Debian Bug report logs - #912293
squid: CVE-2018-19131: SQUID-2018:4: Cross-Site Scripting issue in TLS error processing
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 29 Oct 2018 21:45:02 UTC
Severity: minor
Tags: security, upstream
Found in version squid/4.3-1
Fixed in version squid/4.4-1
Done: Luigi Gangitano <luigi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Luigi Gangitano <luigi@debian.org>: Bug#912293; Package src:squid. (Mon, 29 Oct 2018 21:45:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Luigi Gangitano <luigi@debian.org>. (Mon, 29 Oct 2018 21:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: squid
Version: 4.3-1
Severity: minor
Tags: security upstream
Hi
Filing this bug to have an identifier (as long as no CVEs are yet
assigned):
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
> Problem Description:
>
> Due to incorrect input handling, Squid is vulnerable to a
> Cross-Site Scripting vulnerability when generating HTTPS response
> messages about TLS errors.
Squid in Debian builds without TLS support, so it is marked as
"unimportant" from security-tracker point of view.
Regards,
Salvatore
Reply sent to Luigi Gangitano <luigi@debian.org>: You have taken responsibility. (Tue, 30 Oct 2018 15:24:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 30 Oct 2018 15:24:03 GMT)
Message #10 received at 912293-close@bugs.debian.org:
Source: squid
Source-Version: 4.4-1
We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated squid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 30 Oct 2018 14:57:15 +0100
Source: squid
Binary: squid3 squid squid-common squidclient squid-cgi squid-purge
Architecture: source amd64 all
Version: 4.4-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description:
squid - Full featured Web Proxy cache (HTTP proxy)
squid-cgi - Full featured Web Proxy cache (HTTP proxy) - control CGI
squid-common - Full featured Web Proxy cache (HTTP proxy) - common files
squid-purge - Full featured Web Proxy cache (HTTP proxy) - cache management uti
squid3 - Transitional package
squidclient - Full featured Web Proxy cache (HTTP proxy) - HTTP(S) message util
Closes: 912293 912294
Changes:
squid (4.4-1) unstable; urgency=high
.
* Urgency high due to security fixes
.
[ Amos Jeffries <amosjeffries@squid-cache.org> ]
* New Upstream Release
- Fix security issue SQUID-2018:4 (CVE: TBD) (Closes: #912293)
- Fix security issue SQUID-2018:5 (CVE: TBD) (Closes: #912294)
.
[ Luigi Gangitano ]
* debian/squid.preinst
- Don't parse /etc/passwd, use getent to make lintian happy
Changed Bug title to 'squid: CVE-2018-19131: SQUID-2018:4: Cross-Site Scripting issue in TLS error processing' from 'squid: SQUID-2018:4: Cross-Site Scripting issue in TLS error processing'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Nov 2018 13:24:04 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 Dec 2018 07:35:32 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:39:25 2019; Machine Name: beach