From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid: Update to 6.6
Date: Wed, 20 Dec 2023 10:59:04 +0000
Message-ID: <34260A24-01A6-44FE-978F-E60CB2269D76@ipfire.org>
In-Reply-To: <ba6b855a-b0f4-4220-a100-26c1819fd4fd@ipfire.org>
Right, rather be safe than sorry.
I applied this patch to master.
Thanks!
-Michael
> On 19 Dec 2023, at 18:20, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> I would recommend updating squid as soon as possible because of
> CVE-2023-50269.
>
> => https://nvd.nist.gov/vuln/detail/CVE-2023-50269
>
> "...Due to an Uncontrolled Recursion bug in versions 2.6 through
> 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5,
> Squid may be vulnerable to a Denial of Service attack against HTTP
> Request parsing. This problem allows a remote client to perform Denial
> of Service attack by sending a large X-Forwarded-For header when the
> follow_x_forwarded_for feature is configured. This bug is fixed by Squid
> version 6.6..."
>
> As far as I can see, we don't use this feature, but... ;-)
>
> Jm2c,
> Matthias
>
> On 11.12.2023 20:41, Michael Tremer wrote:
>> Thank you for the patch and review.
>>
>> Is there any urgency here to include this in the update that is currently in testing? Considering the latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
>>
>> -Michael
>>
>>> On 9 Dec 2023, at 22:05, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>
>>> Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>
>>>
>>> On 09/12/2023 08:56, Matthias Fischer wrote:
>>>> For details see:
>>>> https://github.com/squid-cache/squid/commits/v6
>>>>
>>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>>> ---
>>>> lfs/squid | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/lfs/squid b/lfs/squid
>>>> index d92341794..c0f465c16 100644
>>>> --- a/lfs/squid
>>>> +++ b/lfs/squid
>>>> @@ -24,7 +24,7 @@
>>>> include Config
>>>> -VER = 6.5
>>>> +VER = 6.6
>>>> THISAPP = squid-$(VER)
>>>> DL_FILE = $(THISAPP).tar.xz
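Review bot: The commit message that accompanies the `VER = 6.6` bump only links the upstream v6 commit list and does not say why the update matters. Later in this thread the update is tied to CVE-2023-50269, which the quoted NVD text says is fixed by 6.6; naming that CVE in the commit message would make the security relevance visible in the log.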
>>>> @@ -46,7 +46,7 @@ objects = $(DL_FILE)
>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de
>>>> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc
>>>> install : $(TARGET)
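Review bot: The replaced `$(DL_FILE)_BLAKE2` value is the only integrity anchor for the new tarball, and neither this hunk nor the commit message says how it was derived. Suggest stating in the commit message that the digest was computed over a tarball checked against whatever checksum or signature upstream publishes for the release, so a reviewer can reproduce it independently.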
>>>>
>>
>
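A triage check for the exposure question raised in this thread (affected version plus `follow_x_forwarded_for` in use), as an added example that is not code from the thread, IPFire, or Squid. It assumes a bare version string such as `6.5` and treats any uncommented `follow_x_forwarded_for` line as "configured"; the function names and the sample configuration are constructed for illustration.

```python
import re

# Affected ranges as quoted from the NVD text in the thread, inclusive.
# Tuples are (major, minor, patch); a 2.x "STABLEn" suffix is read as patch n.
AFFECTED = [
    ((2, 6, 0), (2, 7, 9)),      # 2.6 through 2.7.STABLE9
    ((3, 1, 0), (5, 9, 999)),    # 3.1 through 5.9
    ((6, 0, 1), (6, 5, 999)),    # 6.0.1 through 6.5
]

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?")

def parse_version(text):
    """Turn '6.5', '3.5.28' or '2.7.STABLE9' into a comparable tuple."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Squid version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def version_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def active_fxff_rules(conf_text):
    """Return uncommented follow_x_forwarded_for lines from squid.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.split()[:1] == ["follow_x_forwarded_for"]:
            rules.append(line)
    return rules

def triage(version, conf_text):
    if not version_affected(version):
        return "not affected"
    if active_fxff_rules(conf_text):
        return "exposed: upgrade now"
    return "affected version, feature not configured"

# Constructed sample configuration (not taken from IPFire).
SAMPLE_CONF = """\
http_port 800
# follow_x_forwarded_for allow localhost
acl lb src 192.0.2.10
follow_x_forwarded_for allow lb   # trust the load balancer
"""

if __name__ == "__main__":
    for ver in ("6.5", "6.6", "2.7.STABLE9", "3.0.STABLE26"):
        print(ver, "->", triage(ver, SAMPLE_CONF))
```

An "affected version, feature not configured" result matches the situation described in the thread, where the update is still applied as a precaution.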
Thread overview: 5+ messages
2023-12-09 7:56 Matthias Fischer
2023-12-09 22:05 ` Adolf Belka
2023-12-11 19:41 ` Michael Tremer
2023-12-19 18:20 ` Matthias Fischer
2023-12-20 10:59 ` Michael Tremer [this message]