SB2013062107 - Input validation error in haproxy (Alpine package)
Published: June 21, 2013
Security Bulletin ID
SB2013062107
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2013-2175)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=71014d6f0f81d932ba86312a8c361e134cfe6978
- https://git.alpinelinux.org/aports/commit/?id=b9073a5009143c15d717fadaf3e8b37febf839f4
- https://git.alpinelinux.org/aports/commit/?id=d18986df20f642070086bc7da1c238a7aa986c87
- https://git.alpinelinux.org/aports/commit/?id=d2207b3c4708cac6038cfbb0b7c58722e49c5c4e
- https://git.alpinelinux.org/aports/commit/?id=f7f59c5c4bc4eb186d2346ccde23948d8d1d6586