Description Sam James 2020-03-08 22:31:26 UTC

Description:
"HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c."

BUG (2.x): https://github.com/haproxy/haproxy/issues/181

Patches:
* 2.1.x: https://git.haproxy.org/?p=haproxy-2.1.git;a=commit;h=f0f42389772b2303b162e929449a36b33e181c5f
* 2.0.x: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=fc7f52eb030b555b2c63b3261f6437aee11a5ef9
* 1.9.x: https://git.haproxy.org/?p=haproxy-1.9.git;a=commit;h=23367fabc4a1dc02185c8a8d325e67f3ecda1680

Affected versions (based on releases post patch):
* 2.1.x: <2.1.3
* 2.0.x: <2.0.3
* 1.9.x: <1.9.10 (as 1.9.9 does not seem to have been in tree)

Explanation of versions affected:

Upstream's explanation of the CVE version details being wrong: https://github.com/haproxy/haproxy/issues/181#issuecomment-515524848:
>I took a great care at explaining that only 2.0.0 to 2.0.2 and 1.9.0 to 1.9.8 were vulnerable, 
>and they translated this to "all haproxy up to 2.0.2"
>then somehow reformulated it as 1.4 to 1.9.8.

Note that the patch made it into 2.1.3 so above does not seem exactly right either. I have taken all of this into account in the "affected versions" list above.

Upstream mention (in 2.1 patch) that the fix from 2.1 needed to backported to 2.0, 1.9. 

Given that 1.8 still seems to receive commits, it would *seem* that 1.8.x is not affected. I could not find a patch committed in 1.8.x.