Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919054 - net-proxy/squid-6.5: stablereq
Summary: net-proxy/squid-6.5: stablereq
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Hank Leininger
URL:
Whiteboard:
Keywords: CC-ARCHES
Depends on:
Blocks: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848, CVE-2023-5824, SQUID-2023:1, SQUID-2023:2, SQUID-2023:3, SQUID-2023:4, SQUID-2023:5, SQUID-2023:7, SQUID-2023:8, SQUID-2023:9 CVE-2023-46728, SQUID-2020:13, SQUID-2021:8
  Show dependency tree
 
Reported: 2023-12-02 18:23 UTC by Hank Leininger
Modified: 2023-12-22 01:33 UTC (History)
1 user (show)

See Also:
Package list:
=net-proxy/squid-6.5
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2023-12-02 18:23:08 UTC 
Please stabilize.

May seem a little early since 6.5 has only been in tree since 2023-11-17, 15 days. By https://www.gentoo.org/support/security/vulnerability-treatment-policy.html I'd put this at a B2, so a target/delay of 10 days.

Every previous version including the only stable one 5.7-r1 is unsafe, unpatched, and unmaintained, likely affected by at least CVE-2023-46728, SQUID-2020:13, SQUID-2021:8, CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848, CVE-2023-5824, SQUID-2023:1, SQUID-2023:2, SQUID-2023:3, SQUID-2023:5.

There are others from https://megamansec.github.io/Squid-Security-Audit/ that haven't been assigned CVEs or GHSA identifiers yet; some may have been fixed silently by now in 6.5, others likely still pending.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-02 20:27:49 UTC 
x86 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-02 21:25:34 UTC 
arm done
Comment 3 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2023-12-03 09:33:19 UTC 
amd64 done

all arches done