Project

General

Profile

Actions

Todo #12354

open

Update haproxy-devel to mitigate CVE-2021-40346

Added by DRago_Angel [InV@DER] about 3 years ago. Updated over 2 years ago.

Status:
Feedback
Priority:
High
Assignee:
Viktor Gurov
Category:
haproxy
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

As per https://nvd.nist.gov/vuln/detail/CVE-2021-40346 need update to fix BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
HAproxy 2.2.17 Changelog available here: https://www.haproxy.org/download/2.2/src/CHANGELOG

Temporary workaround:

http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }


Files

136.diff (2.56 KB) 136.diff Viktor Gurov, 10/09/2021 05:48 AM
clipboard-202205111713-miifc.png (25.5 KB) clipboard-202205111713-miifc.png Micha Kersloot, 05/11/2022 10:13 AM
Actions #1

Updated by Christian McDonald about 3 years ago

  • Subject changed from Update haproxy-devel to mitingate CVE-2021-40346 to Update haproxy-devel to mitigate CVE-2021-40346
Actions #2

Updated by DRago_Angel [InV@DER] about 3 years ago

Sorry for typo

Actions #3

Updated by DRago_Angel [InV@DER] about 3 years ago

Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.

Actions #5

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
Actions #6

Updated by Viktor Gurov about 3 years ago

DRago_Angel [InV@DER] wrote in #note-3:

Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.

You can try to apply the attached patch

Actions #7

Updated by DRago_Angel [InV@DER] about 3 years ago

Viktor Gurov wrote in #note-6:

You can try to apply the attached patch

No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy

Actions #8

Updated by Viktor Gurov almost 3 years ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #9

Updated by Marcos M almost 3 years ago

  • Status changed from Feedback to Pull Request Review

This patch results in the following warning when starting haproxy:

haproxy: startup error output!: [WARNING] (34441) : config : 'http-request' rules ignored for frontend 'domain.tld' as they require HTTP mode.[WARNING] (34441) : config : 'http-response' rules ignored for frontend 'domain.tld' as they require HTTP mode.

Fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/162

Actions #10

Updated by Viktor Gurov almost 3 years ago

  • Status changed from Pull Request Review to Feedback

Marcos Mendoza wrote in #note-9:

This patch results in the following warning when starting haproxy:
[...]

Fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/162

Merged

Actions #11

Updated by DRago_Angel [InV@DER] almost 3 years ago

Hi I want to ask is you implemented mentioned "Temporary workaround"?

No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy

I want repeat it just in case it was skipped. No need to add Temporary workaround to config.

Actions #12

Updated by Micha Kersloot over 2 years ago

This patch seems to conflict with http-request redirect action:

    http-request redirect scheme https 
    http-request  deny if { req.hdr_cnt(content-length) gt 1 }
    http-response deny if { res.hdr_cnt(content-length) gt 1 }

Actions #13

Updated by DRago_Angel [InV@DER] over 2 years ago

Want to tell again on version of haproxy that now this actions not needed, please remove them

Actions #14

Updated by Viktor Gurov over 2 years ago

  • Status changed from Feedback to New
Actions #15

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review
Actions #16

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
Actions

Also available in: Atom PDF