Headline
Debian Security Advisory 5388-1
Debian Linux Security Advisory 5388-1 - It was reported that HAProxy, a fast and reliable load balancing reverse proxy, does not properly initialize connection buffers when encoding the FCGI_BEGIN_REQUEST record. A remote attacker can take advantage of this flaw to cause an information leak.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5388-1 [email protected]://www.debian.org/security/ Salvatore BonaccorsoApril 13, 2023 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : haproxyCVE ID : CVE-2023-0836It was reported that HAProxy, a fast and reliable load balancing reverseproxy, does not properly initialize connection buffers when encoding theFCGI_BEGIN_REQUEST record. A remote attacker can take advantage of thisflaw to cause an information leak.For the stable distribution (bullseye), this problem has been fixed inversion 2.2.9-2+deb11u5.We recommend that you upgrade your haproxy packages.For the detailed security status of haproxy please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/haproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQ4YxlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RA+g/8C9B17OgAEYmOivNLX/0SmHC0WQft66LH5a3lrr+xgncSO6h7REzVlgMXIffI+RnTxTuHH0sMb8S1rYsAfaHeAHGzXOEKiooPVwMix3TMTR6mocv5D1V4smTiI8JWZSDIzPLKn1EYKQDXxg8wz6nEVsc5njF8SAcWZ1fDDLgbbVtUEY9SL2dkGLF+QlsGWnsseN6AzNfVm7vYIdTzSFbc1Hd3mnlL+uIolhKkGLtQ+iMTLxWjxu1n4MqIYh3VR/f2BUVez9JP3GZ/BOEZU/M3b91QYjmY2OghAlNBBXlL/jMmbZAAAfFukIK1JIb23iLac/bjv6e8yixwLX0q+t0j4ZTpxmln+iiIPLSZ/1IBYXOvf6nrP/cIueGqwlMFdD6qRm7s8cIsx4Gw8bb+ge9zUCOdkX0uPzLDRWul3e+69fdmWazcmDXIFOrgBcp5cp4i33r0+T338rimyN4Q6CyqYQ756gf5mK8kq/vVLI4qyLYmVjZj2eAUI6EPWptxP0UKUarFtpYsc2XRRFb66bxaRTf1yuPvR3aRJKnBW4+KnuiTho1J5wa/HaK551NWwbgmICsbGsfI5/S0cHpYcvdSRG5SAZavFGUT/dIlsOD4OdjevHGnN021AYP1+EqLuX8Zsq5DQKh3s/yUsl6svTTBOiXZxVer9DLYD+D4yuqkqIc=6SUU-----END PGP SIGNATURE-----Related news
Ubuntu Security Notice 5994-1 - It was discovered that HAProxy incorrectly initialized certain connection buffers. A remote attacker could possibly use this issue to obtain sensitive information.
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.