Headline
RHSA-2023:1978: Red Hat Security Advisory: haproxy security update
An update for haproxy is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-0056: An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
- CVE-2023-25725: A flaw was found in HAProxy’s headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
Issued:
2023-04-25
Updated:
2023-04-25
Synopsis
Moderate: haproxy security update
Type/Severity
Security Advisory: Moderate
Topic
An update for haproxy is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
- haproxy: segfault DoS (CVE-2023-0056)
- haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0 s390x
Fixes
- BZ - 2160808 - CVE-2023-0056 haproxy: segfault DoS
- BZ - 2169089 - CVE-2023-25725 haproxy: request smuggling attack in HTTP/1 header parsing
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
x86_64
haproxy-2.4.7-2.el9_0.2.x86_64.rpm
SHA-256: 49abe3b76f47c45c8b54582b12ea1103fa67ba7edb9def440b380da609cfcff0
haproxy-debuginfo-2.4.7-2.el9_0.2.x86_64.rpm
SHA-256: 6d0daa29af7965ad3e8ad4af6e5555c6dffcbb993634a8a90a5e431347422655
haproxy-debugsource-2.4.7-2.el9_0.2.x86_64.rpm
SHA-256: b7808e1ce6553f1acf6a2d12b51afc92bd0d3979d869a1e83e2d18b88057463c
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
s390x
haproxy-2.4.7-2.el9_0.2.s390x.rpm
SHA-256: 8baec11a4cc33f90e22f604a3393ae4392b95f9b7822aa03b481ccdfa796a2a7
haproxy-debuginfo-2.4.7-2.el9_0.2.s390x.rpm
SHA-256: 197d96a75d0e84659c8b9c27445a08f97c639684bb6ab6007a425b8bed8e0431
haproxy-debugsource-2.4.7-2.el9_0.2.s390x.rpm
SHA-256: 5d88ee1528313738b3a90a50a2748faa2398271c477145033d0cb45f86b6395a
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
ppc64le
haproxy-2.4.7-2.el9_0.2.ppc64le.rpm
SHA-256: c42f9fdc1569ed45c8a30918d2decc3247cf36938ba4548cfdec5e1a207565bf
haproxy-debuginfo-2.4.7-2.el9_0.2.ppc64le.rpm
SHA-256: bcdd63450770e17e71a83555efbe5ea3d5b2961f63e9ed58b12b2cf1954bf8e1
haproxy-debugsource-2.4.7-2.el9_0.2.ppc64le.rpm
SHA-256: 1c5101ffe73d076215924fa48f81072b545b1646884f7ec8715a789d176d9aea
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
aarch64
haproxy-2.4.7-2.el9_0.2.aarch64.rpm
SHA-256: 8ef5fcd44f1789bce0810e5a68b5fafb65a2be16dabcf84572751b5c4f4096f9
haproxy-debuginfo-2.4.7-2.el9_0.2.aarch64.rpm
SHA-256: 6646f61ee3ab5f14e31cf4878c9f5e63a062172bf7f537a9cb1e5689a4bf5aa2
haproxy-debugsource-2.4.7-2.el9_0.2.aarch64.rpm
SHA-256: 4c9e6722d95f0458dc22b1c5b1fa731678bb6085f076eab592eac0dc94b50451
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
ppc64le
haproxy-2.4.7-2.el9_0.2.ppc64le.rpm
SHA-256: c42f9fdc1569ed45c8a30918d2decc3247cf36938ba4548cfdec5e1a207565bf
haproxy-debuginfo-2.4.7-2.el9_0.2.ppc64le.rpm
SHA-256: bcdd63450770e17e71a83555efbe5ea3d5b2961f63e9ed58b12b2cf1954bf8e1
haproxy-debugsource-2.4.7-2.el9_0.2.ppc64le.rpm
SHA-256: 1c5101ffe73d076215924fa48f81072b545b1646884f7ec8715a789d176d9aea
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
x86_64
haproxy-2.4.7-2.el9_0.2.x86_64.rpm
SHA-256: 49abe3b76f47c45c8b54582b12ea1103fa67ba7edb9def440b380da609cfcff0
haproxy-debuginfo-2.4.7-2.el9_0.2.x86_64.rpm
SHA-256: 6d0daa29af7965ad3e8ad4af6e5555c6dffcbb993634a8a90a5e431347422655
haproxy-debugsource-2.4.7-2.el9_0.2.x86_64.rpm
SHA-256: b7808e1ce6553f1acf6a2d12b51afc92bd0d3979d869a1e83e2d18b88057463c
Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
aarch64
haproxy-2.4.7-2.el9_0.2.aarch64.rpm
SHA-256: 8ef5fcd44f1789bce0810e5a68b5fafb65a2be16dabcf84572751b5c4f4096f9
haproxy-debuginfo-2.4.7-2.el9_0.2.aarch64.rpm
SHA-256: 6646f61ee3ab5f14e31cf4878c9f5e63a062172bf7f537a9cb1e5689a4bf5aa2
haproxy-debugsource-2.4.7-2.el9_0.2.aarch64.rpm
SHA-256: 4c9e6722d95f0458dc22b1c5b1fa731678bb6085f076eab592eac0dc94b50451
Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0
SRPM
haproxy-2.4.7-2.el9_0.2.src.rpm
SHA-256: a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49
s390x
haproxy-2.4.7-2.el9_0.2.s390x.rpm
SHA-256: 8baec11a4cc33f90e22f604a3393ae4392b95f9b7822aa03b481ccdfa796a2a7
haproxy-debuginfo-2.4.7-2.el9_0.2.s390x.rpm
SHA-256: 197d96a75d0e84659c8b9c27445a08f97c639684bb6ab6007a425b8bed8e0431
haproxy-debugsource-2.4.7-2.el9_0.2.s390x.rpm
SHA-256: 5d88ee1528313738b3a90a50a2748faa2398271c477145033d0cb45f86b6395a
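Two checks a practitioner applies when rolling out this advisory are (a) whether the haproxy package on a host is at or above the fixed build `haproxy-2.4.7-2.el9_0.2`, and (b) whether a downloaded RPM matches the SHA-256 listed above. The following is an added example, not code from Red Hat or the haproxy project: it re-implements librpm's version comparison in Python so it runs offline, parses `rpm -q haproxy` style NEVRA strings, and checks a file's digest against the advisory's table. The NEVRA strings in `main()` are constructed samples; on a real host the input is the output of `rpm -q haproxy`.

```python
"""Check an installed haproxy NEVRA against the RHSA-2023:1978 fixed build and
verify a downloaded RPM's SHA-256 against the advisory's published digests.

Added example, not part of the Red Hat advisory. Inputs to is_fixed() are
assumed to be `rpm -q haproxy` output; the samples in main() are constructed.
"""
import hashlib
import hmac
import re
import sys

# Fixed version-release for the RHEL 9.0 EUS stream, from the advisory.
FIXED_VERSION = "2.4.7"
FIXED_RELEASE = "2.el9_0.2"

# Digests copied from the advisory's package list (SRPM and x86_64 shown;
# add the other architectures from the table as needed).
ADVISORY_SHA256 = {
    "haproxy-2.4.7-2.el9_0.2.src.rpm":
        "a5f78ad826ab2b6aaa771dae9a8441c4add813e861e280ef465e3ba50e25bd49",
    "haproxy-2.4.7-2.el9_0.2.x86_64.rpm":
        "49abe3b76f47c45c8b54582b12ea1103fa67ba7edb9def440b380da609cfcff0",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings as librpm's rpmvercmp does:
    split into numeric and alphabetic runs, compare numeric runs as integers
    and alphabetic runs lexically, a numeric run beats an alphabetic one,
    and '~' sorts before everything. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        else:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    extra = sa[len(sb)] if longer_is_a else sb[len(sa)]
    if extra == "~":  # a trailing '~' segment makes that string the older one
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_nevra(nevra):
    """Split 'name-version-release.arch' (as printed by rpm -q) into parts.
    The advisory's NVRs carry no epoch, so epochs are not handled here."""
    rest, arch = nevra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    return name, version, release, arch


def is_fixed(installed_nevra):
    """True if the installed haproxy build is at or above the fixed NVR."""
    name, version, release, _ = parse_nevra(installed_nevra)
    if name != "haproxy":
        raise ValueError(f"not a haproxy package: {installed_nevra}")
    order = rpmvercmp(version, FIXED_VERSION)
    if order == 0:
        order = rpmvercmp(release, FIXED_RELEASE)
    return order >= 0


def verify_rpm_digest(filename, data):
    """Constant-time check of a downloaded RPM's SHA-256 against the advisory."""
    expected = ADVISORY_SHA256.get(filename)
    if expected is None:
        raise KeyError(f"no advisory digest for {filename}")
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample NEVRAs; on a real host pass the output of: rpm -q haproxy
    samples = sys.argv[1:] or [
        "haproxy-2.4.7-2.el9_0.1.x86_64",  # one release behind: vulnerable
        "haproxy-2.4.7-2.el9_0.2.x86_64",  # exactly the advisory build: fixed
        "haproxy-2.4.22-1.el9.x86_64",     # newer upstream version: fixed
    ]
    for nevra in samples:
        print(f"{nevra}: {'fixed' if is_fixed(nevra) else 'VULNERABLE'}")
```

The comparison is only meaningful within the RHEL 9.0 EUS stream this advisory covers; other RHEL 9 streams ship haproxy builds with different version-release strings, so substitute the fixed NVR from the advisory for that stream before trusting the result. A digest match confirms the file is the one Red Hat published, but package signature verification with `rpm -K` remains the authoritative check.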
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 7135-1 - Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions.
Red Hat Security Advisory 2024-0746-03 - Updated container image for Red Hat Ceph Storage 5.3 is now available in the Red Hat Ecosystem Catalog. Issues addressed include cross site scripting and denial of service vulnerabilities.
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Red Hat Security Advisory 2023-1325-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.
Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has d...
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.
Red Hat Security Advisory 2023-1978-01 - The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Issues addressed include a denial of service vulnerability.
An update for haproxy is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0056: An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. * CVE-2023-25725: A flaw was found in HAProxy's headers processing that cause...
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
Debian Linux Security Advisory 5348-1 - Two vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which may result in denial of service, or bypass of access controls and routing rules via specially crafted requests.
Ubuntu Security Notice 5869-1 - Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions.
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.