Bug 894480 (CVE-2023-0836, CVE-2023-25725)

Summary: <net-proxy/haproxy-{2.2.29, 2.4.22}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: bertrand, idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 894526    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-15 03:42:31 UTC
Advisory: https://www.mail-archive.com/haproxy@formilux.org/msg43229.html

"""
A team of security researchers notified me on Thursday evening that they
had found a dirty bug in HAProxy's headers processing, and that, when
properly exploited, this bug allows to build an HTTP content smuggling
attack. HTTP content smuggling attacks consist in passing extra requests
after a first one on a connection to a proxy, and making the subsequent
ones bypass the filtering in place.

[...]
"""

Please stable the fixed versions, thanks!
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2023-02-15 07:59:00 UTC
Fixed versions are already in the tree. Feel free to stabilize:
net-proxy/haproxy-2.2.29
net-proxy/haproxy-2.4.22
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-15 07:59:59 UTC
(In reply to Christian Ruppert (idl0r) from comment #1)
> Fixed versions are already in the tree. Feel free to stabilize:
> net-proxy/haproxy-2.2.29
> net-proxy/haproxy-2.4.22

Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-05 03:21:04 UTC
CVE-2023-0836 (https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=2e6bf0a):

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
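
The bug class described in the CVE-2023-0836 text above, as an added example that is not part of this bug report and is not HAProxy's code: an encoder for the FCGI_BEGIN_REQUEST record (layout per the FastCGI specification) that skips the 5 reserved bytes, beside a form that zeroes them. All function names and the 'S'-filled buffer are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FastCGI 1.0 constants; a BEGIN_REQUEST body is role(2) + flags(1) + reserved(5). */
enum { FCGI_VERSION_1 = 1, FCGI_BEGIN_REQUEST = 1, FCGI_RESPONDER = 1, FCGI_KEEP_CONN = 1 };
enum { HDR_LEN = 8, BODY_LEN = 8, RESERVED_OFF = HDR_LEN + 3, RESERVED_LEN = 5 };

/* Writes the 8-byte record header plus role and flags; returns the offset of reserved[]. */
static size_t put_fixed_fields(uint8_t *out, uint16_t id, uint16_t role, uint8_t flags) {
    const uint8_t hdr[HDR_LEN] = { FCGI_VERSION_1, FCGI_BEGIN_REQUEST,
        (uint8_t)(id >> 8), (uint8_t)id, 0, BODY_LEN, 0, 0 };
    memcpy(out, hdr, HDR_LEN);
    out[HDR_LEN]     = (uint8_t)(role >> 8);
    out[HDR_LEN + 1] = (uint8_t)role;
    out[HDR_LEN + 2] = flags;
    return RESERVED_OFF;
}

/* Flawed form: the returned length covers reserved[5] but nothing is stored there,
 * so whatever the buffer held before is sent to the FastCGI backend. */
size_t encode_begin_request_leaky(uint8_t *out, uint16_t id, uint16_t role, uint8_t flags) {
    return put_fixed_fields(out, id, role, flags) + RESERVED_LEN;
}

/* Hardened form: reserved[5] is explicitly zeroed before the record is committed. */
size_t encode_begin_request_fixed(uint8_t *out, uint16_t id, uint16_t role, uint8_t flags) {
    size_t off = put_fixed_fields(out, id, role, flags);
    memset(out + off, 0, RESERVED_LEN);
    return off + RESERVED_LEN;
}

/* Encodes into a reused buffer pre-filled with constructed stale data ('S') and
 * returns how many of those stale bytes end up inside the emitted record. */
int leaked_bytes(int use_fixed) {
    uint8_t buf[64];
    int i, leaked = 0;
    memset(buf, 'S', sizeof buf);   /* stands in for earlier traffic left in the buffer */
    size_t len = use_fixed
        ? encode_begin_request_fixed(buf, 1, FCGI_RESPONDER, FCGI_KEEP_CONN)
        : encode_begin_request_leaky(buf, 1, FCGI_RESPONDER, FCGI_KEEP_CONN);
    for (i = 0; i < (int)len; i++)
        leaked += (buf[i] == 'S');
    return leaked;
}

int main(void) {
    printf("leaky: %d stale bytes, fixed: %d\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```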
Comment 4 Hans de Graaff gentoo-dev Security 2023-10-03 19:25:28 UTC
Please clean up the vulnerable version 2.4.18.