HAProxy Security Update (CVE-2023-25725) (mail-archive.com)
40 points by peanball 1220 days ago
4 comments

CVE-2023-25725 on Debian: https://security-tracker.debian.org/tracker/CVE-2023-25725

It's fixed in 2.2.9-2+deb11u4.

Just to clarify some doubts, distro packages issued yesterday all have the fix in them even if the base version number appears older.

   Branch     Vulnerable               Fixed      Maintained until
   ---------+------------------------+----------+-----------------
   ...
   2.4        2.4.0 .. 2.4.21          2.4.12     2026-Q2 (LTS)
So 2.4 was fixed a long time ago? I just did an update and got 2.4.21, so I'm still vulnerable!
I think this was a typo in the table. 2.4.22 was released alongside the other fixed versions.
Confirmed, thanks for correcting me. Dealing with such reports across many versions and copy-pasting lots of data & Git commit IDs is extremely prone to failures, even after careful re-reading.
Please tell me this won't be part of phased updates.