squid3: CVE-2013-4115 CVE-2013-4123

Related Vulnerabilities: CVE-2013-4115   CVE-2013-4123  

Debian Bug report logs - #716743

Package: squid3; Maintainer for squid3 is Luigi Gangitano <luigi@debian.org>; Source for squid3 is src:squid.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 12 Jul 2013 06:36:02 UTC

Severity: grave

Tags: jessie, patch, security, sid

Fixed in version squid3/3.3.8-1

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#716743; Package squid3. (Fri, 12 Jul 2013 06:36:06 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Fri, 12 Jul 2013 06:36:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squid3: CVE-2013-4115
Date: Fri, 12 Jul 2013 08:29:19 +0200
Package: squid3
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2013-4115:
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt

Since this only affects 3.2 and later, oldstable and stable are not affected.

Cheers,
        Moritz



Added tag(s) sid and jessie. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Fri, 12 Jul 2013 12:18:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#716743; Package squid3. (Mon, 15 Jul 2013 12:51:23 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Mon, 15 Jul 2013 12:51:23 GMT).


Message #12 received at 716743@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: 716743@bugs.debian.org, control@bugs.debian.org
Subject: Re: squid3: CVE-2013-4115
Date: Mon, 15 Jul 2013 14:46:54 +0200
retitle 716743 squid3: CVE-2013-4115 CVE-2013-4123
thanks

On Fri, Jul 12, 2013 at 08:29:19AM +0200, Moritz Muehlenhoff wrote:
> Package: squid3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> This was assigned CVE-2013-4115:
> http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
> 
> Since this only affects 3.2 and later, oldstable and stable are not affected.

There's a second issue, CVE-2013-4123:
http://www.squid-cache.org/Advisories/SQUID-2013_3.txt

Cheers,
        Moritz



Changed Bug title to 'squid3: CVE-2013-4115 CVE-2013-4123' from 'squid3: CVE-2013-4115'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Mon, 15 Jul 2013 12:51:26 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#716743; Package squid3. (Fri, 19 Jul 2013 08:33:07 GMT).


Acknowledgement sent to Joachim Wiedorn <ad_debian@joonet.de>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Fri, 19 Jul 2013 08:33:07 GMT).


Message #19 received at 716743@bugs.debian.org:

From: Joachim Wiedorn <ad_debian@joonet.de>
To: 716743@bugs.debian.org, Debian BTS Control <control@bugs.debian.org>
Subject: squid3: CVE-2013-4115 CVE-2013-4123
Date: Fri, 19 Jul 2013 10:29:46 +0200
tags 716743 patch
thanks


With version squid3 3.3.8 both security bugs are fixed.

Here you can find my updated version, made for Wheezy:
http://www.joonet.de/sources/squid3/deb/


---
Have a nice day.

Joachim (Germany)



Added tag(s) patch. Request was from Joachim Wiedorn <ad_debian@joonet.de> to control@bugs.debian.org. (Fri, 19 Jul 2013 08:33:10 GMT).


Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Sun, 21 Jul 2013 23:09:17 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 21 Jul 2013 23:09:17 GMT).


Message #26 received at 716743-close@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: 716743-close@bugs.debian.org
Subject: Bug#716743: fixed in squid3 3.3.8-1
Date: Sun, 21 Jul 2013 23:05:25 +0000
Source: squid3
Source-Version: 3.3.8-1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 716743@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 21 Jul 2013 18:28:36 +0200
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi squid-purge
Architecture: source all i386
Version: 3.3.8-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description: 
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 683255 710126 716743
Changes: 
 squid3 (3.3.8-1) unstable; urgency=high
 .
   * Urgency high due to security fixes
 .
   * New upstream release
     - Fixes security issues (Closes: #716743)
       + Buffer overflow in HTTP request handling (Ref: SQUID-2013:2,
         CVE-2013-4115)
       + DoS in request processing (Ref: SQUID-2013:3, CVE-2013-4123)
     - Includes PNG image used in error pages, with new copyright assignment
       (Closes: #683255)
 .
   * Added /var/run/squid3 dir to host sockets in SMP configuration
     (Closes: #710126)
 .
   * debian/control
     - Bumped Standard-Version to 3.9.4, no change needed




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Aug 2013 07:28:56 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:57:09 2019; Machine Name: beach
