import CS squid-4.15-9.module_el8+880+b94e8375
This commit is contained in:
parent
aaae289e69
commit
d0f4aff59b
24
SOURCES/squid-4.15-CVE-2023-46724.patch
Normal file
24
SOURCES/squid-4.15-CVE-2023-46724.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
|
||||
index 20b9bf1..81ebb18 100644
|
||||
--- a/src/anyp/Uri.cc
|
||||
+++ b/src/anyp/Uri.cc
|
||||
@@ -173,6 +173,10 @@ urlInitialize(void)
|
||||
assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
|
||||
assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
|
||||
|
||||
+ assert(0 != matchDomainName("foo.com", ""));
|
||||
+ assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
|
||||
+ assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
|
||||
+
|
||||
/* more cases? */
|
||||
}
|
||||
|
||||
@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
|
||||
return -1;
|
||||
|
||||
dl = strlen(d);
|
||||
+ if (dl == 0)
|
||||
+ return 1;
|
||||
|
||||
/*
|
||||
* Start at the ends of the two strings and work towards the
|
1673
SOURCES/squid-4.15-CVE-2023-46728.patch
Normal file
1673
SOURCES/squid-4.15-CVE-2023-46728.patch
Normal file
File diff suppressed because it is too large
Load Diff
1281
SOURCES/squid-4.15-CVE-2023-46846.patch
Normal file
1281
SOURCES/squid-4.15-CVE-2023-46846.patch
Normal file
File diff suppressed because it is too large
Load Diff
23
SOURCES/squid-4.15-CVE-2023-46847.patch
Normal file
23
SOURCES/squid-4.15-CVE-2023-46847.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
|
||||
index 6a9736f..0a883fa 100644
|
||||
--- a/src/auth/digest/Config.cc
|
||||
+++ b/src/auth/digest/Config.cc
|
||||
@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
|
||||
break;
|
||||
|
||||
case DIGEST_NC:
|
||||
- if (value.size() != 8) {
|
||||
+ if (value.size() == 8) {
|
||||
+ // for historical reasons, the nc value MUST be exactly 8 bytes
|
||||
+ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
|
||||
+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
||||
+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
||||
+ } else {
|
||||
debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
|
||||
+ digest_request->nc[0] = 0;
|
||||
}
|
||||
- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
||||
- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
||||
break;
|
||||
|
||||
case DIGEST_CNONCE:
|
30
SOURCES/squid-4.15-CVE-2023-49285.patch
Normal file
30
SOURCES/squid-4.15-CVE-2023-49285.patch
Normal file
@ -0,0 +1,30 @@
|
||||
commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
|
||||
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
||||
Date: Wed Oct 25 19:41:45 2023 +0000
|
||||
|
||||
RFC 1123: Fix date parsing (#1538)
|
||||
|
||||
The bug was discovered and detailed by Joshua Rogers at
|
||||
https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
|
||||
where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
|
||||
Handling".
|
||||
|
||||
diff --git a/lib/rfc1123.c b/lib/rfc1123.c
|
||||
index e5bf9a4d7..cb484cc00 100644
|
||||
--- a/lib/rfc1123.c
|
||||
+++ b/lib/rfc1123.c
|
||||
@@ -50,7 +50,13 @@ make_month(const char *s)
|
||||
char month[3];
|
||||
|
||||
month[0] = xtoupper(*s);
|
||||
+ if (!month[0])
|
||||
+ return -1; // protects *(s + 1) below
|
||||
+
|
||||
month[1] = xtolower(*(s + 1));
|
||||
+ if (!month[1])
|
||||
+ return -1; // protects *(s + 2) below
|
||||
+
|
||||
month[2] = xtolower(*(s + 2));
|
||||
|
||||
for (i = 0; i < 12; i++)
|
||||
|
62
SOURCES/squid-4.15-CVE-2023-49286.patch
Normal file
62
SOURCES/squid-4.15-CVE-2023-49286.patch
Normal file
@ -0,0 +1,62 @@
|
||||
diff --git a/src/ipc.cc b/src/ipc.cc
|
||||
index 42e11e6..a68e623 100644
|
||||
--- a/src/ipc.cc
|
||||
+++ b/src/ipc.cc
|
||||
@@ -19,6 +19,11 @@
|
||||
#include "SquidConfig.h"
|
||||
#include "SquidIpc.h"
|
||||
#include "tools.h"
|
||||
+#include <cstdlib>
|
||||
+
|
||||
+#if HAVE_UNISTD_H
|
||||
+#include <unistd.h>
|
||||
+#endif
|
||||
|
||||
static const char *hello_string = "hi there\n";
|
||||
#ifndef HELLO_BUF_SZ
|
||||
@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||
}
|
||||
|
||||
PutEnvironment();
|
||||
+
|
||||
+ // A dup(2) wrapper that reports and exits the process on errors. The
|
||||
+ // exiting logic is only suitable for this child process context.
|
||||
+ const auto dupOrExit = [prog,name](const int oldFd) {
|
||||
+ const auto newFd = dup(oldFd);
|
||||
+ if (newFd < 0) {
|
||||
+ const auto savedErrno = errno;
|
||||
+ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
|
||||
+ Debug::Extra << "helper (CHILD) PID: " << getpid() <<
|
||||
+ Debug::Extra << "helper program name: " << prog <<
|
||||
+ Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
|
||||
+ _exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ return newFd;
|
||||
+ };
|
||||
+
|
||||
/*
|
||||
* This double-dup stuff avoids problems when one of
|
||||
* crfd, cwfd, or debug_log are in the rage 0-2.
