Bug 903295 - haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
Summary: haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: haproxy
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Ryan O'Hara
QA Contact: Fedora Extras Quality Assurance
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard:
Depends On: 903293 903301 903303 903306 903307
Blocks:
 
Reported: 2013-01-23 16:40 UTC by Jan Lieskovsky
Modified: 2013-04-27 00:14 UTC (History)

Fixed In Version:
Clone Of: 903293
Environment:
Last Closed: 2013-04-27 00:14:14 UTC
Type: Bug
Embargoed:



Description Jan Lieskovsky 2013-01-23 16:40:04 UTC
+++ This bug was initially created as a clone of Bug #903293 +++

Description of problem:
As noted in bug #894626 and in:
  [1] http://www.openwall.com/lists/oss-security/2013/01/23/7

haproxy previously failed to drop supplementary groups properly when trying to drop root privileges.

By itself this problem is not a security flaw, but it is still serious enough for the upstream fix:
  [2] git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

to be backported into all of the affected versions.

Version-Release number of selected component (if applicable):
haproxy-1.4.22-1.fc17

How reproducible:
Always

Steps to Reproduce:
1. See https://bugzilla.redhat.com/show_bug.cgi?id=894626#c0 for further reproducer details
  
Actual results:
Supplementary groups are not dropped properly after setuid / setgid calls.

Expected results:
(All) Supplementary groups should be dropped when dropping root privileges.
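
The sequence the report asks for, as an added example that is not haproxy's code and not the upstream commit: setgid()/setuid() alone leave the supplementary group list intact, so a daemon started as root keeps every group root was in; the complete drop clears that list with setgroups() first, while still privileged, then changes gid before uid, then verifies. The uid/gid command-line arguments and the extra groups 4 and 20 that main() gives itself are constructed for the demonstration; the audit functions are the author's own, not haproxy API.

```c
/* Added example, not haproxy code. Build: cc -Wall -o dropprivs dropprivs.c
   Run as root, e.g. ./dropprivs 65534 65534, to see both variants. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a group list as getgroups() might return it for a
   root process that is also in groups 4 and 20. */
const gid_t sample_groups[] = { 1000, 4, 20 };
const int sample_groups_len = 3;

/* Count entries that are not the target gid: the supplementary groups a
   setgid()/setuid()-only drop leaves behind. */
int count_foreign_groups(const gid_t *groups, int n, gid_t gid)
{
    int leaked = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != gid)
            leaked++;
    return leaked;
}

/* Read-only audit of the calling process: 1 if real/effective uid and gid
   match and no foreign supplementary group remains, 0 otherwise. */
int privs_fully_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return 0;
    int n = getgroups(0, NULL);
    if (n < 0)
        return 0;
    gid_t *groups = calloc(n ? n : 1, sizeof *groups);
    if (!groups)
        return 0;
    n = getgroups(n, groups);
    int leaked = (n < 0) ? 1 : count_foreign_groups(groups, n, gid);
    free(groups);
    return leaked == 0;
}

/* The incomplete drop described in the report: primary ids change, the
   supplementary group list does not. */
int drop_privileges_incomplete(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* The complete drop: clear supplementary groups while still root, then gid
   before uid (once uid is unprivileged, setgroups()/setgid() would fail),
   then verify the result instead of trusting the return codes alone. */
int drop_privileges_complete(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* With a non-root target, regaining root must now be impossible. */
    if (uid != 0 && setuid(0) != -1) { errno = EACCES; return -1; }
    return privs_fully_dropped(uid, gid) ? 0 : -1;
}

/* Run one variant in a child so the parent keeps root for the next one. */
static void report(const char *label, int (*drop)(uid_t, gid_t), uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid == 0) {
        int rc = drop(uid, gid);
        printf("%-24s rc=%d fully_dropped=%d\n", label, rc, privs_fully_dropped(uid, gid));
        _exit(0);
    }
    if (pid > 0)
        waitpid(pid, NULL, 0);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s uid gid   (run as root)\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    /* Constructed: give the root process some supplementary groups to leak. */
    gid_t extra[] = { gid, 4, 20 };
    if (setgroups(3, extra) != 0) { perror("setgroups (need root)"); return 1; }
    report("setgid+setuid only:", drop_privileges_incomplete, uid, gid);
    report("setgroups+setgid+setuid:", drop_privileges_complete, uid, gid);
    return 0;
}
```

Run as root, the first line reports fully_dropped=0 because groups 4 and 20 survive the incomplete drop; the second reports rc=0 and fully_dropped=1. As an unprivileged user setgroups() fails with EPERM, which is exactly why the list has to be cleared before the uid changes.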

Comment 1 Jan Lieskovsky 2013-01-23 17:11:36 UTC
Actually, moving this bug to be the bug for the version of the haproxy package shipped with the Fedora 17 release (the bug for Fedora 18 is #894626).

Comment 2 Fedora Update System 2013-04-03 05:09:52 UTC
haproxy-1.4.23-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/haproxy-1.4.23-1.fc17

Comment 3 Fedora Update System 2013-04-04 23:59:32 UTC
Package haproxy-1.4.23-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing haproxy-1.4.23-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4827/haproxy-1.4.23-1.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-04-27 00:14:15 UTC
haproxy-1.4.23-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

