Bug 715944 (CVE-2020-11100) - <net-proxy/haproxy-{2.0.13,2.1.4}: hpack_dht_insert (hpack-tbl.c) allows possible remote code execution (CVE-2020-11100)
Status: RESOLVED FIXED
Alias: CVE-2020-11100
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mail-archive.com/haproxy@...
Whiteboard: B2 [glsa+ cve]
Depends on: 668002
Reported: 2020-04-02 19:12 UTC by Sam James
Modified: 2021-04-05 00:07 UTC
Description Sam James archtester gentoo-dev Security 2020-04-02 19:12:15 UTC
Description:
"In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution."

Patch: https://git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88

Announcement: https://www.mail-archive.com/haproxy@formilux.org/msg36876.html
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2020-04-03 07:15:08 UTC
2.0.13 and 2.1.4 have been added already and can be stabilized IMO
Comment 2 Sam James archtester gentoo-dev Security 2020-04-05 22:17:11 UTC
@maintainer: thanks!

@arches, please stabilise.
Comment 3 Sam James archtester gentoo-dev Security 2020-04-05 22:23:37 UTC
(ppc blocked on bug 668002).
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-07 10:32:57 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-08 09:49:05 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-14 12:33:03 UTC
x86 stable
Comment 7 Matt Turner gentoo-dev 2020-05-23 19:19:51 UTC
ppc stable. All arches stable.
Comment 8 NATTkA bot gentoo-dev 2020-05-23 19:20:48 UTC Comment hidden (obsolete)
Comment 9 Sam James archtester gentoo-dev Security 2020-05-23 22:37:22 UTC
@maintainer(s), please clean up
Comment 10 John Helmert III gentoo-dev Security 2020-07-30 06:00:20 UTC
Ping. Please clean up
Comment 11 John Helmert III gentoo-dev Security 2020-10-30 02:16:36 UTC
Maintainer, looks like the last vulnerable version in tree is 1.8.26; if that is affected, it needs to be dropped. If not, please let us know.
Comment 12 NATTkA bot gentoo-dev 2020-12-10 19:57:08 UTC Comment hidden (obsolete)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-12-24 14:17:06 UTC
This issue was resolved and addressed in GLSA 202012-22 at https://security.gentoo.org/glsa/202012-22 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Thomas Deutschmann gentoo-dev Security 2020-12-24 14:19:39 UTC
Re-opening for cleanup.
Comment 15 NATTkA bot gentoo-dev 2021-04-01 20:13:13 UTC
Unable to check for sanity:

> no match for package: =net-proxy/haproxy-2.0.14
Comment 16 Christian Ruppert (idl0r) gentoo-dev 2021-04-03 09:53:32 UTC
There should be no version left that's affected by this bug.
Comment 17 John Helmert III gentoo-dev Security 2021-04-05 00:06:56 UTC
Cleanup done, all done.