Advisories » MGASA-2025-0242

Updated haproxy packages fix security vulnerability & bugs

Publication date: 22 Oct 2025
Modification date: 22 Oct 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-11230

Description

HAProxy has one critical, one major, a few medium and a few minor bugs fixed in the
latest upstream version, 2.8.16, of the 2.8 branch.

Fixed critical bug list:
- mjson: fix possible DoS when parsing numbers

Fixed major bug list:
- listeners: transfer connection accounting when switching listeners

Fixed medium bugs list:
- check: Requeue healthchecks on I/O events to handle check timeout
- check: Set SOCKERR by default when a connection error is reported
- checks: fix ALPN inheritance from server
- dns: Reset reconnect tempo when connection is finally established
- fd: Use the provided tgid in fd_insert() to get tgroup_info
- h1: Allow reception if we have early data
- h1/h2/h3: reject forbidden chars in the Host header field
- h2/h3: reject some forbidden chars in :authority before reassembly
- hlua: Add function to change the body length of an HTTP Message
- hlua: Forbid any L6/L7 sample fetch functions from lua services
- hlua: Report to SC when data were consumed on a lua socket
- hlua: Report to SC when output data are blocked on a lua socket
- http-client: Ask for more room when request data cannot be xferred
- http-client: Don't wake http-client applet if nothing was xferred
- http-client: Drain the request if an early response is received
- http-client: Notify applet has more data to deliver until the EOM
- http-client: Properly inc input data when HTX blocks are xferred
- http-client: Test HTX_FL_EOM flag before committing the HTX buffer
- httpclient: Throw an error if an lua httpclient instance is reused
- mux-h2: Properly handle connection error during preface sending
- server: Duplicate healthcheck's alpn inherited from default server
- ssl: ca-file directory mode must read every certificate of a file
- ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
- ssl: create the mux immediately on early data
- ssl: Fix 0rtt to the server
- ssl: fix build with AWS-LC
- threads: Disable the workaround to load libgcc_s on macOS

References

SRPMS

9/core