Bug 905095 (CVE-2023-0056, CVE-2023-25950) - net-proxy/haproxy: multiple vulnerabilities
Summary: net-proxy/haproxy: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-0056, CVE-2023-25950
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://jvn.jp/en/jp/JVN38170084/
Whiteboard: ~3 [stable]
Reported: 2023-04-26 03:14 UTC by John Helmert III
Modified: 2023-05-01 03:54 UTC
Description (John Helmert III, 2023-04-26 03:14:17 UTC)
CVE-2023-25950

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.

A 2.7 patch is referenced:

https://git.haproxy.org/?p=haproxy-2.7.git;a=commit;h=3ca4223c5e1f18a19dc93b0b09ffdbd295554d46

Does this vulnerability affect older branches?
Comment 1 (John Helmert III, 2023-04-26 03:18:33 UTC)
CVE-2023-0056 (https://access.redhat.com/security/cve/CVE-2023-0056):

An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.

... but there's an upstream bug in haproxy:

https://github.com/haproxy/haproxy/issues/1972

Are we affected?
Comment 2 (Christian Ruppert (idl0r), 2023-04-26 06:55:39 UTC)
>Does this vulnerability affect older branches?
No

>Are we affected?
Some old versions are still in the repo. Waiting for stabilization via bug 894526 and bug 900737.
Comment 3 (John Helmert III, 2023-05-01 03:54:27 UTC)
(In reply to Christian Ruppert (idl0r) from comment #2)
> >Does this vulnerability affect older branches?
> No
> 
> >Are we affected?
> Some old versions are still in the repo. Waiting for stabilizing via bug
> 894526 and bug 900737

So, what are the fixed versions for the purposes of this bug?
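The advisory quoted in the description names the affected HAProxy versions for CVE-2023-25950 as 2.7.0 and 2.6.1 to 2.6.7. The following POSIX shell script is an added example (not part of this bug or of HAProxy) that tells an administrator whether a given version string falls inside that named range; it deliberately does not claim anything about fixed versions, which the bug does not state, and it covers only CVE-2023-25950, since the page gives no version range for CVE-2023-0056. The function and script names are my own.

```sh
#!/bin/sh
# Added example, not from the bug or from HAProxy: report whether an HAProxy
# version string lies in the range the CVE-2023-25950 advisory names
# (2.7.0, and 2.6.1 through 2.6.7 inclusive). Fixed versions are not stated
# in the bug, so this answers only "is it inside the named affected range".

# Reduce a string to its leading dotted numeric core, e.g.
# "HAProxy version 2.6.7-r1 2023/01/01" -> "2.6.7".
normalize() {
    printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//'
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b; missing components count as 0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# in_range VERSION LOW HIGH: succeed when LOW <= VERSION <= HIGH.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# Succeed (exit 0) when the version is 2.7.0 or within 2.6.1..2.6.7.
haproxy_affected_cve_2023_25950() {
    v=$(normalize "$1")
    [ "$(vercmp "$v" 2.7.0)" -eq 0 ] || in_range "$v" 2.6.1 2.6.7
}

# Usage: sh haproxy_cve_2023_25950_check.sh "$(haproxy -v | head -n1)"
for arg in "$@"; do
    if haproxy_affected_cve_2023_25950 "$arg"; then
        echo "$arg: inside the CVE-2023-25950 affected range"
    else
        echo "$arg: outside the named affected range"
    fi
done
```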