GNU bug report logs

#47142 squid package vulnerable to CVE-2021-28116

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 14 Mar 2021 21:36:14 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 14 17:36:14 2021
Received: from localhost ([127.0.0.1]:34331 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lLYPG-0002xv-Ht
	for submit@debbugs.gnu.org; Sun, 14 Mar 2021 17:36:14 -0400
Received: from lists.gnu.org ([209.51.188.17]:54356)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1lLYPE-0002xn-VE
 for submit@debbugs.gnu.org; Sun, 14 Mar 2021 17:36:13 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:55596)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mhw@netris.org>) id 1lLYPD-0008OU-Kq
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:36:12 -0400
Received: from world.peace.net ([64.112.178.59]:55708)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mhw@netris.org>) id 1lLYPC-0003FF-6K
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:36:11 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@netris.org>)
 id 1lLYPA-00015o-NU; Sun, 14 Mar 2021 17:36:08 -0400
From: Mark H Weaver <mhw@netris.org>
To: bug-guix@gnu.org
Subject: squid package vulnerable to CVE-2021-28116
References: <bc19eecdf5b924f0681c0fba22ffeb500540d988.camel@zaclys.net>
Date: Sun, 14 Mar 2021 17:34:38 -0400
Message-ID: <87czw1s9km.fsf@netris.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org;
 helo=world.peace.net
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: Léo Le Bouter <lle-bout@zaclys.net>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)
[Message part 1 (text/plain, inline)]
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

      Mark

-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100

[Message part 2 (text/plain, inline)]
CVE-2021-28116	09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream did not release a patch yet. CVE entry to be monitored for a
fix.

https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a
low impact issue.
[signature.asc (application/pgp-signature, inline)]
[Message part 4 (text/plain, inline)]
-------------------- End of forwarded message --------------------

Send a report that this bug log contains spam.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:22:46 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.