<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_CONFIRMED" title="CONFIRMED - [CVE 21] squid 5.3 CVEs found" href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13318">13318</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] squid 5.3 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2021-46784, CVE-2022-41317, CVE-2022-41318
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<div>
<pre>Please patch CVEs for package squid version 5.3
INFO (CVEs are): squid 5.3
CVEs found

CVE-2021-46784
Desc: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to
improper buffer management, a Denial of Service can occur when processing long
Gopher server responses.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-46784">https://nvd.nist.gov/vuln/detail/CVE-2021-46784</a>
Severity: MEDIUM

CVE-2022-41317
Desc: An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6.
Due to inconsistent handling of internal URIs, there can be Exposure of
Sensitive Information about clients using the proxy via an HTTPS request to an
internal cache manager URL. This is fixed in 5.7.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41317">https://nvd.nist.gov/vuln/detail/CVE-2022-41317</a>
Severity: MEDIUM

CVE-2022-41318
Desc: A buffer over-read was discovered in libntlmauth in Squid 2.5 through
5.6. Due to incorrect integer-overflow protection, the SSPI and SMB
authentication helpers are vulnerable to reading unintended memory locations.
In some configurations, cleartext credentials from these locations are sent to
a client. This is fixed in 5.7.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41318">https://nvd.nist.gov/vuln/detail/CVE-2022-41318</a>
Severity: HIGH</pre>
</div>
</body>
</html>