CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

squid: handle CVE-2024-45802

Browse Source 
According to [1] the ESI implementation in squid feature is vulnerable
without any fix available.

NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).
This means CVE report would say Patched even if the vulnerability is
still present if someone adapts squid PACKAGECONFIG.

Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.
Based on this, remove vulnerable ESI PACKAGECONFIG already now.

[1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
[2] 5eb89ef3d8

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Peter Marko 2024-11-07 22:58:49 +01:00 committed by Khem Raj
parent 928ef34ead
commit 508a2e6b94
No known key found for this signature in database
GPG Key ID: BB053355919D3314
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
meta-networking/recipes-daemons/squid/squid_6.12.bb
View File

@ -48,7 +48,6 @@ PACKAGECONFIG ??= "auth url-rewrite-helpers \
PACKAGECONFIG[libnetfilter-conntrack] = "--with-netfilter-conntrack=${includedir}, --without-netfilter-conntrack, libnetfilter-conntrack"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
PACKAGECONFIG[werror] = "--enable-strict-error-checking,--disable-strict-error-checking,"
PACKAGECONFIG[esi] = "--enable-esi,--disable-esi,expat libxml2"
PACKAGECONFIG[ssl] = "--with-openssl=yes,--with-openssl=no,openssl"
PACKAGECONFIG[auth] = "--enable-auth-basic='${BASIC_AUTH}',--disable-auth --disable-auth-basic,krb5 openldap db cyrus-sasl"
PACKAGECONFIG[url-rewrite-helpers] = "--enable-url-rewrite-helpers,--disable-url-rewrite-helpers,"
@ -67,7 +66,9 @@ BASIC_AUTH += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'PAM', '', d)}"
EXTRA_OECONF += "--with-default-user=squid \
--sysconfdir=${sysconfdir}/${BPN} \
--with-logdir=${localstatedir}/log/${BPN} \
'PERL=${USRBINPATH}/env perl'"
'PERL=${USRBINPATH}/env perl' \
--disable-esi \
"
# Workaround a build failure when using a native compiler that need -std=c++17
# with a cross-compiler that doesn't.