squid package vulnerable to CVE-2021-28116

Open
Submitted by Mark H Weaver.
Details
4 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Mark H Weaver
Owner
unassigned
Severity
normal
Mark H Weaver wrote on 14 Mar 22:34 +0100
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87czw1s9km.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100
CVE-2021-28116 09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
Upstream did not release a patch yet. CVE entry to be monitored for a fix.
https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a low impact issue.
-------------------- End of forwarded message --------------------
Ludovic Courtès wrote on 15 Mar 14:43 +0100
control message for bug #47142
(address . control@debbugs.gnu.org)
87o8fkh6s2.fsf@gnu.org
tags 47142 + security
quit
Leo Famulari wrote on 24 Mar 05:06 +0100
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Léo Le Bouter wrote on 5 Apr 22:42 +0200
squid package vulnerable to CVE-2021-28116
(address . 47142@debbugs.gnu.org)
4cde9f87826dd847af036646f5332f893b903fe2.camel@zaclys.net
Still no fix available from upstream (unclear)

Leo Famulari wrote on 10 Apr 20:47 +0200
(no subject)
(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)
YHHyqn6Locu/F9cS@jasmine.lan
unblock 47297 with 47142