Bug#1059427: bullseye-pu: package haproxy/2.2.9-2+deb11u6
Hi,
On Mon, Dec 25, 2023 at 10:35:16AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: haproxy@packages.debian.org, team@security.debian.org
> Control: affects -1 + src:haproxy
>
> Hi,
>
> For ELTS I was fixing haproxy's CVEs CVE-2023-40225 and CVE-2023-45539,
> and I would also like to fix those for stable and oldstable.
>
> CC'ing the security team, in case they want to issue a DSA instead.
>
> The changes can also be found on the LTS repository:
> https://salsa.debian.org/lts-team/packages/haproxy
>
> [ Tests ]
> I've tested the fixes manually, using netcat to inject
> problematic http requests and confirm that the patched
> version rejects the malicious requests. (using nginx and
> also netcat as http server.)
>
> (Being verbose here to document the tests for later reference ;-))
>
> haproxy is listening on port 8080
>
> e.g. for CVE-2023-40225:
> echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080
> must be rejected with 400 Bad Request
> and without the "#" accepted.
>
> for CVE-2023-45539, nginx is stopped, and netcat listens on port 80:
> echo 'GET / HTTP/.1.1
> host: whatever
> content-length:
> ' | netcat localhost 8080
>
> If the request is accepted (and forwarded to the listening netcat),
> haproxy is vulnerable. If a "400 Bad request" is thrown, without
> netcat receiving something, haproxy is not vulnerable.
>
> (haproxy is running on port 8080)
>
> [ Risks ]
> Upstream patch, applied cleanly.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> Debdiff attached.
>
> I've uploaded the package to o-s-p-u already.
Thanks, but I have already worked on the haproxy update for bullseye
and bookworm.
SRM, can you please reject the packages from stable-new and
oldstable-new so once I release the DSA, that version won't clash
versionwise?
Regards,
Salvatore
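The two checks exercised by the probe requests in the quoted report, as an added stand-alone example that is not code from the bug report or from haproxy: a small validator that flags a request a hardened HTTP/1.x front end must answer with 400 Bad Request instead of forwarding. The sample requests are constructed to match the ones quoted above, and the logic is a simplified illustration of the two conditions, not haproxy's parser.

```python
import re

# Probe requests modelled on the ones in the report (constructed samples, CRLF
# line endings; the bare LF that `echo` produces is accepted as well).
FRAGMENT_REQUEST = b"GET /index.nginx-debian.html# HTTP/1.0\r\n\r\n"
CLEAN_REQUEST = b"GET /index.nginx-debian.html HTTP/1.0\r\n\r\n"
EMPTY_CL_REQUEST = b"GET / HTTP/1.1\r\nhost: whatever\r\ncontent-length:\r\n\r\n"
GOOD_CL_REQUEST = b"GET / HTTP/1.1\r\nhost: whatever\r\ncontent-length: 0\r\n\r\n"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def check_request(raw: bytes) -> list:
    """Return the reasons a hardened front end should answer 400 Bad Request.

    An empty list means the request passes both checks. Simplified illustration
    of the two conditions tested in the report, not haproxy's own parser.
    """
    reasons = []
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    target = m.group(2)
    # Check 1 (the '#' test): a fragment is never sent on the wire, so '#' in
    # the request target is invalid. Forwarding it unchanged would let the
    # backend see a path that path-based ACLs on the proxy did not evaluate.
    if b"#" in target:
        reasons.append("'#' in request target")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            reasons.append("header line without ':'")
            continue
        if name.strip().lower() == b"content-length":
            # Check 2 (the empty Content-Length test): an empty value must be
            # rejected, not ignored or read as 0, otherwise proxy and backend
            # may disagree on where the body ends (request smuggling).
            if not value.strip().isdigit():
                reasons.append("empty or non-numeric Content-Length")
    return reasons


def should_reject(raw: bytes) -> bool:
    """True when the request must get a 400 and must not reach the backend."""
    return bool(check_request(raw))
```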