Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 894480 (CVE-2023-0836, CVE-2023-25725) - <net-proxy/haproxy-{2.2.29, 2.4.22}: multiple vulnerabilities
Summary: <net-proxy/haproxy-{2.2.29, 2.4.22}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-0836, CVE-2023-25725
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [cleanup]
Keywords:
Depends on: 894526
Blocks:
  Show dependency tree
 
Reported: 2023-02-15 03:42 UTC by Sam James
Modified: 2023-10-03 21:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-15 03:42:31 UTC 
Advisory: https://www.mail-archive.com/haproxy@formilux.org/msg43229.html

"""
A team of security researchers notified me on Thursday evening that they
had found a dirty bug in HAProxy's headers processing, and that, when
properly exploited, this bug allows to build an HTTP content smuggling
attack. HTTP content smuggling attacks consist in passing extra requests
after a first one on a connection to a proxy, and making the subsequent
ones bypass the filtering in place.

[...]
"""

Please stable the fixed versions, thanks!
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2023-02-15 07:59:00 UTC 
Fixed versions are already in the tree. Feel free to stabilize:
net-proxy/haproxy-2.2.29
net-proxy/haproxy-2.4.22
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-15 07:59:59 UTC 
(In reply to Christian Ruppert (idl0r) from comment #1)
> Fixed versions are already in the tree. Feel free to stabilize:
> net-proxy/haproxy-2.2.29
> net-proxy/haproxy-2.4.22

Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-05 03:21:04 UTC 
CVE-2023-0836 (https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=2e6bf0a):

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Comment 4 Hans de Graaff gentoo-dev Security 2023-10-03 19:25:28 UTC 
Please clean up the vulnerable version 2.4.18.