helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

squid: conditionally set status of CVE-2024-45802

Browse Source 
According to [1] the ESI feature implementation in squid is vulnerable
without any fix available.
NVD says it's fixed in 6.10, however the change in this release only
disables ESI by default (which we always did via PACKAGECONFIG).

Commit in master branch related to this CVE is [2].
Title is "Remove Edge Side Include (ESI) protocol" and it's also what it
does. So there will never be a fix for these ESI vulnerabilities.

We should not break features in LTS branch and cannot fix this problem.
So ignrore this CVE based on set PACKAGECONFIG which should remove it
from reports for most users. Thos who need ESI need to assess the risk
themselves.

[1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
[2] 5eb89ef3d8

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Peter Marko 2024-11-08 22:06:00 +01:00 committed by Armin Kuster
parent b126eb3705
commit 82a9ac867d
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
meta-networking/recipes-daemons/squid/squid_4.15.bb
View File

@ -123,3 +123,6 @@ FILES:${PN}-doc += "${datadir}/*.txt"
RDEPENDS:${PN} += "perl"
RDEPENDS:${PN}-ptest += "make"
# Only ESI feature is vulnerable
CVE_CHECK_IGNORE += "${@'' if bb.utils.filter('PACKAGECONFIG', 'esi', d) else 'CVE-2024-45802'}"