GNU bug report logs

#47142 squid package vulnerable to CVE-2021-28116

Package: guix

Report forwarded to bug-guix@gnu.org:
bug#47142; Package guix. (Sun, 14 Mar 2021 21:37:02 GMT)


Acknowledgement sent to Mark H Weaver <mhw@netris.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Sun, 14 Mar 2021 21:37:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Mark H Weaver <mhw@netris.org>
To: bug-guix@gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: squid package vulnerable to CVE-2021-28116
Date: Sun, 14 Mar 2021 17:34:38 -0400
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

      Mark

-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100

CVE-2021-28116	09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream has not released a patch yet. CVE entry to be monitored for a
fix.

https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a
low impact issue.
-------------------- End of forwarded message --------------------

Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 15 Mar 2021 13:44:02 GMT)


Added indication that bug 47142 blocks 47297. Request was from Leo Famulari <leo@famulari.name> to control@debbugs.gnu.org. (Wed, 24 Mar 2021 04:07:02 GMT)


Information forwarded to bug-guix@gnu.org:
bug#47142; Package guix. (Mon, 05 Apr 2021 20:43:02 GMT)


Message #12 received at 47142@debbugs.gnu.org:

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47142@debbugs.gnu.org
Subject: squid package vulnerable to CVE-2021-28116
Date: Mon, 05 Apr 2021 22:42:40 +0200
Still no fix available from upstream (unclear)

Removed indication that bug 47142 blocks Request was from Leo Famulari <leo@famulari.name> to control@debbugs.gnu.org. (Sat, 10 Apr 2021 18:48:02 GMT)


Reply sent to Maxim Cournoyer <maxim.cournoyer@gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 03:07:03 GMT)


Notification sent to Mark H Weaver <mhw@netris.org>:
bug acknowledged by developer. (Wed, 23 Mar 2022 03:07:03 GMT)


Message #19 received at 47142-done@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Mark H Weaver <mhw@netris.org>
Cc: Léo Le Bouter <lle-bout@zaclys.net>, 47142-done@debbugs.gnu.org
Subject: Re: bug#47142: squid package vulnerable to CVE-2021-28116
Date: Tue, 22 Mar 2022 23:05:54 -0400
Hello,

Mark H Weaver <mhw@netris.org> writes:

> I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
>
>       Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout@zaclys.net>
> To: guix-devel@gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116	09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,

We're now using squid 4.17.

Closing.

Thanks,

Maxim
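The thread turns on two things: the version ranges quoted from the CVE text in Message #5 ("Squid through 4.14 and 5.x through 5.0.5") and its "in some configurations" qualifier, and the closing note above that Guix now ships squid 4.17, which lies outside those ranges. The Python below is an added example, not code from the Guix project, from Squid, or from anyone in this thread. It checks a Squid version string against the ranges the CVE names and looks for the squid.conf directives that enable WCCP. That WCCP is only active when `wccp_router` or `wccp2_router` is set is an assumption of the example, and the two sample configurations are constructed for it.

```python
"""Check a Squid deployment against the ranges named for CVE-2021-28116.

Added example; not Guix, Squid or thread code. The affected ranges come
from the CVE text quoted in the bug ("through 4.14", "5.x through 5.0.5").
Assumption: Squid only speaks WCCP when a wccp_router or wccp2_router
directive is present in squid.conf, so that is what "some configurations"
is taken to mean here. The sample configs at the bottom are constructed.
"""
import re
from typing import Tuple

# Inclusive upper bound of the affected range for each release line,
# as worded in the CVE description.
AFFECTED = {
    4: (4, 14),    # "Squid through 4.14"
    5: (5, 0, 5),  # "5.x through 5.0.5"
}

# Directives that turn WCCP support on (assumption, see module docstring).
WCCP_DIRECTIVES = ("wccp_router", "wccp2_router")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.17' or 'Squid Cache: Version 5.0.5' into a comparable tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_affected(version: str) -> bool:
    """True if the version falls inside a range the CVE text names as affected."""
    v = parse_version(version)
    major = v[0]
    if major > 5:
        return False
    if major < 4:
        # "through 4.14" is read here as covering every older release line too.
        return True
    return v <= AFFECTED[major]


def wccp_enabled(squid_conf: str) -> bool:
    """True if an uncommented wccp_router/wccp2_router line is present."""
    for line in squid_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        directive = stripped.split(None, 1)[0]
        if directive in WCCP_DIRECTIVES:
            return True
    return False


def exposure(version: str, squid_conf: str) -> str:
    """Combine the version check with the configuration check."""
    if not version_affected(version):
        return "not affected: version outside the ranges named by the CVE"
    if not wccp_enabled(squid_conf):
        return "affected version, but WCCP is not configured"
    return "EXPOSED: affected version with WCCP configured"


# Constructed sample configurations for the example.
CONF_WCCP_OFF = """\
http_port 3128
# wccp2_router 192.0.2.1   (commented out, so WCCP stays off)
cache_mem 256 MB
"""

CONF_WCCP_ON = """\
http_port 3128
wccp2_router 192.0.2.1
cache_mem 256 MB
"""

if __name__ == "__main__":
    # The version Guix moved to when this bug was closed, and the last
    # affected 4.x release, against both sample configurations.
    for ver in ("4.17", "4.14"):
        for name, conf in (("wccp off", CONF_WCCP_OFF), ("wccp on", CONF_WCCP_ON)):
            print(f"squid {ver}, {name}: {exposure(ver, conf)}")
```

In practice the version string comes from `squid -v` (its first line starts with "Squid Cache: Version ...", which `parse_version` accepts as-is) and the configuration from the running instance's squid.conf. Note the check is only as good as the two assumptions stated above: it reads the CVE's ranges literally and treats the WCCP router directives as the switch the "in some configurations" clause refers to.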




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:10 GMT)




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 15:46:01 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.