A buffer overflow in HAProxy might allow an attacker to execute arbitrary code.
|Package||net-proxy/haproxy on all architectures|
|Affected versions||< 2.1.4|
|Unaffected versions||>= 2.0.13
HAProxy is a TCP/HTTP reverse proxy for high availability environments.
It was discovered that HAProxy incorrectly handled certain HTTP/2 headers.
A remote attacker, by sending a specially crafted HTTP/2 request, could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.
Disable HTTP/2 support.
All HAProxy 2.0.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.13:0/2.0"
All other HAProxy users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.1.4"
December 24, 2020
December 24, 2020: 1