Summary: | <net-proxy/haproxy-1.4.21 : Trash Buffer Overflow Vulnerability (CVE-2012-2942) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | idl0r, net-proxy+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/49261/ | ||
Whiteboard: | C1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2012-05-22 13:19:08 UTC
1.4.21 has just been committed. arches, please test and mark stable: =net-proxy/haproxy-1.4.21 target KEYWORDS : "amd64 ppc x86" x86 stable amd64 stable No problems with it in production btw. *ping ppc* ppc done Thanks, folks. GLSA request filed. CVE-2012-2942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2942): Buffer overflow in the trash buffer in the header capture functionality in HAProxy before 1.4.21, when global.tune.bufsize is set to a value greater than the default and header rewriting is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors. Duplicate CVE identifiers have been assigned to this issue. Red Hat has requested clarification/rejection from Mitre [1], but there has not been a response as of yet. [1] http://www.openwall.com/lists/oss-security/2012/05/28/1 (In reply to comment #9) > Duplicate CVE identifiers have been assigned to this issue. Red Hat has > requested clarification/rejection from Mitre [1], but there has not been a > response as of yet. > > [1] http://www.openwall.com/lists/oss-security/2012/05/28/1 Vulnerability Summary for CVE-2012-2391 Original release date:08/17/2012 Last revised:08/17/2012 Source: US-CERT/NIST Overview ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-2942. Reason: This candidate is a duplicate of CVE-2012-2942. Notes: All CVE users should reference CVE-2012-2942 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. This issue was resolved and addressed in GLSA 201301-02 at http://security.gentoo.org/glsa/glsa-201301-02.xml by GLSA coordinator Sean Amoss (ackle). |