Bug 938814 - <net-proxy/squid-6.10: buffer underflow in ESI
Summary: <net-proxy/squid-6.10: buffer underflow in ESI
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://megamansec.github.io/Squid-Se...
Whiteboard: B2 [cleanup glsa?]
Keywords:
Depends on: 941077
Blocks:
Reported: 2024-08-31 07:44 UTC by Sam James
Modified: 2024-10-24 12:05 UTC

See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-08-31 07:44:22 UTC
https://github.com/squid-cache/squid/commit/67f5496f7b72e698ad0f5aa3512c83089424f27f

"""
TrieNode::add() incorrectly computed an offset of an internal data
structure, resulting in out-of-bounds memory accesses that could cause
corruption or crashes.

This bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/esi-underflow.html
where it was filed as "Buffer Underflow in ESI".
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-08-31 07:45:21 UTC
Note that 6.10 disables ESI by default:

-squid_opt_use_esi=auto
-AH_TEMPLATE([USE_SQUID_ESI],[Define to enable the ESI processor])
-AC_ARG_ENABLE(esi,
-  AS_HELP_STRING([--disable-esi],
-                 [Disable ESI for accelerators. ESI requires expat or xml2 library.
+AH_TEMPLATE([USE_SQUID_ESI],[whether to enable ESI processing])
+AC_ARG_ENABLE(esi,[
+  AS_HELP_STRING([--enable-esi],
+                 [Enable ESI for accelerators. ESI requires expat or xml2 library.
                   Enabling ESI will cause squid reverse proxies to be capable
-                  of the Edge Acceleration Specification (www.esi.org).]),
-                 [squid_opt_use_esi=$enableval],[])
+                  of the Edge Acceleration Specification (www.esi.org).])
+],[
+  SQUID_DEFINE_BOOL(USE_SQUID_ESI,$enable_esi)
+])
+AC_MSG_NOTICE([Enable ESI processor: ${enable_esi:=no (auto)}])
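
Review bot: In the last added line, `${enable_esi:=no (auto)}` is the assigning form of parameter expansion, so printing the notice also sets enable_esi to the string "no (auto)" whenever the option was not given, and any later comparison of $enable_esi against a plain "no" would not match. Because SQUID_DEFINE_BOOL(USE_SQUID_ESI,$enable_esi) sits only in the action-if-given argument of AC_ARG_ENABLE, the default case never passes through it, and a value supplied as --enable-esi=... reaches it without validation. Suggest `${enable_esi:-no (auto)}` for the message, setting the default explicitly before the macro call, and rejecting values other than yes or no.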

Not sure if we should add a USE for it?
Comment 2 Larry the Git Cow gentoo-dev 2024-08-31 07:46:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8e5c266f514892438b4b5be73ab69531565026b

commit d8e5c266f514892438b4b5be73ab69531565026b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-31 07:43:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-31 07:46:16 +0000

    net-proxy/squid: add 6.10
    
    Bug: https://bugs.gentoo.org/938814
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest          |   2 +
 net-proxy/squid/squid-6.10.ebuild | 402 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)