
openSUSE 13.2: openSUSE-SU-2015:1831-1 Important HAProxy Buffer Overflow

opensuse
October 27, 2015
This haproxy update for openSUSE 13.2 fixes a buffer realignment flaw (CVE-2015-3281) that could disclose uninitialized memory left over from previous requests to a remote client, and replaces the default DH parameters to mitigate the Logjam attack.
An update that solves one vulnerability and has one errata is now available.

Description

haproxy was updated to fix two security issues.

These security issues were fixed:

- CVE-2015-3281: The buffer_slow_realign function in HAProxy did not properly realign a buffer that is used for pending outgoing data, which allowed remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted request (bsc#937042).
- Changed DH parameters to prevent Logjam attack.
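The realignment flaw in CVE-2015-3281, illustrated with an added, simplified ring-buffer model written for this page. This is not HAProxy's buffer code: the struct, the field names p/i/o, the helper functions and the constructed 32-byte scenario are assumptions that mirror only the layout the advisory describes (pending output sits immediately before the input pointer, both regions may wrap at the end of the buffer). It shows why realigning only the input data leaves the output pointer aimed at whatever bytes an earlier request left at the tail of the buffer:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 32

/* Simplified model of a ring buffer: 'o' bytes of pending output sit
 * immediately before 'p', and 'i' bytes of input start at 'p'; either
 * region may wrap around the end of 'data'. Illustration only, not
 * HAProxy's struct buffer. */
struct rbuf {
    char data[BUF_SIZE];
    char *p;   /* start of input data */
    size_t i;  /* input bytes from p onward */
    size_t o;  /* output bytes before p, still to be sent */
};

/* First byte of pending output: walk back 'o' bytes from p, with wrap. */
static char *bo_ptr(struct rbuf *b)
{
    size_t off = (size_t)(b->p - b->data);
    if (off >= b->o)
        return b->p - b->o;
    return b->data + BUF_SIZE - (b->o - off);
}

/* Copy n bytes out of the ring starting at 'from', handling wrap. */
static void ring_read(const struct rbuf *b, const char *from, size_t n, char *out)
{
    size_t off = (size_t)(from - b->data);
    for (size_t k = 0; k < n; k++)
        out[k] = b->data[(off + k) % BUF_SIZE];
    out[n] = '\0';
}

/* Flawed realign: moves only the input to the front and resets p, leaving
 * 'o' unchanged. bo_ptr() now resolves to the tail of the buffer, where
 * nothing was copied, so stale bytes there are treated as pending output. */
static void realign_input_only(struct rbuf *b)
{
    char in[BUF_SIZE + 1];
    ring_read(b, b->p, b->i, in);
    memcpy(b->data, in, b->i);
    b->p = b->data;
}

/* Correct realign: output is placed at the tail so that p - o (with wrap)
 * still reaches it, and input is placed at the head. */
static void realign_all(struct rbuf *b)
{
    char out[BUF_SIZE + 1], in[BUF_SIZE + 1];
    ring_read(b, bo_ptr(b), b->o, out);
    ring_read(b, b->p, b->i, in);
    memcpy(b->data + BUF_SIZE - b->o, out, b->o);
    memcpy(b->data, in, b->i);
    b->p = b->data;
}

/* Constructed scenario (assumption): bytes 22..31 still hold "OLD-SECRET"
 * from an earlier request that was already processed; the current request
 * has 8 bytes of output pending at offset 4 and 10 bytes of input at 12. */
static void setup(struct rbuf *b)
{
    memcpy(b->data, "----HTTP-OUTGET /x HTTOLD-SECRET", BUF_SIZE);
    b->p = b->data + 12;
    b->o = 8;
    b->i = 10;
}

/* Realign with one strategy and return the bytes that would then be
 * transmitted as pending output. */
const char *output_after_realign(int use_fixed)
{
    static char out[BUF_SIZE + 1];
    struct rbuf b;
    setup(&b);
    if (use_fixed)
        realign_all(&b);
    else
        realign_input_only(&b);
    ring_read(&b, bo_ptr(&b), b.o, out);
    return out;
}

int main(void)
{
    printf("input-only realign sends: \"%s\"\n", output_after_realign(0));
    printf("full realign sends:       \"%s\"\n", output_after_realign(1));
    return 0;
}
```

With the input-only strategy the model transmits "D-SECRET", eight bytes of the previous request's data, instead of the real pending output "HTTP-OUT"; the full realign moves the output to the tail before resetting p, so the same lookup returns the correct bytes. In a real server the leaked tail would be whatever the previous request left there, which is the disclosure the advisory describes.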

These non-security issues were fixed:

- BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
- BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
- MEDIUM: ssl: replace standard DH groups with custom ones
- BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
- MINOR: ssl: add a destructor to free allocated SSL resources
- BUG/MINOR: ssl: Display correct filename in error message
- MINOR: ssl: load certificates in alphabetical order
- BUG/MEDIUM: checks: fix conflicts...

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2015-682=1

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 13.2 (i586 x86_64):

haproxy-1.5.5-3.1

haproxy-debuginfo-1.5.5-3.1

haproxy-debugsource-1.5.5-3.1

References

https://www.suse.com/security/cve/CVE-2015-3281.html

https://bugzilla.suse.com/937042

https://bugzilla.suse.com/937202

--

Announcement ID: openSUSE-SU-2015:1831-1
Rating: important
Affected Products: openSUSE 13.2
