The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package. However, it was found that the patch for one of these CVEs, CVE-2021-39242, was missing. This issue was only found in OpenShift 4.9; it does not apply to earlier versions of OpenShift, other Red Hat products or to upstream haproxy.
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:5002 https://access.redhat.com/errata/RHSA-2021:5002
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4047