suse-su-2025:20230-1
Vulnerability from csaf_suse
Published
2025-03-05 14:55
Modified
2025-03-05 14:55
Summary
Security update for haproxy

Notes

Title of the patch
Security update for haproxy
Description of the patch
This update for haproxy fixes the following issues:

Update to version 2.8.11+git0.01c1056a4:

* VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server (bsc#1233973)
* BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
* BUG/MEDIUM: promex: Wait to have the request before sending the response
* BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
* BUG/MEDIUM: queue: implement a flag to check for the dequeuing
* BUG/MINOR: clock: validate that now_offset still applies to the current date
* BUG/MINOR: clock: make time jump corrections a bit more accurate
* BUG/MINOR: polling: fix time reporting when using busy polling
* BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
* BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
* BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
* BUG/MEDIUM: clock: detect and cover jumps during execution
* REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
* DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
* BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
* BUG/MINOR: pattern: pat_ref_set: return 0 if err was found
* BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity
* BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full
* BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
* BUG/MEDIUM: clock: also update the date offset on time jumps
* DOC: config: correct the table for option tcplog
* BUG/MINOR: h3: properly reject too long header responses
* BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails
* BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID
* REGTESTS: mcli: test the pipelined commands on master CLI
* BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI
* MINOR: channel: implement ci_insert() function
* BUG/MINOR: proto_tcp: keep error msg if listen() fails
* BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails
* BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
* BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
* BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
* BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
* BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
* BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
* BUG/MINOR: fcgi-app: handle a possible strdup() failure
* BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
* BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
* BUG/MEDIUM: http-ana: Report error on write error waiting for the response
* BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
* BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
* BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered
* BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli
* BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready
* BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn
* MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)
* BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
* MINOR: queue: add a function to check for TOCTOU after queueing
* BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
* BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
* BUG/MINOR: cli: Atomically inc the global request counter between CLI commands
* BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution
* BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter
* DOC: config: improve the http-keep-alive section
* DOC: configuration: issuers-chain-path not compatible with OCSP
* BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
* BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts
* BUG/MINOR: session: Eval L4/L5 rules defined in the default section
* BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
* BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
* BUG/MEDIUM: h1: Reject empty Transfer-encoding header
* BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
* BUG/MINOR: h1: Fail to parse empty transfer coding names
* BUG/MINOR: jwt: fix variable initialisation
* DOC: configuration: update maxconn description
* BUG/MINOR: jwt: don't try to load files with HMAC algorithm
* MEDIUM: ssl: initialize the SSL stack explicitly
* DOC: configuration: more details about the master-worker mode
* BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
* BUG/MINOR: quic: fix race-condition on trace for CID retrieval
* BUG/MINOR: quic: fix race condition in qc_check_dcid()
* BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
* BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
* BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
* MINOR: activity: make the memory profiling hash size configurable at build time
* BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
* BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
* BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
* BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
* DOC: api/event_hdl: small updates, fix an example and add some precisions
* SCRIPTS: git-show-backports: do not truncate git-show output
* DOC: configuration: fix alphabetical order of bind options
* DOC: management: rename show stats domain cli "dns" to "resolvers"
* DOC/MINOR: management: add missed -dR and -dv options
* BUG/MINOR: proxy: fix header_unique_id leak on deinit()
* BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()
* BUG/MINOR: proxy: fix dyncookie_key leak on deinit()
* BUG/MINOR: proxy: fix check_{command,path} leak on deinit()
* BUG/MINOR: proxy: fix log_tag leak on deinit()
* BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()
* BUG/MINOR: quic: fix computed length of emitted STREAM frames
* [RELEASE] Released version 2.8.10
* BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
* BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
* BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
* BUG/MAJOR: server: do not delete srv referenced by session
* MINOR: session: rename private conns elements
* BUG/MEDIUM: quic: fix connection freeze on post handshake
* BUG/MEDIUM: server: fix dynamic servers initial settings
* BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+RSA configuration
* CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
* BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
* BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
* BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
* BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
* CLEANUP: hlua: use hlua_pusherror() where relevant
* BUG/MINOR: quic: prevent crash on qc_kill_conn()
* BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
* BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
* BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
* BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
* BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
* BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
* CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
* BUILD: fd: errno is also needed without poll()
* CI: scripts: fix build of vtest regarding option -C
* REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
* DOC: config: fix incorrect section reference about custom log format
* DOC: quic: specify that connection migration is not supported
* BUG/MINOR: server: Don't reset resolver options on a new default-server line
* BUG/MINOR: http-htx: Support default path during scheme based normalization
* BUG/MINOR: quic: adjust restriction for stateless reset emission
* MEDIUM: config: prevent communication with privileged ports
* BUILD: quic: fix unused variable warning when threads are disabled
* BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
* BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
* BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
* BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
* DOC: configuration: update the crt-list documentation
* CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
* BUG/MINOR: stats: Don't state the 303 redirect response is chunked
* BUG/MINOR: http-ana/stats: Specify that HTX redirect messages have a C-L header
* BUG/MEDIUM: fd: prevent memory waste in fdtab array
* BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
* BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
* BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
* BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
* BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
* BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
* BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
* BUG/MINOR: log: smp_rgs array issues with inherited global log directives
* BUG/MINOR: log: keep the ref in dup_logger()
* MINOR: log: add dup_logsrv() helper function
* DOC: lua: fix filters.txt file location
* BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
* BUILD: clock: improve check for pthread_getcpuclockid()
* BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
* BUG/MINOR: h1: fix detection of upper bytes in the URI
* BUG/MINOR: backend: use cum_sess counters instead of cum_conn
* BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
* BUG/MINOR: sock: handle a weird condition with connect()
* BUG/MINOR: stconn: Fix sc_mux_strm() return value
* BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
* BUG/MINOR: server: fix slowstart behavior
* BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
* BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
* BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
* BUG/MEDIUM: evports: do not clear returned events list on signal
* BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
* BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
* MINOR: net_helper: Add support for floats/doubles.
