Hi,

On Mon, Dec 25, 2023 at 10:35:16AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: hapr...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:haproxy
>
> Hi,
>
> For ELTS I was fixing haproxy's CVEs CVE-2023-40225 and CVE-2023-45539,
> and I'd also like to fix those for stable and oldstable.
>
> CC'ing the security team, in case they want to issue a DSA instead.
>
> The changes can also be found on the LTS repository:
> https://salsa.debian.org/lts-team/packages/haproxy
>
> [ Tests ]
> I've tested the fixes manually, using netcat to inject
> problematic http requests and confirm that the patched
> version rejects the malicious requests. (using nginx and
> also netcat as http server.)
>
> (Being verbose here to document the tests for later reference ;-))
>
> haproxy is listening on port 8080
>
> e.g. for CVE-2023-40225:
> echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080
> must be rejected with 400 Bad Request
> and without the "#" accepted.
>
> for CVE-2023-45539, nginx is stopped, and netcat listens on port 80:
> echo 'GET / HTTP/.1.1
> host: whatever
> content-length:
> ' | netcat localhost 8080
>
> If the request is accepted (and forwarded to the listening netcat),
> haproxy is vulnerable. If a "400 Bad request" is thrown, without
> netcat receiving something, haproxy is not vulnerable.
>
> (haproxy is running on port 8080)
>
> [ Risks ]
> Upstream patch, applied cleanly.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> Debdiff attached.
>
> I've uploaded the package to o-s-p-u already.
Thanks, but I have already worked on the haproxy update for bullseye and bookworm.

SRM, can you please reject the packages from stable-new and oldstable-new so once I release the DSA, that version won't clash versionwise?

Regards,
Salvatore
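The two manual netcat checks from the quoted bug report, turned into a repeatable post-update verification script. This is an added example, not code from the bug report or from the haproxy package; it assumes haproxy listens on localhost:8080 as in the quoted setup, writes the second request line as HTTP/1.1, and treats anything other than a 400 for the malformed probes as a failed check.

```python
import socket
from typing import Dict, Optional

# Raw probe requests rebuilt from the quoted test notes (constructed byte strings):
# the first carries a "#" in the request target, the second an empty Content-Length.
PROBES = {
    "fragment-in-uri": b"GET /index.nginx-debian.html# HTTP/1.0\r\n\r\n",
    "empty-content-length": b"GET / HTTP/1.1\r\nhost: whatever\r\ncontent-length: \r\n\r\n",
}
# Same request as the first probe without the "#"; a patched haproxy must still accept it.
CONTROL = b"GET /index.nginx-debian.html HTTP/1.0\r\n\r\n"


def status_code(response: bytes) -> Optional[int]:
    """Return the status code from a raw HTTP response, or None if there is no status line."""
    line, _, _ = response.partition(b"\r\n")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def send_raw(request: bytes, host: str = "localhost", port: int = 8080, timeout: float = 3.0) -> bytes:
    """Send one raw request and collect whatever the proxy answers (assumed local haproxy)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # backend may hold the connection; use what we have
    return b"".join(chunks)


def is_rejected(response: bytes) -> bool:
    """A fixed haproxy answers a malformed probe with 400 Bad Request."""
    return status_code(response) == 400


def check(host: str = "localhost", port: int = 8080) -> Dict[str, bool]:
    """Map each check name to True when haproxy behaves as the fixed version should."""
    results = {name: is_rejected(send_raw(req, host, port)) for name, req in PROBES.items()}
    control = status_code(send_raw(CONTROL, host, port))
    results["control-accepted"] = control is not None and control != 400
    return results


if __name__ == "__main__":
    for name, ok in check().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```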