haproxy-2.4.22-3.el9_3

Errata ID: AXSA:2024-7579:01

Release date: 
Friday, March 8, 2024 - 13:45
Subject: 
haproxy-2.4.22-3.el9_3
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.

Security Fix(es):

* haproxy: Proxy forwards malformed empty Content-Length headers (CVE-2023-40225)
* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-40225
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
CVE-2023-45539
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
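
The following check is an added example, not part of the advisory or of HAProxy's code. It audits a raw HTTP/1.x request head for the two conditions described above: a Content-Length value that is not 1*DIGIT, and a "#" in the request target that makes a suffix-based routing rule disagree with a server that drops the fragment. The function names, finding labels, suffix list and sample requests are assumptions constructed for illustration.

```python
import re

# RFC 9110 section 8.6 grammar: Content-Length = 1*DIGIT, so an empty value is invalid.
CONTENT_LENGTH = re.compile(rb"[0-9]+")

# Constructed request heads for illustration (not captured traffic).
SAMPLES = {
    "normal": b"GET /img/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "fragment": b"GET /index.html#.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "empty_cl": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: \r\n\r\nabc",
}


def suffix_rule_mismatch(target, suffix):
    """True when a suffix rule matches the raw target but not the path a
    fragment-dropping server would resolve (the CVE-2023-45539 pattern)."""
    resolved = target.split(b"#", 1)[0]
    return target.endswith(suffix) and not resolved.endswith(suffix)


def audit_request(raw, static_suffixes=(b".png", b".css", b".js")):
    """Return a list of findings for one HTTP/1.x request head.
    static_suffixes is a hypothetical stand-in for a site's path_end rules."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *headers = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    target = parts[1]
    findings = []
    if b"#" in target:
        findings.append("fragment-in-target")
        if any(suffix_rule_mismatch(target, s) for s in static_suffixes):
            findings.append("suffix-routing-mismatch")
    for line in headers:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("malformed-header")
        elif name.strip().lower() == b"content-length":
            # Anything other than one or more digits, including empty, is flagged.
            if not CONTENT_LENGTH.fullmatch(value.strip()):
                findings.append("invalid-content-length")
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_request(raw))
```
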

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. haproxy-2.4.22-3.el9_3.src.rpm
    MD5: cf88cb484b211a582c989daf5c6d5dd2
    SHA-256: bef4a0c9148c429f013fbb68f27a74a08960e2965396430d37d035b5db677396
    Size: 3.51 MB

Asianux Server 9 for x86_64
  1. haproxy-2.4.22-3.el9_3.x86_64.rpm
    MD5: 8e41d72815aff991a7c18291326e6175
    SHA-256: f0d2e44a5a0b27b04413c804467cff3fa8ad14a98985b22e77c14151c40adfd4
    Size: 2.18 MB