-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4374
              SUSE-SU-2019:3001-1 Security update for haproxy
                             19 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           haproxy
Publisher:         SUSE
Operating System:  SUSE
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14241  

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20193001-1.html
   https://www.suse.com/support/update/announcement/2019/suse-su-20193002-1.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than SUSE. It is recommended that administrators 
         running haproxy check for an updated version of the software for 
         their operating system.
         
         This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for haproxy

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:3001-1
Rating:            moderate
References:        #1142529
Cross-References:  CVE-2019-14241
Affected Products:
                   SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for haproxy to version 2.0.5+git0.d905f49a fixes the following
issues:
Security issue fixed:

  o CVE-2019-14241: Fixed a cookie memory corruption problem. (bsc#1142529)


The update to 2.0.5 brings lots of features and bugfixes:

  o new internal native HTTP representation called HTX, was already in 1.9 and
    is now enabled by default in 2.0
  o end-to-end HTTP/2 support including trailers and continuation frames, as
    needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using the H2
    preface;
  o server connection pooling and more advanced reuse, with ALPN protocol
    negotiation (already in 1.9)
  o layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers as
    well as on the frontend
  o much more scalable multi-threading, which is even enabled by default on
    platforms where it was successfully tested ; by default, as many threads
    are started as the number of CPUs haproxy is allowed to run on. This
    removes a lot of configuration burden in VMs and containers
  o automatic maxconn setting for the process and the frontends, directly based
    on the number of available FDs (easier configuration in containers and with
    systemd)
  o logging to stdout for use in containers and systemd (already in 1.9). Logs
    can now provide micro-second resolution for some events
  o peers now support SSL, declaration of multiple stick-tables directly in the
    peers section, and synchronization of server names, not just IDs
  o In master-worker mode, the master process now exposes its own CLI and can
    communicate with all other processes (including the stopping ones), even
    allowing to connect to their CLI and check their state. It is also possible
    to start some sidecar programs and monitor them from the master, and the
    master can automatically kill old processes that survived too many reloads
  o the incoming connections are load-balanced between all threads depending on
    their load to minimize the processing time and maximize the capacity
    (already in 1.9)
  o the SPOE connection load-balancing was significantly improved in order to
    reduce high percentiles of SPOA response time (already in 1.9)
  o the "random" load balancing algorithm and a power-of-two-choices variant
    were introduced
  o statistics improvements with per-thread counters for certain things, and a
    prometheus exporter for all our statistics;
  o lots of debugging help, it's easier to produce a core dump, there are new
    commands on the CLI to control various things, there is a watchdog to fail
    cleanly when a thread deadlock or a spinning task are detected, so overall
    it should provide a better experience in field and less round trips between
    users and developers (hence less stress during an incident).
  o all 3 device detection engines are now compatible with multi-threading and
    can be build-tested without any external dependencies
  o "do-resolve" http-request action to perform a DNS resolution on any,
    sample, and resolvers now support relying on /etc/resolv.conf to match the
    local resolver
  o log sampling and balancing : it's now possible to send 1 log every 10 to a
    server, or to spread the logging load over multiple log servers;
  o a new SPOA agent (spoa_server) allows to interface haproxy with Python and
    Lua programs
  o support for Solaris' event ports (equivalent of kqueue or epoll) which will
    significantly improve the performance there when dealing with numerous
    connections
  o some warnings are now reported for some deprecated options that will be
    removed in 2.1. Since 2.0 is long term supported, there's no emergency to
    convert them, however if you see these warnings, you need to understand
    that you're among their extremely rare users and just because of this you
    may be taking risks by keeping them
  o A new SOCKS4 server-side layer was provided ; it allows outgoing
    connections to be forwarded through a SOCKS4 proxy (such as ssh -D).
  o priority- and latency- aware server queues : it is possible now to assign
    priorities to certain requests and/or to give them a time bonus or penalty
    to refine control of the traffic and be able to engage on SLAs.
  o internally the architecture was significantly redesigned to allow to
    further improve performance and make it easier to implement protocols that
    span over multiple layers (such as QUIC). This work started in 1.9 and will
    continue with 2.1.
  o the I/O, applets and tasks now share the same multi-threaded scheduler,
    giving a much better responsiveness and fairness between all tasks as is
    visible with the CLI which always responds instantly even under extreme
    loads (started in 1.9)
  o the internal buffers were redesigned to ease zero-copy operations, so that
    it is possible to sustain a high bandwidth even when forwarding HTTP/1 to/
    from HTTP/2 (already in 1.9)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise High Availability 15-SP1:
    zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2019-3001=1

Package List:

  o SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x
    x86_64):
       haproxy-2.0.5+git0.d905f49a-8.3.5
       haproxy-debuginfo-2.0.5+git0.d905f49a-8.3.5
       haproxy-debugsource-2.0.5+git0.d905f49a-8.3.5


References:

  o https://www.suse.com/security/cve/CVE-2019-14241.html
  o https://bugzilla.suse.com/1142529

===============================================================================

SUSE Security Update: Security update for haproxy

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:3002-1
Rating:            moderate
References:        #1142529
Cross-References:  CVE-2019-14241
Affected Products:
                   SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for haproxy to version 2.0.5+git0.d905f49a fixes the following
issues:
Security issue fixed:

  o CVE-2019-14241: Fixed a cookie memory corruption problem. (bsc#1142529)


