Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585522 (CVE-2016-5360) - <net-proxy/haproxy-1.6.6: remote denial of service via reqdeny (CVE-2016-5360)
Summary: <net-proxy/haproxy-1.6.6: remote denial of service via reqdeny (CVE-2016-5360)
Status: RESOLVED FIXED
Alias: CVE-2016-5360
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-10 13:06 UTC by Agostino Sarubbo
Modified: 2016-07-05 03:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-10 13:06:43 UTC
From ${URL} :


This is a remote denial of service against haproxy (uncontrollable crash).

http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b

The problem was apparently introduced in haproxy 1.6.0, and is fixed in git (which will become 1.6.6).



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2016-07-04 18:05:08 UTC
1.6.5 has been removed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-07-05 03:35:30 UTC
CVE-2016-5360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5360):
  HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows
  remote attackers to cause a denial of service (uninitialized memory access
  and crash) or possibly have unspecified other impact via unknown vectors.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 03:39:34 UTC
Upstream commit verifies that the issue was introduced in 1.6-dev2:

"Commit 108b1dd ("MEDIUM: http: configurable http result codes for http-request deny") introduced in 1.6-dev2 was incomplete."

@Christian, thanks for the bump and cleanup!