Your message dated Sat, 26 May 2018 14:40:37 +0000 with message-id <e1fman3-0009jb...@fasolo.debian.org> and subject line Bug#900084: fixed in haproxy 1.8.9-2 has caused the Debian Bug report #900084, regarding haproxy: CVE-2018-11469 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 900084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900084 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: haproxy Version: 1.8.0-1 Severity: grave Tags: patch security upstream fixed-upstream Hi, The following vulnerability was published for haproxy. CVE-2018-11469[0]: | Incorrect caching of responses to requests including an Authorization | header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows | attackers to achieve information disclosure via an unauthenticated | remote request, related to the proto_http.c | check_request_for_cacheability function. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-11469 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11469 [1] https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=17514045e5d934dede62116216c1b016fe23dd06 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: haproxy Source-Version: 1.8.9-2 We believe that the bug you reported is fixed in the latest version of haproxy, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 900...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Vincent Bernat <ber...@debian.org> (supplier of updated haproxy package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 26 May 2018 16:05:07 +0200 Source: haproxy Binary: haproxy haproxy-doc vim-haproxy Architecture: source Version: 1.8.9-2 Distribution: unstable Urgency: high Maintainer: Debian HAProxy Maintainers <hapr...@tracker.debian.org> Changed-By: Vincent Bernat <ber...@debian.org> Description: haproxy - fast and reliable load balancing reverse proxy haproxy-doc - fast and reliable load balancing reverse proxy (HTML documentatio vim-haproxy - syntax highlighting for HAProxy configuration files Closes: 900084 Changes: haproxy (1.8.9-2) unstable; urgency=high . * d/patches: fix CVE-2018-11469: do not cache when an Authorization header is present. Closes: #900084. Checksums-Sha1: 7fcfa4999e0d6906572580ccca7a2fabc33c193d 2280 haproxy_1.8.9-2.dsc f4b191b5d39d87ae59b31d9aae2d22352749bfd6 66384 haproxy_1.8.9-2.debian.tar.xz 3803b677d9eb798bd905c12a279f735632551b62 8516 haproxy_1.8.9-2_amd64.buildinfo Checksums-Sha256: 9b4c04c878651afe619a7d569551343b138250ed8e683c3b71a9f9832b165b7d 2280 haproxy_1.8.9-2.dsc 1e46cb34951f55481446eb2775f28441d0cdc1472bfebdab867fe8a52ddcce29 66384 haproxy_1.8.9-2.debian.tar.xz 66a7e112b6ea578d4d969539daf1dbfb876d691eeb0f7b10ad954acaac0a8eb9 8516 haproxy_1.8.9-2_amd64.buildinfo Files: 661940160b32bdf04a1d456fb4a43b25 2280 net optional haproxy_1.8.9-2.dsc 923fbcc36358dff20cfbdc9415728884 66384 net optional haproxy_1.8.9-2.debian.tar.xz f6b8ffe385a02ec2c009979e7efaf4fc 8516 net optional haproxy_1.8.9-2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAlsJasASHGJlcm5hdEBk ZWJpYW4ub3JnAAoJEJWkL+g1NSX5qdwP+OIuh0jkX5n3Uh4ciq6BK/nz1skA+56k VkpjcuFqKkz66d5VNIeBLcaMn6Fy1BC+SQp508U92iOZ7+3or6KuFQq+xCml4NTi 9fzp5myaj1PdtRBC4LzAtNsqlN5r1SL7+j2BUjbH5/oWf6CCgr4jK6HlGPq5ZMVg 9OLYYshmAKFfFzDBHpX+2maQuCJYX09Khh+KcQNtCwpCWDB/N4bjFNHcV+SYnO8/ GOYch6zKBaFEwyyT6koSlqA43Lffj75clyCf4gx4q3qcjj2IIrjcPc6NpbRliCgH PK7VQzvLoaVpufS4cNHcxUK7ySay41Mwh2syEI6MeLJDxDXDAV2vXKQY0mqbbwl/ UB0bGcsUYt0SS44qd4mMuUkkpnnWWmEDzTfQlFYoZyElYJXgCfDbIkFsEfxfJTCO k4fHMGR0QU81DA+66Yu9orBUuD9PFOfi2V310lAF448nK7lw1J2H23xVex5gNFmi WJkw8DUYLxcXwV6R9hx6GpQHy5JUXs1YeMP8GeA4mTMwcEDAEOphxvhn/vVnRA19 aQwFozvnWM4BbgRQGujzFivtk6SF+ZX+m1bc1Afdce2vrtWc1xWLBc6apjljPDZs DT+j+g3gkZscWc7A44Cci91Iu35c/JpNNQywujCHClKdMCVVzEbp/gE4haTA+Ftd N4oD0Vyl75k= =hfp9 -----END PGP SIGNATURE-----
--- End Message ---