The update to 2.0.5 brings lots of features and bugfixes:

  o new internal native HTTP representation called HTX, was already in 1.9 and
    is now enabled by default in 2.0
  o end-to-end HTTP/2 support including trailers and continuation frames, as
    needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using the H2
    preface;
  o server connection pooling and more advanced reuse, with ALPN protocol
    negotiation (already in 1.9)
  o layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers as
    well as on the frontend
  o much more scalable multi-threading, which is even enabled by default on
    platforms where it was successfully tested ; by default, as many threads
    are started as the number of CPUs haproxy is allowed to run on. This
    removes a lot of configuration burden in VMs and containers
  o automatic maxconn setting for the process and the frontends, directly based
    on the number of available FDs (easier configuration in containers and with
    systemd)
  o logging to stdout for use in containers and systemd (already in 1.9). Logs
    can now provide micro-second resolution for some events
  o peers now support SSL, declaration of multiple stick-tables directly in the
    peers section, and synchronization of server names, not just IDs
  o In master-worker mode, the master process now exposes its own CLI and can
    communicate with all other processes (including the stopping ones), even
    allowing to connect to their CLI and check their state. It is also possible
    to start some sidecar programs and monitor them from the master, and the
    master can automatically kill old processes that survived too many reloads
  o the incoming connections are load-balanced between all threads depending on
    their load to minimize the processing time and maximize the capacity
    (already in 1.9)
  o the SPOE connection load-balancing was significantly improved in order to
    reduce high percentiles of SPOA response time (already in 1.9)
  o the "random" load balancing algorithm and a power-of-two-choices variant
    were introduced
  o statistics improvements with per-thread counters for certain things, and a
    prometheus exporter for all our statistics;
  o lots of debugging help, it's easier to produce a core dump, there are new
    commands on the CLI to control various things, there is a watchdog to fail
    cleanly when a thread deadlock or a spinning task are detected, so overall
    it should provide a better experience in field and less round trips between
    users and developers (hence less stress during an incident).
  o all 3 device detection engines are now compatible with multi-threading and
    can be build-tested without any external dependencies
  o "do-resolve" http-request action to perform a DNS resolution on any,
    sample, and resolvers now support relying on /etc/resolv.conf to match the
    local resolver
  o log sampling and balancing : it's now possible to send 1 log every 10 to a
    server, or to spread the logging load over multiple log servers;
  o a new SPOA agent (spoa_server) allows to interface haproxy with Python and
    Lua programs
  o support for Solaris' event ports (equivalent of kqueue or epoll) which will
    significantly improve the performance there when dealing with numerous
    connections
  o some warnings are now reported for some deprecated options that will be
    removed in 2.1. Since 2.0 is long term supported, there's no emergency to
    convert them, however if you see these warnings, you need to understand
    that you're among their extremely rare users and just because of this you
    may be taking risks by keeping them
  o A new SOCKS4 server-side layer was provided ; it allows outgoing
    connections to be forwarded through a SOCKS4 proxy (such as ssh -D).
  o priority- and latency- aware server queues : it is possible now to assign
    priorities to certain requests and/or to give them a time bonus or penalty
    to refine control of the traffic and be able to engage on SLAs.
  o internally the architecture was significantly redesigned to allow to
    further improve performance and make it easier to implement protocols that
    span over multiple layers (such as QUIC). This work started in 1.9 and will
    continue with 2.1.
  o the I/O, applets and tasks now share the same multi-threaded scheduler,
    giving a much better responsiveness and fairness between all tasks as is
    visible with the CLI which always responds instantly even under extreme
    loads (started in 1.9)
  o the internal buffers were redesigned to ease zero-copy operations, so that
    it is possible to sustain a high bandwidth even when forwarding HTTP/1 to/
    from HTTP/2 (already in 1.9)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise High Availability 15:
    zypper in -t patch SUSE-SLE-Product-HA-15-2019-3002=1

Package List:

  o SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
       haproxy-2.0.5+git0.d905f49a-3.12.6
       haproxy-debuginfo-2.0.5+git0.d905f49a-3.12.6
       haproxy-debugsource-2.0.5+git0.d905f49a-3.12.6


References:

  o https://www.suse.com/security/cve/CVE-2019-14241.html
  o https://bugzilla.suse.com/1142529

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXdNrPGaOgq3Tt24GAQjg6hAAqVvvmoSosOQOvudFNLRfStgswjkO7oY2
vajIimrsUCWWqnfhVt/NwIwHVoq1cgKnwulo30Y/56EA8YVrAui0WeOk2xD/s7zO
AXLpuDqWL1UPANmcMxsXjKPwOZsewedgOvjszHc0lwRhReavNGCC3FjFcRp96Ktg
ODNLfFnKHuh0OQCCMVLaEBk24u9gSNPQBcPcNM8SWqmHbKpta6JjE/EcuPIjttL4
yEZwnoOfKNiNwmZXlHFXtaOHLffIA1jsrjsTRlucAFnNzqck0Nvt9MYP128/e0wg
+/HBYwywr2JQ6Y/w0j5zTJtUOAeEyn4CkNdlQD0R7hRknm4IyI9sA5fyOr/JJs+Y
pW2AgZPJItVC66S8Cu1tnrqwijH6CV9hSIG1s9f8mGWdQkhMrCANHcUnL0A+D77Q
4XfRObcfApEJd6kjwl5xAZ3eYlgvzGpoOvjk6Km3D7DVhU/EeeRh7cE/R+cXS2Ce
GybV+mu71f1Vce54CL3hFRMZE8cOO5AniOHdBqtGpWCvBHiVVKB/XqTTzzRYTBXb
xEE0GMJH5GV9eHCk4UT/nsgTeKY1VC79QJzhpqR3iRE0/IOkwfZpbual1sUy2hfq
GsW8TD9idEdfd6k+t0KXkUMFa+xvnUEb2ISUSL7oGiEADqVmtYFYnx0uUEJV86qh
pG6yTinFxJk=
=QXc1
-----END PGP SIGNATURE-----