
Re: Thoughts on CVE-2020-15049/squid3?

Hello Roberto,

On 25.09.20 at 21:25, Roberto C. Sánchez wrote:
> Hello fellow LTS people,
> I am working on an update for the squid3 package.  At this time there
> are 4 open CVEs, of which 3 have patches that apply with little or no
> change required.  However, the patch for CVE-2020-15049 does not apply
> at all.

You should have been aware that I have prepared the last update of
squid3. I have just noticed that the NOTE on the squid entry in
dla-needed.txt was removed, but the last status was that the package
simply needs more testing. Hence I didn't bother to re-add myself, but the
NOTE was self-explanatory (in ELTS and LTS).

> Based on the above findings, I am inclined to triage CVE-2020-15049 as
> <ignored>:

The patch for CVE-2020-15049 cannot be backported as is. The code that
was added in the meantime must be taken into consideration as well.

> [stretch] - squid3 <ignored> (complete fix is too invasive to backport)
> There appears to be precedent for taking this approach when a fix is far
> too invasive and where there does not appear to be an alternate approach
> to address the vulnerability.
> Unless there are any serious objections in the next few days I will
> proceed with uploading the update I have prepared and will update the
> security tracker entry as I have described.  (Note: the same applies
> both for the package in stretch LTS and in jessie ELTS.)

It is not possible to "fix" the remaining CVE if you ignore
CVE-2020-15049. The real fix was to backport the new header parsing code,
which includes additional improvements, some of which could be considered
bug fixes for CVE-worthy issues, but upstream did not request identifiers for them.
Even if you addressed only the reported CVE, the fix would be incomplete
because of the missing sanity checks that were additionally added in the
