==========================================================================
Ubuntu Security Notice USN-6530-1
December 05, 2023
haproxy vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
HAProxy could be made to expose sensitive information.
Software Description:
- haproxy: fast and reliable load balancing reverse proxy
Details:
It was discovered that HAProxy incorrectly handled URI components
containing the hash character (#). A remote attacker could possibly use
this issue to obtain sensitive information, or to bypass certain path_end
rules.
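As an added illustration (not part of the notice, and not HAProxy's own code), the following Python sketch models the path_end misrouting the notice describes, using the index.html#.png case from the CVE description, next to the rejecting behaviour of the fixed version and a check over constructed access-log lines. The routing table, backend names and log layout are assumptions chosen for the example.

```python
"""Model of the path_end misrouting in USN-6530-1 / CVE-2023-45539.
Constructed example, not HAProxy code: it mimics a `path_end` ACL and how a
request-target carrying '#' is treated before and after the fix."""

# Constructed routing table in the spirit of the advisory: a static backend
# for images and a default application backend for everything else.
PATH_END_RULES = [(".png", "static"), (".css", "static")]
DEFAULT_BACKEND = "app"

SAMPLE_LOG = [  # constructed entries, default httplog layout, syslog prefix omitted
    '203.0.113.5:51234 [05/Dec/2023:10:00:01.120] fe be_static/s1 0/0/1/2/3 200 512 '
    '- - ---- 1/1/0/0/0 0/0 "GET /index.html#.png HTTP/1.1"',
    '203.0.113.5:51235 [05/Dec/2023:10:00:02.310] fe be_app/a1 0/0/1/2/3 200 2048 '
    '- - ---- 1/1/0/0/0 0/0 "GET /index.html HTTP/1.1"',
]


def route_vulnerable(request_target):
    """Pre-fix behaviour: the raw request-target, '#' included, is what
    path_end compares, so '/index.html#.png' ends in '.png' and is sent
    to the static backend instead of the application."""
    for suffix, backend in PATH_END_RULES:
        if request_target.endswith(suffix):
            return backend
    return DEFAULT_BACKEND


def route_fixed(request_target):
    """Post-fix behaviour (HAProxy 2.8.2 and the patched Ubuntu packages):
    '#' is not accepted in the request-target, so the request is rejected
    (None, i.e. 400 Bad Request) before any routing rule is evaluated."""
    if "#" in request_target:
        return None
    for suffix, backend in PATH_END_RULES:
        if request_target.endswith(suffix):
            return backend
    return DEFAULT_BACKEND


def suspicious_requests(access_log_lines):
    """Detection on existing logs: return request-targets that carry '#'.
    Assumes the default httplog layout, where the request line is the
    quoted string at the end of each entry."""
    flagged = []
    for line in access_log_lines:
        if '"' not in line:
            continue
        request_line = line.rsplit('"', 2)[1]  # e.g. 'GET /x HTTP/1.1'
        parts = request_line.split()
        if len(parts) >= 2 and "#" in parts[1]:
            flagged.append(parts[1])
    return flagged
```

Running `suspicious_requests` over real access logs from before the update shows whether such request-targets were ever accepted and routed.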
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
haproxy 2.6.9-1ubuntu1.2
Ubuntu 22.04 LTS:
haproxy 2.4.22-0ubuntu0.22.04.3
Ubuntu 20.04 LTS:
haproxy 2.0.31-0ubuntu0.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6530-1
CVE-2023-45539
Package Information:
https://launchpad.net/ubuntu/+source/haproxy/2.6.9-1ubuntu1.2
https://launchpad.net/ubuntu/+source/haproxy/2.4.22-0ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/haproxy/2.0.31-0ubuntu0.3
CVE-2023-45539: HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.