Summary: | <net-proxy/haproxy-{1.8.23,1.9.13,2.0.10}: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | bertrand, hydrapolic, idl0r
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=715944 | |
Whiteboard: | B2 [glsa+ cve] | |
Package list: | =net-proxy/haproxy-2.0.14, =net-proxy/haproxy-2.1.4 | |
Runtime testing required: | --- | |
Bug Depends on: | | |
Bug Blocks: | 699870 | |
Description
GLSAMaker/CVETool Bot
2019-12-02 23:31:13 UTC
@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself (see also bug 699870).

Permission received from maintainer via IRC. @arches, please stabilise (amd64, arm, ppc, x86).

amd64 stable

arm stable

x86 stable

Maybe we should have targeted the LTS branch 2.0.

(In reply to Tomáš Mózes from comment #6)
> Maybe we should have targeted the LTS branch 2.0.

I meant like having 2.1 in ~testing and 2.0 stable.

(In reply to Tomáš Mózes from comment #7)
> (In reply to Tomáš Mózes from comment #6)
> > Maybe we should have targeted the LTS branch 2.0.
>
> I meant like having 2.1 in ~testing and 2.0 stable.

That's why 2.0.13 will be stabilized as well. I don't see a problem having both stabilized since both work pretty solid/stable for me.

Not really a problem, but probably no one will run 2.0 as the latest stable is 2.1 ;) If you just install/upgrade haproxy, then everybody will receive version 2.1, so is there a point of keeping both stable? But like I said, not really a problem, just my opinion.

This issue was resolved and addressed in GLSA 202004-01 at https://security.gentoo.org/glsa/202004-01 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architectures.

Still fails to build on ppc due to bug #668002.

Newer Stabilization in progress, Please continue in Bug #715944

Unable to check for sanity:
> no match for package: =net-proxy/haproxy-2.0.13

All sanity-check issues have been resolved

ppc stable. all arches stable

Unable to check for sanity:
> dependent bug #715944 is missing keywords

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22a7680ab28c28d7b7f100c83500c4630c848f12

commit 22a7680ab28c28d7b7f100c83500c4630c848f12
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:19:54 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:19:54 +0000

    net-analyzer/sarg: drop vulnerable

    Bug: https://bugs.gentoo.org/701842
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 net-analyzer/sarg/Manifest | 1 -
 net-analyzer/sarg/sarg-2.3.11-r1.ebuild | 43 --------------------------------
 net-analyzer/sarg/sarg-2.3.11-r2.ebuild | 44 ---------------------------------
 3 files changed, 88 deletions(-)