<div class="container">
<h1>Recommended update for haproxy</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2026:21227-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-04-17T15:13:18Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261626">bsc#1261626</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server for SAP applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for haproxy fixes the following issues:</p>
<ul>
<li>Update to version 3.2.15+git64.0fc44b458:<ul>
<li>BUG/MINOR: hlua: fix use-after-free of HTTP reason string</li>
<li>BUG/MINOR: sample: fix info leak in regsub when exp_replace fails</li>
<li>BUG/MINOR: spoe: fix pointer arithmetic overflow in spoe_decode_buffer()</li>
<li>BUG/MINOR: resolvers: fix memory leak on AAAA additional records</li>
<li>BUG/MINOR: peers: fix OOB heap write in dictionary cache update</li>
<li>BUG/MINOR: hlua: fix format-string vulnerability in Patref error path</li>
<li>BUG/MINOR: hlua: fix stack overflow in httpclient headers conversion</li>
<li>BUG/MINOR: http-act: fix a typo in the "pause" action error message</li>
<li>BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature"</li>
<li>BUG/MINOR: cfgcond: always set the error string on openssl_version checks</li>
<li>BUG/MINOR: cfgcond: properly set the error pointer on evaluation error</li>
<li>BUG/MINOR: quic: fix documentation for transport params decoding</li>
<li>BUG/MINOR: tcpcheck: Use tcpcheck context for expressions parsing</li>
<li>BUG/MINOR: tcpcheck: Don't enable http_needed when parsing HTTP samples</li>
<li>BUG/MINOR: tcpcheck: Remove unexpected flag on tcpcheck rules for httchck option</li>
<li>BUG/MINOR: stconn: Always declare the SC created from healthchecks as a back SC</li>
<li>BUG/MINOR: quic: close conn on packet reception with incompatible frame</li>
<li>BUG/MINOR: acme: fix task allocation leaked upon error</li>
<li>BUG/MINOR: http-ana: Only consider client abort for abortonclose</li>
<li>BUG/MINOR: config: Properly test warnif_misplaced_* return values</li>
<li>BUG/MINOR: acme: permission checks on the CLI</li>
<li>BUG/MINOR: acme/cli: fix argument check and error in 'acme challenge_ready'</li>
<li>BUG/MINOR: acme: replace atol with len-bounded __strl2uic() for retry-after</li>
<li>BUG/MINOR: acme: free() DER buffer on a2base64url error path</li>
<li>BUG/MINOR: acme: fix incorrect number of arguments allowed in config</li>
<li>BUG/MINOR: acme: wrong labels logic always memprintf errmsg</li>
<li>BUG/MINOR: acme: acme_ctx_destroy() leaks auth dns</li>
<li>BUG/MINOR: acme/cli: wrong argument check in 'acme renew'</li>
<li>BUG/MINOR: acme: wrong error when checking for duplicate section</li>
<li>BUG/MINOR: acme: leak of ext_san upon insertion error</li>
<li>BUG/MINOR: qpack: fix 62-bit overflow and 1-byte OOB reads in decoding</li>
<li>BUG/MINOR: sock: adjust accept() error messages for ENFILE and ENOMEM</li>
<li>BUG/MINOR: mworker: fix sort order of mworker_proc in 'show proc'</li>
<li>BUG/MINOR: mworker/cli: fix show proc pagination losing entries on resume</li>
<li>BUG/MINOR: mux-h2: properly ignore R bit in WINDOW_UPDATE increments</li>
<li>BUG/MINOR: mux-h2: properly ignore R bit in GOAWAY stream ID</li>
<li>BUG/MINOR: mworker: don't try to access an initializing process</li>
<li>BUG/MINOR: spoe: Fix condition to abort processing on client abort</li>
<li>BUG/MINOR: mjson: make mystrtod() length-aware to prevent out-of-bounds reads</li>
<li>BUG/MINOR: stream: Fix crash in stream dump if the current rule has no keyword</li>
<li>BUG/MINOR: proxy: do not forget to validate quic-initial rules</li>
<li>BUG/MINOR: http-ana: Swap L7 buffer with request buffer by hand</li>
<li>BUG/MINOR: h2/h3: Never insert partial headers/trailers in an HTX message</li>
<li>BUG/MINOR: h2/h3: Only test number of trailers inserted in HTX messag</li>
<li>BUG/MINOR: spoe: Properly switch SPOE filter to WAITING_ACK state</li>
<li>BUG/MINOR: sockpair: set FD_CLOEXEC on fd received via SCM_RIGHTS</li>
<li>BUG/MINOR: mworker: avoid passing NULL version in proc list serialization</li>
<li>BUG/MINOR: mworker: set a timeout on the worker socketpair read at startup</li>
<li>BUG/MINOR: mworker: fix typo in proc list serialization</li>
