From 6014ecf367b570fe3304fe8c0f4162e887d91073 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 18 2021 17:10:39 +0000
Subject: import squid-4.11-4.module+el8.4.0+10676+a969168e.2
---
diff --git a/SOURCES/squid-4.11-CVE-2020-25097.patch b/SOURCES/squid-4.11-CVE-2020-25097.patch
new file mode 100644
index 0000000..16fa1f8
--- /dev/null
+++ b/SOURCES/squid-4.11-CVE-2020-25097.patch
@@ -0,0 +1,60 @@
+From dfd818595b54942cb1adc45f6aed95c9b706e3a8 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Fri, 4 Sep 2020 17:38:30 +1200
+Subject: [PATCH] Merge pull request from GHSA-jvf6-h9gj-pmj6
+
+* Add slash prefix to path-rootless or path-noscheme URLs
+
+* Update src/anyp/Uri.cc
+
+Co-authored-by: Alex Rousskov
+
+* restore file trailer GH auto-removes
+
+* Remove redundant path-empty check
+
+* Removed stale comment left behind by b2ab59a
+
+Many things imply a leading `/` in a URI. Their enumeration is likely to
+(and did) become stale, misleading the reader.
+
+* fixup: Remind that the `src` iterator may be at its end
+
+We are dereferencing `src` without comparing it to `\0`.
+To many readers that (incorrectly) implies that we are not done iterating yet.
+
+Also fixed branch-added comment indentation.
+
+Co-authored-by: Alex Rousskov
+---
+ src/anyp/Uri.cc | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
+index b745c54..31f02d5 100644
+--- a/src/anyp/Uri.cc
++++ b/src/anyp/Uri.cc
+@@ -293,8 +293,9 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
+ return false;
+ *dst = '\0';
+
+- // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/'
+- if (*src == '?' || *src == '#' || *src == '\0') {
++ // We are looking at path-abempty.
++ if (*src != '/') {
++ // path-empty, including the end of the `src` c-string cases
+ urlpath[0] = '/';
+ dst = &urlpath[1];
+ } else {
+@@ -308,11 +309,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
+ /* We -could- be at the end of the buffer here */
+ if (i > l)
+ return false;
+- /* If the URL path is empty we set it to be "/" */
+- if (dst == urlpath) {
+- *dst = '/';
+- ++dst;
+- }
+ *dst = '\0';
+
+ foundPort = scheme.defaultPort(); // may be reset later
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index af20506..3ecf752 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
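Review bot: The comment inside the new `if (*src != '/')` branch (first Uri.cc hunk of the added patch) still says only "path-empty", yet the condition now takes every input whose byte at `*src` is not a slash: the `?` and `#` cases the removed comment listed, end of input, and the path-rootless and path-noscheme forms named in the commit message. Because this test is what closes the request-smuggling issue, the comment should state the invariant rather than one case, for example `// Every path that does not already begin with '/' gets one prepended: covers '?', '#', end of input and any other byte at *src.` The second hunk drops the late `dst == urlpath` fallback, so this branch appears to be the only remaining guarantee that `urlpath` is never empty, which is worth one more line such as `// urlpath must leave this block starting with '/'; nothing later re-adds it.` AnyP::Uri::parse() starts and ends outside both hunks, so the copy loop between them and the room left in `urlpath` for the extra byte cannot be confirmed from this page.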
@@ -2,7 +2,7 @@ Name: squid Version: 4.11 -Release: 4%{?dist} +Release: 4%{?dist}.2 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -50,6 +50,8 @@ Patch502: squid-4.11-CVE-2020-24606.patch Patch503: squid-4.11-CVE-2020-15811.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1871700 Patch504: squid-4.11-CVE-2020-15810.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1944260 +Patch505: squid-4.11-CVE-2020-25097.patch Requires: bash >= 2.0 @@ -119,6 +121,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch502 -p1 -b .cve-2020-24606 %patch503 -p1 -b .CVE-2020-15811 %patch504 -p1 -b .CVE-2020-15810 +%patch505 -p1 -b .CVE-2020-25097 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -335,6 +338,10 @@ fi %changelog +* Wed Mar 31 2021 Lubos Uhliarik - 7:4.11-4.2 +- Resolves: #1944260 - CVE-2020-25097 squid:4/squid: improper input validation + may allow a trusted client to perform HTTP Request Smuggling + * Mon Oct 26 2020 Lubos Uhliarik - 7:4.11-4 - Resolves: #1890606 - Fix for CVE 2019-13345 breaks authentication in cachemgr.cgi