microsoft · jslobodzian · Jun 30, 2026 · Jun 27, 2026 · Jun 30, 2026
@@ -0,0 +1,42 @@
+From e8bd92de9fce0fa19b2782479ebff53a74c8e886 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Tue, 16 Jun 2026 10:46:03 +0200
+Subject: [PATCH] BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp
+
+The FCGI demux record length field (drl) is uint16_t. In the
+ignore_record path, the expression "fconn->drl += fconn->drp" overflows
+to 0 when contentLength=65535 and paddingLength>=1. This causes the
+state machine to consider the record complete without consuming any
+buffer data. The remaining buffer contents are then parsed as new FCGI
+record headers.
+
+The same drl+=drp pattern at lines 2382/2418/2475 is not affected
+because drl is guaranteed to be 0 at those points (all content bytes
+are consumed before reaching end_transfer).
+
+Widen drl from uint16_t to uint32_t so that the addition of drp
+(uint8_t, max 255) cannot overflow.
+
+Reported-by: Tristan (@TristanInSec)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/haproxy/haproxy/commit/5985276735777634d8c85f1d73bb7764aab0d6dd.patch
+---
+ src/mux_fcgi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
+index 58ac8bb..45fe0d5 100644
+--- a/src/mux_fcgi.c
++++ b/src/mux_fcgi.c
+@@ -55,7 +55,7 @@ struct fcgi_conn {
+ 	uint32_t flags;                      /* Connection flags: FCGI_CF_* */
+
+ 	int16_t  dsi;                        /* dmux stream ID (<0 = idle ) */
+-	uint16_t drl;                        /* demux record length (if dsi >= 0) */
++	uint32_t drl;                        /* demux record length (if dsi >= 0) */
+ 	uint8_t  drt;                        /* demux record type (if dsi >= 0) */
+ 	uint8_t  drp;                        /* demux record padding (if dsi >= 0) */
+
+-- 
+2.45.4
+
@@ -0,0 +1,42 @@
+From 8a62ddba690d9aff4bfc860af5371745c5796d1d Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Tue, 16 Jun 2026 10:42:10 +0200
+Subject: [PATCH] BUG/MINOR: hpack-tbl: add missing NULL check after
+ hpack_dht_defrag()
+
+hpack_dht_insert() has three call sites for hpack_dht_defrag(). Two of
+them (lines 293 and 306) correctly check for a NULL return and bail out
+with -1. The third (line 353, data-space defrag path) assigns the return
+value to dht and immediately dereferences it without a NULL check.
+
+When pool_head_hpack_tbl is exhausted, hpack_dht_alloc() returns NULL,
+hpack_dht_defrag() propagates it, and line 354 dereferences NULL+0x0a
+(offsetof wrap), crashing the worker with SIGSEGV.
+
+Add a NULL check consistent with the two other call sites.
+
+This must be backported to all stable versions.
+
+Reported-by: Tristan (@TristanInSec)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/haproxy/haproxy/commit/9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513.patch
+---
+ src/hpack-tbl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
+index 990d2f7..92a6f44 100644
+--- a/src/hpack-tbl.c
++++ b/src/hpack-tbl.c
+@@ -351,6 +351,8 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
+ 	else {
+ 		/* need to defragment the table before inserting upfront */
+ 		dht = hpack_dht_defrag(dht);
++		if (!dht)
++			return -1;
+ 		wrap = dht->wrap + 1;
+ 		head = dht->head + 1;
+ 		dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        A fast, reliable HA, load balancing, and proxy solution.
 Name:           haproxy
 Version:        2.9.11
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -11,6 +11,8 @@ Source0:        https://www.haproxy.org/download/2.9/src/%{name}-%{version}.tar.
 Patch0:         CVE-2025-32464.patch
 Patch1:         CVE-2025-11230.patch
 Patch2:         CVE-2026-33555.patch
+Patch3:         CVE-2026-55203.patch
+Patch4:         CVE-2026-55204.patch
 BuildRequires:  lua-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pcre2-devel
@@ -62,6 +64,9 @@ install -vDm644 examples/transparent_proxy.cfg  %{buildroot}/%{_sysconfdir}/hapr
 %{_mandir}/*
 
 %changelog
+* Sat Jun 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.9.11-7
+- Patch for CVE-2026-55204, CVE-2026-55203
+
 * Mon May 18 2026 Sudipta Pandit <sudpandit@microsoft.com> - 2.9.11-6
 - Mark /etc/haproxy/haproxy.cfg as %%config(noreplace) to prevent overwrite on upgrade