Bug 13318

Summary: [CVE 21] squid 5.3 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, y.tumanov: secteam_verified+, a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2021-46784, CVE-2022-41317, CVE-2022-41318
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:02:58 MSK
Please patch CVEs for package squid version 5.3

INFO (CVEs are): squid 5.3 CVEs found

CVE-2021-46784
Desc: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46784
Severity: MEDIUM
CVE-2022-41317
Desc: An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41317
Severity: MEDIUM
CVE-2022-41318
Desc: A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41318
Severity: HIGH
Comment 1 ilfat 2023-05-22 20:23:52 MSK
********** QA ADVISORY **********

CVEs closed by project update

Updated to 5.9

https://abf.io/build_lists/4443032 x86_64
https://abf.io/build_lists/4443034 i686
https://abf.io/build_lists/4443033 aarch64
Comment 2 Dmitry Postnikov 2023-05-23 12:47:16 MSK
***************************
The update has been sent to testing
Comment 3 Vladimir Potapov 2023-05-31 09:36:03 MSK
squid-5.9-1
https://abf.io/build_lists/4443032 x86_64
https://abf.io/build_lists/4443034 i686
https://abf.io/build_lists/4443033 aarch64
**************************** Advisory ***********************
CVEs closed by project update
*************************************************************
QA Verified
Comment 4 Yury 2023-07-26 17:30:58 MSK
Secteam Verified