CVE-2023-25950: HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7, allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.

A 2.7 patch is referenced: https://git.haproxy.org/?p=haproxy-2.7.git;a=commit;h=3ca4223c5e1f18a19dc93b0b09ffdbd295554d46

Does this vulnerability affect older branches?
CVE-2023-0056 (https://access.redhat.com/security/cve/CVE-2023-0056): An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.

... but there's an upstream bug in haproxy: https://github.com/haproxy/haproxy/issues/1972

Are we affected?
> Does this vulnerability affect older branches?

No

> Are we affected?

Some old versions are still in the repo. Waiting for stabilization via bug 894526 and bug 900737.
(In reply to Christian Ruppert (idl0r) from comment #2)
> > Does this vulnerability affect older branches?
> No
>
> > Are we affected?
> Some old versions are still in the repo. Waiting for stabilization via bug
> 894526 and bug 900737

So, what are the fixed versions for the purposes of this bug?