ELA-626-1 haproxy security update

HTTP request smuggling

2022-06-15
Package: haproxy
Version: 1.5.8-3+deb8u3
Related CVEs: CVE-2019-18277

Nathan Davison discovered that HAProxy, a load balancing reverse proxy, did not correctly reject requests or responses featuring a transfer-encoding header missing the “chunked” value, which could facilitate an HTTP request smuggling attack.
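As an added illustration (this is not HAProxy's code), the following Python applies the strict framing rule from RFC 7230 section 3.3.3 that the advisory describes HAProxy as having lacked: a request whose Transfer-Encoding header does not end in "chunked" is rejected rather than forwarded, as is one carrying both Transfer-Encoding and Content-Length. The request heads it parses are constructed samples; the function and header names are the example's own.

```python
# Added example, not HAProxy's code: a strict RFC 7230 section 3.3.3 framing check
# that rejects a Transfer-Encoding header whose final coding is not "chunked".
from typing import List, Tuple

# Constructed sample request head with the header shape the advisory describes.
SAMPLE = b"POST / HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: gzip\r\n\r\n"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (name, value) pairs with lower-cased names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return headers


def framing_decision(headers: List[Tuple[str, str]]) -> str:
    """Return how the body is delimited; raise ValueError if framing is ambiguous."""
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]
    if te_values:
        # Section 3.3.3 rule 3: the final transfer coding must be chunked, otherwise
        # the body length cannot be determined and the message must be rejected.
        codings = [c.strip().lower() for v in te_values
                   for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            raise ValueError("Transfer-Encoding without final chunked coding")
        if cl_values:
            # Both headers together is the classic desync input; reject, do not prefer one.
            raise ValueError("both Transfer-Encoding and Content-Length present")
        return "chunked"
    if cl_values:
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            raise ValueError("invalid or conflicting Content-Length")
        return "content-length"
    return "none"


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, framing-or-reason) for a raw request head."""
    try:
        return True, framing_decision(parse_headers(raw))
    except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
        return False, str(exc)
```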

Furthermore, two issues have been addressed that never received a final CVE. There was a risk of reading past the end of a buffer in src/proto_http.c, which could lead to a denial of service (segmentation fault and application crash).

For Debian 8 jessie, these problems have been fixed in version 1.5.8-3+deb8u3.

We recommend that you upgrade your haproxy packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/