Package | haproxy |
---|---|
Version | 1.5.8-3+deb8u3 |
Related CVEs | CVE-2019-18277 |
Nathan Davison discovered that HAProxy, a load balancing reverse proxy, did not correctly reject requests or responses featuring a transfer-encoding header missing the “chunked” value, which could facilitate an HTTP request smuggling attack.
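The rejection rule described above can be written as a small request-framing check, following RFC 7230 section 3.3.3 (a request with Transfer-Encoding whose final coding is not chunked must be refused). This is an added example, not HAProxy's code or the patch shipped in the package; all function names and sample requests are constructed.

```python
# Added example: request-framing check for Transfer-Encoding (RFC 7230, 3.3.3).
# All names and sample requests below are constructed for illustration.

def parse_headers(raw: bytes):
    """Split a raw request head into [(lowercased name, value)] pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        # RFC 7230 forbids whitespace between the field name and the colon.
        if not sep or not name or any(c in name for c in " \t"):
            raise ValueError(f"malformed header line: {line!r}")
        # Strip only SP/HTAB so other control characters stay in the value.
        headers.append((name.lower(), value.strip(" \t")))
    return headers

def framing_verdict(raw: bytes) -> str:
    """Return 'ok' or 'reject: <reason>' for one raw HTTP/1.1 request."""
    try:
        headers = parse_headers(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    if not te_values:
        return "ok"
    # Repeated Transfer-Encoding fields form one ordered list of codings.
    codings = [c.strip(" \t").lower() for v in te_values for c in v.split(",")]
    if codings[-1] != "chunked":
        return "reject: Transfer-Encoding present but final coding is not chunked"
    return "ok"

def req(*header_lines: str) -> bytes:
    """Build a constructed sample request from the given header lines."""
    return ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            + "".join(h + "\r\n" for h in header_lines) + "\r\n").encode("latin-1")

SAMPLES = {  # constructed inputs, not captured traffic
    "no_body": req(),
    "chunked": req("Transfer-Encoding: chunked"),
    "gzip_chunked": req("Transfer-Encoding: gzip, chunked"),
    "not_chunked": req("Content-Length: 5", "Transfer-Encoding: gzip"),
    "split_fields": req("Transfer-Encoding: chunked", "Transfer-Encoding: gzip"),
    "near_miss": req("Transfer-Encoding: xchunked"),
    "space_in_name": req("Transfer-Encoding : chunked"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} {framing_verdict(raw)}")
```

The same check can be run over request heads extracted from proxy or packet captures to find clients sending ambiguous framing.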
Furthermore, two issues have been addressed which never received a final CVE. There was a risk of reading past the end of a buffer in src/proto_http.c. This could lead to a denial of service (segmentation fault and application crash).
For Debian 8 jessie, these problems have been fixed in version 1.5.8-3+deb8u3.
We recommend that you upgrade your haproxy packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.