Source: haproxy
Version: 3.2.19-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for haproxy. They do not
warrant a DSA, but could be fixed in the next point releases.

CVE-2026-55203[0]:
| HAProxy through 3.4.0, fixed in commit 5985276, contains an integer
| overflow vulnerability in the fcgi_conn structure's drl field that
| allows buffer misparse as new FCGI record headers. When
| contentLength is 65535 and paddingLength is 1 or more, the drl field
| wraps to 0, causing incorrect record consumption and allowing
| malicious FastCGI backends to desynchronize the FCGI framing parser,
| potentially causing request routing errors, response smuggling, or
| memory safety issues.

CVE-2026-55204[1]:
| HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null
| pointer dereference vulnerability in hpack_dht_insert() within
| src/hpack-tbl.c that fails to validate the return value of
| hpack_dht_defrag() when the memory pool is exhausted. An attacker
| can trigger HPACK dynamic table insertions under memory pressure to
| dereference a NULL pointer and crash HAProxy worker processes,
| causing denial of service.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-55203
    https://www.cve.org/CVERecord?id=CVE-2026-55203
    https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd
[1] https://security-tracker.debian.org/tracker/CVE-2026-55204
    https://www.cve.org/CVERecord?id=CVE-2026-55204
    https://github.com/haproxy/haproxy/commit/9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
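The framing bug behind CVE-2026-55203 is easiest to see in code. The following is an added illustration written for this report, not HAProxy's code or its fix: a minimal FastCGI record walker whose per-record "bytes left to consume" counter is held in a 16-bit field (named drl here only to mirror the description above; the fcgi_conn structure itself is not modelled). The FastCGI header carries a 16-bit contentLength and an 8-bit paddingLength, so their sum needs more than 16 bits; with contentLength 65535 and paddingLength 1 the narrow counter wraps to 0, the walker consumes no payload, and the next header is read from inside the payload. The hardened variant keeps the sum in 32 bits. The sample byte stream is constructed inline: one record with a 65535-byte body and 1 byte of padding, followed by an empty FCGI_STDOUT record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* FastCGI record header: 8 bytes, lengths big-endian (FastCGI spec). */
#define FCGI_HEADER_LEN 8
#define FCGI_VERSION_1  1
#define FCGI_STDOUT     6

struct fcgi_hdr {
    uint8_t  version;
    uint8_t  type;
    uint16_t request_id;
    uint16_t content_len;   /* 16-bit on the wire */
    uint8_t  padding_len;   /* 8-bit on the wire */
    uint8_t  reserved;
};

/* Decode one header; returns -1 if fewer than 8 bytes are available. */
static int fcgi_parse_hdr(const uint8_t *buf, size_t len, struct fcgi_hdr *h)
{
    if (len < FCGI_HEADER_LEN)
        return -1;
    h->version     = buf[0];
    h->type        = buf[1];
    h->request_id  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->content_len = (uint16_t)((buf[4] << 8) | buf[5]);
    h->padding_len = buf[6];
    h->reserved    = buf[7];
    return 0;
}

/* Vulnerable pattern (illustrative): the remaining-length counter is a
 * uint16_t, so content_len + padding_len silently wraps modulo 65536.
 * For content_len == 65535 and padding_len == 1 this yields 0. */
static uint16_t remaining_len_narrow(const struct fcgi_hdr *h)
{
    uint16_t drl = (uint16_t)(h->content_len + h->padding_len);
    return drl;
}

/* Hardened pattern: widen before adding so the sum (max 65535 + 255)
 * can never wrap. */
static uint32_t remaining_len_wide(const struct fcgi_hdr *h)
{
    return (uint32_t)h->content_len + h->padding_len;
}

/* Walk a stream of records and count the headers found. Returns -1 as
 * soon as a byte that is not a valid header appears where a header was
 * expected (the desynchronisation this CVE describes) or a record is
 * truncated. `wide` selects the hardened length computation. */
static int fcgi_walk(const uint8_t *buf, size_t len, int wide,
                     uint8_t *types, int max_types)
{
    size_t off = 0;
    int n = 0;
    while (off + FCGI_HEADER_LEN <= len && n < max_types) {
        struct fcgi_hdr h;
        uint32_t remaining;
        fcgi_parse_hdr(buf + off, len - off, &h);
        if (h.version != FCGI_VERSION_1)
            return -1;              /* payload bytes misread as a header */
        types[n++] = h.type;
        remaining = wide ? remaining_len_wide(&h) : remaining_len_narrow(&h);
        if (remaining > len - off - FCGI_HEADER_LEN)
            return -1;              /* record runs past the buffer */
        off += FCGI_HEADER_LEN + remaining;
    }
    return n;
}

/* Write a version-1 header with request id 1. */
static void fcgi_put_hdr(uint8_t *buf, uint8_t type, uint16_t content_len,
                         uint8_t padding_len)
{
    buf[0] = FCGI_VERSION_1; buf[1] = type; buf[2] = 0; buf[3] = 1;
    buf[4] = (uint8_t)(content_len >> 8); buf[5] = (uint8_t)content_len;
    buf[6] = padding_len; buf[7] = 0;
}

/* Constructed sample stream: STDOUT record with 65535 content bytes and
 * 1 padding byte (all 'A'), then an empty STDOUT record (end of stream). */
#define SAMPLE_LEN (FCGI_HEADER_LEN + 65535 + 1 + FCGI_HEADER_LEN)
static uint8_t sample[SAMPLE_LEN];

static size_t build_sample(void)
{
    fcgi_put_hdr(sample, FCGI_STDOUT, 65535, 1);
    memset(sample + FCGI_HEADER_LEN, 'A', 65535 + 1);
    fcgi_put_hdr(sample + FCGI_HEADER_LEN + 65536, FCGI_STDOUT, 0, 0);
    return SAMPLE_LEN;
}

/* Returns the record count the walker reports on the sample stream:
 * -1 with the narrow counter (desync after record 1), 2 with the wide one. */
static int demo(int wide)
{
    uint8_t types[4];
    size_t len = build_sample();
    return fcgi_walk(sample, len, wide, types, 4);
}

int main(void)
{
    printf("narrow counter: %d records (-1 = desynchronised)\n", demo(0));
    printf("wide counter:   %d records\n", demo(1));
    return 0;
}
```

The payload here is filled with 'A' so the desynchronisation surfaces as a version-byte mismatch; a backend that controls the payload could instead place bytes that decode as plausible headers, which is why the description above lists smuggling and routing errors among the consequences. The defensive point is the width of the arithmetic: compute and store the remaining length in a type that can hold 65535 + 255 before any comparison or subtraction.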

