Debian 10163 Published by

Updated putty and haproxy packages are available for Debian GN/Linux:

[DSA 5588-1] putty security update
ELA-1024-1 haproxy security update




[DSA 5588-1] putty security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5588-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 24, 2023 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : putty
CVE ID : CVE-2021-36367 CVE-2023-48795
Debian Bug : 990901

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the
SSH protocol is prone to a prefix truncation attack, known as the
"Terrapin attack". This attack allows a MITM attacker to effect a
limited break of the integrity of the early encrypted SSH transport
protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages
immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed
in version 0.74-1+deb11u1. This update includes a fix for CVE-2021-36367.

For the stable distribution (bookworm), these problems have been fixed in
version 0.78-2+deb12u1.

We recommend that you upgrade your putty packages.

For the detailed security status of putty please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/putty

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1024-1 haproxy security update

Package : haproxy
Version : 1.5.8-3+deb8u4 (jessie), 1.7.5-2+deb9u2 (stretch)

Related CVEs :
CVE-2023-45539

It was discovered that there was a potential information disclosure vulnerability in HAProxy, a reverse proxy server used to load balance HTTP requests across multiple servers.
HAProxy formerly accepted the # (ie. the “pound” or “hash”) symbol as part of a URI component. This might have allowed remote attackers to obtain sensitive information upon HAProxy’s misinterpretation of a path_end rule, such as by routing index.html#.png to a static server.
CVE-2023-45539
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

ELA-1024-1 haproxy security update