21.7.2 - need to upgrade HAPROXY to 2.2.17 to fix CVE-2021-40346

[nzkiwi68]

HAPROXY reports September/2021 – CVE-2021-40346: Duplicate ‘Content-Length’ Header Fixed
https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Can we pleas update the HAPROXY package to v2.2.17

Thanks!

[franco]

Do you known when the latest version came out? Do you know how much time it takes to prepare a new one?

For the business edition micro-managing CVEs is certainly a possibility but for the community edition I think adoption rate is fast enough as it is with the usual complains of too many updates in mind.


Cheers,
Franco

[sorano]

You dont need to upgrade. You can use the mitigations instead.

[fabiodanzetta]

Hi Sorano,

how can I apply the two mitigation strings indicated at the end of the article directly from the plugin configuration GUI?

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Thanks

[sorano]

Hi Sorano,

how can I apply the two mitigation strings indicated at the end of the article directly from the plugin configuration GUI?

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Thanks

Hi.

Here is how you can do it:
https://docs.opnsense.org/manual/how-tos/haproxy.html#third-step-configure-conditions

[nzkiwi68]

Do you known when the latest version came out? Do you know how much time it takes to prepare a new one?

I am sorry, I meant no offense. I merely wished to inform, as I use HAPROXY on OPNsense extensively, and that you may not have seen the CVE.

And, no, I don't know the actual effort required to prepare a new HAPROXY package, but, I merely hoped to advise and have this added to the ever growing list of things to be done.

Yes, it looks like there was very little notice.

Lastly, let me say a big thanks to you all of the many contributors to OPNsense. You do amazing work.

[nzkiwi68]

Hi Sorano,

how can I apply the two mitigation strings indicated at the end of the article directly from the plugin configuration GUI?

1. Services > HAPROXY > Settings
2. Virtual Services > Public Services (these are your frontends)
3. Edit your public service (or services)
4. Be sure enable "advanced mode" at the top
5. Scroll down, under "Advanced settings", "Option pass-through" add these lines:

Code: [Select]

http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }


[fabiodanzetta]

Hi Nzkiwi68,

Thank you very much, for the precise indication.
Can you also tell me how I could test everything maybe even using if there is any tool?

Thanks again.

[nzkiwi68]

If your asking to test the work around as posted by HAPROXY, I can't see any guidance on how to test it.

For myself, I trust that the vendor's workaround is correct. If you want more assurance including some sort of test (which could involve crafting a malicious header), that's not something I'd every try.

Perhaps you could go back to HAPROXY and post on their forums to ask for information, it's certainly well beyond the scope of OPNsense.

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

[franco]

I am sorry, I meant no offense. I merely wished to inform, as I use HAPROXY on OPNsense extensively, and that you may not have seen the CVE.

No worries, I just want to explain. In a good release where there are no package errors from ports tree it takes 48 hours for build, upload, test, document and release. Doing this twice in one week is possible but not much else is getting done then.

In such cases where a release cycle started and then later a CVE is released even before the release the question is always: abort or continue? In most cases it's better to continue instead of delay the release since this particular issue isn't the only one that needs to be taken care of.

So there is always the next version or you can build from the ports tree yourself in the meantime:

# opnsense-code ports
# cd /usr/ports/net/haproxy22
# make reinstall


Cheers,
Franco

[fabiodanzetta]

If your asking to test the work around as posted by HAPROXY, I can't see any guidance on how to test it.

For myself, I trust that the vendor's workaround is correct. If you want more assurance including some sort of test (which could involve crafting a malicious header), that's not something I'd every try.

Perhaps you could go back to HAPROXY and post on their forums to ask for information, it's certainly well beyond the scope of OPNsense.

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Hello,

thanks again for all the support.