
David Torgerson

#48567 of 53,633
5.1 CVSS total
Vulnerabilities · 1
PT-2013-1252
5.1
2013-07-11
Haproxy · Haproxy · CVE-2013-2175
**Name of the Vulnerable Software and Affected Versions**

- HAProxy versions 1.4 through 1.4.23
- HAProxy versions 1.5 through 1.5-dev18

**Description**

The issue allows remote attackers to cause a denial of service, potentially leading to a crash, by exploiting the `hdr_ip` or other `hdr_*` functions with a negative occurrence count in HTTP headers. This is related to the `MAX_HDR_HISTORY` variable. Multiple vulnerabilities in the HAProxy package can lead to breaches of confidentiality, integrity, and availability of protected information, and can be exploited remotely.

**Recommendations**

- For HAProxy versions 1.4 through 1.4.23, update to version 1.4.24 or later to resolve the issue.
- For HAProxy versions 1.5 through 1.5-dev18, update to version 1.5-dev19 or later to resolve the issue.
- As a temporary workaround, consider restricting the use of `hdr_*` functions with negative occurrence counts until a patch is available.