------------------------------------------------------------------------- Debian LTS Advisory DLA-3034-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany May 30, 2022 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : haproxy Version : 1.7.5-2+deb9u1 CVE ID : CVE-2018-20102 CVE-2018-20103 CVE-2019-18277 Debian Bug : 916308 916307 Nathan Davison discovered that HAProxy, a load balancing reverse proxy, did not correctly reject requests or responses featuring a transfer-encoding header missing the "chunked" value which could facilitate a HTTP request smuggling attack. Furthermore several flaws were discovered in DNS related functions that may trigger infinite recursion leading to a denial of service or to information leakage due to a out-of-bounds read. For Debian 9 stretch, these problems have been fixed in version 1.7.5-2+deb9u1. We recommend that you upgrade your haproxy packages. For the detailed security status of haproxy please refer to its security tracker page at: https://security-tracker.debian.org/tracker/haproxy Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part