
Re: IMPORTANT squid3 stable needs update

I didn't subscribe to the mailing list, so please put my mail address into CC. Thanks.

I think I found a security issue that is not fixed in Debian squid 3.4.8. Squid 3.4 seems to use the SHA-1 algorithm for dynamic certificate generation. SHA-1 is unsafe. This seems to be fixed only in squid 3.5.

ref: https://forum.pfsense.org/index.php?topic=99141.0 (I think it's the same problem with Debian Jessie. The certificates are only generated with SHA-1.)

2016-01-18 12:53 GMT+01:00 Martin Wuertele <martin@wuertele.net>:

* startrekfan <startrekfan75@freenet.de> [2016-01-15 23:39]:

> squid3 3.4.8 has some security issues (risks)/bugs, so an upgrade to 3.5 is
> actually only a fix of these bugs/security issues. There is no patch for
> 3.4.8 because it's outdated. Debian Jessie is the current active release.
> So why not fix squid3 in Debian Jessie with a stable 3.5 update?

Not the version in Debian. All bugfixes are backported. Check the
changelog, security tracker,...
