From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid: Update to 6.6
Date: Wed, 20 Dec 2023 10:59:04 +0000
Message-ID: <34260A24-01A6-44FE-978F-E60CB2269D76@ipfire.org>

Right, rather be safe than sorry.

I applied this patch to master.

Thanks!

-Michael

> On 19 Dec 2023, at 18:20, Matthias Fischer wrote:
> 
> Hi,
> 
> I would recommend updating squid as soon as possible because of
> CVE-2023-50269.
> 
> => https://nvd.nist.gov/vuln/detail/CVE-2023-50269
> 
> "...Due to an Uncontrolled Recursion bug in versions 2.6 through
> 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5,
> Squid may be vulnerable to a Denial of Service attack against HTTP
> Request parsing. This problem allows a remote client to perform Denial
> of Service attack by sending a large X-Forwarded-For header when the
> follow_x_forwarded_for feature is configured. This bug is fixed by Squid
> version 6.6..."
> 
> As far as I can see, we don't use this feature, but... ;-)
> 
> Jm2c,
> Matthias
> 
> On 11.12.2023 20:41, Michael Tremer wrote:
>> Thank you for the patch and review.
>> 
>> Is there any urgency here to include this in the update that is currently in testing? Considering the latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
>> 
>> -Michael
>> 
>>> On 9 Dec 2023, at 22:05, Adolf Belka wrote:
>>> 
>>> Reviewed-by: Adolf Belka
>>> 
>>> On 09/12/2023 08:56, Matthias Fischer wrote:
>>>> For details see:
>>>> https://github.com/squid-cache/squid/commits/v6
>>>> 
>>>> Signed-off-by: Matthias Fischer
>>>> ---
>>>> lfs/squid | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>> 
>>>> diff --git a/lfs/squid b/lfs/squid
>>>> index d92341794..c0f465c16 100644
>>>> --- a/lfs/squid
>>>> +++ b/lfs/squid
>>>> @@ -24,7 +24,7 @@
>>>> include Config
>>>> -VER = 6.5
>>>> +VER = 6.6
>>>> THISAPP = squid-$(VER)
>>>> DL_FILE = $(THISAPP).tar.xz
>>>> @@ -46,7 +46,7 @@ objects = $(DL_FILE)
>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de
>>>> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc
>>>> install : $(TARGET)
>>>> 
>> 
> 
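Review bot: the commit message gives only the upstream commit-log URL as the rationale for the VER bump from 6.5 to 6.6 in the first hunk (@@ -24,7 +24,7 @@), while the reason the thread treats this as urgent is CVE-2023-50269, which the quoted NVD text says is fixed in 6.6. Please name the CVE in the commit message so the security motivation is recorded in the git history rather than only on the list.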
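Review bot: the new `$(DL_FILE)_BLAKE2` value in the second hunk (@@ -46,7 +46,7 @@) is the only integrity control on the downloaded squid-6.6.tar.xz, and neither the patch nor the commit message says how it was obtained. Please state that the hash was computed (for example with `b2sum squid-6.6.tar.xz`) on a tarball whose upstream signature or published checksum was verified first; a hash taken from a locally fetched file only pins whatever the submitter happened to download.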
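The NVD text quoted in the thread gives two conditions for exposure to CVE-2023-50269: an affected Squid version, and follow_x_forwarded_for configured. The following check is an added example written for this page, not code from the IPFire project, from Squid, or from anyone in the thread. It encodes both conditions: a version parser that understands the 2.7.STABLEn form and compares against the ranges the CVE lists, and a scan of a squid.conf for an active `follow_x_forwarded_for allow` rule (Squid's default for that directive is deny all, so only an allow line turns the feature on). The squid.conf excerpts and the ACL names in them are constructed for the example.

```python
"""Check whether a Squid deployment meets both CVE-2023-50269 conditions.

Added example for this page; not IPFire's or Squid's own code.
The affected ranges below are the ones stated in the CVE text:
2.6 .. 2.7.STABLE9, 3.1 .. 5.9, 6.0.1 .. 6.5 (fixed in 6.6).
"""
import re
from typing import List, Tuple

AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 6), (2, 7, 9)),      # 2.6 through 2.7.STABLE9
    ((3, 1), (5, 9)),         # 3.1 through 5.9
    ((6, 0, 1), (6, 5)),      # 6.0.1 through 6.5
]


def version_key(ver: str) -> Tuple[int, ...]:
    """Turn '2.7.STABLE9' / '6.5' / '6.0.1' into a comparable int tuple.

    'STABLEn' is mapped to n so 2.7.STABLE9 sorts as (2, 7, 9). Any other
    suffix is rejected rather than silently ordered wrong.
    """
    parts = []
    for p in ver.strip().split("."):
        m = re.fullmatch(r"(?:STABLE)?(\d+)", p)
        if not m:
            raise ValueError(f"unrecognised version component: {p!r}")
        parts.append(int(m.group(1)))
    return tuple(parts)


def version_affected(ver: str) -> bool:
    """True if ver falls inside one of the CVE's inclusive ranges."""
    v = version_key(ver)
    for lo, hi in AFFECTED_RANGES:
        # Lower bound is a plain tuple compare; the upper bound is matched
        # by prefix so that a hypothetical 6.5.1 still counts as "through 6.5".
        if lo <= v and v[: len(hi)] <= hi:
            return True
    return False


_DIRECTIVE = re.compile(r"^follow_x_forwarded_for\s+(allow|deny)\b", re.I)


def xff_following_enabled(conf: str) -> bool:
    """True if squid.conf has at least one 'follow_x_forwarded_for allow' rule.

    Comments (# to end of line) and blank lines are ignored. Only this one
    file is inspected; 'include' directives are not followed.
    """
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower() == "allow":
            return True
    return False


def exposed(ver: str, conf: str) -> bool:
    """Both CVE conditions must hold: affected version AND XFF following on."""
    return version_affected(ver) and xff_following_enabled(conf)


# Constructed squid.conf excerpts for the example (not IPFire's configuration).
CONF_XFF_ON = """\
acl localnet src 192.168.0.0/16
# trust X-Forwarded-For only from the front-end load balancer
acl lb src 10.0.0.5
follow_x_forwarded_for allow lb
follow_x_forwarded_for deny all
http_access allow localnet
"""

CONF_XFF_OFF = """\
acl localnet src 192.168.0.0/16
# follow_x_forwarded_for allow all   (deliberately left commented out)
http_access allow localnet
"""

if __name__ == "__main__":
    for ver in ("2.7.STABLE9", "2.7.STABLE10", "5.9", "6.0", "6.0.1", "6.5", "6.6"):
        print(f"squid {ver}: version affected = {version_affected(ver)}")
    print("6.5 + XFF on  ->", exposed("6.5", CONF_XFF_ON))
    print("6.6 + XFF on  ->", exposed("6.6", CONF_XFF_ON))
    print("6.5 + XFF off ->", exposed("6.5", CONF_XFF_OFF))
```

Run it as a script to print the version matrix, or import it and feed `exposed()` the output of `squid -v` and the contents of the real squid.conf. The version check is deliberately kept separate from the config check: a build in the affected range with the feature off is, per the CVE text, not reachable by this bug, but it is still the version that needs the update, which is the position the thread takes.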