ArchLinux: 201901-15: haproxy: denial of service

    Date: 27 Jan 2019
    Category: ArchLinux
    Posted By: Anthony Pell
    The package haproxy before version 1.9.0-1 is vulnerable to denial of service.
    Arch Linux Security Advisory ASA-201901-15
    ==========================================
    
    Severity: Medium
    Date    : 2019-01-24
    CVE-ID  : CVE-2018-20102 CVE-2018-20103
    Package : haproxy
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-836
    
    Summary
    =======
    
    The package haproxy before version 1.9.0-1 is vulnerable to denial of
    service.
    
    Resolution
    ==========
    
    Upgrade to 1.9.0-1.
    
    # pacman -Syu "haproxy>=1.9.0-1"
    
    The problems have been fixed upstream in version 1.9.0.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2018-20102 (denial of service)
    
    A stack-based out-of-bounds read has been found in HAProxy before
    1.8.15, in the dns_validate_dns_response() function in dns.c, where it
    can be triggered by a crafted DNS packet.
    
    - CVE-2018-20103 (denial of service)
    
    A stack-exhaustion issue has been found in HAProxy before 1.8.15, in
    the dns_read_name() function in dns.c, where an infinite recursion can
    be triggered via a crafted DNS packet.
    
    Impact
    ======
    
    A remote attacker is able to crash the server with a specially crafted
    DNS packet.
    
    References
    ==========
    
    https://www.mail-archive.com/This email address is being protected from spambots. You need JavaScript enabled to view it./msg32055.html
    https://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=2e53fe850be462dab2c1141f044a94d248d68bfe
    https://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=12e27845513f87fe2df88e5795d0273f0b992a91
    https://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=2b514b24f71af8ff8c6593636850b9a312a05278
    https://security.archlinux.org/CVE-2018-20102
    https://security.archlinux.org/CVE-2018-20103
    