HAProxy CVE http://seclists.org/oss-sec/2013/q2/581

Asked by Keri Meredith

Per HAProxy site, all 1.4 versions should be upgraded. http://haproxy.1wt.eu/ Or does this not include using HAProxy on Ubuntu for some reason?

Question information

English Edit question
Ubuntu haproxy Edit question
No assignee Edit question
Solved by:
Keri Meredith
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said :

I suggest you report a bug. If the bug and security fixes are significant it will be upgraded sooner. Packages are not upgraded simply because new versions are released.

Revision history for this message
Keri Meredith (kmeredith) said :

Thanks - one of our developers pointed me to this:

... which shows that the CVE was taken care of -
haproxy (1.4.18-0ubuntu1.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service in HTTP header parsing
    - debian/patches/CVE-2013-2175.patch: properly calculate the header
      field count in src/proto_http.c.
    - CVE-2013-2175

(It was a little confusing to me since I was looking for 1.4.24, which is what http://haproxy.1wt.eu/ points me to.)

Thanks for the prompt reply. kjm