Summary: | <net-proxy/haproxy-1.4.23: crash on TCP content inspection rules (CVE-2013-1912) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | idl0r, net-proxy+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2013/04/03/1 | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-04-03 12:54:02 UTC
I just added 1.4.23 so feel free to stabilze. Arches, please test and mark stable: =net-proxy/haproxy-1.4.23 Target keywords : "amd64 ppc x86" amd64 stable x86 stable ppc stable GLSA vote: no. CVE-2013-1912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1912): Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that appends to requests, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests that prevent request realignment from occurring. This issue was resolved and addressed in GLSA 201307-01 at http://security.gentoo.org/glsa/glsa-201307-01.xml by GLSA coordinator Sean Amoss (ackle). |