Rancher Security Advisory: CVE-2020-11100 reported by HAProxy

Table of Contents

Release update | May 04, 2020:

Rancher v1.6.30 release is generally available. Refer release notes here.

Dear Rancher 1.6 User,

HAProxy recently released a new version to address the following serious vulnerability:

  • CVE-2020-11100: "In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution."

For more details on the announcements, see:

This communication is to let you know of a new Rancher v1.6.x release that will be made available this week (likely, as v1.6.30).  This release will include the new HAProxy image that addresses the above vulnerability.


  • Rancher v1.6.x is currently in limited support mode only, as it is between its EOM (31DEC2019) and EOL(30JUN2020) product lifecycle dates.
  • This communication does not impact the Rancher 2.x product line.

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.

Rancher Support Team

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.