author Ola Lundqvist <ola@inguza.com> 2020-01-20 22:27:08 +0100
committer Ola Lundqvist <ola@inguza.com> 2020-01-20 22:27:53 +0100
commit fff895561e092a0881291c4ceced97c2befd766a
tree 7262113d590649473f3fd33c31b04f79401b3c53 /data/dla-needed.txt
parent 5b55efb5e8670596118849fd85efd432f59ae9d3
Added information about the squid3 patch analysis made.
Diffstat (limited to 'data/dla-needed.txt')
-rw-r--r-- data/dla-needed.txt 8
1 files changed, 7 insertions, 1 deletions
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 119a3f728d..e8896142ba 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -113,12 +113,18 @@ sqlite3 (Thorsten Alteholz)
NOTE: 20200112: WIP
--
squid3
- NOTE: 20191210: Requires new API SBuf.
+ NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck.
NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed.
NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not
NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that
NOTE: 20200116: addresses the vulnerabilities. (roberto)
+ NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID
+ NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy
+ NOTE: 20200120: to add those checks without introducing SBuf. (Ola)
+ NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping
+ NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more
+ NOTE: 20200120: details on the intention. (Ola)
--
storebackup (Utkarsh Gupta)
--
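Review bot: The rewritten 20191210 line under squid3 now states that both CVE-2019-12523 and CVE-2019-18676 require the new SBuf API, while the 20200120 note added a few lines below concludes that the NID checks for CVE-2019-12523 "should be easy to add" without introducing SBuf. Read top to bottom, the entry contradicts itself, and a dated note has been changed after the fact. Suggest leaving the 20191210 line as originally written and carrying the CVE attribution only in the new 20200120 lines, or scoping the SBuf statement to the CVE it still applies to. For CVE-2019-18676, "the // skipping or the absolute function" does not name a function, file or upstream commit, so whoever picks this up next cannot tell which code was compared; naming it would make the analysis reusable. Minor: "the only new checks is" should read "the only new check is".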
