<div class="container">
<h1>Security update for haproxy</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20101-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-02-03T09:17:38Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1233973">bsc#1233973</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Cross-References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-53008.html">CVE-2024-53008</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-53008</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-53008</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-53008</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
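<p>The changelog below lists the fix for CVE-2024-53008, HTTP/3 request smuggling through malformed headers that HAProxy forwarded to a non-compliant HTTP/1.1 back end. As an added example that is not HAProxy's code and is not part of this advisory, the following C program shows the check such a front end needs on the HTTP/3-to-HTTP/1.1 downgrade path: every decoded field name and value is validated against what can safely sit on one HTTP/1.1 line before the request is re-serialized, and a request that fails is refused rather than forwarded. The type and function names (<code>struct hdr</code>, <code>h1_serialize_request</code>, <code>example_case</code>) and the sample requests are this example's own constructions; the name and value rules follow RFC 9110 and RFC 9114, not HAProxy's internal parser.</p>

```c
/* Added example, not HAProxy code: validate a decoded HTTP/3 header list
 * before re-serializing it as HTTP/1.1, the downgrade path abused by
 * CVE-2024-53008. Names must be lowercase tokens, values free of CR/LF/NUL,
 * :method a token, :scheme per RFC 3986, and the connection-specific fields
 * of RFC 9114 s4.2 make the message malformed. All names here are our own. */
#include <stdio.h>
#include <string.h>

struct hdr { const char *name; const char *value; size_t vlen; };

static int is_tchar(unsigned char c)                       /* RFC 9110 tchar */
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}
static int is_token(const char *s, size_t len)             /* non-empty token */
{
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (!is_tchar((unsigned char)s[i])) return 0;
    return 1;
}
static int scheme_valid(const char *s)   /* ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
{
    for (size_t i = 0; s[i]; i++) {
        int alpha = (s[i] >= 'a' && s[i] <= 'z') || (s[i] >= 'A' && s[i] <= 'Z');
        int digit = s[i] >= '0' && s[i] <= '9';
        if (i == 0 ? !alpha : !(alpha || digit || strchr("+-.", s[i])))
            return 0;
    }
    return s[0] != '\0';
}
/* H2/H3 names are already-lowercase tokens; RFC 9114 s4.2 fields never forward. */
static int h3_name_valid(const char *name)
{
    static const char *const banned[] = { "connection", "keep-alive",
        "proxy-connection", "transfer-encoding", "upgrade", NULL };
    if (!is_token(name, strlen(name))) return 0;
    for (const char *p = name; *p; p++)
        if (*p >= 'A' && *p <= 'Z') return 0;
    for (const char *const *b = banned; *b; b++)
        if (strcmp(name, *b) == 0) return 0;
    return 1;
}
/* A value placed on one HTTP/1.1 line must contain no CR, LF or NUL. */
static int h1_value_valid(const char *v, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (v[i] == '\r' || v[i] == '\n' || v[i] == '\0') return 0;
    return 1;
}

/* Build "METHOD path HTTP/1.1\r\nname: value\r\n...\r\n" into out. Returns the
 * byte count, or -1 when any field would give an ambiguous HTTP/1.1 message;
 * the caller must then refuse the request instead of forwarding it. */
int h1_serialize_request(const char *method, const char *scheme, const char *path,
                         const struct hdr *hdrs, size_t nhdr, char *out, size_t outsz)
{
    size_t plen = strlen(path), pos;
    if (!is_token(method, strlen(method)) || !scheme_valid(scheme)) return -1;
    if (plen == 0 || !h1_value_valid(path, plen) || memchr(path, ' ', plen)) return -1;
    int n = snprintf(out, outsz, "%s %s HTTP/1.1\r\n", method, path);
    if (n < 0 || (size_t)n >= outsz) return -1;
    pos = (size_t)n;
    for (size_t i = 0; i < nhdr; i++) {
        size_t nlen = strlen(hdrs[i].name), vlen = hdrs[i].vlen;
        if (!h3_name_valid(hdrs[i].name) || !h1_value_valid(hdrs[i].value, vlen)) return -1;
        if (pos + nlen + 4 + vlen + 3 > outsz) return -1;   /* ": ", CRLF, final CRLF NUL */
        memcpy(out + pos, hdrs[i].name, nlen);     pos += nlen;
        memcpy(out + pos, ": ", 2);                pos += 2;
        memcpy(out + pos, hdrs[i].value, vlen);    pos += vlen;
        memcpy(out + pos, "\r\n", 2);              pos += 2;
    }
    if (pos + 3 > outsz) return -1;
    memcpy(out + pos, "\r\n", 3);                              /* CRLF plus NUL */
    return (int)(pos + 2);
}

/* Constructed samples: case 0 is clean and serializes to 60 bytes; cases 1..4
 * (CRLF in a value, NUL in a value, Transfer-Encoding, CRLF in :method) return -1. */
int example_case(int which)
{
    static const char crlf[] = "a\r\nContent-Length: 0\r\n\r\nGET /admin HTTP/1.1\r\nhost: x";
    static const struct hdr host = { "host", "example.com", 11 };
    static const struct hdr bad[] = { { "x-note", crlf, sizeof crlf - 1 },
        { "host", "example.com\0.evil.test", 22 }, { "transfer-encoding", "chunked", 7 } };
    if (which < 0 || which > 4) return -1;
    struct hdr clean[] = { host, { "user-agent", "h3-client", 9 } };
    const char *method = which == 4 ? "GET / HTTP/1.1\r\nhost: a\r\n\r\nPOST" : "GET";
    const struct hdr *h = which == 0 ? clean : which == 4 ? &host : &bad[which - 1];
    char buf[256];
    return h1_serialize_request(method, "https", "/", h, which == 0 ? 2 : 1, buf, sizeof buf);
}

int main(void)
{
    for (int i = 0; i <= 4; i++)
        printf("case %d -> %d\n", i, example_case(i));
    return 0;
}
```

<p>Compile with <code>cc -std=c99 h3_downgrade.c</code> and run: case 0 serializes to 60 bytes, the other four return -1. The operational point is that the refusal has to happen at the HTTP/3 edge. A back end that tolerates a bare CR, LF or NUL inside a field value, or a field name followed by a space, will split the forwarded bytes into a different request than the proxy saw, and that difference is the smuggling primitive the CVE describes.</p>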
<h2>Description:</h2>
<p>This update for haproxy fixes the following issues:</p>
<p>Update to version 2.8.11+git0.01c1056a4:</p>
<ul>
<li>VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to an HTTP/1.1 non-compliant back-end server (bsc#1233973)</li>
<li>BUG/MINOR: cfgparse-listen: fix option httpslog override warning message</li>
<li>BUG/MEDIUM: promex: Wait to have the request before sending the response</li>
<li>BUG/MEDIUM: cache/stats: Wait to have the request before sending the response</li>
<li>BUG/MEDIUM: queue: implement a flag to check for the dequeuing</li>
<li>BUG/MINOR: clock: validate that now_offset still applies to the current date</li>
<li>BUG/MINOR: clock: make time jump corrections a bit more accurate</li>
<li>BUG/MINOR: polling: fix time reporting when using busy polling</li>
<li>BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state</li>
<li>BUG/MEDIUM: pattern: prevent UAF on reused pattern expr</li>
<li>BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()</li>
<li>BUG/MEDIUM: clock: detect and cover jumps during execution</li>
<li>REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load</li>
<li>DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line</li>
<li>BUG/MINOR: pattern: do not leave a leading comma on "set" error messages</li>
<li>BUG/MINOR: pattern: pat_ref_set: return 0 if err was found</li>
<li>BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity</li>
<li>BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full</li>
<li>BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path</li>
<li>BUG/MEDIUM: clock: also update the date offset on time jumps</li>
<li>DOC: config: correct the table for option tcplog</li>
<li>BUG/MINOR: h3: properly reject too long header responses</li>
<li>BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails</li>
<li>BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID</li>
<li>REGTESTS: mcli: test the pipelined commands on master CLI</li>
<li>BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI</li>
<li>MINOR: channel: implement ci_insert() function</li>
<li>BUG/MINOR: proto_tcp: keep error msg if listen() fails</li>
<li>BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails</li>
<li>BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE</li>
<li>BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion</li>
<li>BUG/MINOR: trace: automatically start in waiting mode with "start &lt;evt&gt;"</li>
<li>BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()</li>
<li>BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc</li>
<li>BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn</li>
<li>BUG/MINOR: fcgi-app: handle a possible strdup() failure</li>
<li>BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream</li>
<li>BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams</li>
<li>BUG/MEDIUM: http-ana: Report error on write error waiting for the response</li>
<li>BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content</li>
<li>BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set</li>
<li>BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered</li>
<li>BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli</li>
<li>BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready</li>
<li>BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn</li>
<li>MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)</li>
<li>BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()</li>
<li>MINOR: queue: add a function to check for TOCTOU after queueing</li>
<li>BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature</li>
<li>BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)</li>
<li>BUG/MINOR: cli: Atomically inc the global request counter between CLI commands</li>
<li>BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution</li>
<li>BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter</li>
<li>DOC: config: improve the http-keep-alive section</li>
<li>DOC: configuration: issuers-chain-path not compatible with OCSP</li>
<li>BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path</li>
<li>BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts</li>
<li>BUG/MINOR: session: Eval L4/L5 rules defined in the default section</li>
<li>BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past</li>
<li>BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread</li>
<li>BUG/MEDIUM: h1: Reject empty Transfer-encoding header</li>
<li>BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value</li>
<li>BUG/MINOR: h1: Fail to parse empty transfer coding names</li>
<li>BUG/MINOR: jwt: fix variable initialisation</li>
<li>DOC: configuration: update maxconn description</li>
<li>BUG/MINOR: jwt: don't try to load files with HMAC algorithm</li>
<li>MEDIUM: ssl: initialize the SSL stack explicitly</li>
<li>DOC: configuration: more details about the master-worker mode</li>
<li>BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking</li>
<li>BUG/MINOR: quic: fix race-condition on trace for CID retrieval</li>
<li>BUG/MINOR: quic: fix race condition in qc_check_dcid()</li>
<li>BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()</li>
<li>BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid</li>
<li>BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid</li>
<li>MINOR: activity: make the memory profiling hash size configurable at build time</li>
<li>BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()</li>
<li>BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure</li>
<li>BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure</li>
<li>BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission</li>
<li>DOC: api/event_hdl: small updates, fix an example and add some precisions</li>
<li>SCRIPTS: git-show-backports: do not truncate git-show output</li>
<li>DOC: configuration: fix alphabetical order of bind options</li>
<li>DOC: management: rename show stats domain cli "dns" to "resolvers"</li>
<li>DOC/MINOR: management: add missed -dR and -dv options</li>
<li>BUG/MINOR: proxy: fix header_unique_id leak on deinit()</li>
<li>BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit()</li>
<li>BUG/MINOR: proxy: fix dyncookie_key leak on deinit()</li>
<li>BUG/MINOR: proxy: fix check_{command,path} leak on deinit()</li>
<li>BUG/MINOR: proxy: fix log_tag leak on deinit()</li>
<li>BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit()</li>
<li>BUG/MINOR: quic: fix computed length of emitted STREAM frames</li>
<li>[RELEASE] Released version 2.8.10</li>
<li>BUG/MEDIUM: quic: don't blindly rely on unaligned accesses</li>
<li>BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe</li>
<li>BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1</li>
<li>BUG/MAJOR: server: do not delete srv referenced by session</li>
<li>MINOR: session: rename private conns elements</li>
<li>BUG/MEDIUM: quic: fix connection freeze on post handshake</li>
<li>BUG/MEDIUM: server: fix dynamic servers initial settings</li>
<li>BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+RSA configuration</li>
<li>CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()</li>
<li>BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path</li>
<li>BUG/MINOR: hlua: prevent LJMP in hlua_traceback()</li>
<li>BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage</li>
<li>BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP</li>
<li>CLEANUP: hlua: use hlua_pusherror() where relevant</li>
<li>BUG/MINOR: quic: prevent crash on qc_kill_conn()</li>
<li>BUG/MINOR: hlua: use CertCache.set() from various hlua contexts</li>
<li>BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory</li>
<li>BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser</li>
<li>BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning</li>
<li>BUG/MINOR: activity: fix Delta_calls and Delta_bytes count</li>
<li>BUG/MINOR: ssl/ocsp: init callback func ptr as NULL</li>
<li>CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp</li>
<li>BUILD: fd: errno is also needed without poll()</li>
<li>CI: scripts: fix build of vtest regarding option -C</li>
<li>REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs</li>
<li>DOC: config: fix incorrect section reference about custom log format</li>
<li>DOC: quic: specify that connection migration is not supported</li>
<li>BUG/MINOR: server: Don't reset resolver options on a new default-server line</li>
<li>BUG/MINOR: http-htx: Support default path during scheme based normalization</li>
<li>BUG/MINOR: quic: adjust restriction for stateless reset emission</li>
<li>MEDIUM: config: prevent communication with privileged ports</li>
<li>BUILD: quic: fix unused variable warning when threads are disabled</li>
<li>BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream</li>
<li>BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305</li>
<li>BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)</li>
<li>BUG/MINOR: connection: parse PROXY TLV for LOCAL mode</li>
<li>DOC: configuration: update the crt-list documentation</li>
<li>CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf</li>
<li>BUG/MINOR: stats: Don't state the 303 redirect response is chunked</li>
<li>BUG/MINOR: http-ana/stats: Specify that HTX redirect messages have a C-L header</li>
<li>BUG/MEDIUM: fd: prevent memory waste in fdtab array</li>
<li>BUILD: stick-tables: better mark the stktable_data as 32-bit aligned</li>
<li>BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme</li>
<li>BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found</li>
<li>BUG/MEDIUM: stick-tables: properly mark stktable_data as packed</li>
<li>BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned</li>
<li>BUG/MINOR: qpack: fix error code reported on QPACK decoding failure</li>
<li>BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3</li>
<li>BUG/MINOR: log: smp_rgs array issues with inherited global log directives</li>
<li>BUG/MINOR: log: keep the ref in dup_logger()</li>
<li>MINOR: log: add dup_logsrv() helper function</li>
<li>DOC: lua: fix filters.txt file location</li>
<li>BUG/MINOR: haproxy: only tid 0 must not sleep if got signal</li>
<li>BUILD: clock: improve check for pthread_getcpuclockid()</li>
<li>BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null</li>
<li>BUG/MINOR: h1: fix detection of upper bytes in the URI</li>
<li>BUG/MINOR: backend: use cum_sess counters instead of cum_conn</li>
<li>BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets</li>
<li>BUG/MINOR: sock: handle a weird condition with connect()</li>
<li>BUG/MINOR: stconn: Fix sc_mux_strm() return value</li>
<li>BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding</li>
<li>BUG/MINOR: server: fix slowstart behavior</li>
<li>BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached</li>
<li>BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame</li>
<li>BUG/MEDIUM: applet: Fix applet API to put input data in a buffer</li>
<li>BUG/MEDIUM: evports: do not clear returned events list on signal</li>
<li>BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered</li>
<li>BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses</li>
<li>MINOR: net_helper: Add support for floats/doubles.</li>
<li>CI: revert kernel addr randomization introduced in 3a0fc864</li>
<li>BUG/MEDIUM: peers/trace: fix crash when listing event types</li>
<li>BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented</li>
<li>BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values</li>
<li>BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fresh server connection</li>
<li>CLEANUP: log: lf_text_len() returns a pointer not an integer</li>
<li>BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()</li>
<li>BUG/MINOR: tools/log: invalid encode_{chunk,string} usage</li>
<li>BUG/MINOR: log: fix lf_text_len() truncate inconsistency</li>
<li>BUG/MINOR: listener: always assign distinct IDs to shards</li>
<li>BUG/MINOR: cli: Report an error to user if command or payload is too big</li>
<li>[RELEASE] Released version 2.8.9</li>
<li>BUILD: proxy: Replace free_logformat_list() to manually release log-format</li>
<li>[RELEASE] Released version 2.8.8</li>
<li>BUG/MINOR: proxy: fix logformat expression leak in use_backend rules</li>
<li>BUG/MINOR: backend: properly handle redispatch 0</li>
<li>BUG/MINOR: server: ignore 'enabled' for dynamic servers</li>
<li>BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n</li>
<li>MINOR: cli: Remove useless loop on commands to find unescaped semi-colon</li>
<li>MINOR: server: allow cookie for dynamic servers</li>
<li>BUG/MINOR: server: fix persistence cookie for dynamic servers</li>
<li>BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities</li>
<li>BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message</li>
<li>BUG/MINOR: server: 'source' interface ignored from 'default-server' directive</li>
<li>OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6}</li>
<li>BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block</li>
<li>BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet</li>
<li>BUG/MEDIUM: ssl: Fix crash in ocsp-update log function</li>
<li>BUG/MINOR: session: ensure conn owner is set after insert into session</li>
<li>BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small</li>
<li>CI: temporarily adjust kernel entropy to work with ASAN/clang</li>
<li>BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop</li>
<li>BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout</li>
<li>BUG/MINOR: listener: Don't schedule frontend without task in listener_release()</li>
<li>BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release</li>
<li>BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try)</li>
<li>MINOR: hlua: use accessors for stream hlua ctx</li>
<li>DEBUG: lua: precisely identify if stream is stuck inside lua or not</li>
<li>BUG/MINOR: hlua: fix missing lock in hlua_filter_delete()</li>
<li>BUG/MINOR: hlua: missing lock in hlua_filter_new()</li>
<li>BUG/MINOR: hlua: segfault when loading the same filter from different contexts</li>
<li>BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm()</li>
<li>DOC: configuration: clarify ciphersuites usage (V2)</li>
<li>BUILD: solaris: fix compilation errors</li>
<li>BUG/MINOR: cfgparse: report proper location for log-format-sd errors</li>
<li>BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description</li>
<li>CI: skip scheduled builds on forks</li>
<li>BUG/MINOR: sink: fix a race condition in the TCP log forwarding code</li>
<li>BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe()</li>
<li>BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()</li>
<li>BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP()</li>
<li>BUG/MINOR: hlua: improper lock usage in hlua_filter_new()</li>
<li>BUG/MINOR: hlua: improper lock usage in hlua_filter_callback()</li>
<li>BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load</li>
<li>BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts</li>
<li>BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack</li>
<li>BUG/MINOR: tools: seed the statistical PRNG slightly better</li>
<li>MINOR: hlua: Be able to disable logging from lua</li>
<li>BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel</li>
<li>BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener</li>
<li>DOC: configuration: clarify ciphersuites usage</li>
<li>LICENSE: http_ext: fix GPL license version</li>
<li>LICENSE: event_hdl: fix GPL license version</li>
<li>BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist</li>
<li>BUG/MINOR: ist: only store NUL byte on succeeded alloc</li>
<li>BUG/MINOR: quic: fix output of show quic</li>
<li>BUG/MAJOR: server: fix stream crash due to deleted server</li>
<li>BUG/MINOR: stats: drop srv refcount on early release</li>
<li>BUG/MINOR: ist: allocate nul byte on istdup</li>
<li>MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support</li>
<li>DOC: quic: fix recommendation for bind on multiple address</li>
<li>BUG/MEDIUM: quic: fix transient send error with listener socket</li>
<li>BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data</li>
<li>BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets</li>
<li>BUG/MEDIUM: applet: Immediately free appctx on early error</li>
<li>DOC: quic: Missing tuning setting in "Global parameters"</li>
<li>BUG/MINOR: qpack: reject invalid dynamic table capacity</li>
<li>BUG/MINOR: qpack: reject invalid increment count decoding</li>
<li>BUG/MINOR: quic: reject HANDSHAKE_DONE as server</li>
<li>BUG/MINOR: quic: reject unknown frame type</li>
<li>BUG/MAJOR: promex: fix crash on deleted server</li>
<li>MINOR: connection: add sample fetches to report per-connection glitches</li>
<li>MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES</li>
<li>MINOR: connection: add a new mux_ctl to report number of connection glitches</li>
<li>MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection</li>
<li>MINOR: mux-h2: always use h2c_report_glitch()</li>
<li>MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch</li>
<li>MINOR: mux-h2: count excess of CONTINUATION frames as a glitch</li>
<li>BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control</li>
<li>MINOR: mux-h2: add a counter of "glitches" on a connection</li>
<li>[RELEASE] Released version 2.8.7</li>
<li>BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI</li>
<li>[RELEASE] Released version 2.8.6</li>
<li>DEV: makefile: fix POSIX compatibility for "range" target</li>
<li>DEV: makefile: add a new "range" target to iteratively build all commits</li>
<li>CI: Update to actions/cache@v4</li>
<li>DOC: internal: update missing data types in peers-v2.0.txt</li>
<li>DOC: install: recommend pcre2</li>
<li>DOC: httpclient: add dedicated httpclient section</li>
<li>DOC: configuration: clarify http-request wait-for-body</li>
<li>BUILD: address a few remaining calloc(size, n) cases</li>
<li>BUG/MINOR: ext-check: cannot use without preserve-env</li>
<li>MINOR: ext-check: add an option to preserve environment variables</li>
<li>BUG/MINOR: diag: run the final diags before quitting when using -c</li>
<li>BUG/MINOR: diag: always show the version before dumping a diag warning</li>
<li>MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()</li>
<li>MINOR: quic: Add a counter for reordered packets</li>
<li>MINOR: quic: Dynamic packet reordering threshold</li>
<li>MINOR: quic: Update K CUBIC calculation (RFC 9438)</li>
<li>BUG/MEDIUM: quic: Wrong K CUBIC calculation.</li>
<li>MINOR: quic: Stop using 1024th of a second.</li>
<li>BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation</li>
<li>CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438)</li>
<li>BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit.</li>
<li>BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON</li>
<li>BUG/MEDIUM: qpack: allow 6xx..9xx status codes</li>
<li>BUG/MEDIUM: h3: do not crash on invalid response status code</li>
<li>MINOR: h3: add traces for stream sending function</li>
<li>BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf</li>
<li>MINOR: quic: extract qc_stream_buf free in a dedicated function</li>
<li>MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)</li>
<li>CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro.</li>
<li>BUG/MEDIUM: mux-quic: report early error on stream</li>
<li>BUG/MINOR: h3: fix checking on NULL Tx buffer</li>
<li>BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing</li>
<li>REGTESTS: ssl: Add OCSP related tests</li>
<li>REGTESTS: ssl: Fix empty line in cli command input</li>
<li>BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"</li>
<li>BUG/MINOR: ssl: Destroy ckch instances before the store during deinit</li>
<li>BUG/MEDIUM: ocsp: Separate refcount per instance and per store</li>
<li>MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid</li>
<li>BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line</li>
<li>BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch</li>
<li>BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call</li>
<li>BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions</li>
<li>BUG/MEDIUM: h1: always reject the NUL character in header values</li>
<li>BUG/MINOR: h1-htx: properly initialize the err_pos field</li>
<li>BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size</li>
<li>BUG/MINOR: h1: Don't support LF only at the end of chunks</li>
<li>BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up</li>
<li>BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending</li>
<li>BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush()</li>
<li>BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs</li>
<li>BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs</li>
<li>BUG/MINOR: vars/cli: fix missing LF after "get var" output</li>
<li>BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI</li>
<li>REGTESTS: add a test to ensure map-ordering is preserved</li>
<li>MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc</li>
<li>BUG/MEDIUM: mux-h2: refine connection vs stream error on headers</li>
<li>MINOR: mux-h2/traces: clarify the "rejected H2 request" event</li>
<li>MINOR: mux-h2/traces: explicitly show the error/refused stream states</li>
<li>MINOR: mux-h2/traces: also suggest invalid header upon parsing error</li>
<li>MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT</li>
<li>MINOR: debug: make ABORT_NOW() store the caller's line number when using abort</li>
<li>MINOR: debug: make sure calls to ha_crash_now() are never merged</li>
<li>MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding</li>
<li>BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)</li>
<li>BUG/MINOR: mux-h2: also count streams for refused ones</li>
<li>BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control</li>
<li>DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay</li>
<li>MINOR: mux-h2: support limiting the total number of H2 streams per connection</li>
<li>BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up</li>
<li>BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable</li>
<li>BUG/MEDIUM: h3: fix incorrect snd_buf return value</li>
<li>CLEANUP: quic: Remaining useless code into server part</li>
<li>BUG/MINOR: h3: close connection on sending alloc errors</li>
<li>BUG/MINOR: h3: properly handle alloc failure on finalize</li>
<li>BUG/MINOR: h3: close connection on header list too big</li>
<li>MINOR: h3: check connection error during sending</li>
<li>BUG/MINOR: quic: Missing call to TLS message callbacks</li>
<li>BUG/MINOR: quic: Wrong keylog callback setting.</li>
<li>BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission</li>
<li>BUG/MEDIUM: stats: unhandled switching rules with TCP frontend</li>
<li>MINOR: stats: store the parent proxy in stats ctx (http)</li>
<li>DOC: config: Update documentation about local haproxy response</li>
<li>BUG/MINOR: resolvers: default resolvers fails when network not configured</li>
<li>BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty</li>
<li>BUG/MEDIUM: quic: QUIC CID removed from tree without locking</li>
<li>BUG/MEDIUM: quic: Possible buffer overflow when building TLS records</li>
<li>BUG/MINOR: mworker/cli: fix set severity-output support</li>
<li>DOC: configuration: typo req.ssl_hello_type</li>
<li>[RELEASE] Released version 2.8.5</li>
<li>BUG/MEDIUM: proxy: always initialize the default settings after init</li>
<li>BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certificate (LUA)</li>
<li>BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certificate</li>
<li>MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback</li>
<li>BUG/MINOR: ssl: Double free of OCSP Certificate ID</li>
<li>BUG/MINOR: quic: Packet number spaces too lately initialized</li>
<li>BUG/MINOR: quic: Missing QUIC connection path member initialization</li>
<li>BUG/MINOR: quic: Possible leak of TX packets under heavy load</li>
<li>BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load</li>
<li>BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed</li>
<li>BUG/MEDIUM: peers: fix partial message decoding</li>
<li>DOC: Clarify the differences between field() and word()</li>
<li>BUG/MINOR: sample: Make the <code>word</code> converter compatible with <code>-m found</code></li>
<li>REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter</li>
<li>DOC: config: fix monitor-fail typo</li>
<li>DOC: config: add matrix entry for "max-session-srv-conns"</li>
<li>DOC: config: specify supported sections for "max-session-srv-conns"</li>
<li>BUG/MINOR: cfgparse-listen: fix warning being reported as an alert</li>
<li>BUG/MINOR: config: Stopped parsing upon unmatched environment variables</li>
<li>BUG/MINOR: quic_tp: fix preferred_address decoding</li>
<li>DOC: config: fix missing characters in set-spoe-group action</li>
<li>BUG/MINOR: h3: always reject PUSH_PROMISE</li>
<li>BUG/MINOR: h3: fix TRAILERS encoding</li>
<li>BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1</li>
<li>BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request()</li>
<li>BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding</li>
<li>DOC: lua: fix Proxy.get_mode() output</li>
<li>DOC: lua: add sticktable class reference from Proxy.stktable</li>
<li>REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY</li>
<li>DOC: config: fix timeout check inheritance restrictions</li>
<li>DOC: 51d: updated 51Degrees repo URL for v3.2.10</li>
<li>BUG/MINOR: server: do not leak default-server in defaults sections</li>
<li>BUG/MINOR: quic: Possible RX packet memory leak under heavy load</li>
<li>BUG/MEDIUM: quic: Possible crash for connections to be killed</li>
<li>BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them</li>
<li>BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly</li>
<li>REGTESTS: http: add a test to validate chunked responses delivery</li>
<li>BUG/MINOR: proxy/stktable: missing frees on proxy cleanup</li>
<li>MINOR: stktable: add stktable_deinit function</li>
<li>BUG/MINOR: stream/cli: report correct stream age in "show sess"</li>
<li>BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover()</li>
<li>BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover()</li>
<li>BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover()</li>
<li>BUG/MAJOR: quic: complete thread migration before tcp-rules</li>
<li>[RELEASE] Released version 2.8.4</li>
<li>BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends</li>
<li>BUG/MINOR: stconn/applet: Report send activity only if there was output data</li>
<li>BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer</li>
<li>BUG/MINOR: stconn: Fix streamer detection for HTX streams</li>
<li>MINOR: channel: Add functions to get info on buffers and deal with HTX streams</li>
<li>MINOR: htx: Use a macro for overhead induced by HTX</li>
<li>BUG/MEDIUM: stconn: Update fsb date on partial sends</li>
<li>BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented</li>
<li>BUG/MEDIUM: mworker: set the master variable earlier</li>
<li>BUG/MEDIUM: applet: Report a send activity every time data were sent</li>
<li>BUG/MEDIUM: stconn: Report a send activity every time data were sent</li>
<li>REGTESTS: http: Improve script testing abortonclose option</li>
<li>BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only</li>
<li>MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and subscribe for reads</li>
<li>MINOR: connection: Add a CTL flag to notify mux it should wait for reads again</li>
<li>BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up</li>
<li>BUG/MEDIUM: connection: report connection errors even when no mux is installed</li>
<li>DOC: quic: Wrong syntax for "quic-cc-algo" keyword.</li>
<li>BUG/MINOR: sink: don't learn srv port from srv addr</li>
<li>BUG/MEDIUM: applet: Remove appctx from buffer wait list on release</li>
<li>DOC: config: use the word 'backend' instead of 'proxy' in 'track' description</li>
<li>BUG/MINOR: quic: fix retry token check inconsistency</li>
<li>DOC: management: -q is quiet all the time</li>
<li>BUG/MEDIUM: stconn: Don't update stream expiration date if already expired</li>
<li>BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures</li>
<li>BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets</li>
<li>BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree</li>
<li>BUG/MINOR: quic: idle timer task requeued in the past</li>
<li>BUG/MEDIUM: pool: fix releasable pool calculation when overloaded</li>
<li>BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period</li>
<li>BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts</li>
<li>BUG/MINOR: stick-table/cli: Check for invalid ipv4 key</li>
<li>BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure</li>
<li>BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure</li>
<li>CLEANUP: htx: Properly indent htx_reserve_max_data() function</li>
<li>BUG/MINOR: stconn: Sanitize report for read activity</li>
<li>BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room()</li>
<li>BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot expire</li>
<li>BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range()</li>
<li>BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure</li>
<li>BUG/MINOR: stktable: missing free in parse_stick_table()</li>
<li>BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure</li>
<li>BUG/MEDIUM: ssl: segfault when cipher is NULL</li>
<li>BUG/MINOR: mux-quic: fix early close if unset client timeout</li>
<li>BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA</li>
<li>MEDIUM: quic: count quic_conn for global sslconns</li>
<li>MEDIUM: quic: count quic_conn instance for maxconn</li>
<li>MINOR: frontend: implement a dedicated actconn increment function</li>
<li>BUG/MINOR: ssl: use a thread-safe sslconns increment</li>
<li>BUG/MINOR: quic: do not consider idle timeout on CLOSING state</li>
<li>BUG/MEDIUM: server: "proto" not working for dynamic servers</li>
<li>MINOR: connection: add conn_pr_mode_to_proto_mode() helper func</li>
<li>DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder</li>
<li>MINOR: lua: Add flags to configure logging behaviour</li>
<li>BUG/MINOR: ssl: load correctly @system-ca when ca-base is defined</li>
<li>DOC: internal: filters: fix reference to entities.pdf</li>
<li>BUG/MINOR: mux-h2: update tracked counters with req cnt/req err</li>
<li>BUG/MINOR: mux-h2: commit the current stream ID even on reject</li>
<li>BUG/MEDIUM: peers: Fix synchro for huge number of tables</li>
<li>BUG/MEDIUM: peers: Be sure to always refresh reconnect timer in sync task</li>
<li>BUG/MINOR: trace: fix trace parser error reporting</li>
<li>BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again</li>
<li>BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending</li>
<li>BUG/MINOR: mux-h2: make up other blocked streams upon removal from list</li>
<li>BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request</li>
<li>BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash</li>
<li>BUG/MINOR: mux-quic: fix free on qcs-new fail alloc</li>
<li>BUG/MINOR: h3: strengthen host/authority header parsing</li>
<li>BUG/MINOR: mux-quic: support initial 0 max-stream-data</li>
<li>BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream</li>
<li>BUG/MINOR: quic: reject packet with no frame</li>
<li>BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos</li>
<li>BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()</li>
<li>BUG/MINOR: hq-interop: simplify parser requirement</li>
<li>BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set</li>
<li>BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set</li>
<li>BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried</li>
<li>BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only</li>
<li>MINOR: hlua: Test the hlua struct first when the lua socket is connecting</li>
<li>MINOR: hlua: Save the lua socket's server in its context</li>
<li>MINOR: hlua: Save the lua socket's timeout in its context</li>
<li>MINOR: hlua: Don't perform operations on a not connected socket</li>
<li>MINOR: hlua: Set context's appctx when the lua socket is created</li>
<li>BUG/MEDIUM: http-ana: Try to handle response before handling server abort</li>
<li>BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed</li>
<li>BUG/MEDIUM: actions: always apply a longest match on prefix lookup</li>
<li>BUG/MINOR: mux-quic: remove full demux flag on ncbuf release</li>
<li>BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams</li>
<li>MINOR: pattern: fix pat_{parse,match}_ip() function comments</li>
<li>BUG/MINOR: server: add missing free for server->rdr_pfx</li>
<li>BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers</li>
<li>BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API</li>
<li>BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1</li>
<li>BUG/MINOR: promex: fix backend_agg_check_status</li>
<li>BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records</li>
<li>BUG/MINOR: hlua/init: coroutine may not resume itself</li>
<li>BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume()</li>
<li>CI: musl: drop shopt in workflow invocation</li>
<li>CI: musl: highlight section if there are coredumps</li>
<li>Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"</li>
<li>BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread</li>
<li>MINOR: hlua: add hlua_stream_ctx_prepare helper function</li>
<li>BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT</li>
<li>BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code</li>
<li>BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind</li>
<li>BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help</li>
<li>MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option</li>
<li>MINOR: quic+openssl_compat: Do not start without "limited-quic"</li>
<li>MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"</li>
<li>BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels</li>
<li>DOC: quic: Add "limited-quic" new tuning setting</li>
<li>MINOR: quic: Add "limited-quic" new tuning setting</li>
<li>MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.</li>
<li>MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct</li>
<li>MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()</li>
<li>MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper</li>
<li>MINOR: quic: Export some KDF functions (QUIC-TLS)</li>
<li>MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper</li>
<li>MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()</li>
<li>MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()</li>
<li>MINOR: quic: Do not enable 0-RTT with USE_QUIC_OPENSSL_COMPAT</li>
<li>MINOR: quic: Include QUIC openssl wrapper header from TLS stacks compatibility header</li>
<li>MINOR: quic: QUIC openssl wrapper implementation</li>
<li>BUG/MINOR: quic: Wrong cluster secret initialization</li>
<li>BUG/MINOR: quic: Leak of frames to send.</li>
<li>BUILD: bug: make BUG_ON() void to avoid a rare warning</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-163=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>haproxy-debuginfo-2.8.11+git0.01c1056a4-1.1</li>
<li>haproxy-2.8.11+git0.01c1056a4-1.1</li>
<li>haproxy-debugsource-2.8.11+git0.01c1056a4-1.1</li>
</ul>
</li>
</ul>
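<p>A fleet-wide way to confirm that hosts actually carry the fixed build is to compare the installed haproxy version-release against the package listed above. The script below is an added example, not SUSE or HAProxy tooling: it re-implements rpm's segment-wise version ordering (the rpmvercmp rules, so that <code>2.8.11+git0.01c1056a4</code> correctly sorts after a plain <code>2.8.11</code> and <code>1.0~rc1</code> before <code>1.0</code>) so the comparison runs without librpm, and it queries the live package with <code>rpm -q</code> only when rpm is on PATH. The fixed version-release is taken from the Package List; the sample version strings in <code>main</code> are constructed. <code>zypper patch</code> remains the authoritative way to apply the update.</p>

```python
"""Check whether an installed haproxy RPM is at or above the fixed build from
SUSE-SU-2025:20101-1.  Added example, not SUSE/HAProxy code: rpm ordering is
re-implemented here so the check also runs on hosts without librpm."""
import re
import subprocess

# Version-release of the fixed package, from the advisory's Package List.
FIXED_VR = "2.8.11+git0.01c1056a4-1.1"


def _take(s: str, pattern: str) -> str:
    m = re.match(pattern, s)
    return m.group(0) if m else ""


def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 like rpm's rpmvercmp(): walk alphanumeric segments left to right;
    digit runs compare numerically, letter runs lexically, numeric beats alpha;
    '~' sorts before anything, '^' after the base but before further segments;
    whichever string still has segments left is newer."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (anything but alphanumerics, '~' and '^') are skipped.
        one = re.sub(r"^[^A-Za-z0-9~^]+", "", one)
        two = re.sub(r"^[^A-Za-z0-9~^]+", "", two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        isnum = one[0].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg1, seg2 = _take(one, pat), _take(two, pat)
        if not seg2:  # segment types differ: numeric is newer than alpha
            return 1 if isnum else -1
        s1, s2 = (seg1.lstrip("0"), seg2.lstrip("0")) if isnum else (seg1, seg2)
        if isnum and len(s1) != len(s2):
            return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        one, two = one[len(seg1):], two[len(seg2):]
    if not one and not two:
        return 0
    return -1 if not one else 1


def split_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.rpartition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    for x, y in zip(split_evr(a), split_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when the installed version-release is the fixed build or newer."""
    return evrcmp(installed_vr, fixed_vr) >= 0


def installed_haproxy_vr():
    """Version-release of the installed haproxy package, or None if rpm or the package is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "haproxy"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    # Constructed sample values standing in for `rpm -q` output on various hosts.
    for vr in ("2.8.9-150600.3.3.1", "2.8.11-1.1", FIXED_VR, "2.8.12-1.1"):
        print(f"{vr:32s} {'fixed' if is_fixed(vr) else 'NOT fixed'}")
    live = installed_haproxy_vr()
    if live is not None:
        print(f"installed: {live} -> {'fixed' if is_fixed(live) else 'NOT fixed'}")
```

Note that a plain <code>2.8.11-1.1</code> is reported as not fixed: under rpm ordering the <code>+git0.01c1056a4</code> suffix is an extra segment, so the snapshot sorts after the bare release it was cut from.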
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-53008.html">https://www.suse.com/security/cve/CVE-2024-53008.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1233973">https://bugzilla.suse.com/show_bug.cgi?id=1233973</a>
</li>
</ul>
</div>