{"id":"MGASA-2025-0242","summary":"Updated haproxy packages fix security vulnerability & bugs","details":"HAProxy has a critical, a major, a few medium and a few minor bugs fixed in the\nlast upstream version 2.8.16 of branch 2.8.\n\nFixed critical bug list:\n- mjson: fix possible DoS when parsing numbers\n\nFixed major bug list:\n- listeners: transfer connection accounting when switching listeners\n\nFixed medium bugs list:\n- check: Requeue healthchecks on I/O events to handle check timeout\n- check: Set SOCKERR by default when a connection error is reported\n- checks: fix ALPN inheritance from server\n- dns: Reset reconnect tempo when connection is finally established\n- fd: Use the provided tgid in fd_insert() to get tgroup_info\n- h1: Allow reception if we have early data\n- h1/h2/h3: reject forbidden chars in the Host header field\n- h2/h3: reject some forbidden chars in :authority before reassembly\n- hlua: Add function to change the body length of an HTTP Message\n- hlua: Forbid any L6/L7 sample fetch functions from lua services\n- hlua: Report to SC when data were consumed on a lua socket\n- hlua: Report to SC when output data are blocked on a lua socket\n- http-client: Ask for more room when request data cannot be xferred\n- http-client: Don't wake http-client applet if nothing was xferred\n- http-client: Drain the request if an early response is received\n- http-client: Notify applet has more data to deliver until the EOM\n- http-client: Properly inc input data when HTX blocks are xferred\n- http-client: Test HTX_FL_EOM flag before committing the HTX buffer\n- httpclient: Throw an error if an lua httpclient instance is reused\n- mux-h2: Properly handle connection error during preface sending\n- server: Duplicate healthcheck's alpn inherited from default server\n- ssl: ca-file directory mode must read every certificate of a file\n- ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers\n- ssl: create the mux immediately on early data\n- ssl: Fix 0rtt to the server\n- ssl: fix build with AWS-LC\n- threads: Disable the workaround to load libgcc_s on macOS\n","modified":"2026-04-16T04:44:45.460823983Z","published":"2025-10-22T20:07:31Z","upstream":["CVE-2025-11230"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0242.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34673"},{"type":"WEB","url":"https://www.haproxy.org/download/2.8/src/CHANGELOG"},{"type":"WEB","url":"https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability"}],"affected":[{"package":{"name":"haproxy","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/haproxy?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.16-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0242.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}