Advisory: https://www.mail-archive.com/haproxy@formilux.org/msg43229.html

"""
A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxy's headers processing, and that, when properly exploited, this bug allows building an HTTP content smuggling attack. HTTP content smuggling attacks consist in passing extra requests after a first one on a connection to a proxy, and making the subsequent ones bypass the filtering in place. [...]
"""

Please stabilize the fixed versions, thanks!
Fixed versions are already in the tree. Feel free to stabilize:
net-proxy/haproxy-2.2.29
net-proxy/haproxy-2.4.22
(In reply to Christian Ruppert (idl0r) from comment #1)
> Fixed versions are already in the tree. Feel free to stabilize:
> net-proxy/haproxy-2.2.29
> net-proxy/haproxy-2.4.22

Thanks!
CVE-2023-0836 (https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=2e6bf0a): An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
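The five uninitialized bytes named in CVE-2023-0836 correspond to the `reserved[5]` field of the FCGI_BEGIN_REQUEST body (role, flags, then five reserved bytes the FastCGI spec requires to be zero). The following is an added illustration, not HAProxy's own code: it encodes the record with the reserved bytes explicitly zeroed and parses a captured record to flag non-zero reserved bytes, which on the wire would indicate stale buffer content being sent to a FastCGI backend. All function names and the sample records are my own constructions.

```python
import struct

FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST = 1   # record type
FCGI_RESPONDER = 1       # role
FCGI_KEEP_CONN = 1       # flags bit

def encode_begin_request(request_id: int, role: int = FCGI_RESPONDER, flags: int = 0) -> bytes:
    """Build an 8-byte FCGI header plus 8-byte FCGI_BEGIN_REQUEST body.

    Body layout: role (2 bytes, big endian), flags (1 byte), reserved (5 bytes).
    The reserved bytes are written explicitly as zeros; leaving them as whatever
    the output buffer previously held is exactly the class of defect CVE-2023-0836 describes.
    """
    body = struct.pack(">HB5s", role, flags, b"\x00" * 5)
    # header: version, type, requestId, contentLength, paddingLength, reserved
    header = struct.pack(">BBHHBB", FCGI_VERSION_1, FCGI_BEGIN_REQUEST,
                         request_id, len(body), 0, 0)
    return header + body

def check_begin_request(record: bytes) -> dict:
    """Parse one FCGI_BEGIN_REQUEST record and report whether its reserved bytes are non-zero."""
    if len(record) < 16:
        raise ValueError("record too short for FCGI_BEGIN_REQUEST")
    version, rtype, request_id, clen, plen, _ = struct.unpack(">BBHHBB", record[:8])
    if version != FCGI_VERSION_1 or rtype != FCGI_BEGIN_REQUEST or clen != 8:
        raise ValueError("not a well-formed FCGI_BEGIN_REQUEST record")
    role, flags, reserved = struct.unpack(">HB5s", record[8:16])
    return {
        "request_id": request_id,
        "role": role,
        "keep_conn": bool(flags & FCGI_KEEP_CONN),
        "reserved": reserved,
        # any non-zero reserved byte means the encoder emitted buffer residue
        "reserved_nonzero": reserved != b"\x00" * 5,
    }

# Constructed sample: what a defective encoder could emit, with stale bytes in the reserved field.
LEAKY_SAMPLE = bytes.fromhex("0101000100080000") + struct.pack(">HB", FCGI_RESPONDER, 0) + b"stale"

if __name__ == "__main__":
    print(encode_begin_request(1).hex())
    print(check_begin_request(LEAKY_SAMPLE))
```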
Please clean up the vulnerable version 2.4.18.