Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 701842 (CVE-2019-19330) - <net-proxy/haproxy-{1.8.23,1.9.13,2.0.10}: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330)
Summary: <net-proxy/haproxy-{1.8.23,1.9.13,2.0.10}: HTTP/2 implementation vulnerable t...
Status: RESOLVED FIXED
Alias: CVE-2019-19330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2019-18277
  Show dependency tree
 
Reported: 2019-12-02 23:31 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-21 02:32 UTC (History)
3 users (show)

See Also:
Package list:
=net-proxy/haproxy-2.0.14 =net-proxy/haproxy-2.1.4
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 23:31:13 UTC
CVE-2019-19330 (https://nvd.nist.gov/vuln/detail/CVE-2019-19330):
  The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as
  demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa),
  and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation
  Attacks.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:09:11 UTC
@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself (see also bug 699870).
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-27 23:26:48 UTC
Permission received from maintainer via IRC.

@arches, please stabilise (amd64, arm, ppc, x86).
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-30 13:14:47 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-30 13:36:27 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-30 13:42:01 UTC
x86 stable
Comment 6 Tomáš Mózes 2020-04-01 00:45:58 UTC
Maybe we should have targeted the LTS branch 2.0.
Comment 7 Tomáš Mózes 2020-04-01 00:47:11 UTC
(In reply to Tomáš Mózes from comment #6)
> Maybe we should have targeted the LTS branch 2.0.

I meant like having 2.1 in ~testing and 2.0 stable.
Comment 8 Christian Ruppert (idl0r) gentoo-dev 2020-04-01 07:24:26 UTC
(In reply to Tomáš Mózes from comment #7)
> (In reply to Tomáš Mózes from comment #6)
> > Maybe we should have targeted the LTS branch 2.0.
> 
> I meant like having 2.1 in ~testing and 2.0 stable.

That's why 2.0.13 will be stabilized as well. I don't see a problem having both stabilized since both work pretty solid/stable for me.
Comment 9 Tomáš Mózes 2020-04-01 12:39:03 UTC
Not really a problem, but probably no one will run 2.0 as the latest stable is 2.1 ;) If you just install/upgrade haproxy, then everybody will receive version 2.1, so is there a point of keeping both stable? 

But like I said, not really a problem, just my opinion.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 19:32:08 UTC
This issue was resolved and addressed in
 GLSA 202004-01 at https://security.gentoo.org/glsa/202004-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:32:44 UTC
Re-opening for remaining architectures.
Comment 12 ernsteiswuerfel archtester 2020-04-05 22:08:20 UTC
Still fails to build on ppc due to bug #668002.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2020-04-06 02:18:25 UTC
Newer Stabilization in progress, Please continue in Bug #715944
Comment 14 NATTkA bot gentoo-dev 2020-04-24 09:20:47 UTC
Unable to check for sanity:

> no match for package: =net-proxy/haproxy-2.0.13
Comment 15 NATTkA bot gentoo-dev 2020-04-30 09:01:28 UTC
All sanity-check issues have been resolved
Comment 16 Matt Turner gentoo-dev 2020-05-23 19:20:36 UTC
ppc stable. all arches stable
Comment 17 NATTkA bot gentoo-dev 2020-05-23 19:20:58 UTC
Unable to check for sanity:

> dependent bug #715944 is missing keywords
Comment 18 NATTkA bot gentoo-dev 2020-05-23 19:24:51 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-23 22:36:35 UTC
@maintainer(s), please cleanup
Comment 20 Larry the Git Cow gentoo-dev 2020-06-20 01:20:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22a7680ab28c28d7b7f100c83500c4630c848f12

commit 22a7680ab28c28d7b7f100c83500c4630c848f12
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:19:54 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:19:54 +0000

    net-analyzer/sarg: drop vulnerable
    
    Bug: https://bugs.gentoo.org/701842
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 net-analyzer/sarg/Manifest              |  1 -
 net-analyzer/sarg/sarg-2.3.11-r1.ebuild | 43 --------------------------------
 net-analyzer/sarg/sarg-2.3.11-r2.ebuild | 44 ---------------------------------
 3 files changed, 88 deletions(-)