Understood! Thank you very much for the clarification!
On 4/15/25 17:23, Aurelien DARRAGON wrote:
> Hi,
>
> On 4/15/25 19:45, Camila Camargo de Matos wrote:
>> Dear HAProxy team,
>>
>> I write to you today to ask more about the issue being described in the following commit:
>> https://git.haproxy.org/?p=haproxy-3.0.git;a=commitdiff;h=52d8b01acdc1e21aeda985c87a9ad1229149d3f2
>>
>> To be more specific, I ask about the crash which is said to be caused by a use-after-free (UAF) condition. Would it be possible to confirm if said issue is considered security-relevant by the HAProxy team?
>
> The issue has very limited scope. Only Lua scripts defining custom CLI commands (through "core.register_cli()") are at risk. Moreover, the issue requires a specific combination of events on the stats socket (which is rarely found to be exposed to users) for the issue to show up.
>
> It was an opportunistic discovery when playing with an experimental Lua script which is really unconventional and tackles Lua engine limitations. Plus, it doesn't seem to be reproducible on older haproxy versions.
>
> All things considered, I really don't think we should consider this as being at risk from a security point of view.
>
> Kind regards,
> Aurelien
Regards,
--
Camila Camargo de Matos
Security Engineer @ SUSE Software Solutions
GPG: B9DF 0F03 0640 E780 6B47 E60E BF36 BDE9 D034 30D1