* CI: revert kernel addr randomization introduced in 3a0fc864
* BUG/MEDIUM: peers/trace: fix crash when listing event types
* BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
* BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
* BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fresh server connection
* CLEANUP: log: lf_text_len() returns a pointer not an integer
* BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
* BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
* BUG/MINOR: log: fix lf_text_len() truncate inconsistency
* BUG/MINOR: listener: always assign distinct IDs to shards
* BUG/MINOR: cli: Report an error to user if command or payload is too big
* [RELEASE] Released version 2.8.9
* BUILD: proxy: Replace free_logformat_list() to manually release log-format
* [RELEASE] Released version 2.8.8
* BUG/MINOR: proxy: fix logformat expression leak in use_backend rules
* BUG/MINOR: backend: properly handle redispatch 0
* BUG/MINOR: server: ignore 'enabled' for dynamic servers
* BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n
* MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
* MINOR: server: allow cookie for dynamic servers
* BUG/MINOR: server: fix persistence cookie for dynamic servers
* BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities
* BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message
* BUG/MINOR: server: 'source' interface ignored from 'default-server' directive
* OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}
* BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block
* BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet
* BUG/MEDIUM: ssl: Fix crash in ocsp-update log function
* BUG/MINOR: session: ensure conn owner is set after insert into session
* BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
* CI: temporarily adjust kernel entropy to work with ASAN/clang
* BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop
* BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout
* BUG/MINOR: listener: Don't schedule frontend without task in listener_release()
* BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release
* BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)
* MINOR: hlua: use accessors for stream hlua ctx
* DEBUG: lua: precisely identify if stream is stuck inside lua or not
* BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()
* BUG/MINOR: hlua: missing lock in hlua_filter_new()
* BUG/MINOR: hlua: segfault when loading the same filter from different contexts
* BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()
* DOC: configuration: clarify ciphersuites usage (V2)
* BUILD: solaris: fix compilation errors
* BUG/MINOR: cfgparse: report proper location for log-format-sd errors
* BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description
* CI: skip scheduled builds on forks
* BUG/MINOR: sink: fix a race condition in the TCP log forwarding code
* BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()
* BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()
* BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()
* BUG/MINOR: hlua: improper lock usage in hlua_filter_new()
* BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()
* BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
* BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts
* BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack
* BUG/MINOR: tools: seed the statistical PRNG slightly better
* MINOR: hlua: Be able to disable logging from lua
* BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel
* BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener
* DOC: configuration: clarify ciphersuites usage
* LICENSE: http_ext: fix GPL license version
* LICENSE: event_hdl: fix GPL license version
* BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist
* BUG/MINOR: ist: only store NUL byte on succeeded alloc
* BUG/MINOR: quic: fix output of show quic
* BUG/MAJOR: server: fix stream crash due to deleted server
* BUG/MINOR: stats: drop srv refcount on early release
* BUG/MINOR: ist: allocate nul byte on istdup
* MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support
* DOC: quic: fix recommendation for bind on multiple address
* BUG/MEDIUM: quic: fix transient send error with listener socket
* BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data
* BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets
* BUG/MEDIUM: applet: Immediately free appctx on early error
* DOC: quic: Missing tuning setting in "Global parameters"
* BUG/MINOR: qpack: reject invalid dynamic table capacity
* BUG/MINOR: qpack: reject invalid increment count decoding
* BUG/MINOR: quic: reject HANDSHAKE_DONE as server
* BUG/MINOR: quic: reject unknown frame type
* BUG/MAJOR: promex: fix crash on deleted server
* MINOR: connection: add sample fetches to report per-connection glitches
* MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES
* MINOR: connection: add a new mux_ctl to report number of connection glitches
* MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection
* MINOR: mux-h2: always use h2c_report_glitch()
* MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch
* MINOR: mux-h2: count excess of CONTINUATION frames as a glitch
* BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control
* MINOR: mux-h2: add a counter of "glitches" on a connection
* [RELEASE] Released version 2.8.7
* BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
* [RELEASE] Released version 2.8.6
* DEV: makefile: fix POSIX compatibility for "range" target
* DEV: makefile: add a new "range" target to iteratively build all commits
* CI: Update to actions/cache@v4
* DOC: internal: update missing data types in peers-v2.0.txt
* DOC: install: recommend pcre2
* DOC: httpclient: add dedicated httpclient section
* DOC: configuration: clarify http-request wait-for-body
* BUILD: address a few remaining calloc(size, n) cases
* BUG/MINOR: ext-check: cannot use without preserve-env
* MINOR: ext-check: add an option to preserve environment variables
* BUG/MINOR: diag: run the final diags before quitting when using -c
* BUG/MINOR: diag: always show the version before dumping a diag warning
* MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()
* MINOR: quic: Add a counter for reordered packets
* MINOR: quic: Dynamic packet reordering threshold
* MINOR: quic: Update K CUBIC calculation (RFC 9438)
* BUG/MEDIUM: quic: Wrong K CUBIC calculation.
* MINOR: quic: Stop using 1024th of a second.
* BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation
* CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)
* BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.
* BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON
* BUG/MEDIUM: qpack: allow 6xx..9xx status codes
* BUG/MEDIUM: h3: do not crash on invalid response status code
* MINOR: h3: add traces for stream sending function
* BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
* MINOR: quic: extract qc_stream_buf free in a dedicated function
* MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)
* CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.
* BUG/MEDIUM: mux-quic: report early error on stream
* BUG/MINOR: h3: fix checking on NULL Tx buffer
* BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
* REGTESTS: ssl: Add OCSP related tests
* REGTESTS: ssl: Fix empty line in cli command input
* BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"
* BUG/MINOR: ssl: Destroy ckch instances before the store during deinit
* BUG/MEDIUM: ocsp: Separate refcount per instance and per store
* MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
* BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
* BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch
* BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call
* BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions
* BUG/MEDIUM: h1: always reject the NUL character in header values
* BUG/MINOR: h1-htx: properly initialize the err_pos field
* BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
* BUG/MINOR: h1: Don't support LF only at the end of chunks
* BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up
* BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending
* BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()
* BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs
* BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
* BUG/MINOR: vars/cli: fix missing LF after "get var" output
* BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI
* REGTESTS: add a test to ensure map-ordering is preserved
* MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc
* BUG/MEDIUM: mux-h2: refine connection vs stream error on headers
* MINOR: mux-h2/traces: clarify the "rejected H2 request" event
* MINOR: mux-h2/traces: explicitly show the error/refused stream states
* MINOR: mux-h2/traces: also suggest invalid header upon parsing error
* MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT
* MINOR: debug: make ABORT_NOW() store the caller's line number when using abort
* MINOR: debug: make sure calls to ha_crash_now() are never merged
* MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding
* BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)
* BUG/MINOR: mux-h2: also count streams for refused ones
* BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control
* DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay
* MINOR: mux-h2: support limiting the total number of H2 streams per connection
* BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up
* BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
* BUG/MEDIUM: h3: fix incorrect snd_buf return value
* CLEANUP: quic: Remaining useless code into server part
* BUG/MINOR: h3: close connection on sending alloc errors
* BUG/MINOR: h3: properly handle alloc failure on finalize
* BUG/MINOR: h3: close connection on header list too big
* MINOR: h3: check connection error during sending
* BUG/MINOR: quic: Missing call to TLS message callbacks
* BUG/MINOR: quic: Wrong keylog callback setting.
* BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
* BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
* MINOR: stats: store the parent proxy in stats ctx (http)
* DOC: config: Update documentation about local haproxy response
* BUG/MINOR: resolvers: default resolvers fails when network not configured
* BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty
* BUG/MEDIUM: quic: QUIC CID removed from tree without locking
* BUG/MEDIUM: quic: Possible buffer overflow when building TLS records
* BUG/MINOR: mworker/cli: fix set severity-output support
* DOC: configuration: typo req.ssl_hello_type
* [RELEASE] Released version 2.8.5
* BUG/MEDIUM: proxy: always initialize the default settings after init
* BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certificate (LUA)
* BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certificate
* MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback
* BUG/MINOR: ssl: Double free of OCSP Certificate ID
* BUG/MINOR: quic: Packet number spaces too lately initialized
* BUG/MINOR: quic: Missing QUIC connection path member initialization
* BUG/MINOR: quic: Possible leak of TX packets under heavy load
* BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load
* BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed
* BUG/MEDIUM: peers: fix partial message decoding
* DOC: Clarify the differences between field() and word()
* BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
* REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
* DOC: config: fix monitor-fail typo
* DOC: config: add matrix entry for "max-session-srv-conns"
* DOC: config: specify supported sections for "max-session-srv-conns"
* BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
* BUG/MINOR: config: Stopped parsing upon unmatched environment variables
* BUG/MINOR: quic_tp: fix preferred_address decoding
* DOC: config: fix missing characters in set-spoe-group action
* BUG/MINOR: h3: always reject PUSH_PROMISE
* BUG/MINOR: h3: fix TRAILERS encoding
* BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1
* BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()
* BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding
* DOC: lua: fix Proxy.get_mode() output
* DOC: lua: add sticktable class reference from Proxy.stktable
* REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY
* DOC: config: fix timeout check inheritance restrictions
* DOC: 51d: updated 51Degrees repo URL for v3.2.10
* BUG/MINOR: server: do not leak default-server in defaults sections
* BUG/MINOR: quic: Possible RX packet memory leak under heavy load
* BUG/MEDIUM: quic: Possible crash for connections to be killed
* BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them
* BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly
* REGTESTS: http: add a test to validate chunked responses delivery
* BUG/MINOR: proxy/stktable: missing frees on proxy cleanup
* MINOR: stktable: add stktable_deinit function
* BUG/MINOR: stream/cli: report correct stream age in "show sess"
* BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()
* BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()
* BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()
* BUG/MAJOR: quic: complete thread migration before tcp-rules
* [RELEASE] Released version 2.8.4
* BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends
* BUG/MINOR: stconn/applet: Report send activity only if there was output data
* BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer
* BUG/MINOR: stconn: Fix streamer detection for HTX streams
* MINOR: channel: Add functions to get info on buffers and deal with HTX streams
* MINOR: htx: Use a macro for overhead induced by HTX
* BUG/MEDIUM: stconn: Update fsb date on partial sends
* BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented
* BUG/MEDIUM: mworker: set the master variable earlier
* BUG/MEDIUM: applet: Report a send activity every time data were sent
* BUG/MEDIUM: stconn: Report a send activity every time data were sent
* REGTESTS: http: Improve script testing abortonclose option
* BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only
* MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and subscribe for reads
* MINOR: connection: Add a CTL flag to notify mux it should wait for reads again
* BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up
* BUG/MEDIUM: connection: report connection errors even when no mux is installed
* DOC: quic: Wrong syntax for "quic-cc-algo" keyword.
* BUG/MINOR: sink: don't learn srv port from srv addr
* BUG/MEDIUM: applet: Remove appctx from buffer wait list on release
* DOC: config: use the word 'backend' instead of 'proxy' in 'track' description
* BUG/MINOR: quic: fix retry token check inconsistency
* DOC: management: -q is quiet all the time
* BUG/MEDIUM: stconn: Don't update stream expiration date if already expired
* BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures
* BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
* BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree
* BUG/MINOR: quic: idle timer task requeued in the past
* BUG/MEDIUM: pool: fix releasable pool calculation when overloaded
* BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period
* BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts
* BUG/MINOR: stick-table/cli: Check for invalid ipv4 key
* BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure
* BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure
* CLEANUP: htx: Properly indent htx_reserve_max_data() function
* BUG/MINOR: stconn: Sanitize report for read activity
* BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()
* BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot expire
* BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()
* BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure
* BUG/MINOR: stktable: missing free in parse_stick_table()
* BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure
* BUG/MEDIUM: ssl: segfault when cipher is NULL
* BUG/MINOR: mux-quic: fix early close if unset client timeout
* BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA
* MEDIUM: quic: count quic_conn for global sslconns
* MEDIUM: quic: count quic_conn instance for maxconn
* MINOR: frontend: implement a dedicated actconn increment function
* BUG/MINOR: ssl: use a thread-safe sslconns increment
* BUG/MINOR: quic: do not consider idle timeout on CLOSING state
* BUG/MEDIUM: server: "proto" not working for dynamic servers
* MINOR: connection: add conn_pr_mode_to_proto_mode() helper func
* DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder
* MINOR: lua: Add flags to configure logging behaviour
* BUG/MINOR: ssl: load correctly @system-ca when ca-base is defined
* DOC: internal: filters: fix reference to entities.pdf
* BUG/MINOR: mux-h2: update tracked counters with req cnt/req err
* BUG/MINOR: mux-h2: commit the current stream ID even on reject
* BUG/MEDIUM: peers: Fix synchro for huge number of tables
* BUG/MEDIUM: peers: Be sure to always refresh reconnect timer in sync task
* BUG/MINOR: trace: fix trace parser error reporting
* BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again
* BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending
* BUG/MINOR: mux-h2: make up other blocked streams upon removal from list
* BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request
* BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash
* BUG/MINOR: mux-quic: fix free on qcs-new fail alloc
* BUG/MINOR: h3: strengthen host/authority header parsing
* BUG/MINOR: mux-quic: support initial 0 max-stream-data
* BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream
* BUG/MINOR: quic: reject packet with no frame
* BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos
* BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
* BUG/MINOR: hq-interop: simplify parser requirement
* BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
* BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
* BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
* BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
* MINOR: hlua: Test the hlua struct first when the lua socket is connecting
* MINOR: hlua: Save the lua socket's server in its context
* MINOR: hlua: Save the lua socket's timeout in its context
* MINOR: hlua: Don't perform operations on a not connected socket
* MINOR: hlua: Set context's appctx when the lua socket is created
* BUG/MEDIUM: http-ana: Try to handle response before handling server abort
* BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed
* BUG/MEDIUM: actions: always apply a longest match on prefix lookup
* BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
* BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams
* MINOR: pattern: fix pat_{parse,match}_ip() function comments
* BUG/MINOR: server: add missing free for server->rdr_pfx
* BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
* BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API
* BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1
* BUG/MINOR: promex: fix backend_agg_check_status
* BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
* BUG/MINOR: hlua/init: coroutine may not resume itself
* BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()
* CI: musl: drop shopt in workflow invocation
* CI: musl: highlight section if there are coredumps
* Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
* BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
* MINOR: hlua: add hlua_stream_ctx_prepare helper function
* BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT
* BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
* BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
* BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help
* MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
* MINOR: quic+openssl_compat: Do not start without "limited-quic"
* MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
* BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
* DOC: quic: Add "limited-quic" new tuning setting
* MINOR: quic: Add "limited-quic" new tuning setting
* MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
* MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
* MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
* MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
* MINOR: quic: Export some KDF functions (QUIC-TLS)
* MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
* MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
* MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
* MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT
* MINOR: quic: Include QUIC openssl wrapper header from TLS stacks compatibility header
* MINOR: quic: QUIC openssl wrapper implementation
* BUG/MINOR: quic: Wrong cluster secret initialization
* BUG/MINOR: quic: Leak of frames to send.
