RedHat: RHSA-2019-1436:01 Moderate: rh-haproxy18-haproxy security, bug fix,

    Date: 11 Jun 2019
    Category: Red Hat
    Posted By: LinuxSecurity Advisories
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: rh-haproxy18-haproxy security, bug fix, and enhancement update
    Advisory ID:       RHSA-2019:1436-01
    Product:           Red Hat Software Collections
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1436
    Issue date:        2019-06-11
    CVE Names:         CVE-2018-11469 CVE-2018-20102 CVE-2018-20103 
    =====================================================================
    
    1. Summary:
    
    An update for rh-haproxy18-haproxy is now available for Red Hat Software
    Collections.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
    Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - x86_64
    Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - x86_64
    Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - x86_64
    Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
    
    3. Description:
    
    HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
    availability environments.
    
    The following packages have been upgraded to a later upstream version:
    rh-haproxy18-haproxy (1.8.17). (BZ#1660514)
    
    Security Fix(es):
    
    * haproxy: Infinite recursion via crafted packet allows stack exhaustion
    and denial of service (CVE-2018-20103)
    
    * haproxy: Information disclosure in check_request_for_cacheability
    function in proto_http.c (CVE-2018-11469)
    
    * haproxy: Out-of-bounds read in dns.c:dns_validate_dns_response() allows
    for memory disclosure (CVE-2018-20102)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es):
    
    * ALPN is not enabled due to old OpenSSL dependency (BZ#1595865)
    
    * HAProxy 1.8: Seamless reload does not work with send-/accept-proxy
    (BZ#1649041)
    
    Enhancement(s):
    
    * RFE : Haproxy does not resolve ipv6 resolvable hostnames in the backend
    section. (BZ#1575585)
    
    Additional Changes:
    
    For detailed information on changes in this release, see the Red Hat
    Software Collections 3.3 Release Notes linked from the References section.
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1575585 - RFE : Haproxy does not resolve ipv6 resolvable hostnames in the backend section.
    1582635 - CVE-2018-11469 haproxy: Information disclosure in check_request_for_cacheability function in proto_http.c
    1595865 - ALPN is not enabled due to old OpenSSL dependency
    1649041 - HAProxy 1.8: Seamless reload does not work with send-/accept-proxy
    1658874 - CVE-2018-20102 haproxy: Out-of-bounds read in dns.c:dns_validate_dns_response() allows for memory disclosure
    1658876 - CVE-2018-20103 haproxy: Infinite recursion via crafted packet allows stack exhaustion and denial of service
    
    6. Package List:
    
    Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
    
    Source:
    rh-haproxy18-haproxy-1.8.17-1.el7.src.rpm
    
    x86_64:
    rh-haproxy18-haproxy-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-debuginfo-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-syspaths-1.8.17-1.el7.x86_64.rpm
    
    Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):
    
    Source:
    rh-haproxy18-haproxy-1.8.17-1.el7.src.rpm
    
    x86_64:
    rh-haproxy18-haproxy-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-debuginfo-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-syspaths-1.8.17-1.el7.x86_64.rpm
    
    Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
    
    Source:
    rh-haproxy18-haproxy-1.8.17-1.el7.src.rpm
    
    x86_64:
    rh-haproxy18-haproxy-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-debuginfo-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-syspaths-1.8.17-1.el7.x86_64.rpm
    
    Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
    
    Source:
    rh-haproxy18-haproxy-1.8.17-1.el7.src.rpm
    
    x86_64:
    rh-haproxy18-haproxy-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-debuginfo-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-syspaths-1.8.17-1.el7.x86_64.rpm
    
    Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
    
    Source:
    rh-haproxy18-haproxy-1.8.17-1.el7.src.rpm
    
    x86_64:
    rh-haproxy18-haproxy-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-debuginfo-1.8.17-1.el7.x86_64.rpm
    rh-haproxy18-haproxy-syspaths-1.8.17-1.el7.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
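As an added check that is not part of the advisory or of Red Hat's tooling: the functions below compare an `rpm -qa` listing against the fixed build in the package list above (version 1.8.17, release 1.el7) using a simplified re-implementation of rpm's version ordering (numeric segments, alphabetic segments and `~`; no `^` support), so a host inventory can be audited offline. The sample listing is constructed for illustration.

```python
import re
# Fixed version-release of every rh-haproxy18-haproxy* subpackage in section 6.
FIXED_VERSION, FIXED_RELEASE = "1.8.17", "1.el7"
_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Simplified rpm version ordering (no '^' support) returning -1/0/1: numeric
    segments compare as integers (1.8.4 < 1.8.17) and beat alphabetic ones; '~' sorts lowest."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) == int(y):          # "01" equals "1"
                continue
            return 1 if int(x) > int(y) else -1
        if xd != yd:
            return 1 if xd else -1
        return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments make the longer string newer, unless they begin a '~'.
    a_longer = len(sa) > len(sb)
    newer = (sa if a_longer else sb)[min(len(sa), len(sb))] != "~"
    return 1 if newer == a_longer else -1

def split_nvr(pkg):
    """Split 'name-version-release[.arch[.rpm]]' as printed by `rpm -qa`."""
    pkg = re.sub(r"\.(x86_64|noarch|src)(\.rpm)?$", "", pkg)
    name, ver, rel = pkg.rsplit("-", 2)
    return name, ver, rel

def is_patched(pkg):
    """True when pkg is at or beyond the advisory's fixed version-release."""
    _, ver, rel = split_nvr(pkg)
    return (rpmvercmp(ver, FIXED_VERSION) or rpmvercmp(rel, FIXED_RELEASE)) >= 0

def audit(installed):
    """Map each rh-haproxy18-haproxy* entry of an `rpm -qa` listing to patched True/False."""
    return {p: is_patched(p) for p in installed
            if split_nvr(p)[0].startswith("rh-haproxy18-haproxy")}

# Constructed `rpm -qa` listing for illustration, not taken from a real host.
SAMPLE = ["rh-haproxy18-haproxy-1.8.4-3.el7.x86_64",          # older build
          "rh-haproxy18-haproxy-syspaths-1.8.17-1.el7.x86_64",  # the fixed build
          "rh-haproxy18-runtime-3.1-2.el7.x86_64"]              # out of scope
```

A plain string comparison would wrongly rank 1.8.4 above 1.8.17, which is why the segment-wise ordering matters when deciding whether the update has landed.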
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2018-11469
    https://access.redhat.com/security/cve/CVE-2018-20102
    https://access.redhat.com/security/cve/CVE-2018-20103
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html-single/3.3_release_notes/
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    