Subject: bug#47142: squid package vulnerable to CVE-2021-28116
From: Mark H Weaver
To: 47142@debbugs.gnu.org (originally bug-guix@gnu.org)
Date: Sun, 14 Mar 2021 17:34:38 -0400
Message-ID: <87czw1s9km.fsf@netris.org>
List: bug-guix@gnu.org (Bug reports for GNU Guix)

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
      Mark

-------------------- Start of forwarded message --------------------
Subject: squid package vulnerable to CVE-2021-28116
From: Léo Le Bouter
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 01:22:51 +0100

CVE-2021-28116 09.03.21 23:15

Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows
information disclosure because of an out-of-bounds read in WCCP protocol
data. This can be leveraged as part of a chain for remote code execution
as nobody.

Upstream did not release a patch yet. CVE entry to be monitored for a fix.

https://www.zerodayinitiative.com/advisories/ZDI-21-157/ - says it is a
low-impact issue.
-------------------- End of forwarded message --------------------
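As an added example (not part of either message, nor of Guix's or Squid's own code), a small inventory check a packager or administrator can run against the version ranges the report names; the `wccp_enabled` part rests on an assumption the report does not state, namely that Squid only handles WCCP traffic when a `wccp_router` or `wccp2_router` directive is set in squid.conf.

```python
import re
from typing import Tuple

# Highest affected versions the report names: "through 4.14", "5.x through 5.0.5".
AFFECTED_4_MAX = (4, 14)
AFFECTED_5_MAX = (5, 0, 5)
# Assumption (not stated in the report): Squid only handles WCCP traffic
# when one of these squid.conf directives points it at a router.
WCCP_DIRECTIVES = ("wccp_router", "wccp2_router")

def parse_version(version: str) -> Tuple[int, ...]:
    """Leading dotted number of '5.0.5', 'squid/4.14' or '4.14-r1' as ints."""
    m = re.search(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version: str) -> bool:
    """True if the version lies in a range the report names as affected."""
    v = parse_version(version)
    if v[0] < 4:
        return True                          # older than 4.14, so included
    if v[0] == 4:
        return (v + (0,))[:2] <= AFFECTED_4_MAX
    if v[0] == 5:
        return (v + (0, 0))[:3] <= AFFECTED_5_MAX
    return False                             # 6.x and later are not named

def wccp_enabled(conf_text: str) -> bool:
    """True if an uncommented wccp_router/wccp2_router line is present."""
    for line in conf_text.splitlines():
        words = line.split()
        if words and words[0] in WCCP_DIRECTIVES:
            return True
    return False

def exposure(version: str, conf_text: str) -> str:
    """One-line verdict combining both checks, e.g. for an inventory report."""
    if not is_affected(version):
        return "not in reported range"
    if wccp_enabled(conf_text):
        return "affected version, WCCP configured"
    return "affected version, WCCP not configured"

# Constructed squid.conf fragment for the example, not a real deployment.
SAMPLE_CONF = """\
http_port 3128
# wccp2_router 192.0.2.1   (commented out, so it does not count)
wccp2_router 192.0.2.1
"""
```

Once upstream publishes a fixed release, the two `AFFECTED_*_MAX` tuples are the only values to revisit, after confirming them against the CVE entry.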