Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 441
Alerts This Week
Warning Icon 1 441

SUSE: 2018:3249-1 Important: Haproxy Denial of Service & Info Disclosure

suse
Calendar Grey October 19, 2018
Dist Suse Esm H88
SUSE has released a security update for nginx, rectifying serious vulnerabilities and delivering essential fixes. Ensure your systems are protected with the most recent updates.
An update that solves two vulnerabilities and has one errata is now available

Summary

This update for haproxy to version 1.8.14 fixes the following issues: These security issues were fixed: - CVE-2018-14645: A flaw was discovered in the HPACK decoder what caused an out-of-bounds read in hpack_valid_idx() that resulted in a remote crash and denial of service (bsc#1108683) - CVE-2018-11469: Incorrect caching of responses to requests including an Authorization header allowed attackers to achieve information disclosure via an unauthenticated remote request (bsc#1094846). These non-security issues were fixed: - Require apparmor-abstractions to reduce dependencies (bsc#1100787) - hpack: fix improper sign check on the header index value - cli: make sure the "getsock" command is only called on connections - tools: fix set_net_port() / set_host_port() on IPv4

References

#1094846 #1100787 #1108683

Cross- CVE-2018-11469 CVE-2018-14645

Affected Products:

SUSE Linux Enterprise High Availability 15

https://www.suse.com/security/cve/CVE-2018-11469.html

https://www.suse.com/security/cve/CVE-2018-14645.html

https://bugzilla.suse.com/1094846

https://bugzilla.suse.com/1100787

https://bugzilla.suse.com/1108683

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2018:3249-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.