Ubuntu has issued an advisory on April 10:
https://ubuntu.com/security/notices/USN-7431-1

Upstream fix:
https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559

Status comment: (none) => Patch available from upstream and Ubuntu
CVE: (none) => CVE-2025-32464
Source RPM: (none) => haproxy-3.1.6-1.mga10.src.rpm, haproxy-2.8.14-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
This used to be Raphael's baby, but I do not think he is with us any more; so assigning globally. The patch is small!
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory on April 15: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QIY5CFNUWQY6R6BCFXJMFVWXB3WVUQRS/
I'll try this
Assignee: pkg-bugs => j.alberto.vc
Packages:
haproxy-2.8.14-1.1.mga9
haproxy-noquic-2.8.14-1.1.mga9
haproxy-quic-2.8.14-1.1.mga9
haproxy-utils-2.8.14-1.1.mga9

SRPM:
haproxy-2.8.14-1.1.mga9

Source RPM: haproxy-3.1.6-1.mga10.src.rpm, haproxy-2.8.14-1.mga9.src.rpm => haproxy-2.8.14-1.mga9
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: j.alberto.vc => qa-bugs
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34105 for testing:

# systemctl start haproxy
# systemctl -l status haproxy
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-04-23 17:36:30 CEST; 16s ago
    Process: 17217 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 17222 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.0M
        CPU: 349ms
     CGroup: /system.slice/haproxy.service
             ├─17222 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─17226 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

Apr 23 17:36:30 mach3.hviaene.thuis systemd[1]: Starting haproxy.service...
Apr 23 17:36:30 mach3.hviaene.thuis systemd[1]: Started haproxy.service.

and

$ curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

$ curl -I -k https://127.0.0.1:8000
HTTP/2 503
cache-control: no-cache
content-type: text/html

Looks good to go

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory
RH x86_64

Test noquic

LC_ALL=C urpmi haproxy haproxy-utils
In order to satisfy the 'haproxy-server[== 2.8.14-1.1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.14-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.14-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
  Package          Version   Release    Arch
(medium "QA Testing (64-bit)")
  haproxy          2.8.14    1.1.mga9   x86_64
  haproxy-noquic   2.8.14    1.1.mga9   x86_64
  haproxy-utils    2.8.14    1.1.mga9   x86_64
5MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

installing haproxy-2.8.14-1.1.mga9.x86_64.rpm haproxy-noquic-2.8.14-1.1.mga9.x86_64.rpm haproxy-utils-2.8.14-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: haproxy-noquic ##################################################################################################
2/3: haproxy ##################################################################################################
3/3: haproxy-utils ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.14-1.1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl -l status haproxy
haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-04-23 14:46:01 CST; 13s ago
    Process: 20887 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 20893 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.1M
        CPU: 135ms
     CGroup: /system.slice/haproxy.service
             ├─20893 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─20895 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

abr 23 14:46:01 jgrey.phoenix systemd[1]: Starting haproxy.service...
abr 23 14:46:01 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Wed, 23 Apr 2025 20:48:17 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

Looks good
RH x86_64

Test quic

LC_ALL=C urpmi haproxy
In order to satisfy the 'haproxy-server[== 2.8.14-1.1.mga9]' dependency, one of the following packages is needed:
 1- haproxy-noquic-2.8.14-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
 2- haproxy-quic-2.8.14-1.1.mga9.x86_64: Reliable High Performance TCP/HTTP Load Balancer (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package          Version   Release    Arch
(medium "QA Testing (64-bit)")
  haproxy          2.8.14    1.1.mga9   x86_64
  haproxy-quic     2.8.14    1.1.mga9   x86_64
5.2MB of additional disk space will be used.
1.7MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

installing haproxy-quic-2.8.14-1.1.mga9.x86_64.rpm haproxy-2.8.14-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: haproxy ##################################################################################################
2/2: haproxy-quic ##################################################################################################
----------------------------------------------------------------------
More information on package haproxy-2.8.14-1.1.mga9.x86_64
Haproxy is now installed.

Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8000, 8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

systemctl start haproxy.service
systemctl -l status haproxy
haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-04-23 14:51:22 CST; 9s ago
    Process: 47507 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 47512 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 21.3M
        CPU: 123ms
     CGroup: /system.slice/haproxy.service
             ├─47512 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─47514 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

abr 23 14:51:21 jgrey.phoenix systemd[1]: Starting haproxy.service...
abr 23 14:51:22 jgrey.phoenix systemd[1]: Started haproxy.service.

curl -I http://127.0.0.1:8000
HTTP/1.1 302 Found
content-length: 0
location: https://127.0.0.1:8000/
cache-control: no-cache

curl -I -k https://127.0.0.1:8000
HTTP/2 200
date: Wed, 23 Apr 2025 20:52:43 GMT
server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15
last-modified: Fri, 22 Dec 2023 20:41:41 GMT
etag: "ab-60d1f3e5ca682"
accept-ranges: bytes
content-length: 171
content-type: text/html; charset=UTF-8

With Herman's test, this should be enough additional confirmation
CC: (none) => andrewsfarm
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0138.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED