haproxy: CVE-2018-11469

Debian Bug report logs - #900084
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 25 May 2018 20:39:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version haproxy/1.8.0-1

Fixed in version haproxy/1.8.9-2

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian HAProxy Maintainers <pkg-haproxy-maintainers@lists.alioth.debian.org>:
Bug#900084; Package src:haproxy. (Fri, 25 May 2018 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian HAProxy Maintainers <pkg-haproxy-maintainers@lists.alioth.debian.org>. (Fri, 25 May 2018 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: haproxy: CVE-2018-11469
Date: Fri, 25 May 2018 22:37:51 +0200
Source: haproxy
Version: 1.8.0-1
Severity: grave
Tags: patch security upstream fixed-upstream

Hi,

The following vulnerability was published for haproxy.

CVE-2018-11469[0]:
| Incorrect caching of responses to requests including an Authorization
| header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows
| attackers to achieve information disclosure via an unauthenticated
| remote request, related to the proto_http.c
| check_request_for_cacheability function.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11469
[1] https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=17514045e5d934dede62116216c1b016fe23dd06

Regards,
Salvatore

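The report above concerns a shared cache storing responses to requests that carried an Authorization header and then serving them to unauthenticated clients. The toy model below is an added illustration, not HAProxy's code: `vulnerable_is_cacheable` looks only at the response, while `fixed_is_cacheable` applies the RFC 7234 section 3.2 rule (a shared cache may store such a response only if it carries `public`, `must-revalidate` or `s-maxage`), which is broader than the "do not cache at all" fix the Debian changelog describes. The paths, tokens and bodies are constructed sample data.

```python
from typing import Callable, Dict, Optional, Set

# Constructed sample exchanges (not captured traffic): path, request
# headers, response status, response headers, response body.
EXCHANGES = [
    ("/dashboard", {"Authorization": "Bearer user-a-token"}, 200,
     {"Cache-Control": "max-age=60"}, "user A's private dashboard"),
    ("/app.js", {"Authorization": "Bearer user-a-token"}, 200,
     {"Cache-Control": "public, max-age=60"}, "shared static asset"),
    ("/index", {}, 200, {"Cache-Control": "max-age=60"}, "anonymous page"),
]

Decide = Callable[[Dict[str, str], int, Dict[str, str]], bool]


def _directives(headers: Dict[str, str]) -> Set[str]:
    """Cache-Control directive names, lower-cased, with values stripped."""
    raw = headers.get("Cache-Control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


def vulnerable_is_cacheable(req, status, resp) -> bool:
    """Looks only at the response, so a response to an authenticated
    request carrying a plain max-age is stored and later served to anyone."""
    return status == 200 and not ({"no-store", "private"} & _directives(resp))


def fixed_is_cacheable(req, status, resp) -> bool:
    """Same response checks, plus the RFC 7234 rule for Authorization."""
    cc = _directives(resp)
    if status != 200 or {"no-store", "private"} & cc:
        return False
    if any(k.lower() == "authorization" for k in req):
        # A shared cache may store it only when the origin opts in explicitly.
        return bool({"public", "must-revalidate", "s-maxage"} & cc)
    return True


def replay(decide: Decide) -> Dict[str, Optional[str]]:
    """Replay EXCHANGES through a cache using `decide`, then report what an
    unauthenticated client would receive from the cache for each path."""
    cache: Dict[str, str] = {}
    for path, req, status, resp, body in EXCHANGES:
        if decide(req, status, resp):
            cache[path] = body
    return {path: cache.get(path) for path, *_ in EXCHANGES}


if __name__ == "__main__":
    for name, decide in (("vulnerable", vulnerable_is_cacheable),
                         ("fixed", fixed_is_cacheable)):
        print(name, replay(decide))
```

With the vulnerable decision the private dashboard body ends up in the shared cache under `/dashboard`; with the fixed decision it is never stored, while the explicitly `public` asset and the anonymous page still are.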


Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sat, 26 May 2018 14:45:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 26 May 2018 14:45:04 GMT)


Message #10 received at 900084-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 900084-close@bugs.debian.org
Subject: Bug#900084: fixed in haproxy 1.8.9-2
Date: Sat, 26 May 2018 14:40:37 +0000
Source: haproxy
Source-Version: 1.8.9-2

We believe that the bug you reported is fixed in the latest version of
haproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900084@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated haproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 26 May 2018 16:05:07 +0200
Source: haproxy
Binary: haproxy haproxy-doc vim-haproxy
Architecture: source
Version: 1.8.9-2
Distribution: unstable
Urgency: high
Maintainer: Debian HAProxy Maintainers <haproxy@tracker.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
 haproxy    - fast and reliable load balancing reverse proxy
 haproxy-doc - fast and reliable load balancing reverse proxy (HTML documentatio
 vim-haproxy - syntax highlighting for HAProxy configuration files
Closes: 900084
Changes:
 haproxy (1.8.9-2) unstable; urgency=high
 .
   * d/patches: fix CVE-2018-11469: do not cache when an Authorization
     header is present. Closes: #900084.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Jul 2018 07:29:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:51 2019; Machine Name: buxtehude
