--- Begin Message ---
Subject: |
squid package vulnerable to CVE-2021-28116 |
Date: |
Sun, 14 Mar 2021 17:34:38 -0400 |
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100
CVE-2021-28116 09.03.21 23:15
Squid through 4.14 and 5.x through 5.0.5, in some configurations,
allows information disclosure because of an out-of-bounds read in WCCP
protocol data. This can be leveraged as part of a chain for remote code
execution as nobody.
Upstream did not release a patch yet. CVE entry to be monitored for a
fix.
https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a
low impact issue.
signature.asc
Description: This is a digitally signed message part
-------------------- End of forwarded message --------------------
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#47142: squid package vulnerable to CVE-2021-28116 |
Date: |
Tue, 22 Mar 2022 23:05:54 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hello,
Mark H Weaver <mhw@netris.org> writes:
> I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
>
> Mark
>
> -------------------- Start of forwarded message --------------------
> Subject: squid package vulnerable to CVE-2021-28116
> From: Léo Le Bouter <lle-bout@zaclys.net>
> To: guix-devel@gnu.org
> Date: Wed, 10 Mar 2021 01:22:51 +0100
>
> CVE-2021-28116 09.03.21 23:15
> Squid through 4.14 and 5.x through 5.0.5, in some configurations,
We're now using squid 4.17.
Closing.
Thanks,
Maxim
--- End Message ---