An out-of-bounds read in dns_validate_dns_response in dns.c was discovered in HAProxy through 1.8.14. Due to a missing check when validating DNS responses, remote attackers might be able to read the 16 bytes corresponding to an AAAA record from the non-initialized part of the buffer, possibly accessing anything that was left on the stack, or even past the end of the 8193-byte buffer, depending on the value of accepted_payload_size.
{ "ubuntu_priority": "medium", "binaries": [ { "binary_name": "haproxy", "binary_version": "1.6.3-1ubuntu0.2" }, { "binary_name": "haproxy-dbg", "binary_version": "1.6.3-1ubuntu0.2" }, { "binary_name": "haproxy-dbgsym", "binary_version": "1.6.3-1ubuntu0.2" }, { "binary_name": "haproxy-doc", "binary_version": "1.6.3-1ubuntu0.2" }, { "binary_name": "vim-haproxy", "binary_version": "1.6.3-1ubuntu0.2" } ], "availability": "No subscription required" }
{ "ubuntu_priority": "medium", "binaries": [ { "binary_name": "haproxy", "binary_version": "1.8.8-1ubuntu0.3" }, { "binary_name": "haproxy-dbgsym", "binary_version": "1.8.8-1ubuntu0.3" }, { "binary_name": "haproxy-doc", "binary_version": "1.8.8-1ubuntu0.3" }, { "binary_name": "vim-haproxy", "binary_version": "1.8.8-1ubuntu0.3" } ], "availability": "No subscription required" }