Overview

File _patchinfo of Package patchinfo.11633

<patchinfo incident="11633">
  <issue tracker="bnc" id="1154980">VUL-0: CVE-2019-18277: haproxy: HTTP smuggling in messages with transfer-encoding header missing the "chunked" value</issue>
  <issue tracker="bnc" id="1082318">Packages must not mark license files as %doc</issue>
  <issue tracker="bnc" id="1157714">VUL-0: EMBARGOED: haproxy: Crash by sending HEADER frames in idle streas</issue>
  <issue tracker="bnc" id="1157712">VUL-1: EMBARGOED: haproxy: Possibility of injecting LFs in H2-to-H1 transfers</issue>
  <issue tracker="cve" id="2019-18277"/>
  <packager>varkoly</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for haproxy</summary>
  <description>This update for haproxy to version 2.0.10 fixes the following issues:

HAProxy was updated to 2.0.10 	  

Security issues fixed:

- CVE-2019-18277: Fixed a potential HTTP smuggling in messages 
  with transfer-encoding header missing the "chunked" (bsc#1154980).
- Fixed an improper handling of headers which could have led to 
  injecting LFs in H2-to-H1 transfers creating new attack space (bsc#1157712)
- Fixed an issue where HEADER frames in idle streams are not rejected and    
  thus trying to decode them HAPrpxy crashes (bsc#1157714).

Other issue addressed:   

- Macro change in the spec file (bsc#1082318)

More information regarding the release at: 
http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e

This update was imported from the SUSE:SLE-15:Update update project.</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places