DescriptionA flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)buster1.8.19-1+deb10u3fixed
buster (security)1.8.19-1+deb10u5fixed
bullseye (security), bullseye2.2.9-2+deb11u6fixed
bookworm, bookworm (security)2.6.12-1+deb12u1fixed
sid, trixie2.9.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysourcestretch(not affected)
haproxysourcebuster(not affected)


[buster] - haproxy <not-affected> (Vulnerable code introduced later)
[stretch] - haproxy <not-affected> (Vulnerable code introduced later);a=commit;h=bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 (v2.6-dev2);a=commit;h=86032c309b1f42177826deaa39f7c26903a074ca (v2.4.13);a=commit;h=eb1bdcb7cf6e7bd1690f7dcc6d97de3d79b54cdc (v2.2.21)

Search for package or bug name: Reporting problems