[arch-security] [ASA-201507-3] haproxy: information leakage
Arch Linux Security Advisory ASA-201507-3
=========================================

Severity: High
Date    : 2015-07-04
CVE-ID  : CVE-2015-3281
Package : haproxy
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package haproxy before version 1.5.14-1 is vulnerable to information
leakage.

Resolution
==========

Upgrade to 1.5.14-1.

# pacman -Syu "haproxy>=1.5.14-1"

The problem has been fixed upstream in version 1.5.14.

Workaround
==========

None.

Description
===========

A vulnerability was found in the handling of HTTP pipelining. In some
cases, a client might be able to cause a buffer alignment issue and
retrieve uninitialized memory contents that exhibit data from a past
request or session.

With the proper timing and by requesting files of specific sizes from
the backend servers in HTTP pipelining mode, one can trigger a call to a
buffer alignment function which was not designed to work with pending
output data. The effect is that the output data pointer points to the
wrong location in the buffer, causing corruption on the client. It's
more visible with chunked encoding and compressed bodies because the
client cannot parse the response, but with a regular content-length
body, the client will simply retrieve corrupted contents. That's not the
worst problem in fact since pipelining is disabled in most clients. The
real problem is that it allows the client to sometimes retrieve data
from a previous session that remains in the buffer at the location where
the output pointer lies. Thus it's an information leak vulnerability.

Impact
======

A remote unauthenticated attacker can retrieve sensitive information
from a previous session by sending crafted HTTP requests.

References
==========

http://marc.info/?l=haproxy&m=143593901506748&w=2
http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=7ec765568883b2d4e5a...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3281
Remi Gacogne
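
The mechanism in the Description, as a simplified model added here as an example (not HAProxy's code): a realign that ignores pending output leaves the output pointer on leftover bytes, shown beside a variant that moves output and input together. The struct layout, function names and buffer contents are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 32

/* Assumed model: o bytes of pending output end at offset p (wrapping), i bytes of input start at p. */
struct buf { char data[BUF_SIZE]; unsigned p, o, i; };

/* Copy n bytes starting at offset `from` (with wrap-around) to the front. */
static void move_to_front(struct buf *b, unsigned from, unsigned n)
{
    char tmp[BUF_SIZE];
    for (unsigned k = 0; k < n; k++)
        tmp[k] = b->data[(from + k) % BUF_SIZE];
    memcpy(b->data, tmp, n);
}

/* Realign that only knows about input: the pending output is left behind. */
static void realign_input_only(struct buf *b)
{
    move_to_front(b, b->p, b->i);
    b->p = 0;   /* "p - o" now wraps to the tail of the buffer */
}

/* Realign that respects pending output: output first, then input. */
static void realign_with_output(struct buf *b)
{
    move_to_front(b, (b->p + BUF_SIZE - b->o) % BUF_SIZE, b->o + b->i);
    b->p = b->o;
}

/* Realign a constructed buffer; `out` gets the o bytes the send path would transmit next. */
static void demo(int fixed, char *out)
{
    struct buf b = { .p = 16, .o = 8, .i = 4 };
    memcpy(b.data + 24, "OLD-DATA", 8);  /* left over from an earlier session */
    memcpy(b.data + 8, "RESPONSE", 8);   /* pending output */
    memcpy(b.data + 16, "next", 4);      /* pipelined input */
    if (fixed) realign_with_output(&b); else realign_input_only(&b);
    for (unsigned k = 0; k < b.o; k++)
        out[k] = b.data[(b.p + BUF_SIZE - b.o + k) % BUF_SIZE];
    out[b.o] = '\0';
}

int main(void)
{
    char out[BUF_SIZE + 1];
    demo(0, out); printf("input-only realign sends:   %s\n", out);
    demo(1, out); printf("output-aware realign sends: %s\n", out);
    return 0;
}
```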