* BUILD: bug: make BUG_ON() void to avoid a rare warning
Patchnames
SUSE-SLE-Micro-6.1-27
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for haproxy",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for haproxy fixes the following issues:\n\nUpdate to version 2.8.11+git0.01c1056a4:\n\n  * VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server (bsc#1233973)\n  * BUG/MINOR: cfgparse-listen: fix option httpslog override warning message\n  * BUG/MEDIUM: promex: Wait to have the request before sending the response\n  * BUG/MEDIUM: cache/stats: Wait to have the request before sending the response\n  * BUG/MEDIUM: queue: implement a flag to check for the dequeuing\n  * BUG/MINOR: clock: validate that now_offset still applies to the current date\n  * BUG/MINOR: clock: make time jump corrections a bit more accurate\n  * BUG/MINOR: polling: fix time reporting when using busy polling\n  * BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state\n  * BUG/MEDIUM: pattern: prevent UAF on reused pattern expr\n  * BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()\n  * BUG/MEDIUM: clock: detect and cover jumps during execution\n  * REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load\n  * DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line\n  * BUG/MINOR: pattern: do not leave a leading comma on \"set\" error messages\n  * BUG/MINOR: pattern: pat_ref_set: return 0 if err was found\n  * BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity\n  * BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full\n  * BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path\n  * BUG/MEDIUM: clock: also update the date offset on time jumps\n  * DOC: config: correct the table for option tcplog\n  * BUG/MINOR: h3: properly reject too long header responses\n  * BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails\n  * BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID\n  * REGTESTS: mcli: test the pipelined commands on master 
CLI\n  * BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI\n  * MINOR: channel: implement ci_insert() function\n  * BUG/MINOR: proto_tcp: keep error msg if listen() fails\n  * BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails\n  * BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE\n  * BUG/MINOR: trace/quic: make \"qconn\" selectable as a lockon criterion\n  * BUG/MINOR: trace: automatically start in waiting mode with \"start \u003cevt\u003e\"\n  * BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()\n  * BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc\n  * BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn\n  * BUG/MINOR: fcgi-app: handle a possible strdup() failure\n  * BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream\n  * BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams\n  * BUG/MEDIUM: http-ana: Report error on write error waiting for the response\n  * BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content\n  * BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set\n  * BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered\n  * BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli\n  * BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready\n  * BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn\n  * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)\n  * BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()\n  * MINOR: queue: add a function to check for TOCTOU after queueing\n  * BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature\n  * BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)\n  * BUG/MINOR: cli: Atomically inc the global request counter between CLI commands\n  * BUG/MINOR: server: Don\u0027t 
warn fallback IP is used during init-addr resolution\n  * BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter\n  * DOC: config: improve the http-keep-alive section\n  * DOC: configuration: issuers-chain-path not compatible with OCSP\n  * BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path\n  * BUG/MEDIUM: debug/cli: fix \"show threads\" crashing with low thread counts\n  * BUG/MINOR: session: Eval L4/L5 rules defined in the default section\n  * BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past\n  * BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread\n  * BUG/MEDIUM: h1: Reject empty Transfer-encoding header\n  * BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value\n  * BUG/MINOR: h1: Fail to parse empty transfer coding names\n  * BUG/MINOR: jwt: fix variable initialisation\n  * DOC: configuration: update maxconn description\n  * BUG/MINOR: jwt: don\u0027t try to load files with HMAC algorithm\n  * MEDIUM: ssl: initialize the SSL stack explicitely\n  * DOC: configuration: more details about the master-worker mode\n  * BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking\n  * BUG/MINOR: quic: fix race-condition on trace for CID retrieval\n  * BUG/MINOR: quic: fix race condition in qc_check_dcid()\n  * BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()\n  * BUG/MEDIUM: h3: ensure the \":scheme\" pseudo header is totally valid\n  * BUG/MEDIUM: h3: ensure the \":method\" pseudo header is totally valid\n  * MINOR: activity: make the memory profiling hash size configurable at build time\n  * BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()\n  * BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure\n  * BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure\n  * BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission\n  * DOC: api/event_hdl: small updates, fix an example and add some 
precisions\n  * SCRIPTS: git-show-backports: do not truncate git-show output\n  * DOC: configuration: fix alphabetical order of bind options\n  * DOC: management: rename show stats domain cli \"dns\" to \"resolvers\"\n  * DOC/MINOR: management: add missed -dR and -dv options\n  * BUG/MINOR: proxy: fix header_unique_id leak on deinit()\n  * BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()\n  * BUG/MINOR: proxy: fix dyncookie_key leak on deinit()\n  * BUG/MINOR: proxy: fix check_{command,path} leak on deinit()\n  * BUG/MINOR: proxy: fix log_tag leak on deinit()\n  * BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()\n  * BUG/MINOR: quic: fix computed length of emitted STREAM frames\n  * [RELEASE] Released version 2.8.10\n  * BUG/MEDIUM: quic: don\u0027t blindly rely on unaligned accesses\n  * BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe\n  * BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1\n  * BUG/MAJOR: server: do not delete srv referenced by session\n  * MINOR: session: rename private conns elements\n  * BUG/MEDIUM: quic: fix connection freeze on post handshake\n  * BUG/MEDIUM: server: fix dynamic servers initial settings\n  * BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration\n  * CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()\n  * BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path\n  * BUG/MINOR: hlua: prevent LJMP in hlua_traceback()\n  * BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage\n  * BUG/MINOR: hlua: don\u0027t use lua_pushfstring() when we don\u0027t expect LJMP\n  * CLEANUP: hlua: use hlua_pusherror() where relevant\n  * BUG/MINOR: quic: prevent crash on qc_kill_conn()\n  * BUG/MINOR: hlua: use CertCache.set() from various hlua contexts\n  * BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory\n  * BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser\n  * BUG/MINOR: cfgparse: 
