
Bug 919054

Summary: net-proxy/squid-6.5: stablereq
Product: Gentoo Linux
Reporter: Hank Leininger <hlein>
Component: Stabilization
Assignee: Hank Leininger <hlein>
Status: RESOLVED FIXED
Severity: normal
CC: proxy-maint
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=917615
          https://bugs.gentoo.org/show_bug.cgi?id=916334
Whiteboard:
Package list: =net-proxy/squid-6.5
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 916334, 917615

Description Hank Leininger 2023-12-02 18:23:08 UTC
Please stabilize.

May seem a little early since 6.5 has only been in tree since 2023-11-17, 15 days. By https://www.gentoo.org/support/security/vulnerability-treatment-policy.html I'd put this at a B2, so a target/delay of 10 days.

Every previous version including the only stable one 5.7-r1 is unsafe, unpatched, and unmaintained, likely affected by at least CVE-2023-46728, SQUID-2020:13, SQUID-2021:8, CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848, CVE-2023-5824, SQUID-2023:1, SQUID-2023:2, SQUID-2023:3, SQUID-2023:5.

There are others from https://megamansec.github.io/Squid-Security-Audit/ that haven't been assigned CVEs or GHSA identifiers yet; some may have been fixed silently by now in 6.5, others likely still pending.

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-02 20:27:49 UTC
x86 done

Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-02 21:25:34 UTC
arm done

Comment 3 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2023-12-03 09:33:19 UTC
amd64 done

all arches done