    CVE-2023-0056 & CVE-2023-25725 (critical) - haproxy upgrade to 2.2.29 ?

      Myster_fr last edited by Myster_fr

      Hello,

      Following the security warnings issued recently, and the critical patches made to all haproxy versions from 2.0->2.8, is there a way, and a plan, to upgrade the haproxy package in pfSense to 2.2.29 ?

      I'm linking the Debian Security page for reference, and the port also seems to be already available according to https://www.freshports.org/net/haproxy22

      How does it work for pfSense ? Can I upgrade the port myself, do I have to wait for a package update, or even a whole new pfSense version ?

      Thanks !

      FWIW, here is the safe versions list, from https://www.haproxy.org/:
      [image: safe versions list from haproxy.org]

      As a temporary workaround, the statement below could be added to the haproxy configuration, though I don't really know where to put that with pfSense 🤕

         http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }
      

      Other sources/references
      haproxy mailing list
      git commit

        Myster_fr last edited by

        Answering myself:

        The workaround can be put in the "Advanced Pass Thru" field of the Frontends definitions. (repeat for all frontends)

        http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }
        

        [image: screenshot of the "Advanced Pass Thru" field in the frontend settings]

          thebear @Myster_fr last edited by

          @myster_fr said in CVE-2023-0056 & CVE-2023-25725 (critical) - haproxy upgrade to 2.2.29 ?:

          http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }

          Thanks for posting this.

            gguglielmi last edited by

            Thank you for the workaround!
            It would still be nice to know from Netgate if and when they're going to update the HAproxy package.

              jimp Rebel Alliance Developer Netgate last edited by

              We're working on pulling in the patched version of haproxy; it should be available soon.

              The workaround should be OK for now.

              There is a more detailed list of affected versions in the announcement on the haproxy mailing list:

                 Branch     Vulnerable               Fixed      Maintained until
                 ---------+------------------------+----------+-----------------
                 2.8-dev    2.8-dev0 .. 2.8-dev3     2.8-dev4     2028-Q4 (LTS)
                 2.7        2.7.0 .. 2.7.2           2.7.3        2024-Q1
                 2.6        2.6.0 .. 2.6.8           2.6.9        2027-Q2 (LTS)
                 2.5        2.5.0 .. 2.5.11          2.5.12       2023-Q1
                 2.4        2.4.0 .. 2.4.21          2.4.12       2026-Q2 (LTS)
                 2.2        2.2.0 .. 2.2.28          2.2.29       2025-Q2 (LTS)
                 2.0        2.0.0 .. 2.0.30          2.0.31       2024-Q2 (LTS)
              

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

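A small checker for the version table quoted above. This is an added example, not code from the thread, Netgate or the HAProxy project: it embeds the "Vulnerable" column of the announcement as quoted (released branches only; the 2.8-dev row is left out because dev builds do not use the x.y.z scheme), parses the first line of `haproxy -v` output, and reports whether the running build falls inside an affected range. The sample `haproxy -v` line is constructed; the git hash in it is a placeholder.

```python
"""Check a HAProxy version string against the affected ranges quoted in the
haproxy mailing-list announcement (as reproduced in this thread).

Added example; the table is data, so refresh it from the advisory you are
checking against rather than trusting this copy.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first vulnerable, last vulnerable) as quoted in the announcement.
# Only the "Vulnerable" column is used; consult the advisory for the fixed
# release of each branch.
VULNERABLE_RANGES = [
    ("2.7", (2, 7, 0), (2, 7, 2)),
    ("2.6", (2, 6, 0), (2, 6, 8)),
    ("2.5", (2, 5, 0), (2, 5, 11)),
    ("2.4", (2, 4, 0), (2, 4, 21)),
    ("2.2", (2, 2, 0), (2, 2, 28)),
    ("2.0", (2, 0, 0), (2, 0, 30)),
]

# Matches a release version such as 2.2.28 (also in "2.2.28-<hash>");
# "2.8-dev3" has no third component and is deliberately not matched.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z version found in `haproxy -v` output, or None
    when there is no release version (dev builds, unexpected output)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, branch). branch is None when the version is on a
    branch the quoted table does not list, which means "unknown", not "safe".
    Tuple comparison gives correct ordering (2.2.9 < 2.2.28)."""
    branch = f"{version[0]}.{version[1]}"
    for name, low, high in VULNERABLE_RANGES:
        if name == branch:
            return (low <= version <= high, branch)
    return (False, None)


def check(output: str) -> str:
    """Human-readable verdict for a `haproxy -v` line."""
    version = parse_version(output)
    if version is None:
        return "unknown: no x.y.z release version found in output"
    vulnerable, branch = is_vulnerable(version)
    text = ".".join(str(n) for n in version)
    if branch is None:
        return f"unknown: {text} is on a branch not covered by the quoted table"
    if vulnerable:
        return f"VULNERABLE: {text} is inside the affected range of branch {branch}"
    return f"not affected: {text} is outside the affected range of branch {branch}"


if __name__ == "__main__":
    # Constructed sample of the first line of `haproxy -v` on a 2.2 build;
    # the hash and date are placeholders, not real build metadata.
    SAMPLE = "HA-Proxy version 2.2.28-abcdef0 2023/01/01 - https://haproxy.org/"
    print(check(SAMPLE))
```

On pfSense the input is the first line printed by `haproxy -v` in a shell; any version on a branch missing from the table is reported as unknown rather than safe, so an old 1.8 or 2.3 build is not silently waved through.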
                  maverick_slo @jimp last edited by

                  @jimp I'm bumping this thread up...

                    maverick_slo @jimp last edited by

                    @jimp
                    Hi.
                    It has been 3 weeks, can you please add updated version?
                    Thanks!

                      maverick_slo @maverick_slo last edited by

                      @jimp Can we somehow do it manually?

                        jimp Rebel Alliance Developer Netgate last edited by

                        No, it has to be done in the package builders or it will more likely than not end up breaking something. We've had some more high priority issues that needed taking care of, so it's still pending.

                          LoriMitchell @jimp last edited by

                          @jimp Is this issue resolved?
