Hi.

On Wed, Jul 24, 2019 at 10:05:49AM +0200, Martin wrote:
> I've received an advisory issued by one of my client's CERT. It is about
> haproxy and CVE-2019-14241:
>
> "HAProxy contains a flaw in the htx_manage_client_side_cookies() function in
> proto_htx.c that is triggered when handling certain threads. This may allow a
> remote attacker to cause a denial of service."
>
> At MITRE, this CVE exists, but I did not get any about it from the DSA or
> oss-security list. Does one of you know more about this?

[1] lists CVE-2019-14241 as "resolved". Presumably there was no DSA because
Debian haproxy is not affected by this issue.

As for the oss-security - reporting vulnerabilities there is merely a courtesy.
Reporting a vulnerability to the upstream - that's a must.

Reco

[1] https://security-tracker.debian.org/tracker/source-package/haproxy