diff options
| author | Peter Marko <peter.marko@siemens.com> | 2024-11-07 22:58:49 +0100 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2024-11-19 13:50:56 -0800 |
| commit | 508a2e6b942d4ff16ec23cc808464fcd9506ddc4 (patch) | |
| tree | 2b3d6fd6f446f39c017529aebf4571a4d20c6c23 /meta-networking | |
| parent | 928ef34eadcab1272a2bc3a694873eede05a746d (diff) | |
| download | meta-openembedded-508a2e6b942d4ff16ec23cc808464fcd9506ddc4.tar.gz | |
squid: handle CVE-2024-45802
According to [1] the ESI implementation in squid feature is vulnerable
without any fix available.
NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).
This means CVE report would say Patched even if the vulnerability is
still present if someone adapts squid PACKAGECONFIG.
Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.
Based on this, remove vulnerable ESI PACKAGECONFIG already now.
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
[2] https://github.com/squid-cache/squid/commit/5eb89ef3d828caa5fc43cd8064f958010dbc8158
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-daemons/squid/squid_6.12.bb | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/meta-networking/recipes-daemons/squid/squid_6.12.bb b/meta-networking/recipes-daemons/squid/squid_6.12.bb index cc3d2f25db..a697f21836 100644 --- a/meta-networking/recipes-daemons/squid/squid_6.12.bb +++ b/meta-networking/recipes-daemons/squid/squid_6.12.bb | |||
| @@ -48,7 +48,6 @@ PACKAGECONFIG ??= "auth url-rewrite-helpers \ | |||
| 48 | PACKAGECONFIG[libnetfilter-conntrack] = "--with-netfilter-conntrack=${includedir}, --without-netfilter-conntrack, libnetfilter-conntrack" | 48 | PACKAGECONFIG[libnetfilter-conntrack] = "--with-netfilter-conntrack=${includedir}, --without-netfilter-conntrack, libnetfilter-conntrack" |
| 49 | PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," | 49 | PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," |
| 50 | PACKAGECONFIG[werror] = "--enable-strict-error-checking,--disable-strict-error-checking," | 50 | PACKAGECONFIG[werror] = "--enable-strict-error-checking,--disable-strict-error-checking," |
| 51 | PACKAGECONFIG[esi] = "--enable-esi,--disable-esi,expat libxml2" | ||
| 52 | PACKAGECONFIG[ssl] = "--with-openssl=yes,--with-openssl=no,openssl" | 51 | PACKAGECONFIG[ssl] = "--with-openssl=yes,--with-openssl=no,openssl" |
| 53 | PACKAGECONFIG[auth] = "--enable-auth-basic='${BASIC_AUTH}',--disable-auth --disable-auth-basic,krb5 openldap db cyrus-sasl" | 52 | PACKAGECONFIG[auth] = "--enable-auth-basic='${BASIC_AUTH}',--disable-auth --disable-auth-basic,krb5 openldap db cyrus-sasl" |
| 54 | PACKAGECONFIG[url-rewrite-helpers] = "--enable-url-rewrite-helpers,--disable-url-rewrite-helpers," | 53 | PACKAGECONFIG[url-rewrite-helpers] = "--enable-url-rewrite-helpers,--disable-url-rewrite-helpers," |
| @@ -67,7 +66,9 @@ BASIC_AUTH += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'PAM', '', d)}" | |||
| 67 | EXTRA_OECONF += "--with-default-user=squid \ | 66 | EXTRA_OECONF += "--with-default-user=squid \ |
| 68 | --sysconfdir=${sysconfdir}/${BPN} \ | 67 | --sysconfdir=${sysconfdir}/${BPN} \ |
| 69 | --with-logdir=${localstatedir}/log/${BPN} \ | 68 | --with-logdir=${localstatedir}/log/${BPN} \ |
| 70 | 'PERL=${USRBINPATH}/env perl'" | 69 | 'PERL=${USRBINPATH}/env perl' \ |
| 70 | --disable-esi \ | ||
| 71 | " | ||
| 71 | 72 | ||
| 72 | # Workaround a build failure when using a native compiler that need -std=c++17 | 73 | # Workaround a build failure when using a native compiler that need -std=c++17 |
| 73 | # with a cross-compiler that doesn't. | 74 | # with a cross-compiler that doesn't. |