Right, rather be safe than sorry. I applied this patch to master. Thanks! -Michael > On 19 Dec 2023, at 18:20, Matthias Fischer wrote: > > Hi, > > I would recommend updating squid as soon as possible because of > CVE-2023-50269. > > => https://nvd.nist.gov/vuln/detail/CVE-2023-50269 > > "...Due to an Uncontrolled Recursion bug in versions 2.6 through > 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, > Squid may be vulnerable to a Denial of Service attack against HTTP > Request parsing. This problem allows a remote client to perform Denial > of Service attack by sending a large X-Forwarded-For header when the > follow_x_forwarded_for feature is configured. This bug is fixed by Squid > version 6.6..." > > As far as I can see, we don't use this feature, but... ;-) > > Jm2c, > Matthias > > On 11.12.2023 20:41, Michael Tremer wrote: >> Thank you for the patch and review. >> >> Is there any urgency here to include this in the update that is currently in testing? Considering that latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible. >> >> -Michael >> >>> On 9 Dec 2023, at 22:05, Adolf Belka wrote: >>> >>> Reviewed-by: Adolf Belka >>> >>> On 09/12/2023 08:56, Matthias Fischer wrote: >>>> For details see: >>>> https://github.com/squid-cache/squid/commits/v6 >>>> >>>> Signed-off-by: Matthias Fischer >>>> --- >>>> lfs/squid | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/lfs/squid b/lfs/squid >>>> index d92341794..c0f465c16 100644 >>>> --- a/lfs/squid >>>> +++ b/lfs/squid >>>> @@ -24,7 +24,7 @@ >>>> include Config >>>> -VER = 6.5 >>>> +VER = 6.6 >>>> THISAPP = squid-$(VER) >>>> DL_FILE = $(THISAPP).tar.xz 
>>>> @@ -46,7 +46,7 @@ objects = $(DL_FILE) >>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de >>>> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc >>>> install : $(TARGET) >>>> >> >
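Review bot: the `VER = 6.5` to `VER = 6.6` bump in the first hunk (`@@ -24,7 +24,7 @@`) is documented only by a link to the upstream v6 commit list, so the log does not record that 6.6 is the release that fixes CVE-2023-50269, as the NVD text quoted in this thread states. Suggest naming the CVE and the fixed version in the commit message so that the security relevance of the update can be found from the history alone.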
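Review bot: in the second hunk (`@@ -46,7 +46,7 @@`) the replaced `$(DL_FILE)_BLAKE2` value is the only integrity check on `squid-6.6.tar.xz` visible here, and neither the patch nor its message says where the new digest came from. Suggest noting in the commit message that the digest was computed from a tarball checked against the upstream release, and that the reviewer recompute it from an independently fetched copy rather than from the `$(DL_FROM)` file before adding Reviewed-by.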