I was looking at this in my SRU shift again, and this remark in '[Other info]':

"""
No CVEs are being addressed this time (the ones fixed in between 6.6 and 6.10 are already fixed in noble's security pocket). Therefore, this should go through the updates pockets.
"""

made me look whether other security issues were found in 6.10 later. There weren't, but this one caught my eye:

https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj

That looks like it's CVE-2024-4580. And the "fix" that upstream applied to 6.10 is to disable ESI by default, which was called out correctly in the "upstream changes" in this bug's description, but it turns out we are keeping it enabled (because that's what we had so far). In other words, it seems we are introducing that vulnerability in this SRU by using --enable-esi.

But at the same time, the current squid in noble-security has this changelog entry:

squid (6.6-1ubuntu5.1) noble-security; urgency=medium

  * SECURITY UPDATE: DoS in ESI processing using multi-byte characters
    - debian/patches/CVE-2024-37894.patch: fix variable datatype to handle
      variables names outside standard ASCII characters
    - CVE-2024-37894

 -- Vyom Yadav <vyom.ya...@canonical.com>  Sun, 07 Jul 2024 17:30:16 +0530

That is again talking about ESI processing, but has a different CVE ID. So, is the patch above fixing the ESI vulnerabilities in full, and is it therefore safe to keep --enable-esi (if the CVE-2024-37894 patch is present in 6.10)? Or is the patch perhaps just fixing a subset of what was reported in https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj, hence the different CVE ID?

https://ubuntu.com/security/CVE-2024-45802 shows it needs evaluation in noble. There is this note, however:

"""
Upstream have fixed this vulnerability by disabling ESI by default. Ubuntu packages would have to be updated to disable ESI to fix this issue, which would be a breaking change and could possibly be considered a regression in functionality.
""" So it looks like with this SRU, we are not introducing the bug or changing anything about it. In other words, same status as with the package currently in noble-security and -updates (6.6-1ubuntu5.1). No regression, which means this can be accepted. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4580 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45802 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2073322 Title: Upstream microrelease 6.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2073322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs