SUSE-RU-2026:21227-1: moderate: Recommended update for haproxy
SLE-UPDATES
null at suse.de
Tue Apr 21 12:30:08 UTC 2026
# Recommended update for haproxy
Announcement ID: SUSE-RU-2026:21227-1
Release Date: 2026-04-17T15:13:18Z
Rating: moderate
References:
* bsc#1261626
Affected Products:
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that has one fix can now be installed.
## Description:
This update for haproxy fixes the following issues:
* Update to version 3.2.15+git64.0fc44b458:
* BUG/MINOR: hlua: fix use-after-free of HTTP reason string
* BUG/MINOR: sample: fix info leak in regsub when exp_replace fails
* BUG/MINOR: spoe: fix pointer arithmetic overflow in spoe_decode_buffer()
* BUG/MINOR: resolvers: fix memory leak on AAAA additional records
* BUG/MINOR: peers: fix OOB heap write in dictionary cache update
* BUG/MINOR: hlua: fix format-string vulnerability in Patref error path
* BUG/MINOR: hlua: fix stack overflow in httpclient headers conversion
* BUG/MINOR: http-act: fix a typo in the "pause" action error message
* BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature"
* BUG/MINOR: cfgcond: always set the error string on openssl_version checks
* BUG/MINOR: cfgcond: properly set the error pointer on evaluation error
* BUG/MINOR: quic: fix documentation for transport params decoding
* BUG/MINOR: tcpcheck: Use tcpcheck context for expressions parsing
* BUG/MINOR: tcpcheck: Don't enable http_needed when parsing HTTP samples
* BUG/MINOR: tcpcheck: Remove unexpected flag on tcpcheck rules for httchck option
* BUG/MINOR: stconn: Always declare the SC created from healthchecks as a back SC
* BUG/MINOR: quic: close conn on packet reception with incompatible frame
* BUG/MINOR: acme: fix task allocation leaked upon error
* BUG/MINOR: http-ana: Only consider client abort for abortonclose
* BUG/MINOR: config: Properly test warnif_misplaced_* return values
* BUG/MINOR: acme: permission checks on the CLI
* BUG/MINOR: acme/cli: fix argument check and error in 'acme challenge_ready'
* BUG/MINOR: acme: replace atol with len-bounded __strl2uic() for retry-after
* BUG/MINOR: acme: free() DER buffer on a2base64url error path
* BUG/MINOR: acme: fix incorrect number of arguments allowed in config
* BUG/MINOR: acme: wrong labels logic always memprintf errmsg
* BUG/MINOR: acme: acme_ctx_destroy() leaks auth dns
* BUG/MINOR: acme/cli: wrong argument check in 'acme renew'
* BUG/MINOR: acme: wrong error when checking for duplicate section
* BUG/MINOR: acme: leak of ext_san upon insertion error
* BUG/MINOR: qpack: fix 62-bit overflow and 1-byte OOB reads in decoding
* BUG/MINOR: sock: adjust accept() error messages for ENFILE and ENOMEM
* BUG/MINOR: mworker: fix sort order of mworker_proc in 'show proc'
* BUG/MINOR: mworker/cli: fix show proc pagination losing entries on resume
* BUG/MINOR: mux-h2: properly ignore R bit in WINDOW_UPDATE increments
* BUG/MINOR: mux-h2: properly ignore R bit in GOAWAY stream ID
* BUG/MINOR: mworker: don't try to access an initializing process
* BUG/MINOR: spoe: Fix condition to abort processing on client abort
* BUG/MINOR: mjson: make mystrtod() length-aware to prevent out-of-bounds reads
* BUG/MINOR: stream: Fix crash in stream dump if the current rule has no keyword
* BUG/MINOR: proxy: do not forget to validate quic-initial rules
* BUG/MINOR: http-ana: Swap L7 buffer with request buffer by hand
* BUG/MINOR: h2/h3: Never insert partial headers/trailers in an HTX message
* BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX messag
* BUG/MINOR: spoe: Properly switch SPOE filter to WAITING_ACK state
* BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS
* BUG/MINOR: mworker: avoid passing NULL version in proc list serialization
* BUG/MINOR: mworker: set a timeout on the worker socketpair read at startup
