Skip to content
GitLab
Explore
Projects
Groups
Topics
Snippets
Projects
Groups
Topics
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Register
Sign in
Toggle navigation
Menu
upstream
rpms
squid
Commits
cabab691
Commit
cabab691
authored
1 month ago
by
CentOS Sources
Browse files
Options
Download
Patches
Plain Diff
import squid-4.15-10.module+el8.10.0+22489+b920747d.3
parent
6f901670
c8-stream-4
imports/c8-stream-4/squid-4.15-10.module+el8.10.0+22489+b920747d.3
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
SOURCES/squid-4.15-CVE-2024-23638.patch
+31
-0
SOURCES/squid-4.15-CVE-2024-23638.patch
SPECS/squid.spec
+14
-5
SPECS/squid.spec
with
45 additions
and
5 deletions
+45
-5
SOURCES/squid-4.15-CVE-2024-23638.patch
0 → 100644
+
31
−
0
View file @
cabab691
commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
Author: Alex Rousskov <rousskov@measurement-factory.com>
Date: Sun Nov 12 09:33:20 2023 +0000
Do not update StoreEntry expiration after errorAppendEntry() (#1580)
errorAppendEntry() is responsible for setting entry expiration times,
which it does by calling StoreEntry::storeErrorResponse() that calls
StoreEntry::negativeCache().
This change was triggered by a vulnerability report by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
it was filed as "Use-After-Free in Cache Manager Errors". The reported
"use after free" vulnerability was unknowingly addressed by 2022 commit
1fa761a that removed excessively long "reentrant" store_client calls
responsible for the disappearance of the properly locked StoreEntry in
this (and probably other) contexts.
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
index 8055ece..fdcc9cf 100644
--- a/src/cache_manager.cc
+++ b/src/cache_manager.cc
@@ -323,7 +323,6 @@
CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request
const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request);
err->url = xstrdup(entry->url());
errorAppendEntry(entry, err);
- entry->expires = squid_curtime;
return;
}
This diff is collapsed.
Click to expand it.
SPECS/squid.spec
+
14
−
5
View file @
cabab691
...
...
@@ -2,7 +2,7 @@
Name: squid
Version: 4.15
Release: 10%{?dist}.
1
Release: 10%{?dist}.
3
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
...
...
@@ -72,7 +72,8 @@ Patch312: squid-4.15-CVE-2024-25111.patch
# Regression caused by squid-4.15-CVE-2023-46846.patch
# Upstream PR: https://github.com/squid-cache/squid/pull/1914
Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2260051
Patch314: squid-4.15-CVE-2024-23638.patch
Requires: bash >= 2.0
Requires(pre): shadow-utils
...
...
@@ -89,8 +90,6 @@ BuildRequires: openssl-devel
BuildRequires: krb5-devel
# time_quota requires DB
BuildRequires: libdb-devel
# ESI support requires Expat & libxml2
BuildRequires: expat-devel libxml2-devel
# TPROXY requires libcap, and also increases security somewhat
BuildRequires: libcap-devel
# eCAP support
...
...
@@ -151,6 +150,7 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch311 -p1 -b .CVE-2024-25617
%patch312 -p1 -b .CVE-2024-25111
%patch313 -p1 -b .ignore-wsp-chunk-sz
%patch314 -p1 -b .CVE-2024-23638
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation
...
...
@@ -195,7 +195,7 @@ autoconf
--enable-storeio="aufs,diskd,ufs,rock" \
--enable-diskio \
--enable-wccpv2 \
--
en
able-esi \
--
dis
able-esi \
--enable-ecap \
--with-aio \
--with-default-user="squid" \
...
...
@@ -367,6 +367,15 @@ fi
%changelog
* Wed Nov 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.3
- Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to
a Denial of Service attack against Cache Manager error responses
* Thu Nov 07 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.2
- Disable ESI support
- Resolves: RHEL-65075 - CVE-2024-45802 squid:4/squid: Denial of Service
processing ESI response content
* Mon Oct 14 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.1
- Resolves: RHEL-56024 - (Regression) Transfer-encoding:chunked data is not sent
to the client in its complementary
...
...
This diff is collapsed.
Click to expand it.
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
Menu
Explore
Projects
Groups
Topics
Snippets