Message ID | 20231209075658.3787449-1-matthias.fischer@ipfire.org |
---|---|
State | Accepted |
Commit | cdbaf83bb6e4a932899ce2cb256a3a57cfc1f70c |
Headers |
From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] squid: Update to 6.6 Date: Sat, 9 Dec 2023 08:56:58 +0100 Message-Id: <20231209075658.3787449-1-matthias.fischer@ipfire.org> List-Id: IPFire development talk <development.lists.ipfire.org> Archived-At: <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/EEHVQRYZR5G5OBXMKYTIBK2D4YROHIUK/> |
Series |
squid: Update to 6.6
|
|
Commit Message
Matthias Fischer
Dec. 9, 2023, 7:56 a.m. UTC
For details see:
https://github.com/squid-cache/squid/commits/v6
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/squid | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>

On 09/12/2023 08:56, Matthias Fischer wrote:
> For details see:
> https://github.com/squid-cache/squid/commits/v6
>
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> lfs/squid | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lfs/squid b/lfs/squid > index d92341794..c0f465c16 100644 > --- a/lfs/squid > +++ b/lfs/squid > @@ -24,7 +24,7 @@ > > include Config > > -VER = 6.5 > +VER = 6.6 > > THISAPP = squid-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -46,7 +46,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de > +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc > > install : $(TARGET) >
Thank you for the patch and review.

Is there any urgency here to include this in the update that is currently in testing? Considering that latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.

-Michael

> On 9 Dec 2023, at 22:05, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
>
> On 09/12/2023 08:56, Matthias Fischer wrote:
>> For details see:
>> https://github.com/squid-cache/squid/commits/v6
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>> lfs/squid | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lfs/squid b/lfs/squid >> index d92341794..c0f465c16 100644 >> --- a/lfs/squid >> +++ b/lfs/squid >> @@ -24,7 +24,7 @@ >> include Config >> -VER = 6.5 >> +VER = 6.6 >> THISAPP = squid-$(VER) >> DL_FILE = $(THISAPP).tar.xz >> @@ -46,7 +46,7 @@ objects = $(DL_FILE) >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de >> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc >> install : $(TARGET) >>
Hi,

I would recommend updating squid as soon as possible because of CVE-2023-50269.

=> https://nvd.nist.gov/vuln/detail/CVE-2023-50269

"...Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6..."

As far as I can see, we don't use this feature, but... ;-)

Jm2c,
Matthias

On 11.12.2023 20:41, Michael Tremer wrote:
> Thank you for the patch and review.
>
> Is there any urgency here to include this in the update that is currently in testing? Considering that latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
>
> -Michael
>
>> On 9 Dec 2023, at 22:05, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
>>
>> On 09/12/2023 08:56, Matthias Fischer wrote:
>>> For details see:
>>> https://github.com/squid-cache/squid/commits/v6
>>>
>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>> ---
>>> lfs/squid | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/lfs/squid b/lfs/squid >>> index d92341794..c0f465c16 100644 >>> --- a/lfs/squid >>> +++ b/lfs/squid >>> @@ -24,7 +24,7 @@ >>> include Config >>> -VER = 6.5 >>> +VER = 6.6 >>> THISAPP = squid-$(VER) >>> DL_FILE = $(THISAPP).tar.xz
>>> @@ -46,7 +46,7 @@ objects = $(DL_FILE) >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de >>> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc >>> install : $(TARGET) >>> >
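A check for the exposure condition quoted from the NVD entry in the message above, added here as an example (not part of the thread, and not IPFire or Squid code): it tests a version string against the quoted affected ranges and looks for active `follow_x_forwarded_for` rules in a squid.conf text. Counting only `allow` rules as "configured", and the sample configuration, are assumptions of this example.

```python
import re

# Inclusive affected ranges, from the NVD text quoted in the thread.
AFFECTED = [((2, 6), (2, 7)), ((3, 1), (5, 9)), ((6, 0, 1), (6, 5))]

# Active (uncommented) rule line: follow_x_forwarded_for allow|deny <acl...>
RULE = re.compile(r"^\s*follow_x_forwarded_for\s+(allow|deny)\s+(\S.*)$")

# Constructed sample, not IPFire's generated squid.conf.
SAMPLE_CONF = """\
http_port 3128
acl frontends src 192.0.2.10
#follow_x_forwarded_for allow all
follow_x_forwarded_for allow frontends
follow_x_forwarded_for deny all
"""


def parse_version(text):
    """Leading numeric components only: '2.7.STABLE9' -> (2, 7)."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def version_affected(text):
    v = parse_version(text)
    # Truncate to the bound's length so any 2.7.x or 5.9.x counts as <= the bound.
    return any(lo <= v and v[:len(hi)] <= hi for lo, hi in AFFECTED)


def xff_rules(conf_text):
    """Return (line number, action, acl names) for each active rule."""
    rules = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line)
        if m:
            rules.append((lineno, m.group(1), m.group(2).split()))
    return rules


def exposed(version, conf_text):
    # Assumption: the feature counts as configured once any allow rule is active.
    allows = [r for r in xff_rules(conf_text) if r[1] == "allow"]
    return version_affected(version) and bool(allows)


if __name__ == "__main__":
    for ver in ("6.5", "6.6"):
        print(ver, "exposed:", exposed(ver, SAMPLE_CONF), xff_rules(SAMPLE_CONF))
```

Files pulled in through squid.conf `include` lines are not followed, so run the check over each included file as well.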
Right, rather be safe than sorry. I applied this patch to master. Thanks!

-Michael

> On 19 Dec 2023, at 18:20, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>
> Hi,
>
> I would recommend updating squid as soon as possible because of
> CVE-2023-50269.
>
> => https://nvd.nist.gov/vuln/detail/CVE-2023-50269
>
> "...Due to an Uncontrolled Recursion bug in versions 2.6 through
> 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5,
> Squid may be vulnerable to a Denial of Service attack against HTTP
> Request parsing. This problem allows a remote client to perform Denial
> of Service attack by sending a large X-Forwarded-For header when the
> follow_x_forwarded_for feature is configured. This bug is fixed by Squid
> version 6.6..."
>
> As far as I can see, we don't use this feature, but... ;-)
>
> Jm2c,
> Matthias
>
> On 11.12.2023 20:41, Michael Tremer wrote:
>> Thank you for the patch and review.
>>
>> Is there any urgency here to include this in the update that is currently in testing? Considering that latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
>>
>> -Michael
>>
>>> On 9 Dec 2023, at 22:05, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
>>>
>>> On 09/12/2023 08:56, Matthias Fischer wrote:
>>>> For details see:
>>>> https://github.com/squid-cache/squid/commits/v6
>>>>
>>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>>>> ---
>>>> lfs/squid | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/lfs/squid b/lfs/squid >>>> index d92341794..c0f465c16 100644 >>>> --- a/lfs/squid >>>> +++ b/lfs/squid >>>> @@ -24,7 +24,7 @@ >>>> include Config >>>> -VER = 6.5 >>>> +VER = 6.6 >>>> THISAPP = squid-$(VER) >>>> DL_FILE = $(THISAPP).tar.xz
>>>> @@ -46,7 +46,7 @@ objects = $(DL_FILE) >>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de >>>> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc >>>> install : $(TARGET) >>>> >> >
diff --git a/lfs/squid b/lfs/squid index d92341794..c0f465c16 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 6.5 +VER = 6.6 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc install : $(TARGET)
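Review bot: The commit message for the `VER = 6.5` to `VER = 6.6` bump in the first hunk does not name the security fix it carries; it only links to the upstream v6 commit list. The follow-up in this thread cites CVE-2023-50269 as fixed by 6.6, so adding that CVE id to the commit message would let anyone reading the log see why the update matters without following the link.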
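Review bot: In the second hunk, the new `$(DL_FILE)_BLAKE2` value is the only integrity pin visible for the 6.6 tarball, and nothing in the patch or commit message says how it was obtained. Suggest stating in the commit message that the digest was computed over a tarball checked against upstream's published release checksum or signature, so a reviewer can reproduce the value instead of trusting it as pasted.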