PublicDateAtUSN: 2016-06-10
Candidate: CVE-2016-5360
PublicDate: 2016-06-30 17:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5360
 https://ubuntu.com/security/notices/USN-3011-1
Description:
 HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows
 remote attackers to cause a denial of service (uninitialized memory access
 and crash) or possibly have unspecified other impact via unknown vectors.
Ubuntu-Description:
Notes:
 mdeslaur> issue introduced in 1.6.0
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826869
Priority: medium
Discovered-by: Falco Schmutz
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_haproxy:
 upstream: http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
upstream_haproxy: released (1.6.5-2)
precise_haproxy: not-affected (1.4.18-0ubuntu1.2)
trusty_haproxy: not-affected (1.4.24-2ubuntu0.4)
trusty/esm_haproxy: DNE (trusty was not-affected [1.4.24-2ubuntu0.4])
vivid/stable-phone-overlay_haproxy: DNE
vivid/ubuntu-core_haproxy: DNE
wily_haproxy: not-affected (1.5.14-1ubuntu0.15.10.1)
xenial_haproxy: released (1.6.3-1ubuntu0.1)
esm-infra/xenial_haproxy: released (1.6.3-1ubuntu0.1)
devel_haproxy: not-affected (1.6.5-2)