remove the correct option on httpcheck send-state warning\n  * BUG/MINOR: activity: fix Delta_calls and Delta_bytes count\n  * BUG/MINOR: ssl/ocsp: init callback func ptr as NULL\n  * CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp\n  * BUILD: fd: errno is also needed without poll()\n  * CI: scripts: fix build of vtest regarding option -C\n  * REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs\n  * DOC: config: fix incorrect section reference about custom log format\n  * DOC: quic: specify that connection migration is not supported\n  * BUG/MINOR: server: Don\u0027t reset resolver options on a new default-server line\n  * BUG/MINOR: http-htx: Support default path during scheme based normalization\n  * BUG/MINOR: quic: adjust restriction for stateless reset emission\n  * MEDIUM: config: prevent communication with privileged ports\n  * BUILD: quic: fix unused variable warning when threads are disabled\n  * BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream\n  * BUG/MEDIUM: quic_tls: prevent LibreSSL \u003c 4.0 from negotiating CHACHA20_POLY1305\n  * BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)\n  * BUG/MINOR: connection: parse PROXY TLV for LOCAL mode\n  * DOC: configuration: update the crt-list documentation\n  * CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf\n  * BUG/MINOR: stats: Don\u0027t state the 303 redirect response is chunked\n  * BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header\n  * BUG/MEDIUM: fd: prevent memory waste in fdtab array\n  * BUILD: stick-tables: better mark the stktable_data as 32-bit aligned\n  * BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme\n  * BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found\n  * BUG/MEDIUM: stick-tables: properly mark stktable_data as packed\n  * BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned\n  * BUG/MINOR: qpack: fix error code reported on QPACK 
decoding failure\n  * BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3\n  * BUG/MINOR: log: smp_rgs array issues with inherited global log directives\n  * BUG/MINOR: log: keep the ref in dup_logger()\n  * MINOR: log: add dup_logsrv() helper function\n  * DOC: lua: fix filters.txt file location\n  * BUG/MINOR: haproxy: only tid 0 must not sleep if got signal\n  * BUILD: clock: improve check for pthread_getcpuclockid()\n  * BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null\n  * BUG/MINOR: h1: fix detection of upper bytes in the URI\n  * BUG/MINOR: backend: use cum_sess counters instead of cum_conn\n  * BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets\n  * BUG/MINOR: sock: handle a weird condition with connect()\n  * BUG/MINOR: stconn: Fix sc_mux_strm() return value\n  * BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding\n  * BUG/MINOR: server: fix slowstart behavior\n  * BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached\n  * BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame\n  * BUG/MEDIUM: applet: Fix applet API to put input data in a buffer\n  * BUG/MEDIUM: evports: do not clear returned events list on signal\n  * BUG/MEDIUM: stconn: Don\u0027t forward channel data if input data must be filtered\n  * BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses\n  * MINOR: net_helper: Add support for floats/doubles.\n  * CI: revert kernel addr randomization introduced in 3a0fc864\n  * BUG/MEDIUM: peers/trace: fix crash when listing event types\n  * BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented\n  * BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values\n  * BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection\n  * CLEANUP: log: lf_text_len() returns a pointer not an integer\n  * BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()\n  * BUG/MINOR: tools/log: 
invalid encode_{chunk,string} usage\n  * BUG/MINOR: log: fix lf_text_len() truncate inconsistency\n  * BUG/MINOR: listener: always assign distinct IDs to shards\n  * BUG/MINOR: cli: Report an error to user if command or payload is too big\n  * [RELEASE] Released version 2.8.9\n  * BUILD: proxy: Replace free_logformat_list() to manually release log-format\n  * [RELEASE] Released version 2.8.8\n  * BUG/MINOR: proxy: fix logformat expression leak in use_backend rules\n  * BUG/MINOR: backend: properly handle redispatch 0\n  * BUG/MINOR: server: ignore \u0027enabled\u0027 for dynamic servers\n  * BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \\n\n  * MINOR: cli: Remove useless loop on commands to find unescaped semi-colon\n  * MINOR: server: allow cookie for dynamic servers\n  * BUG/MINOR: server: fix persistence cookie for dynamic servers\n  * BUG/MINOR: ssl: Detect more \u0027ocsp-update\u0027 incompatibilities\n  * BUG/MINOR: ssl: Wrong ocsp-update \"incompatibility\" error message\n  * BUG/MINOR: server: \u0027source\u0027 interface ignored from \u0027default-server\u0027 directive\n  * OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}\n  * BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block\n  * BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet\n  * BUG/MEDIUM: ssl: Fix crash in ocsp-update log function\n  * BUG/MINOR: session: ensure conn owner is set after insert into session\n  * BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small\n  * CI: temporarily adjust kernel entropy to work with ASAN/clang\n  * BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop\n  * BUG/MEDIUM: spoe: Don\u0027t rely on stream\u0027s expiration to detect processing timeout\n  * BUG/MINOR: listener: Don\u0027t schedule frontend without task in listener_release()\n  * BUG/MINOR: listener: Wake proxy\u0027s mngmt task up if necessary on session release\n  * BUG/MEDIUM: hlua: 
streams don\u0027t support mixing lua-load with lua-load-per-thread (2nd try)\n  * MINOR: hlua: use accessors for stream hlua ctx\n  * DEBUG: lua: precisely identify if stream is stuck inside lua or not\n  * BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()\n  * BUG/MINOR: hlua: missing lock in hlua_filter_new()\n  * BUG/MINOR: hlua: segfault when loading the same filter from different contexts\n  * BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()\n  * DOC: configuration: clarify ciphersuites usage (V2)\n  * BUILD: solaris: fix compilation errors\n  * BUG/MINOR: cfgparse: report proper location for log-format-sd errors\n  * BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description\n  * CI: skip scheduled builds on forks\n  * BUG/MINOR: sink: fix a race condition in the TCP log forwarding code\n  * BUG/MINOR: hlua: don\u0027t call ha_alert() in hlua_event_subscribe()\n  * BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()\n  * BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()\n  * BUG/MINOR: hlua: improper lock usage in hlua_filter_new()\n  * BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()\n  * BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load\n  * BUG/MINOR: hlua: don\u0027t use lua_tostring() from unprotected contexts\n  * BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack\n  * BUG/MINOR: tools: seed the statistical PRNG slightly better\n  * MINOR: hlua: Be able to disable logging from lua\n  * BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel\n  * BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener\n  * DOC: configuration: clarify ciphersuites usage\n  * LICENSE: http_ext: fix GPL license version\n  * LICENSE: event_hdl: fix GPL license version\n  * BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist\n  * BUG/MINOR: ist: only store NUL byte on succeeded alloc\n  * BUG/MINOR: quic: fix output of show 
