CVE-2024-49214

Publication date 14 October 2024

Last updated 29 October 2024

Ubuntu priority

QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
haproxy	24.10 oracular	Vulnerable
	24.04 LTS noble	Vulnerable, fix deferred
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

Per the CVE description, this affects 2.9.x+, per the commit description, this affects 2.6+. As of 2024-10-29, there is no backport to 2.8.x available.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
haproxy	Upstream: f627b92 Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=8f0d380f3905e7a5814e9ffed29bc83c66383864 Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=fa00c0a1b692f4bfbb0dd1360d35528e554607d8 Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=d60edbde4834ce3db567053ab9b8973dc62dbe2f Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=78f36a6ee40ff00ec1519ad1a5aec73c6371c51b Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=0282a82f79ceb9f15515edf49542e7199eede408 Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=cf4b5e1001880bcece3c4d12b5aa422d378dcf1d Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=ab5a390451239282d8a3fd2c45f56162b92a3bd3 Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=fe5685af820ae62fe5b0d80b5ed7a2ffc41a036f

Package

Patch details

haproxy

Upstream: f627b92
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=8f0d380f3905e7a5814e9ffed29bc83c66383864
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=fa00c0a1b692f4bfbb0dd1360d35528e554607d8
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=d60edbde4834ce3db567053ab9b8973dc62dbe2f
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=78f36a6ee40ff00ec1519ad1a5aec73c6371c51b
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=0282a82f79ceb9f15515edf49542e7199eede408
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=cf4b5e1001880bcece3c4d12b5aa422d378dcf1d
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=ab5a390451239282d8a3fd2c45f56162b92a3bd3
Upstream: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=fe5685af820ae62fe5b0d80b5ed7a2ffc41a036f

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-49214
https://www.haproxy.org/download/3.1/src/CHANGELOG
https://www.haproxy.org/download/3.0/src/CHANGELOG
https://www.haproxy.org/download/2.9/src/CHANGELOG
https://www.mail-archive.com/haproxy%40formilux.org/msg45291.html
https://www.mail-archive.com/haproxy%40formilux.org/msg45314.html
https://www.mail-archive.com/haproxy%40formilux.org/msg45315.html