834688 – (CVE-2022-0711) <net-proxy/haproxy-{2.2.21,2.4.14,2.5.4}: infinite loop on HTTP responses with Set-Cookie2 header

Bug 834688 (CVE-2022-0711) - <net-proxy/haproxy-{2.2.21,2.4.14,2.5.4}: infinite loop on HTTP responses with Set-Cookie2 header

Summary: <net-proxy/haproxy-{2.2.21,2.4.14,2.5.4}: infinite loop on HTTP responses wit...

Status:	CONFIRMED

Alias:	CVE-2022-0711

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	834727
Blocks:
	Show dependency tree

Reported:	2022-03-06 18:59 UTC by John Helmert III
Modified:	2023-10-02 12:19 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-03-06 18:59:24 UTC

CVE-2022-0711:

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.

Apparently unreleased patch: https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8

Comment 1 Christian Ruppert (idl0r) gentoo-dev

2022-03-06 19:15:47 UTC

Fixed versions are already in the tree.
>=2.2.21
>=2.4.13
>=2.5.2

If you want to stabilize, please stabilize:
=net-proxy/haproxy-2.0.27
=net-proxy/haproxy-2.2.21
=net-proxy/haproxy-2.4.14
=net-proxy/haproxy-2.5.4

Comment 2 John Helmert III archtester

2022-06-01 12:55:27 UTC

Please cleanup