Todo #12354
openUpdate haproxy-devel to mitigate CVE-2021-40346
0%
Description
As per https://nvd.nist.gov/vuln/detail/CVE-2021-40346 need update to fix BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
HAproxy 2.2.17 Changelog available here: https://www.haproxy.org/download/2.2/src/CHANGELOG
Temporary workaround:
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
Files
Updated by Christian McDonald about 3 years ago
- Subject changed from Update haproxy-devel to mitingate CVE-2021-40346 to Update haproxy-devel to mitigate CVE-2021-40346
Updated by DRago_Angel [InV@DER] about 3 years ago
Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
Updated by Viktor Gurov about 3 years ago
DRago_Angel [InV@DER] wrote in #note-3:
Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.
You can try to apply the attached patch
Updated by DRago_Angel [InV@DER] about 3 years ago
Viktor Gurov wrote in #note-6:
You can try to apply the attached patch
No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy
Updated by Viktor Gurov almost 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Marcos M almost 3 years ago
- Status changed from Feedback to Pull Request Review
This patch results in the following warning when starting haproxy
:
haproxy: startup error output!: [WARNING] (34441) : config : 'http-request' rules ignored for frontend 'domain.tld' as they require HTTP mode.[WARNING] (34441) : config : 'http-response' rules ignored for frontend 'domain.tld' as they require HTTP mode.
Fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/162
Updated by Viktor Gurov almost 3 years ago
- Status changed from Pull Request Review to Feedback
Marcos Mendoza wrote in #note-9:
This patch results in the following warning when starting
haproxy
:
[...]Fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/162
Merged
Updated by DRago_Angel [InV@DER] almost 3 years ago
Hi I want to ask is you implemented mentioned "Temporary workaround"?
No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy
I want repeat it just in case it was skipped. No need to add Temporary workaround to config.
Updated by Micha Kersloot over 2 years ago
This patch seems to conflict with http-request redirect action:
http-request redirect scheme https http-request deny if { req.hdr_cnt(content-length) gt 1 } http-response deny if { res.hdr_cnt(content-length) gt 1 }
Updated by DRago_Angel [InV@DER] over 2 years ago
Want to tell again on version of haproxy that now this actions not needed, please remove them
Updated by Viktor Gurov over 2 years ago
- Status changed from Feedback to New
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback