CVE-2023-0056 & CVE-2023-25725 (critical) - haproxy upgrade to 2.2.29?
-
@jimp I'm bumping this thread up...
-
@jimp
Hi.
It has been 3 weeks, can you please add the updated version?
Thanks! -
@jimp Can we somehow do it manually?
-
No, it has to be done in the package builders or it will more likely than not end up breaking something. We've had some more high priority issues that needed taking care of, so it's still pending.
-
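The thread's open question is whether the installed package is still below the 2.2.29 release named in the title. The following is an added example, not code from the thread or from Netgate: it parses the first line of `haproxy -v` output and reports whether a build on the 2.2 branch is older than 2.2.29. The sample banners are constructed; only the 2.2.29 threshold comes from the thread, so other branches are deliberately reported as "not covered" rather than guessed.

```python
import re
import shutil
import subprocess

# Fixed release for the 2.2 branch, as named in the thread title.
FIXED_2_2 = (2, 2, 29)

# Older builds print "HA-Proxy version x.y.z", newer ones "HAProxy version x.y.z".
BANNER_RE = re.compile(r"HA-?Proxy version (\d+)\.(\d+)\.(\d+)")

# Constructed sample banners (not real `haproxy -v` captures).
SAMPLE_OLD = "HA-Proxy version 2.2.28-constructed 2023/01/01 - https://haproxy.org/"
SAMPLE_FIXED = "HA-Proxy version 2.2.29-constructed 2023/02/01 - https://haproxy.org/"


def parse_version(banner: str):
    """Return (major, minor, patch) from an HAProxy version banner, or None."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def needs_upgrade(banner: str, fixed=FIXED_2_2) -> bool:
    """True when the banner's version is on the same x.y branch as `fixed`
    and older than it. Other branches raise, because their fixed release
    is not stated in the thread and must be read from the vendor advisory."""
    v = parse_version(banner)
    if v is None:
        raise ValueError("could not parse an HAProxy version from the banner")
    if v[:2] != fixed[:2]:
        raise ValueError(
            f"branch {v[0]}.{v[1]} not covered here; check the vendor advisory"
        )
    return v < fixed


def check_installed() -> str:
    """Run `haproxy -v` if the binary is on PATH and describe the result."""
    if shutil.which("haproxy") is None:
        return "haproxy binary not found on PATH"
    out = subprocess.run(["haproxy", "-v"], capture_output=True, text=True).stdout
    try:
        return "upgrade needed" if needs_upgrade(out) else "at or above fixed release"
    except ValueError as exc:
        return f"undetermined: {exc}"


if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_FIXED):
        print(banner.split(" - ")[0], "->", "upgrade needed" if needs_upgrade(banner) else "ok")
    print("installed:", check_installed())
```

On pfSense the package version shown in the GUI may carry a distribution suffix; the regex only reads the leading x.y.z so that suffix does not affect the comparison.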
@jimp Is this issue resolved?
-
Does anyone know when the patched HAProxy version will be available in pfSense?
-
@jsiegfried To be fair to the Netgate team, there is a workaround for this as stated on the HA blog.
https://www.haproxy.com/blog/february-2023-header-parser-fixed/
The fix is very straightforward and easy to apply.
So yes an upgrade is nice, but the workaround is literally a copy and paste in your front end configuration.
-
@michmoor
Thank you very much for your reply.
I have already set the workaround in my shared-frontends.
But if I read it correctly, this is only the workaround for CVE-2023-25725. What about a patch or workaround for CVE-2023-0056?
-
@jsiegfried I don't see any notification from HAProxy about that CVE. They haven't addressed it or spoken about it, at least on their blog.
The CVE score is pretty low compared to the other one though.
https://www.cvedetails.com/cve/CVE-2023-0056/