Bugzilla – Bug 937042
VUL-0: CVE-2015-3281: haproxy: information leak vulnerability
Last modified: 2015-12-01 08:51:55 UTC
A vulnerability was found when HTTP pipelining is used. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session. I want to address sincere congratulations to Charlie Smurthwaite of aTech Media for the really detailed traces he provided which made it possible to find the cause of this bug. Every user of 1.5-dev, 1.5.x or 1.6-dev must upgrade to 1.5.14 or latest 1.6-dev snapshot to fix this issue, or use the backport of the fix provided by their operating system vendors. CVE-2015-3281 was assigned to this bug.
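A small helper for inventory work, added here and not part of the bug report or of haproxy itself: it classifies a `haproxy -v` banner against the affected/fixed versions named in the advisory above. The banner format (`HA-Proxy version 1.5.13 2015/06/11`, `HA-Proxy version 1.6-dev2 ...`) is an assumption about the output, not something this page states.

```python
import re

# Assumed shape of the first line of `haproxy -v`, e.g.
#   "HA-Proxy version 1.5.13 2015/06/11"
#   "HA-Proxy version 1.5-dev22 2014/02/03"
#   "HA-Proxy version 1.6-dev2 2015/06/17"
VERSION_RE = re.compile(r"version\s+(\d+)\.(\d+)(?:\.(\d+))?(?:-dev(\d*))?", re.I)


def parse_version(banner):
    """Return (major, minor, patch, is_dev, dev_number) from a banner line."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised haproxy version banner: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    dev = m.group(4)          # None when not a -dev snapshot, '' or digits when it is
    return major, minor, patch, dev is not None, int(dev) if dev else 0


def cve_2015_3281_status(banner):
    """Classify a banner per the advisory: 1.5-dev, 1.5.0..1.5.13 and
    pre-fix 1.6-dev snapshots are affected; 1.5.14 and later are fixed."""
    major, minor, patch, is_dev, _ = parse_version(banner)
    if (major, minor) < (1, 5):
        # The advisory lists only 1.5-dev, 1.5.x and 1.6-dev as affected.
        return "not_listed"
    if (major, minor) == (1, 5):
        if is_dev:
            return "affected"
        return "fixed" if patch >= 14 else "affected"
    if (major, minor) == (1, 6) and is_dev:
        # Only a 1.6-dev snapshot taken after the fix is safe; the banner
        # alone does not say which snapshot this is, so flag it for review.
        return "unknown"
    # 1.6.0 and every later release branch were cut after the fix landed.
    return "fixed"
```

Distribution packages backport the fix without changing the upstream version (the SUSE updates on this page ship it as haproxy-1.5.4-x), so for packaged builds check the package changelog rather than trusting the banner.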
1.5.14 submitted to server:http: https://build.opensuse.org/request/show/315012
This is an autogenerated message for OBS integration: This bug (937042) was mentioned in https://build.opensuse.org/request/show/315017 Factory / haproxy
Taking a security incident.
dev branch commit: http://git.haproxy.org/?p=haproxy.git;a=commit;h=27187ab56a2f1104818c2f21c5139c1edd8b838f
1.5 branch commit: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4
POC reproducer from the commit message:
> Prior to this patch, the following script would return different hashes
> on each round when run from a 100 Mbps-connected machine:
>
> i=0
> while usleep 100000; do
>     echo round $((i++))
>     set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum)
>     if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi
> done
>
> The file contains 1000 times this request with "Connection: close" on the
> last one:
>
> GET /?s=5k&R=1 HTTP/1.1
>
> The config is very simple:
>
> global
>     tune.bufsize 16384
>     tune.maxrewrite 8192
>
> defaults
>     mode http
>     timeout client 10s
>     timeout server 5s
>     timeout connect 3s
>
> listen px
>     bind :8001
>     option http-server-close
>     server s1 127.0.0.1:8000
>
> And httpterm-1.7.2 is used as the server on port 8000.
>
> After the fix, 1 million requests were sent and all returned the same
> contents.
Created attachment 640246: CVE-2015-3281.patch
http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4;hp=6de4c2fbaf8b8dc72959a1fd6c51bd0f3aa8204d
SUSE-SU-2015:1663-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 937042,937202
CVE References: CVE-2015-3281,CVE-2015-4000
Sources used:
SUSE OpenStack Cloud Compute 5 (src): haproxy-1.5.4-2.4.1
SUSE Linux Enterprise High Availability 12 (src): haproxy-1.5.4-2.4.1
SUSE-SU-2015:1776-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 937042,937202,947204
CVE References: CVE-2015-3281
Sources used:
SUSE OpenStack Cloud 5 (src): haproxy-1.5.4-12.1
This is an autogenerated message for OBS integration: This bug (937042) was mentioned in https://build.opensuse.org/request/show/339915 13.2 / haproxy
openSUSE-SU-2015:1831-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 937042,937202
CVE References: CVE-2015-3281
Sources used:
openSUSE 13.2 (src): haproxy-1.5.5-3.1
What is the status of this, is it released as comment #32 indicates? The whiteboard still says planned update.
(In reply to Kristoffer Gronlund from comment #33)
It is released. The whiteboard entry was wrong. Thanks again for the submit.
(In reply to Johannes Segitz from comment #34)
> (In reply to Kristoffer Gronlund from comment #33)
> It is released. The whiteboard entry was wrong. Thanks again for the submit.
Thanks!