Hi.
Nov 28, 2019 2:40:56 AM [email protected]:
> Hi team,
>
> Sorry to bother you again but according to CVE-2019-18277 it says A flaw was
> found in HAProxy before 2.0.6. So request you to please confirm whether all
> versions which are before 2.0.6 are Vulnerable.

Well "all" is a strong statement. I would say the 2.0's versions just as mentioned in the commit message.

https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581

On this site are some more links found via your preferred search engine ;-)
https://www.cybersecurity-help.cz/vdb/SB2019110721

> Regards,
> Anurag

Regards
Alex

> -----Original Message-----
> From: APCoE Product Notifications
> Sent: Wednesday, November 6, 2019 4:05 PM
> To: Lucas Rolff ; [email protected]
> Cc: [email protected]; [email protected]; Na, Anurag
> Subject: RE: Product Info
>
> Okay Lucas and all.
>
> Thanks for all your help and have a great day ahead.
>
> Regards,
> Anurag
>
> -----Original Message-----
> From: Lucas Rolff
> Sent: Wednesday, November 6, 2019 2:36 PM
> To: APCoE Product Notifications ; [email protected]
> Cc: [email protected]; [email protected]; Na, Anurag
> Subject: Re: Product Info
>
> I think the point Willy tried to make is that it should be handled the same
> way regardless of being a security patch or not. All fixes are important - so
> see them as "security" fixes for bugs if you like.
>
> On 06/11/2019, 10.04, "[email protected]" wrote:
>
> Hi Willy,
>
> Thanks for the info but honestly I am not focusing only on security fix, I
> need confirmation whether 2.0.8 is security patch or discretionary patch so
> that I can work on it accordingly on the basis of patch type.
>
> Regards,
> Anurag
>
>
> -----Original Message-----
> From: Willy Tarreau
> Sent: Wednesday, November 6, 2019 2:15 PM
> To: APCoE Product Notifications
> Cc: [email protected]; [email protected]; Na, Anurag
> Subject: Re: Product Info
>
> On Wed, Nov 06, 2019 at 08:09:55AM +0000, [email protected] wrote:
> > Hi Rob/Thomas,
> > Good day!!
> >
> > Thanks for the update, so as per the link the current patch is 2.0.8
> > released on 23-10-2019, request you to please confirm whether this
> > patch is also a security patch and fixing any vulnerability (please
> > provide CVE if available) or not as it has one major bug fix in the release
> > notes.
>
> Well, it was marked security since considered as such by the reporter
> even though it requires you to use a vulnerable server and to purposely write
> a bogus configuration, so my personal opinion on it is that it's very minor
> compared to all the issues we fix on a daily basis.
>
> In addition, please note that ALL FIXES ARE IMPORTANT and that if you're
> trying to only pick fixes explicitly marked as security, you'll end up with
> the most bogus load balancer on earth, and you'd rather not do this at all if
> you care for your site's availability.
>
> Focusing on CVEs only is part of what Linus Torvalds calls the "security
> circus" and I fully agree with him on that, considering how harmful most bugs
> can be for production and which are dropped by people focusing on CVE only
> and who instead pick irrelevant stuff because these have a "security"
> sticker. Also please have a look at this presentation by GregKH explaining
> the ridiculous situation we've reached with CVE nowadays:
>
> https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
>
> In short if you're wondering what patch to pick, you WILL eventually cause
> some disaster on your production that only YOU will be responsible for, by
> having deliberately rejected important fixes. You'd rather rely on up-to-date
> releases, either from sources if you build yourself, or from distro
> maintainers if you prefer to use pre-built packages. The project maintainers
> devote a lot of time maintaining stable branches containing only fixes
> precisely so that nobody has to duplicate this boring and dangerous job.
>
> Note that if you fear regressions, it's normal. Nobody likes to face them. In
> this case, just wait one week or even one month for others to deploy a new
> version before you do so, and you'll know if you're taking any risk. Everyone
> does this depending on the criticity. What is certain is that by not updating
> you're taking the risk to hit any of the hundreds of bugs that are known and
> fixed upstream.
>
> Willy

