OPNsense's stable 23.1 release ships with HAProxy v2.6.8, which is affected by CVE-2023-25725. They already updated the package manifest three days ago on GitHub to v2.6.9, which has the fix for the CVE, but did not build and upload it to the package repositories. There was even a patch release, 23.1.1_2, today that still doesn't have the updated package.
I filed an issue asking them when they would build and upload the package, and... well, you can see the discussion for yourself.
I guess I'll be spending my weekend investigating alternatives.
Archive link: https://web.archive.org/web/20230217175225/https://github.co... / https://archive.is/KjPOx
Note: This is not an invitation to brigade the GH issue.