quic\n  * BUG/MAJOR: server: fix stream crash due to deleted server\n  * BUG/MINOR: stats: drop srv refcount on early release\n  * BUG/MINOR: ist: allocate nul byte on istdup\n  * MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support\n  * DOC: quic: fix recommandation for bind on multiple address\n  * BUG/MEDIUM: quic: fix transient send error with listener socket\n  * BUG/MEDIUM: hlua: Don\u0027t loop if a lua socket does not consume received data\n  * BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets\n  * BUG/MEDIUM: applet: Immediately free appctx on early error\n  * DOC: quic: Missing tuning setting in \"Global parameters\"\n  * BUG/MINOR: qpack: reject invalid dynamic table capacity\n  * BUG/MINOR: qpack: reject invalid increment count decoding\n  * BUG/MINOR: quic: reject HANDSHAKE_DONE as server\n  * BUG/MINOR: quic: reject unknown frame type\n  * BUG/MAJOR: promex: fix crash on deleted server\n  * MINOR: connection: add sample fetches to report per-connection glitches\n  * MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES\n  * MINOR: connection: add a new mux_ctl to report number of connection glitches\n  * MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection\n  * MINOR: mux-h2: always use h2c_report_glitch()\n  * MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch\n  * MINOR: mux-h2: count excess of CONTINUATION frames as a glitch\n  * BUG/MINOR: mux-h2: count rejected DATA frames against the connection\u0027s flow control\n  * MINOR: mux-h2: add a counter of \"glitches\" on a connection\n  * [RELEASE] Released version 2.8.7\n  * BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI\n  * [RELEASE] Released version 2.8.6\n  * DEV: makefile: fix POSIX compatibility for \"range\" target\n  * DEV: makefile: add a new \"range\" target to iteratively build all commits\n  * CI: Update to actions/cache@v4\n  * DOC: internal: update missing data types in 
peers-v2.0.txt\n  * DOC: install: recommend pcre2\n  * DOC: httpclient: add dedicated httpclient section\n  * DOC: configuration: clarify http-request wait-for-body\n  * BUILD: address a few remaining calloc(size, n) cases\n  * BUG/MINOR: ext-check: cannot use without preserve-env\n  * MINOR: ext-check: add an option to preserve environment variables\n  * BUG/MINOR: diag: run the final diags before quitting when using -c\n  * BUG/MINOR: diag: always show the version before dumping a diag warning\n  * MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()\n  * MINOR: quic: Add a counter for reordered packets\n  * MINOR: quic: Dynamic packet reordering threshold\n  * MINOR: quic: Update K CUBIC calculation (RFC 9438)\n  * BUG/MEDIUM: quic: Wrong K CUBIC calculation.\n  * MINOR: quic: Stop using 1024th of a second.\n  * BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation\n  * CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)\n  * BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.\n  * BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON\n  * BUG/MEDIUM: qpack: allow 6xx..9xx status codes\n  * BUG/MEDIUM: h3: do not crash on invalid response status code\n  * MINOR: h3: add traces for stream sending function\n  * BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf\n  * MINOR: quic: extract qc_stream_buf free in a dedicated function\n  * MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)\n  * CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.\n  * BUG/MEDIUM: mux-quic: report early error on stream\n  * BUG/MINOR: h3: fix checking on NULL Tx buffer\n  * BUG/MEDIUM: ssl: Fix crash when calling \"update ssl ocsp-response\" when an update is ongoing\n  * REGTESTS: ssl: Add OCSP related tests\n  * REGTESTS: ssl: Fix empty line in cli command input\n  * BUG/MINOR: ssl: Reenable ocsp auto-update after an \"add ssl crt-list\"\n  * BUG/MINOR: ssl: 
Destroy ckch instances before the store during deinit\n  * BUG/MEDIUM: ocsp: Separate refcount per instance and per store\n  * MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid\n  * BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line\n  * BUG/MINOR: ssl: Duplicate ocsp update mode when dup\u0027ing ckch\n  * BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call\n  * BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions\n  * BUG/MEDIUM: h1: always reject the NUL character in header values\n  * BUG/MINOR: h1-htx: properly initialize the err_pos field\n  * BUG/MEDIUM: h1: Don\u0027t support LF only to mark the end of a chunk size\n  * BUG/MINOR: h1: Don\u0027t support LF only at the end of chunks\n  * BUG/MEDIUM: stconn: Don\u0027t check pending shutdown to wake an applet up\n  * BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending\n  * BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()\n  * BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs\n  * BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs\n  * BUG/MINOR: vars/cli: fix missing LF after \"get var\" output\n  * BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat\u0027s CLI\n  * REGTESTS: add a test to ensure map-ordering is preserved\n  * MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc\n  * BUG/MEDIUM: mux-h2: refine connection vs stream error on headers\n  * MINOR: mux-h2/traces: clarify the \"rejected H2 request\" event\n  * MINOR: mux-h2/traces: explicitly show the error/refused stream states\n  * MINOR: mux-h2/traces: also suggest invalid header upon parsing error\n  * MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT\n  * MINOR: debug: make ABORT_NOW() store the caller\u0027s line number when using abort\n  * MINOR: debug: make sure calls to ha_crash_now() are never merged\n  * MINOR: compiler: add a new 
DO_NOT_FOLD() macro to prevent code folding\n  * BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)\n  * BUG/MINOR: mux-h2: also count streams for refused ones\n  * BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control\n  * DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay\n  * MINOR: mux-h2: support limiting the total number of H2 streams per connection\n  * BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up\n  * BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable\n  * BUG/MEDIUM: h3: fix incorrect snd_buf return value\n  * CLEANUP: quic: Remaining useless code into server part\n  * BUG/MINOR: h3: close connection on sending alloc errors\n  * BUG/MINOR: h3: properly handle alloc failure on finalize\n  * BUG/MINOR: h3: close connection on header list too big\n  * MINOR: h3: check connection error during sending\n  * BUG/MINOR: quic: Missing call to TLS message callbacks\n  * BUG/MINOR: quic: Wrong keylog callback setting.\n  * BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission\n  * BUG/MEDIUM: stats: unhandled switching rules with TCP frontend\n  * MINOR: stats: store the parent proxy in stats ctx (http)\n  * DOC: config: Update documentation about local haproxy response\n  * BUG/MINOR: resolvers: default resolvers fails when network not configured\n  * BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty\n  * BUG/MEDIUM: quic: QUIC CID removed from tree without locking\n  * BUG/MEDIUM: quic: Possible buffer overflow when building TLS records\n  * BUG/MINOR: mworker/cli: fix set severity-output support\n  * DOC: configuration: typo req.ssl_hello_type\n  * [RELEASE] Released version 2.8.5\n  * BUG/MEDIUM: proxy: always initialize the default settings after init\n  * BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)\n  * BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate\n  * 
MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback\n  * BUG/MINOR: ssl: Double free of OCSP Certificate ID\n  * BUG/MINOR: quic: Packet number spaces too lately initialized\n  * BUG/MINOR: quic: Missing QUIC connection path member initialization\n  * BUG/MINOR: quic: Possible leak of TX packets under heavy load\n  * BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load\n  * BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed\n  * BUG/MEDIUM: peers: fix partial message decoding\n  * DOC: Clarify the differences between field() and word()\n  * BUG/MINOR: sample: Make the `word` converter compatible with `-m found`\n  * REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter\n  * DOC: config: fix monitor-fail typo\n  * DOC: config: add matrix entry for \"max-session-srv-conns\"\n  * DOC: config: specify supported sections for \"max-session-srv-conns\"\n  * BUG/MINOR: cfgparse-listen: fix warning being reported as an alert\n  * BUG/MINOR: config: Stopped parsing upon unmatched environment variables\n  * BUG/MINOR: quic_tp: fix preferred_address decoding\n  * DOC: config: fix missing characters in set-spoe-group action\n  * BUG/MINOR: h3: always reject PUSH_PROMISE\n  * BUG/MINOR: h3: fix TRAILERS encoding\n  * BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1\n  * BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()\n  * BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding\n  * DOC: lua: fix Proxy.get_mode() output\n  * DOC: lua: add sticktable class reference from Proxy.stktable\n  * REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY\n  * DOC: config: fix timeout check inheritance restrictions\n  * DOC: 51d: updated 51Degrees repo URL for v3.2.10\n  * BUG/MINOR: server: do not leak default-server in defaults sections\n  * BUG/MINOR: quic: Possible RX packet memory leak under heavy load\n  * BUG/MEDIUM: 
quic: Possible crash for connections to be killed\n  * BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them\n  * BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly\n  * REGTESTS: http: add a test to validate chunked responses delivery\n  * BUG/MINOR: proxy/stktable: missing frees on proxy cleanup\n  * MINOR: stktable: add stktable_deinit function\n  * BUG/MINOR: stream/cli: report correct stream age in \"show sess\"\n  * BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()\n  * BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()\n  * BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()\n  * BUG/MAJOR: quic: complete thread migration before tcp-rules\n  * [RELEASE] Released version 2.8.4\n  * BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends\n  * BUG/MINOR: stconn/applet: Report send activity only if there was output data\n  * BUG/MINOR: stconn: Use HTX-aware channel\u0027s functions to get info on buffer\n  * BUG/MINOR: stconn: Fix streamer detection for HTX streams\n  * MINOR: channel: Add functions to get info on buffers and deal with HTX streams\n  * MINOR: htx: Use a macro for overhead induced by HTX\n  * BUG/MEDIUM: stconn: Update fsb date on partial sends\n  * BUG/MEDIUM: stream: Don\u0027t call mux .ctl() callback if not implemented\n  * BUG/MEDIUM: mworker: set the master variable earlier\n  * BUG/MEDIUM: applet: Report a send activity everytime data were sent\n  * BUG/MEDIUM: stconn: Report a send activity everytime data were sent\n  * REGTESTS: http: Improve script testing abortonclose option\n  * BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only\n  * MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads\n  * MINOR: connection: Add a CTL flag to notify mux it should wait for reads again\n  * BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up\n  * BUG/MEDIUM: connection: report connection errors even when no 
mux is installed\n  * DOC: quic: Wrong syntax for \"quic-cc-algo\" keyword.\n  * BUG/MINOR: sink: don\u0027t learn srv port from srv addr\n  * BUG/MEDIUM: applet: Remove appctx from buffer wait list on release\n  * DOC: config: use the word \u0027backend\u0027 instead of \u0027proxy\u0027 in \u0027track\u0027 description\n  * BUG/MINOR: quic: fix retry token check inconsistency\n  * DOC: management: -q is quiet all the time\n  * BUG/MEDIUM: stconn: Don\u0027t update stream expiration date if already expired\n  * BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures\n  * BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets\n  * BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree\n  * BUG/MINOR: quic: idle timer task requeued in the past\n  * BUG/MEDIUM: pool: fix releasable pool calculation when overloaded\n  * BUG/MEDIUM: freq-ctr: Don\u0027t report overshoot for long inactivity period\n  * BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts\n  * BUG/MINOR: stick-table/cli: Check for invalid ipv4 key\n  * BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure\n  * BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure\n  * CLEANUP: htx: Properly indent htx_reserve_max_data() function\n  * BUG/MINOR: stconn: Sanitize report for read activity\n  * BUG/MEDIUM: Don\u0027t apply a max value on room_needed in sc_need_room()\n  * BUG/MEDIUM: stconn: Don\u0027t report rcv/snd expiration date if SC cannot epxire\n  * BUG/MEDIUM: pattern: don\u0027t trim pools under lock in pat_ref_purge_range()\n  * BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure\n  * BUG/MINOR: stktable: missing free in parse_stick_table()\n  * BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure\n  * BUG/MEDIUM: ssl: segfault when cipher is NULL\n  * BUG/MINOR: mux-quic: fix early close if unset client timeout\n  * BUG/MINOR: ssl: suboptimal certificate 
selection with TLSv1.3 and dual ECDSA/RSA\n  * MEDIUM: quic: count quic_conn for global sslconns\n  * MEDIUM: quic: count quic_conn instance for maxconn\n  * MINOR: frontend: implement a dedicated actconn increment function\n  * BUG/MINOR: ssl: use a thread-safe sslconns increment\n  * BUG/MINOR: quic: do not consider idle timeout on CLOSING state\n  * BUG/MEDIUM: server: \"proto\" not working for dynamic servers\n  * MINOR: connection: add conn_pr_mode_to_proto_mode() helper func\n  * DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder\n  * MINOR: lua: Add flags to configure logging behaviour\n  * BUG/MINOR: ssl: load correctly @system-ca when ca-base is define\n  * DOC: internal: filters: fix reference to entities.pdf\n  * BUG/MINOR: mux-h2: update tracked counters with req cnt/req err\n  * BUG/MINOR: mux-h2: commit the current stream ID even on reject\n  * BUG/MEDIUM: peers: Fix synchro for huge number of tables\n  * BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task\n  * BUG/MINOR: trace: fix trace parser error reporting\n  * BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again\n  * BUG/MEDIUM: mux-h2: Don\u0027t report an error on shutr if a shutw is pending\n  * BUG/MINOR: mux-h2: make up other blocked streams upon removal from list\n  * BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request\n  * BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash\n  * BUG/MINOR: mux-quic: fix free on qcs-new fail alloc\n  * BUG/MINOR: h3: strengthen host/authority header parsing\n  * BUG/MINOR: mux-quic: support initial 0 max-stream-data\n  * BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream\n  * BUG/MINOR: quic: reject packet with no frame\n  * BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos\n  * BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()\n  * BUG/MINOR: hq-interop: simplify parser requirement\n  * BUG/MEDIUM: h1: Ignore C-L 
value in the H1 parser if T-E is also set\n  * BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set\n  * BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried\n  * BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only\n  * MINOR: hlua: Test the hlua struct first when the lua socket is connecting\n  * MINOR: hlua: Save the lua socket\u0027s server in its context\n  * MINOR: hlua: Save the lua socket\u0027s timeout in its context\n  * MINOR: hlua: Don\u0027t preform operations on a not connected socket\n  * MINOR: hlua: Set context\u0027s appctx when the lua socket is created\n  * BUG/MEDIUM: http-ana: Try to handle response before handling server abort\n  * BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed\n  * BUG/MEDIUM: actions: always apply a longest match on prefix lookup\n  * BUG/MINOR: mux-quic: remove full demux flag on ncbuf release\n  * BUG/MEDIUM: server/cli: don\u0027t delete a dynamic server that has streams\n  * MINOR: pattern: fix pat_{parse,match}_ip() function comments\n  * BUG/MINOR: server: add missing free for server-\u003erdr_pfx\n  * BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers\n  * BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API\n  * BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1\n  * BUG/MINOR: promex: fix backend_agg_check_status\n  * BUG/MEDIUM: mux-fcgi: Don\u0027t swap trash and dbuf when handling STDERR records\n  * BUG/MINOR: hlua/init: coroutine may not resume itself\n  * BUG/MEDIUM: hlua: don\u0027t pass stale nargs argument to lua_resume()\n  * CI: musl: drop shopt in workflow invocation\n  * CI: musl: highlight section if there are coredumps\n  * Revert \"BUG/MEDIUM: quic: missing check of dcid for init pkt including a token\"\n  * BUG/MEDIUM: hlua: streams don\u0027t support mixing lua-load with lua-load-per-thread\n  * MINOR: hlua: add hlua_stream_ctx_prepare helper 
function\n  * BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT\n  * BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code\n  * BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind\n  * BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help\n  * MINOR: quic+openssl_compat: Emit an alert for \"allow-0rtt\" option\n  * MINOR: quic+openssl_compat: Do not start without \"limited-quic\"\n  * MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without \"limited-quic\"\n  * BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels\n  * DOC: quic: Add \"limited-quic\" new tuning setting\n  * MINOR: quic: Add \"limited-quic\" new tuning setting\n  * MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.\n  * MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct\n  * MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()\n  * MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper\n  * MINOR: quic: Export some KDF functions (QUIC-TLS)\n  * MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper\n  * MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()\n  * MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()\n  * MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT\n  * MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header\n  * MINOR: quic: QUIC openssl wrapper implementation\n  * BUG/MINOR: quic: Wrong cluster secret initialization\n  * BUG/MINOR: quic: Leak of frames to send.\n  * BUILD: bug: make BUG_ON() void to avoid a rare warning\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.1-27",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20230-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20230-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520230-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20230-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021093.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1233973",
        "url": "https://bugzilla.suse.com/1233973"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-53008 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-53008/"
      }
    ],
    "title": "Security update for haproxy",
    "tracking": {
      "current_release_date": "2025-03-05T14:55:47Z",
      "generator": {
        "date": "2025-03-05T14:55:47Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20230-1",
      "initial_release_date": "2025-03-05T14:55:47Z",
      "revision_history": [
        {
          "date": "2025-03-05T14:55:47Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64",
                "product": {
                  "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64",
                  "product_id": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x",
                "product": {
                  "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x",
                  "product_id": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64",
                "product": {
                  "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64",
                  "product_id": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.1",
                "product": {
                  "name": "SUSE Linux Micro 6.1",
                  "product_id": "SUSE Linux Micro 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64"
        },
        "product_reference": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x"
        },
        "product_reference": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64"
        },
        "product_reference": "haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-53008",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-53008"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response Smuggling\u0027) issue exists in HAProxy. If this vulnerability is exploited,  a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64",
          "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x",
          "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-53008",
          "url": "https://www.suse.com/security/cve/CVE-2024-53008"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1233973 for CVE-2024-53008",
          "url": "https://bugzilla.suse.com/1233973"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.aarch64",
            "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.s390x",
            "SUSE Linux Micro 6.1:haproxy-2.8.11+git0.01c1056a4-slfo.1.1_1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-03-05T14:55:47Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-53008"
    }
  ]
}