<li>BUG/MINOR: mworker: only match worker processes when looking for unspawned proc</li>
<li>BUG/MINOR: memprof: avoid a small memory leak in "show profiling"</li>
<li>BUG/MINOR: mworker: always stop the receiving listener</li>
<li>BUG/MINOR: jws: fix memory leak in jws_b64_signature</li>
<li>BUG/MINOR: tcpcheck: Fix typo in error error message for <code>http-check expect</code></li>
<li>BUG/MINOR: mworker: don't set the PROC_O_LEAVING flag on master process</li>
<li>BUG/MEDIUM: mux-fcgi: prevent record-length truncation with large bufsize</li>
<li>BUG/MEDIUM: samples: Fix handling of SMP_T_METH samples</li>
<li>BUG/MEDIUM: jwt: fix heap overflow in ECDSA signature DER conversion</li>
<li>BUG/MEDIUM: payload: validate SNI name_len in req.ssl_sni</li>
<li>BUG/MEDIUM: mux-h1: Disable 0-copy forwarding when draining the request</li>
<li>BUG/MEDIUM: mux-h1: Don't set MSG_MORE on bodyless responses forwarded to client</li>
<li>BUG/MEDIUM: map/cli: map/acl commands warn when accessed without admin level</li>
<li>BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level</li>
<li>BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level</li>
<li>BUG/MEDIUM: acme: skip doing challenge if it is already valid</li>
<li>BUG/MEDIUM: spoe: Acquire context buffer in applet before consuming a frame</li>
<li>BUG/MEDIUM: acme: fix multiple resource leaks in acme_x509_req()</li>
<li>BUG/MEDIUM: h3: reject unaligned frames except DATA</li>
<li>BUG/MEDIUM: peers: enforce check on incoming table key type</li>
<li>BUG/MEDIUM: spoe: Properly abort processing on client abort</li>
<li>BUG/MAJOR: slz: always make sure to limit fixed output to less than worst case literals (bsc#1261626)</li>
<li>BUG/MAJOR: h3: check body size with content-length on empty FIN</li>
<li>BUG: hlua: fix stack overflow in httpclient headers conversion</li>
<li>DOC: config: fix ambiguous info in log-steps directive description</li>
<li>DOC: config: Reorder params for 'tcp-check expect' directive</li>
<li>DOC: config: Add missing 'status-code' param for 'http-check expect' directive</li>
<li>DOC/CLEANUP: config: update mentions of the old "Global parameters" section</li>
<li>DOC: configuration: http-check expect example typo</li>
<li>SCRIPTS: git-show-backports: list new commits and how to review them with -L</li>
<li>MINOR: mux-h2: report glitches on early RST_STREAM</li>
<li>MINOR: stconn: flag the stream endpoint descriptor when the app has started</li>
<li>MINOR: ncbmbuf: improve itbmap_next() code</li>
<li>CI: github: fix tag listing by implementing proper API pagination</li>
<li>BUILD: tools: potential null pointer dereference in dl_collect_libs_cb</li>
<li>BUILD: spoe: Remove unsused variable</li>
<li>Revert "BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream"</li>
<li>BUILD: sched: fix leftover of debugging test in single-run changes</li>
<li>MINOR: mux-h2: assign a limited frames processing budget</li>
<li>MINOR: mworker/cli: extract worker "show proc" row printer</li>
<li>MINOR: debug: opportunistically load libthread_db.so.1 with set-dumpable=libs</li>
<li>MINOR: debug: copy debug symbols from /usr/lib/debug when present</li>
<li>MINOR: debug: read all libs in memory when set-dumpable=libs</li>
<li>MINOR: config: support explicit "on" and "off" for "set-dumpable"</li>
<li>MINOR: tools: add a function to load a file into a tar archive</li>
<li>MINOR: tools: add a function to create a tar file header</li>
<li>MINOR: sched: do not punish self-waking tasklets anymore</li>
<li>MINOR: sched: do not requeue a tasklet into the current queue</li>
<li>MINOR: htx: Add function to truncate all blocks after a specific block</li>
<li>MINOR: memprof: attempt different retry slots for different hashes on collision</li>
<li>MINOR: tools: extend the pointer hashing code to ease manipulations</li>
<li>MEDIUM: sched: change scheduler budgets to lower TL_BULK</li>
<li>MEDIUM: sched: do not punish self-waking tasklets if TASK_WOKEN_ANY</li>
<li>MEDIUM: sched: do not run a same task multiple times in series</li>
<li>[RELEASE] Released version 3.2.15</li>
<li>CI: github: treat vX.Y.Z release tags as stable like haproxy-* branches</li>
