Headline
Ubuntu Security Notice USN-6294-1
Ubuntu Security Notice 6294-1 - Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the payload and bypass certain restrictions.
==========================================================================
Ubuntu Security Notice USN-6294-1
August 16, 2023
haproxy vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.04 LTS
Summary:
HAProxy could allow unintended access to network services.
Software Description:
- haproxy: fast and reliable load balancing reverse proxy
Details:
Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length
headers. A remote attacker could possibly use this issue to manipulate the
payload and bypass certain restrictions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
haproxy 2.6.9-1ubuntu1.1
Ubuntu 22.04 LTS:
haproxy 2.4.22-0ubuntu0.22.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6294-1
CVE-2023-40225
Package Information:
https://launchpad.net/ubuntu/+source/haproxy/2.6.9-1ubuntu1.1
https://launchpad.net/ubuntu/+source/haproxy/2.4.22-0ubuntu0.22.04.2
Related news
Red Hat Security Advisory 2024-1142-03 - An update for haproxy is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-1089-03 - An update for haproxy is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Debian Linux Security Advisory 5590-1 - Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling or information disclosure.
Red Hat Security Advisory 2023-7606-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-7473-01 - Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6294-2 - USN-6294-1 fixed vulnerabilities in HAProxy. This update provides the corresponding updates for Ubuntu 20.04 LTS. Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the payload and bypass certain restrictions.
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.