Upstream information

CVE-2013-1912 at MITRE

Description

Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that append to requests, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests that prevent request realignment from occurring.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)

Base Score: 5.1
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

SUSE Bugzilla entry: 830612 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5
  • haproxy >= 1.5.4-1.10
Patchnames:
SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5 GA haproxy
SUSE Linux Enterprise High Availability 12 SP2
  • haproxy >= 1.6.5-5.9
Patchnames:
SUSE Linux Enterprise High Availability 12 SP2 GA haproxy
SUSE Linux Enterprise High Availability 12 SP3
  • haproxy >= 1.6.11-10.2
Patchnames:
SUSE Linux Enterprise High Availability 12 SP3 GA haproxy
SUSE Linux Enterprise High Availability 15
  • haproxy >= 1.8.8-1.15
Patchnames:
SUSE Linux Enterprise High Availability 15 GA haproxy
SUSE OpenStack Cloud 6
  • haproxy >= 1.5.14-1.4
Patchnames:
SUSE OpenStack Cloud 6 GA haproxy
openSUSE Tumbleweed
  • haproxy >= 1.7.0-1.1
Patchnames:
openSUSE Tumbleweed GA haproxy