[Debian] CVE: CVE-2023-25725: haproxy : may allow a bypass of access control

Bug #2009334 reported by Yue Tao

Affects     Status         Importance   Assigned to     Milestone
StarlingX   Fix Released   High         Zhixiong Chi    (none)

Bug Description

CVE-2023-25725: https://nvd.nist.gov/vuln/detail/CVE-2023-25725

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
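As an added illustration (not code from HAProxy or from the StarlingX change), the following Python parser shows the strict behaviour the description implies: an HTTP/1 header block containing an empty field name is rejected outright instead of being silently truncated, so no header after the bad line can vanish from later access-control evaluation. The header blocks in the test are constructed samples.

```python
import re

# RFC 9110: a field-name is 1*tchar; an empty name is never valid.
TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    """Raised when a header block must be refused rather than parsed."""


def parse_http1_headers(block: bytes) -> dict:
    """Strictly parse an HTTP/1.x header section (bytes after the request line).

    A lenient parser that simply stops at an empty or invalid field name loses
    every header that follows it; this one fails closed on the first bad line.
    Returns a dict of lower-cased name -> list of values (headers may repeat).
    """
    headers: dict = {}
    for raw in block.split(b"\r\n"):
        if raw == b"":
            break  # empty line terminates the header section
        name, sep, value = raw.partition(b":")
        if not sep:
            raise MalformedHeader(f"header line without ':' separator: {raw!r}")
        if name == b"":
            raise MalformedHeader("empty header field name")
        # Also rejects obsolete line folding (leading SP/HTAB) and any
        # non-token byte such as whitespace before the colon.
        if not TCHAR_RE.match(name.decode("ascii", "replace")):
            raise MalformedHeader(f"invalid characters in field name: {name!r}")
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def header_block_is_sane(block: bytes) -> bool:
    """Convenience predicate for a request-validation or log-replay check."""
    try:
        parse_http1_headers(block)
        return True
    except MalformedHeader:
        return False
```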

Score:
cve_id           status   cvss3Score   av   ac   pr   ui   ai
CVE-2023-25725   fixed    9.1          N    L    N    N    H

References:
haproxy_2.2.9-2+deb11u4

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
importance: Undecided → High
status: New → Confirmed
status: Confirmed → Triaged
tags: added: stx.9.0 stx.security
Yue Tao (wrytao)
Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/876989
Committed: https://opendev.org/starlingx/integ/commit/46e734ac4edc3a76868bdaa9b13d7c3001dafdac
Submitter: "Zuul (22348)"
Branch: master

commit 46e734ac4edc3a76868bdaa9b13d7c3001dafdac
Author: Zhixiong Chi <email address hidden>
Date: Thu Mar 9 10:02:42 2023 -0500

    Debian: haproxy: CVE-2023-0056,CVE-2023-25725

    Upgrade haproxy from "2.2.9-2+deb11u3" to "2.2.9-2+deb11u4" to
    fix below CVEs:
    CVE-2023-0056
    CVE-2023-25725

    Refer to:
    https://www.debian.org/security/2023/dsa-5348
    https://security-tracker.debian.org/tracker/DSA-5348-1

    Test Plan:
    PASS: $downloader
    PASS: $build-pkgs --clean --parallel 10
    PASS: $build-image
    PASS: Jenkins Installation
    PASS: Validation that the package version has been upgraded.

    Closes-Bug: 2009334

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: Ibe076cb75deaa212fb954aa880324220165a5523

Changed in starlingx:
status: In Progress → Fix Released