ALT-BU-2022-6987-1
Branch sisyphus_mipsel update bulletin.
Package haproxy updated to version 2.6.6-alt1 for branch sisyphus_mipsel.
Closed vulnerabilities
BDU:2022-06892
Уязвимость серверного программного обеспечения HAProxy, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить доступ к конфиденциальным данным
BDU:2022-06893
Уязвимость функции htx_add_header компонента include/haproxy/htx.h серверного программного обеспечения HAProxy, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2022-06897
Уязвимость серверного программного обеспечения HAProxy, связанная с недостатками в обработке исключительных состояний, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2022-06920
Уязвимость серверного программного обеспечения HAProxy, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-00287
Уязвимость метода HTTP серверного программного обеспечения HAProxy, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю оказать воздействие на целостность данных
Modified: 2024-11-21
CVE-2021-39240
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=4b8852c70d8c4b7e225e24eb58258a15eb54c26e
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=4b8852c70d8c4b7e225e24eb58258a15eb54c26e
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=a495e0d94876c9d39763db319f609351907a31e8
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=a495e0d94876c9d39763db319f609351907a31e8
- FEDORA-2021-3ab4512c98
- FEDORA-2021-3ab4512c98
- FEDORA-2021-e6557245e8
- FEDORA-2021-e6557245e8
- DSA-4960
- DSA-4960
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
Modified: 2024-11-21
CVE-2021-39241
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=89265224d314a056d77d974284802c1b8a0dc97f
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=89265224d314a056d77d974284802c1b8a0dc97f
- FEDORA-2021-3ab4512c98
- FEDORA-2021-3ab4512c98
- FEDORA-2021-e6557245e8
- FEDORA-2021-e6557245e8
- DSA-4960
- DSA-4960
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
Modified: 2024-11-21
CVE-2021-39242
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=b5d2b9e154d78e4075db163826c5e0f6d31b2ab1
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=b5d2b9e154d78e4075db163826c5e0f6d31b2ab1
- FEDORA-2021-3ab4512c98
- FEDORA-2021-3ab4512c98
- FEDORA-2021-e6557245e8
- FEDORA-2021-e6557245e8
- DSA-4960
- DSA-4960
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
Modified: 2024-11-21
CVE-2021-40346
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.
- https://git.haproxy.org/?p=haproxy.git
- https://git.haproxy.org/?p=haproxy.git
- https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
- https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
- https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
- https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
- [cloudstack-dev] 20210910 CVE-2021-40346 (haproxy 2.x)
- [cloudstack-dev] 20210910 CVE-2021-40346 (haproxy 2.x)
- [cloudstack-dev] 20210910 Re: CVE-2021-40346 (haproxy 2.x)
- [cloudstack-dev] 20210910 Re: CVE-2021-40346 (haproxy 2.x)
- FEDORA-2021-3493f9f6ab
- FEDORA-2021-3493f9f6ab
- FEDORA-2021-cd5ee418f6
- FEDORA-2021-cd5ee418f6
- DSA-4968
- DSA-4968
- https://www.mail-archive.com/haproxy%40formilux.org
- https://www.mail-archive.com/haproxy%40formilux.org
- https://www.mail-archive.com/haproxy%40formilux.org/msg41114.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg41114.html
Modified: 2024-11-21
CVE-2022-0711
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
- https://access.redhat.com/security/cve/cve-2022-0711
- https://access.redhat.com/security/cve/cve-2022-0711
- https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- DSA-5102
- DSA-5102
- https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html