* BUG/MINOR: mworker: fix typo in proc list serialization
* BUG/MINOR: mworker: only match worker processes when looking for unspawned proc
* BUG/MINOR: memprof: avoid a small memory leak in "show profiling"
* BUG/MINOR: mworker: always stop the receiving listener
* BUG/MINOR: jws: fix memory leak in jws_b64_signature
* BUG/MINOR: tcpcheck: Fix typo in error error message for `http-check expect`
* BUG/MINOR: mworker: don't set the PROC_O_LEAVING flag on master process
* BUG/MEDIUM: mux-fcgi: prevent record-length truncation with large bufsize
* BUG/MEDIUM: samples: Fix handling of SMP_T_METH samples
* BUG/MEDIUM: jwt: fix heap overflow in ECDSA signature DER conversion
* BUG/MEDIUM: payload: validate SNI name_len in req.ssl_sni
* BUG/MEDIUM: mux-h1: Disable 0-copy forwarding when draining the request
* BUG/MEDIUM: mux-h1: Don't set MSG_MORE on bodyless responses forwarded to client
* BUG/MEDIUM: map/cli: map/acl commands warn when accessed without admin level
* BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level
* BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level
* BUG/MEDIUM: acme: skip doing challenge if it is already valid
* BUG/MEDIUM: spoe: Acquire context buffer in applet before consuming a frame
* BUG/MEDIUM: acme: fix multiple resource leaks in acme_x509_req()
* BUG/MEDIUM: h3: reject unaligned frames except DATA
* BUG/MEDIUM: peers: enforce check on incoming table key type
* BUG/MEDIUM: spoe: Properly abort processing on client abort
* BUG/MAJOR: slz: always make sure to limit fixed output to less than worst case literals (bsc#1261626)
* BUG/MAJOR: h3: check body size with content-length on empty FIN
* BUG: hlua: fix stack overflow in httpclient headers conversion
* DOC: config: fix ambiguous info in log-steps directive description
* DOC: config: Reorder params for 'tcp-check expect' directive
* DOC: config: Add missing 'status-code' param for 'http-check expect' directive
* DOC/CLEANUP: config: update mentions of the old "Global parameters" section
* DOC: configuration: http-check expect example typo
* SCRIPTS: git-show-backports: list new commits and how to review them with -L
* MINOR: mux-h2: report glitches on early RST_STREAM
* MINOR: stconn: flag the stream endpoint descriptor when the app has started
* MINOR: ncbmbuf: improve itbmap_next() code
* CI: github: fix tag listing by implementing proper API pagination
* BUILD: tools: potential null pointer dereference in dl_collect_libs_cb
* BUILD: spoe: Remove unsused variable
* Revert "BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream"
* BUILD: sched: fix leftover of debugging test in single-run changes
* MINOR: mux-h2: assign a limited frames processing budget
* MINOR: mworker/cli: extract worker "show proc" row printer
* MINOR: debug: opportunistically load libthread_db.so.1 with set-dumpable=libs
* MINOR: debug: copy debug symbols from /usr/lib/debug when present
* MINOR: debug: read all libs in memory when set-dumpable=libs
* MINOR: config: support explicit "on" and "off" for "set-dumpable"
* MINOR: tools: add a function to load a file into a tar archive
* MINOR: tools: add a function to create a tar file header
* MINOR: sched: do not punish self-waking tasklets anymore
* MINOR: sched: do not requeue a tasklet into the current queue
* MINOR: htx: Add function to truncate all blocks after a specific block
* MINOR: memprof: attempt different retry slots for different hashes on collision
* MINOR: tools: extend the pointer hashing code to ease manipulations
* MEDIUM: sched: change scheduler budgets to lower TL_BULK
* MEDIUM: sched: do not punish self-waking tasklets if TASK_WOKEN_ANY
* MEDIUM: sched: do not run a same task multiple times in series
* [RELEASE] Released version 3.2.15
* CI: github: treat vX.Y.Z release tags as stable like haproxy-* branches
