ELA-626-1 haproxy security update
Package haproxy
Version 1.5.8-3+deb8u3
Related CVEs CVE-2019-18277
Nathan Davison discovered that HAProxy, a load balancing reverse proxy, did not correctly reject requests or responses featuring a Transfer-Encoding header missing the “chunked” value, which could facilitate an HTTP request smuggling attack.
Furthermore, two issues have been addressed which never received a final CVE. There was a risk of reading past the end of a buffer in src/proto_http.c. This could lead to a denial of service (segmentation fault and application crash).
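The Transfer-Encoding rule described above, as an added example that is not HAProxy's code and not part of the advisory: a strict check, following RFC 7230 section 3.3.3, that the final transfer coding of a request is chunked. The function names, the accept/reject labels and the sample requests are constructed for illustration.

```python
def transfer_codings(head: bytes):
    """Return the listed transfer codings in order, or None if the header is absent."""
    codings = None
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:  # blank line ends the header section
            break
        name, sep, value = line.partition(b":")
        # Tolerate padding around the name so an oddly spaced header is still inspected.
        if not sep or name.strip(b" \t").lower() != b"transfer-encoding":
            continue
        codings = [] if codings is None else codings
        for token in value.decode("latin-1").split(","):
            # Trim only SP/HTAB; any other byte stays in the token and will not equal "chunked".
            token = token.strip(" \t")
            if token:
                codings.append(token.lower())
    return codings


def check_request(head: bytes) -> str:
    """Apply the rule: if Transfer-Encoding is present, chunked must be the final coding."""
    codings = transfer_codings(head)
    if codings is None:
        return "accept"  # no Transfer-Encoding header, the rule does not apply
    if codings and codings[-1] == "chunked":
        return "accept"
    return "reject"  # body length is ambiguous: answer 400 and close the connection


def build_head(*headers: bytes) -> bytes:
    """Build a constructed request head for the samples below."""
    return b"\r\n".join((b"POST /upload HTTP/1.1", b"Host: example.test") + headers) + b"\r\n\r\n"


# Constructed sample requests (not taken from the advisory).
SAMPLES = {
    "plain": build_head(),
    "chunked": build_head(b"Transfer-Encoding: chunked"),
    "gzip_then_chunked": build_head(b"Transfer-Encoding: gzip, Chunked"),
    "no_chunked": build_head(b"Transfer-Encoding: gzip"),
    "chunked_not_last": build_head(b"Transfer-Encoding: chunked, gzip"),
    "split_across_lines": build_head(b"Transfer-Encoding: chunked", b"Transfer-Encoding: gzip"),
    "empty_value": build_head(b"Transfer-Encoding:"),
}


def classify_samples() -> dict:
    return {label: check_request(head) for label, head in SAMPLES.items()}
```

Calling `classify_samples()` returns the verdict for each constructed request; the check covers only the chunked-must-be-last rule, not full header validation.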
For Debian 8 jessie, these problems have been fixed in version 1.5.8-3+deb8u3.
We recommend that you upgrade your haproxy packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A haproxy security update has been released for Debian GNU/Linux 8 Extended LTS to address a denial of service issue.