Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556

To: Amos Jeffries <squid3@treenet.co.nz>
Cc: 823968@bugs.debian.org, debian-security-tracker@lists.debian.org, pkg-squid-devel@lists.alioth.debian.org
Subject: Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 11 May 2016 07:12:24 +0200
Message-id: <[🔎] 20160511051224.GA4247@lorien.valinor.li>
Mail-followup-to: Amos Jeffries <squid3@treenet.co.nz>, 823968@bugs.debian.org, debian-security-tracker@lists.debian.org, pkg-squid-devel@lists.alioth.debian.org
In-reply-to: <[🔎] ecdc89d6-b859-73e4-7968-e0fda195e423@treenet.co.nz>
References: <146291103527.12228.6879391137048122713.reportbug@eldamar.local> <146291103527.12228.6879391137048122713.reportbug@eldamar.local> <[🔎] ecdc89d6-b859-73e4-7968-e0fda195e423@treenet.co.nz>

Hi Amos,

On Wed, May 11, 2016 at 03:12:14PM +1200, Amos Jeffries wrote:
> 
> CVE-2016-4553:
>  Patch for 3.4 and older is now available at
> <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13240.patch>.
> 
> CVE-2016-4554:
>  Additional changes are needed than those initially linked to. see the
> advisory URL for updated patch links.
> 
> CVE-2016-4555:
>  Squid-3.1 in wheezy is not affected.
> 
> CVE-2016-4556:
>  Patch for 3.4 should also apply fairly easily to 3.1, but has not been
> tested.
>  Also, the severity of this issue is much reduced for Debian since SSL
> is not enabled.
>  Though it still remains an issue for CDN and reverse-proxy installations.
> 
> 
> HTH

Yes, thanks for your feedback.

Regards,
Salvatore

Reply to:

References:
- Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
  - From: Amos Jeffries <squid3@treenet.co.nz>

Prev by Date: Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Next by Date: External check
Previous by thread: Re: squid3: CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Next by thread: please add icdiff to embedded-code-copies
Index(es):
- Date
- Thread