Todo #12354
open
- Subject changed from Update haproxy-devel to mitingate CVE-2021-40346 to Update haproxy-devel to mitigate CVE-2021-40346
Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
DRago_Angel [InV@DER] wrote in #note-3:
Hi, this is serious CVE, and still no updates? Even it possible to workaround issue by adding own check, I sure most people don't aware about it. Also HAproxy 2.4 LTS already released, it safe to update pfsense devel to it I think.
You can try to apply the attached patch
Viktor Gurov wrote in #note-6:
You can try to apply the attached patch
No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy
- Status changed from Pull Request Review to Feedback
- Status changed from Feedback to Pull Request Review
This patch results in the following warning when starting haproxy:
haproxy: startup error output!: [WARNING] (34441) : config : 'http-request' rules ignored for frontend 'domain.tld' as they require HTTP mode.[WARNING] (34441) : config : 'http-response' rules ignored for frontend 'domain.tld' as they require HTTP mode.
Fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/162
- Status changed from Pull Request Review to Feedback
Hi I want to ask is you implemented mentioned "Temporary workaround"?
No need to add this if version of haproxy will be updated. This lines can be added via global settings once without any custom stuff. The idea, just to have up to date version of haproxy
I want repeat it just in case it was skipped. No need to add Temporary workaround to config.
This patch seems to conflict with http-request redirect action:
http-request redirect scheme https
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
Want to tell again on version of haproxy that now this actions not needed, please remove them
- Status changed from Feedback to New
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by