import UBI squid-5.5-6.el9_3.5

SOURCES/squid-5.5-CVE-2023-46724.patch

@@ -0,0 +1,24 @@
+diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
+index 20b9bf1..81ebb18 100644
+--- a/src/anyp/Uri.cc
++++ b/src/anyp/Uri.cc
+@@ -173,6 +173,10 @@ urlInitialize(void)
+     assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
+     assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
+ 
++    assert(0 != matchDomainName("foo.com", ""));
++    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
++    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
++
+     /* more cases? */
+ }
+ 
+@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
+         return -1;
+ 
+     dl = strlen(d);
++    if (dl == 0)
++        return 1;
+ 
+     /*
+      * Start at the ends of the two strings and work towards the

SOURCES/squid-5.5-CVE-2023-49285.patch

@@ -0,0 +1,30 @@
+commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Wed Oct 25 19:41:45 2023 +0000
+
+    RFC 1123: Fix date parsing (#1538)
+    
+    The bug was discovered and detailed by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
+    where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
+    Handling".
+
+diff --git a/lib/rfc1123.c b/lib/rfc1123.c
+index e5bf9a4d7..cb484cc00 100644
+--- a/lib/rfc1123.c
++++ b/lib/rfc1123.c
+@@ -50,7 +50,13 @@ make_month(const char *s)
+     char month[3];
+ 
+     month[0] = xtoupper(*s);
++    if (!month[0])
++        return -1; // protects *(s + 1) below
++
+     month[1] = xtolower(*(s + 1));
++    if (!month[1])
++        return -1; // protects *(s + 2) below
++
+     month[2] = xtolower(*(s + 2));
+ 
+     for (i = 0; i < 12; i++)
+

SOURCES/squid-5.5-CVE-2023-49286.patch

@@ -0,0 +1,62 @@
+diff --git a/src/ipc.cc b/src/ipc.cc
+index 42e11e6..a68e623 100644
+--- a/src/ipc.cc
++++ b/src/ipc.cc
+@@ -19,6 +19,11 @@
+ #include "SquidConfig.h"
+ #include "SquidIpc.h"
+ #include "tools.h"
++#include <cstdlib>
++
++#if HAVE_UNISTD_H
++#include <unistd.h>
++#endif
+ 
+ static const char *hello_string = "hi there\n";
+ #ifndef HELLO_BUF_SZ
+@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+     }
+ 
+     PutEnvironment();
++
++    // A dup(2) wrapper that reports and exits the process on errors. The
++    // exiting logic is only suitable for this child process context.
++    const auto dupOrExit = [prog,name](const int oldFd) {
++        const auto newFd = dup(oldFd);
++        if (newFd < 0) {
++            const auto savedErrno = errno;
++            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
++                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
++                   Debug::Extra << "helper program name: " << prog <<
++                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
++            _exit(EXIT_FAILURE);
++        }
++        return newFd;
++    };
++
+     /*
+      * This double-dup stuff avoids problems when one of
+      *  crfd, cwfd, or debug_log are in the rage 0-2.
+@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+ 
+     do {
+         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
+-        x = dup(crfd);
+-        assert(x > -1);
+-    } while (x < 3 && x > -1);
++        x = dupOrExit(crfd);
++    } while (x < 3);
+ 
+     close(x);
+ 
+-    t1 = dup(crfd);
++    t1 = dupOrExit(crfd);
+ 
+-    t2 = dup(cwfd);
++    t2 = dupOrExit(cwfd);
+ 
+-    t3 = dup(fileno(debug_log));
++    t3 = dupOrExit(fileno(debug_log));
+ 
+     assert(t1 > 2 && t2 > 2 && t3 > 2);
+ 

SOURCES/squid-5.5-CVE-2023-5824.patch

@@ -2242,7 +2242,7 @@ index 849d129..14d4e81 100644
  #include "comm/Connection.h"
  #include "errorpage.h"
 diff --git a/src/peer_digest.cc b/src/peer_digest.cc
-index 82bed13..dc1678f 100644
+index 82bed13..e1706f7 100644
 --- a/src/peer_digest.cc
 +++ b/src/peer_digest.cc
 @@ -39,7 +39,6 @@ static EVH peerDigestCheck;
@@ -2263,18 +2263,25 @@ index 82bed13..dc1678f 100644
      if (old_e)
          e->lastModified(old_e->lastModified());
  
