[Bugs] [Bug 13318] New: [CVE 21] squid 5.3 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed May 3 17:02:58 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13318

          Platform: 2021.1
            Bug ID: 13318
           Summary: [CVE 21] squid 5.3 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2021-46784, CVE-2022-41317, CVE-2022-41318,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch the CVEs for package squid, version 5.3.

INFO: CVEs found for squid 5.3:
CVE-2021-46784
Desc: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to
improper buffer management, a Denial of Service can occur when processing long
Gopher server responses.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-46784
Severity: MEDIUM
CVE-2022-41317
Desc: An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6.
Due to inconsistent handling of internal URIs, there can be Exposure of
Sensitive Information about clients using the proxy via an HTTPS request to an
internal cache manager URL. This is fixed in 5.7.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41317
Severity: MEDIUM
CVE-2022-41318
Desc: A buffer over-read was discovered in libntlmauth in Squid 2.5 through
5.6. Due to incorrect integer-overflow protection, the SSPI and SMB
authentication helpers are vulnerable to reading unintended memory locations.
In some configurations, cleartext credentials from these locations are sent to
a client. This is fixed in 5.7.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41318
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
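The three NVD descriptions quoted in the report give affected-version ranges in slightly different forms ("3.x through 3.5.28", "5.0.6 through 5.6", "5.x before 5.6"). The following is an added example, not part of the bug report or of the Squid project: a small Python check that transcribes those ranges and tells you which of the three CVEs apply to a given Squid version string. The range table is copied from the descriptions above; the version-string format assumed for the `-<release>` suffix (e.g. `5.3-2.rosa2021.1`) is an assumption about how distribution packages are labelled.

```python
"""Which of the three Squid CVEs from the report apply to a given version?

Added example; ranges are transcribed from the NVD descriptions quoted in the
bug report (CVE-2021-46784, CVE-2022-41317, CVE-2022-41318).
"""
from typing import NamedTuple


class Range(NamedTuple):
    lo: str            # lowest affected version, inclusive
    hi: str            # upper bound
    hi_inclusive: bool  # True for "through X", False for "before X"


# "3.x" / "4.x" / "5.x" are read as 3.0 / 4.0 / 5.0 lower bounds.
AFFECTED = {
    "CVE-2021-46784": [
        Range("3.0", "3.5.28", True),   # 3.x through 3.5.28
        Range("4.0", "4.17", True),     # 4.x through 4.17
        Range("5.0", "5.6", False),     # 5.x before 5.6
    ],
    "CVE-2022-41317": [
        Range("4.9", "4.17", True),     # 4.9 through 4.17
        Range("5.0.6", "5.6", True),    # 5.0.6 through 5.6
    ],
    "CVE-2022-41318": [
        Range("2.5", "5.6", True),      # 2.5 through 5.6
    ],
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.3' or '5.3-2.rosa2021.1' into (5, 3).

    Assumption: the distro release suffix, if any, follows the first '-'.
    Only leading numeric dotted components are kept.
    """
    core = version.split("-", 1)[0]
    parts: list[int] = []
    for component in core.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(parts)


def _pad(t: tuple[int, ...], n: int) -> tuple[int, ...]:
    # Pad with zeros so (5, 6) and (5, 6, 0) compare as equal.
    return t + (0,) * (n - len(t))


def in_range(v: tuple[int, ...], r: Range) -> bool:
    lo, hi = parse_version(r.lo), parse_version(r.hi)
    n = max(len(v), len(lo), len(hi))
    v, lo, hi = _pad(v, n), _pad(lo, n), _pad(hi, n)
    if v < lo:
        return False
    return v <= hi if r.hi_inclusive else v < hi


def affected_cves(version: str) -> list[str]:
    """Return the CVE IDs whose affected ranges contain `version`."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(in_range(v, r) for r in ranges)]


if __name__ == "__main__":
    for ver in ("5.3", "5.6", "5.7", "5.3-2.rosa2021.1"):
        print(f"squid {ver}: {affected_cves(ver) or 'none of the three'}")
```

Note the caveat a packager will care about: this is a version-string check only. A distribution package labelled 5.3 that carries backported patches may already be fixed, and the only reliable evidence is the package changelog or the presence of the upstream fix in the source; upstream's own fixed releases are 5.6 for CVE-2021-46784 and 5.7 for the other two.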