- Package:
- src:haproxy
- Source:
- src:haproxy
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-26 19:07:03 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerabilities were published for haproxy. They do not
warrant a DSA, but could be fixed in the next point releases.

CVE-2026-55203[0]:
| HAProxy through 3.4.0, fixed in commit 5985276, contains an integer
| overflow vulnerability in the fcgi_conn structure's drl field that
| allows buffer misparse as new FCGI record headers. When
| contentLength is 65535 and paddingLength is 1 or more, the drl field
| wraps to 0, causing incorrect record consumption and allowing
| malicious FastCGI backends to desynchronize the FCGI framing parser,
| potentially causing request routing errors, response smuggling, or
| memory safety issues.

CVE-2026-55204[1]:
| HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null
| pointer dereference vulnerability in hpack_dht_insert() within
| src/hpack-tbl.c that fails to validate the return value of
| hpack_dht_defrag() when the memory pool is exhausted. An attacker
| can trigger HPACK dynamic table insertions under memory pressure to
| dereference a NULL pointer and crash HAProxy worker processes,
| causing denial of service.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-55203
    https://www.cve.org/CVERecord?id=CVE-2026-55203
    https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd
[1] https://security-tracker.debian.org/tracker/CVE-2026-55204
    https://www.cve.org/CVERecord?id=CVE-2026-55204
    https://github.com/haproxy/haproxy/commit/9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
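As an added illustration of the CVE-2026-55203 arithmetic quoted above (example code written for this page, not HAProxy's own FCGI code or its fix): a toy FastCGI record walker that keeps the record body length in a 16-bit variable, as the description says of the drl field, next to the widened form. The header layout follows the FastCGI spec; the sample stream, the function names and the two-record layout are constructed here.

```c
#include <stdint.h>
#include <string.h>

/* FastCGI record header: 8 bytes; contentLength is 16-bit, paddingLength 8-bit. */
#define FCGI_HDR_LEN 8
struct fcgi_hdr { uint16_t content_len; uint8_t padding_len; };
static void fcgi_parse_hdr(const uint8_t *b, struct fcgi_hdr *h) {
    h->content_len = (uint16_t)((b[4] << 8) | b[5]);  /* b[0..3]: version, type, requestId */
    h->padding_len = b[6];
}
static void fcgi_put_hdr(uint8_t *b, uint16_t clen, uint8_t plen) {
    b[0] = 1; b[1] = 6; b[2] = 0; b[3] = 1;           /* version 1, FCGI_STDOUT, requestId 1 */
    b[4] = (uint8_t)(clen >> 8); b[5] = (uint8_t)clen;
    b[6] = plen; b[7] = 0;                            /* reserved byte */
}

/* Vulnerable shape: body length held in 16 bits like the drl field; 65535 + 1 wraps to 0. */
uint16_t record_len_u16(const struct fcgi_hdr *h) {
    return (uint16_t)(h->content_len + h->padding_len);
}

/* Hardened shape: widen the accumulator; the true maximum is 65535 + 255 = 65790. */
uint32_t record_len_u32(const struct fcgi_hdr *h) {
    return (uint32_t)h->content_len + h->padding_len;
}

/* Walk complete records and count them; `wide` selects the hardened length.
 * Returns -1 if a record would run past the buffer (framing error). */
int fcgi_count_records(const uint8_t *buf, size_t len, int wide) {
    size_t pos = 0; int n = 0;
    for (; len - pos >= FCGI_HDR_LEN; n++) {
        struct fcgi_hdr h;
        fcgi_parse_hdr(buf + pos, &h);
        size_t body = wide ? record_len_u32(&h) : record_len_u16(&h);
        if (len - pos - FCGI_HDR_LEN < body) return -1;
        pos += FCGI_HDR_LEN + body;
    }
    return n;
}

#define SAMPLE_LEN (FCGI_HDR_LEN + 65536 + FCGI_HDR_LEN)
/* Constructed sample: STDOUT record with contentLength 65535, paddingLength 1 (zero body), then an empty record. */
const uint8_t *build_sample(void) {
    static uint8_t buf[SAMPLE_LEN];
    memset(buf, 0, sizeof buf);
    fcgi_put_hdr(buf, 65535, 1);
    fcgi_put_hdr(buf + FCGI_HDR_LEN + 65536, 0, 0);
    return buf;
}
```

With the widened length the walker sees the two records that are really there; with the 16-bit length the first record's 65536 body bytes are re-read as 8192 bogus headers, which is the misparse the advisory describes.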
We believe that the bug you reported is fixed in the latest version of
haproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1140430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated haproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 26 Jun 2026 20:22:47 +0200
Source: haproxy
Architecture: source
Version: 3.4.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian HAProxy Maintainers <team+haproxy@tracker.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Closes: 1140430
Changes:
haproxy (3.4.1-1) experimental; urgency=medium
.
* New upstream release.
* Closes: #1140430:
- CVE-2026-55203: integer overflow when parsing FCGI header.
- CVE-2026-55204: add missing NULL check in HTTP/2 header compression.
Format: 1.8
Date: Fri, 26 Jun 2026 20:37:40 +0200
Source: haproxy
Architecture: source
Version: 3.2.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian HAProxy Maintainers <team+haproxy@tracker.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Closes: 1140430
Changes:
haproxy (3.2.20-1) unstable; urgency=medium
.
* New upstream release.
* Closes: #1140430:
- CVE-2026-55203: integer overflow when parsing FCGI header.
- CVE-2026-55204: add missing NULL check in HTTP/2 header compression.