[Debian] High CVE: CVE-2023-40225/CVE-2023-45539 haproxy : multiple CVEs

Bug #2047674 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Zhixiong Chi
Milestone: (none)

Bug Description

CVE-2023-40225: https://nvd.nist.gov/vuln/detail/CVE-2023-40225

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-45539: https://nvd.nist.gov/vuln/detail/CVE-2023-45539

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

Base Score: High
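Both CVEs above are shapes of malformed HTTP/1 request that a front end must reject rather than forward: an empty Content-Length value (RFC 9110 section 8.6 defines the field as 1*DIGIT) and a '#' inside the request-target (a fragment is never sent to the server, so its presence means the path was not normalised and a suffix rule such as path_end can be misled). The following is an added example, not HAProxy's code and not from the StarlingX patch, showing those two checks on constructed sample requests; the function names check_request, naive_path_end and strict_path_end are hypothetical.

```python
"""Added example (not HAProxy code): reject the two malformed-request shapes
described by CVE-2023-40225 and CVE-2023-45539 at an HTTP/1 front end."""
import re
from typing import List

# RFC 9110 s8.6: Content-Length = 1*DIGIT, so an empty value is invalid.
CONTENT_LENGTH_RE = re.compile(rb"^[0-9]+$")


def check_request(raw: bytes) -> List[str]:
    """Return the reasons a request head must be rejected (empty list = ok).

    Only the request line and header block are inspected; the body is ignored.
    """
    problems: List[str] = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    _method, target, _version = parts

    # CVE-2023-45539 class: '#' cannot legitimately appear in a request-target
    # (RFC 3986 s3.5 keeps fragments client-side), so reject instead of routing.
    if b"#" in target:
        problems.append("request-target contains '#'")

    cl_values = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"header without colon: {line!r}")
            continue
        if name.strip().lower() == b"content-length":
            cl_values.append(value.strip())

    # CVE-2023-40225 class: an empty or non-numeric value must never be
    # forwarded, because the backend may frame the body differently.
    for v in cl_values:
        if not CONTENT_LENGTH_RE.match(v):
            problems.append(f"invalid Content-Length value {v!r}")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    return problems


def naive_path_end(target: bytes, suffix: bytes) -> bool:
    """Suffix match on the raw request-target: the kind of rule that is
    fooled by a target such as /index.html#.png."""
    return target.endswith(suffix)


def strict_path_end(target: bytes, suffix: bytes) -> bool:
    """Suffix match on the path only, after refusing any target carrying '#'."""
    path = target.split(b"?", 1)[0]
    if b"#" in path:
        return False
    return path.endswith(suffix)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "empty_cl": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: \r\n\r\n",
    "hash_target": b"GET /index.html#.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request(raw) or "ok")
    print("naive:", naive_path_end(b"/index.html#.png", b".png"))
    print("strict:", strict_path_end(b"/index.html#.png", b".png"))
```

The two path_end variants show why the '#' case matters for routing: the naive suffix match classifies /index.html#.png as a .png and would send it to a static server, while the strict variant refuses to decide on a target that could not have come from a conforming client.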

Reference:

haproxy_2.2.9-2+deb11u6
https://security-tracker.debian.org/tracker/DSA-5590-1

Changed in starlingx:
status: Triaged → In Progress
assignee: nobody → Zhixiong Chi (zhixiongchi)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/904482

OpenStack Infra (hudson-openstack) wrote: Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/904482
Committed: https://opendev.org/starlingx/integ/commit/eb9852003a751b530ce811ff5503fac3af3f6641
Submitter: "Zuul (22348)"
Branch: master

commit eb9852003a751b530ce811ff5503fac3af3f6641
Author: Zhixiong Chi <email address hidden>
Date: Tue Jan 2 01:01:45 2024 -0800

    haproxy: Upgrade to 2.2.9-2+deb11u6

    Upgrade haproxy to 2.2.9-2+deb11u6 to fix the CVE issues
    CVE-2023-40225/CVE-2023-45539.

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5590-1
    https://nvd.nist.gov/vuln/detail/CVE-2023-40225
    https://nvd.nist.gov/vuln/detail/CVE-2023-45539

    Test Plan:
    PASS: $downloader
    PASS: $build-pkgs --clean --parallel 10
    PASS: $build-image
    PASS: Jenkins Installation
    PASS: dpkg -l |grep haproxy
    ii haproxy 2.2.9-2+deb11u6.stx.4

    Closes-Bug: 2047674

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: Ifeb5326d24fe2d2b655c9a87994401c8f1b7b05f

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information: everyone can see this security related information.
