Bug 1777584 (CVE-2019-19330)
Summary: CVE-2019-19330 haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Pedro Sampaio <psampaio>
Assignee: Red Hat Product Security <security-response-team>
CC: bmontgom, bperkins, carl, eparis, hhorak, jburrell, jeremy, jokerman, jorton, nstielau, pavloos, rohara, sponnaga
Keywords: Security
Fixed In Version: haproxy 2.0.10, haproxy 1.8.23
Doc Type: If docs needed, set a value
Last Closed: 2020-04-07 22:31:52 UTC
Bug Depends On: 1777585, 1779022, 1779023, 1781027, 1781028, 1781029, 1781030, 1788780
Bug Blocks: 1777586
Description
Pedro Sampaio
2019-11-27 21:39:24 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1777585]

Statement:

Support for HTTP/2 protocol was added to haproxy in version 1.8, therefore previous versions are not affected by this flaw.

The version of haproxy shipped in OpenShift Container Platform 4 contains the vulnerable code, however exploitation requires setting ROUTER_USE_HTTP2 in the OpenShift Ingress Operator, which is not currently possible. The impact of this vulnerability is therefore reduced in OpenShift Container Platform 4 to Low.

Fixes for haproxy 1.8:
http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=b8d65bb1f52849665ef6f21d90ec5fc3b7c00bc6
http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=4b37de078bfa850ea3d08d02e23b912fd5f8c168

Applied in version 1.8.23.

This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:1287 https://access.redhat.com/errata/RHSA-2020:1287

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-19330

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:1725 https://access.redhat.com/errata/RHSA-2020:1725

This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1936 https://access.redhat.com/errata/RHSA-2020:1936

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2265 https://access.redhat.com/errata/RHSA-2020:2265
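Added example, not part of this bug report and not haproxy's code: the flaw class named in the summary ("intermediary encapsulation attacks", RFC 7540 section 10.3) is an HTTP/2-to-HTTP/1.x proxy copying header fields verbatim into the HTTP/1.1 request it sends to a backend, so a field name or value that HTTP/2 can carry but HTTP/1.x cannot (CR, LF, NUL, non-token name characters) becomes extra header or request text on the backend side. The check below is what such an intermediary must perform before re-encapsulating a request, shown against a naive translation. The function names and the sample header list are constructed for illustration; the RFC rules applied are RFC 7540 8.1.2 (lowercase token names), RFC 7540 10.3 (no CR, LF or NUL in values) and RFC 9113 8.2.1 (no leading or trailing whitespace in values).

```python
# Added example (not haproxy's code): validating HTTP/2 header fields before
# re-encapsulating them as HTTP/1.1, per RFC 7540 section 10.3.
import re

# RFC 7230 token characters, restricted to lowercase letters because
# RFC 7540 8.1.2 requires HTTP/2 field names to be lowercase.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-z]+$")

# Characters that RFC 7540 10.3 says must never be translated verbatim.
_FORBIDDEN_VALUE_CHARS = ("\r", "\n", "\x00")


def check_h2_header(name, value):
    """Return None if (name, value) may be forwarded as HTTP/1.x, else the reason it must not."""
    if name.startswith(":"):
        # Pseudo-headers (:method, :path, ...) map onto the request line and are
        # never copied as fields; this example only covers regular fields.
        return "pseudo-header must be handled separately"
    if not _TOKEN_RE.match(name):
        return "field name is not a lowercase HTTP token"
    if any(c in value for c in _FORBIDDEN_VALUE_CHARS):
        return "field value contains CR, LF or NUL"
    if value != value.strip(" \t"):
        return "field value has leading or trailing whitespace"
    return None


def encapsulate_h1_vulnerable(method, path, headers):
    """Naive translation: every HTTP/2 field is written into the HTTP/1.1 request as-is.

    A value containing CRLF therefore becomes additional header lines (or a
    second request) from the backend's point of view.
    """
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def encapsulate_h1_hardened(method, path, headers):
    """Same translation, but the whole request is rejected if any field fails the check."""
    for n, v in headers:
        reason = check_h2_header(n, v)
        if reason is not None:
            raise ValueError(f"malformed HTTP/2 request, field {n!r}: {reason}")
    return encapsulate_h1_vulnerable(method, path, headers)


if __name__ == "__main__":
    # Constructed sample: an HTTP/2 request whose "x-forwarded-tag" value
    # carries a CRLF followed by text shaped like another header line.
    headers = [
        ("host", "backend.example"),
        ("x-forwarded-tag", "abc\r\nx-injected: 1"),
    ]
    print("naive translation sends:")
    print(repr(encapsulate_h1_vulnerable("GET", "/", headers)))
    try:
        encapsulate_h1_hardened("GET", "/", headers)
    except ValueError as e:
        print("hardened translation rejects:", e)
```

The naive path shows the backend receiving an "x-injected" header the client never sent as a field; the hardened path treats the stream as malformed instead of forwarding it, which is the behaviour RFC 7540 10.3 requires of an intermediary.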