Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by AlmaLinux, the forever-free enterprise Linux distribution, focused on long-term stability, and providing a robust production-grade platform.

This week, important updates have been issued for HAProxy, QEMU and c-ares.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our site!

Yours in Open Source,


HAProxy

The Discovery 

A critical security vulnerability (CVE-2021-40346) has been disclosed in HAProxy, a widely used open-source load balancer and proxy server. The integer overflow vulnerability, which involves HAProxy incorrectly handling HTTP header name length encoding, has a severity rating of 8.6 on the CVSS scoring system.

The Impact

This flaw could potentially be exploited by a remote attacker to inject a duplicate content-length header and perform request smuggling or response splitting attacks, resulting in unauthorized access to sensitive data and execution of arbitrary commands.

The Fix

HAProxy has released an upgrade remediating this weakness by adding size checks for the name and value lengths. We recommend that you upgrade your HAProxy packages immediately to protect sensitive information and prevent attacks.

Users who cannot upgrade HAProxy to version 2.0.25, 2.2.17, 2.3.14 or 2.4.4 are recommended to add the following snippet to the proxy's configuration to mitigate attacks:

http-request deny if { req.hdr_cnt(content-length) gt 1 }

http-response deny if { res.hdr_cnt(content-length) gt 1 }
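To make the decision behind those two rules concrete, here is an added example (not HAProxy's code and not from the newsletter) that parses a raw HTTP header block, counts Content-Length occurrences and returns the same allow/deny verdict as `req.hdr_cnt(content-length) gt 1`. The sample messages are constructed for the demonstration; header names are compared case-insensitively, as HTTP requires.

```python
"""Emulate HAProxy's duplicate Content-Length mitigation on a raw header block.

Added example, not HAProxy's own code. The check mirrors the advisory's
rule `http-request deny if { req.hdr_cnt(content-length) gt 1 }`: any
request or response carrying more than one Content-Length header is denied.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP message (start line + headers, CRLF separated) into
    (name, value) pairs, keeping every occurrence so duplicates are visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request or status line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # HTTP header names are case-insensitive, so normalise before counting.
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return headers


def content_length_count(raw: bytes) -> int:
    """Equivalent of HAProxy's hdr_cnt(content-length) fetch."""
    return sum(1 for name, _ in parse_headers(raw) if name == "content-length")


def should_deny(raw: bytes) -> bool:
    """True when the mitigation rule would deny this message (count > 1)."""
    return content_length_count(raw) > 1


# Constructed sample messages for the demonstration (not captured traffic).
NORMAL_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
DUPLICATE_CL_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"content-length: 0\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_REQUEST), ("duplicate", DUPLICATE_CL_REQUEST)):
        print(label, "deny" if should_deny(msg) else "allow")
```

The same function applies to a response header block, which is what the `http-response` rule with `res.hdr_cnt` covers; the only difference is that the first line is a status line instead of a request line.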


QEMU

The Discovery 


It was found that the patch for CVE-2021-3592 - an invalid pointer initialization issue in the SLiRP networking implementation of the QEMU emulator and virtualizer - introduced a regression which prevented SSH connections to the host system.

The Impact

Since there is no imminent solution for the problem, the patch for CVE-2021-3592 has been reverted. 

The Fix

Updated QEMU packages are now available to correct this issue. Update promptly to ensure your system remains secure!


c-ares

The Discovery


Missing input validation of host names returned by Domain Name Servers has been discovered in the c-ares asynchronous resolver library before version 1.17.2 (CVE-2021-3672). 

The Impact

This flaw could be exploited by a remote attacker who is able to create DNS entries: crafted entries could cause c-ares to return a wrong hostname when they are resolved, leading to potential domain hijacking.

The Fix

This problem has been fixed upstream in c-ares version 1.17.2. Upgrade to 1.17.2-1 as soon as possible!

# pacman -Syu "c-ares>=1.17.2-1"
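The advisory describes the root cause as missing validation of host names returned by DNS servers. The following added example (not c-ares code, and not from the newsletter) shows the kind of check a resolver or its caller can apply before trusting a returned name: each label is held to the conventional RFC 1123 host-name syntax (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters) and the whole name to 253 characters. The syntax policy and the sample answers are assumptions constructed for the demonstration.

```python
"""Validate host names returned by a DNS reply before acting on them.

Added example, not c-ares code. The rules below are the common RFC 952/1123
host-name conventions, assumed here as the validation policy; a caller can
use them to reject a reply that carries a malformed name.
"""
import re
from typing import Iterable, List, Tuple

# One label: starts and ends with a letter or digit, hyphens allowed inside,
# 1..63 characters in total.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(name: str) -> bool:
    """Return True if `name` is a syntactically valid host name.

    A single trailing dot (fully qualified form) is accepted and stripped
    before the length check; anything else outside the label syntax,
    including spaces, control characters and empty labels, is rejected.
    """
    if not name:
        return False
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    # fullmatch (rather than match with `$`) ensures a trailing newline
    # cannot slip past the label pattern.
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))


def filter_dns_answer(answers: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Partition resolved names into (accepted, rejected) so the caller can
    refuse to use a reply that contains names it does not trust."""
    accepted, rejected = [], []
    for name in answers:
        (accepted if is_valid_hostname(name) else rejected).append(name)
    return accepted, rejected


# Constructed sample answers for the demonstration (not real DNS data).
SAMPLE_ANSWERS = [
    "www.example.test",
    "mail.example.test.",
    "bad host.example.test",     # space is not allowed in a label
    "-leading.example.test",     # a label must not start with a hyphen
    "evil\x00.example.test",     # embedded NUL byte
    "a" * 64 + ".example.test",  # label longer than 63 characters
]

if __name__ == "__main__":
    ok, bad = filter_dns_answer(SAMPLE_ANSWERS)
    print("accepted:", ok)
    print("rejected:", bad)
```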
