Re: Thoughts on CVE-2020-15049/squid3?

To: debian-lts@lists.debian.org
Subject: Re: Thoughts on CVE-2020-15049/squid3?
From: Markus Koschany <apo@debian.org>
Date: Fri, 25 Sep 2020 22:39:25 +0200
Message-id: <[🔎] a110ca55-20dd-7fad-504c-3935e95380b6@debian.org>
In-reply-to: <[🔎] 20200925202413.GD3179@connexer.com>
References: <[🔎] 20200925192509.GB3179@connexer.com> <[🔎] 2008d452-4190-1f65-9274-035c05fefa46@debian.org> <[🔎] 20200925202413.GD3179@connexer.com>

Am 25.09.20 um 22:24 schrieb Roberto C. Sánchez:
> On Fri, Sep 25, 2020 at 10:04:59PM +0200, Markus Koschany wrote:
>> Hello Roberto,
>>
>> Am 25.09.20 um 21:25 schrieb Roberto C. Sánchez:
>>> Hello fellow LTS people,
>>>
>>> I am working on an update for the squid3 package.  At this time there
>>> are 4 open CVEs, of which 3 have patches that apply with little or no
>>> change required.  However, the patch for CVE-2020-15049 does not apply
>>> at all.
>>
>> You should have been aware that I have prepared the last update of
>> squid3. I have just noticed that the NOTE on the squid entry in
>> dla-needed.txt was removed but the last status was that the package
>> simply needs more testing. Hence I didn't bother to readd myself but the
>> NOTE was self-explaining (in ELTS and LTS).
>>
> Hmm.  The note removal is unfortunate :-/

The NOTE was updated on 31.08. but it seems DLA-2278-3 removed the NOTE
on 04.09. and I forgot to readd it again.

[...]

> So, what is the best way to proceed?  I presume based on your above
> comment that you have already prepared the packages for upload.  Are
> those the same packages you referenced in your RFT message on 1st July?
> (I had to go hunting through the archive to locate the reference.)
> Should I review the backported code?  The time I have spent digging
> through the Git history should be beneficial in such a review.

Yes, I have done the backport already but I wanted to wait for the
feedback of a user who reported another parsing issue in #965012. At the
moment I believe the current header parsing is correct but I am still
investigating why the reported problem exists in the first place. Since
I have not received any other reports, it could be a server
configuration issue. If I don't find the underlying problem this
weekend, I will upload the new update to people.debian.org and send a
RFT to debian-lts. I would appreciate testing and feedback from you and
other contributors because the package is obviously still used by
several users and companies but they don't seem to be subscribed to
debian-lts.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: Thoughts on CVE-2020-15049/squid3?
  - From: Roberto C. Sánchez <roberto@debian.org>

References:
- Thoughts on CVE-2020-15049/squid3?
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Thoughts on CVE-2020-15049/squid3?
  - From: Markus Koschany <apo@debian.org>
- Re: Thoughts on CVE-2020-15049/squid3?
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: Thoughts on CVE-2020-15049/squid3?
Next by Date: Re: Thoughts on CVE-2020-15049/squid3?
Previous by thread: Re: Thoughts on CVE-2020-15049/squid3?
Next by thread: Re: Thoughts on CVE-2020-15049/squid3?
Index(es):
- Date
- Thread