From: Peter Marko <[email protected]> According to [1] the ESI feature implementation in squid is vulnerable without any fix available. NVD says it's fixed in 6.10, however the change in this release only disables ESI by default (which we always did via PACKAGECONFIG).
Commit in master branch related to this CVE is [2]. Title is "Remove Edge Side Include (ESI) protocol" and it's also what it does. So there will never be a fix for these ESI vulnerabilities. We should not break features in LTS branch and cannot fix this problem. So ignrore this CVE based on set PACKAGECONFIG which should remove it from reports for most users. Thos who need ESI need to assess the risk themselves. [1] https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj [2] https://github.com/squid-cache/squid/commit/5eb89ef3d828caa5fc43cd8064f958010dbc8158 Signed-off-by: Peter Marko <[email protected]> --- meta-networking/recipes-daemons/squid/squid_4.15.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-networking/recipes-daemons/squid/squid_4.15.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb index a042f57166..6a4ef0a2b6 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.15.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb @@ -123,3 +123,6 @@ FILES:${PN}-doc += "${datadir}/*.txt" RDEPENDS:${PN} += "perl" RDEPENDS:${PN}-ptest += "make" + +# Only ESI feature is vulnerable +CVE_CHECK_IGNORE += "${@'' if bb.utils.filter('PACKAGECONFIG', 'esi', d) else 'CVE-2024-45802'}" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#113768): https://lists.openembedded.org/g/openembedded-devel/message/113768 Mute This Topic: https://lists.openembedded.org/mt/109471670/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
