Bug 13532

Summary: [CVE 21] haproxy 2.6.6 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
       y.tumanov: secteam_verified+
       a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2023-0836, CVE-2023-25725, CVE-2023-25950, CVE-2023-40225
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-24 00:20:11 MSK
Please patch CVEs for package haproxy version 2.6.6

INFO (CVEs are): haproxy 2.6.6 CVEs found
CVE-2023-0836
Desc: An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0836
Severity: HIGH
CVE-2023-25725
Desc: HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-25725
Severity: CRITICAL
CVE-2023-25950
Desc: HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-25950
Severity: HIGH
CVE-2023-40225
Desc: HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-40225
Severity: HIGH
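Editor's note: the script below is an added lab check for the four CVEs in this report; it is not part of the bug, of ROSA's packaging, or of HAProxy itself. It assumes a test setup where a HAProxy instance you control listens on a known host/port in front of a backend you can watch (an echo server is enough). The strict parser shows what a conforming HTTP/1.x front end must refuse for the CVE-2023-25725 (empty header field-name) and CVE-2023-40225 (empty Content-Length) shapes, the two probe builders produce those malformed requests as raw bytes, and unfixed_cves() maps a 2.6.x version string onto the affected ranges quoted above. Host names, the X-Canary header, the /smuggled path and the timeouts are assumptions for the example.

```python
"""Lab checks for the four HAProxy CVEs listed in this bug.

Added example for this page; it is not ROSA's or HAProxy's code. It
assumes a test setup in which HAProxy listens on a host/port you control
and fronts a backend you can watch. Probes are sent with a raw socket so
that no HTTP client library normalises the malformed headers before
they reach the proxy.
"""
import re
import socket

# RFC 9110 tchar: the only characters allowed in a header field-name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(ValueError):
    """Raised for requests a strict HTTP/1.x parser must refuse."""


def strict_parse(raw: bytes) -> dict:
    """Parse an HTTP/1.x request strictly, refusing the two malformed
    shapes behind CVE-2023-25725 and CVE-2023-40225."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise BadRequest("malformed request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # CVE-2023-25725: an empty field-name must be an error, not a
        # terminator that silently drops the headers that follow it.
        if not colon or not TOKEN.match(name):
            raise BadRequest("empty or invalid field-name in %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    lengths = {v for n, v in headers if n == b"content-length"}
    if len(lengths) > 1:
        raise BadRequest("conflicting Content-Length values")
    for v in lengths:
        # CVE-2023-40225: Content-Length must be 1*DIGIT; an empty value
        # is rejected here rather than forwarded for the backend to guess.
        if not v.isdigit():
            raise BadRequest("invalid Content-Length: %r" % v)
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def rejects(raw: bytes) -> bool:
    """True if strict_parse refuses the request."""
    try:
        strict_parse(raw)
    except BadRequest:
        return True
    return False


def empty_name_probe(host: bytes) -> bytes:
    """CVE-2023-25725 probe (constructed): an empty field-name followed
    by a canary header. Check whether X-Canary reaches the backend and
    whether the proxy answers 400 as a fixed release should."""
    return (b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n"
            b": ignored\r\nX-Canary: 1\r\n\r\n")


def empty_content_length_probe(host: bytes) -> bytes:
    """CVE-2023-40225 probe (constructed): an empty Content-Length
    followed by bytes a lenient backend might read as a second request."""
    return (b"POST / HTTP/1.1\r\nHost: " + host + b"\r\n"
            b"Content-Length: \r\n\r\n"
            b"GET /smuggled HTTP/1.1\r\nHost: " + host + b"\r\n\r\n")


def send_raw(host: str, port: int, payload: bytes, timeout: float = 3.0) -> bytes:
    """Deliver a probe verbatim and collect the reply (lab use only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# 2.6-branch affected ranges [first_affected, fixed), taken from the
# CVE descriptions in this bug.
AFFECTED_2_6 = {
    "CVE-2023-0836":  ((2, 6, 0), (2, 6, 8)),
    "CVE-2023-25950": ((2, 6, 1), (2, 6, 8)),
    "CVE-2023-25725": ((2, 6, 0), (2, 6, 9)),
    "CVE-2023-40225": ((2, 6, 0), (2, 6, 15)),
}


def unfixed_cves(version: str) -> set:
    """CVEs from this bug still open in a 2.6.x release; accepts a bare
    version such as "2.6.6" or the first line of `haproxy -v`."""
    m = re.search(r"\b2\.6\.(\d+)", version)
    if not m:
        raise ValueError("not a 2.6.x version string: %r" % version)
    v = (2, 6, int(m.group(1)))
    return {cve for cve, (lo, hi) in AFFECTED_2_6.items() if lo <= v < hi}


if __name__ == "__main__":
    # Offline run on the constructed probes; point send_raw at a lab
    # HAProxy (e.g. send_raw("127.0.0.1", 8080, empty_name_probe(b"lab")))
    # to exercise the proxy itself.
    print(sorted(unfixed_cves("2.6.6")), sorted(unfixed_cves("2.6.15")))
    print(rejects(empty_name_probe(b"lab")), rejects(empty_content_length_probe(b"lab")))
```

Usage in a lab: run unfixed_cves() on the output of `haproxy -v` first; for a release that should be fixed, send both probes with send_raw() and confirm the status line of the reply is a 400 and that nothing after the malformed header line reaches the backend. The strict parser is a reference for what the proxy should do, not a model of HAProxy's internals.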
Comment 1 ilfat 2023-09-06 13:50:33 MSK
********** QA ADVISORY **********

CVEs closed by project update:

Updated to 2.6.15

https://abf.rosalinux.ru/build_lists/4681035 aarch64
https://abf.rosalinux.ru/build_lists/4681034 x86_64
https://abf.rosalinux.ru/build_lists/4681033 i686
https://abf.rosalinux.ru/build_lists/4681037 e2kv4
https://abf.rosalinux.ru/build_lists/4681036 riscv64
Comment 2 Dmitry Postnikov 2023-09-07 12:53:30 MSK
***************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-09-12 08:48:46 MSK
haproxy-2.6.15-1
https://abf.rosalinux.ru/build_lists/4681035 aarch64
https://abf.rosalinux.ru/build_lists/4681034 x86_64
https://abf.rosalinux.ru/build_lists/4681033 i686
https://abf.rosalinux.ru/build_lists/4681037 e2kv4
https://abf.rosalinux.ru/build_lists/4681036 riscv64
************************* Advisory ************************
CVEs closed by project update:
***********************************************************
QA Verified
Comment 4 Yury 2023-10-19 11:24:34 MSK
secteam_verified