From 82b8297bd279ec677613fed8e065c9966f241fd9 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 30 Sep 2024 16:40:47 +0000 Subject: [PATCH] import CS squid-5.5-14.el9 --- SOURCES/squid-5.5-CVE-2024-23638.patch | 30 ++++ SOURCES/squid-5.5-CVE-2024-25111.patch | 192 +++++++++++++++++++++++++ SOURCES/squid-5.5-CVE-2024-25617.patch | 105 ++++++++++++++ SOURCES/squid-5.5-CVE-2024-37894.patch | 13 ++ SOURCES/squid-5.5-ipv6-crash.patch | 113 +++++++++++++++ SPECS/squid.spec | 37 ++++- 6 files changed, 487 insertions(+), 3 deletions(-) create mode 100644 SOURCES/squid-5.5-CVE-2024-23638.patch create mode 100644 SOURCES/squid-5.5-CVE-2024-25111.patch create mode 100644 SOURCES/squid-5.5-CVE-2024-25617.patch create mode 100644 SOURCES/squid-5.5-CVE-2024-37894.patch create mode 100644 SOURCES/squid-5.5-ipv6-crash.patch diff --git a/SOURCES/squid-5.5-CVE-2024-23638.patch b/SOURCES/squid-5.5-CVE-2024-23638.patch new file mode 100644 index 0000000..16b246e --- /dev/null +++ b/SOURCES/squid-5.5-CVE-2024-23638.patch @@ -0,0 +1,30 @@ +commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8 +Author: Alex Rousskov +Date: Sun Nov 12 09:33:20 2023 +0000 + + Do not update StoreEntry expiration after errorAppendEntry() (#1580) + + errorAppendEntry() is responsible for setting entry expiration times, + which it does by calling StoreEntry::storeErrorResponse() that calls + StoreEntry::negativeCache(). + + This change was triggered by a vulnerability report by Joshua Rogers at + https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where + it was filed as "Use-After-Free in Cache Manager Errors". The reported + "use after free" vulnerability was unknowingly addressed by 2022 commit + 1fa761a that removed excessively long "reentrant" store_client calls + responsible for the disappearance of the properly locked StoreEntry in + this (and probably other) contexts. + +diff --git a/src/cache_manager.cc b/src/cache_manager.cc +index 61c7f65be..65bf22dd0 100644 +--- a/src/cache_manager.cc ++++ b/src/cache_manager.cc +@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request, + err->url = xstrdup(entry->url()); + err->detailError(new ExceptionErrorDetail(Here().id())); + errorAppendEntry(entry, err); +- entry->expires = squid_curtime; + return; + } + diff --git a/SOURCES/squid-5.5-CVE-2024-25111.patch b/SOURCES/squid-5.5-CVE-2024-25111.patch new file mode 100644 index 0000000..e39e922 --- /dev/null +++ b/SOURCES/squid-5.5-CVE-2024-25111.patch @@ -0,0 +1,192 @@ +diff --git a/src/http.cc b/src/http.cc +index 98e3969..8b55bf3 100644 +--- a/src/http.cc ++++ b/src/http.cc +@@ -54,6 +54,7 @@ + #include "rfc1738.h" + #include "SquidConfig.h" + #include "SquidTime.h" ++#include "SquidMath.h" + #include "StatCounters.h" + #include "Store.h" + #include "StrList.h" +@@ -1235,18 +1236,26 @@ HttpStateData::readReply(const CommIoCbParams &io) + * Plus, it breaks our lame *HalfClosed() detection + */ + +- Must(maybeMakeSpaceAvailable(true)); +- CommIoCbParams rd(this); // will be expanded with ReadNow results +- rd.conn = io.conn; +- rd.size = entry->bytesWanted(Range(0, inBuf.spaceSize())); ++ const auto moreDataPermission = canBufferMoreReplyBytes(); ++ if (!moreDataPermission) { ++ abortTransaction("ready to read required data, but the read buffer is full and cannot be drained"); ++ return; ++ } ++ ++ const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission.value()); ++ // TODO: Move this logic inside maybeMakeSpaceAvailable(): ++ const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range(0, readSizeMax)) : 0; + +- if (rd.size <= 0) { ++ if (readSizeWanted <= 0) { + assert(entry->mem_obj); + AsyncCall::Pointer nilCall; + entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall))); + return; + } + ++ CommIoCbParams rd(this); // will be expanded with ReadNow results ++ rd.conn = io.conn; ++ rd.size = readSizeWanted; + switch (Comm::ReadNow(rd, inBuf)) { + case Comm::INPROGRESS: + if (inBuf.isEmpty()) +@@ -1617,8 +1626,10 @@ HttpStateData::maybeReadVirginBody() + if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing()) + return; + +- if (!maybeMakeSpaceAvailable(false)) ++ if (!canBufferMoreReplyBytes()) { ++ abortTransaction("more response bytes required, but the read buffer is full and cannot be drained"); + return; ++ } + + // XXX: get rid of the do_next_read flag + // check for the proper reasons preventing read(2) +@@ -1636,40 +1647,78 @@ HttpStateData::maybeReadVirginBody() + Comm::Read(serverConnection, call); + } + +-bool +-HttpStateData::maybeMakeSpaceAvailable(bool doGrow) ++/// Desired inBuf capacity based