Bug 53400 - squid: Multiple issues (5.0)
squid: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
: P3 normal (vote)
: UCS 5.0-0-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-06-05 15:32 CEST by Quality Assurance
Modified: 2021-06-09 19:26 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2021-06-05 15:32:41 CEST
New Debian squid 4.6-1+deb10u6A~5.0.0.202106051532 fixes:
This update addresses the following issues:
* denial of service in URN processing (CVE-2021-28651)
* denial of service issue in Cache Manager (CVE-2021-28652)
* denial of service in HTTP response processing (CVE-2021-28662)
* improper input validation in HTTP Range header (CVE-2021-31806)
* incorrect memory management in HTTP Range header (CVE-2021-31807)
* integer overflow in HTTP Range header (CVE-2021-31808)
* denial of service in HTTP response processing (CVE-2021-33620)
Comment 1 Quality Assurance univentionstaff 2021-06-06 09:02:29 CEST
--- mirror/ftp/pool/main/s/squid/squid_4.6-1+deb10u5A~5.0.0.202104091504.dsc
+++ apt/ucs_5.0-0-errata5.0-0/source/squid_4.6-1+deb10u6A~5.0.0.202106051546.dsc
@@ -1,9 +1,25 @@
-4.6-1+deb10u5A~5.0.0.202104091504 [Fri, 09 Apr 2021 15:19:31 +0200] Univention builddaemon <buildd@univention.de>:
+4.6-1+deb10u6A~5.0.0.202106051546 [Sat, 05 Jun 2021 15:46:50 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     001-enable-ssl
     005-squid-4-14311
 
+4.6-1+deb10u6 [Mon, 31 May 2021 10:39:12 +0200] Santiago Garcia Mantinan <manty@debian.org>:
+
+  [ Francisco Vilmar Cardoso Ruviaro ]
+  * Add debian/patches/0029-CVE-2021-28651.patch to fix a Denial
+    of Service in URN processing. (Closes: #988893, CVE-2021-28651)
+
+  [ Santiago Garcia Mantinan ]
+  * Add patch to fix a Denial of Service in HTTP Response Processing.
+    Fixes: CVE-2021-28662. Closes: #988891.
+  * Add patch to fix a Denial of Service issue in Cache Manager.
+    Fixes: CVE-2021-28652. Closes: #988892.
+  * Add patch to fix Multiple Issues in HTTP Range header.
+    Fixes: CVE-2021-31806 CVE-2021-31807 CVE-2021-31808. Closes: #989043.
+  * Add patch to fix a Denial of Service in HTTP Response processing.
+    Fixes: GHSA-572g-rvwr-6c7f.
+
 4.6-1+deb10u5 [Mon, 22 Mar 2021 10:37:24 +0100] Santiago García Mantiñán <manty@debian.org>:
 
   * SQUID-2020:11 HTTP Request Smuggling (CVE-2020-25097) (Closes: #985068)

<http://piuparts.knut.univention.de/5.0-0/#26998272365638845>
Comment 2 Philipp Hahn univentionstaff 2021-06-06 10:07:09 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
Comment 3 Erik Damrose univentionstaff 2021-06-09 19:26:01 CEST
<https://errata.software-univention.de/#/?erratum=5.0x8>