Bug 29445

Summary:	haproxy new security issue CVE-2021-40346
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	Bruno Cornec <bruno>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	jani.valimaa
Version:	Cauldron
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	haproxy-2.4.3-1.mga9.src.rpm	CVE:
Status comment:	Fixed upstream in 2.4.4

Description David Walser 2021-09-08 01:08:08 CEST

openSUSE has issued an advisory today (September 7):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z6TTUW6SSY2VZZGE3CPYLSNSIBVPT2RR/

The issue is fixed upstream in 2.4.4:
https://www.haproxy.org/download/2.4/src/CHANGELOG
https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
https://www.mail-archive.com/haproxy@formilux.org/msg41115.html

David Walser 2021-09-08 01:08:20 CEST

Status comment: (none) => Fixed upstream in 2.4.4
CC: (none) => jani.valimaa

Comment 1 David Walser 2021-09-08 22:29:40 CEST

Debian has issued an advisory for this on September 7:
https://www.debian.org/security/2021/dsa-4968

Ubuntu has issued an advisory for this today (September 8):
https://ubuntu.com/security/notices/USN-5063-1

Comment 2 David Walser 2021-09-16 22:26:31 CEST

Fedora has issued an advisory for this today (September 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7V2IYO22LWVBGUNZWVKNTMDV4KINLFO/

Severity: normal => major

Bruno Cornec 2021-09-18 01:55:28 CEST

Status: NEW => ASSIGNED

Comment 3 Bruno Cornec 2021-09-18 01:56:27 CEST

2.4.4 pushed to cauldron

Comment 4 David Walser 2021-09-18 02:34:27 CEST

haproxy-2.4.4-1.mga9 uploaded for Cauldron by Bruno.

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED