From: Peter Seiderer
To: buildroot@buildroot.org
Date: Sun, 13 Jun 2021 00:27:49 +0200
Message-Id: <20210612222749.25669-2-ps.report@gmx.net>
In-Reply-To: <20210612222749.25669-1-ps.report@gmx.net>
References: <20210612222749.25669-1-ps.report@gmx.net>
Subject: [Buildroot] [PATCH v1 2/2] package/squid: security bump to version 4.15
Cc: Marek Kraus

From: Peter Korsgaard

Fixes the following security issues:

- CVE-2021-28651: Denial of Service in URN processing

  Due to a buffer management bug Squid is vulnerable to a Denial of
  service attack against the server it is operating on.

  This attack is limited to proxies which attempt to resolve a "urn:"
  resource identifier. Support for this resolving is enabled by default
  in all Squid.

  https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4

- CVE-2021-28652: Denial of Service issue in Cache Manager

  Due to an incorrect parser validation bug Squid is vulnerable to a
  Denial of Service attack against the Cache Manager API.

  https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447

- CVE-2021-28662: Denial of Service in HTTP Response Processing

  Due to an input validation bug Squid is vulnerable to a Denial of
  Service against all clients using the proxy.

  https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h

- CVE-2021-31806, CVE-2021-31807, CVE-2021-31808: Multiple Issues in HTTP
  Range header

  Due to an incorrect input validation bug Squid is vulnerable to a
  Denial of Service attack against all clients using the proxy.

  https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf

- CVE-2021-33620: Denial of Service in HTTP Response processing

  Due to an input validation bug Squid is vulnerable to a Denial of
  Service against all clients using the proxy.

  https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f

Signed-off-by: Peter Korsgaard
---
 package/squid/squid.hash | 8 ++++----
 package/squid/squid.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/squid/squid.hash b/package/squid/squid.hash index a2aaba5fd5..12a9e5d293 100644 --- a/package/squid/squid.hash +++ b/package/squid/squid.hash 
@@ -1,6 +1,6 @@ -# From http://www.squid-cache.org/Versions/v4/squid-4.14.tar.xz.asc -md5 7d9ba82703cd770b2ede169a0c1de94a squid-4.14.tar.xz -sha1 71ae13a845a6a7ffc69ce11086ea3e427625bc08 squid-4.14.tar.xz +# From http://www.squid-cache.org/Versions/v4/squid-4.15.tar.xz.asc +md5 a593de9dc888dfeca4f1f7db2cd7d3b9 squid-4.15.tar.xz +sha1 60bda34ba39657e2d870c8c1d2acece8a69c3075 squid-4.15.tar.xz # Locally calculated -sha256 f1097daa6434897c159bc100978b51347c0339041610845d0afa128151729ffc squid-4.14.tar.xz +sha256 b693a4e5ab2811a8a854f60de0a62afbbf3a952bb1d047952c9ae01321f84a25 squid-4.15.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/squid/squid.mk b/package/squid/squid.mk index 7e6865f8ed..b23a8d26ed 100644 --- a/package/squid/squid.mk +++ b/package/squid/squid.mk @@ -4,7 +4,7 @@ # ################################################################################ -SQUID_VERSION = 4.14 +SQUID_VERSION = 4.15 SQUID_SOURCE = squid-$(SQUID_VERSION).tar.xz SQUID_SITE = http://www.squid-cache.org/Versions/v4 SQUID_LICENSE = GPL-2.0+
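
Review bot: In the package/squid/squid.hash hunk, the md5 and sha1 lines are taken from the upstream .asc file named in the comment, which is referenced over plain http://, and the only strong digest, the sha256 line, is marked "# Locally calculated". A locally calculated sha256 is only as trustworthy as the tarball it was computed from, so please state in the hash file comment or the commit message that the signature in squid-4.15.tar.xz.asc was verified against the upstream signing key before the sha256 was generated. For a bump whose stated purpose is security fixes, that provenance step is worth recording explicitly.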
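
Review bot: The unchanged context line "SQUID_SITE = http://www.squid-cache.org/Versions/v4" in the package/squid/squid.mk hunk means the 4.15 tarball is still downloaded over cleartext HTTP, which leaves the entries in squid.hash as the only integrity check on the source. If upstream serves the same path over HTTPS, switch SQUID_SITE to it, either in this patch or in a follow-up. The SQUID_VERSION change itself is consistent with the squid-4.15.tar.xz file names in squid.hash.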