--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team
Please unblock package squid3
The previous fix for CVE-2012-5643 and CVE-2013-0189, uploaded as
3.1.20-2.1, caused cachemgr.cgi to always crash when supplying auth
credentials. Upstream provided a patch, which was uploaded as
3.1.20-2.2.
See: #701123
The full debdiff against the current version in testing is attached.
Would it be possible to get an unblock for squid3?
unblock squid3/3.1.20-2.2
Regards,
Salvatore
Base version: squid3_3.1.20-2.1 from testing
Target version: squid3_3.1.20-2.2 from unstable
No hints in place.
Excuses:
changelog | 10 ++++++
patches/fix-701123-regression-in-cachemgr.patch | 39 ++++++++++++++++++++++++
patches/series | 1
3 files changed, 50 insertions(+)
gpgv: keyblock resource `/home/carnil/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Tue 05 Feb 2013 10:18:19 PM UTC using RSA key ID 4AC8EE1D
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on /tmp/tmpPcyNcv/squid3_3.1.20-2.1.dsc
gpgv: keyblock resource `/home/carnil/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Sat 23 Feb 2013 02:13:52 PM UTC using RSA key ID 7FD863FE
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on /tmp/tmpPcyNcv/squid3_3.1.20-2.2.dsc
diff -Nru squid3-3.1.20/debian/changelog squid3-3.1.20/debian/changelog
--- squid3-3.1.20/debian/changelog 2013-02-05 22:16:28.000000000 +0000
+++ squid3-3.1.20/debian/changelog 2013-02-23 14:07:26.000000000 +0000
@@ -1,3 +1,13 @@
+squid3 (3.1.20-2.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add fix-701123-regression-in-cachemgr.patch patch.
+ Fix missing bits in the fix for CVE-2012-5643 and CVE-2013-0189 causing
+ cachemgr.cgi crashing when authentication credentials are supplied.
+ Thanks to Amos Jeffries <amos@treenet.co.nz> (Closes: #701123)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 23 Feb 2013 13:44:48 +0100
+
squid3 (3.1.20-2.1) unstable; urgency=high
* Non-maintainer upload
diff -Nru squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch
--- squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid3-3.1.20/debian/patches/fix-701123-regression-in-cachemgr.patch 2013-02-23 14:07:26.000000000 +0000
@@ -0,0 +1,39 @@
+Description: Fix regression in cachemgr.cgi
+ Fix regression introduced by the patches for CVE-2012-5643 and
+ CVE-2013-0189. Apply further patch provided by upstream.
+Origin: upstream, http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10486.patch
+Bug: http://bugs.squid-cache.org/show_bug.cgi?id=3790
+Bug-Debian: http://bugs.debian.org/701123
+Forwarded: not-needed
+Author: Reinhard Sojka <reinhard.sojka@parlament.gv.at>
+Last-Update: 2013-02-23
+Applied-Upstream: yes
+
+--- a/tools/cachemgr.cc
++++ b/tools/cachemgr.cc
+@@ -1162,7 +1162,6 @@
+ {
+ static char buf[1024];
+ size_t stringLength = 0;
+- const char *str64;
+
+ if (!req->passwd)
+ return "";
+@@ -1171,15 +1170,12 @@
+ req->user_name ? req->user_name : "",
+ req->passwd);
+
+- str64 = base64_encode(buf);
+-
+- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
+
+ assert(stringLength < sizeof(buf));
+
+- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
+
+- xxfree(str64);
+ return buf;
+ }
+
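Review bot: The second base64_encode(buf) call, in the Proxy-Authorization snprintf, encodes buf after the first snprintf has already overwritten it with the "Authorization: Basic ...\r\n" line, so the Proxy-Authorization header no longer carries the "user:passwd" string that the first call encoded; keep the result of the first encoding (for example copy it into a separate local array before the first snprintf into buf, or format the two headers from a buffer that is not also the base64 input) so both headers are built from the same credentials. Removing xxfree(str64) fixes the crash only on the assumption that base64_encode returns storage the caller must not free (a static buffer); a one-line comment at the call site stating that would stop a later reader from reintroducing the free, and if that assumption ever changes the two inline calls would leak instead.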
diff -Nru squid3-3.1.20/debian/patches/series squid3-3.1.20/debian/patches/series
--- squid3-3.1.20/debian/patches/series 2013-02-05 21:53:05.000000000 +0000
+++ squid3-3.1.20/debian/patches/series 2013-02-23 14:07:26.000000000 +0000
@@ -3,3 +3,4 @@
15-cachemgr-default-config.patch
20-ipv6-fix
30-CVE-2012-5643-CVE-2013-0189.patch
+fix-701123-regression-in-cachemgr.patch
Hints needed:
unblock squid3/3.1.20-2.2
--- End Message ---