squid package vulnerable to CVE-2021-28116

Done

Details

5 participants

Leo Famulari
Léo Le Bouter
Ludovic Courtès
Maxim Cournoyer
Mark H Weaver

Owner: unassigned

Submitted by: Mark H Weaver

Severity: normal

Debbugs page

Mark H Weaver wrote on 14 Mar 2021 14:34

Recipients:(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:87czw1s9km.fsf@netris.org

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------

To: guix-devel@gnu.org

CVE-2021-28116	09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream did not release a patch yet. CVE entry to be monitored for a
fix.

https://www.zerodayinitiative.com/advisories/ZDI-21-157/- says it is a
low impact issue.

-------------------- End of forwarded message --------------------

Ludovic Courtès wrote on 15 Mar 2021 06:43

control message for bug #47142

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87o8fkh6s2.fsf@gnu.org

tags 47142 + security

quit

Leo Famulari wrote on 23 Mar 2021 21:06

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:YFq6wUqi070//Gk+@jasmine.lan

block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144

Léo Le Bouter wrote on 5 Apr 2021 13:42

squid package vulnerable to CVE-2021-28116

Recipients:(address . 47142@debbugs.gnu.org)

Message-ID:4cde9f87826dd847af036646f5332f893b903fe2.camel@zaclys.net

Still no fix available from upstream (unclear)

Leo Famulari wrote on 10 Apr 2021 11:47

(no subject)

Recipients:(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)

Message-ID:YHHyqn6Locu/F9cS@jasmine.lan

unblock 47297 with 47142

Maxim Cournoyer wrote on 22 Mar 2022 20:05

Re: bug#47142: squid package vulnerable to CVE-2021-28116

Recipients:(name . Mark H Weaver)(address . mhw@netris.org)

Message-ID:87ils5z7u5.fsf@gmail.com

Hello,

Mark H Weaver <mhw@netris.org> writes:

Toggle quote (13 lines)> I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
>
>       Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout@zaclys.net>
> To: guix-devel@gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116	09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,

We're now using squid 4.17.

Closing.

Thanks,

Maxim

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 47142@patchwise.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 47142

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date