diff --git a/SOURCES/squid-4.15-CVE-2024-23638.patch b/SOURCES/squid-4.15-CVE-2024-23638.patch new file mode 100644 index 0000000..51fc1f6 --- /dev/null +++ b/SOURCES/squid-4.15-CVE-2024-23638.patch @@ -0,0 +1,31 @@ +commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8 +Author: Alex Rousskov +Date: Sun Nov 12 09:33:20 2023 +0000 + + Do not update StoreEntry expiration after errorAppendEntry() (#1580) + + errorAppendEntry() is responsible for setting entry expiration times, + which it does by calling StoreEntry::storeErrorResponse() that calls + StoreEntry::negativeCache(). + + This change was triggered by a vulnerability report by Joshua Rogers at + https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where + it was filed as "Use-After-Free in Cache Manager Errors". The reported + "use after free" vulnerability was unknowingly addressed by 2022 commit + 1fa761a that removed excessively long "reentrant" store_client calls + responsible for the disappearance of the properly locked StoreEntry in + this (and probably other) contexts. + + +diff --git a/src/cache_manager.cc b/src/cache_manager.cc +index 8055ece..fdcc9cf 100644 +--- a/src/cache_manager.cc ++++ b/src/cache_manager.cc +@@ -323,7 +323,6 @@ CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request + const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request); + err->url = xstrdup(entry->url()); + errorAppendEntry(entry, err); +- entry->expires = squid_curtime; + return; + } + diff --git a/SPECS/squid.spec b/SPECS/squid.spec index 698173f..b26007e 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.15 -Release: 10%{?dist}.1 +Release: 10%{?dist}.3 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -72,7 +72,8 @@ Patch312: squid-4.15-CVE-2024-25111.patch # Regression caused by squid-4.15-CVE-2023-46846.patch # Upstream PR: https://github.com/squid-cache/squid/pull/1914 Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch - +# https://bugzilla.redhat.com/show_bug.cgi?id=2260051 +Patch314: squid-4.15-CVE-2024-23638.patch Requires: bash >= 2.0 Requires(pre): shadow-utils @@ -89,8 +90,6 @@ BuildRequires: openssl-devel BuildRequires: krb5-devel # time_quota requires DB BuildRequires: libdb-devel -# ESI support requires Expat & libxml2 -BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat BuildRequires: libcap-devel # eCAP support @@ -151,6 +150,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch311 -p1 -b .CVE-2024-25617 %patch312 -p1 -b .CVE-2024-25111 %patch313 -p1 -b .ignore-wsp-chunk-sz +%patch314 -p1 -b .CVE-2024-23638 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -195,7 +195,7 @@ autoconf --enable-storeio="aufs,diskd,ufs,rock" \ --enable-diskio \ --enable-wccpv2 \ - --enable-esi \ + --disable-esi \ --enable-ecap \ --with-aio \ --with-default-user="squid" \ @@ -367,6 +367,15 @@ fi %changelog +* Wed Nov 13 2024 Luboš Uhliarik - 7:4.15-10.3 +- Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to + a Denial of Service attack against Cache Manager error responses + +* Thu Nov 07 2024 Luboš Uhliarik - 7:4.15-10.2 +- Disable ESI support +- Resolves: RHEL-65075 - CVE-2024-45802 squid:4/squid: Denial of Service + processing ESI response content + * Mon Oct 14 2024 Luboš Uhliarik - 7:4.15-10.1 - Resolves: RHEL-56024 - (Regression) Transfer-encoding:chunked data is not sent to the client in its complementary