
haproxy: denial of service

Package(s): haproxy
CVE #(s): CVE-2016-5360
Created: June 10, 2016
Updated: June 29, 2016
Description: From the Arch Linux advisory:

A problem has been discovered with the new field "rule_deny_status" in struct http_txn, which is filled only by actions "http-request deny" and "http-request tarpit". It's then used in the deny code path to emit the proper error message, but is used uninitialized when the deny comes from a "reqdeny" rule, causing random behaviours ranging from returning a 200, an empty response, or crashing the process.

A remote attacker is able to use a specially crafted request to crash the process resulting in denial of service.
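The bug class described in the advisory, as an added example that is not HAProxy source and not part of the advisory: a field that selects the error response is written by some deny actions and read unconditionally by the shared deny path. Only `http_txn` and `rule_deny_status` are names from the advisory; the error table, the function names, the stale values and the hardening shown are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model, NOT HAProxy source. Only http_txn and rule_deny_status
 * are names from the advisory; every other identifier is hypothetical. */
enum { ERR_403, ERR_500, ERR_COUNT };
static const int err_code[ERR_COUNT] = { 403, 500 };

struct http_txn { int rule_deny_status; /* index into err_code[] */ };

/* "http-request deny" / "http-request tarpit": these fill the field. */
static void act_http_request_deny(struct http_txn *t, int idx) { t->rule_deny_status = idx; }

/* "reqdeny" as described: denies without ever writing the field. */
static void act_reqdeny(struct http_txn *t) { (void)t; }

/* One possible hardening (assumption): give the field a defined value. */
static void act_reqdeny_hardened(struct http_txn *t) { t->rule_deny_status = ERR_403; }

/* Shared deny path. Returns the status sent, or -1 where an unchecked lookup
 * would read outside err_code[]; the check keeps this model well-defined. */
static int emit_deny(const struct http_txn *t) {
    int i = t->rule_deny_status;
    return (i < 0 || i >= ERR_COUNT) ? -1 : err_code[i];
}

/* Run a reqdeny denial on a transaction whose storage still holds `stale`
 * (a constructed leftover value standing in for uninitialized memory). */
int deny_via_reqdeny(int stale, int hardened) {
    struct http_txn t = { stale };
    if (hardened) act_reqdeny_hardened(&t); else act_reqdeny(&t);
    return emit_deny(&t);
}

/* Reference case: the rule type that does fill the field. */
int deny_via_http_request(int stale, int idx) {
    struct http_txn t = { stale };
    act_http_request_deny(&t, idx);
    return emit_deny(&t);
}

int main(void) {
    printf("http-request deny:        %d\n", deny_via_http_request(12345, ERR_403));
    printf("reqdeny, stale=1:         %d\n", deny_via_reqdeny(1, 0));
    printf("reqdeny, stale=12345:     %d\n", deny_via_reqdeny(12345, 0));
    printf("reqdeny hardened:         %d\n", deny_via_reqdeny(12345, 1));
    return 0;
}
```

The response from the unhardened `reqdeny` path depends entirely on what the storage held before, which is why the advisory lists several different outcomes for the same rule.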

Alerts:
Fedora FEDORA-2016-b38938aa8e haproxy 2016-06-29
Ubuntu USN-3011-1 haproxy 2016-06-20
Arch Linux ASA-201606-11 haproxy 2016-06-10