on various capacity preferences/limits: ++/// * a smaller buffer may not hold enough for look-ahead header/body parsers; ++/// * a smaller buffer may result in inefficient tiny network reads; ++/// * a bigger buffer may waste memory; ++/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize); ++size_t ++HttpStateData::calcReadBufferCapacityLimit() const + { +- // how much we are allowed to buffer +- const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize); +- +- if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) { +- // when buffer is at or over limit already +- debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); +- debugs(11, DBG_DATA, "buffer has {" << inBuf << "}"); +- // Process next response from buffer +- processReply(); +- return false; ++ if (!flags.headers_parsed) ++ return Config.maxReplyHeaderSize; ++ ++ // XXX: Our inBuf is not used to maintain the read-ahead gap, and using ++ // Config.readAheadGap like this creates huge read buffers for large ++ // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the ++ // primary read buffer capacity factor. ++ // ++ // TODO: Cannot reuse throwing NaturalCast() here. Consider removing ++ // .value() dereference in NaturalCast() or add/use NaturalCastOrMax(). ++ const auto configurationPreferences = NaturalSum(Config.readAheadGap).value_or(SBuf::maxSize); ++ ++ // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements ++ // (when explicit configurationPreferences are set too low). ++ ++ return std::min(configurationPreferences, SBuf::maxSize); ++} ++ ++/// The maximum number of virgin reply bytes we may buffer before we violate ++/// the currently configured response buffering limits. ++/// \retval std::nullopt means that no more virgin response bytes can be read ++/// \retval 0 means that more virgin response bytes may be read later ++/// \retval >0 is the number of bytes that can be read now (subject to other constraints) ++std::optional ++HttpStateData::canBufferMoreReplyBytes() const ++{ ++#if USE_ADAPTATION ++ // If we do not check this now, we may say the final "no" prematurely below ++ // because inBuf.length() will decrease as adaptation drains buffered bytes. ++ if (responseBodyBuffer) { ++ debugs(11, 3, "yes, but waiting for adaptation to drain read buffer"); ++ return 0; // yes, we may be able to buffer more (but later) ++ } ++#endif ++ ++ const auto maxCapacity = calcReadBufferCapacityLimit(); ++ if (inBuf.length() >= maxCapacity) { ++ debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity); ++ return std::nullopt; // no, configuration prohibits buffering more + } + ++ const auto maxReadSize = maxCapacity - inBuf.length(); // positive ++ debugs(11, 7, "yes, may read up to " << maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize()); ++ return maxReadSize; // yes, can read up to this many bytes (subject to other constraints) ++} ++ ++/// prepare read buffer for reading ++/// \return the maximum number of bytes the caller should attempt to read ++/// \retval 0 means that the caller should delay reading ++size_t ++HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize) ++{ + // how much we want to read +- const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length())); ++ const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize); + +- if (!read_size) { ++ if (read_size < 2) { + debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); +- return false; ++ return 0; + } + +- // just report whether we could grow or not, do not actually do it +- if (doGrow) +- return (read_size >= 2); +- + // we may need to grow the buffer + inBuf.reserveSpace(read_size); +- debugs(11, 8, (!flags.do_next_read ? "will not" : "may") << +- " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() << +- ") from " << serverConnection); +- +- return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available ++ debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); ++ return read_size; + } + + /// called after writing the very last request byte (body, last-chunk, etc) +diff --git a/src/http.h b/src/http.h +index e70cd7e..f7ed40d 100644 +--- a/src/http.h ++++ b/src/http.h +@@ -15,6 +15,8 @@ + #include "http/StateFlags.h" + #include "sbuf/SBuf.h" + ++#include ++ + class FwdState; + class HttpHeader; + class String; +@@ -112,16 +114,9 @@ private: + + void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination + +- /** +- * determine if read buffer can have space made available +- * for a read. +- * +- * \param grow whether to actually expand the buffer +- * +- * \return whether the buffer can be grown to provide space +- * regardless of whether the grow actually happened. +- */ +- bool maybeMakeSpaceAvailable(bool grow); ++ size_t calcReadBufferCapacityLimit() const; ++ std::optional canBufferMoreReplyBytes() const; ++ size_t maybeMakeSpaceAvailable(size_t maxReadSize); + + // consuming request body + virtual void handleMoreRequestBodyAvailable(); diff --git a/SOURCES/squid-5.5-CVE-2024-25617.patch b/SOURCES/squid-5.5-CVE-2024-25617.patch new file mode 100644 index 0000000..307ef66 --- /dev/null +++ b/SOURCES/squid-5.5-CVE-2024-25617.patch @@ -0,0 +1,105 @@ +diff --git a/src/SquidString.h b/src/SquidString.h +index e36cd27..ea613ad 100644 +--- a/src/SquidString.h ++++ b/src/SquidString.h +@@ -140,7 +140,16 @@ private: + + size_type len_ = 0; /* current length */ + +- static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers ++ /// An earlier 64KB limit was meant to protect some fixed-size buffers, but ++ /// (a) we do not know where those buffers are (or whether they still exist) ++ /// (b) too many String users unknowingly exceeded that limit and asserted. ++ /// We are now using a larger limit to reduce the number of (b) cases, ++ /// especially cases where "compact" lists of items grow 50% in size when we ++ /// convert them to canonical form. The new limit is selected to withstand ++ /// concatenation and ~50% expansion of two HTTP headers limited by default ++ /// request_header_max_size and reply_header_max_size settings. ++ static const size_type SizeMax_ = 3*64*1024 - 1; ++ + /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_ + static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; } + +diff --git a/src/cache_cf.cc b/src/cache_cf.cc +index cb746dc..c4ade96 100644 +--- a/src/cache_cf.cc ++++ b/src/cache_cf.cc +@@ -950,6 +950,18 @@ configDoConfigure(void) + (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize); + } + ++ // Warn about the dangers of exceeding String limits when manipulating HTTP ++ // headers. Technically, we do not concatenate _requests_, so we could relax ++ // their check, but we keep the two checks the same for simplicity sake. ++ const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3; ++ // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings ++ if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax) ++ debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax << ++ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes"); ++ if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax) ++ debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax << ++ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes"); ++ + /* + * Disable client side request pipelining if client_persistent_connections OFF. + * Waste of resources queueing any pipelined requests when the first will close the connection. +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 67a66b0..61a66f1 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -6489,11 +6489,14 @@ TYPE: b_size_t + DEFAULT: 64 KB + LOC: Config.maxRequestHeaderSize + DOC_START +- This specifies the maximum size for HTTP headers in a request. +- Request headers are usually relatively small (about 512 bytes). +- Placing a limit on the request header size will catch certain +- bugs (for example with persistent connections) and possibly +- buffer-overflow or denial-of-service attacks. ++ This directives limits the header size of a received HTTP request ++ (including request-line). Increasing this limit beyond its 64 KB default ++ exposes certain old Squid code to various denial-of-service attacks. This ++ limit also applies to received FTP commands. ++ ++ This limit has no direct affect on Squid memory consumption. ++ ++ Squid does not check this limit when sending requests. + DOC_END + + NAME: reply_header_max_size +@@ -6502,11 +6505,14 @@ TYPE: b_size_t + DEFAULT: 64 KB + LOC: Config.maxReplyHeaderSize + DOC_START +- This specifies the maximum size for HTTP headers in a reply. +- Reply headers are usually relatively small (about 512 bytes). +- Placing a limit on the reply header size will catch certain +- bugs (for example with persistent connections) and possibly +- buffer-overflow or denial-of-service attacks. ++ This directives limits the header size of a received HTTP response ++ (including status-line). Increasing this limit beyond its 64 KB default ++ exposes certain old Squid code to various denial-of-service attacks. This ++ limit also applies to FTP command responses. ++ ++ Squid also checks this limit when loading hit responses from disk cache. ++ ++ Squid does not check this limit when sending responses. + DOC_END + + NAME: request_body_max_size +diff --git a/src/http.cc b/src/http.cc +index 7c9ae70..98e3969 100644 +--- a/src/http.cc ++++ b/src/http.cc +@@ -1926,8 +1926,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request, + + String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR); + +- // if we cannot double strFwd size, then it grew past 50% of the limit +- if (!strFwd.canGrowBy(strFwd.size())) { ++ // Detect unreasonably long header values. And paranoidly check String ++ // limits: a String ought to accommodate two reasonable-length values. ++ if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) { + // There is probably a forwarding loop with Via detection disabled. + // If we do nothing, String will assert on overflow soon. + // TODO: Terminate all transactions with huge XFF? diff --git a/SOURCES/squid-5.5-CVE-2024-37894.patch b/SOURCES/squid-5.5-CVE-2024-37894.patch new file mode 100644 index 0000000..f8352a9 --- /dev/null +++ b/SOURCES/squid-5.5-CVE-2024-37894.patch @@ -0,0 +1,13 @@ +diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc +index b379856..5d87279 100644 +--- a/lib/libTrie/TrieNode.cc ++++ b/lib/libTrie/TrieNode.cc +@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar + /* We trust that privatedata and existant keys have already been checked */ + + if (theLength) { +- int index = transform ? (*transform)(*aString): *aString; ++ const unsigned char index = transform ? (*transform)(*aString): *aString; + + if (!internal[index]) + internal[index] = new TrieNode; diff --git a/SOURCES/squid-5.5-ipv6-crash.patch b/SOURCES/squid-5.5-ipv6-crash.patch new file mode 100644 index 0000000..c47f89d --- /dev/null +++ b/SOURCES/squid-5.5-ipv6-crash.patch @@ -0,0 +1,113 @@ +From a0a9e6dc69d0c7b9ba237702b4c5020abc7ad1f8 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Sat, 4 Nov 2023 00:30:42 +0000 +Subject: [PATCH] Bug 5154: Do not open IPv6 sockets when IPv6 is disabled + (#1567) + +... but allow basic IPv6 manipulations like getSockAddr(). + + Address.cc:663 getAddrInfo() assertion failed: false + +Squids receives IPv6 addresses from traffic, configuration, or +hard-coded constants even when ./configured with --disable-ipv6 or when +IPv6 support was automatically disabled at startup after failing IPv6 +tests. To handle IPv6 correctly, such Squids must support basic IPv6 +operations like recognizing an IPv6 address in a request-target or +reporting an unsolicited IPv6 DNS record. At least for now, such Squids +must also correctly parse configuration-related IPv6 addresses. + +All those activities rely on various low-level operations like filling +addrinfo structure with IP address information. Since 2012 commit +c5fbbc7, Ip::Address::getAddrInfo() was failing for IPv6 addresses when +Ip::EnableIpv6 was falsy. That change correctly recognized[^1] the need +for such Squids to handle IPv6, but to support basic operations, we need +to reject IPv6 addresses at a higher level and without asserting. + +That high-level rejection work is ongoing, but initial attempts have +exposed difficult problems that will take time to address. For now, we +just avoid the assertion while protecting IPv6-disabled Squid from +listening on or opening connections to IPv6 addresses. Since Squid +already expects (and usually correctly handles) socket opening failures, +disabling those operations is better than failing in low-level IP +manipulation code. + +The overall IPv6 posture of IPv6-disabled Squids that lack http_access +or other rules to deny IPv6 requests will change: This fix exposes more +of IPv6-disabled Squid code to IPv6 addresses. It is possible that such +exposure will make some IPv6 resources inside Squid (e.g., a previously +cached HTTP response) accessible to external requests. Squids will not +open or accept IPv6 connections but may forward requests with raw IPv6 +targets to IPv4 cache_peers. Whether these and similar behavior changes +are going to be permanent is open for debate, but even if they are +temporary, they are arguably better than the corresponding assertions. + +These changes do not effect IPv6-enabled Squids. + +The assertion in IPv6-disabled Squid was reported by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/ipv6-assert.html where +it was filed as "Assertion on IPv6 Host Requests with --disable-ipv6". + +[^1]: https://bugs.squid-cache.org/show_bug.cgi?id=3593#c1 +--- + src/comm.cc | 6 ++++++ + src/ip/Address.cc | 2 +- + src/ip/Intercept.cc | 8 ++++++++ + 3 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/comm.cc b/src/comm.cc +index 4659955b011..271ba04d4da 100644 +--- a/src/comm.cc ++++ b/src/comm.cc +@@ -344,6 +344,12 @@ comm_openex(int sock_type, + /* Create socket for accepting new connections. */ + ++ statCounter.syscalls.sock.sockets; + ++ if (!Ip::EnableIpv6 && addr.isIPv6()) { ++ debugs(50, 2, "refusing to open an IPv6 socket when IPv6 support is disabled: " << addr); ++ errno = ENOTSUP; ++ return -1; ++ } ++ + /* Setup the socket addrinfo details for use */ + addr.getAddrInfo(AI); + AI->ai_socktype = sock_type; +diff --git a/src/ip/Address.cc b/src/ip/Address.cc +index b6f810bfc25..ae6db37da5e 100644 +--- a/src/ip/Address.cc ++++ b/src/ip/Address.cc +@@ -623,7 +623,7 @@ Ip::Address::getAddrInfo(struct addrinfo *&dst, int force) const + && dst->ai_protocol == 0) + dst->ai_protocol = IPPROTO_UDP; + +- if (force == AF_INET6 || (force == AF_UNSPEC && Ip::EnableIpv6 && isIPv6()) ) { ++ if (force == AF_INET6 || (force == AF_UNSPEC && isIPv6()) ) { + dst->ai_addr = (struct sockaddr*)new sockaddr_in6; + + memset(dst->ai_addr,0,sizeof(struct sockaddr_in6)); +diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc +index 1a5e2d15af1..a8522efaac0 100644 +--- a/src/ip/Intercept.cc ++++ b/src/ip/Intercept.cc +@@ -15,6 +15,7 @@ + #include "comm/Connection.h" + #include "fde.h" + #include "ip/Intercept.h" ++#include "ip/tools.h" + #include "src/tools.h" + + #include +@@ -430,6 +431,13 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test) + + debugs(3, 3, "Detect TPROXY support on port " << test); + ++ if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) { ++ debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled"); ++ if (doneSuid) ++ leave_suid(); ++ return false; ++ } ++ + int tos = 1; + int tmp_sock = -1; + + diff --git a/SPECS/squid.spec b/SPECS/squid.spec index 9ddda72..9879588 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.5 -Release: 10%{?dist} +Release: 14%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -25,8 +25,8 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -Patch101: squid-5.5-ip-bind-address-no-port.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2151188 +Patch101: squid-5.5-ip-bind-address-no-port.patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -46,6 +46,8 @@ Patch207: squid-5.0.6-active-ftp.patch Patch208: squid-5.1-test-store-cppsuite.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2231827 Patch209: squid-5.5-halfclosed.patch +# https://issues.redhat.com/browse/RHEL-30352 +Patch210: squid-5.5-ipv6-crash.patch # Security patches # https://bugzilla.redhat.com/show_bug.cgi?id=2100721 @@ -70,7 +72,14 @@ Patch509: squid-5.5-CVE-2023-49285.patch Patch510: squid-5.5-CVE-2023-49286.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2254663 Patch511: squid-5.5-CVE-2023-50269.patch - +# https://bugzilla.redhat.com/show_bug.cgi?id=2264309 +Patch512: squid-5.5-CVE-2024-25617.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2268366 +Patch513: squid-5.5-CVE-2024-25111.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2294353 +Patch514: squid-5.5-CVE-2024-37894.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2260051 +Patch515: squid-5.5-CVE-2024-23638.patch # cache_swap.sh Requires: bash gawk @@ -145,6 +154,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch207 -p1 -b .active-ftp %patch208 -p1 -b .test-store-cpp %patch209 -p1 -b .halfclosed +%patch210 -p1 -b .ipv6-crash %patch501 -p1 -b .CVE-2021-46784 %patch502 -p1 -b .CVE-2022-41318 @@ -157,6 +167,11 @@ lookup program (dnsserver), a program for retrieving FTP data %patch509 -p1 -b .CVE-2023-49285 %patch510 -p1 -b .CVE-2023-49286 %patch511 -p1 -b .CVE-2023-50269 +%patch512 -p1 -b .CVE-2024-25617 +%patch513 -p1 -b .CVE-2024-25111 +%patch514 -p1 -b .CVE-2024-37894 +%patch515 -p1 -b .CVE-2024-23638 + # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -383,6 +398,22 @@ fi %changelog +* Mon Jul 01 2024 Luboš Uhliarik - 7:5.5-14 +- Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of + Service (CVE-2024-37894) +- Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against + Cache Manager error responses (CVE-2024-23638) + +* Thu May 09 2024 Luboš Uhliarik - 7:5.5-13 +- Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled + at kernel level but it is asked to connect to an ipv6 address by a client + +* Tue Mar 19 2024 Luboš Uhliarik - 7:5.5-12 +- Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked + Decoding (CVE-2024-25111) +- Resolves: RHEL-26092 - squid: denial of service in HTTP header + parser (CVE-2024-25617) + * Fri Feb 02 2024 Luboš Uhliarik - 7:5.5-10 - Resolves: RHEL-19556 - squid: denial of service in HTTP request parsing (CVE-2023-50269)