An information disclosure vulnerability was reported in HAProxy. Details (quoting attached patch):

The function buffer_slow_realign() was initially designed for requests only and did not consider pending outgoing data. This causes a problem when called on responses where data remain in the buffer, which may happen with pipelined requests when the client is slow to read data. The user-visible effect is that if less than <maxrewrite> bytes are present in the buffer from a previous response and these bytes cross the <maxrewrite> boundary close to the end of the buffer, then a new response will cause a realign and will destroy these pending data and move the pointer to what's believed to contain pending output data. Thus the client receives the crap that lies in the buffer instead of the original output bytes. This new implementation now properly realigns everything including the outgoing data which are moved to the end of the buffer while the input data are moved to the beginning. This implementation still uses a buffer-to-buffer copy which is not optimal in terms of performance and which should be replaced by a buffer switch later.

The proposed patch is attached to this Bugzilla.
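As an added illustration of the behaviour the patch description calls for (this is not code from the attached patch or from HAProxy), the following models a buffer whose pending output sits just before the input pointer and may wrap around the end of the storage, and realigns it so that output ends up at the end and input at the beginning, with the previous response's bytes left intact. The struct, its field names and the 16-byte scenario are assumptions constructed for this example.

```c
#include <string.h>

/* Simplified model of a proxy buffer (an assumption for this example):
 * output data already scheduled for sending sits just before p and may
 * wrap around the end of data[]; input data starts at p. */
struct buf {
    char *p;            /* start of input data */
    unsigned int size;  /* capacity of data[] */
    unsigned int i;     /* pending input bytes (not yet processed) */
    unsigned int o;     /* pending output bytes (not yet sent) */
    char *data;
};

/* Read data[idx] with wraparound, so negative and over-size indices work. */
static char at(const struct buf *b, long idx)
{
    long s = (long)b->size;
    return b->data[((idx % s) + s) % s];
}

/* Realign as the fix describes: output is moved to the end of the buffer
 * and input to the beginning, through a scratch copy so that neither
 * region clobbers the other. 'swap' must hold at least b->size bytes. */
void buffer_slow_realign_fixed(struct buf *b, char *swap)
{
    long out_start = b->p - b->data - (long)b->o;  /* negative when wrapped */
    for (unsigned int n = 0; n < b->o; n++)
        swap[b->size - b->o + n] = at(b, out_start + n);
    for (unsigned int n = 0; n < b->i; n++)
        swap[n] = at(b, (b->p - b->data) + n);
    memcpy(b->data, swap, b->i);
    memcpy(b->data + b->size - b->o, swap + b->size - b->o, b->o);
    b->p = b->data;
}

/* Constructed scenario: 5 bytes of a previous response still pending and
 * wrapped across the end of a 16-byte buffer, with new input behind them.
 * Returns 1 when both regions survive the realign intact. */
int realign_preserves_pending_output(void)
{
    char data[16] = {0}, swap[16];
    struct buf b = { data + 2, 16, 6, 5, data };
    memcpy(data + 13, "RES", 3);   /* output "RESP1" wraps: "RES" at 13..15 */
    memcpy(data, "P1", 2);         /* ... and "P1" at 0..1 */
    memcpy(data + 2, "GET /x", 6); /* input starts at p = data + 2 */
    buffer_slow_realign_fixed(&b, swap);
    return b.p == data && b.o == 5 && b.i == 6
        && memcmp(data, "GET /x", 6) == 0 && memcmp(data + 11, "RESP1", 5) == 0;
}
```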
Created attachment 1045847: 0001-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch

Public: http://www.haproxy.org/news.html
Patch posted upstream: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 1241143]
haproxy-1.5.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
haproxy-1.5.14-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Hey Folks, Just wondering what the status of this bug report is. Will this be pushed to RHEL's repos anytime soon? Seeing how this is high severity and priority, it would be good to have a timeframe of release.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2015:1741 https://rhn.redhat.com/errata/RHSA-2015-1741.html
Hello, from https://rhn.redhat.com/errata/RHSA-2015-1741.html, the package name says "haproxy-1.5.4-2.el6_7.1.x86_64.rpm". Isn't this an old package? When we check the version, it says it was built in 2014.

[root@server ~]# haproxy -v
HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau <w>

That is the compiled version option provided by the upstream sources. To say it a different way, that is the base version that Red Hat used in creating this package. What you need to look at to determine the *real* manifest of the package is the package information and changelog:

# rpm -qi haproxy-1.5.4-2.el6_7.1.x86_64
Name        : haproxy                       Relocations: (not relocatable)
Version     : 1.5.4                         Vendor: Red Hat, Inc.
Release     : 2.el6_7.1                     Build Date: Tue 28 Jul 2015 05:58:13 PM CEST
Install Date: Fri 11 Sep 2015 04:54:47 PM CEST   Build Host: x86-032.build.eng.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: haproxy-1.5.4-2.el6_7.1.src.rpm
Size        : 2552550                       License: GPLv2+
Signature   : RSA/8, Thu 03 Sep 2015 09:09:56 PM CEST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.haproxy.org/
Summary     : HAProxy is a TCP/HTTP reverse proxy for high availability environments
Description :
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
<SNIP>

# rpm -q --changelog haproxy-1.5.4-2.el6_7.1.x86_64
* Tue Jul 28 2015 Ryan O'Hara <rohara> - 1.5.4-2.1
- Fix buffer_slow_realign() function to respect output data
  Resolves: CVE-2015-3281

* Tue Mar 03 2015 Ryan O'Hara <rohara> - 1.5.4-2
- Read sysconfig file for extra options
  Resolves: rhbz#1166497

* Tue Nov 11 2014 Ryan O'Hara <rohara> - 1.5.4-1
- Rebase to upstream version 1.5.4
  Resolves: rhbz#1136550
<SNIP>

So, 1.5.4 has been, and still is, the base point the subsequent RHEL6 packages were based on, with patches applied. Typically, a package is not rebased within a RHEL major version lifecycle, but there are exceptions. For more information, please feel free to contact your Red Hat support representative.
This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2015:2666 https://rhn.redhat.com/errata/RHSA-2015-2666.html