Subject: [ASA-202004-7] haproxy: arbitrary code execution

Arch Linux Security Advisory ASA-202004-7
=========================================

Severity: Critical
Date    : 2020-04-08
CVE-ID  : CVE-2020-11100
Package : haproxy
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1124

Summary
=======

The package haproxy before version 2.1.4-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.1.4-1.

# pacman -Syu "haproxy>=2.1.4-1"

The problem has been fixed upstream in version 2.1.4.

Workaround
==========

None.

Description
===========

An out-of-bounds memory write has been found in HAProxy before 2.1.4,
in the HPACK table management code.

Impact
======

A remote attacker might be able to execute code via a crafted HTTP/2
request.

References
==========

https://git.haproxy.org/?p=haproxy-2.1.git;a=commitdiff;h=f17f86304f187b0f10ca6a8d46346afd9851a543;hp=dd6f0b1a74fb1241d276484f3c4aced513a95b78
https://security.archlinux.org/CVE-2020-11100