HAProxy is vulnerable to CRLF injection. Its HTTP/2 implementation is vulnerable to intermediary encapsulation attacks because it does not validate CRLF characters, zero and null characters in headers,
access.redhat.com/errata/RHSA-2020:1936
access.redhat.com/security/updates/classification/#moderate
git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
seclists.org/bugtraq/2019/Nov/45
security.gentoo.org/glsa/202004-01
tools.ietf.org/html/rfc7540#section-10.3
usn.ubuntu.com/4212-1/
www.debian.org/security/2019/dsa-4577
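
The missing check described above, written out as an added example in C; it is not HAProxy's code and not taken from the linked commits. It follows RFC 7540 section 10.3 by rejecting any decoded HTTP/2 header that carries CR, LF or NUL before it is translated to HTTP/1.x. The struct, macro and function names are hypothetical, and the header list is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for illustration; these are not HAProxy functions.
 * Lengths are explicit because a decoded header string may contain NUL. */
struct h2_hdr { const char *name; size_t nlen; const char *value; size_t vlen; };
#define HDR(n, v) { n, sizeof(n) - 1, v, sizeof(v) - 1 }

/* 1 if the value may be copied into an HTTP/1.x message, 0 if it holds
 * one of the octets named in RFC 7540 section 10.3: CR, LF or NUL. */
static int h2_value_is_safe(const char *v, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (v[i] == '\r' || v[i] == '\n' || v[i] == '\0')
            return 0;
    return 1;
}

/* Conservative name check: printable ASCII only, no uppercase
 * (RFC 7540 section 8.1.2), ':' only as the first octet (pseudo-header). */
static int h2_name_is_safe(const char *n, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)n[i];
        if (c <= 0x20 || c >= 0x7f || (c >= 'A' && c <= 'Z') || (c == ':' && i != 0))
            return 0;
    }
    return 1;
}

/* Index of the first header that must cause rejection, or -1 if none. */
static int h2_first_bad_header(const struct h2_hdr *h, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (!h2_name_is_safe(h[i].name, h[i].nlen) || !h2_value_is_safe(h[i].value, h[i].vlen))
            return (int)i;
    return -1;
}

/* Constructed sample header list, as it would look after HPACK decoding. */
static const struct h2_hdr sample[] = {
    HDR(":method", "GET"), HDR("user-agent", "example/1.0"),
    HDR("x-note", "a\r\nx-added: 1"), HDR("x-id", "ab\0cd"),
};

int main(void)
{
    int bad = h2_first_bad_header(sample, sizeof(sample) / sizeof(sample[0]));
    if (bad >= 0) printf("reject: header %d is malformed\n", bad);
    return bad >= 0;
}
```

The whole request is rejected on the first bad header instead of having the offending octets stripped, matching the RFC's instruction to treat such a message as malformed.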