
Re: IMPORTEND squid3 stable needs update

Hello startrekfan,

Please don't top-post.

On 15.01.2016 at 23:19, startrekfan wrote:
> squid3 3.4.8 has some security issues (risks)/bugs so an upgrade to 3.5 is
> actually only a fix of these bugs/security issues.

Which issues are you referring to? Which bugs in detail? Have you looked into the
links Ben provided? If you are talking about CVE-2015-5400, you will
see it is fixed and there are no other open issues, but Ben was already
talking about that.

> There is no patch for 3.4.8 because it's outdated.

But it's not impossible to do such a patch, is it? And that's what
maintainers of Debian packages do on their own if upstream isn't very
helpful. This work ends in security updates. You use this feature in
your sources list to get them via apt?

> Debian Jessie is the current active release. So why not fix squid3
> in Debian Jessie with a stable 3.5 update?

Because this isn't needed if you can patch such issues, and it will probably
break other packages if you do such updates without further testing.
Please keep in mind there are over 40.000 packages in the release, which need
time to test for all such side effects.
Of course not all other packages within Debian depend on squid, but
there are enough. Try it yourself: 'apt-cache rdepends squid3'.

Carsten Schoenert
