Hello,

Please consider merging this fix: https://salsa.debian.org/squid-team/squid/-/merge_requests/17
diff -Nru squid-4.13/debian/changelog squid-4.13/debian/changelog --- squid-4.13/debian/changelog 2021-03-22 23:18:11.000000000 +0000 +++ squid-4.13/debian/changelog 2021-05-27 22:53:36.000000000 +0000 @@ -1,3 +1,11 @@ +squid (4.13-10) unstable; urgency=medium + + * Team upload. + * Add debian/patches/0007-CVE-2021-28651.patch to fix a Denial + of Service in URN processing. (Closes: #988893, CVE-2021-28651) + + -- Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net> Thu, 27 May 2021 22:53:36 +0000 + squid (4.13-9) unstable; urgency=medium * Clarify on NEWS and scripts that we no longer remove logs on purge. diff -Nru squid-4.13/debian/patches/0007-CVE-2021-28651.patch squid-4.13/debian/patches/0007-CVE-2021-28651.patch --- squid-4.13/debian/patches/0007-CVE-2021-28651.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/0007-CVE-2021-28651.patch 2021-05-27 22:43:32.000000000 +0000 
@@ -0,0 +1,23 @@ +Description: Fix CVE-2021-28651. + Due to a buffer-management bug, it allows + a denial of service in URN processing. + When resolving a request with the urn: scheme, + the parser leaks a small amount of memory. +Author: Amos Jeffries <ya...@users.noreply.github.com> +Origin: upstream, http://www.squid-cache.org/Versions/v4/changesets/squid-4-a975fd5aedc866629214aaaccb38376855351899.patch +Bug: https://github.com/squid-cache/squid/pull/778 +Bug-Debian: https://bugs.debian.org/988893 +Forwarded: not-needed +Reviewed-By: Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net> +Last-Update: 2021-05-27 + +--- squid-4.13.orig/src/urn.cc ++++ squid-4.13/src/urn.cc +@@ -412,6 +412,7 @@ urnParseReply(const char *inbuf, const H + } + + debugs(52, 3, "urnParseReply: Found " << i << " URLs"); ++ xfree(buf); + return list; + } + diff -Nru squid-4.13/debian/patches/series squid-4.13/debian/patches/series --- squid-4.13/debian/patches/series 2021-03-22 23:18:11.000000000 +0000 +++ squid-4.13/debian/patches/series 2021-05-27 22:13:37.000000000 +0000 @@ -4,3 +4,4 @@ #0004-upstream-bug5041.patch 0005-Use-RuntimeDirectory-to-create-run-squid.patch 0006-SQUID-2020_11.patch +0007-CVE-2021-28651.patch Best regards, -- Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net> 4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00
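Review bot: In the src/urn.cc hunk carried by 0007-CVE-2021-28651.patch, `xfree(buf);` is added only on the final path, directly before `return list;`. Any earlier return from urnParseReply() taken after buf is allocated would still leak, and the three context lines shown do not rule that out. Please confirm against the full function that this is the only exit once buf exists. Also confirm that no entry in `list` still points into buf at the time of the free, since the caller receives `list` after buf is gone.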
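Review bot: In the debian/changelog hunk, the 4.13-10 entry ships a CVE fix with `urgency=medium`; if the goal is for the fix to migrate quickly, consider whether `urgency=high` is the better choice. The entry describes the issue only as "a Denial of Service in URN processing", while the patch header says the parser leaks memory when resolving urn: requests. Naming the memory leak in the changelog line would make the entry match the defect that is actually fixed.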