UbuntuUpdates.org

Package "haproxy"

Name: haproxy

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • fast and reliable load balancing reverse proxy (HTML documentation)
  • syntax highlighting for HAProxy configuration files

Latest version: 2.8.16-0ubuntu0.24.04.1
Release: noble (24.04)
Level: updates
Repository: universe

Other versions of "haproxy" in Noble

Repository Area Version
base universe 2.8.5-1ubuntu3
base main 2.8.5-1ubuntu3
security universe 2.8.5-1ubuntu3.4
security main 2.8.5-1ubuntu3.4
updates main 2.8.16-0ubuntu0.24.04.1
proposed main 2.8.16-0ubuntu0.24.04.1
proposed universe 2.8.16-0ubuntu0.24.04.1

Changelog

Version: 2.8.16-0ubuntu0.24.04.1 2026-01-15 20:12:23 UTC

  haproxy (2.8.16-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version (LP: #2127664)
    - The API for the lua HTTPMessage "class" was improved to be able to
      change the body length. It was mandatory to be able to write a lua
      filter altering the message payload. HTTPMessage:set_body_len() can now
      be used for this purpose
    - Still in lua, the HTTP client is not supposed to be used to process
      several requests but there was nothing to prevent this usage. An error
      is now triggered in that case
    - For further information, see the upstream release notes:
      + https://<email address hidden>/msg46201.html
  * d/p/CVE-2025-11230.patch: drop patch fixed upstream in 2.8.16

 -- Athos Ribeiro <email address hidden> Wed, 03 Dec 2025 12:12:24 -0300

Source diff to previous version
2127664 New HAProxy upstream microreleases 2.4.30, 2.8.16, and 3.0.12
CVE-2025-11230 BUG/CRITICAL: mjson: fix possible DoS when parsing numbers

Version: 2.8.15-0ubuntu0.24.04.1 2025-11-13 22:07:22 UTC

  haproxy (2.8.15-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version (LP: #2112526)
    - This new release introduces several fixes, including bug fixes for QUIC,
      for the SSL stack, and LUA.
    - New configuration options were introduced, and a new default value for
      the hard limit on the number of file descriptors was introduced. These
      are described in the Debian NEWS file.
    - For further information, see the upstream release notes:
      + https://<email address hidden>/msg44606.html
      + https://<email address hidden>/msg44632.html
      + https://<email address hidden>/msg44787.html
      + https://<email address hidden>/msg44790.html
      + https://<email address hidden>/msg45060.html
      + https://<email address hidden>/msg45317.html
      + https://<email address hidden>/msg45413.html
      + https://<email address hidden>/msg45486.html
      + https://<email address hidden>/msg45570.html
      + https://<email address hidden>/msg45806.html
  * d/NEWS: add NEWS file.
  * Dropped patches applied upstream:
    - d/p/CVE-2024-53008-1.patch
    - d/p/CVE-2024-53008-2.patch
    - d/p/CVE-2025-32464.patch

 -- Athos Ribeiro <email address hidden> Wed, 08 Oct 2025 10:50:30 -0300

Source diff to previous version
2112526 Micro release updates for jammy, noble, and plucky
CVE-2024-53008 Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remo
CVE-2025-32464 HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the repl

Version: 2.8.5-1ubuntu3.4 2025-10-06 21:08:25 UTC

  haproxy (2.8.5-1ubuntu3.4) noble-security; urgency=medium

  * SECURITY UPDATE: DoS via MJSON
    - debian/patches/CVE-2025-11230.patch: fix possible DoS when parsing
      numbers in src/mjson.c.
    - CVE-2025-11230

 -- Marc Deslauriers <email address hidden> Wed, 01 Oct 2025 13:01:09 -0400

Source diff to previous version
CVE-2025-11230 BUG/CRITICAL: mjson: fix possible DoS when parsing numbers

Version: 2.8.5-1ubuntu3.3 2025-04-10 18:06:59 UTC

  haproxy (2.8.5-1ubuntu3.3) noble-security; urgency=medium

  * SECURITY UPDATE: heap overflow in sample_conv_regsub
    - debian/patches/CVE-2025-32464.patch: fix risk of overflow when
      replacing multiple regex back-refs in src/sample.c.
    - CVE-2025-32464

 -- Marc Deslauriers <email address hidden> Wed, 09 Apr 2025 08:50:46 -0400

Source diff to previous version
CVE-2025-32464 HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the repl

Version: 2.8.5-1ubuntu3.2 2024-12-03 04:06:45 UTC

  haproxy (2.8.5-1ubuntu3.2) noble-security; urgency=medium

  * SECURITY UPDATE: Request smuggling
    - debian/patches/CVE-2024-53008-1.patch: Check pseudo-header method
      contains only valid characters according to RFC 9110
    - debian/patches/CVE-2024-53008-2.patch: Check pseudo-header scheme
      contains only valid characters according to RFC 9110
    - CVE-2024-53008

 -- Bruce Cable <email address hidden> Mon, 02 Dec 2024 15:01:44 +1100

CVE-2024-53008 Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remo
