Leo Famulari <leo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Received: (at 47142) by debbugs.gnu.org; 5 Apr 2021 20:43:00 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Mon Apr 05 16:43:00 2021 Received: from localhost ([127.0.0.1]:38722 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lTW3o-0004l8-5u for submit <at> debbugs.gnu.org; Mon, 05 Apr 2021 16:43:00 -0400 Received: from mail.zaclys.net ([178.33.93.72]:43589) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lle-bout@HIDDEN>) id 1lTW3k-0004ks-Mx for 47142 <at> debbugs.gnu.org; Mon, 05 Apr 2021 16:42:57 -0400 Received: from [192.168.1.115] (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 135Kgo6G055791 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <47142 <at> debbugs.gnu.org>; Mon, 5 Apr 2021 22:42:50 +0200 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 135Kgo6G055791 Authentication-Results: mail.zaclys.net; dmarc=fail (p=reject dis=none) header.from=zaclys.net Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@HIDDEN DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1617655370; bh=3Q1iNFI19wr/HaovmgYaoEfpb0mzM+GgDd1nTAmSLxg=; h=Subject:From:To:Date:From; b=gnRysIclVYhNwte9mSCGPOqO+F/U048YN6q4qCOVNIFfnjZzLxvTl14gylLPxmgmB 50Nsni3N/pSxqVrskZZHPju5F4MO9O1hnxVpm9QYLeqyNyiNbfCZXqZEIuiyZVjT0z aMJ1gMARvCZ9CogAWVLhIy04bmJ8JR76VCllw7T8= Message-ID: <4cde9f87826dd847af036646f5332f893b903fe2.camel@HIDDEN> Subject: squid package vulnerable to CVE-2021-28116 From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN> To: 47142 <at> debbugs.gnu.org Date: Mon, 05 Apr 2021 22:42:40 +0200 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-5rEF1EtJ/lrUdeXag8Xz" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 47142 X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) --=-5rEF1EtJ/lrUdeXag8Xz Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Still no fix available from upstream (unclear) --=-5rEF1EtJ/lrUdeXag8Xz Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBrdkAACgkQRaix6GvN EKbCVQ/+M5JRYKZ4srtBgEGUZOdkPjGx8ng4ZOkZLDKmNp7Gm7OyJCdLbP9WPcc1 NwcNXdXICMJjrALbOjOGyGkn7szIe7UVDMGQ701T36oeDPeA2feOjwy3QlRZcv4Q ScN1qsfb7Or2UmnfaJoSmDXuzXu/3u8xQIjJI0QDIctXdGJD2XrIpgLsRjX1pR43 VFfFAdomxInNRN2M0EA0JDvvoMMMqQUzPUcJ+9KVIDTkHQXUZRhzGP5f3vn3Jis4 Gv69k7Fn5rntUc7Pz9FaM6tc+sHbynG95103uVI2JCV0NA47ZhtLpNnvEDrMwB3H 6cUPLs1++DxOhbhYn+Ck98cFCmPp4gz7g20V/Vw08GnswiIikmkIUW0Zoy/C/ycI gR1PDW4rW5Zkq1ponvjqGManqLWTCyaHKsywXqSgadwYqccyJXLjmqEa4UPnh+pT JJCuhBSt1XymDVzdipGKNwenpYJGrOtsAnvwET3VqGTu9Ig6+aJdHfBp6PFod7FA FgEOSMZEfUSVpRyjFAt/FVVGku4F/LlyCk9Qb0eSvGGKCiJkrkZfXftvN46iVDQz fhOqgDZRfd+UeZGgBtS7OLbtXh9+EPNlwMwrQJv9OKx2FbRdDpfEG1qZzefjtXjy H2fUYUhL8L4KtKVRxFk5eaRY/LVuantT3fa/iHMbb2NUp54xZiQ= =7PtE -----END PGP SIGNATURE----- --=-5rEF1EtJ/lrUdeXag8Xz--
bug-guix@HIDDEN:bug#47142; Package guix.
Full text available.Leo Famulari <leo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Ludovic Courtès <ludo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.
