squid package vulnerable to CVE-2021-28116

Details
5 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Maxim Cournoyer
  • Mark H Weaver
Owner
unassigned
Submitted by
Mark H Weaver
Severity
normal
Mark H Weaver wrote on 14 Mar 2021 22:34
To: bug-guix@gnu.org, Léo Le Bouter <lle-bout@zaclys.net>
87czw1s9km.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100
CVE-2021-28116 09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream did not release a patch yet. CVE entry to be monitored for a
fix.

Low impact issue.

-------------------- End of forwarded message --------------------
Ludovic Courtès wrote on 15 Mar 2021 14:43
control message for bug #47142
To: control@debbugs.gnu.org
87o8fkh6s2.fsf@gnu.org
tags 47142 + security
quit
Leo Famulari wrote on 24 Mar 2021 05:06
(no subject)
To: control@debbugs.gnu.org
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Léo Le Bouter wrote on 5 Apr 2021 22:42
squid package vulnerable to CVE-2021-28116
To: 47142@debbugs.gnu.org
4cde9f87826dd847af036646f5332f893b903fe2.camel@zaclys.net
Still no fix available from upstream (unclear)
Leo Famulari wrote on 10 Apr 2021 20:47
(no subject)
To: GNU bug tracker automated control server <control@debbugs.gnu.org>
YHHyqn6Locu/F9cS@jasmine.lan
unblock 47297 with 47142
Maxim Cournoyer wrote on 23 Mar 2022 04:05
Re: bug#47142: squid package vulnerable to CVE-2021-28116
To: Mark H Weaver <mhw@netris.org>
87ils5z7u5.fsf@gmail.com
Hello,

Mark H Weaver <mhw@netris.org> writes:

> I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
>
> Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout@zaclys.net>
> To: guix-devel@gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116 09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,

We're now using squid 4.17.

Closing.

Thanks,

Maxim
Closed