-@@ -409,6 +411,11 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
+@@ -409,11 +411,16 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
      digest_read_state_t prevstate;
      int newsize;
  
+-    assert(fetch->pd && receivedData.data);
 +    if (receivedData.flags.error) {
 +        peerDigestFetchAbort(fetch, fetch->buf, "failure loading digest reply from Store");
 +        return;
 +    }
 +
-     assert(fetch->pd && receivedData.data);
++    assert(fetch->pd);
      /* The existing code assumes that the received pointer is
       * where we asked the data to be put
+      */
+-    assert(fetch->buf + fetch->bufofs == receivedData.data);
++    assert(!receivedData.data || fetch->buf + fetch->bufofs == receivedData.data);
+ 
+     /* Update the buffer size */
+     fetch->bufofs += receivedData.length;
 @@ -445,10 +452,6 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
              retsize = peerDigestFetchReply(fetch, fetch->buf, fetch->bufofs);
              break;
@@ -2415,6 +2422,15 @@ index 82bed13..dc1678f 100644
  }
  
  int
+@@ -756,7 +707,7 @@ peerDigestFetchedEnough(DigestFetchState * fetch, char *buf, ssize_t size, const
+     }
+ 
+     /* continue checking (maybe-successful eof case) */
+-    if (!reason && !size) {
++    if (!reason && !size && fetch->state != DIGEST_READ_REPLY) {
+         if (!pd->cd)
+             reason = "null digest?!";
+         else if (fetch->mask_offset != pd->cd->mask_size)
 diff --git a/src/stmem.cc b/src/stmem.cc
 index 8483f86..95218af 100644
 --- a/src/stmem.cc

SPECS/squid.spec

@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  5.5
-Release:  6%{?dist}.2
+Release:  6%{?dist}.5
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -60,6 +60,14 @@ Patch504: squid-5.5-CVE-2023-46847.patch
 Patch505: squid-5.5-CVE-2023-46848.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2245914
 Patch506: squid-5.5-CVE-2023-5824.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2248521
+Patch507: squid-5.5-CVE-2023-46728.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2247567
+Patch508: squid-5.5-CVE-2023-46724.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2252926
+Patch509: squid-5.5-CVE-2023-49285.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2252923
+Patch510: squid-5.5-CVE-2023-49286.patch
 
 # cache_swap.sh
 Requires: bash gawk
@@ -141,6 +149,10 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch504 -p1 -b .CVE-2023-46847
 %patch505 -p1 -b .CVE-2023-46848
 %patch506 -p1 -b .CVE-2023-5824
+%patch507 -p1 -b .CVE-2023-46728
+%patch508 -p1 -b .CVE-2023-46724
+%patch509 -p1 -b .CVE-2023-49285
+%patch510 -p1 -b .CVE-2023-49286
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -367,6 +379,21 @@ fi
 
 
 %changelog
+* Wed Dec 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-6.5
+- Resolves: RHEL-18484 - squid: Buffer over-read in the HTTP Message processing
+  feature (CVE-2023-49285)
+- Resolves: RHEL-18486 - squid: Incorrect Check of Function Return Value In
+  Helper Process management (CVE-2023-49286)
+
+* Wed Dec 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-6.4
+- Resolves: RHEL-16767 - squid: Denial of Service in SSL Certificate validation
+  (CVE-2023-46724)
+- Resolves: RHEL-18250 - squid crashes in assertion when a parent peer exists
+
+* Wed Dec 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-6.3
+- Resolves: RHEL-16778 - squid: NULL pointer dereference in the gopher protocol
+  code (CVE-2023-46728)
+
 * Mon Nov 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-6.2
 - Resolves: RHEL-14800 - squid: squid multiple issues in HTTP response caching