<li>DEV: gdb: add a new utility to extract libs from a core dump: libs-from-core</li>
<li>DEV: gdb: add a utility to find the post-mortem address from a core</li>
</ul>
</li>
<li>Update to version 3.2.14+git0.951507193:<ul>
<li>[RELEASE] Released version 3.2.14</li>
<li>SCRIPTS: git-show-backports: add a restart-from-last option</li>
<li>SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode</li>
<li>BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server</li>
<li>BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures</li>
<li>BUG/MINOR: ssl: error with ssl-f-use when no "crt"</li>
<li>BUG/MINOR: ssl: clarify ssl-f-use errors in post-section parsing</li>
<li>BUG/MINOR: ssl: fix leak in ssl-f-use parser upon error</li>
<li>BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser</li>
<li>BUG/MINOR: ssl: lack crtlist_dup_ssl_conf() declaration</li>
<li>BUG/MINOR: deviceatlas: set cache_size on hot-reloaded atlas instance</li>
<li>BUG/MINOR: deviceatlas: fix deinit to only finalize when initialized</li>
<li>BUG/MINOR: deviceatlas: fix resource leak on hot-reload compile failure</li>
<li>BUG/MINOR: deviceatlas: fix double-checked locking race in checkinst</li>
<li>BUG/MINOR: deviceatlas: fix cookie vlen using wrong length after extraction</li>
<li>BUG/MINOR: deviceatlas: fix off-by-one in da_haproxy_conv()</li>
<li>BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"</li>
<li>BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()</li>
<li>BUG/MINOR: promex: fix server iteration when last server is deleted</li>
<li>BUG/MINOR: http-ana: Stop to wait for body on client error/abort</li>
<li>BUG/MINOR: flt-trace: Properly compute length of the first DATA block</li>
<li>BUG/MINOR: deviceatlas: add NULL checks on strdup() results in config parsers</li>
<li>BUG/MINOR: deviceatlas: add missing return on error in config parsers</li>
<li>BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending</li>
<li>BUG/MEDIUM: hpack: correctly deal with too large decoded numbers</li>
<li>BUG/MEDIUM: stream: Handle TASK_WOKEN_RES as a stream event</li>
<li>BUG/MEDIUM: qpack: correctly deal with too large decoded numbers</li>
<li>BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream</li>
<li>BUG/MEDIUM: applet: Fix test on shut flags for legacy applets (v2)</li>
<li>BUG/MEDIUM: mux-h1: Stop sending vi fast-forward for unexpected states</li>
<li>BUG/MEDIUM: mux-h2/quic: Stop sending via fast-forward if stream is closed</li>
<li>BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented</li>
<li>BUG/MEDIUM: deviceatlas: fix resource leaks on init error paths</li>
<li>BUG/MAJOR: Revert "MEDIUM: mux-quic: add BUG_ON if sending on locally closed QCS"</li>
<li>BUG/MAJOR: resolvers: Properly lowered the names found in DNS response</li>
<li>BUG/MAJOR: fcgi: Fix param decoding by properly checking its size</li>
<li>BUG/MAJOR: qpack: unchecked length passed to huffman decoder</li>
<li>MINOR: filters: Set last_entity when a filter fails on stream_start callback</li>
<li>MINOR: mux-h2: add a new setting, "tune.h2.log-errors" to tweak error logging</li>
<li>MINOR: mux-h2: also count glitches on invalid trailers</li>
<li>MINOR: stconn: Add missing SC_FL_NO_FASTFWD flag in sc_show_flags</li>
<li>DEBUG: stream: Display the currently running rule in stream dump</li>
<li>[RELEASE] Released version 3.2.13</li>
<li>CLEANUP: mux-h1: Remove unneeded null check</li>
<li>CLEANUP: compression: Remove unused static buffers</li>
<li>CI: github: disable windows.yml by default on unofficials repo</li>
<li>CI: vtest: move the vtest2 URL to vinyl-cache.org</li>
<li>DEV: term-events: Fix hanshake events decoding</li>
<li>DOC: proxy-proto: underline the packed attribute for struct pp2_tlv_ssl</li>
<li>DOC: internals: addd mworker V3 internals</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-588=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
<ul>
<li>haproxy-debuginfo-3.2.15+git64.0fc44b458-160000.1.1</li>
<li>haproxy-debugsource-3.2.15+git64.0fc44b458-160000.1.1</li>
<li>haproxy-3.2.15+git64.0fc44b458-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261626">https://bugzilla.suse.com/show_bug.cgi?id=1261626</a>
</li>
</ul>
</div>