Hello Roberto,

On 25.09.20 at 21:25, Roberto C. Sánchez wrote:
> Hello fellow LTS people,
>
> I am working on an update for the squid3 package. At this time there
> are 4 open CVEs, of which 3 have patches that apply with little or no
> change required. However, the patch for CVE-2020-15049 does not apply
> at all.

You should have been aware that I have prepared the last update of squid3. I have just noticed that the NOTE on the squid entry in dla-needed.txt was removed, but the last status was that the package simply needs more testing. Hence I didn't bother to re-add myself, but the NOTE was self-explanatory (in ELTS and LTS).

[...]

> Based on the above findings, I am inclined to triage CVE-2020-15049 as
> <ignored>:

The patch for CVE-2020-15049 cannot be backported as is. The code that was added in the meantime must be taken into consideration as well.

> [stretch] - squid3 <ignored> (complete fix is too invasive to backport)
>
> There appears to be precedent for taking this approach when a fix is far
> too invasive and where there does not appear to be an alternate approach
> to address the vulnerability.
>
> Unless there are any serious objections in the next few days I will
> proceed with uploading the update I have prepared and will update the
> security tracker entry as I have described. (Note: the same applies
> both for the package in stretch LTS and in jessie ELTS.)

It is not possible to "fix" the remaining CVE if you ignore CVE-2020-15049. The real fix was to backport the new header parsing code, which includes additional improvements, some of which could be considered bug fixes for CVEs, but upstream did not request identifiers for them. Even if you addressed only the reported CVE, the fix would be incomplete because of the missing sanity checks that were additionally added in the past.

Regards,
Markus