An HTTP request/response smuggling vulnerability in HAProxy versions 2.7.0 and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.
A 2.7 patch is referenced:
Does this vulnerability affect older branches?
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
... but there's an upstream bug in haproxy:
Are we affected?
>Does this vulnerability affect older branches?
>Are we affected?
Some old versions are still in the repo. Waiting for stabilizing via bug 894526 and bug 900737
(In reply to Christian Ruppert (idl0r) from comment #2)
> >Does this vulnerability affect older branches?
> >Are we affected?
> Some old versions are still in the repo. Waiting for stabilizing via bug
> 894526 and bug 900737
So, what are the fixed versions for the purposes of this bug?