centos | CentOS Project | CESA-2015:1741
Sep 08, 2015 - 7:57 p.m.

haproxy security update

2015-09-08 19:57:39
CentOS Project
lists.centos.org

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003
Percentile: 71.4%

CentOS Errata and Security Advisory CESA-2015:1741

HAProxy provides high availability, load balancing, and proxying for TCP
and HTTP-based applications.

An implementation error related to the memory management of requests and
responses was found within HAProxy’s buffer_slow_realign() function.
An unauthenticated remote attacker could possibly use this flaw to leak
certain memory buffer contents from a past request or session.
(CVE-2015-3281)

All haproxy users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2015-September/083538.html
https://lists.centos.org/pipermail/centos-announce/2015-September/083540.html

Affected packages:
haproxy

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:1741
