Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

HAProxy: Remote execution of arbitrary code — GLSA 202004-01

A vulnerability in HAProxy might lead to remote execution of arbitrary code.

Affected packages

Package net-proxy/haproxy on all architectures
Affected versions < 2.0.10
Unaffected versions revision >= 1.8.23
revision >= 1.9.13
revision >= 2.0.10

Background

HAProxy is a TCP/HTTP reverse proxy for high availability environments.

Description

It was discovered that HAProxy incorrectly handled certain HTTP/2 headers.

Impact

A remote attacker could send a specially crafted HTTP/2 header, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All HAProxy 1.8.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.8.23"

All HAProxy 1.9.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.9.13"

All HAProxy 2.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.10"

References

Release date
April 01, 2020

Latest revision
April 01, 2020: 1

Severity
high

Exploitable
remote

Bugzilla entries