CVE-2023-0836

Name	CVE-2023-0836
Description	An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5388-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
haproxy (PTS)	jessie, jessie (lts)	1.5.8-3+deb8u4	fixed
	stretch (security)	1.7.5-2+deb9u1	fixed
	stretch (lts), stretch	1.7.5-2+deb9u2	fixed
	buster (security), buster, buster (lts)	1.8.19-1+deb10u5	fixed
	bullseye (security), bullseye	2.2.9-2+deb11u6	fixed
	bookworm (security), bookworm	2.6.12-1+deb12u1	fixed
	sid, trixie	2.9.11-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
haproxy	source	jessie	(not affected)
haproxy	source	stretch	(not affected)
haproxy	source	buster	(not affected)
haproxy	source	bullseye	2.2.9-2+deb11u5	DSA-5388-1
haproxy	source	(unstable)	2.6.8-1

Notes

[buster] - haproxy <not-affected> (Vulnerable code introduced later)
https://git.haproxy.org/?p=haproxy.git;a=commit;h=2e6bf0a2722866ae0128a4392fa2375bd1f03ff8
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=f988992d16f45ef03d5bbb024a1042ed8123e4c5 (v2.6.8)
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=18575ba4e5057afdb80cc06135272889ae1fa2d1 (v2.2.27)
Introduced by: https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=63bbf284a131de362ad5b60d64ff3b1eff830553 (v2.1-dev2)
[stretch] - haproxy <not-affected> (Vulnerable code introduced later)
[jessie] - haproxy <not-affected> (Vulnerable code introduced later)