Re: [pkg-squid-devel] squeeze update of squid3?
On 23/07/2015 11:37 a.m., Ben Hutchings wrote:
> On Thu, 2015-07-23 at 01:09 +0200, Luigi Gangitano wrote:
>>>
>>> Il giorno 23/lug/2015, alle ore 00:07, Ben Hutchings ha scritto:
>>>
>>> On Wed, 2015-07-22 at 23:02 +0200, Luigi Gangitano wrote:
>>>> Hi Ben,
>>>>
>>>> Thanks for the heads up on LTS security issues in squid3.
>>>>
>>>> We’ve already prepared an update for CVE-2015-5400 for jessie and are
>>>> willing to contribute an update for squeeze too. The link you sent me
>>>> is not working so I’m unable to check if other security issues are
>>>> open and co-ordinate a single package update.
>>>
>>> Sorry, I think this was the issue covered by
>>> .
>>> That was removed from the tracker by
>>>
>>> as it doesn't actually affect the Debian package.
>>
>> Ok, so no need for an updated squid3 in LTS?
>
> The squeeze-lts version does seem to be affected by CVE-2015-5400.
>
> Ben.
>
Yes it is. All squid and squid3 packages older than 3.5.6 are affected.
It just varies between packages as to which part of the code is actively
broken (src/tunnel.cc in Squid3, src/ssl.c in squid).
FYI, the available fix patch depends on other bug fixes and a feature
only added to Squid in 3.4. The older Squid versions need almost
complete redesign of the patch during backport.
That redesign has proven non-trivial and halted the (brief) two attempts
I've made at it so far. Anyone wanting to dig in and assist is welcome.
I can offer naming credits in the official Advisory document, and
gratitude from all distros for a working Squid 3.3 or earlier patch.
Amos Jeffries
Squid Project (upstream)