Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of
Service (CVE-2024-37894) Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against Cache Manager error responses (CVE-2024-23638)
This commit is contained in:
parent
c606686d6e
commit
dd9c76343a
30
squid-5.5-CVE-2024-23638.patch
Normal file
30
squid-5.5-CVE-2024-23638.patch
Normal file
@ -0,0 +1,30 @@
|
||||
commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
|
||||
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
||||
Date: Sun Nov 12 09:33:20 2023 +0000
|
||||
|
||||
Do not update StoreEntry expiration after errorAppendEntry() (#1580)
|
||||
|
||||
errorAppendEntry() is responsible for setting entry expiration times,
|
||||
which it does by calling StoreEntry::storeErrorResponse() that calls
|
||||
StoreEntry::negativeCache().
|
||||
|
||||
This change was triggered by a vulnerability report by Joshua Rogers at
|
||||
https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
|
||||
it was filed as "Use-After-Free in Cache Manager Errors". The reported
|
||||
"use after free" vulnerability was unknowingly addressed by 2022 commit
|
||||
1fa761a that removed excessively long "reentrant" store_client calls
|
||||
responsible for the disappearance of the properly locked StoreEntry in
|
||||
this (and probably other) contexts.
|
||||
|
||||
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
|
||||
index 61c7f65be..65bf22dd0 100644
|
||||
--- a/src/cache_manager.cc
|
||||
+++ b/src/cache_manager.cc
|
||||
@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
|
||||
err->url = xstrdup(entry->url());
|
||||
err->detailError(new ExceptionErrorDetail(Here().id()));
|
||||
errorAppendEntry(entry, err);
|
||||
- entry->expires = squid_curtime;
|
||||
return;
|
||||
}
|
||||
|
13
squid-5.5-CVE-2024-37894.patch
Normal file
13
squid-5.5-CVE-2024-37894.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc
|
||||
index b379856..5d87279 100644
|
||||
--- a/lib/libTrie/TrieNode.cc
|
||||
+++ b/lib/libTrie/TrieNode.cc
|
||||
@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar
|
||||
/* We trust that privatedata and existant keys have already been checked */
|
||||
|
||||
if (theLength) {
|
||||
- int index = transform ? (*transform)(*aString): *aString;
|
||||
+ const unsigned char index = transform ? (*transform)(*aString): *aString;
|
||||
|
||||
if (!internal[index])
|
||||
internal[index] = new TrieNode;
|
15
squid.spec
15
squid.spec
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 5.5
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -76,7 +76,10 @@ Patch511: squid-5.5-CVE-2023-50269.patch
|
||||
Patch512: squid-5.5-CVE-2024-25617.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2268366
|
||||
Patch513: squid-5.5-CVE-2024-25111.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2294353
|
||||
Patch514: squid-5.5-CVE-2024-37894.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2260051
|
||||
Patch515: squid-5.5-CVE-2024-23638.patch
|
||||
|
||||
# cache_swap.sh
|
||||
Requires: bash gawk
|
||||
@ -166,6 +169,8 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
%patch511 -p1 -b .CVE-2023-50269
|
||||
%patch512 -p1 -b .CVE-2024-25617
|
||||
%patch513 -p1 -b .CVE-2024-25111
|
||||
%patch514 -p1 -b .CVE-2024-37894
|
||||
%patch515 -p1 -b .CVE-2024-23638
|
||||
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
@ -393,6 +398,12 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-14
|
||||
- Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of
|
||||
Service (CVE-2024-37894)
|
||||
- Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against
|
||||
Cache Manager error responses (CVE-2024-23638)
|
||||
|
||||
* Thu May 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
|
||||
- Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled
|
||||
at kernel level but it is asked to connect to an ipv6 address by a client
|
||||
|
Loading…
Reference in New Issue
Block a user