Ubuntu Security Notice USN-5994-1
Ubuntu Security Notice 5994-1 - It was discovered that HAProxy incorrectly initialized certain connection buffers. A remote attacker could possibly use this issue to obtain sensitive information.
==========================================================================
Ubuntu Security Notice USN-5994-1
April 03, 2023
haproxy vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
Summary:
HAProxy could be made to expose sensitive information over the network.
Software Description:
- haproxy: fast and reliable load balancing reverse proxy
Details:
It was discovered that HAProxy incorrectly initialized certain connection
buffers. A remote attacker could possibly use this issue to obtain
sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
haproxy 2.4.18-1ubuntu1.3
Ubuntu 22.04 LTS:
haproxy 2.4.18-0ubuntu1.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5994-1
CVE-2023-0836
Package Information:
https://launchpad.net/ubuntu/+source/haproxy/2.4.18-1ubuntu1.3
https://launchpad.net/ubuntu/+source/haproxy/2.4.18-0ubuntu1.3
Related news
Debian Linux Security Advisory 5388-1 - It was reported that HAProxy, a fast and reliable load balancing reverse proxy, does not properly initialize connection buffers when encoding the FCGI_BEGIN_REQUEST record. A remote attacker can take advantage of this flaw to cause an information leak.
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
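The flaw class described above, as an added example that is not HAProxy's code: an encoder that writes an FCGI_BEGIN_REQUEST record into a reused buffer without clearing the body's reserved bytes, beside the hardened form and a backend-side check. It assumes the 5 bytes are the `reserved[5]` field of the FastCGI specification's begin-request body; the function names and the stale buffer contents are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCGI_BEGIN_REQUEST 1   /* record type (FastCGI spec) */
#define FCGI_RESPONDER     1   /* role */
#define FCGI_KEEP_CONN     1   /* flags bit */
#define RECORD_LEN         16  /* 8-byte header + 8-byte body */

/* Hypothetical encoder. zero_reserved == 0 models the flaw: the body's
 * reserved[5] is skipped rather than written, so old buffer data is sent. */
static size_t encode_begin_request(uint8_t *buf, uint16_t req_id, int zero_reserved)
{
    uint8_t *p = buf;
    *p++ = 1; *p++ = FCGI_BEGIN_REQUEST;                  /* version, type */
    *p++ = (uint8_t)(req_id >> 8); *p++ = (uint8_t)(req_id & 0xff);
    *p++ = 0; *p++ = 8;                                   /* contentLength = 8 */
    *p++ = 0; *p++ = 0;                                   /* paddingLength, header reserved */
    *p++ = 0; *p++ = FCGI_RESPONDER;                      /* roleB1, roleB0 */
    *p++ = FCGI_KEEP_CONN;                                /* flags */
    if (zero_reserved)
        memset(p, 0, 5);                                  /* hardened: clear reserved[5] */
    p += 5;
    return (size_t)(p - buf);
}

/* Backend-side check: count non-zero bytes in reserved[5] (offsets 11..15). */
static int stale_reserved_bytes(const uint8_t *rec)
{
    int n = 0;
    for (int i = 11; i < RECORD_LEN; i++)
        n += rec[i] != 0;
    return n;
}

/* Reuse a buffer that still holds constructed sample data, then encode. */
static int leaked_after_reuse(int zero_reserved)
{
    static const char old[] = "Cookie: sid=CONSTRUCTED-SAMPLE-VALUE";
    uint8_t buf[64] = {0};
    memcpy(buf, old, sizeof old - 1);
    encode_begin_request(buf, 1, zero_reserved);
    return stale_reserved_bytes(buf);
}

int main(void)
{
    printf("flawed: %d stale bytes, hardened: %d\n", leaked_after_reuse(0), leaked_after_reuse(1));
    return 0;
}
```

A FastCGI backend can apply the same reserved-byte check to incoming begin-request records to spot a proxy that has not yet been updated.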