Note:
This project will be discontinued after December 13, 2021. [more]
2019-05-09
HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. This is related to an include/types/ssl_sock.h error.
| Products | Haproxy |
| Type | Use of a Broken or Risky Cryptographic Algorithm (CWE-327) Use of Uninitialized Resource (CWE-908) |
| First patch | - None (likely due to unavailable code) |
| Links |
• http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=8ef706502aa2000531d36e4ac56dbdc7c30f718d
• https://www.mail-archive.com/haproxy%40formilux.org/msg33410.html |