diff --git a/SOURCES/squid-3.5.20-CVE-2020-25097.patch b/SOURCES/squid-3.5.20-CVE-2020-25097.patch
new file mode 100644
index 0000000..dec4382
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2020-25097.patch
@@ -0,0 +1,28 @@
+diff --git a/src/url.cc b/src/url.cc
+index ebdecbf..44255c2 100644
+--- a/src/url.cc
++++ b/src/url.cc
+@@ -256,8 +256,9 @@ urlParse(const HttpRequestMethod& method, char *url, HttpRequest *request)
+ return NULL;
+ *dst = '\0';
+
+- // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/'
+- if (*src == '?' || *src == '#' || *src == '\0') {
++ // We are looking at path-abempty.
++ if (*src != '/') {
++ // path-empty, including the end of the `src` c-string cases
+ urlpath[0] = '/';
+ dst = &urlpath[1];
+ } else {
+@@ -271,11 +272,6 @@ urlParse(const HttpRequestMethod& method, char *url, HttpRequest *request)
+ /* We -could- be at the end of the buffer here */
+ if (i > l)
+ return NULL;
+- /* If the URL path is empty we set it to be "/" */
+- if (dst == urlpath) {
+- *dst = '/';
+- ++dst;
+- }
+ *dst = '\0';
+
+ protocol = urlParseProtocol(proto);
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 2eab55a..2396ec9 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@ Name: squid
Version: 3.5.20
-Release: 17%{?dist}.5
+Release: 17%{?dist}.6
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -86,6 +86,8 @@ Patch509: squid-3.5.20-CVE-2020-24606.patch
Patch510: squid-3.5.20-CVE-2020-15810.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1871702
Patch511: squid-3.5.20-CVE-2020-15811.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1939925
+Patch512: squid-3.5.20-CVE-2020-25097.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: bash >= 2.0
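Review bot: In the embedded src/url.cc patch, the new test `if (*src != '/')` in the first urlParse hunk is documented only by `// We are looking at path-abempty.`, which does not record why the old list of `'?'`, `'#'` and `'\0'` was replaced, although this condition is the core of the fix the patch file is named for. I would state the invariant next to the test, for example `// Security: whatever byte ended the authority, urlpath must start with '/' (CVE-2020-25097); do not narrow this test.`, so a later cleanup does not bring the three-character list back. The second hunk removes the `dst == urlpath` fallback on the strength of that invariant, so a one-line comment at `*dst = '\0';` saying the path can no longer be empty there would help as well. Because the implied '/' is now written ahead of a copied path in more cases, it is worth confirming that the copy loop between the two hunks bounds its writes by the capacity of `urlpath`; the only check visible here is `if (i > l)`, which tracks the source index. urlParse starts and ends outside both hunks, so the host-delimiter loop and the copy loop could not be checked from this page.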
@@ -185,6 +187,7 @@ migration and script which prepares squid for downgrade operation.
%patch509 -p1 -b .CVE-2020-24606
%patch510 -p1 -b .CVE-2020-15810
%patch511 -p1 -b .CVE-2020-15811
+%patch512 -p1 -b .CVE-2020-25097
# https://bugzilla.redhat.com/show_bug.cgi?id=1471140
# Patch in the vendor documentation and used different location for documentation
@@ -414,6 +417,10 @@ fi
chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
%changelog
+* Wed Mar 31 2021 Lubos Uhliarik - 7:3.5.20-17.6
+- Resolves: #1944256 - CVE-2020-25097 squid: improper input validation may allow
+ a trusted client to perform HTTP Request Smuggling
+
* Mon Oct 26 2020 Lubos Uhliarik - 7:3.5.20-17.5 - Resolves: #1890581 - Fix for CVE 2019-13345 breaks authentication in cachemgr.cgi