RedHat: RHSA-2020-1288:01 Critical: haproxy security update

    Date 02 Apr 2020
    Posted By LinuxSecurity Advisories
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Critical: haproxy security update
    Advisory ID:       RHSA-2020:1288-01
    Product:           Red Hat Enterprise Linux
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1288
    Issue date:        2020-04-02
    CVE Names:         CVE-2020-11100 
    =====================================================================
    
    1. Summary:
    
    An update for haproxy is now available for Red Hat Enterprise Linux 8.
    
    Red Hat Product Security has rated this update as having a security impact
    of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
    
    3. Description:
    
    The haproxy packages provide a reliable, high-performance network load
    balancer for TCP and HTTP-based applications.
    
    Security Fix(es):
    
    * haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
    (CVE-2020-11100)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1819111 - CVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
    
    6. Package List:
    
    Red Hat Enterprise Linux AppStream (v. 8):
    
    Source:
    haproxy-1.8.15-6.el8_1.1.src.rpm
    
    aarch64:
    haproxy-1.8.15-6.el8_1.1.aarch64.rpm
    haproxy-debuginfo-1.8.15-6.el8_1.1.aarch64.rpm
    haproxy-debugsource-1.8.15-6.el8_1.1.aarch64.rpm
    
    ppc64le:
    haproxy-1.8.15-6.el8_1.1.ppc64le.rpm
    haproxy-debuginfo-1.8.15-6.el8_1.1.ppc64le.rpm
    haproxy-debugsource-1.8.15-6.el8_1.1.ppc64le.rpm
    
    s390x:
    haproxy-1.8.15-6.el8_1.1.s390x.rpm
    haproxy-debuginfo-1.8.15-6.el8_1.1.s390x.rpm
    haproxy-debugsource-1.8.15-6.el8_1.1.s390x.rpm
    
    x86_64:
    haproxy-1.8.15-6.el8_1.1.x86_64.rpm
    haproxy-debuginfo-1.8.15-6.el8_1.1.x86_64.rpm
    haproxy-debugsource-1.8.15-6.el8_1.1.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
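    A fleet-side check that an installed haproxy is at or beyond the fixed build listed above. This is an added example, not Red Hat's tooling: it re-implements a simplified form of rpm's version-comparison rule (digit/alpha segments, numeric beats alpha, longer string wins; no tilde or caret handling) and assumes the installed version-release is read with `rpm -q --qf '%{VERSION}-%{RELEASE}' haproxy` on the host being checked.

```python
import re
import subprocess

# Fixed version-release taken from the advisory's package list (haproxy-1.8.15-6.el8_1.1)
FIXED_VR = "1.8.15-6.el8_1.1"

def _segments(s):
    # rpmvercmp tokenises on runs of digits or letters; separators (., _, -) are skipped
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (assumption: no tilde/caret handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # whichever has segments left wins

def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when the installed version-release is at or beyond the fixed one."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    c = rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)  # release only matters when versions tie
    return c >= 0

def installed_haproxy_vr():
    """Query the local rpm database; None when haproxy (or rpm itself) is absent."""
    try:
        r = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "haproxy"],
                           capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stdout.strip() if r.returncode == 0 else None

if __name__ == "__main__":
    vr = installed_haproxy_vr()
    if vr is None:
        print("haproxy not installed (or rpm unavailable)")
    else:
        state = "fixed" if is_fixed(vr) else "VULNERABLE to CVE-2020-11100"
        print(f"haproxy-{vr}: {state}")
```

Note that a z-stream build such as 6.el8 sorts older than 6.el8_1.1, so a plain string or `sort -V` comparison is not a substitute for the segment rule.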
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2020-11100
    https://access.redhat.com/security/updates/classification/#critical
    https://access.redhat.com/security/vulnerabilities/haproxy
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
