Releases: haproxytech/kubernetes-ingress
HAProxy Ingress Controller v1.7.12
HAProxy Technologies has announced that HAProxy 2.0 or newer, HAProxy Enterprise 2.0 or newer, and HAProxy ALOHA 12.5 or newer are affected by CVE-2023-25725. If you are using an affected product you should upgrade to the latest version immediately or apply the configuration detailed below.
For the latest information on this issue and our response, read our blog post at https://www.haproxy.com/blog/february-2023-header-parser-fixed. We will post any future updates on this page.
This vulnerability affects the header parser and permits header manipulations that might be unauthorized or dangerous.
Examples:
• a transfer-encoding header may be hidden after the presence of a content-length header is confirmed and sent to another proxy
• a transfer-encoding header or a content-length header may be hidden after the internal parser has confirmed its presence; in this scenario, the parser will consider the missing header to still be present.
Affected Versions and Remediation
HAProxy Technologies released new versions of HAProxy, HAProxy Enterprise, and HAProxy ALOHA on Tuesday, 14 February 2023. These releases patch the vulnerability described in CVE-2023-25725.
Users of the affected products should upgrade to the fixed version as soon as possible.
• HAProxy Enterprise users can follow the upgrade instructions here: https://www.haproxy.com/documentation/hapee/latest/getting-started/upgrade/linux/#update-haproxy-enterprise
• HAProxy ALOHA users can follow the upgrade instructions here: https://www.haproxy.com/documentation/aloha/latest/getting-started/firmware-updates/
Users of container images: please note that we are currently building fixed versions of the container images. We will update the blog post when they become available.
| Affected Version | Fixed Version |
|---|---|
| HAProxy 2.0 | HAProxy 2.0.31 |
| HAProxy 2.2 | HAProxy 2.2.29 |
| HAProxy 2.4 | HAProxy 2.4.22 |
| HAProxy 2.5 | HAProxy 2.5.12 |
| HAProxy 2.6 | HAProxy 2.6.9 |
| HAProxy 2.7 | HAProxy 2.7.3 |
| HAProxy Enterprise 2.0r1 | 2.0r1-1.0.0-248.1534 |
| HAProxy Enterprise 2.2r1 | 2.2r1-1.0.0-254.929 |
| HAProxy Enterprise 2.4r1 | 2.4r1-1.0.0-285.1010 |
| HAProxy Enterprise 2.5r1 | 2.5r1-1.0.0-285.653 |
| HAProxy Enterprise 2.6r1 | 2.6r1-1.0.0-288.770 |
| HAProxy ALOHA 12.5 | HAProxy ALOHA 12.5.18 |
| HAProxy ALOHA 13.5 | HAProxy ALOHA 13.5.19 |
| HAProxy ALOHA 14.0 | HAProxy ALOHA 14.0.11 |
| HAProxy ALOHA 14.5 | HAProxy ALOHA 14.5.6 |
| HAProxy Kubernetes Ingress Controller 1.7 | 1.7.12 |
| HAProxy Kubernetes Ingress Controller 1.8 | 1.8.11 |
| HAProxy Kubernetes Ingress Controller 1.9 | 1.9.3 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.7 | 1.7.12-ee1 |
Workaround
If you are not able to update right away, you can apply the following rule to mitigate the issue. Add it to each frontend that is exposed to clients and then restart your HAProxy instance. The rule denies an HTTP/1 request that carries body bytes without a Content-Length or Transfer-Encoding header (CONNECT requests excepted), which is the inconsistent state the parser bug can leave a request in.

```haproxy
frontend myfrontend
    http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }
```
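To make the workaround's conditions concrete, here is an added Python model of that ACL. It is not part of the advisory or of the HAProxy project; it parses a few constructed HTTP/1.1 messages and reports whether the deny rule would fire on each. It approximates `req.body_size` as the number of bytes following the header block, which is an assumption made for illustration; in HAProxy that sample reflects what the parser has actually buffered.

```python
# Added illustration of the CVE-2023-25725 workaround ACL; not HAProxy code.
# Mirrors:
#   http-request deny if { fc_http_major 1 } !{ req.body_size 0 }
#       !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found }
#       !{ method CONNECT }
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Request:
    method: str
    http_major: int
    headers: Dict[str, List[str]]  # lower-cased field name -> values, in order seen
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x message into the parts the ACL model needs.

    Assumption: everything after the first blank line counts as body bytes,
    standing in for HAProxy's req.body_size (the body bytes it has buffered).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _target, version = lines[0].decode("ascii").split(" ", 2)
    major = int(version.split("/", 1)[1].split(".", 1)[0])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Request(method, major, headers, body)


def workaround_denies(req: Request) -> bool:
    """True when every condition of the advisory's deny rule holds."""
    return (
        req.http_major == 1                          # { fc_http_major 1 }
        and len(req.body) != 0                       # !{ req.body_size 0 }
        and "content-length" not in req.headers      # !{ req.hdr(content-length) -m found }
        and "transfer-encoding" not in req.headers   # !{ req.hdr(transfer-encoding) -m found }
        and req.method != "CONNECT"                  # !{ method CONNECT }
    )


# Constructed sample messages (not captured traffic); example.test is a placeholder host.
SAMPLES: Dict[str, bytes] = {
    # Ordinary request with no body: allowed.
    "get_no_body": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Body framed by Content-Length: allowed.
    "post_with_content_length": (
        b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
    ),
    # Body framed by Transfer-Encoding: allowed.
    "post_chunked": (
        b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
    ),
    # Body bytes present but neither framing header: the state the rule denies.
    "post_body_no_framing": b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\nhello",
    # CONNECT tunnels carry raw bytes after the headers by design: excluded from the rule.
    "connect_with_bytes": (
        b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n\x16\x03\x01"
    ),
}


def evaluate_samples() -> Dict[str, bool]:
    """Map each sample name to whether the workaround rule would deny it."""
    return {name: workaround_denies(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{name:28s} {'DENY' if denied else 'allow'}")
```

Only the sample with body bytes and no framing header is denied; the `fc_http_major 1` condition also means the rule is scoped to HTTP/1 connections and does nothing for HTTP/2 frontends, so it is a stopgap until the fixed version from the table above is deployed.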
Support
If you are an HAProxy Enterprise or HAProxy ALOHA customer and have questions about upgrading to the latest version or applying the configuration workaround detailed above, please get in touch with the HAProxy support team.
HAProxy Ingress Controller v1.9.2
Changelog
- 8fd6d60 BUILD/MINOR: go: use Go version 1.20
HAProxy Ingress Controller v1.8.10
Changelog
- 72d97b4 BUILD/MINOR: go: use Go version 1.20
HAProxy Ingress Controller v1.9.1
HAProxy Ingress Controller v1.8.9
HAProxy Ingress Controller v1.8.8
Changelog
- 1d80d8f MINOR: removal of unused ingresschan
HAProxy Ingress Controller v1.9.0
Changelog
4e2d3a0 - BUILD/MAJOR: ci: change latest branch to 1.9
4801d8e - DOC/MAJOR: update doc to reflect latest version
cd5d159 - MINOR: removal of unused ingresschan
ccff59b - DOC/MEDIUM: #489 allow multiple rewrites in single annotation
effdda4 - MEDIUM: config: #489 allow multiple rewrites in single annotation
df3d1df - CLEANUP/MINOR: format test yaml files
165e000 - MEDIUM: crd: leave support for v1alpha1 crds
0948245 - MEDIUM: cr: Update global, defaults and backend Custom Resource Definitions to v1alpha2
50bae0c - MINOR: cr: Update helper script for CR spec
fb118ea - MINOR: cr: fix plural name of defaults CR
c38aa87 - BUG/MINOR: properly set default value for queue timeout
28e13c6 - BUG/MAJOR: set hard-stop-after with default value of 30m
8c8a6d9 - TEST: ci: add additional info on CI for number of parallel tests
5ae4638 - BUILD/MEDIUM: ci: update k8s version to v1.25.2
2a8b907 - MINOR: set src-ip-header on default backend
09e380d - BUILD/MAJOR: haproxy: upgrade release to 2.6
e3b7ce1 - BUILD/MAJOR: raise minimum Go version to 1.19
6fab443 - BUG/MINOR: upgrade golang.org/x/sys and golang.org/x/net modules
8b5cfbb - BUG/MINOR: ci: add push rule to all jobs
501a93d - TEST: ci: in scheduled mode, run only one k8s cluster per time
82c040a - TEST: gitlab: increase artefact expiration time
71dc94f - CLEANUP/MINOR: s6: do not double stop signal
ff2284e - TEST/MINOR: ci: combine two tags for go parallel testing
6afd804 - BUG/MINOR: s6: React to SIGUSR1 when pod is getting deleted
8bddf5e - TEST: ci: extract https tests to separate ci job on github
2dac94e - BUG/MINOR: e2e: use correct configmap.yaml file
4623bb4 - BUILD: ci: speed up ci with parallel start e2e stages
48e9e92 - BUG/MINOR: service: do not override service status
4dddf0a - DOC/MINOR: add a missing licence to file
38c1e14 - TEST/MEDIUM: Use the builtin HTTP server as default backend
55be603 - TEST: Fix failing e2e tests with kubernetes
3dbd1eb - MEDIUM: Add Cgroups v1 and v2 limits to MEMLIMIT and GOMEMLIMIT calculation
744f122 - TEST/MAJOR: Use networking.k8s.io/v1 instead of v1beta1
025a11d - BUG/MINOR: avoid hard restarts when using a Global CRD
000976f - DOC/MINOR: Upgrade Ingress API version in Canary example
a923fce - TEST: modification of custom resource poc integration test
57aff86 - MEDIUM: Add GOMEMLIMIT support and switch Go runtime to 1.19
4974a22 - TEST: add non regression test for use_backend multiplication
3445475 - MINOR: add event processed channel to monitoring
0f295d1 - BUG: BackendSwitchingRuleDeleteAll does not delete all rules
f04679a - BUG: fix ssl-redirect precedence order with configmap and ingress
93815b8 - BUG/MINOR: Prevent unnecessary reloads when cookie-persistence is enabled
15d4efa - DOC/MEDIUM: add http-connection-mode and deprecate http-server-close and http-keep-alive
0217c3e - MEDIUM: merge HTTPConnectionMode annotations into one.
18b47de - BUG/MINOR: triggers a reload if an Ingress is deleted
f0c92bf - BUG: fixes ssl passthrough disable redirect
52e14de - BUG: fixes error on recreation of default local backend
182a14e - MINOR: add trace logs for endpoints and servers
a8018e2 - BUG/MINOR: prevents unnecessary reloading when the attribute client-ca is not used.
410e8f2 - MINOR: fixes log message
cfcb9dc - MINOR: copies controller binary last, to favor caching and speed up the image build
98d2b90 - BUG/MINOR: prevents unnecessary restart when using multiple syslog servers
fe28b69 - MINOR: allow custom ports for local peer, stats and healthz
HAProxy Ingress Controller v1.8.7
Changelog
- a267585 BUG/MINOR: properly set default value for queue timeout
HAProxy Ingress Controller v1.8.6
Changelog
- cf81f3a BUG/MINOR: s6: React to SIGUSR1 when pod is getting deleted
HAProxy Ingress Controller v1.8.5
Changelog
ca59756 - TEST: ci: extract https tests to separate ci job on github (2022-09-13T10:13:13+02:00)
7b1878a - BUG/MINOR: e2e: use correct configmap.yaml file (2022-09-13T09:33:59+02:00)
4194cf1 - BUILD: ci: speed up ci with parallel start e2e stages (2022-08-25T15:13:16+02:00)
6f1a33f - TEST/MEDIUM: Use the builtin HTTP server as default backend (2022-09-05T08:48:30+02:00)
eb3e848 - BUG/MINOR: service: do not override service status (2022-08-25T15:09:24+02:00)
cf68a3b - BUG/MINOR: avoid hard restarts when using a Global CRD (2022-08-03T18:32:10-03:00)
1ca13cf - BUG: BackendSwitchingRuleDeleteAll does not delete all rules (2022-08-09T10:43:18+02:00)
3acf675 - MEDIUM: Add Cgroups v1 and v2 limits to MEMLIMIT and GOMEMLIMIT calculation (2022-09-01T08:11:10+00:00)
28bd5d3 - MEDIUM: Changes for Go 1.19 runtime (2022-08-17T11:18:31+00:00)
a31bb45 - MEDIUM: Add GOMEMLIMIT support and switch Go runtime to 1.19 (2022-08-17T08:56:57+00:00)