Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 872551 (CVE-2022-41317, CVE-2022-41318, SQUID-2022:1, SQUID-2022:2) - <net-proxy/squid-5.7: multiple vulnerabilities (SQUID-2022:{1,2})
Summary: <net-proxy/squid-5.7: multiple vulnerabilities (SQUID-2022:{1,2})
Status: IN_PROGRESS
Alias: CVE-2022-41317, CVE-2022-41318, SQUID-2022:1, SQUID-2022:2
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/squid-cache/squid/...
Whiteboard: B3 [stable?]
Keywords:
Depends on: 869968 873427
Blocks: CVE-2021-46784
  Show dependency tree
 
Reported: 2022-09-23 18:53 UTC by Hank Leininger
Modified: 2022-09-30 03:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2022-09-23 18:53:39 UTC
$URL is official, but not yet up to date.

https://marc.info/?l=oss-security&m=166391421412647&w=4
SQUID-2022:1 - CVE-2022-41317
Information disclosure in cache manager

https://marc.info/?l=oss-security&m=166391436712744&w=4
SQUID-2022:2 - CVE-2022-41318
Buffer overflow / memory leak in SSPI and SMB auth

Both are fixed in squid-5.7.

There is an outstanding bump request to 5.7 (https://bugs.gentoo.org/869968), but it is generic, created before these security issues were disclosed.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-24 20:05:32 UTC
Thanks for reporting!
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 16:00:20 UTC
Not sure if zlogene will get to this, feel free to make a PR
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 16:12:24 UTC
(In reply to John Helmert III from comment #2)
> Not sure if zlogene will get to this, feel free to make a PR

Working on it, got changes locally, but I overhauled the whole thing, so having to test it out
Comment 4 Larry the Git Cow gentoo-dev 2022-09-29 02:15:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69e685162ba2ccf86cf04e7ba544718bc9ae41d4

commit 69e685162ba2ccf86cf04e7ba544718bc9ae41d4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-24 06:19:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-29 02:14:37 +0000

    net-proxy/squid: add 5.7
    
    Bug: https://bugs.gentoo.org/858845
    Bug: https://bugs.gentoo.org/872551
    Closes: https://bugs.gentoo.org/706126
    Closes: https://bugs.gentoo.org/869968
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest         |   1 +
 net-proxy/squid/squid-5.7.ebuild | 362 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 363 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 02:17:39 UTC
The ebuild has changed a fair bit so won't rush to stable it just yet.