Version in base suite: 3.0.11-1+deb13u1 Base version: haproxy_3.0.11-1+deb13u1 Target version: haproxy_3.0.11-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/haproxy/haproxy_3.0.11-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/haproxy/haproxy_3.0.11-1+deb13u2.dsc changelog | 6 ++ patches/0001-BUG-MAJOR-quic-reject-invalid-token.patch | 42 +++++++++++++++++ patches/series | 1 3 files changed, 49 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbyff03rd/haproxy_3.0.11-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbyff03rd/haproxy_3.0.11-1+deb13u2.dsc: no acceptable signature found diff -Nru haproxy-3.0.11/debian/changelog haproxy-3.0.11/debian/changelog --- haproxy-3.0.11/debian/changelog 2025-10-03 06:12:49.000000000 +0000 +++ haproxy-3.0.11/debian/changelog 2026-02-11 21:52:43.000000000 +0000 @@ -1,3 +1,9 @@ +haproxy (3.0.11-1+deb13u2) trixie-security; urgency=high + + * CVE-2026-26081: fix integer overflow in QUIC code. + + -- Vincent Bernat Wed, 11 Feb 2026 22:52:43 +0100 + haproxy (3.0.11-1+deb13u1) trixie-security; urgency=high * CVE-2025-11230: fix possible DoS when parsing JSON numbers. diff -Nru haproxy-3.0.11/debian/patches/0001-BUG-MAJOR-quic-reject-invalid-token.patch haproxy-3.0.11/debian/patches/0001-BUG-MAJOR-quic-reject-invalid-token.patch --- haproxy-3.0.11/debian/patches/0001-BUG-MAJOR-quic-reject-invalid-token.patch 1970-01-01 00:00:00.000000000 +0000 +++ haproxy-3.0.11/debian/patches/0001-BUG-MAJOR-quic-reject-invalid-token.patch 2026-02-11 21:52:43.000000000 +0000 @@ -0,0 +1,42 @@ +From 47e60d002e1a655efe55cfd2b402d84cc422ca54 Mon Sep 17 00:00:00 2001 +From: Amaury Denoyelle +Date: Mon, 9 Feb 2026 09:04:13 +0100 +Subject: [PATCH 1/2] BUG/MAJOR: quic: reject invalid token + +Token parsing code on INITIAL packet for the NEW_TOKEN format is not +robust enough and may even crash on some rare malformed packets. + +This patch fixes this by adding a check on the expected length of the +received token. The packet is now rejected if the token does not match +QUIC_TOKEN_LEN. This check is legitimate as haproxy should only parse +tokens emitted by itself. + +This issue has been introduced with the implementation of NEW_TOKEN +tokens parsing required for 0-RTT support. + +This must be backported up to 3.0. + +Reported-by: Asim Viladi Oglu Manizada +--- + src/quic_token.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/quic_token.c b/src/quic_token.c +index 4f33447dc..9c1d69cd1 100644 +--- a/src/quic_token.c ++++ b/src/quic_token.c +@@ -129,6 +129,11 @@ int quic_token_check(struct quic_rx_packet *pkt, + goto err; + } + ++ if (tokenlen != QUIC_TOKEN_LEN) { ++ TRACE_ERROR("invalid token length", QUIC_EV_CONN_LPKT, qc); ++ goto err; ++ } ++ + /* Generate the AAD. */ + aadlen = ipaddrcpy(aad, &dgram->saddr); + rand = token + tokenlen - QUIC_TOKEN_RAND_DLEN; +-- +2.53.0 + diff -Nru haproxy-3.0.11/debian/patches/series haproxy-3.0.11/debian/patches/series --- haproxy-3.0.11/debian/patches/series 2025-10-03 06:12:49.000000000 +0000 +++ haproxy-3.0.11/debian/patches/series 2026-02-11 21:52:43.000000000 +0000 @@ -4,6 +4,7 @@ reproducible.patch cross.patch 0001-BUG-CRITICAL-mjson-fix-possible-DoS-when-parsing-num.patch +0001-BUG-MAJOR-quic-reject-invalid-token.patch # applied during the build process: # debianize-dconv.patch