• Bug#1102673: haproxy: CVE-2025-32464

    From Salvatore Bonaccorso@21:1/5 to All on Fri Apr 11 21:10:01 2025
    Source: haproxy
    Version: 3.0.9-1
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
    Control: found -1 2.6.12-1+deb12u1
    Control: found -1 2.6.12-1

    Hi,

    The following vulnerability was published for haproxy.

    CVE-2025-32464[0]:
    | HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a
    | sample_conv_regsub heap-based buffer overflow because of mishandling
    | of the replacement of multiple short patterns with a longer one.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-32464
    https://www.cve.org/CVERecord?id=CVE-2025-32464
    [1] https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrian Bunk@21:1/5 to All on Wed Apr 23 21:10:01 2025
    Control: tags 1102673 + patch
    Control: tags 1102673 + pending

    Dear maintainer,

    I've prepared an NMU for haproxy (versioned as 3.0.10-0.1) and uploaded
    it to DELAYED/7. Please feel free to tell me if I should cancel it.

    Upgrading to 3.0.10 looked more reasonable to me than backporting just
    the (one-line) CVE fix, but either is fine for me.

    A maintainer upload of either would be my preferred option.

    cu
    Adrian

    diffstat for haproxy-3.0.9 haproxy-3.0.10

    CHANGELOG | 49 ++++++++++++
    SUBVERS | 2
    VERDATE | 4 -
    VERSION | 2
    debian/changelog | 9 ++
    doc/configuration.txt | 33 +++++++-
    include/haproxy/compiler.h | 1
    include/haproxy/fd-t.h | 6 +
    include/haproxy/fd.h | 4 +
    include/haproxy/mux_fcgi-t.h | 3
    include/haproxy/quic_conn.h | 10 +-
    include/haproxy/task-t.h | 9 +-
    include/haproxy/task.h | 62 ++++++++++++----
    include/import/plock.h | 20 ++++-
    src/backend.c | 36 ++++++---
    src/cli.c | 4 -
    src/debug.c | 17 +++-
    src/ev_epoll.c | 95 ++++++++++++++++++++++++
    src/fd.c | 7 +
    src/h3.c | 84 ++++++++++++++++++++--
    src/hlua.c | 21 ++++-
    src/hlua_fcn.c | 58 ++-------------
    src/http_ana.c | 46 ++++++++----
    src/log.c | 41 ++++++----
    src/mux_fcgi.c | 164 ++++++++++++++++++++++++++++++-------------
    src/mux_h2.c | 12 +++
    src/mux_quic.c | 41 ++++++----
    src/peers.c | 5 +
    src/proto_rhttp.c | 2
    src/sample.c | 2
    src/sink.c | 2
    src/stick_table.c | 13 +++
    src/stream.c | 29 +++++++
    src/tools.c | 10 +-
    tests/exp/filltab25.c | 2
    35 files changed, 704 insertions(+), 201 deletions(-)

    diff -Nru haproxy-3.0.9/CHANGELOG haproxy-3.0.10/CHANGELOG
    --- haproxy-3.0.9/CHANGELOG 2025-03-20 15:27:37.000000000 +0200
    +++ haproxy-3.0.10/CHANGELOG 2025-04-22 14:53:02.000000000 +0300
    @@ -1,6 +1,55 @@
    ChangeLog :
    ===========

    +2025/04/22 : 3.0.10
    + - MINOR: log: support "raw" logformat node typecast
    + - BUG/MINOR: peers: fix expire learned from a peer not converted from ms to ticks
    + - BUG/MEDIUM: peers: prevent learning expiration too far in futur from unsync node
    + - BUG/MEDIUM: mux-quic: fix crash on RS/SS emission if already close local + - BUG/MINOR: mux-quic: remove extra BUG_ON() in _qcc_send_stream()
    + - BUG/MINOR: log: fix gcc warn about truncating NUL terminator while init char arrays
    + - DOC: config: fix two missing "content" in "tcp-request" examples
    + - BUILD: compiler: undefine the CONCAT() macro if already defined
    + - BUG/MINOR: rhttp: fix incorrect dst/dst_port values
    + - BUG/MINOR: backend: do not overwrite srv dst address on reuse
    + - BUG/MEDIUM: backend: fix reuse with set-dst/set-dst-port
    +
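Review bot: None of the 3.0.10 entries visible in this CHANGELOG hunk names CVE-2025-32464 or the regsub converter, so the upstream changelog text shown here does not tell a reader of the package that the security fix is part of this upload. The original report asks for the CVE id in the changelog entry, so the debian/changelog addition (9 lines in the diffstat) should state CVE-2025-32464 explicitly and close #1102673. It would also help to say there that the fix arrives through the 3.0.10 upstream update rather than a targeted backport, since the diffstat covers 35 files while src/sample.c changes by only 2 lines.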