
A haproxy security update has been released for Debian GNU/Linux 8 Extended LTS to address a denial of service issue.

ELA-626-1 haproxy security update

Package: haproxy
Version: 1.5.8-3+deb8u3
Related CVEs: CVE-2019-18277

Nathan Davison discovered that HAProxy, a load balancing reverse proxy, did not correctly reject requests or responses featuring a transfer-encoding header missing the “chunked” value, which could facilitate an HTTP request smuggling attack.
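The check the fix implements can be illustrated as a header validator: a message that carries a Transfer-Encoding header whose final coding is not "chunked" has no reliable message length, so a proxy should reject it rather than guess. The following is an added example written for this advisory, not HAProxy's own code; the header tuples and sample messages are constructed inputs.

```python
"""Transfer-Encoding validation in the spirit of the CVE-2019-18277 fix.

RFC 7230 section 3.3.3: when Transfer-Encoding is present, "chunked" must be
the final transfer coding, otherwise the message length cannot be determined
and a proxy and its backend may disagree about where the message ends.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (field-name, field-value), as parsed from a message


def parse_transfer_encodings(header_values: List[str]) -> List[str]:
    """Flatten one or more Transfer-Encoding field values into an ordered,
    lower-cased list of coding tokens. Empty list elements are dropped, as
    RFC 7230 section 7 permits them in comma-separated lists."""
    encodings: List[str] = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                encodings.append(token)
    return encodings


def check_transfer_encoding(headers: List[Header]) -> Optional[str]:
    """Return None if the message is acceptable, else the reason to reject it.

    Rejecting (rather than silently fixing) is the defensive choice for a
    proxy: a malformed framing header is the raw material of request smuggling.
    """
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if not te_values:
        return None  # no Transfer-Encoding: framing comes from Content-Length or EOF
    encodings = parse_transfer_encodings(te_values)
    if not encodings:
        return "Transfer-Encoding present but carries no coding"
    if encodings[-1] != "chunked":
        return "chunked is not the final transfer coding"
    if encodings.count("chunked") > 1:
        return "chunked applied more than once"
    # Stricter than the advisory text: RFC 7230 says Transfer-Encoding overrides
    # Content-Length and that a server MAY reject a message carrying both.
    if any(n.lower() == "content-length" for n, _ in headers):
        return "Transfer-Encoding and Content-Length both present"
    return None


if __name__ == "__main__":
    samples = [  # constructed header sets
        [("Host", "example.test"), ("Transfer-Encoding", "chunked")],
        [("Host", "example.test"), ("Transfer-Encoding", "gzip")],
        [("Host", "example.test"), ("Transfer-Encoding", "gzip"), ("Transfer-Encoding", "chunked")],
    ]
    for hdrs in samples:
        print(hdrs, "->", check_transfer_encoding(hdrs) or "accept")
```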

Furthermore, two issues have been addressed that never received a final CVE. There was a risk of reading past the end of a buffer in src/proto_http.c. This could lead to a denial of service (segmentation fault and application crash).

For Debian 8 jessie, these problems have been fixed in version 1.5.8-3+deb8u3.

We recommend that you upgrade your haproxy packages.

Further information about Extended LTS security advisories can be found at:
