Project

General

Profile

Actions

Todo #12354

open

Update haproxy-devel to mitigate CVE-2021-40346

Added by DRago_Angel [InV@DER] about 1 month ago. Updated 14 days ago.

Status:
Pull Request Review
Priority:
High
Assignee:
Category:
haproxy
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

As per https://nvd.nist.gov/vuln/detail/CVE-2021-40346 need update to fix BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
HAproxy 2.2.17 Changelog available here: https://www.haproxy.org/download/2.2/src/CHANGELOG

Temporary workaround:

http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }


Files

136.diff (2.56 KB) 136.diff Viktor Gurov, 10/09/2021 05:48 AM
Actions #1

Updated by Christian McDonald about 1 month ago

  • Subject changed from Update haproxy-devel to mitingate CVE-2021-40346 to Update haproxy-devel to mitigate CVE-2021-40346
Actions #2

Updated by DRago_Angel [InV@DER] about 1 month ago

Sorry for typo

Actions #3

Updated by DRago_Angel [InV@DER] 19 days ago

Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.

Actions #5

Updated by Jim Pingle 15 days ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
Actions #6

Updated by Viktor Gurov 14 days ago

DRago_Angel [InV@DER] wrote in #note-3:

Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.

You can try to apply the attached patch

Actions #7

Updated by DRago_Angel [InV@DER] 14 days ago

Viktor Gurov wrote in #note-6:

You can try to apply the attached patch

No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy

Actions

Also available in: Atom PDF