haproxy-1.7.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10114 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z haproxy-1.7.0-1.1 on GA media These are all security issues fixed in the haproxy-1.7.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10114 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10114 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2012-2391/ SUSE CVE CVE-2012-2391 page https://www.suse.com/security/cve/CVE-2013-1912/ SUSE CVE CVE-2013-1912 page https://www.suse.com/security/cve/CVE-2013-2175/ SUSE CVE CVE-2013-2175 page https://www.suse.com/security/cve/CVE-2014-6269/ SUSE CVE CVE-2014-6269 page https://www.suse.com/security/cve/CVE-2015-3281/ SUSE CVE CVE-2015-3281 page openSUSE Tumbleweed haproxy-1.7.0-1.1 haproxy-1.7.0-1.1 as a component of openSUSE Tumbleweed ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-2942. Reason: This candidate is a duplicate of CVE-2012-2942. Notes: All CVE users should reference CVE-2012-2942 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2012-2391 openSUSE Tumbleweed:haproxy-1.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-2391.html CVE-2012-2391 https://bugzilla.suse.com/763833 SUSE Bug 763833 Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that appends to requests, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests that prevent request realignment from occurring. CVE-2013-1912 openSUSE Tumbleweed:haproxy-1.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1912.html CVE-2013-1912 https://bugzilla.suse.com/830612 SUSE Bug 830612 HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable. CVE-2013-2175 openSUSE Tumbleweed:haproxy-1.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2175.html CVE-2013-2175 https://bugzilla.suse.com/825412 SUSE Bug 825412 Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remote attackers to cause a denial of service (crash) via a large stream of data, which triggers a buffer overflow and an out-of-bounds read. CVE-2014-6269 openSUSE Tumbleweed:haproxy-1.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-6269.html CVE-2014-6269 https://bugzilla.suse.com/895849 SUSE Bug 895849 The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pending outgoing data, which allows remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted request. CVE-2015-3281 openSUSE Tumbleweed:haproxy-1.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3281.html CVE-2015-3281 https://bugzilla.suse.com/937042 SUSE Bug 937042 https://bugzilla.suse.com/937202 SUSE Bug 937202