* DEV: gdb: add a new utility to extract libs from a core dump: libs-from-core
* DEV: gdb: add a utility to find the post-mortem address from a core
* Update to version 3.2.14+git0.951507193:
* [RELEASE] Released version 3.2.14
* SCRIPTS: git-show-backports: add a restart-from-last option
* SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode
* BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server
* BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures
* BUG/MINOR: ssl: error with ssl-f-use when no "crt"
* BUG/MINOR: ssl: clarify ssl-f-use errors in post-section parsing
* BUG/MINOR: ssl: fix leak in ssl-f-use parser upon error
* BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser
* BUG/MINOR: ssl: lack crtlist_dup_ssl_conf() declaration
* BUG/MINOR: deviceatlas: set cache_size on hot-reloaded atlas instance
* BUG/MINOR: deviceatlas: fix deinit to only finalize when initialized
* BUG/MINOR: deviceatlas: fix resource leak on hot-reload compile failure
* BUG/MINOR: deviceatlas: fix double-checked locking race in checkinst
* BUG/MINOR: deviceatlas: fix cookie vlen using wrong length after extraction
* BUG/MINOR: deviceatlas: fix off-by-one in da_haproxy_conv()
* BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
* BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()
* BUG/MINOR: promex: fix server iteration when last server is deleted
* BUG/MINOR: http-ana: Stop to wait for body on client error/abort
* BUG/MINOR: flt-trace: Properly compute length of the first DATA block
* BUG/MINOR: deviceatlas: add NULL checks on strdup() results in config parsers
* BUG/MINOR: deviceatlas: add missing return on error in config parsers
* BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending
* BUG/MEDIUM: hpack: correctly deal with too large decoded numbers
* BUG/MEDIUM: stream: Handle TASK_WOKEN_RES as a stream event
* BUG/MEDIUM: qpack: correctly deal with too large decoded numbers
* BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream
* BUG/MEDIUM: applet: Fix test on shut flags for legacy applets (v2)
* BUG/MEDIUM: mux-h1: Stop sending vi fast-forward for unexpected states
* BUG/MEDIUM: mux-h2/quic: Stop sending via fast-forward if stream is closed
* BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented
* BUG/MEDIUM: deviceatlas: fix resource leaks on init error paths
* BUG/MAJOR: Revert "MEDIUM: mux-quic: add BUG_ON if sending on locally closed QCS"
* BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
* BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
* BUG/MAJOR: qpack: unchecked length passed to huffman decoder
* MINOR: filters: Set last_entity when a filter fails on stream_start callback
* MINOR: mux-h2: add a new setting, "tune.h2.log-errors" to tweak error logging
* MINOR: mux-h2: also count glitches on invalid trailers
* MINOR: stconn: Add missing SC_FL_NO_FASTFWD flag in sc_show_flags
* DEBUG: stream: Display the currently running rule in stream dump
* [RELEASE] Released version 3.2.13
* CLEANUP: mux-h1: Remove unneeded null check
* CLEANUP: compression: Remove unused static buffers
* CI: github: disable windows.yml by default on unofficials repo
* CI: vtest: move the vtest2 URL to vinyl-cache.org
* DEV: term-events: Fix hanshake events decoding
* DOC: proxy-proto: underline the packed attribute for struct pp2_tlv_ssl
* DOC: internals: addd mworker V3 internals
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server for SAP applications 16.0
  `zypper in -t patch SUSE-SLES-16.0-588=1`
## Package List:
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
  * haproxy-debuginfo-3.2.15+git64.0fc44b458-160000.1.1
  * haproxy-debugsource-3.2.15+git64.0fc44b458-160000.1.1
  * haproxy-3.2.15+git64.0fc44b458-160000.1.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1261626