Hi,

On Fri, May 17, 2019 at 02:54:05AM +0000, ??? wrote:
> Recently I found an issue, CVE-2019-11323; it is already fixed in 1.9.7.
>
> But it looks like all other haproxy branches are affected by this issue according
> to the following link.
>
> https://www.cvedetails.com/cve/CVE-2019-11323/
>
> CVE-2019-11323 : HAProxy before 1.9.7 mishandles a reload with rotated keys,
> which triggers use of uninitialized, and very predictable, HMAC keys. This is
> related to an include/types/ssl_sock.h error.
>
> Unfortunately I'm using haproxy 1.7.11, I don't want to upgrade to 1.9 right now.
(...)

I've just checked right now and only 1.9.2 and above have the affected feature; the version details in the CVE are thus incorrect. It was developed in 2.0-dev and was backported to 1.9 earlier this year to adapt to newer OpenSSL versions. So on 1.8 and earlier you're not affected.

Hoping this helps,
Willy