Astra Linux - уязвимость в haproxy

A vulnerability related to information leaks was discovered in HAProxy versions 2.1, 2.2 before 2.2.27, 2.3, and 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, and 2.7 before 2.7.1. There are 5 bytes that are not initialized in the connection buffer when encoding the FCGIBEGINREQUEST...

Astra Linux - уязвимость в haproxy

A flaw was discovered in the way HAProxy processed HTTP responses containing the “Set-Cookie2” header. This flaw could allow an attacker to send crafted HTTP response packets, leading to an infinite loop and ultimately causing a denial-of-service condition. The most significant threat from this...

Astra Linux - уязвимость в haproxy

There is an integer overflow in HAProxy versions 2.0 to 2.5, specifically in the htxaddheader function, which can be exploited to perform an HTTP request smuggling attack. This allows an attacker to bypass all configured http-request HAProxy Access Control Lists and possibly other access control...

Astra Linux - уязвимость в haproxy

A vulnerability related to uncontrolled resource consumption was discovered in HAProxy, which could cause the service to crash. This issue could allow an authenticated remote attacker to run a specially crafted malicious server within an OpenShift cluster. The most significant impact is related t...

Astra Linux - уязвимость в haproxy

Before version 2.7.3, HAProxy might allow a bypass of access control mechanisms, as HTTP/1 headers were inadvertently lost in certain situations, also known as “request smuggling.” The HTTP header parsers in HAProxy might accept empty header field names, which could be used to omit the list of HT...

Astra Linux - уязвимость в haproxy

The vulnerability in the src/cfgparse.c component of the HAProxy server software is related to pointer dereferencing errors. Exploiting this vulnerability allows an attacker to cause service failures...

CLEANSTART-2026-AW97162 Security fixes for CVE-2025-61732, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33814, ghsa-mh2q-q3fh-2475 applied in versions: 0.15.1-r0, 0.15.4-r0, 0.15.4-r1

Multiple security vulnerabilities affect the haproxy-ingress package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-RK40393 Security fixes for CVE-2025-61732, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33814 applied in versions: 0.15.1-r0, 0.16.1-r0

Multiple security vulnerabilities affect the haproxy-ingress package. These issues are resolved in later releases. See references for individual vulnerability details...

MGASA-2026-0146 Updated haproxy packages fix security vulnerability

The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. CVE-2026-33555...

Updated haproxy packages fix security vulnerability

The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. CVE-2026-33555...

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...

SUSE CVE-2024-37082

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...

Unity Linux 20.1060e / 20.1070e Security Update: haproxy (UTSA-2026-017431)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017431 advisory. An integer overflow exists in HAProxy 2.0 through 2.5 in htxaddheader that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypa...

Unity Linux 20.1060e / 20.1070e Security Update: haproxy (UTSA-2026-017418)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017418 advisory. An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the...

Unity Linux 20.1060e / 20.1070e Security Update: haproxy (UTSA-2026-017416)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017416 advisory. An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host heade...

Unity Linux 20.1060e / 20.1070e Security Update: haproxy (UTSA-2026-017423)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017423 advisory. An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by...

CVE-2026-33555 affecting package haproxy for versions less than 2.9.11-5

CVE-2026-33555 affecting package haproxy for versions less than 2.9.11-5. A patched version of the package is available...

Unity Linux 20.1070e Security Update: haproxy (UTSA-2026-017372)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017372 advisory. A flaw was found in the way HAProxy processed HTTP responses containing the Set-Cookie2 header. This flaw could allow an attacker to send crafted HTTP response packe...

RHCOS 4 : OpenShift Container Platform 4.6.53 (RHSA-2022:0024)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:0024 advisory. - haproxy: an HTTP method name may contain a space followed by the name of a protected resource CVE-2021-39241 - haproxy: request...

RHCOS : OpenShift Container Platform 4.8.25 (RHSA-2021:5208)

The remote Red Hat Enterprise Linux CoreOS host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5208 advisory. - haproxy: does not ensure that the scheme and path portions of a URI have the expected characters CVE-2021-39240 - haproxy: an HTTP...