CVE-2023-0056 & CVE-2023-25725 (critical) - haproxy upgrade to 2.2.29 ?

Myster_fr

Hello,

Following the security warnings issued recently, and the critical patches made to all haproxy versions from 2.0->2.8, is there a way, and a plan, to upgrade the haproxy package in pfSense to 2.2.29 ?

I'm linking the Debian Security page for reference, and the port also seems to be already available according to https://www.freshports.org/net/haproxy22

How does it work for pfSense ? Can I upgrade the port myself, do I have to wait for a package update, or even a whole new pfSense version ?

Thanks !

FWIW, here is the safe versions list, from https://www.haproxy.org/:

As temporary workaround, the below statement could be added to haproxy configuration, though I don't really know where to put that with pfSense

   http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }

Other sources/references
haproxy mailing list
git commit

Myster_fr

Answering to myself :

The workaround can be put in the "Advanced Pass Thru" field of the Frontends definitions. (repeat for all frontends)

http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }

thebear

@myster_fr said in CVE-2023-0056 & CVE-2023-25725 (critical) - haproxy upgrade to 2.2.29 ?:

http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }

thans for posting this.

gguglielmi

Thank you for the workaround!
It would still be nice to know from Netgate if and when they're going to update the HAproxy package

jimp

We're working on pulling in the patched version of haproxy, it should be available soon.

The workaround should be OK for now.

There is a more detailed list of affected versions in the announcement on the haproxy mailing list:

   Branch     Vulnerable               Fixed      Maintained until
   ---------+------------------------+----------+-----------------
   2.8-dev    2.8-dev0 .. 2.8-dev3     2.8-dev4     2028-Q4 (LTS)
   2.7        2.7.0 .. 2.7.2           2.7.3        2024-Q1
   2.6        2.6.0 .. 2.6.8           2.6.9        2027-Q2 (LTS)
   2.5        2.5.0 .. 2.5.11          2.5.12       2023-Q1
   2.4        2.4.0 .. 2.4.21          2.4.12       2026-Q2 (LTS)
   2.2        2.2.0 .. 2.2.28          2.2.29       2025-Q2 (LTS)
   2.0        2.0.0 .. 2.0.30          2.0.31       2024-Q2 (LTS)

fireodo

This post is deleted!

maverick_slo

@jimp I`m bumping this thread up...

maverick_slo

@jimp
Hi.
It has been 3 weeks, can you please add updated version?
Thanks!

maverick_slo

@jimp Can we somehow do it manually?

jimp

No, it has to be done in the package builders or it will more likely than not end up breaking something. We've had some more high priority issues that needed taking care of, so it's still pending.

LoriMitchell

@jimp Is this issue resolved?