For details see: https://github.com/squid-cache/squid/commits/v6
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
---
lfs/squid | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/squid b/lfs/squid index d92341794..c0f465c16 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 6.5 +VER = 6.6
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc
install : $(TARGET)
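Review bot: the reason for the bump is missing at the first hunk (-VER = 6.5 / +VER = 6.6); the message only links to the upstream commit list. Suggest summarising in the commit message what 6.6 changes, security fixes first, so that the urgency of the update can be judged from the log itself.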
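Review bot: the new $(DL_FILE)_BLAKE2 value in the second hunk cannot be confirmed from the patch alone, and nothing in the message records how it was obtained. Suggest noting that the digest was computed from a tarball whose upstream signature was checked, since this value is the integrity reference for $(DL_FROM)/$(DL_FILE).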
Reviewed-by: Adolf Belka adolf.belka@ipfire.org
On 09/12/2023 08:56, Matthias Fischer wrote:
For details see: https://github.com/squid-cache/squid/commits/v6
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/squid | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/squid b/lfs/squid index d92341794..c0f465c16 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 6.5 +VER = 6.6
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc
install : $(TARGET)
Thank you for the patch and review.
Is there any urgency here to include this in the update that is currently in testing? Considering the latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
-Michael
On 9 Dec 2023, at 22:05, Adolf Belka adolf.belka@ipfire.org wrote:
Reviewed-by: Adolf Belka adolf.belka@ipfire.org
Hi,
I would recommend updating squid as soon as possible because of CVE-2023-50269.
=> https://nvd.nist.gov/vuln/detail/CVE-2023-50269
"...Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6..."
As far as I can see, we don't use this feature, but... ;-)
Jm2c, Matthias
On 11.12.2023 20:41, Michael Tremer wrote:
Thank you for the patch and review.
Is there any urgency here to include this in the update that is currently in testing? Considering the latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
-Michael
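The NVD text quoted in the message above names two conditions: an affected Squid version and a configured follow_x_forwarded_for feature. The following check for both is an added example, not part of the original thread or of IPFire's code; the sample configuration is constructed, and treating any uncommented directive line as "configured" is an assumption.

```python
import re

# Affected ranges as quoted from NVD in this thread, padded to three fields.
# "2.7.STABLE9" is reduced to 2.7, so every 2.7 release counts as affected.
AFFECTED_RANGES = [
    ((2, 6, 0), (2, 7, 0)),
    ((3, 1, 0), (5, 9, 0)),
    ((6, 0, 1), (6, 5, 0)),
]

def parse_version(text):
    """Extract the dotted version from e.g. 'Squid Cache: Version 6.5'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError("no version number found in %r" % text)
    parts = [int(p) for p in match.group().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def version_affected(text):
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)

def active_directives(conf_text, name="follow_x_forwarded_for"):
    """Return (line number, line) for each uncommented use of the directive.

    Files pulled in through 'include' lines are not followed here.
    """
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.split()[0] == name:
            hits.append((lineno, line))
    return hits

def exposed(version_text, conf_text):
    """True only when both conditions from the quoted advisory text hold."""
    return version_affected(version_text) and bool(active_directives(conf_text))

# Constructed sample configurations (not taken from an IPFire system).
SAMPLE_CONF = """\
http_port 3128
acl localnet src 192.168.0.0/16
# follow_x_forwarded_for allow localnet
http_access allow localnet
"""
SAMPLE_CONF_ENABLED = SAMPLE_CONF + "follow_x_forwarded_for allow localnet\n"
```

On a live system the inputs would be the output of `squid -v` and the contents of the generated squid.conf.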
Right, rather be safe than sorry.
I applied this patch to master.
Thanks!
-Michael
On 19 Dec 2023, at 18:20, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
I would recommend updating squid as soon as possible because of CVE-2023-50269.
=> https://nvd.nist.gov/vuln/detail/CVE-2023-50269
"...Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6..."
As far as I can see, we don't use this feature, but... ;-)
Jm2c, Matthias