HAProxy CVE http://seclists.org/oss-sec/2013/q2/581

Asked by Keri Meredith on 2013-07-22

Per HAProxy site, all 1.4 versions should be upgraded. http://haproxy.1wt.eu/ Or does this not include using HAProxy on Ubuntu for some reason?

Question information

Language: English
Status: Solved
For: Ubuntu haproxy
Assignee: No assignee
Solved by: Keri Meredith
Solved: 2013-07-22
Last query: 2013-07-22
Last reply: 2013-07-22

I suggest you report a bug. If the bug and security fixes are significant it will be upgraded sooner. Packages are not upgraded simply because new versions are released.

Keri Meredith (kmeredith) said : #2

Thanks - one of our developers pointed me to this:

http://changelogs.ubuntu.com/changelogs/pool/main/h/haproxy/haproxy_1.4.18-0ubuntu1.2/changelog
... which shows that the CVE was taken care of -
haproxy (1.4.18-0ubuntu1.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service in HTTP header parsing
    - debian/patches/CVE-2013-2175.patch: properly calculate the header
      field count in src/proto_http.c.
    - CVE-2013-2175

(It was a little confusing to me since I was looking for 1.4.24, which is what http://haproxy.1wt.eu/ points me to.)

Thanks for the prompt reply. kjm
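
An added example, not part of the original thread: a check that reads a Debian-format changelog and reports which package versions mention a given CVE. It shows how 1.4.18-0ubuntu1.2 can carry the CVE-2013-2175 fix while its upstream version stays at 1.4.18. The second stanza and both trailer lines in the sample are constructed, and the function names are this example's own.

```python
import re

# Header line of a Debian changelog stanza: "package (version) dists; urgency=..."
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dists>[^;]+);")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# First stanza body is the changelog excerpt quoted in the thread; the second
# stanza and both " -- " trailer lines are constructed for this example.
SAMPLE = """\
haproxy (1.4.18-0ubuntu1.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service in HTTP header parsing
    - debian/patches/CVE-2013-2175.patch: properly calculate the header
      field count in src/proto_http.c.
    - CVE-2013-2175

 -- Constructed Maintainer <maintainer@example.invalid>  Mon, 01 Jul 2013 00:00:00 +0000

haproxy (1.4.18-0ubuntu1) precise; urgency=low

  * Constructed entry with no security content.

 -- Constructed Maintainer <maintainer@example.invalid>  Sun, 01 Jan 2012 00:00:00 +0000
"""

def cves_by_version(changelog_text):
    """Return [(version, distribution, sorted CVE ids)], newest stanza first."""
    stanzas = []
    for line in changelog_text.splitlines():
        m = HEADER.match(line)
        if m:
            stanzas.append((m["ver"], m["dists"].strip(), set()))
        elif stanzas:
            stanzas[-1][2].update(CVE.findall(line))
    return [(v, d, sorted(c)) for v, d, c in stanzas]

def fixed_in(changelog_text, cve_id):
    """Versions whose changelog stanza mentions cve_id (case-insensitive)."""
    wanted = cve_id.upper()
    return [v for v, _, cves in cves_by_version(changelog_text) if wanted in cves]

def upstream_version(debian_version):
    """Strip the epoch and the Debian/Ubuntu revision, leaving the upstream part."""
    no_epoch = debian_version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0] if "-" in no_epoch else no_epoch

if __name__ == "__main__":
    for ver in fixed_in(SAMPLE, "CVE-2013-2175"):
        print(f"{ver} (upstream {upstream_version(ver)}) carries the fix")
```

On an installed system the same functions can be fed the package's own changelog text instead of the embedded sample.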