[removed people from Cc whom I don't believe are relevant any more]

Aleks,

On 28.11.19 at 07:30, Aleksandar Lazic wrote:
>> Sorry to bother you again but according to CVE-2019-18277 it says A flaw was
>> found in HAProxy before 2.0.6. So request you to please confirm whether all
>> versions which is before 2.0.6 are Vulnerable.
>
> Well "all" is a strong statement. I would say the 2.0's versions just as
> mentioned in the commit message.
>
> https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581

The commit message says:

> This fix is only for 2.0 and older versions as legacy mode was
> removed from 2.1. It should be backported to all maintained versions.

Which is not 2.0 only, but 2.0 and older. Specifically the bugfix was
backported as far as 1.6 already:

http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=76dd4aef279030761f0c466b6d6af5a0852c86aa

The bugfix is present in all the most recent "third digit versions" for
1.6, 1.7, 1.8, 1.9, 2.0, and 2.1.

Not sure whether 1.5 will also receive another update for this, seeing
that support for that version will end soon.

Best regards
Tim Düsterhus

