HAProxy: Arbitrary code execution

A buffer overflow in HAProxy might allow an attacker to execute arbitrary code.

haproxy 2020-12-24 2020-12-24 715944 remote 2.0.13 2.1.4 2.1.4

HAProxy is a TCP/HTTP reverse proxy for high availability environments.

It was discovered that HAProxy incorrectly handled certain HTTP/2 headers.

A remote attacker, by sending a specially crafted HTTP/2 request, could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Disable HTTP/2 support.

All HAProxy 2.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.13:0/2.0"

All other HAProxy users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.1.4"
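
To audit a host against the workaround and the fixed versions above, the following is an added example, not part of the advisory or the HAProxy project. The function names, the sample configuration and its paths and addresses are constructed; `h2_lines` checks the `alpn`, `npn` and `proto` keywords on bind and server lines.

```shell
#!/bin/sh
# Added example: audit helpers for this advisory (constructed, not project code).

# glsa_fixed VERSION: succeeds if VERSION meets the advisory's fixed versions,
# i.e. >= 2.0.13 within 2.0.x and >= 2.1.4 for everything else.
# VERSION is the number reported by `haproxy -v`, e.g. 2.0.12.
glsa_fixed() {
    ver=${1%%-*}                      # drop suffixes such as "-dev1" or "-r1"
    old_ifs=$IFS; IFS=.
    set -- $ver                       # split major.minor.patch on dots
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 0 ]; then
        [ "$patch" -ge 13 ]
        return
    fi
    [ $((major * 1000000 + minor * 1000 + patch)) -ge 2001004 ]
}

# h2_lines < haproxy.cfg: prints "LINENO: line" for every bind/server line that
# still enables HTTP/2, via an alpn/npn list containing h2 or via "proto h2".
h2_lines() {
    awk '
    { line = $0; sub(/#.*/, "", line) }              # strip comments
    line ~ /^[ \t]*(bind|server|default-server|server-template)[ \t]/ {
        n = split(line, w, /[ \t]+/)
        for (i = 1; i < n; i++) {
            list = "," w[i + 1] ","
            if ((w[i] == "alpn" || w[i] == "npn") && list ~ /,h2,/) { print NR ": " $0; next }
            if (w[i] == "proto" && w[i + 1] == "h2") { print NR ": " $0; next }
        }
    }'
}

# Constructed sample configuration (paths and addresses are placeholders).
sample_cfg() {
    cat <<'EOF'
frontend fe_tls
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    bind :8443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    bind :8080 proto h2
backend be_app
    server app1 10.0.0.10:8080 check
EOF
}

sample_cfg | h2_lines                 # reports lines 2 and 4 of the sample
glsa_fixed 2.0.12 || echo "2.0.12: upgrade required"
```

On a real host, feed the running configuration to `h2_lines` on standard input; an empty result means no bind or server line requests HTTP/2 through these keywords.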
CVE-2020-11100 sam_c sam_c