Source: haproxy
Version: 1.8.14-1
Severity: grave
Tags: patch security upstream

Hi,

The following vulnerability was published for haproxy, the RC severity
might be not correct, but trying to be on safe side here.

CVE-2018-20102[0]:
| An out-of-bounds read in dns_validate_dns_response in dns.c was
| discovered in HAProxy through 1.8.14. Due to a missing check when
| validating DNS responses, remote attackers might be able to read the 16
| bytes corresponding to an AAAA record from the non-initialized part of
| the buffer, possibly accessing anything that was left on the stack, or
| even past the end of the 8193-byte buffer, depending on the value of
| accepted_payload_size.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20102
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20102
[1] http://git.haproxy.org/?p=haproxy.git;a=commit;h=efbbdf72992cd20458259962346044cafd9331c0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
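
The kind of check the CVE description says was missing, as an added example that is not part of the original report and is not HAProxy's code: a simplified AAAA record parser that bounds the 16-byte copy by the bytes actually received rather than by the size of the receive buffer. The names `parse_aaaa` and `parse_sample`, the status codes and the sample record are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define RTYPE_AAAA 28
#define AAAA_LEN   16
#define RR_FIXED   10   /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */

enum rr_status { RR_OK = 0, RR_TRUNCATED = -1, RR_BAD_LENGTH = -2, RR_UNSUPPORTED = -3 };

/* Parse one record starting just after its owner name. `end` is one past the
 * last byte actually received, not the end of the receive buffer. */
static enum rr_status parse_aaaa(const uint8_t *p, const uint8_t *end, uint8_t out[AAAA_LEN])
{
    if (end - p < RR_FIXED)
        return RR_TRUNCATED;
    uint16_t type  = (uint16_t)((p[0] << 8) | p[1]);
    uint16_t rdlen = (uint16_t)((p[8] << 8) | p[9]);
    p += RR_FIXED;
    if (type != RTYPE_AAAA)
        return RR_UNSUPPORTED;
    if (rdlen != AAAA_LEN)
        return RR_BAD_LENGTH;
    /* Without this check the memcpy would read stale bytes past the datagram. */
    if (end - p < AAAA_LEN)
        return RR_TRUNCATED;
    memcpy(out, p, AAAA_LEN);
    return RR_OK;
}

/* Constructed sample: an AAAA record for 2001:db8::1 in a larger buffer that is
 * pre-filled with 0xAA to stand in for leftover memory. Only `received` bytes count. */
static enum rr_status parse_sample(size_t received, uint16_t rdlen, uint8_t out[AAAA_LEN])
{
    uint8_t buf[64];
    static const uint8_t rr[RR_FIXED + AAAA_LEN] = {
        0, RTYPE_AAAA, 0, 1, 0, 0, 0, 60, 0, AAAA_LEN,
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
    memset(buf, 0xAA, sizeof(buf));
    memcpy(buf, rr, sizeof(rr));
    buf[8] = (uint8_t)(rdlen >> 8);   /* let the caller override RDLENGTH */
    buf[9] = (uint8_t)rdlen;
    return parse_aaaa(buf, buf + received, out);
}

int main(void)
{
    uint8_t a[AAAA_LEN];
    return parse_sample(26, 16, a) == RR_OK && parse_sample(14, 16, a) == RR_TRUNCATED ? 0 : 1;
}
```

A record that claims 16 bytes of RDATA but arrives with fewer is rejected, so the 0xAA filler that stands in for stale memory never reaches the output.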