Received: (at submit) by debbugs.gnu.org; 14 Mar 2021 21:36:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 14 17:36:14 2021
Received: from localhost ([127.0.0.1]:34331 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lLYPG-0002xv-Ht
for submit <at> debbugs.gnu.org; Sun, 14 Mar 2021 17:36:14 -0400
Received: from lists.gnu.org ([209.51.188.17]:54356)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <mhw@HIDDEN>) id 1lLYPE-0002xn-VE
for submit <at> debbugs.gnu.org; Sun, 14 Mar 2021 17:36:13 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:55596)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <mhw@HIDDEN>) id 1lLYPD-0008OU-Kq
for bug-guix@HIDDEN; Sun, 14 Mar 2021 17:36:12 -0400
Received: from world.peace.net ([64.112.178.59]:55708)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <mhw@HIDDEN>) id 1lLYPC-0003FF-6K
for bug-guix@HIDDEN; Sun, 14 Mar 2021 17:36:11 -0400
Received: from mhw by world.peace.net with esmtpsa
(TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
(envelope-from <mhw@HIDDEN>)
id 1lLYPA-00015o-NU; Sun, 14 Mar 2021 17:36:08 -0400
From: Mark H Weaver <mhw@HIDDEN>
To: bug-guix@HIDDEN
Subject: squid package vulnerable to CVE-2021-28116
References: <bc19eecdf5b924f0681c0fba22ffeb500540d988.camel@HIDDEN>
Date: Sun, 14 Mar 2021 17:34:38 -0400
Message-ID: <87czw1s9km.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@HIDDEN;
helo=world.peace.net
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: =?utf-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)
--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
I'm forwarding this to bug-guix@HIDDEN so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: L=C3=A9o Le Bouter <lle-bout@HIDDEN>
To: guix-devel@HIDDEN
Date: Wed, 10 Mar 2021 01:22:51 +0100
--=-=-=
Content-Type: multipart/signed; boundary="==-=-="
--==-=-=
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
CVE-2021-28116 09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.
Upstream did not release a patch yet. CVE entry to be monitored for a
fix.
https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a
low impact issue.
--==-=-=
Content-Type: application/pgp-signature; name=signature.asc
Content-Transfer-Encoding: base64
Content-Description: This is a digitally signed message part
LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUVGSXZMaTlnTCt4
YXgzZzZSUmFpeDZHdk5FS1lGQW1CSUVWc0FDZ2tRUmFpeDZHdk4KRUthRU5nLy9XSEZmWHpCWGlV
QzEwRm9qWnlHWUJwUnNaNjMyNXNqMlZLb2sycThlQTFLa0Vkbk1Xd2FHc2J4Qwo4Tmw3bXBveHBY
QjdGcndmamR1QzhBeWsrOW9GS2h3WVhCSTZnN1hkdWFvUWpFK3hVZ3ROSnBVSDBwWU5QVTNkCldt
RG1PUkpORnc1VVd1NUFoMElvSnhFdWJYLytNOEhrZHBqc015ZFhpTmZFU2dVT1hoUFJ2VXhmREpm
RlFBbGkKdkp2cHkxVGRrUDFVdlBxM01lWVU4WTZwNGJac05DekFkWGg1c0UveWthYjkzaWg0MFR2
aFUvdk9MTVQrZXRrRApsQVhpaW1qOUxUMnloZWFYT05UQ1ZERHpCd25ybGhZY3IxVnZCWWhEVGJN
UTFGcDJreHpFSU5YVm9mZ3VFYnRWCjdNRU5jdjBtdEVFQXhJRkVXNGpOb25oZHdMZ2lpbENZSW8z
VUdPcGhDdXJYWkE2NjVlZFdnRkxFZC96dEk4VkEKOFF2eXFxVkphZ3V0QkpGUDRSMjg2T0JlQnp1
UXFmTk96RmtaWkNFelhsaERuQmlzbnhmU2U1dDZ0OUtwMElMQwplOSs2S0R1NEp2aGp3dXhISVZO
ZGQ0eFhCL2htVUZ6bmtiVENIaWdac1YzOXR1T1Y3SzdISEcraEl5aFh6VUx0CktoQ1dIc2NRL2dm
cDdYVUhtY2ZHeHZJWGdFcWtiSnZWK0tobmVyQkhmakwraFNiSFA0RVgzSWFWRDE1TThvakQKVUtV
VmEzSnFwSXpuUENiWC9sdDNvVzZWampXNmN1K0V3SGhXbVBiMEVtWVptcG5raGJ6M05IZ2RIWnpU
QW52ZgpVTFBxZkllbHBNRVF4cDNUbUFUNDN4OFhZMkRsTDJOeGZPRE8vcFgwNlYvVXhYM1lBUGM9
Cj0xZ1B1Ci0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=
--==-=-=--
--=-=-=
Content-Type: text/plain
-------------------- End of forwarded message --------------------
--=-=-=--
Mark H Weaver <mhw@HIDDEN>:bug-guix@HIDDEN.
Full text available.bug-guix@HIDDEN:bug#47142; Package guix.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.