Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 554162 (CVE-2015-3281) - <net-proxy/haproxy-1.5.14: Information leak vulnerability (CVE-2015-3281)
Summary: <net-proxy/haproxy-1.5.14: Information leak vulnerability (CVE-2015-3281)
Status: RESOLVED FIXED
Alias: CVE-2015-3281
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q3/61
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on: 554048
Blocks:
  Show dependency tree
 
Reported: 2015-07-07 17:47 UTC by Kristian Fiskerstrand
Modified: 2016-02-25 08:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2015-07-07 17:47:47 UTC
From ${URL}:
Hi,

I think this should be brought in here, from the news section on the
HAProxy website:

http://www.haproxy.org/news.html

"July, 3rd, 2015 : 1.5.14 : fixes an information leak vulnerability
(CVE-2015-3281) 

A vulnerability was found when HTTP pipelining is used.  In some cases,
a client might be able to cause a buffer alignment issue and retrieve
uninitialized memory contents that exhibit data from a past request or
session.  I want to address sincere congratulations to Charlie
Smurthwaite of aTech Media for the really detailed traces he provided
which made it possible to find the cause of this bug.  Every user of
1.5-dev, 1.5.x or 1.6-dev must upgrade to 1.5.14 or latest 1.6-dev
snapshot to fix this issue, or use the backport of the fix provided by
their operating system vendors.  CVE-2015-3281 was assigned to this bug."

Fix:

http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4

CVE:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3281

"The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and
1.6-dev does not properly realign a buffer that is used for pending
outgoing data, which allows remote attackers to obtain sensitive
information (uninitialized memory contents of previous requests) via a
crafted request."

Debian and Ubuntu have already sent out advisories.

Alexander
Comment 1 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-07 20:23:42 UTC
1.5.14 has just been added.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2015-07-07 21:10:11 UTC
(In reply to Christian Ruppert (idl0r) from comment #1)
> 1.5.14 has just been added.

Thanks, please call arches when ready for stabilization
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-07-07 21:31:44 UTC
CVE-2015-3281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3281):
  The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev
  does not properly realign a buffer that is used for pending outgoing data,
  which allows remote attackers to obtain sensitive information (uninitialized
  memory contents of previous requests) via a crafted request.
Comment 4 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-10 20:57:56 UTC
@Arches, please stabilize =net-proxy/haproxy-1.5.14
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-14 10:36:57 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-14 10:37:41 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:37 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:47:59 UTC
Vote: no.
Comment 9 Kristian Fiskerstrand gentoo-dev Security 2015-11-09 21:57:26 UTC
GLSA Vote: No
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2016-01-26 03:38:06 UTC
Maintainer(s), please drop the vulnerable version(s).