- What: Security update for haproxy
- Impact: Debian users need to update to fix HTTP/3 parsing vulnerability

[SECURITY] [DSA 6291-1] haproxy security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6291-1] haproxy security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 May 2026 20:18:51 +0000
Message-id: <E1wQWKZ-00000007m2G-2aXX@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6291-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2026-33555

Martino Spagnuolo reported that the HTTP/3 parsing code in HAProxy, a
fast and reliable load balancing reverse proxy, does not properly
validate the received body size and the announced content-length header,
which may result in HTTP request smuggling.

For the stable distribution (trixie), this problem has been fixed in
version 3.0.11-1+deb13u3.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
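
The flaw described in the advisory is a missing comparison between the body bytes actually received on an HTTP/3 stream and the announced content-length. As an added example (not HAProxy's code and not part of the advisory), this Python code walks the frames of a constructed request stream and rejects it when the two disagree, which is the check RFC 9114 requires. The function names and the sample stream are assumptions made for illustration, as is the premise that the content-length value has already been QPACK-decoded.

```python
from typing import Optional, Tuple

H3_DATA = 0x00     # HTTP/3 DATA frame type (RFC 9114)
H3_HEADERS = 0x01  # HEADERS frame; its QPACK payload is not decoded here


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode one QUIC variable-length integer; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[pos] >> 6)  # top two bits select 1, 2, 4 or 8 bytes
    if pos + size > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + size]:
        value = (value << 8) | b
    return value, pos + size


def data_bytes_received(stream: bytes) -> int:
    """Walk every frame of a finished request stream, summing DATA lengths."""
    pos = total = 0
    while pos < len(stream):
        ftype, pos = read_varint(stream, pos)
        flen, pos = read_varint(stream, pos)
        if pos + flen > len(stream):
            raise ValueError("frame payload runs past end of stream")
        if ftype == H3_DATA:
            total += flen
        pos += flen
    return total


def body_matches_content_length(stream: bytes, announced: Optional[int]) -> bool:
    """Assumption: `announced` is the already-decoded content-length, or None."""
    return announced is None or data_bytes_received(stream) == announced


def frame(ftype: int, payload: bytes) -> bytes:
    """Build a constructed sample frame using 1-byte varints (values < 64)."""
    assert ftype < 64 and len(payload) < 64
    return bytes([ftype, len(payload)]) + payload


# Constructed sample stream: one HEADERS frame, then 5 + 2 bytes of DATA.
SAMPLE = frame(H3_HEADERS, b"\x00\x00") + frame(H3_DATA, b"hello") + frame(H3_DATA, b"!!")

if __name__ == "__main__":
    for announced in (7, 5, 10, None):
        ok = body_matches_content_length(SAMPLE, announced)
        print(f"content-length={announced}: {'accept' if ok else 'reject as malformed'}")
```

A proxy that forwards a request without this comparison can disagree with the backend about where the request body ends, which is the precondition for request smuggling.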