GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Wed Apr 01, 2020 8:26 pm Post subject: [ GLSA 202004-01 ] HAProxy |
 |
|
Gentoo Linux Security Advisory
Title: HAProxy: Remote execution of arbitrary code (GLSA 202004-01)
Severity: high
Exploitable: remote
Date: 2020-04-01
Bug(s): #701842
ID: 202004-01
Synopsis
A vulnerability in HAProxy might lead to remote execution of
arbitrary code.
Background
HAProxy is a TCP/HTTP reverse proxy for high availability environments.
Affected Packages
Package: net-proxy/haproxy
Vulnerable: < 2.0.10
Unaffected: >= 1.8.23 < 1.8.24
Unaffected: >= 1.9.13 < 1.9.14
Unaffected: >= 2.0.10 < 2.0.11
Architectures: All supported architectures
Description
It was discovered that HAProxy incorrectly handled certain HTTP/2
headers.
Impact
A remote attacker could send a specially crafted HTTP/2 header, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All HAProxy 1.8.x users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.8.23"
|
All HAProxy 1.9.x users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.9.13"
|
All HAProxy 2.0.x users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.10"
|
References
CVE-2019-19330 |
|
News & Announcements
