Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-5869-1

Ubuntu Security Notice 5869-1 - Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions.

Packet Storm
#vulnerability#ubuntu#auth
==========================================================================Ubuntu Security Notice USN-5869-1February 14, 2023haproxy vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:HAProxy could allow unintended access to network services.Software Description:- haproxy: fast and reliable load balancing reverse proxyDetails:Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg,and Harvey Tuch discovered that HAProxy incorrectly handled empty headernames. A remote attacker could possibly use this issue to manipulateheaders and bypass certain authentication checks and restrictions.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   haproxy                         2.4.18-1ubuntu1.2Ubuntu 22.04 LTS:   haproxy                         2.4.18-0ubuntu1.2Ubuntu 20.04 LTS:   haproxy                         2.0.29-0ubuntu1.3Ubuntu 18.04 LTS:   haproxy                         1.8.8-1ubuntu0.13In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5869-1   CVE-2023-25725Package Information:   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-1ubuntu1.2   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-0ubuntu1.2   https://launchpad.net/ubuntu/+source/haproxy/2.0.29-0ubuntu1.3   https://launchpad.net/ubuntu/+source/haproxy/1.8.8-1ubuntu0.13

Related news

Ubuntu Security Notice USN-7135-1

Ubuntu Security Notice 7135-1 - Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions.

Red Hat Security Advisory 2024-0746-03

Red Hat Security Advisory 2024-0746-03 - Updated container image for Red Hat Ceph Storage 5.3 is now available in the Red Hat Ecosystem Catalog. Issues addressed include cross site scripting and denial of service vulnerabilities.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

Red Hat Security Advisory 2023-1325-01

Red Hat Security Advisory 2023-1325-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.

Red Hat Security Advisory 2023-1328-01

Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-1326-01

Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

RHSA-2023:1325: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has d...

RHSA-2023:1326: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

Red Hat Security Advisory 2023-1327-01

Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.

Red Hat Security Advisory 2023-1978-01

Red Hat Security Advisory 2023-1978-01 - The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Issues addressed include a denial of service vulnerability.

RHSA-2023:1978: Red Hat Security Advisory: haproxy security update

An update for haproxy is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0056: An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. * CVE-2023-25725: A flaw was found in HAProxy's hea...

RHSA-2023:1696: Red Hat Security Advisory: haproxy security update

An update for haproxy is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0056: An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. * CVE-2023-25725: A flaw was found in HAProxy's headers processing that cause...

Debian Security Advisory 5348-1

Debian Linux Security Advisory 5348-1 - Two vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which may result in denial of service, or bypass of access controls and routing rules via specially crafted requests.

CVE-2023-25725: The Reliable, High Performance TCP/HTTP Load Balancer

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution