haproxy -- information leak vulnerability

ID CBFA8BD7-24B6-11E5-86FF-14DAE9D210B8
Type freebsd
Reporter FreeBSD
Modified 2015-07-02T00:00:00


HAProxy reports:

A vulnerability was found when HTTP pipelining is used. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session. I want to address sincere congratulations to Charlie Smurthwaite of aTech Media for the really detailed traces he provided which made it possible to find the cause of this bug. Every user of 1.5-dev, 1.5.x or 1.6-dev must upgrade to 1.5.14 or latest 1.6-dev snapshot to fix this issue, or use the backport of the fix provided by their operating system vendors. CVE-2015-3281 was assigned to this bug.