Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 728768 (CVE-2020-14058, CVE-2020-14059, SQUID-2020-5, SQUID-2020-6)

Summary: <net-misc/squid-4.12: Multiple vulnerabilities (CVE-2020-{14058,14059})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hydrapolic, zlogene
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
=net-proxy/squid-4.12
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 729760    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 12:48:26 UTC 
* SQUID-2020-5 (CVE-2020-14059)

Description:
"Due to an Incorrect Synchronization, Squid is vulnerable to a
Denial of Service attack when processing objects in an SMP cache."

Advisory: http://www.squid-cache.org/Advisories/SQUID-2020_5.txt
Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-w7pw-2m4p-58hr

* SQUID-2020-6 (CVE-2020-14058)

Description:
"Due to use of a potentially dangerous function Squid and the
default certificate validation helper are vulnerable to a Denial
of Service attack when processing TLS certificates."

Advisory: http://www.squid-cache.org/Advisories/SQUID-2020_6.txt
Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 12:48:44 UTC 
Please bump to 4.13.
Comment 2 Tomáš Mózes 2020-06-19 18:05:15 UTC 
Ebuild for 4.12 with the debug patch removed makes it compilable at least.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 11:09:48 UTC 
Let us know when ready to stable.
Comment 4 NATTkA bot gentoo-dev Security 2020-06-21 11:12:28 UTC 
Unable to check for sanity:

> no match for package: =net-misc/squid-4.12
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 19:05:31 UTC 
Acked on IRC
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-28 20:27:38 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-28 20:31:01 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-28 20:38:59 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-28 20:44:33 UTC 
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-06-28 20:48:32 UTC 
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 18:15:06 UTC 
GLSA vote: no.