squid package vulnerable to CVE-2021-28116

Mark H Weaver wrote on 14 Mar 2021 22:34

Recipients:(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:87czw1s9km.fsf@netris.org

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------

To: guix-devel@gnu.org

CVE-2021-28116	09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream did not release a patch yet. CVE entry to be monitored for a
fix.

https://www.zerodayinitiative.com/advisories/ZDI-21-157/- says it is a
low impact issue.

-------------------- End of forwarded message --------------------

Ludovic Courtès wrote on 15 Mar 2021 14:43

control message for bug #47142

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87o8fkh6s2.fsf@gnu.org

tags 47142 + security

quit

Leo Famulari wrote on 24 Mar 2021 05:06

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:YFq6wUqi070//Gk+@jasmine.lan

block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144

Léo Le Bouter wrote on 5 Apr 2021 22:42

squid package vulnerable to CVE-2021-28116

Recipients:(address . 47142@debbugs.gnu.org)

Message-ID:4cde9f87826dd847af036646f5332f893b903fe2.camel@zaclys.net

Still no fix available from upstream (unclear)

Leo Famulari wrote on 10 Apr 2021 20:47

(no subject)

Recipients:(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)

Message-ID:YHHyqn6Locu/F9cS@jasmine.lan

unblock 47297 with 47142

Maxim Cournoyer wrote on 23 Mar 04:05 +0100

Re: bug#47142: squid package vulnerable to CVE-2021-28116

Recipients:(name . Mark H Weaver)(address . mhw@netris.org)

Message-ID:87ils5z7u5.fsf@gmail.com

Hello,

Mark H Weaver <mhw@netris.org> writes:

Toggle quote (13 lines)> I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
>
>       Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout@zaclys.net>
> To: guix-devel@gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116	09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,

We're now using squid 4.17.

Closing.

Thanks,

Maxim

Closed

Your comment

This issue is archived.

To comment on this conversation send email to 47142@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date