UbuntuUpdates.org

Package "haproxy"

Name: haproxy

Description:

fast and reliable load balancing reverse proxy

Latest version: 2.4.22-0ubuntu0.22.04.3
Release: jammy (22.04)
Level: security
Repository: main
Homepage: http://www.haproxy.org/

Links


Download "haproxy"


Other versions of "haproxy" in Jammy

Repository Area Version
base main 2.4.14-1ubuntu1
base universe 2.4.14-1ubuntu1
security universe 2.4.22-0ubuntu0.22.04.3
updates main 2.4.24-0ubuntu0.22.04.1
updates universe 2.4.24-0ubuntu0.22.04.1

Changelog

Version: 2.4.22-0ubuntu0.22.04.3 2023-12-05 15:06:55 UTC

  haproxy (2.4.22-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: info disclosure or end_rule issue via hash character
    - debian/patches/CVE-2023-45539.patch: do not accept '#' as part of the
      URI component in src/h1.c.
    - CVE-2023-45539

 -- Marc Deslauriers <email address hidden> Mon, 04 Dec 2023 13:00:27 -0500

Source diff to previous version
CVE-2023-45539 HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified o

Version: 2.4.22-0ubuntu0.22.04.2 2023-08-16 15:06:55 UTC

  haproxy (2.4.22-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: incorrect handling of empty content-length header
    - debian/patches/CVE-2023-40225-1.patch: add a proper check for empty
      content-length header buffer in src/h1.c and src/h2.c. Also add
      tests for it in reg-tests/http-messaging/h1_to_h1.vtc and
      reg-tests/http-messaging/h2_to_h1.vtc.
    - debian/patches/CVE-2023-40225-2.patch: add a check for leading zero
      in content-length header buffer in src/h1.c and src/h2.c. Also add
      tests in reg-tests/http-rules/h1or2_to_h1c.vtc.
    - CVE-2023-40225

 -- Rodrigo Figueiredo Zaiden <email address hidden> Mon, 14 Aug 2023 20:00:52 -0300

Source diff to previous version
CVE-2023-40225 HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x

Version: 2.4.18-0ubuntu1.3 2023-04-03 15:06:57 UTC

  haproxy (2.4.18-0ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: information leak via uninitialized bytes
    - debian/patches/CVE-2023-0836.patch: initialize output buffer in
      src/fcgi.c.
    - CVE-2023-0836

 -- Marc Deslauriers <email address hidden> Fri, 31 Mar 2023 13:18:03 -0400

Source diff to previous version
CVE-2023-0836 An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7

Version: 2.4.18-0ubuntu1.2 2023-02-14 19:07:05 UTC

  haproxy (2.4.18-0ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: incorrect handling of empty http header field names
    - debian/patches/CVE-2023-25725.patch: properly reject empty http
      header field names in src/h1.c, src/hpack-dec.c.
    - CVE-2023-25725

 -- Marc Deslauriers <email address hidden> Mon, 13 Feb 2023 07:42:24 -0500

Source diff to previous version

Version: 2.4.18-0ubuntu1.1 2023-01-23 16:07:58 UTC

  haproxy (2.4.18-0ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via certain interim responses
    - debian/patches/CVE-2023-0056.patch: refuse interim responses with
      end-stream flag set in src/mux_h2.c.
    - CVE-2023-0056

 -- Marc Deslauriers <email address hidden> Thu, 19 Jan 2023 10:47:52 -0500

CVE-2023-0056 RESERVED



About   -   Send Feedback to @ubuntu_updates