GNU bug report logs - #47142
squid package vulnerable to CVE-2021-28116


Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:37:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org: bug#47142; Package guix. (Sun, 14 Mar 2021 21:37:02 GMT)

Acknowledgement sent to Mark H Weaver <mhw <at> netris.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 14 Mar 2021 21:37:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: squid package vulnerable to CVE-2021-28116
Date: Sun, 14 Mar 2021 17:34:38 -0400
I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.

      Mark

-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: guix-devel <at> gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100

CVE-2021-28116	09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.

Upstream did not release a patch yet. CVE entry to be monitored for a
fix.

https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a
low impact issue.
-------------------- End of forwarded message --------------------
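The forwarded CVE text names two conditions: an affected Squid version ("through 4.14 and 5.x through 5.0.5") and a configuration that actually exercises WCCP. The script below is an added example, not part of this bug report or of the Squid project, that checks both against the `squid -v` banner and a squid.conf. It assumes the WCCP code path is only reachable when a `wccp_router` or `wccp2_router` directive is set (Squid's documented directive names, with `0.0.0.0` as the documented "disabled" value), and it reads the version bounds literally from the CVE text (4.14 and 5.0.5 are the last affected releases, so 4.17 as used on the Guix side is outside the range). The sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a Squid deployment against CVE-2021-28116.
# Not from the bug report or the Squid project; directive names and the
# version boundaries are assumptions stated in the lead-in.

# Print "yes" if VERSION is inside the range the CVE text describes,
# "no" if it is outside, "unknown" if it does not look like a.b[.c].
squid_version_affected() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0        # bare "4" is treated as 4.0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "4.14" has no patch component
    # "through 4.14" covers every release up to and including 4.14;
    # "5.x through 5.0.5" covers 5.0.0 to 5.0.5 only.
    if [ "$major" -lt 4 ] \
       || { [ "$major" -eq 4 ] && [ "$minor" -le 14 ]; } \
       || { [ "$major" -eq 5 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 5 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Extract the version number from the first "Squid Cache: Version X.Y" line
# that `squid -v` prints on stdin.
squid_version_from_banner() {
    sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if FILE contains an uncommented wccp_router / wccp2_router line whose
# router address is not 0.0.0.0 (the disabled value); exit 1 otherwise.
squid_conf_enables_wccp() {
    grep -E '^[[:space:]]*wccp2?_router[[:space:]]' "$1" \
      | grep -Evq '[[:space:]]0\.0\.0\.0([[:space:]]|$)'
}

# Combine both checks: VERSION CONFFILE -> one of
#   vulnerable | safe-version | safe-no-wccp | unknown-version | unknown-config
squid_cve_2021_28116_status() {
    case $(squid_version_affected "$1") in
        unknown) echo unknown-version; return 0 ;;
        no)      echo safe-version;    return 0 ;;
    esac
    [ -r "$2" ] || { echo unknown-config; return 0; }
    if squid_conf_enables_wccp "$2"; then
        echo vulnerable
    else
        echo safe-no-wccp
    fi
}

# Constructed sample configurations (not taken from any real deployment).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat >"$tmpdir/wccp.conf" <<'EOF'
http_port 3128
wccp2_router 192.0.2.1
wccp2_forwarding_method gre
EOF
cat >"$tmpdir/plain.conf" <<'EOF'
http_port 3128
# wccp2_router 192.0.2.1   (commented out, so WCCP is not enabled)
wccp_router 0.0.0.0
EOF

# Stand-alone run: the real banner would come from `squid -v | squid_version_from_banner`.
for ver in 4.14 4.17 5.0.5 5.0.6; do
    for conf in wccp.conf plain.conf; do
        printf '%-6s %-10s %s\n' "$ver" "$conf" \
            "$(squid_cve_2021_28116_status "$ver" "$tmpdir/$conf")"
    done
done
```

On a live host the version argument comes from `squid -v | squid_version_from_banner` and the file argument from the running instance's configuration; an "unknown" result is a reason to inspect by hand rather than a clean bill of health.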

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 15 Mar 2021 13:44:02 GMT)

Added indication that bug 47142 blocks 47297. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Wed, 24 Mar 2021 04:07:02 GMT)

Information forwarded to bug-guix <at> gnu.org: bug#47142; Package guix. (Mon, 05 Apr 2021 20:43:02 GMT)

Message #12 received at 47142 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47142 <at> debbugs.gnu.org
Subject: squid package vulnerable to CVE-2021-28116
Date: Mon, 05 Apr 2021 22:42:40 +0200
Still no fix available from upstream (unclear)

Removed indication that bug 47142 blocks. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Sat, 10 Apr 2021 18:48:02 GMT)

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Wed, 23 Mar 2022 03:07:03 GMT)

Notification sent to Mark H Weaver <mhw <at> netris.org>: bug acknowledged by developer. (Wed, 23 Mar 2022 03:07:03 GMT)

Message #19 received at 47142-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>,
 47142-done <at> debbugs.gnu.org
Subject: Re: bug#47142: squid package vulnerable to CVE-2021-28116
Date: Tue, 22 Mar 2022 23:05:54 -0400
Hello,

Mark H Weaver <mhw <at> netris.org> writes:

> I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.
>
>       Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout <at> zaclys.net>
> To: guix-devel <at> gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116	09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,

We're now using squid 4.17.

Closing.

Thanks,

Maxim
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:10 GMT)

This bug report was last modified 2 years and 1 day ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.