squid: handle CVE-2024-45802 - linux/meta-openembedded.git - Mirror of git.openembedded.org/meta-openembedded

diff options

author	Peter Marko <peter.marko@siemens.com>	2024-11-07 22:58:49 +0100
committer	Khem Raj <raj.khem@gmail.com>	2024-11-19 13:50:56 -0800
commit	508a2e6b942d4ff16ec23cc808464fcd9506ddc4 (patch)
tree	2b3d6fd6f446f39c017529aebf4571a4d20c6c23 /meta-python/recipes-devtools/python/python3-yappi/0002-Fix-import-of-tests.utils-to-enable-pytest.patch
parent	928ef34eadcab1272a2bc3a694873eede05a746d (diff)
download	meta-openembedded-508a2e6b942d4ff16ec23cc808464fcd9506ddc4.tar.gz

squid: handle CVE-2024-45802

According to [1] the ESI implementation in squid feature is vulnerable without any fix available. NVD says it's fixed in 6.10, however the change in this release only disables ESI by default (which we always did via PACKAGECONFIG). This means CVE report would say Patched even if the vulnerability is still present if someone adapts squid PACKAGECONFIG. Commit in master branch related to this CVE is [2]. Title is "Remove Edge Side Include (ESI) protocol" and it's also what it does. So there will never be a fix for these ESI vulnerabilities. Based on this, remove vulnerable ESI PACKAGECONFIG already now. [1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj [2] https://github.com/squid-cache/squid/commit/5eb89ef3d828caa5fc43cd8064f958010dbc8158 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>

Diffstat (limited to 'meta-python/recipes-devtools/python/python3-yappi/0002-Fix-import-of-tests.utils-to-enable-pytest.patch')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: