Bug 1346181 (CVE-2016-5360)

Summary: CVE-2016-5360 haproxy: denial of service via reqdeny
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, ccoleman, cheese, dmcphers, jialiu, joelsmith, jokerman, kseifried, lmeyer, mmccomas, mprpic, rohara, tiwillia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: haproxy 1.6.6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-14 08:19:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1346672    
Bug Blocks:    

Description Martin Prpič 2016-06-14 08:18:39 UTC 
A remote denial of service flaw was found in HAProxy:

http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b

This issue was introduced in version 1.6.0 of HAProxy, and thus does not affect any Red Hat products.
Comment 1 Ryan O'Hara 2016-06-14 16:08:06 UTC 
This does affect Fedora, though. Can we clone this for Fedora or do I need to create a new BZ?
Comment 2 Martin Prpič 2016-06-15 07:33:05 UTC 
(In reply to Ryan O'Hara from comment #1)
> This does affect Fedora, though. Can we clone this for Fedora or do I need
> to create a new BZ?

Well, technically only Fedora 24 and above, which are not yet released. I'll create a tracking bug for these anyway then.
Comment 3 Martin Prpič 2016-06-15 07:33:32 UTC 
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1346672]