CVE-2020-11100

Priority
Description
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8
through 2.x before 2.1.4, a remote attacker can write arbitrary bytes
around a certain location on the heap via a crafted HTTP/2 request,
possibly causing remote code execution.
Assigned-to
leosilva
Notes
Package
Upstream: released (2.0.14)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.8.8-1ubuntu0.10)
Ubuntu 19.10 (Eoan Ermine): released (2.0.5-1ubuntu0.4)
Ubuntu 20.04 (Focal Fossa): released (2.0.13-2)
Patches:
Upstream: https://github.com/haproxy/haproxy/commit/5dfc5d5cd0d2128d77253ead3acf03a421ab5b88
More Information

Updated: 2020-04-16 14:17:13 UTC (commit 51b927900319f5ad01968dd4076559bc1f457caa)