import squid-4.15-6.module+el8.8.0+20569+26050b0f.1

c8-stream-4 imports/c8-stream-4/squid-4.15-6.module+el8.8.0+20569+26050b0f.1
MSVSphere Packaging Team 1 year ago
parent 3991873cea
commit 51f400399c

File diff suppressed because it is too large Load Diff

@ -0,0 +1,23 @@
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index 6a9736f..0a883fa 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
break;
case DIGEST_NC:
- if (value.size() != 8) {
+ if (value.size() == 8) {
+ // for historical reasons, the nc value MUST be exactly 8 bytes
+ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+ } else {
debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
+ digest_request->nc[0] = 0;
}
- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
break;
case DIGEST_CNONCE:

@ -2,7 +2,7 @@
Name: squid
Version: 4.15
Release: 6%{?dist}
Release: 6%{?dist}.1
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@ -46,6 +46,11 @@ Patch300: squid-4.15-CVE-2021-28116.patch
Patch301: squid-4.15-CVE-2021-46784.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
Patch302: squid-4.15-CVE-2022-41318.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2245910
# +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270
Patch303: squid-4.15-CVE-2023-46846.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2245916
Patch304: squid-4.15-CVE-2023-46847.patch
Requires: bash >= 2.0
Requires(pre): shadow-utils
@ -112,6 +117,8 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch300 -p1 -b .CVE-2021-28116
%patch301 -p1 -b .CVE-2021-46784
%patch302 -p1 -b .CVE-2022-41318
%patch303 -p1 -b .CVE-2023-46846
%patch304 -p1 -b .CVE-2023-46847
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation
@ -328,6 +335,12 @@ fi
%changelog
* Mon Oct 30 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-6.1
- Resolves: RHEL-14799 - squid: squid: Denial of Service in HTTP Digest
Authentication
- Resolves: RHEL-14775 - squid: squid: Request/Response smuggling in HTTP/1.1
and ICAP
* Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
- Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
flag to sockets created for outgoing connections in the squid source code.

Loading…
Cancel
Save