Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empty header names. A remote attacker could possibly use this issue to manipulate headers and bypass certain authentication checks and restrictions.
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "binaries": [ { "binary_name": "haproxy", "binary_version": "1.6.3-1ubuntu0.3+esm2" }, { "binary_name": "haproxy-dbg", "binary_version": "1.6.3-1ubuntu0.3+esm2" }, { "binary_name": "haproxy-dbgsym", "binary_version": "1.6.3-1ubuntu0.3+esm2" }, { "binary_name": "haproxy-doc", "binary_version": "1.6.3-1ubuntu0.3+esm2" }, { "binary_name": "vim-haproxy", "binary_version": "1.6.3-1ubuntu0.3+esm2" } ] }