired\n * BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures\n * BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets\n * BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree\n * BUG/MINOR: quic: idle timer task requeued in the past\n * BUG/MEDIUM: pool: fix releasable pool calculation when overloaded\n * BUG/MEDIUM: freq-ctr: Don\u0027t report overshoot for long inactivity period\n * BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts\n * BUG/MINOR: stick-table/cli: Check for invalid ipv4 key\n * BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure\n * BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure\n * CLEANUP: htx: Properly indent htx_reserve_max_data() function\n * BUG/MINOR: stconn: Sanitize report for read activity\n * BUG/MEDIUM: Don\u0027t apply a max value on room_needed in sc_need_room()\n * BUG/MEDIUM: stconn: Don\u0027t report rcv/snd expiration date if SC cannot epxire\n * BUG/MEDIUM: pattern: don\u0027t trim pools under lock in pat_ref_purge_range()\n * BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure\n * BUG/MINOR: stktable: missing free in parse_stick_table()\n * BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure\n * BUG/MEDIUM: ssl: segfault when cipher is NULL\n * BUG/MINOR: mux-quic: fix early close if unset client timeout\n * 
BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA\n * MEDIUM: quic: count quic_conn for global sslconns\n * MEDIUM: quic: count quic_conn instance for maxconn\n * MINOR: frontend: implement a dedicated actconn increment function\n * BUG/MINOR: ssl: use a thread-safe sslconns increment\n * BUG/MINOR: quic: do not consider idle timeout on CLOSING state\n * BUG/MEDIUM: server: \"proto\" not working for dynamic servers\n * MINOR: connection: add conn_pr_mode_to_proto_mode() helper func\n * DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder\n * MINOR: lua: Add flags to configure logging behaviour\n * BUG/MINOR: ssl: load correctly @system-ca when ca-base is define\n * DOC: internal: filters: fix reference to entities.pdf\n * BUG/MINOR: mux-h2: update tracked counters with req cnt/req err\n * BUG/MINOR: mux-h2: commit the current stream ID even on reject\n * BUG/MEDIUM: peers: Fix synchro for huge number of tables\n * BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task\n * BUG/MINOR: trace: fix trace parser error reporting\n * BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again\n * BUG/MEDIUM: mux-h2: Don\u0027t report an error on shutr if a shutw is pending\n * BUG/MINOR: mux-h2: make up other blocked streams upon removal from list\n * BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request\n * BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash\n * BUG/MINOR: mux-quic: fix free on qcs-new fail alloc\n * BUG/MINOR: h3: strengthen host/authority header parsing\n * BUG/MINOR: mux-quic: support initial 0 max-stream-data\n * BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream\n * BUG/MINOR: quic: reject packet with no frame\n * BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos\n * BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()\n * BUG/MINOR: hq-interop: simplify parser requirement\n * BUG/MEDIUM: h1: 
Ignore C-L value in the H1 parser if T-E is also set\n * BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set\n * BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried\n * BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only\n * MINOR: hlua: Test the hlua struct first when the lua socket is connecting\n * MINOR: hlua: Save the lua socket\u0027s server in its context\n * MINOR: hlua: Save the lua socket\u0027s timeout in its context\n * MINOR: hlua: Don\u0027t preform operations on a not connected socket\n * MINOR: hlua: Set context\u0027s appctx when the lua socket is created\n * BUG/MEDIUM: http-ana: Try to handle response before handling server abort\n * BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed\n * BUG/MEDIUM: actions: always apply a longest match on prefix lookup\n * BUG/MINOR: mux-quic: remove full demux flag on ncbuf release\n * BUG/MEDIUM: server/cli: don\u0027t delete a dynamic server that has streams\n * MINOR: pattern: fix pat_{parse,match}_ip() function comments\n * BUG/MINOR: server: add missing free for server-\u003erdr_pfx\n * BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers\n * BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API\n * BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1\n * BUG/MINOR: promex: fix backend_agg_check_status\n * BUG/MEDIUM: mux-fcgi: Don\u0027t swap trash and dbuf when handling STDERR records\n * BUG/MINOR: hlua/init: coroutine may not resume itself\n * BUG/MEDIUM: hlua: don\u0027t pass stale nargs argument to lua_resume()\n * CI: musl: drop shopt in workflow invocation\n * CI: musl: highlight section if there are coredumps\n * Revert \"BUG/MEDIUM: quic: missing check of dcid for init pkt including a token\"\n * BUG/MEDIUM: hlua: streams don\u0027t support mixing lua-load with lua-load-per-thread\n * MINOR: hlua: add hlua_stream_ctx_prepare helper function\n * 
BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT\n * BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code\n * BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind\n * BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help\n * MINOR: quic+openssl_compat: Emit an alert for \"allow-0rtt\" option\n * MINOR: quic+openssl_compat: Do not start without \"limited-quic\"\n * MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without \"limited-quic\"\n * BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels\n * DOC: quic: Add \"limited-quic\" new tuning setting\n * MINOR: quic: Add \"limited-quic\" new tuning setting\n * MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.\n * MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct\n * MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()\n * MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper\n * MINOR: quic: Export some KDF functions (QUIC-TLS)\n * MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper\n * MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()\n * MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()\n * MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT\n * MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header\n * MINOR: quic: QUIC openssl wrapper implementation\n * BUG/MINOR: quic: Wrong cluster secret initialization\n * BUG/MINOR: quic: Leak of frames to send.\n * BUILD: bug: make BUG_ON() void to avoid a rare warning\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-SLE-Micro-6.1-27", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", 
"contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20230-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2025:20230-1", "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520230-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2025:20230-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021093.html" }, { "category": "self", "summary": "SUSE Bug 1233973", "url": "https://bugzilla.suse.com/1233973" }, { "category": "self", "summary": "SUSE CVE CVE-2024-53008 page", "url": "https://www.suse.com/security/cve/CVE-2024-53008/" } ], "title": "Security update for haproxy", "tracking": { "current_release_date": "2025-03-05T14:55:47Z", "generator": { "date": "2025-03-05T14:55:47Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2025:20230-1", "initial_release_date": "2025-03-05T14:55:47Z", "revision_history": [ { "date": "2025-03-05T14:55:47Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64", "product": { "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64", "product_id": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x", "product": { "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x", "product_id": 
"haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64", "product": { "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64", "product_id": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Micro 6.1", "product": { "name": "SUSE Linux Micro 6.1", "product_id": "SUSE Linux Micro 6.1", "product_identification_helper": { "cpe": "cpe:/o:suse:sl-micro:6.1" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1", "product_id": "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64" }, "product_reference": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64", "relates_to_product_reference": "SUSE Linux Micro 6.1" }, { "category": "default_component_of", "full_product_name": { "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1", "product_id": "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x" }, "product_reference": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x", "relates_to_product_reference": "SUSE Linux Micro 6.1" }, { "category": "default_component_of", "full_product_name": { "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1", "product_id": "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64" }, "product_reference": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64", "relates_to_product_reference": "SUSE Linux Micro 6.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-53008", "ids": [ { "system_name": 
"SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-53008" } ], "notes": [ { "category": "general", "text": "Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response Smuggling\u0027) issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64", "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x", "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2024-53008", "url": "https://www.suse.com/security/cve/CVE-2024-53008" }, { "category": "external", "summary": "SUSE Bug 1233973 for CVE-2024-53008", "url": "https://bugzilla.suse.com/1233973" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64", "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x", "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64", "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x", "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-03-05T14:55:47Z", "details": "moderate" } ], "title": "CVE-2024-53008" } ] }
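The CVE description above says only that a remote attacker "may access a path that is restricted by ACL"; the mechanism behind that wording is the classic CWE-444 desync between a front-end that decodes headers from binary frames (HTTP/2 or HTTP/3) and a back-end that re-parses them as HTTP/1.1 text. The following Python is an added illustration of that mechanism and of the field-value check that closes it. It is not HAProxy code and not the exact condition fixed in 2.8.11; the paths `/public` and `/admin`, the header names, the smuggled value and the minimal back-end parser are all constructed for the example.

```python
import re

# RFC 9110 field-value grammar: VCHAR / SP / HTAB / obs-text. CR, LF and NUL can
# never appear inside a field value, and a field name is a token. This is a
# stand-alone reimplementation of the kind of check a proxy must apply before
# re-serializing HTTP/2 or HTTP/3 headers onto an HTTP/1.1 connection
# (example code, not HAProxy's own implementation).
_FIELD_VALUE = re.compile(rb"\A[\t \x21-\x7e\x80-\xff]*\Z")
_TOKEN = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def header_is_valid(name: bytes, value: bytes) -> bool:
    """True if (name, value) is a well-formed HTTP field per RFC 9110."""
    return _TOKEN.match(name) is not None and _FIELD_VALUE.match(value) is not None


def serialize_h1_naive(method: bytes, path: bytes, headers) -> bytes:
    """Vulnerable: re-emits decoded header values verbatim on the H1 wire."""
    lines = [method + b" " + path + b" HTTP/1.1"]
    lines += [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def serialize_h1_strict(method: bytes, path: bytes, headers) -> bytes:
    """Hardened: refuse the whole request if any header fails validation."""
    for name, value in headers:
        if not header_is_valid(name, value):
            raise ValueError(f"invalid header field {name!r}: {value!r}")
    return serialize_h1_naive(method, path, headers)


def split_h1_requests(stream: bytes):
    """Minimal stand-in for a back-end H1 parser: one (method, path) per head.

    Body-less requests only; the stream is cut at each blank line, which is
    exactly what makes a CR LF pair inside a header value dangerous.
    """
    requests = []
    for head in stream.split(b"\r\n\r\n"):
        if not head:
            continue
        request_line = head.split(b"\r\n", 1)[0]
        method, path, _version = request_line.split(b" ", 2)
        requests.append((method, path))
    return requests


# Constructed scenario (not a captured exploit): the front-end ACL only allows
# /public, but one decoded header value carries CR LF CR LF followed by a second
# request line. HTTP/2 and HTTP/3 carry headers in binary frames, so such a value
# can arrive at the proxy even though it could never be sent over HTTP/1.1.
SMUGGLED_VALUE = b"x\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.internal"
CLIENT_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.7"),
    (b"x-injected", SMUGGLED_VALUE),
]


def backend_sees_naive():
    """What the back-end parses when the proxy forwards headers unvalidated."""
    return split_h1_requests(serialize_h1_naive(b"GET", b"/public", CLIENT_HEADERS))


def backend_sees_strict():
    """Parsed requests, or None when the proxy rejected the request at the edge."""
    try:
        wire = serialize_h1_strict(b"GET", b"/public", CLIENT_HEADERS)
    except ValueError:
        return None
    return split_h1_requests(wire)


if __name__ == "__main__":
    print("naive :", backend_sees_naive())   # two requests; /admin never met the ACL
    print("strict:", backend_sees_strict())  # None: the request was refused
```

The naive path shows the front-end evaluating its ACL once, for `/public`, while the back-end parses two requests and serves `/admin` as well; that second request is the "restricted path" of the CVE text. The strict path rejects the request before anything reaches the back-end, which is the only safe response: sanitising the value (stripping CR/LF) would keep the request alive with attacker-controlled bytes, and relying on the back-end to notice is exactly the assumption the advisory's "non-compliant back-end server" wording warns about.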
suse-su-2025:20101-1
Vulnerability from csaf_suse
Published
2025-02-03 09:17
Modified
2025-02-03 09:17
Summary
Security update for haproxy
Notes
Title of the patch
Security update for haproxy
Description of the patch
This update for haproxy fixes the following issues:
Update to version 2.8.11+git0.01c1056a4:
- VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to an HTTP/1.1 non-compliant back-end server (bsc#1233973)
- BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
- BUG/MEDIUM: promex: Wait to have the request before sending the response
- BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
- BUG/MEDIUM: queue: implement a flag to check for the dequeuing
- BUG/MINOR: clock: validate that now_offset still applies to the current date
- BUG/MINOR: clock: make time jump corrections a bit more accurate
- BUG/MINOR: polling: fix time reporting when using busy polling
- BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
- BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
- BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
- BUG/MEDIUM: clock: detect and cover jumps during execution
- REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
- DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
- BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
- BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
- BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
- BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full
- BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
- BUG/MEDIUM: clock: also update the date offset on time jumps
- DOC: config: correct the table for option tcplog
- BUG/MINOR: h3: properly reject too long header responses
- BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
- BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
- REGTESTS: mcli: test the pipelined commands on master CLI
- BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
- MINOR: channel: implement ci_insert() function
- BUG/MINOR: proto_tcp: keep error msg if listen() fails
- BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
- BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
- BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
- BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
- BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
- BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
- BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
- BUG/MINOR: fcgi-app: handle a possible strdup() failure
- BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
- BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
- BUG/MEDIUM: http-ana: Report error on write error waiting for the response
- BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
- BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
- BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
- BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
- BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
- BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
- MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
- BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
- MINOR: queue: add a function to check for TOCTOU after queueing
- BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
- BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
- BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
- BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
- BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
- DOC: config: improve the http-keep-alive section
- DOC: configuration: issuers-chain-path not compatible with OCSP
- BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
- BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
- BUG/MINOR: session: Eval L4/L5 rules defined in the default section
- BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
- BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
- BUG/MEDIUM: h1: Reject empty Transfer-encoding header
- BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
- BUG/MINOR: h1: Fail to parse empty transfer coding names
- BUG/MINOR: jwt: fix variable initialisation
- DOC: configuration: update maxconn description
- BUG/MINOR: jwt: don't try to load files with HMAC algorithm
- MEDIUM: ssl: initialize the SSL stack explicitly
- DOC: configuration: more details about the master-worker mode
- BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
- BUG/MINOR: quic: fix race-condition on trace for CID retrieval
- BUG/MINOR: quic: fix race condition in qc_check_dcid()
- BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
- BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
- BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
- MINOR: activity: make the memory profiling hash size configurable at build time
- BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
- BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
- BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
- BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
- DOC: api/event_hdl: small updates, fix an example and add some precisions
- SCRIPTS: git-show-backports: do not truncate git-show output
- DOC: configuration: fix alphabetical order of bind options
- DOC: management: rename show stats domain cli "dns" to "resolvers"
- DOC/MINOR: management: add missed -dR and -dv options
- BUG/MINOR: proxy: fix header_unique_id leak on deinit()
- BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
- BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
- BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
- BUG/MINOR: proxy: fix log_tag leak on deinit()
- BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
- BUG/MINOR: quic: fix computed length of emitted STREAM frames
- [RELEASE] Released version 2.8.10
- BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
- BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
- BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
- BUG/MAJOR: server: do not delete srv referenced by session
- MINOR: session: rename private conns elements
- BUG/MEDIUM: quic: fix connection freeze on post handshake
- BUG/MEDIUM: server: fix dynamic servers initial settings
- BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+RSA configuration
- CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
- BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
- BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
- BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
- BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
- CLEANUP: hlua: use hlua_pusherror() where relevant
- BUG/MINOR: quic: prevent crash on qc_kill_conn()
- BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
- BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
- BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
- BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
- BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
- BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
- CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
- BUILD: fd: errno is also needed without poll()
- CI: scripts: fix build of vtest regarding option -C
- REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
- DOC: config: fix incorrect section reference about custom log format
- DOC: quic: specify that connection migration is not supported
- BUG/MINOR: server: Don't reset resolver options on a new default-server line
- BUG/MINOR: http-htx: Support default path during scheme based normalization
- BUG/MINOR: quic: adjust restriction for stateless reset emission
- MEDIUM: config: prevent communication with privileged ports
- BUILD: quic: fix unused variable warning when threads are disabled
- BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
- BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
- BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
- BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
- DOC: configuration: update the crt-list documentation
- CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
- BUG/MINOR: stats: Don't state the 303 redirect response is chunked
- BUG/MINOR: http-ana/stats: Specify that HTX redirect messages have a C-L header
- BUG/MEDIUM: fd: prevent memory waste in fdtab array
- BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
- BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
- BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
- BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
- BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
- BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
- BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
- BUG/MINOR: log: smp_rgs array issues with inherited global log directives
- BUG/MINOR: log: keep the ref in dup_logger()
- MINOR: log: add dup_logsrv() helper function
- DOC: lua: fix filters.txt file location
- BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
- BUILD: clock: improve check for pthread_getcpuclockid()
- BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
- BUG/MINOR: h1: fix detection of upper bytes in the URI
- BUG/MINOR: backend: use cum_sess counters instead of cum_conn
- BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
- BUG/MINOR: sock: handle a weird condition with connect()
- BUG/MINOR: stconn: Fix sc_mux_strm() return value
- BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
- BUG/MINOR: server: fix slowstart behavior
- BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
- BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
- BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
- BUG/MEDIUM: evports: do not clear returned events list on signal
- BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
- BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
- MINOR: net_helper: Add support for floats/doubles.
- CI: revert kernel addr randomization introduced in 3a0fc864
- BUG/MEDIUM: peers/trace: fix crash when listing event types
- BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
- BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
- BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fresh server connection
- CLEANUP: log: lf_text_len() returns a pointer not an integer
- BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
- BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
- BUG/MINOR: log: fix lf_text_len() truncate inconsistency
- BUG/MINOR: listener: always assign distinct IDs to shards
- BUG/MINOR: cli: Report an error to user if command or payload is too big
- [RELEASE] Released version 2.8.9
- BUILD: proxy: Replace free_logformat_list() to manually release log-format
- [RELEASE] Released version 2.8.8
- BUG/MINOR: proxy: fix logformat expression leak in use_backend rules
- BUG/MINOR: backend: properly handle redispatch 0
- BUG/MINOR: server: ignore 'enabled' for dynamic servers
- BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n
- MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
- MINOR: server: allow cookie for dynamic servers
- BUG/MINOR: server: fix persistence cookie for dynamic servers
- BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities
- BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message
- BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
- OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}
- BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
- BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet
- BUG/MEDIUM: ssl: Fix crash in ocsp-update log function
- BUG/MINOR: session: ensure conn owner is set after insert into session
- BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
- CI: temporarily adjust kernel entropy to work with ASAN/clang
- BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
- BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
- BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
- BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
- BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
- MINOR: hlua: use accessors for stream hlua ctx
- DEBUG: lua: precisely identify if stream is stuck inside lua or not
- BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()
- BUG/MINOR: hlua: missing lock in hlua_filter_new()
- BUG/MINOR: hlua: segfault when loading the same filter from different contexts
- BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
- DOC: configuration: clarify ciphersuites usage (V2)
- BUILD: solaris: fix compilation errors
- BUG/MINOR: cfgparse: report proper location for log-format-sd errors
- BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description
- CI: skip scheduled builds on forks
- BUG/MINOR: sink: fix a race condition in the TCP log forwarding code
- BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
- BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
- BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
- BUG/MINOR: hlua: improper lock usage in hlua_filter_new()
- BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()
- BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
- BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
- BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
- BUG/MINOR: tools: seed the statistical PRNG slightly better
- MINOR: hlua: Be able to disable logging from lua
- BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
- BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
- DOC: configuration: clarify ciphersuites usage
- LICENSE: http_ext: fix GPL license version
- LICENSE: event_hdl: fix GPL license version
- BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
- BUG/MINOR: ist: only store NUL byte on succeeded alloc
- BUG/MINOR: quic: fix output of show quic
- BUG/MAJOR: server: fix stream crash due to deleted server
- BUG/MINOR: stats: drop srv refcount on early release
- BUG/MINOR: ist: allocate nul byte on istdup
- MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
- DOC: quic: fix recommendation for bind on multiple address
- BUG/MEDIUM: quic: fix transient send error with listener socket
- BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
- BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
- BUG/MEDIUM: applet: Immediately free appctx on early error
- DOC: quic: Missing tuning setting in "Global parameters"
- BUG/MINOR: qpack: reject invalid dynamic table capacity
- BUG/MINOR: qpack: reject invalid increment count decoding
- BUG/MINOR: quic: reject HANDSHAKE_DONE as server
- BUG/MINOR: quic: reject unknown frame type
- BUG/MAJOR: promex: fix crash on deleted server
- MINOR: connection: add sample fetches to report per-connection glitches
- MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
- MINOR: connection: add a new mux_ctl to report number of connection glitches
- MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
- MINOR: mux-h2: always use h2c_report_glitch()
- MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
- MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
- BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control
- MINOR: mux-h2: add a counter of "glitches" on a connection
- [RELEASE] Released version 2.8.7
- BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
- [RELEASE] Released version 2.8.6
- DEV: makefile: fix POSIX compatibility for "range" target
- DEV: makefile: add a new "range" target to iteratively build all commits
- CI: Update to actions/cache@v4
- DOC: internal: update missing data types in peers-v2.0.txt
- DOC: install: recommend pcre2
- DOC: httpclient: add dedicated httpclient section
- DOC: configuration: clarify http-request wait-for-body
- BUILD: address a few remaining calloc(size, n) cases
- BUG/MINOR: ext-check: cannot use without preserve-env
- MINOR: ext-check: add an option to preserve environment variables
- BUG/MINOR: diag: run the final diags before quitting when using -c
- BUG/MINOR: diag: always show the version before dumping a diag warning
- MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
- MINOR: quic: Add a counter for reordered packets
- MINOR: quic: Dynamic packet reordering threshold
- MINOR: quic: Update K CUBIC calculation (RFC 9438)
- BUG/MEDIUM: quic: Wrong K CUBIC calculation.
- MINOR: quic: Stop using 1024th of a second.
- BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
- CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
- BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
- BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
- BUG/MEDIUM: qpack: allow 6xx..9xx status codes
- BUG/MEDIUM: h3: do not crash on invalid response status code
- MINOR: h3: add traces for stream sending function
- BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
- MINOR: quic: extract qc_stream_buf free in a dedicated function
- MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
- CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
- BUG/MEDIUM: mux-quic: report early error on stream
- BUG/MINOR: h3: fix checking on NULL Tx buffer
- BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
- REGTESTS: ssl: Add OCSP related tests
- REGTESTS: ssl: Fix empty line in cli command input
- BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
- BUG/MINOR: ssl: Destroy ckch instances before the store during deinit
- BUG/MEDIUM: ocsp: Separate refcount per instance and per store
- MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
- BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
- BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
- BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
- BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
- BUG/MEDIUM: h1: always reject the NUL character in header values
- BUG/MINOR: h1-htx: properly initialize the err_pos field
- BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
- BUG/MINOR: h1: Don't support LF only at the end of chunks
- BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
- BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
- BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
- BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
- BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
- BUG/MINOR: vars/cli: fix missing LF after "get var" output
- BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
- REGTESTS: add a test to ensure map-ordering is preserved
- MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
- BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
- MINOR: mux-h2/traces: clarify the "rejected H2 request" event
- MINOR: mux-h2/traces: explicitly show the error/refused stream states
- MINOR: mux-h2/traces: also suggest invalid header upon parsing error
- MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
- MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
- MINOR: debug: make sure calls to ha_crash_now() are never merged
- MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
- BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
- BUG/MINOR: mux-h2: also count streams for refused ones
- BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control
- DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay
- MINOR: mux-h2: support limiting the total number of H2 streams per connection
- BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
- BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
- BUG/MEDIUM: h3: fix incorrect snd_buf return value
- CLEANUP: quic: Remaining useless code into server part
- BUG/MINOR: h3: close connection on sending alloc errors
- BUG/MINOR: h3: properly handle alloc failure on finalize
- BUG/MINOR: h3: close connection on header list too big
- MINOR: h3: check connection error during sending
- BUG/MINOR: quic: Missing call to TLS message callbacks
- BUG/MINOR: quic: Wrong keylog callback setting.
- BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
- BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
- MINOR: stats: store the parent proxy in stats ctx (http)
- DOC: config: Update documentation about local haproxy response
- BUG/MINOR: resolvers: default resolvers fails when network not configured
- BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
- BUG/MEDIUM: quic: QUIC CID removed from tree without locking
- BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
- BUG/MINOR: mworker/cli: fix set severity-output support
- DOC: configuration: typo req.ssl_hello_type
- [RELEASE] Released version 2.8.5
- BUG/MEDIUM: proxy: always initialize the default settings after init
- BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certificate (LUA)
- BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certificate
- MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
- BUG/MINOR: ssl: Double free of OCSP Certificate ID
- BUG/MINOR: quic: Packet number spaces too lately initialized
- BUG/MINOR: quic: Missing QUIC connection path member initialization
- BUG/MINOR: quic: Possible leak of TX packets under heavy load
- BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
- BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed
- BUG/MEDIUM: peers: fix partial message decoding
- DOC: Clarify the differences between field() and word()
- BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
- REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
- DOC: config: fix monitor-fail typo
- DOC: config: add matrix entry for "max-session-srv-conns"
- DOC: config: specify supported sections for "max-session-srv-conns"
- BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
- BUG/MINOR: config: Stopped parsing upon unmatched environment variables
- BUG/MINOR: quic_tp: fix preferred_address decoding
- DOC: config: fix missing characters in set-spoe-group action
- BUG/MINOR: h3: always reject PUSH_PROMISE
- BUG/MINOR: h3: fix TRAILERS encoding
- BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
- BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()
- BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
- DOC: lua: fix Proxy.get_mode() output
- DOC: lua: add sticktable class reference from Proxy.stktable
- REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
- DOC: config: fix timeout check inheritance restrictions
- DOC: 51d: updated 51Degrees repo URL for v3.2.10
- BUG/MINOR: server: do not leak default-server in defaults sections
- BUG/MINOR: quic: Possible RX packet memory leak under heavy load
- BUG/MEDIUM: quic: Possible crash for connections to be killed
- BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
- BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly
- REGTESTS: http: add a test to validate chunked responses delivery
- BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
- MINOR: stktable: add stktable_deinit function
- BUG/MINOR: stream/cli: report correct stream age in "show sess"
- BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
- BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
- BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
- BUG/MAJOR: quic: complete thread migration before tcp-rules
- [RELEASE] Released version 2.8.4
- BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends
- BUG/MINOR: stconn/applet: Report send activity only if there was output data
- BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer
- BUG/MINOR: stconn: Fix streamer detection for HTX streams
- MINOR: channel: Add functions to get info on buffers and deal with HTX streams
- MINOR: htx: Use a macro for overhead induced by HTX
- BUG/MEDIUM: stconn: Update fsb date on partial sends
- BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
- BUG/MEDIUM: mworker: set the master variable earlier
- BUG/MEDIUM: applet: Report a send activity every time data were sent
- BUG/MEDIUM: stconn: Report a send activity every time data were sent
- REGTESTS: http: Improve script testing abortonclose option
- BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
- MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and subscribe for reads
- MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
- BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
- BUG/MEDIUM: connection: report connection errors even when no mux is installed
- DOC: quic: Wrong syntax for "quic-cc-algo" keyword.
- BUG/MINOR: sink: don't learn srv port from srv addr
- BUG/MEDIUM: applet: Remove appctx from buffer wait list on release
- DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
- BUG/MINOR: quic: fix retry token check inconsistency
- DOC: management: -q is quiet all the time
- BUG/MEDIUM: stconn: Don't update stream expiration date if already expired
- BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures
- BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
- BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree
- BUG/MINOR: quic: idle timer task requeued in the past
- BUG/MEDIUM: pool: fix releasable pool calculation when overloaded
- BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period
- BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
- BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
- BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure
- BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure
- CLEANUP: htx: Properly indent htx_reserve_max_data() function
- BUG/MINOR: stconn: Sanitize report for read activity
- BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()
- BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot expire
- BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
- BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
- BUG/MINOR: stktable: missing free in parse_stick_table()
- BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
- BUG/MEDIUM: ssl: segfault when cipher is NULL
- BUG/MINOR: mux-quic: fix early close if unset client timeout
- BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
- MEDIUM: quic: count quic_conn for global sslconns
- MEDIUM: quic: count quic_conn instance for maxconn
- MINOR: frontend: implement a dedicated actconn increment function
- BUG/MINOR: ssl: use a thread-safe sslconns increment
- BUG/MINOR: quic: do not consider idle timeout on CLOSING state
- BUG/MEDIUM: server: "proto" not working for dynamic servers
- MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
- DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
- MINOR: lua: Add flags to configure logging behaviour
- BUG/MINOR: ssl: load correctly @system-ca when ca-base is define
- DOC: internal: filters: fix reference to entities.pdf
- BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
- BUG/MINOR: mux-h2: commit the current stream ID even on reject
- BUG/MEDIUM: peers: Fix synchro for huge number of tables
- BUG/MEDIUM: peers: Be sure to always refresh reconnect timer in sync task
- BUG/MINOR: trace: fix trace parser error reporting
- BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again
- BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
- BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
- BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request
- BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash
- BUG/MINOR: mux-quic: fix free on qcs-new fail alloc
- BUG/MINOR: h3: strengthen host/authority header parsing
- BUG/MINOR: mux-quic: support initial 0 max-stream-data
- BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream
- BUG/MINOR: quic: reject packet with no frame
- BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos
- BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
- BUG/MINOR: hq-interop: simplify parser requirement
- BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
- BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
- BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
- BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
- MINOR: hlua: Test the hlua struct first when the lua socket is connecting
- MINOR: hlua: Save the lua socket's server in its context
- MINOR: hlua: Save the lua socket's timeout in its context
- MINOR: hlua: Don't perform operations on a not connected socket
- MINOR: hlua: Set context's appctx when the lua socket is created
- BUG/MEDIUM: http-ana: Try to handle response before handling server abort
- BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed
- BUG/MEDIUM: actions: always apply a longest match on prefix lookup
- BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
- BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
- MINOR: pattern: fix pat_{parse,match}_ip() function comments
- BUG/MINOR: server: add missing free for server->rdr_pfx
- BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
- BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
- BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
- BUG/MINOR: promex: fix backend_agg_check_status
- BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
- BUG/MINOR: hlua/init: coroutine may not resume itself
- BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
- CI: musl: drop shopt in workflow invocation
- CI: musl: highlight section if there are coredumps
- Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
- BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
- MINOR: hlua: add hlua_stream_ctx_prepare helper function
- BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
- BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
- BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
- BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help
- MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
- MINOR: quic+openssl_compat: Do not start without "limited-quic"
- MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
- BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
- DOC: quic: Add "limited-quic" new tuning setting
- MINOR: quic: Add "limited-quic" new tuning setting
- MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
- MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
- MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
- MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
- MINOR: quic: Export some KDF functions (QUIC-TLS)
- MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
- MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
- MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
- MINOR: quic: Do not enable 0-RTT with USE_QUIC_OPENSSL_COMPAT
- MINOR: quic: Include QUIC openssl wrapper header from TLS stacks compatibility header
- MINOR: quic: QUIC openssl wrapper implementation
- BUG/MINOR: quic: Wrong cluster secret initialization
- BUG/MINOR: quic: Leak of frames to send.
- BUILD: bug: make BUG_ON() void to avoid a rare warning
Patchnames
SUSE-SLE-Micro-6.0-163
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
in its context\n- MINOR: hlua: Don\u0027t preform operations on a not connected socket\n- MINOR: hlua: Set context\u0027s appctx when the lua socket is created\n- BUG/MEDIUM: http-ana: Try to handle response before handling server abort\n- BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed\n- BUG/MEDIUM: actions: always apply a longest match on prefix lookup\n- BUG/MINOR: mux-quic: remove full demux flag on ncbuf release\n- BUG/MEDIUM: server/cli: don\u0027t delete a dynamic server that has streams\n- MINOR: pattern: fix pat_{parse,match}_ip() function comments\n- BUG/MINOR: server: add missing free for server-\u003erdr_pfx\n- BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers\n- BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API\n- BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1\n- BUG/MINOR: promex: fix backend_agg_check_status\n- BUG/MEDIUM: mux-fcgi: Don\u0027t swap trash and dbuf when handling STDERR records\n- BUG/MINOR: hlua/init: coroutine may not resume itself\n- BUG/MEDIUM: hlua: don\u0027t pass stale nargs argument to lua_resume()\n- CI: musl: drop shopt in workflow invocation\n- CI: musl: highlight section if there are coredumps\n- Revert \"BUG/MEDIUM: quic: missing check of dcid for init pkt including a token\"\n- BUG/MEDIUM: hlua: streams don\u0027t support mixing lua-load with lua-load-per-thread\n- MINOR: hlua: add hlua_stream_ctx_prepare helper function\n- BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT\n- BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code\n- BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind\n- BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help\n- MINOR: quic+openssl_compat: Emit an alert for \"allow-0rtt\" option\n- MINOR: quic+openssl_compat: Do not start without \"limited-quic\"\n- MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without \"limited-quic\"\n- BUG/MINOR: 
quic+openssl_compat: Non initialized TLS encryption levels\n- DOC: quic: Add \"limited-quic\" new tuning setting\n- MINOR: quic: Add \"limited-quic\" new tuning setting\n- MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.\n- MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct\n- MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()\n- MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper\n- MINOR: quic: Export some KDF functions (QUIC-TLS)\n- MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper\n- MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()\n- MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()\n- MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT\n- MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header\n- MINOR: quic: QUIC openssl wrapper implementation\n- BUG/MINOR: quic: Wrong cluster secret initialization\n- BUG/MINOR: quic: Leak of frames to send.\n- BUILD: bug: make BUG_ON() void to avoid a rare warning\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-SLE-Micro-6.0-163", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20101-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2025:20101-1", "url": 
"https://www.suse.com/support/update/announcement/2025/suse-su-202520101-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2025:20101-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021219.html" }, { "category": "self", "summary": "SUSE Bug 1233973", "url": "https://bugzilla.suse.com/1233973" }, { "category": "self", "summary": "SUSE CVE CVE-2024-53008 page", "url": "https://www.suse.com/security/cve/CVE-2024-53008/" } ], "title": "Security update for haproxy", "tracking": { "current_release_date": "2025-02-03T09:17:08Z", "generator": { "date": "2025-02-03T09:17:08Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2025:20101-1", "initial_release_date": "2025-02-03T09:17:08Z", "revision_history": [ { "date": "2025-02-03T09:17:08Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "haproxy-2.8.11+git0.01c1056a4-1.1.aarch64", "product": { "name": "haproxy-2.8.11+git0.01c1056a4-1.1.aarch64", "product_id": "haproxy-2.8.11+git0.01c1056a4-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "haproxy-2.8.11+git0.01c1056a4-1.1.s390x", "product": { "name": "haproxy-2.8.11+git0.01c1056a4-1.1.s390x", "product_id": "haproxy-2.8.11+git0.01c1056a4-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "haproxy-2.8.11+git0.01c1056a4-1.1.x86_64", "product": { "name": "haproxy-2.8.11+git0.01c1056a4-1.1.x86_64", "product_id": "haproxy-2.8.11+git0.01c1056a4-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Micro 6.0", "product": { "name": "SUSE Linux Micro 6.0", "product_id": "SUSE Linux Micro 6.0", "product_identification_helper": { 
"cpe": "cpe:/o:suse:sl-micro:6.0" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "haproxy-2.8.11+git0.01c1056a4-1.1.aarch64 as component of SUSE Linux Micro 6.0", "product_id": "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.aarch64" }, "product_reference": "haproxy-2.8.11+git0.01c1056a4-1.1.aarch64", "relates_to_product_reference": "SUSE Linux Micro 6.0" }, { "category": "default_component_of", "full_product_name": { "name": "haproxy-2.8.11+git0.01c1056a4-1.1.s390x as component of SUSE Linux Micro 6.0", "product_id": "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.s390x" }, "product_reference": "haproxy-2.8.11+git0.01c1056a4-1.1.s390x", "relates_to_product_reference": "SUSE Linux Micro 6.0" }, { "category": "default_component_of", "full_product_name": { "name": "haproxy-2.8.11+git0.01c1056a4-1.1.x86_64 as component of SUSE Linux Micro 6.0", "product_id": "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.x86_64" }, "product_reference": "haproxy-2.8.11+git0.01c1056a4-1.1.x86_64", "relates_to_product_reference": "SUSE Linux Micro 6.0" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-53008", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-53008" } ], "notes": [ { "category": "general", "text": "Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response Smuggling\u0027) issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. 
As a result, the attacker may obtain sensitive information.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.aarch64", "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.s390x", "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2024-53008", "url": "https://www.suse.com/security/cve/CVE-2024-53008" }, { "category": "external", "summary": "SUSE Bug 1233973 for CVE-2024-53008", "url": "https://bugzilla.suse.com/1233973" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.aarch64", "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.s390x", "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.aarch64", "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.s390x", "SUSE Linux Micro 6.0:haproxy-2.8.11+git0.01c1056a4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-02-03T09:17:08Z", "details": "moderate" } ], "title": "CVE-2024-53008" } ] }
fkie_cve-2024-53008
Vulnerability from fkie_nvd
Published
2024-11-28 03:15
Modified
2024-11-28 03:15
Severity ?
Summary
Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
References
Source | URL | Tags
---|---|---
vultures@jpcert.or.jp | https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=1afca10150ac3e4e2224055cc31b6f1e4a70efe2 |
vultures@jpcert.or.jp | https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=01c1056a44823c5ffb8f74660b32c099d9b5355b |
vultures@jpcert.or.jp | https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=4bcaece344c8738dac1ab5bd8cc81e2a22701d71 |
vultures@jpcert.or.jp | https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=95a607c4b3af09be2a495b9c2872ea252ccff603 |
vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN88385716/ |
vultures@jpcert.or.jp | https://www.haproxy.org/ |
Impacted products
Vendor | Product | Version
---|---|---
(none recorded yet; the NVD entry's status is "Awaiting Analysis")
{ "cveTags": [], "descriptions": [ { "lang": "en", "value": "Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response Smuggling\u0027) issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information." }, { "lang": "es", "value": "Existe un problema de interpretaci\u00f3n inconsistente de las solicitudes HTTP (\u0027Contrabando de solicitudes/respuestas HTTP\u0027) en HAProxy. Si se aprovecha esta vulnerabilidad, un atacante remoto puede acceder a una ruta restringida por la ACL (lista de control de acceso) establecida en el producto. Como resultado, el atacante puede obtener informaci\u00f3n confidencial." } ], "id": "CVE-2024-53008", "lastModified": "2024-11-28T03:15:16.363", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "vultures@jpcert.or.jp", "type": "Secondary" } ] }, "published": "2024-11-28T03:15:16.363", "references": [ { "source": "vultures@jpcert.or.jp", "url": "https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=1afca10150ac3e4e2224055cc31b6f1e4a70efe2" }, { "source": "vultures@jpcert.or.jp", "url": "https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=01c1056a44823c5ffb8f74660b32c099d9b5355b" }, { "source": "vultures@jpcert.or.jp", "url": "https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=4bcaece344c8738dac1ab5bd8cc81e2a22701d71" }, { "source": "vultures@jpcert.or.jp", "url": "https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=95a607c4b3af09be2a495b9c2872ea252ccff603" 
}, { "source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN88385716/" }, { "source": "vultures@jpcert.or.jp", "url": "https://www.haproxy.org/" } ], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-444" } ], "source": "vultures@jpcert.or.jp", "type": "Secondary" } ] }
ghsa-qq72-vh82-fwv9
Vulnerability from github
Published
2024-11-28 06:32
Modified
2024-11-28 06:32
Severity ?
VLAI Severity ?
Details
Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
{ "affected": [], "aliases": [ "CVE-2024-53008" ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-11-28T03:15:16Z", "severity": "MODERATE" }, "details": "Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response Smuggling\u0027) issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.", "id": "GHSA-qq72-vh82-fwv9", "modified": "2024-11-28T06:32:42Z", "published": "2024-11-28T06:32:42Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53008" }, { "type": "WEB", "url": "https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=1afca10150ac3e4e2224055cc31b6f1e4a70efe2" }, { "type": "WEB", "url": "https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=01c1056a44823c5ffb8f74660b32c099d9b5355b" }, { "type": "WEB", "url": "https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=4bcaece344c8738dac1ab5bd8cc81e2a22701d71" }, { "type": "WEB", "url": "https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=95a607c4b3af09be2a495b9c2872ea252ccff603" }, { "type": "WEB", "url": "https://jvn.jp/en/jp/JVN88385716" }, { "type": "WEB", "url": "https://www.haproxy.org" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ] }
wid-sec-w-2024-3560
Vulnerability from csaf_certbund
Published
2024-11-27 23:00
Modified
2025-06-03 22:00
Summary
HAProxy: Vulnerability allows information disclosure
Notes
As the provider of its own content made available for use, the BSI is responsible under the general laws. Users, however, are responsible for carefully checking, case by case, the use and/or implementation of the information provided with that content.
Product description
HAProxy Enterprise is a widely used open source software load balancer and application delivery controller.
Red Hat OpenShift is a "Platform as a Service" (PaaS) solution for deploying applications in the cloud.
Attack
A remote, anonymous attacker can exploit a vulnerability in HAProxy to disclose information.
Affected operating systems
- Other
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "HAProxy Enterprise ist ein weit verbreiteter Open Source Software Load Balancer und Application Delivery Controller.\r\nRed Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HAProxy ausnutzen, um Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-3560 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3560.json" }, { "category": "self", "summary": "WID-SEC-2024-3560 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3560" }, { "category": "external", "summary": "Red Hat Bugtracker vom 2024-11-27", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329284" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-11-27", "url": "https://github.com/advisories/GHSA-qq72-vh82-fwv9" }, { "category": 
"external", "summary": "Ubuntu Security Notice USN-7133-1 vom 2024-12-03", "url": "https://ubuntu.com/security/notices/USN-7133-1" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:4390-1 vom 2024-12-20", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YYMU6HIOATWS24SM3Y4PCD66O3QKGYCQ/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20230-1 vom 2025-06-04", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021093.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20101-1 vom 2025-06-04", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021219.html" } ], "source_lang": "en-US", "title": "HAProxy: Schwachstelle erm\u00f6glicht Offenlegung von Informationen", "tracking": { "current_release_date": "2025-06-03T22:00:00.000+00:00", "generator": { "date": "2025-06-04T11:26:57.849+00:00", "engine": { "name": "BSI-WID", "version": "1.3.12" } }, "id": "WID-SEC-W-2024-3560", "initial_release_date": "2024-11-27T23:00:00.000+00:00", "revision_history": [ { "date": "2024-11-27T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-12-02T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2024-12-22T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-06-03T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c3.1.0", "product": { "name": "HAProxy HAProxy \u003c3.1.0", "product_id": "T039500" } }, { "category": "product_version", "name": "3.1.0", "product": { "name": "HAProxy HAProxy 3.1.0", "product_id": "T039500-fixed", "product_identification_helper": { "cpe": "cpe:/a:haproxy:haproxy:3.1.0" } } 
} ], "category": "product_name", "name": "HAProxy" } ], "category": "vendor", "name": "HAProxy" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "Container Platform 4", "product": { "name": "Red Hat OpenShift Container Platform 4", "product_id": "T039501", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4" } } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-53008", "product_status": { "known_affected": [ "T002207", "T000126", "T039501", "T039500" ] }, "release_date": "2024-11-27T23:00:00.000+00:00", "title": "CVE-2024-53008" } ] }
cve-2024-53008
Vulnerability from jvndb
Published
2024-11-27 14:36
Modified
2024-11-27 14:36
Severity ?
Summary
HAProxy vulnerable to HTTP request/response smuggling
Details
The HTTP/3 implementation in HAProxy accepts requests carrying malformed HTTP header fields instead of rejecting them. When such a request is forwarded to an HTTP/1.1 back-end server that is itself not RFC-compliant, the two hops interpret the request boundary differently, which an attacker can exploit to conduct an HTTP request/response smuggling attack (CWE-444) and reach paths that the front-end ACL is supposed to deny.
Yuki Mogi of FFRI Security, Inc. reported this vulnerability to the developer and coordinated with them. After the coordination was completed, JPCERT/CC coordinated with the developer to publish this advisory in order to notify users of the solution through JVN.
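The front-end/back-end disagreement described above, as an added illustration in Python. This is not HAProxy code, and it does not reproduce the exact malformed field used against HAProxy (the advisory does not specify it); it shows the generic CWE-444 mechanism: a front end that receives header fields in binary framing (HTTP/3 QPACK, where CR and LF are just bytes) and writes them back out as HTTP/1.1 text without validating them. The back end is modelled twice, once as an RFC 9112-compliant parser and once as the lenient one the advisory mentions. The `/admin` ACL, the `app.example` host and the `x-injected` field are all constructed for the example.

```python
"""
Illustration of the CWE-444 class behind CVE-2024-53008.  A front end that
accepts binary-framed (HTTP/3 QPACK) header fields and re-serialises them as
HTTP/1.1 text without validating them can turn one client request into two
at a lenient back end; the second request never passes the front-end ACL.
Added example, not HAProxy code.  The header field, host and ACL are made up.
"""
import re
from typing import List, Tuple

Header = Tuple[str, str]

# RFC 9110 field-name token characters.
TCHAR = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 9110 field-value content: HTAB, visible ASCII, obs-text. No CR/LF/NUL.
FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def header_is_valid(name: str, value: str) -> bool:
    """Strict check a front end must apply before forwarding a field that
    arrived in binary framing, where CR/LF are just bytes, not delimiters."""
    if not TCHAR.fullmatch(name) or not FIELD_VALUE.fullmatch(value):
        return False
    return value == value.strip(" \t")  # no leading/trailing OWS inside value


def to_http1(method: str, path: str, headers: List[Header], validate: bool) -> bytes:
    """Re-serialise a request as HTTP/1.1.  validate=False mirrors a front end
    that trusts binary-framed headers and simply writes them out."""
    if validate:
        for name, value in headers:
            if not header_is_valid(name, value):
                raise ValueError(f"front end: malformed header field {name!r}")
    lines = [f"{method} {path} HTTP/1.1"] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def front_end_forward(path: str, headers: List[Header], validate: bool) -> bytes:
    """ACL on the request the front end sees, then forwarding to the back end."""
    if path.startswith("/admin"):  # constructed ACL: deny the admin area
        raise ValueError("front end: denied by ACL")
    return to_http1("GET", path, headers, validate)


def compliant_backend_targets(raw: bytes) -> List[str]:
    """Model of an RFC 9112 back end: CRLF is the only line terminator and a
    bare CR or LF inside a field line is rejected with 400."""
    targets = []
    for block in raw.decode("latin-1").split("\r\n\r\n"):
        if not block:
            continue
        request_line, *field_lines = block.split("\r\n")
        for line in field_lines:
            name, sep, value = line.partition(":")
            if not sep or not header_is_valid(name, value.strip(" \t")):
                raise ValueError(f"back end: 400 Bad Request on {line!r}")
        targets.append(request_line.split(" ")[1])
    return targets


def lenient_backend_targets(raw: bytes) -> List[str]:
    """Model of the non-compliant back end the advisory mentions: a bare LF is
    accepted as a line terminator, so LF LF also ends a header block."""
    targets = []
    for block in re.split(r"\r?\n\r?\n", raw.decode("latin-1")):
        request_line = block.split("\n", 1)[0].rstrip("\r")
        if request_line:
            targets.append(request_line.split(" ")[1])
    return targets


def smuggle_attempt(validate_at_front_end: bool, compliant_back_end: bool) -> List[str]:
    """Request targets the back end processes for one constructed client
    request, or a single 'rejected' entry when some hop refuses it."""
    headers = [
        ("host", "app.example"),
        # Constructed malformed field: bare LFs inside a value.  QPACK carries
        # them as plain bytes; RFC 9114 requires the recipient to treat the
        # field as malformed, which is exactly the check the front end must do.
        ("x-injected", "1\n\nGET /admin HTTP/1.1\nhost: app.example"),
    ]
    try:
        raw = front_end_forward("/public", headers, validate_at_front_end)
        parse = compliant_backend_targets if compliant_back_end else lenient_backend_targets
        return parse(raw)
    except ValueError as exc:
        return [f"rejected: {exc}"]


if __name__ == "__main__":
    for validate in (False, True):
        for compliant in (False, True):
            print(f"validate={validate!s:5} compliant_backend={compliant!s:5} ->",
                  smuggle_attempt(validate, compliant))
```

Running the block prints the four combinations; only the unvalidated front end paired with the lenient back end yields a second target, `/admin`, that the ACL never saw. The fix commits referenced on this page address the front-end half (reject the malformed field before forwarding); a back end that enforces RFC 9112 line framing closes the other half, which is why the advisory's impact depends on a "non-compliant" back end.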
References
Type | ID | URL
---|---|---
JVN | JVN#88385716 | https://jvn.jp/en/jp/JVN88385716/index.html
CVE | CVE-2024-53008 | https://www.cve.org/CVERecord?id=CVE-2024-53008
CWE | CWE-Other (No Mapping) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Vendor | Product | CPE
---|---|---
HAProxy Technologies | HAProxy | cpe:/a:haproxy:haproxy
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000122.html", "dc:date": "2024-11-27T14:36+09:00", "dcterms:issued": "2024-11-27T14:36+09:00", "dcterms:modified": "2024-11-27T14:36+09:00", "description": "HAProxy HTTP/3 implementation contains an issue on accepting malformed HTTP headers. When a request including malformed HTTP headers is forwarded to a HTTP/1.1 non-compliant back-end server, it is exploited to conduct an HTTP request/response smuggling attack (CWE-444).\r\n\r\nYuki Mogi of FFRI Security, Inc. reported this vulnerability to the developer and coordinated. After the coordination was completed, JPCERT/CC coordinated with the developer to publish this advisory in order to notify users of the solution through JVN.", "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000122.html", "sec:cpe": { "#text": "cpe:/a:haproxy:haproxy", "@product": "HAProxy", "@vendor": "HAProxy Technologies", "@version": "2.2" }, "sec:cvss": { "@score": "5.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "@version": "3.0" }, "sec:identifier": "JVNDB-2024-000122", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN88385716/index.html", "@id": "JVN#88385716", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-53008", "@id": "CVE-2024-53008", "@source": "CVE" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "HAProxy vulnerable to HTTP request/response smuggling" }