
Re: About haproxy and CVE-2019-14241



	Hi.

On Wed, Jul 24, 2019 at 10:05:49AM +0200, Martin wrote:
> I've received an advisory issued by one of my client's CERT. It is about haproxy and CVE-2019-14241:
> 
> "HAProxy contains a flaw in the htx_manage_client_side_cookies() function in proto_htx.c that is triggered when handling certain threads. This may allow a remote attacker to cause a denial of service."
> 
> At MITRE, this CVE exists, but I did not get any about it from the DSA or oss-security list. Does one of you know more about this?

[1] lists CVE-2019-14241 as "resolved".
Presumably there was no DSA because Debian haproxy is not affected by
this issue.

As for the oss-security - reporting vulnerabilities there is merely a
courtesy. Reporting a vulnerability to the upstream - that's a must.

Reco

[1] https://security-tracker.debian.org/tracker/source-package/haproxy