|
||||
@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||
|
||||
do {
|
||||
/* First make sure 0-2 is occupied by something. Gets cleaned up later */
|
||||
- x = dup(crfd);
|
||||
- assert(x > -1);
|
||||
- } while (x < 3 && x > -1);
|
||||
+ x = dupOrExit(crfd);
|
||||
+ } while (x < 3);
|
||||
|
||||
close(x);
|
||||
|
||||
- t1 = dup(crfd);
|
||||
+ t1 = dupOrExit(crfd);
|
||||
|
||||
- t2 = dup(cwfd);
|
||||
+ t2 = dupOrExit(cwfd);
|
||||
|
||||
- t3 = dup(fileno(debug_log));
|
||||
+ t3 = dupOrExit(fileno(debug_log));
|
||||
|
||||
assert(t1 > 2 && t2 > 2 && t3 > 2);
|
||||
|
50
SOURCES/squid-4.15-CVE-2023-50269.patch
Normal file
50
SOURCES/squid-4.15-CVE-2023-50269.patch
Normal file
@ -0,0 +1,50 @@
|
||||
diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
|
||||
index fe2edf6..47aa935 100644
|
||||
--- a/src/ClientRequestContext.h
|
||||
+++ b/src/ClientRequestContext.h
|
||||
@@ -81,6 +81,10 @@ public:
|
||||
#endif
|
||||
ErrorState *error; ///< saved error page for centralized/delayed processing
|
||||
bool readNextRequest; ///< whether Squid should read after error handling
|
||||
+
|
||||
+#if FOLLOW_X_FORWARDED_FOR
|
||||
+ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
|
||||
+#endif
|
||||
};
|
||||
|
||||
#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
|
||||
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
|
||||
index 1c6ff62..b758f6f 100644
|
||||
--- a/src/client_side_request.cc
|
||||
+++ b/src/client_side_request.cc
|
||||
@@ -78,6 +78,11 @@
|
||||
static const char *const crlf = "\r\n";
|
||||
|
||||
#if FOLLOW_X_FORWARDED_FOR
|
||||
+
|
||||
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
|
||||
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
|
||||
+#endif
|
||||
+
|
||||
static void clientFollowXForwardedForCheck(allow_t answer, void *data);
|
||||
#endif /* FOLLOW_X_FORWARDED_FOR */
|
||||
|
||||
@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
|
||||
/* override the default src_addr tested if we have to go deeper than one level into XFF */
|
||||
Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
|
||||
}
|
||||
- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
||||
- return;
|
||||
+ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
|
||||
+ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
||||
+ return;
|
||||
+ }
|
||||
+ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
|
||||
+ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
|
||||
+ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
|
||||
+ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
|
||||
+ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
|
||||
+ // fall through to resume clientAccessCheck() processing
|
||||
}
|
||||
}
|
||||
|
4352
SOURCES/squid-4.15-CVE-2023-5824.patch
Normal file
4352
SOURCES/squid-4.15-CVE-2023-5824.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 4.15
|
||||
Release: 7%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -48,6 +48,24 @@ Patch300: squid-4.15-CVE-2021-28116.patch
|
||||
Patch301: squid-4.15-CVE-2021-46784.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
|
||||
Patch302: squid-4.15-CVE-2022-41318.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2245910
|
||||
# +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270
|
||||
Patch303: squid-4.15-CVE-2023-46846.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2245916
|
||||
Patch304: squid-4.15-CVE-2023-46847.patch
|
||||
# https://issues.redhat.com/browse/RHEL-14792
|
||||
Patch305: squid-4.15-CVE-2023-5824.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2248521
|
||||
Patch306: squid-4.15-CVE-2023-46728.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2247567
|
||||
Patch307: squid-4.15-CVE-2023-46724.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2252926
|
||||
Patch308: squid-4.15-CVE-2023-49285.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2252923
|
||||
Patch309: squid-4.15-CVE-2023-49286.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2254663
|
||||
Patch310: squid-4.15-CVE-2023-50269.patch
|
||||
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
@ -115,6 +133,15 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
%patch300 -p1 -b .CVE-2021-28116
|
||||
%patch301 -p1 -b .CVE-2021-46784
|
||||
%patch302 -p1 -b .CVE-2022-41318
|
||||
%patch303 -p1 -b .CVE-2023-46846
|
||||
%patch304 -p1 -b .CVE-2023-46847
|
||||
%patch305 -p1 -b .CVE-2023-5824
|
||||
%patch306 -p1 -b .CVE-2023-46728
|
||||
%patch307 -p1 -b .CVE-2023-46724
|
||||
%patch308 -p1 -b .CVE-2023-49285
|
||||
%patch309 -p1 -b .CVE-2023-49286
|
||||
%patch310 -p1 -b .CVE-2023-50269
|
||||
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
@ -331,6 +358,27 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
|
||||
- Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request
|
||||
parsing (CVE-2023-50269)
|
||||
|
||||
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
|
||||
- Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
|
||||
processing feature (CVE-2023-49285)
|
||||
- Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return
|
||||
Value In Helper Process management (CVE-2023-49286)
|
||||
- Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate
|
||||
validation (CVE-2023-46724)
|
||||
- Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher
|
||||
protocol code (CVE-2023-46728)
|
||||
- Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists
|
||||
- Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching
|
||||
(CVE-2023-5824)
|
||||
- Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest
|
||||
Authentication (CVE-2023-46847)
|
||||
- Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1
|
||||
and ICAP (CVE-2023-46846)
|
||||
|
||||
* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
|
||||
- Resolves: #2076717 - Crash with half_closed_client on
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user