"In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution."
2.0.13 and 2.1.4 have been added already and can be stabilized IMO
@arches, please stabilise.
(ppc blocked on bug 668002).
ppc stable. All arches stable.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
@maintainer(s), please clean up
Ping. Please clean up
Maintainer, looks like the last vulnerable version in tree is 1.8.26, if that is affected it needs to be dropped. If not please let us know.
Unable to check for sanity:
> no match for package: =net-proxy/haproxy-2.0.14
This issue was resolved and addressed in
GLSA 202012-22 at https://security.gentoo.org/glsa/202012-22
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
There should be no version left that's affected by this bug.
Cleanup done, all done.