[Bugs] [Bug 13532] New: [CVE 21] haproxy 2.6.6 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed Aug 23 23:20:11 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13532
Platform: 2021.1
Bug ID: 13532
Summary: [CVE 21] haproxy 2.6.6 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2023-0836, CVE-2023-25725, CVE-2023-25950, CVE-2023-40225
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch the CVEs for package haproxy version 2.6.6.
INFO (CVEs are): haproxy 2.6.6
CVEs found:
CVE-2023-0836
Desc: An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0836
Severity: HIGH

CVE-2023-25725
Desc: HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-25725
Severity: CRITICAL

CVE-2023-25950
Desc: HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-25950
Severity: HIGH

CVE-2023-40225
Desc: HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-40225
Severity: HIGH
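As an added defensive example (not part of this bug report and not HAProxy's own code): a small Python check that flags the two malformed HTTP/1 request shapes described under CVE-2023-25725 (empty header field name) and CVE-2023-40225 (empty Content-Length value), so a front-end, fuzzing harness or regression test can reject such a head instead of forwarding it. The sample requests are constructed for the example.

```python
import re

# RFC 9110 "token" characters, the only ones allowed in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header_block(raw: bytes) -> list[str]:
    """Return the problems found in an HTTP/1 request head (empty list = clean).

    Covers the two shapes named in the CVEs above plus basic sanity checks;
    it is a strictness gate, not a full HTTP parser.
    """
    problems: list[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["head not terminated by CRLFCRLF"]
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"header line without ':' : {line!r}")
            continue
        if name == b"":
            # CVE-2023-25725: an empty field name must never be accepted.
            problems.append("empty header field name (CVE-2023-25725 shape)")
            continue
        if not TOKEN.match(name.decode("latin-1")):
            problems.append(f"invalid characters in field name {name!r}")
            continue
        if name.lower() == b"content-length":
            v = value.strip()
            if v == b"":
                # CVE-2023-40225: RFC 9110 8.6 requires a non-empty digit value.
                problems.append("empty Content-Length (CVE-2023-40225 shape)")
            elif not v.isdigit():
                problems.append(f"non-numeric Content-Length {v!r}")
    return problems


# Constructed sample heads (assumed, for demonstration only).
GOOD = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc"
EMPTY_NAME = b"GET / HTTP/1.1\r\nHost: example.test\r\n: x\r\nX-After: 1\r\n\r\n"
EMPTY_CL = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length:\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("empty-name", EMPTY_NAME), ("empty-cl", EMPTY_CL)):
        print(label, check_header_block(sample) or "ok")
```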