Debian Security Advisory 5590-1

Debian Linux Security Advisory 5590-1 - Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling or information disclosure.

Packet Storm
#vulnerability #linux #debian #kubernetes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5590-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 28, 2023                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2023-40225 CVE-2023-45539
Debian Bug     : 1043502

Several vulnerabilities were discovered in HAProxy, a fast and reliable
load balancing reverse proxy, which can result in HTTP request smuggling
or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.2.9-2+deb11u6.

For the stable distribution (bookworm), these problems have been fixed in
version 2.6.12-1+deb12u1.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Related news

Ubuntu Security Notice USN-6530-2

Ubuntu Security Notice 6530-2 - Seth Manesse and Paul Plasil discovered that HAProxy incorrectly handled URI components containing the hash character. A remote attacker could possibly use this issue to obtain sensitive information, or to bypass certain path_end rules.

Red Hat Security Advisory 2024-1142-03

Red Hat Security Advisory 2024-1142-03 - An update for haproxy is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-1089-03

Red Hat Security Advisory 2024-1089-03 - An update for haproxy is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Ubuntu Security Notice USN-6530-1

Ubuntu Security Notice 6530-1 - It was discovered that HAProxy incorrectly handled URI components containing the hash character. A remote attacker could possibly use this issue to obtain sensitive information, or to bypass certain path_end rules.

Red Hat Security Advisory 2023-7606-03

Red Hat Security Advisory 2023-7606-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2023-7473-01

Red Hat Security Advisory 2023-7473-01 - Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

CVE-2023-45539: Ambiguity about how to deal with received fragments in URI from Willy Tarreau on 2023-07-27 ([email protected] from July to September 2023)

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
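The path_end misrouting described above, as an added example that is not code from HAProxy or from the advisory. An HTTP/1 origin-form request-target carries no fragment (RFC 9112 section 3.2), so a literal '#' in it is invalid. The script below models a proxy that evaluates a `path_end`-style suffix rule: with `reject_fragment=False` it treats '#' as ordinary path data, so `/index.html#.png` is sent to the static back end; with `reject_fragment=True` the request is refused instead, which is the class of fix the advisory describes (the exact HAProxy behaviour is not shown here and is assumed). The routing table, the `backend_sees` model of a back end that cuts the target at '#', and all targets are constructed for the demonstration.

```python
"""Constructed demonstration of the CVE-2023-45539 failure mode.

The proxy matches a suffix rule on one reading of the target while the
back end serves another, so a request for a dynamic resource ends up
at the server meant for static assets.
"""
from typing import Optional, Tuple

# Constructed equivalent of an ACL such as `path_end .png .jpg .css .js`.
STATIC_SUFFIXES: Tuple[str, ...] = (".png", ".jpg", ".css", ".js")


def parse_target(target: str, reject_fragment: bool) -> Optional[str]:
    """Return the path of an origin-form request-target, or None when the
    proxy refuses the request.

    reject_fragment=False mimics the vulnerable behaviour: '#' is kept as
    path data. reject_fragment=True is the hardened check (assumed, not
    HAProxy's own code): a literal '#' is not valid in origin-form, so the
    request is rejected before any ACL runs.
    """
    if not target.startswith("/"):
        return None
    if reject_fragment and "#" in target:
        return None
    # Query string is never part of `path`; only a raw '#' is the problem.
    return target.split("?", 1)[0]


def path_end(path: str, suffixes: Tuple[str, ...]) -> bool:
    """Suffix match in the spirit of HAProxy's `path_end` ACL."""
    return any(path.endswith(s) for s in suffixes)


def route(target: str, reject_fragment: bool) -> str:
    """Proxy decision: 'deny', 'static' or 'app'."""
    path = parse_target(target, reject_fragment)
    if path is None:
        return "deny"
    return "static" if path_end(path, STATIC_SUFFIXES) else "app"


def backend_sees(path: str) -> str:
    """Assumed back-end view: a server that applies RFC 3986 generic
    syntax treats '#' as the start of a fragment and drops it, so the
    resource actually looked up no longer ends in .png."""
    return path.split("#", 1)[0]


def disagreement(target: str) -> bool:
    """True when the vulnerable proxy routes on a suffix the back end
    never sees, i.e. the two parsers disagree about the resource."""
    path = parse_target(target, reject_fragment=False)
    if path is None:
        return False
    return path_end(path, STATIC_SUFFIXES) != path_end(
        backend_sees(path), STATIC_SUFFIXES
    )


if __name__ == "__main__":
    for t in ("/index.html#.png", "/index.html%23.png", "/logo.png", "/index.html"):
        print(f"{t:22} vulnerable={route(t, False):7} hardened={route(t, True):7} "
              f"disagree={disagreement(t)}")
```

Note that `/index.html%23.png` is left alone by the hardened check: a percent-encoded `#` is legitimate path data and the two parsers agree on it. Only the raw character creates the ambiguity.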

Ubuntu Security Notice USN-6294-2

Ubuntu Security Notice 6294-2 - USN-6294-1 fixed vulnerabilities in HAProxy. This update provides the corresponding updates for Ubuntu 20.04 LTS. Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the payload and bypass certain restrictions.

Ubuntu Security Notice USN-6294-1

Ubuntu Security Notice 6294-1 - Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the payload and bypass certain restrictions.

CVE-2023-40225

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
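The desync described above, as an added example that is not code from HAProxy or from the advisory. RFC 9110 section 8.6 defines Content-Length as one or more digits, so an empty value is malformed. The script models three parties on a constructed byte stream: a lenient HTTP/1 back end that treats the empty value as zero and therefore reads the intended body as a second request, a strict back end that rejects the message, and a hardened front-end check that refuses to forward a message with an empty Content-Length at all (the class of fix the advisory describes; the exact HAProxy behaviour is assumed, not reproduced). The sample requests, host name and paths are constructed for the demonstration.

```python
"""Constructed demonstration of the CVE-2023-40225 failure mode.

A client sends a request whose Content-Length header is present but empty.
A front end that forwards it unchanged and a back end that reads the empty
value as 0 disagree on where the message ends: the bytes the client meant
as a body are parsed by the back end as a separate, smuggled request.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: empty Content-Length, then a second request-like body.
SMUGGLE = (
    b"POST /api/update HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: \r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"\r\n"
)

# Constructed sample: a well-formed request with a real body.
NORMAL = (
    b"POST /api/update HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


class BadRequest(Exception):
    """Raised where a real server would answer 400."""


def _split_head(stream: bytes, start: int) -> Tuple[str, Dict[str, str], int]:
    """Return (request line, lower-cased header dict, offset of body start)
    for the message that begins at `start`."""
    end = stream.find(b"\r\n\r\n", start)
    if end < 0:
        raise BadRequest("incomplete head")
    lines = stream[start:end].decode("ascii").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def content_length(headers: Dict[str, str], strict: bool) -> int:
    """Body length per Content-Length. RFC 9110 s.8.6: the value is 1*DIGIT,
    so an empty value is invalid. strict=True rejects it; strict=False
    mimics a lenient back end that silently treats it as zero."""
    raw = headers.get("content-length")
    if raw is None:
        return 0
    if raw == "":
        if strict:
            raise BadRequest("empty Content-Length")
        return 0
    if not raw.isdigit():
        raise BadRequest("non-numeric Content-Length")
    return int(raw)


def parse_requests(stream: bytes, strict: bool) -> List[str]:
    """Frame a byte stream into request lines the way an HTTP/1 back end
    framing on Content-Length would."""
    reqs: List[str] = []
    pos = 0
    while pos < len(stream):
        req_line, headers, body_start = _split_head(stream, pos)
        body_len = content_length(headers, strict)
        if body_start + body_len > len(stream):
            raise BadRequest("truncated body")
        reqs.append(req_line)
        pos = body_start + body_len
    return reqs


def back_end_request_count(stream: bytes, strict: bool) -> int:
    """Requests a back end with the given policy would execute, or -1 if it
    rejects the stream. The lenient policy executes the smuggled request."""
    try:
        return len(parse_requests(stream, strict))
    except BadRequest:
        return -1


def front_end_forward(raw: bytes) -> Optional[bytes]:
    """Hardened front-end check (assumed, not HAProxy's code): refuse to
    forward a message whose Content-Length is present but empty, so no
    back end can frame it differently from the proxy."""
    try:
        _, headers, _ = _split_head(raw, 0)
        content_length(headers, strict=True)
    except BadRequest:
        return None
    return raw


if __name__ == "__main__":
    print("lenient back end sees:", parse_requests(SMUGGLE, strict=False))
    print("strict back end count:", back_end_request_count(SMUGGLE, strict=True))
    print("hardened front end forwards:", front_end_forward(SMUGGLE))
    print("normal request forwarded:", front_end_forward(NORMAL) is not None)
```

The failure needs both halves: a front end that forwards the malformed header and a back end that tolerates it. Fixing either side closes the desync, but the proxy is the right place, since it is the one component that sees every request and can apply one framing rule for all back ends.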
