English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 143769 CVE descriptions
and 71225 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.852063
Category:SuSE Local Security Checks
Title:SuSE Update for haproxy openSUSE-SU-2018:3324-1 (haproxy)
Summary:The remote host is missing an update for the 'haproxy'; package(s) announced via the openSUSE-SU-2018:3324_1 advisory.
Description:Summary:
The remote host is missing an update for the 'haproxy'
package(s) announced via the openSUSE-SU-2018:3324_1 advisory.

Vulnerability Insight:
This update for haproxy to version 1.8.14 fixes the following issues:

These security issues were fixed:

- CVE-2018-14645: A flaw was discovered in the HPACK decoder what caused an
out-of-bounds read in hpack_valid_idx() that resulted in a remote crash
and denial of service (bsc#1108683)

- CVE-2018-11469: Incorrect caching of responses to requests including an
Authorization header allowed attackers to achieve information disclosure
via an unauthenticated remote request (bsc#1094846).

These non-security issues were fixed:

- Require apparmor-abstractions to reduce dependencies (bsc#1100787)

- hpack: fix improper sign check on the header index value

- cli: make sure the 'getsock' command is only called on connections

- tools: fix set_net_port() / set_host_port() on IPv4

- patterns: fix possible double free when reloading a pattern list

- server: Crash when setting FQDN via CLI.

- kqueue: Don't reset the changes number by accident.

- snapshot: take the proxy's lock while dumping errors

- http/threads: atomically increment the error snapshot ID

- dns: check and link servers' resolvers right after config parsing

- h2: fix risk of memory leak on malformated wrapped frames

- session: fix reporting of handshake processing time in the logs

- stream: use atomic increments for the request counter

- thread: implement HA_ATOMIC_XADD()

- ECC cert should work with TLS v1.2 and openssl = 1.1.1

- dns/server: fix incomatibility between SRV resolution and server state
file

- hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.

- thread: lua: Wrong SSL context initialization.

- hlua: Make sure we drain the output buffer when done.

- lua: reset lua transaction between http requests

- mux_pt: dereference the connection with care in mux_pt_wake()

- lua: Bad HTTP client request duration.

- unix: provide a - drain() function

- Fix spelling error in configuration doc

- cli/threads: protect some server commands against concurrent operations

- cli/threads: protect all 'proxy' commands against concurrent updates

- lua: socket timeouts are not applied

- ssl: Use consistent naming for TLS protocols

- dns: explain set server ... fqdn requires resolver

- map: fix map_regm with backref

- ssl: loading dh param from certifile causes unpredictable error.

- ssl: fix missing error loading a keytype cert from a bundle.

- ssl: empty connections reported as errors.

- cli: make 'show fd' thread-safe

- hathreads: implement a more flexible rendez-vous point

- threads: fix the no-thread case after the change to the sync point
...

Description truncated, please see the referenced URL(s) for more information.

Affected Software/OS:
haproxy on openSUSE Leap 15.0.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2018-11469
Common Vulnerability Exposure (CVE) ID: CVE-2018-14645
CopyrightCopyright (C) 2018 Greenbone Networks GmbH

This is only one of 71225 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe

© 1998-2019 E-Soft Inc. All rights reserved.