OPENSUSE-SU-2026:10581-1 haproxy-3.3.6+git91.af5637e93-1.1 on GA media

These are all security issues fixed in the haproxy-3.3.6+git91.af5637e93-1.1 package on the GA media of openSUSE Tumbleweed...

PT-2026-33845

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config//show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and it...

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: haproxy: haproxy-3.0.19-1.1.hum1 aarch64, x8664 haproxy-3.0.19-1.1.hum1.src src...

Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: haproxy: haproxy-3.0.19-1.hum1 aarch64, x8664 haproxy-3.0.19-1.hum1.src src...

haproxy: Fix of CVE-2019-18277

CVE-2019-18277: reject messages where "chunked" is missing from transfer-encoding...

CLSA-2026-1776337242 haproxy: Fix of CVE-2019-18277

CVE-2019-18277: reject messages where "chunked" is missing from transfer-encoding...

CLSA-2026-1776343034 haproxy: Fix of CVE-2023-45539

CVE-2023-45539: reject '' as part of the URI to prevent ACL bypass via pathend rules...

CLSA-2026-1776342757 haproxy: Fix of CVE-2023-45539

CVE-2023-45539: reject '' as part of the URI to prevent ACL bypass via pathend rules...

CLSA-2026-1776336742 haproxy: Fix of CVE-2019-18277

CVE-2019-18277: reject messages where "chunked" is missing from transfer-encoding...

SUSE CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

CVE-2026-33555

A flaw was found in HAProxy. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP/3 request. The HTTP/3 parser fails to verify that the received body length matches the announced content-length when a stream is closed with an empty payload. This desynchronization...

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

UBUNTU-CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

PT-2026-32395

Name of the Vulnerable Software and Affected Versions HAProxy versions 2.6 through 3.3.5 Description The HTTP/3 parser fails to verify that the received body length aligns with a previously announced content-length when a stream is closed using a frame with an empty payload. This discrepancy can...

CVE-2026-33555

HAProxy

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

Linux Distros Unpatched Vulnerability : CVE-2026-33555

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length wh...

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...