[SECURITY] [DLA 3688-1] haproxy security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3688-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
December 14, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : haproxy
Version        : 1.8.19-1+deb10u5
CVE ID         : CVE-2023-45539

It was discovered that there was a potential information disclosure
vulnerability in HAProxy, a reverse proxy server used to load balance
HTTP requests across multiple servers.

HAProxy formerly accepted the "#" (i.e. the "pound" or "hash") symbol
as part of a URI component. This might have allowed remote attackers
to obtain sensitive information upon HAProxy's misinterpretation of a
"path_end" rule, such as by routing "index.html#.png" to a static
server.
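
The mismatch described above, as an added example that is not part of the advisory or of HAProxy's code: it models a suffix rule applied to the path with "#" kept, compares it with the path once everything from "#" on is dropped, and flags logged request lines where the two disagree. The suffix list, the function names, the sample lines and the assumption that the server behind the proxy drops the "#" part are all constructed for illustration.

```python
# Added illustration: not HAProxy code. Names and samples are hypothetical.

# Assumed "path_end"-style rule: these suffixes go to the static server.
STATIC_SUFFIXES = (".png", ".jpg", ".css", ".js")


def proxy_path(target):
    """Path as a proxy that accepts '#' sees it: only the query is cut."""
    return target.split("?", 1)[0]


def origin_path(target):
    """Path once everything from '#' on is dropped (assumed server behaviour)."""
    return target.split("#", 1)[0].split("?", 1)[0]


def routes_static(path):
    """Suffix match in the style of a path_end rule."""
    return path.endswith(STATIC_SUFFIXES)


def audit(request_lines):
    """Return (target, mismatch) for every request target containing '#'.

    mismatch is True when the suffix rule gives a different answer for the
    proxy's view of the path than for the fragment-stripped view.
    """
    findings = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) != 3:          # not "METHOD target VERSION": skip
            continue
        target = parts[1]
        if "#" not in target:
            continue
        mismatch = routes_static(proxy_path(target)) != routes_static(
            origin_path(target))
        findings.append((target, mismatch))
    return findings


# Constructed request lines, as they might appear in an access log.
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "GET /index.html#.png HTTP/1.1",
    "GET /docs/page.html#intro HTTP/1.1",
    "GET /img/logo.png HTTP/1.1",
    "GET /truncated",
]

if __name__ == "__main__":
    for target, mismatch in audit(SAMPLE):
        print(("MISMATCH " if mismatch else "hash-only ") + target)
```
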

For Debian 10 buster, this problem has been fixed in version
1.8.19-1+deb10u5.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
