Description:
"HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c."

BUG (2.x): https://github.com/haproxy/haproxy/issues/181

Patches:
* 2.1.x: https://git.haproxy.org/?p=haproxy-2.1.git;a=commit;h=f0f42389772b2303b162e929449a36b33e181c5f
* 2.0.x: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=fc7f52eb030b555b2c63b3261f6437aee11a5ef9
* 1.9.x: https://git.haproxy.org/?p=haproxy-1.9.git;a=commit;h=23367fabc4a1dc02185c8a8d325e67f3ecda1680

Affected versions (based on releases post patch):
* 2.1.x: <2.1.3
* 2.0.x: <2.0.3
* 1.9.x: <1.9.10 (as 1.9.9 does not seem to have been in tree)

Explanation of versions affected:
Upstream's explanation of the CVE version details being wrong: https://github.com/haproxy/haproxy/issues/181#issuecomment-515524848:
>I took a great care at explaining that only 2.0.0 to 2.0.2 and 1.9.0 to 1.9.8 were vulnerable,
>and they translated this to "all haproxy up to 2.0.2"
>then somehow reformulated it as 1.4 to 1.9.8.

Note that the patch made it into 2.1.3 so above does not seem exactly right either. I have taken all of this into account in the "affected versions" list above.

Upstream mention (in 2.1 patch) that the fix from 2.1 needed to be backported to 2.0, 1.9. Given that 1.8 still seems to receive commits, it would *seem* that 1.8.x is not affected. I could not find a patch committed in 1.8.x.
@ maintainer(s): Please clean up and drop =net-proxy/haproxy-2.1.2!
Done.

[master 32af9d9ae12] net-proxy/haproxy: Cleanup old versions, also re bug 711914
 7 files changed, 1049 deletions(-)
 delete mode 100644 net-proxy/haproxy/haproxy-1.8.23.ebuild
 delete mode 100644 net-proxy/haproxy/haproxy-1.9.10.ebuild
 delete mode 100644 net-proxy/haproxy/haproxy-1.9.13.ebuild
 delete mode 100644 net-proxy/haproxy/haproxy-2.0.10.ebuild
 delete mode 100644 net-proxy/haproxy/haproxy-2.0.12.ebuild
 delete mode 100644 net-proxy/haproxy/haproxy-2.1.2.ebuild
(In reply to Christian Ruppert (idl0r) from comment #2)
> Done.
>
Thank you!
Thank you all for your work. Closing as [noglsa].