
Squid package containing buffer overrun?



I'm just sending this out as a 'request for comment' really --

I notice debian-stable has a package for squid which (besides being security-updated already) still has a known buffer overflow in it (although it is apparently of 'unknown risk').

See:
http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE7-url_escape

I reported this and was told that it was considered 'not important' and would be sorted out when other things had been sorted out...

I wonder if this has been found to be really non-vulnerable, or if debian policy doesn't normally allow things to be updated unless a vulnerability has been proved to really exist?

I'm confused and would like to know what others think!

-enyc <enyc@eeek.org.uk>
