CVE-2023-40225

2023-08-1021:15:10

Debian Security Bug Tracker

security-tracker.debian.org

haproxy

content-length

rfc 9110

http/1

vulnerability

unix

0.002 Low

EPSS

Percentile

52.5%

JSON

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

OSVersionArchitecturePackageVersionFilename
Debian12allhaproxy< 2.6.12-1+deb12u1haproxy_2.6.12-1+deb12u1_all.deb
Debian11allhaproxy< 2.2.9-2+deb11u6haproxy_2.2.9-2+deb11u6_all.deb
Debian10allhaproxy< 1.8.19-1+deb10u3haproxy_1.8.19-1+deb10u3_all.deb
Debian999allhaproxy< 2.6.15-1haproxy_2.6.15-1_all.deb
Debian13allhaproxy< 2.6.15-1haproxy_2.6.15-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	haproxy	< 2.6.12-1+deb12u1	haproxy_2.6.12-1+deb12u1_all.deb
Debian	11	all	haproxy	< 2.2.9-2+deb11u6	haproxy_2.2.9-2+deb11u6_all.deb
Debian	10	all	haproxy	< 1.8.19-1+deb10u3	haproxy_1.8.19-1+deb10u3_all.deb
Debian	999	all	haproxy	< 2.6.15-1	haproxy_2.6.15-1_all.deb
Debian	13	all	haproxy	< 2.6.15-1	haproxy_2.6.15-1_all.deb