HAProxy Security Update (CVE-2023-25725)

mail-archive.com

40 points by peanball 3 years ago · 6 comments

nvahalik 3 years ago

CVE-2023-25725 on Debian: https://security-tracker.debian.org/tracker/CVE-2023-25725

It's fixed in 2.2.9-2+deb11u4.

wtarreau 3 years ago

Just to clarify some doubts, distro packages issued yesterday all have the fix in them even if the base version number appears older.

theandrewbailey 3 years ago

   Branch     Vulnerable               Fixed      Maintained until
   ---------+------------------------+----------+-----------------
   ...
   2.4        2.4.0 .. 2.4.21          2.4.12     2026-Q2 (LTS)

So 2.4 was fixed a long time ago? I just did an update and got 2.4.21, so I'm still vulnerable!

  • max-m 3 years ago

    I think this was a typo in the table. 2.4.22 was released alongside the other fixed versions.

    • wtarreau 3 years ago

      confirmed, thanks for correcting me. Dealing with such reports across many versions and copy-pasting lots of data & Git commit IDs is extremely prone to failures, even after careful re-reading.

exabrial 3 years ago

please tell me this won't be part of phased updates
