HAProxy and WebConfigurator HTTP/2 DDoS CVEs
-
https://www.kb.cert.org/vuls/id/605641/
PfSense Stable not have plans to update build-in Nginx and HAProxy 2.x? Or when PfSense 2.5 will be available at stable release?
-
I don't see the
h2keyword in the haproxy package, so I don't think HTTP/2 is enabled or possible (without manual changes).
-
Actually there is h2 support available.
Same as for WebConfigurator (it use nginx).
I'll send proof in 10 mins
-
HAProxy Package have HTTP/2 support, and it works.
This advanced field actually bugged and not add field to binding, but it have example and there is working field:
Site hosted at HAProxy:
Nginx used for host WebConfigurator have enabled http2, but for me this lower priority CVE then HAProxy - because limited amount of people have usually access to WebConfigurator.
-
@dragoangel
Yes haproxy supports H2. But it seems haproxy itself is not vulnerable to these attacks. Or at least that is what i understand from one the mails from a main developer:"So I checked between 1.8 and 2.1-dev today and the result is that we're not impacted by these issues"
Which i believe is a response regarding the same set of CVE's.
Link: https://www.mail-archive.com/haproxy@formilux.org/msg34717.htmlUnless you have other information then i am sure the haproxy developers would be really interested in that.
-
Thanks for reply, I will look at it more
-
Additionally Squid is affected another DoS CVE:
CVE-2019-12525 and CVE-2019-12529 from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package manager Squid version is 3.5.27.
