Squid package containing buffer overrun ??
I'm just sending this out as a 'request for comment' really --
I notice debian-stable has a package for squid which (besides being
security-updated already) still has a known buffer overflow in it
(although it is apparently of 'unknown risk').
See:
http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE7-url_escape
I reported this and was told that it was considered 'not important' and
would be sorted out when other things had been sorted out...
I wonder if this has been found to be really non-vulnerable or if Debian
policy doesn't normally allow things to be updated unless a vulnerability
has been proved to really exist??
I'm confused and would like to know what others think!
-enyc <enyc@eeek.org.uk>