[ANNOUNCE] haproxy-ingress v0.13.19
1 view
Skip to first unread message
Joao Morais
Oct 10, 2025, 7:34:53 AM10/10/25
to haproxy...@googlegroups.com
HAProxy Ingress v0.13.19 is here!
This release updates the embedded haproxy version, which fixes
CVE-2025-11230, see HAProxy release notes
https://www.mail-archive.com/hap...@formilux.org/msg46188.html . This
CVE cannot be exploited on HAProxy Ingress because it does not use any
of the vulnerable converters. A proxy without the fix can however be
exploited by an internal user having access to the Ingress API, from a
controller that does not deny configuration snippets via annotations.
Other issues were also found and fixed:
- Chitoku found a regression on some certificate related annotations
not working with the `file://` protocol, after implementing global
support on those annotations.
- Artyom found the fronting-proxy configuration overwriting the
`X-Forwarded-Proto` header when both the fronting proxy and the
regular HTTP share the same TCP port number.
Dependencies:
- embedded haproxy from 2.4.29 to 2.4.30
- go from 1.23.11 to 1.23.12
Links and refs of this release:
* Changelog: https://github.com/jcmoraisjr/haproxy-ingress/blob/master/CHANGELOG/CHANGELOG-v0.13.md#v01319
* GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.13.19
* Release date: 2025-10-10
* Helm chart: --version 0.13.19
* Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.13.19
* Image (Docker Hub): docker.io/jcmoraisjr/haproxy-ingress:v0.13.19
* Embedded HAProxy version: 2.4.30
List of merged fixes and improvements since v0.13.18:
* fix reading backend ca certificate from file [#1297] (jcmoraisjr)
* fix xfp header on fronting proxy shared port [#1310] (jcmoraisjr)
* update go from 1.23.11 to 1.23.12 [5327d7d] (Joao Morais)
* update haproxy from 2.4.29 to 2.4.30 [01ef489] (Joao Morais)
This release updates the embedded haproxy version, which fixes
CVE-2025-11230, see HAProxy release notes
https://www.mail-archive.com/hap...@formilux.org/msg46188.html . This
CVE cannot be exploited on HAProxy Ingress because it does not use any
of the vulnerable converters. A proxy without the fix can however be
exploited by an internal user having access to the Ingress API, from a
controller that does not deny configuration snippets via annotations.
Other issues were also found and fixed:
- Chitoku found a regression on some certificate related annotations
not working with the `file://` protocol, after implementing global
support on those annotations.
- Artyom found the fronting-proxy configuration overwriting the
`X-Forwarded-Proto` header when both the fronting proxy and the
regular HTTP share the same TCP port number.
Dependencies:
- embedded haproxy from 2.4.29 to 2.4.30
- go from 1.23.11 to 1.23.12
Links and refs of this release:
* Changelog: https://github.com/jcmoraisjr/haproxy-ingress/blob/master/CHANGELOG/CHANGELOG-v0.13.md#v01319
* GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.13.19
* Release date: 2025-10-10
* Helm chart: --version 0.13.19
* Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.13.19
* Image (Docker Hub): docker.io/jcmoraisjr/haproxy-ingress:v0.13.19
* Embedded HAProxy version: 2.4.30
List of merged fixes and improvements since v0.13.18:
* fix reading backend ca certificate from file [#1297] (jcmoraisjr)
* fix xfp header on fronting proxy shared port [#1310] (jcmoraisjr)
* update go from 1.23.11 to 1.23.12 [5327d7d] (Joao Morais)
* update haproxy from 2.4.29 to 2.4.30 [01ef489] (Joao Morais)
Reply all
Reply to author
Forward
0 new messages