
Bug#1059427: bullseye-pu: package haproxy/2.2.9-2+deb11u6



Hi,

On Mon, Dec 25, 2023 at 10:35:16AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: haproxy@packages.debian.org, team@security.debian.org
> Control: affects -1 + src:haproxy
> 
> Hi,
> 
> For ELTS I was fixing haproxy's CVEs CVE-2023-40225 and CVE-2023-45539,
> and I would also like to fix those for stable and oldstable.
> 
> CC'ing the security team, in case they want to issue a DSA instead.
> 
> The changes can also be found on the LTS repository:
> https://salsa.debian.org/lts-team/packages/haproxy
> 
> [ Tests ]
> I've tested the fixes manually, using netcat to inject
> problematic HTTP requests and confirm that the patched
> version rejects the malicious requests (using nginx and
> also netcat as HTTP server).
> 
> (Being verbose here to document the tests for later reference ;-))
> 
> haproxy is listening on port 8080
> 
> e.g. for CVE-2023-40225:
> echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080
> must be rejected with 400 Bad Request
> and without the "#" accepted.
> 
> for CVE-2023-45539, nginx is stopped, and netcat listens on port 80:
> echo 'GET / HTTP/1.1
> host: whatever
> content-length:
> ' | netcat localhost 8080
> 
> If the request is accepted (and forwarded to the listening netcat),
> haproxy is vulnerable. If a "400 Bad request" is thrown, without
> netcat receiving anything, haproxy is not vulnerable.
> 
> (haproxy is running on port 8080)
> 
> [ Risks ]
> Upstream patch, applied cleanly.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> Debdiff attached.
> 
> I've uploaded the package to o-s-p-u already.

Thanks, but I have already worked on the haproxy update for bullseye
and bookworm.

SRM, can you please reject the packages from stable-new and
oldstable-new so that once I release the DSA, that version won't clash
version-wise?

Regards,
Salvatore

