[SECURITY] [DLA 3688-1] haproxy security update

2023-12-1415:55:00

lists.debian.org

vulnerability

cve-2023-45539

haproxy

security tracker

uri

upgrade

debian lts

buster

information disclosure

security update

debian 10

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.8%

JSON

Debian LTS Advisory DLA-3688-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
December 14, 2023 https://wiki.debian.org/LTS

Package : haproxy
Version : 1.8.19-1+deb10u5
CVE ID : CVE-2023-45539

It was discovered that there was a potential information disclosure
vulnerability in HAProxy, a reverse proxy server used to load balance
HTTP requests across multiple servers.

HAProxy formerly accepted the "#" (ie. the "pound" or "hash") symbol
as part of a URI component. This might have allowed remote attackers
to obtain sensitive information upon HAProxy's misinterpretation of a
"path_end" rule, such as by routing "index.html#.png" to a static
server.

For Debian 10 buster, this problem has been fixed in version
1.8.19-1+deb10u5.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian11arm64haproxy< 2.2.9-2+deb11u6haproxy_2.2.9-2+deb11u6_arm64.deb
Debian11amd64haproxy< 2.2.9-2+deb11u6haproxy_2.2.9-2+deb11u6_amd64.deb
Debian12armelhaproxy< 2.6.12-1+deb12u1haproxy_2.6.12-1+deb12u1_armel.deb
Debian11s390xhaproxy-dbgsym< 2.2.9-2+deb11u6haproxy-dbgsym_2.2.9-2+deb11u6_s390x.deb
Debian11armhfhaproxy< 2.2.9-2+deb11u6haproxy_2.2.9-2+deb11u6_armhf.deb
Debian11arm64haproxy-dbgsym< 2.2.9-2+deb11u6haproxy-dbgsym_2.2.9-2+deb11u6_arm64.deb
Debian12s390xhaproxy< 2.6.12-1+deb12u1haproxy_2.6.12-1+deb12u1_s390x.deb
Debian11armhfhaproxy-dbgsym< 2.2.9-2+deb11u6haproxy-dbgsym_2.2.9-2+deb11u6_armhf.deb
Debian11ppc64elhaproxy-dbgsym< 2.2.9-2+deb11u6haproxy-dbgsym_2.2.9-2+deb11u6_ppc64el.deb
Debian12mips64elhaproxy-dbgsym< 2.6.12-1+deb12u1haproxy-dbgsym_2.6.12-1+deb12u1_mips64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	arm64	haproxy	< 2.2.9-2+deb11u6	haproxy_2.2.9-2+deb11u6_arm64.deb
Debian	11	amd64	haproxy	< 2.2.9-2+deb11u6	haproxy_2.2.9-2+deb11u6_amd64.deb
Debian	12	armel	haproxy	< 2.6.12-1+deb12u1	haproxy_2.6.12-1+deb12u1_armel.deb
Debian	11	s390x	haproxy-dbgsym	< 2.2.9-2+deb11u6	haproxy-dbgsym_2.2.9-2+deb11u6_s390x.deb
Debian	11	armhf	haproxy	< 2.2.9-2+deb11u6	haproxy_2.2.9-2+deb11u6_armhf.deb
Debian	11	arm64	haproxy-dbgsym	< 2.2.9-2+deb11u6	haproxy-dbgsym_2.2.9-2+deb11u6_arm64.deb
Debian	12	s390x	haproxy	< 2.6.12-1+deb12u1	haproxy_2.6.12-1+deb12u1_s390x.deb
Debian	11	armhf	haproxy-dbgsym	< 2.2.9-2+deb11u6	haproxy-dbgsym_2.2.9-2+deb11u6_armhf.deb
Debian	11	ppc64el	haproxy-dbgsym	< 2.2.9-2+deb11u6	haproxy-dbgsym_2.2.9-2+deb11u6_ppc64el.deb
Debian	12	mips64el	haproxy-dbgsym	< 2.6.12-1+deb12u1	haproxy-dbgsym_2.6.12-1+deb12u1_mips64el.deb