squid package vulnerable to CVE-2021-28116

Details
5 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Maxim Cournoyer
  • Mark H Weaver
Owner
unassigned
Submitted by
Mark H Weaver
Severity
normal
Mark H Weaver wrote on 14 Mar 2021 22:34
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87czw1s9km.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100
CVE-2021-28116 09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream has not released a patch yet. CVE entry to be monitored for a
fix.

Low impact issue.

-------------------- End of forwarded message --------------------
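As an added triage helper (not part of this bug report, of Guix, or of Squid), assuming the squid.conf directive names wccp_router and wccp2_router from Squid's configuration reference, this checks a Squid version against the affected ranges quoted above and whether a configuration actually enables WCCP, which is the "some configurations" condition in the advisory:

```python
import re

# Affected ranges as stated in the advisory text: Squid through 4.14,
# and 5.x through 5.0.5.
LAST_AFFECTED_4X = (4, 14, 0)
LAST_AFFECTED_5X = (5, 0, 5)

# squid.conf directives that turn on WCCP v1/v2. Names are assumed from
# the Squid configuration reference, not taken from this bug report.
WCCP_DIRECTIVES = {"wccp_router", "wccp2_router"}

# Constructed squid.conf fragment used for the demo below.
SAMPLE_CONF = """\
http_port 3128
# wccp_router 192.0.2.1   (commented out, so not active)
wccp2_router 192.0.2.1
"""


def parse_version(version: str) -> tuple:
    """Turn '4.14', '5.0.5' or '4.17-1' into a 3-tuple of ints (extra parts dropped)."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    if not parts:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(version: str) -> bool:
    """True if the version falls inside the ranges quoted in the advisory."""
    v = parse_version(version)
    if v[0] <= 4:
        return v <= LAST_AFFECTED_4X
    if v[0] == 5:
        return v <= LAST_AFFECTED_5X
    return False


def wccp_enabled(squid_conf: str) -> bool:
    """True if an uncommented wccp_router/wccp2_router directive is present."""
    for line in squid_conf.splitlines():
        code = line.split("#", 1)[0].strip()  # drop trailing comments
        if code and code.split()[0] in WCCP_DIRECTIVES:
            return True
    return False


def exposure(version: str, squid_conf: str) -> str:
    """Combine both checks into a short triage verdict."""
    if not version_affected(version):
        return "not affected"
    if wccp_enabled(squid_conf):
        return "affected and WCCP enabled"
    return "affected version, WCCP not configured"


if __name__ == "__main__":
    for ver in ("4.14", "4.17", "5.0.5"):
        print(ver, "->", exposure(ver, SAMPLE_CONF))
```

The config check cannot tell whether WCCP support was compiled in at all, so an "affected version, WCCP not configured" result still warrants upgrading.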
Ludovic Courtès wrote on 15 Mar 2021 14:43
control message for bug #47142
(address . control@debbugs.gnu.org)
87o8fkh6s2.fsf@gnu.org
tags 47142 + security
quit
Leo Famulari wrote on 24 Mar 2021 05:06
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Léo Le Bouter wrote on 5 Apr 2021 22:42
squid package vulnerable to CVE-2021-28116
(address . 47142@debbugs.gnu.org)
4cde9f87826dd847af036646f5332f893b903fe2.camel@zaclys.net
Still no fix available from upstream (unclear)
Leo Famulari wrote on 10 Apr 2021 20:47
(no subject)
(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)
YHHyqn6Locu/F9cS@jasmine.lan
unblock 47297 with 47142
Maxim Cournoyer wrote on 23 Mar 2022 04:05
Re: bug#47142: squid package vulnerable to CVE-2021-28116
(name . Mark H Weaver)(address . mhw@netris.org)
87ils5z7u5.fsf@gmail.com
Hello,

Mark H Weaver <mhw@netris.org> writes:

> I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
>
> Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout@zaclys.net>
> To: guix-devel@gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116 09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,

We're now using squid 4.17.

Closing.

Thanks,

Maxim
Closed