FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

haproxy -- information leak vulnerability

Affected packages
1.5.0 <= haproxy < 1.5.14

Details

VuXML ID cbfa8bd7-24b6-11e5-86ff-14dae9d210b8
Discovery 2015-07-02
Entry 2015-07-07

HAProxy reports:

A vulnerability was found when HTTP pipelining is used. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session. I want to address sincere congratulations to Charlie Smurthwaite of aTech Media for the really detailed traces he provided which made it possible to find the cause of this bug. Every user of 1.5-dev, 1.5.x or 1.6-dev must upgrade to 1.5.14 or latest 1.6-dev snapshot to fix this issue, or use the backport of the fix provided by their operating system vendors. CVE-2015-3281 was assigned to this bug.

References

CVE Name CVE-2015-3281
Message http://seclists.org/oss-sec/2015/q3/61
URL http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4
URL http://www.haproxy.org/news.html