Bug 1709229 (CVE-2019-11323) - CVE-2019-11323 haproxy: weak HMAC keys used to TLS session resumption after reload with rotated keys
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-11323
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1709230
Blocks: 1709232
Reported: 2019-05-13 08:35 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:13 UTC

Fixed In Version: haproxy 1.9.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-17 11:01:46 UTC



Description Dhananjay Arunesh 2019-05-13 08:35:38 UTC
HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use
of uninitialized, and very predictable, HMAC keys. This is related to an
include/types/ssl_sock.h error.

Reference:
https://www.mail-archive.com/haproxy@formilux.org/msg33410.html

Upstream commit:
http://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d

Comment 1 Dhananjay Arunesh 2019-05-13 08:35:56 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1709230]

Comment 2 Ryan O'Hara 2019-05-14 20:41:07 UTC
We don't currently have haproxy-1.9 in Fedora and this doesn't appear to be an issue for 1.8, so I think we can close this?

Comment 3 Dhananjay Arunesh 2019-05-15 06:24:36 UTC
In reply to comment #2:
> We don't currently have haproxy-1.9 in Fedora and this doesn't appear to be
> an issue for 1.8, so I think we can close this?

Yes, I have also checked in Koji and found that we don't have haproxy-1.9 for Fedora. Hence, you can close this from your end.

Comment 5 Tomas Hoger 2019-05-17 11:01:46 UTC
In reply to comment #4:
> Introduced by:
> 
> http://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547740cc2d0a6851de8ca9ac57488bdbb8bf2

This was first included in version 1.9.2.  Hence only versions 1.9.2 - 1.9.6 were affected.  Those versions are not included in any Red Hat products.

Comment 6 Tomas Hoger 2019-05-17 11:04:48 UTC
In reply to comment #5:
> This was first included in version 1.9.2.  Hence only versions 1.9.2 - 1.9.6
> were affected.

Upstream confirms this only affected 1.9.2 and above in this upstream mailing list post:

https://www.mail-archive.com/haproxy@formilux.org/msg33818.html
