
Re: [pkg-squid-devel] squeeze update of squid3?

On 23/07/2015 11:37 a.m., Ben Hutchings wrote:
> On Thu, 2015-07-23 at 01:09 +0200, Luigi Gangitano wrote:
>>> Il giorno 23/lug/2015, alle ore 00:07, Ben Hutchings ha scritto:
>>> On Wed, 2015-07-22 at 23:02 +0200, Luigi Gangitano wrote:
>>>> Hi Ben,
>>>> Thanks for the heads up on LTS security issues in squid3.
>>>> We’ve already prepared an update for CVE-2015-5400 for jessie and are 
>>>> willing to contribute an update for squeeze too. The link you sent me
>>>> is not working so I’m unable to check if other security issues are 
>>>> open and co-ordinate a single package update.
>>> Sorry, I think this was the issue covered by
>>> .
>>> That was removed from the tracker by
>>> as it doesn't actually affect the Debian package.
>> Ok, so no need for an updated squid3 in LTS?
> The squeeze-lts version does seem to be affected by CVE-2015-5400.
> Ben.

Yes it is. All squid and squid3 packages older than 3.5.6 are affected.
Just varies between packages about which part of the code is actively
broken (src/tunnel.cc in Squid3, src/ssl.c in squid).

FYI, the available fix patch depends on other bug fixes and a feature
only added to Squid in 3.4. The older Squid versions need almost
complete redesign of the patch during backport.

That redesign has proven non-trivial and halted the (brief) two attempts
I've made at it so far. Anyone wanting to dig in and assist is welcome.
I can offer naming credits in the official Advisory document, and
gratitude from all distros for a working Squid 3.3 or earlier patch.

Amos Jeffries
Squid Project (upstream)
