HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. This is related to an include/types/ssl_sock.h error. Reference: https://www.mail-archive.com/haproxy@formilux.org/msg33410.html Upstream commit: http://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 1709230]
We don't currently have haproxy-1.9 in Fedora and this doesn't appear to be an issue for 1.8, so I think we can close this?
In reply to comment #2: > We don't currently have haproxy-1.9 in Fedora and this doesn't appear to be > an issue for 1.8, so I think we can close this? yes, I have also checked in koji and found that we don't have haproxy-1.9 for fedora. Hence, you can close this from your end.
Introduced by: http://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547740cc2d0a6851de8ca9ac57488bdbb8bf2
In reply to comment #4: > Introduced by: > > http://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547740cc2d0a6851de8ca9ac57488bdbb8bf2 This was first included in version 1.9.2. Hence only versions 1.9.2 - 1.9.6 were affected. Those versions are not included in any Red Hat products.
In reply to comment #5: > This was first included in version 1.9.2. Hence only versions 1.9.2 - 1.9.6 > were affected. Upstream confirms this only affected 1.9.2 and above in this upstream mailing list post: https://www.mail-archive.com/haproxy@formilux.org/msg33818.html