Bug 728768 (CVE-2020-14058, CVE-2020-14059, SQUID-2020-5, SQUID-2020-6) - <net-misc/squid-4.12: Multiple vulnerabilities (CVE-2020-{14058,14059})
Summary: <net-misc/squid-4.12: Multiple vulnerabilities (CVE-2020-{14058,14059})
Status: RESOLVED FIXED
Alias: CVE-2020-14058, CVE-2020-14059, SQUID-2020-5, SQUID-2020-6
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2020-15049
Reported: 2020-06-19 12:48 UTC by Sam James
Modified: 2020-06-29 18:15 UTC

See Also:
Package list:
=net-proxy/squid-4.12
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 12:48:26 UTC
* SQUID-2020-5 (CVE-2020-14059)

Description:
"Due to an Incorrect Synchronization, Squid is vulnerable to a
Denial of Service attack when processing objects in an SMP cache."

Advisory: http://www.squid-cache.org/Advisories/SQUID-2020_5.txt
Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-w7pw-2m4p-58hr

* SQUID-2020-6 (CVE-2020-14058)

Description:
"Due to use of a potentially dangerous function Squid and the
default certificate validation helper are vulnerable to a Denial
of Service attack when processing TLS certificates."

Advisory: http://www.squid-cache.org/Advisories/SQUID-2020_6.txt
Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 12:48:44 UTC
Please bump to 4.13.
Comment 2 Tomáš Mózes 2020-06-19 18:05:15 UTC
Ebuild for 4.12 with the debug patch removed makes it compilable at least.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 11:09:48 UTC
Let us know when ready to stable.
Comment 4 NATTkA bot gentoo-dev 2020-06-21 11:12:28 UTC
Unable to check for sanity:

> no match for package: =net-misc/squid-4.12
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 19:05:31 UTC
Acked on IRC
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-28 20:27:38 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-28 20:31:01 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-28 20:38:59 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-28 20:44:33 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-06-28 20:48:32 UTC
ppc stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 18:15:06 UTC
GLSA vote: no.