haproxy: CVE-2016-5360: remote denial of service via reqdeny


Debian Bug report logs - #826869


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 9 Jun 2016 16:27:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version haproxy/1.6.0+ds1-1

Fixed in version haproxy/1.6.5-2

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HAProxy Maintainers <pkg-haproxy-maintainers@lists.alioth.debian.org>:
Bug#826869; Package src:haproxy. (Thu, 09 Jun 2016 16:27:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HAProxy Maintainers <pkg-haproxy-maintainers@lists.alioth.debian.org>. (Thu, 09 Jun 2016 16:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: haproxy: CVE-2016-5360: remote denial of service via reqdeny
Date: Thu, 09 Jun 2016 18:23:34 +0200
Source: haproxy
Version: 1.6.0+ds1-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for haproxy.

CVE-2016-5360[0]:
remote denial of service via reqdeny

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5360
[1] http://www.openwall.com/lists/oss-security/2016/06/09/5
[2] http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
[3] http://www.openwall.com/lists/oss-security/2016/06/09/6

Regards,
Salvatore



Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sat, 11 Jun 2016 22:27:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 11 Jun 2016 22:27:12 GMT)


Message #10 received at 826869-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 826869-close@bugs.debian.org
Subject: Bug#826869: fixed in haproxy 1.6.5-2
Date: Sat, 11 Jun 2016 22:24:41 +0000
Source: haproxy
Source-Version: 1.6.5-2

We believe that the bug you reported is fixed in the latest version of
haproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 826869@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated haproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 11 Jun 2016 22:23:50 +0200
Source: haproxy
Binary: haproxy haproxy-doc vim-haproxy
Architecture: source amd64 all
Version: 1.6.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian HAProxy Maintainers <pkg-haproxy-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
 haproxy    - fast and reliable load balancing reverse proxy
 haproxy-doc - fast and reliable load balancing reverse proxy (HTML documentatio
 vim-haproxy - syntax highlighting for HAProxy configuration files
Closes: 826869
Changes:
 haproxy (1.6.5-2) unstable; urgency=high
 .
   * Add a patch to fix CVE-2016-5360. Closes: #826869.
     + BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 17 Aug 2016 07:34:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:16:59 2019; Machine Name: buxtehude
