| Name | CVE-2019-19330 |
| Description | The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4577-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| haproxy (PTS) | jessie, jessie (lts) | 1.5.8-3+deb8u4 | fixed |
| stretch (security) | 1.7.5-2+deb9u1 | fixed | |
| stretch (lts), stretch | 1.7.5-2+deb9u2 | fixed | |
| buster (security), buster, buster (lts) | 1.8.19-1+deb10u5 | fixed | |
| bullseye (security), bullseye | 2.2.9-2+deb11u6 | fixed | |
| bookworm (security), bookworm | 2.6.12-1+deb12u1 | fixed | |
| sid, trixie | 2.9.12-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| haproxy | source | jessie | (not affected) | |||
| haproxy | source | stretch | (not affected) | |||
| haproxy | source | buster | 1.8.19-1+deb10u1 | DSA-4577-1 | ||
| haproxy | source | (unstable) | 2.0.10-1 |
[stretch] - haproxy <not-affected> (Vulnerable code introduced in 1.8)
[jessie] - haproxy <not-affected> (Vulnerable code introduced in 1.8)
https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878