| Summary: | <net-proxy/squid-3.5.27-r1 multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Eray Aslan <eras> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | eras |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | net-proxy/squid-3.5.27-r1 | | |
| Runtime testing required: | --- | | |

Description
Eray Aslan
2018-01-22 13:26:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac4ddfc6691dbb79e70ec1e51feb5f6c4139a046

commit ac4ddfc6691dbb79e70ec1e51feb5f6c4139a046
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2018-01-22 13:29:11 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2018-01-22 13:29:11 +0000

net-proxy/squid: security bump

Bug: https://bugs.gentoo.org/645356
Package-Manager: Portage-2.3.20, Repoman-2.3.6

net-proxy/squid/squid-3.5.27-r1.ebuild | 251 +++++++++++++++++++++++++++++++++
1 file changed, 251 insertions(+)

Arches, please test and mark stable net-proxy/squid-3.5.27-r1

Target Keywords="alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~sparc x86 ~x86-fbsd"

amd64 stable

x86 stable

arm stable

ia64 stable

hppa stable

@Eray, have you checked if squid is affected by CVE-2018-1000027?

Here is the description: The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.

Thanks

(In reply to Christopher Díaz Riveros from comment #8)
> @Eray, have you checked if squid is affected by CVE-2018-1000027?

We have 2 patches in net-proxy/squid-3.5.27-r1: squid-2018-1.patch (which is CVE-2018-1000024) and squid-2018-2.patch (CVE-2018-1000027).

So yes, we are good re CVE-2018-1000027.

Stable on alpha.

ppc stable

ppc64 stable

@maintainer, please drop vulnerable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=290a73f764181cae77a63af83569c4d9023cbea4

commit 290a73f764181cae77a63af83569c4d9023cbea4
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2018-06-19 16:14:22 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2018-06-19 16:14:44 +0000

net-proxy/squid: remove vulnerable

Bug: https://bugs.gentoo.org/645356
Package-Manager: Portage-2.3.40, Repoman-2.3.9

net-proxy/squid/Manifest | 1 -
net-proxy/squid/squid-3.5.26.ebuild | 241 ----------------------------------
net-proxy/squid/squid-3.5.27.ebuild | 249 ------------------------------------
3 files changed, 491 deletions(-)